CISA REVIEW

The material provided in this slide show came directly from Certified Information Systems Auditor (CISA) Review Material 2010 by ISACA.

Chapter 1 – Learning Objectives
• Develop and implement a risk-based IS audit strategy for the organization in compliance with IS audit standards, guidelines and best practices.
• Plan specific audits to ensure IT and business systems are protected and controlled.
• Conduct audits in accordance with IS audit standards, guidelines and best practices to meet planned audit objectives.
• Communicate emerging issues, potential risks and audit results to key stakeholders.
• Advise on the implementation of risk management and control practices within the organization, while maintaining independence.

Chapter 1 – The IS Audit Process
IS audit is defined as the process of collecting and evaluating evidence to determine whether the information systems and related resources:
• adequately safeguard assets,
• maintain data and system integrity,
• provide relevant and reliable information,
• achieve organizational goals effectively, and
• consume resources efficiently.

Chapter 1 – The IS Audit Process
An IS audit is intended to assess whether internal controls provide reasonable assurance that:
• business, operational and control objectives will be met, and
• undesired events will be prevented, or detected and corrected, in a timely manner.

Chapter 1 – The IS Audit Process
IS auditors are expected to comply with a code of professional ethics, and to conduct their work in accordance with specific standards, guidelines, and procedures. You will not be tested on the precise text of the various standards, guidelines and procedures. Rather, the exam will focus on your understanding of them and how they are applied in specific situations.

Chapter 1 – The Audit Charter
An audit charter establishes the role of the IS audit function.
An IS audit can be integrated within the financial or operational audit, or it can be part of an internal audit. The charter should include:
• A clear statement of management's responsibility and objectives for the audit function
• Management's delegation of authority to the audit function
• The overall authority, scope and responsibilities of the audit function
• The reporting lines and relationships

Chapter 1 – The Audit Charter
• A definition of the organizational independence of the internal audit, including accountability of the audit and provision for objective assessment of its resource requirements
• A recognition of the control environment of the organization (operations, resources, services, responsibilities to external entities)
• The internal audit's right of access to all records, assets, personnel and premises, including those of partner organizations
• The internal audit's authority to obtain the information and explanations it considers necessary to fulfill its responsibilities
• The charter should be approved at the highest management level and by the audit committee if available.
• Once the charter has been established, any changes must be thoroughly justified.

Chapter 1 – Audit Objectives
• Audit objectives refer to the specific goals of the audit. These objectives often are centered on substantiating that internal controls are functioning to minimize business risk. The audit objectives, then, need to be translated into specific IS audit objectives.
• For example, for a financial audit, an internal control is designed to ensure transactions are posted correctly to the general ledger. The audit objective is to determine whether this control is performing as intended. The corresponding IS audit objective might be to make sure that editing features are in place to detect errors in the transaction coding that may affect the posting of the transactions.
Chapter 1 – Audit Documentation
In addition to the audit plan, the documentation for an IS audit includes:
• A description or diagram of the IS environment
• Audit programs
• Minutes of meetings
• Audit evidence
• Findings
• Conclusions and recommendations
• Any report issued as a result of the audit work
• Supervisory review comments, if any

Chapter 1 – Audit Documentation, cont.
At a minimum, documentation should include a record of the:
• Planning and preparation of the audit scope and objectives
• Description and/or walkthroughs on the scoped audit area
• Audit program
• Audit steps performed and audit evidence gathered
• Use of services of other auditors and experts
• Audit findings, conclusions and recommendations
• The documentation should also include evidence of supervisory review and the report that was issued as a result of the audit work.
• Also necessary is any audit information required by contractual stipulations, regulations, laws and professional standards.

Chapter 1 – IT Audit Program
An effectively planned and developed IT audit program should:
• Identify areas of greatest IT risk exposure to the organization.
• Promote the confidentiality, integrity and availability of information systems.
• Determine the effectiveness of management's planning and oversight of IT activities.
• Evaluate the adequacy of operating processes and internal controls.
• Determine the adequacy of enterprise-wide compliance efforts related to IT policies and internal control procedures.
• Recommend appropriate corrective action to address deficient internal controls.
• Follow up with management to ensure that recommended corrective actions have been effectively implemented.

Chapter 1 – Enterprise Risk Management
The initial steps of risk management include:
• analyzing the value of assets to the business,
• identifying threats to those assets, and
• evaluating how vulnerable each asset is to those threats.
Chapter 1 – Enterprise Risk Management
An effective risk-based auditing program should cover all of an organization's major activities. The frequency and depth of each area's audit will vary according to the risk assessment of that area. Risk-based IT audit programs should:
• Identify the organization's data, application and operating systems, technology, facilities, and personnel.
• Identify the business activities and processes within each of those categories.
• Include profiles of significant business units, departments, and product lines or systems, and their associated business risks and control features, resulting in a document describing the structure of risk and controls throughout the organization.
• Use a measurement or scoring system that ranks and evaluates business and control risks for significant business units, departments and products.

Chapter 1 – Enterprise Risk Management, cont.
Risk-based IT audit programs should also:
• Include board or audit committee approval of risk assessments and annual risk-based audit plans that establish audit schedules, audit cycles, work program scope and resource allocation for each area audited,
• Implement the audit plan through planning, execution, reporting and follow-up,
• Include a process that regularly monitors the risk assessment and updates it at least annually for all significant business units, departments, and products or systems.

Chapter 1 – Testing Procedures for IS Controls
It is management's responsibility to establish and maintain IT controls that meet internal control objectives. When well-designed, these controls can both deter fraud and enable its early detection. Planning for appropriate audit tests requires that the IS auditor have an understanding of the procedures for testing and evaluating IS controls.
These may include:
• Use of generalized audit software to survey the contents of data files (including system logs)
• Use of specialized software to assess the contents of operating system parameter files (or detect deficiencies in system parameter settings)
• Process-charting techniques for documenting automated applications and business processes
• The use of audit logs or reports available in operation/application systems
• Documentation review
• Observation

Chapter 1 – Compliance and Substantive Testing
• Testing may involve identifying the controls for compliance with management policies and procedures – that is, gathering evidence to determine whether they are being applied and functioning as expected.
• The audit may also involve substantive tests, in which evidence is gathered to evaluate the integrity of selected data or individual transactions. Substantive procedures are tests performed to obtain audit evidence to detect material misstatements in the financial statements.
• Because of time and cost constraints, it is often impossible to verify all transactions or events in a specific group of items, so auditors use a sample of that group. This sampling allows auditors to infer characteristics of the entire group based on the characteristics of the sample.

Chapter 1 – Interviewing and Observing
An early step in performance of the audit is interviewing and observing personnel involved in the tasks that will be assessed in the audit. The auditor should:
• Determine who is responsible for performing which functions – and whether these individuals are actually doing so.
• Do a walkthrough of the processes and procedures.
• Observe the security awareness of the individuals involved.
• Investigate reporting relationships, and ensure there is appropriate segregation of duties.

Chapter 1 – Interviewing and Observing
Question: What is the difference between compliance testing and substantive testing?
Chapter 1 – Interviewing and Observing
Answer: Compliance testing determines whether controls are in compliance with management policies and procedures. Substantive testing tests the integrity of actual processing.

Chapter 1 – Tips for Conducting a Successful Interview
1. Know your material, the job function being audited, the inputs and outputs, and the subject's job responsibilities.
2. Be familiar with key terms and acronyms and how they are used within the context of the job function under review.
3. Prepare a few questions, but do not read off a list.
4. Review prior-period work papers and audit reports to gain an understanding of questions that were not asked that should have been. Also, ask what changes have occurred that may have affected the operations under review.
5. Ask open-ended questions wherever possible. Avoid questions that have definite, specific answers.
6. Provide the interviewee with an opportunity to add or elaborate on anything before ending the interview.

Chapter 1 – Sampling
General approaches to audit sampling include statistical sampling and non-statistical (or judgmental) sampling. Either type of sampling requires the auditor to make judgments in defining the population characteristics. Key steps in choosing a sample include:
• Determine the objectives of the test.
• Define the population to be sampled.
• Determine the sampling method, such as attribute versus variable sampling.
• Calculate the sample size.
• Select the sample.
• Evaluate the sample from an audit perspective.
Determining what constitutes the sample depends on several factors such as access to the individuals in the representative group, the availability of resources to use in the selection of the sample, and the technical expertise of those involved in the data collection.
Chapter 1 – Computer Assisted Audit Techniques (CAAT)
A software tool is almost a necessity to gather and analyze records from systems that have different hardware and software environments, or different data structures, record formats or processing functions. CAATs offer a way to access and analyze data for a specific audit objective, and to report the audit findings. The reliability of the information source provides reassurance on the findings produced.
Advantages of CAATs
• Reduced level of audit risk
• Greater independence from the auditee
• Broader and more consistent audit coverage
• Faster availability of information
• Improved exception identification
• Greater opportunity to quantify internal control weaknesses
• Enhanced sampling
• Cost savings over time

Chapter 1 – Computer Assisted Audit Techniques (CAAT)
The following are examples of documentation that should be retained in the auditor's fieldwork papers when using CAATs:
• Online reports detailing high-risk issues for review
• Commented program listings
• Flowcharts
• Sample reports
• Record and file layouts
• Field definitions
• Operating instructions
• Description of applicable source documents

Chapter 1 – Internal Controls
• Internal controls include policies, procedures, practices and organizational structures that are put in place to reduce risk. Their intent is to provide reasonable assurance that the business objectives of the organization will be achieved and that risk events will be prevented, detected, or corrected.
• To implement the control, a control objective is defined for an identified risk. Then, specific control activities or procedures designed to achieve the objective are instituted. These processes and activities, automated or manual, function at all levels in the organization to reduce exposure to risks that could prevent the organization from achieving its business objectives.
Chapter 1 – Internal Controls
Responsibility for establishing a culture that supports internal controls resides with the board of directors and executive management. A control has two purposes:
• to support the organization's operation objectives, and
• to prevent, detect or correct undesirable events.
Control elements are classified according to those functions – as preventive, detective or corrective.

Chapter 1 – Internal Controls
Control objectives are management objectives used as the framework for developing and implementing controls or control procedures. They are statements of the purposes that control activities or procedures are designed to serve. Internal controls typically include:
• Internal accounting controls – principally concerned with accounting operations. Examples: the safeguarding of assets, the reliability of financial records
• Operational controls – related to the basic operations, functions and activities to ensure the operation is meeting the business objectives
• Administrative controls – focused on operational efficiency in a functional area and adhering to management policies, including operational controls

Chapter 1 – Example Control Objective
Control Objective: Controls provide reasonable assurance that the organization's electronic funds transfer (EFT) system is protected against unauthorized physical and logical access.
Illustrative controls:
• The responsibility for the development and enforcement of a security policy is at an organizational level that facilitates compliance by organization personnel and enables enforcement of policies and procedures.
• Security policy and procedures are in place, and are communicated to appropriate employees and contractors.
• Policies and procedures are in place for reporting security incidents or observed irregularities to an organizational level at which such matters can be investigated and resolved in a timely fashion.
• Policies and procedures are established for the security of filing, retention and destruction of EFT system files.

Chapter 1 – Example Control Objective
Control Objective: Controls provide reasonable assurance that the organization's electronic funds transfer (EFT) system is protected against unauthorized physical and logical access.
Illustrative controls, cont.:
• Policies and procedures are in place for conducting security system training.
• Policies and procedures are in place for discontinuing an employee's (or contractor's) ability to access EFT hardware, software and data when the employee is terminated or the employee's duties change.
• Access to EFT files or processes is limited based on users' needs.
• Passwords control access to EFT files, personal identification numbers and privacy data.
• Firewalls or other procedures prevent unauthorized access to data from an external network.
• Policies and procedures are in place to prevent unauthorized access to the EFT processing facility.

Chapter 1 – IS Control Objectives
• Safeguarding assets – information on automated systems is secure from improper access and kept up to date.
• Ensuring the integrity of general operating system environments, including network management and operations.
• Ensuring the integrity of sensitive and critical application system environments, including accounting/financial and management information through:
  o Authorization of the input – each transaction is authorized and entered only once.
  o Accuracy and completeness of processing of transactions – all transactions are recorded and entered into the computer for the proper period.
  o Accuracy, completeness and security of the output.
  o Database integrity and availability.
• Complying with the users' requirements, organizational policies and procedures, and applicable laws and regulations.
• Developing business continuity and disaster recovery plans.
• Developing an incident response and handling plan.
• Managing change.
Chapter 1 – IS Control Objectives
Question: Identify for each example whether it is a preventive, detective or corrective control.
• Using internal audit functions
• Completing programmed edit checks
• Checking calculations in duplicate
• Controlling access to physical facilities
• Using encryption software to prevent unauthorized disclosure of data
• Reviewing past-due account reports
• Creating contingency plans
• Checking hash totals
• Implementing backup procedures

Chapter 1 – IS Control Objectives
Answer:
Preventive
• Completing programmed edit checks
• Controlling access to physical facilities
• Using encryption software to prevent unauthorized disclosure of data
Detective
• Using internal audit functions
• Checking calculations in duplicate
• Reviewing past-due account reports
• Checking hash totals
Corrective
• Creating contingency plans
• Implementing backup procedures

Chapter 1 – COBIT
COBIT is a governance framework and supporting tool set that IT organizations can use to ensure that IT is working as effectively as possible to minimize risk and maximize the benefits of technology investments. The COBIT control framework links IT initiatives to the business requirements, organizes IT activities into a generally accepted process model, identifies the major IT resources to be leveraged and defines the management control objectives to be considered.

Chapter 1 – COBIT
• The growing adoption of IT best practices has been driven by a requirement for the IT industry to better manage the quality and reliability of IT in business, and to respond to a growing number of regulatory and contractual requirements. The danger, however, is that implementation of these potentially helpful best practices will be costly and unfocused if they are treated as purely technical guidance.
To be most effective, best practices should be applied within the business context, focusing on where their use would provide the most benefit to the organization.
• Senior management, business management, auditors, compliance officers and IT managers should work together to make sure that IT best practices lead to cost-effective and well-controlled IT delivery. When developing control recommendations, management should ensure that the controls are well-designed and efficient, that the overall IT operations environment is taken into consideration, and that the controls ultimately assist management in achieving its long-term IT strategic goals.

Chapter 1 – General Controls
To provide reasonable assurance that specific objectives will be achieved, management institutes general control procedures and practices.
• Strategy and direction
• General organization and management
• Access to data and programs
• Systems development methodologies and change control
• Data processing operations
• Systems programming and technical support functions
• Data processing quality assurance procedures
• Physical access controls
• Business continuity and disaster recovery planning
• Networks and communications
• Database administration

Chapter 1 – Application Controls
IT application or program controls are fully automated (i.e., performed automatically by the systems) and designed to ensure the complete and accurate processing of data. These controls may also help ensure the privacy and security of data transmitted between applications. Categories of IT application controls may include:
• Completeness checks – controls that ensure all records were processed from initiation to completion.
• Validity checks – controls that ensure only valid data is input or processed.
• Authentication – controls that provide an authentication mechanism in the application system.
• Authorization – controls that ensure only approved business users have access to the application system.
• Input controls – controls that ensure the integrity of data fed from upstream sources into the application system.
Source – Wikipedia

Chapter 1 – Risk Based Audits
A growing number of organizations are moving to a risk-based audit approach. This approach can influence an IS auditor's decision to perform either compliance testing or substantive testing. Identifying risks and vulnerabilities allows the auditor to determine the controls needed to mitigate those risks. In a risk-based audit approach, IS auditors rely not only on risk, but also on internal and operational controls and on knowledge of the organization. This type of risk assessment decision can help relate the cost-benefit analysis of the control to the known risk, allowing for practical choices and better cost-benefit recommendations to management.
Knowledge of the relationship between risk and control is important for IS auditors. As an IS auditor, you must be able to:
• Differentiate types of risks related to business, technology and audit
• Identify relevant controls to mitigate these risks
• Evaluate the organization's risk assessment and management techniques
• Assess risk in order to plan audit work

Chapter 1 – Risk Based Audits
Risk-based IS audit programs should include:
• Profiles of significant business units, departments and products, including:
  o Data
  o Applications and operating systems
  o Technology
  o Facilities
  o Personnel
• Associated business risks and control features
• Board or audit committee approval of risk assessments and annual risk-based audit plans
• A documented process to monitor the risk assessment and update it (at least annually) for all significant business units, departments and products

Chapter 1 – Risk Based Audit Approach
Gather Information and Plan
• Knowledge of business and industry
• Prior year's audit results
• Recent financial information
• Regulatory statutes
• Inherent risk assessment
Obtain Understanding of Internal Control
• Control environment
• Control procedures
• Detection risk assessment
• Control risk assessment
• Equate total risk

Chapter 1 – Risk Based Audit Approach, cont.
Perform Compliance Tests
• Identify key controls to be tested
• Perform tests on reliability, risk prevention, and adherence to organization policies and procedures
Perform Substantive Tests
• Analytical procedures
• Detailed tests of account balances
• Other substantive audit procedures
Conclude the Audit
• Create recommendations
• Write audit report

Chapter 1 – Risk Identification
When identifying risk, there are three elements to assess:
• Threats to, and vulnerabilities of, processes and assets (including both physical and information assets)
• Impact on assets based on threats and vulnerabilities
• Probabilities of threats (combination of the likelihood and frequency of occurrence)
Although auditors need to be aware of all potential risks, operational risk is the primary risk associated with information technology. Operational risk (also referred to as transaction risk) is the risk of loss resulting from inadequate or failed processes, people or systems.

Chapter 1 – Responding to Risks
After identifying and quantifying risks, the decision must be made as to how to respond to them. Below are the main response strategies for risks.
• Risk avoidance
• Risk acceptance
• Risk transference
• Risk mitigation
Audit planning should address the highest-risk areas within the organization, given the resources available to the internal audit department. Changes to the audit plan may require direct communication/approval from the organization's Audit Committee.

Chapter 1 – Risks
Instructions: Here are five elements of a risk-based audit. Determine the order in which they should be performed.
Audit Elements
• Perform substantive audit procedures
• Conduct detection risk assessment
• Conduct inherent risk assessment
• Develop recommendations
• Perform tests on reliability and risk prevention

Chapter 1 – Risks
Answer: Here are five elements of a risk-based audit. Determine the order in which they should be performed. The correct order is:
1. Conduct inherent risk assessment
2. Conduct detection risk assessment
3. Perform tests on reliability and risk prevention
4. Perform substantive audit procedures
5. Create recommendations

Chapter 1 – Risks
Instructions: Here are four types of risk and four definitions. Match each risk to its definition.
Risk
• Control risk
• Detection risk
• Inherent risk
• Overall audit risk
Descriptions
• The susceptibility of an audit area to error that could be material, assuming that there were no related internal controls
• The risk that a material error exists – an error that the internal controls system will not prevent or detect in a timely manner
• A combination of the individual types of audit risks for each control objective
• The risk of an IS auditor using an inadequate test procedure and concluding that material errors do not exist when, in fact, they do exist

Chapter 1 – Risks
Answers: Each type of risk is followed by its definition.
• Control risk – The risk that a material error exists – an error that the internal controls system will not prevent or detect in a timely manner
• Detection risk – The risk of an IS auditor using an inadequate test procedure and concluding that material errors do not exist when, in fact, they do exist
• Inherent risk – The susceptibility of an audit area to error that could be material, assuming that there were no related internal controls
• Overall audit risk – A combination of the individual types of audit risks for each control objective

Chapter 1 – Report Audit Findings
In advance of presenting an audit report to senior management, the IS auditor should discuss the findings with management of the audited area. These discussions help ensure that there have been no misunderstandings or misinterpretations of fact. They give the auditee the opportunity to clarify items and express views on the findings, conclusions and recommendations. The objective of these discussions is to gain agreement and develop a course of corrective action. Where disagreement occurs, the IS auditor should describe the significance of the findings, and the risks and effects of not taking corrective action.
Chapter 1 – Audit Report Contents
The audit report should contain:
• An introduction with a purpose statement describing the audit objectives, and informing the reader why the audit was conducted and what was expected to be achieved
• Scope statements – identify the audited activities and supportive information such as the time period audited
• Background information and summaries – identify the organizational units and functions reviewed, and provide relevant explanatory information
• Status of findings, conclusions and recommendations from prior reports
• Information about whether the report covers a scheduled audit or is in response to a request
• Identification of related activities that were not audited, to delineate the boundaries of the audit
• Description of the nature and extent of auditing steps performed
• Results – including findings, conclusions on the adequacy of controls and procedures and recommendations

Chapter 1 – Audit Report Supporting Documents
In addition to the audit report, the IS auditor should also record detailed records in the form of supporting audit documentation. At a minimum, the supporting documentation should include detailed information on the following:
• Planning and preparation of the audit scope and objectives
• Description and/or walkthroughs on the scoped audit area
• Audit program
• Audit steps performed and audit evidence gathered
• Use of services of other auditors and experts
• Audit findings, conclusions and recommendations
• Constraints on the conduct of the audit
  o Availability of audit staff
  o Auditee constraints

Chapter 1 – Audit Report
The IS auditor is ultimately responsible to senior management and the organization's audit committee. Even though the IS auditor should discuss the findings with the management staff of the audited entity, this is done only to gain agreement on the findings and develop a course of corrective action.
The IS audit director should review the report that the IS auditor prepared, but is not the person who will make the decisions regarding the findings and their potential consequences. The responsibility for reporting to legal authorities rests with the board of directors and their legal counselors.

Chapter 1 – Management Response
In response to the audit results, management should commit to a program of corrective action, with dates by which the action plan will be implemented. Although management is responsible for deciding the appropriate actions to be taken in response to the reported audit findings, the IS auditor is responsible for assessing management actions for timely resolution of the audit findings. However, senior management may decide to assume the risk of not correcting the reported conditions because of cost or other considerations. The IS auditor should follow up to determine whether such a decision has been made.

Chapter 1 – Control Self-Assessment
The principal objective of a CSA program is to shift certain control-monitoring responsibilities to the functional areas and, in this way, enhance the audit function. The program works to educate management about control design and monitoring, concentrating especially on high-risk areas. Line management becomes responsible for both managing and monitoring the controls in its environment.
A CSA program is intended to offer support for the monitoring process such as suggestions for the control environment or workshops to empower workers to assess or design the control environment. Each phase of a CSA program should have specific success measures associated with it to assess the value of the program. COBIT includes a generic set of goals and metrics for each process that can be used in creating the CSA program.
The role of the IS auditor in this process should be that of a facilitator, and the management of the functional area is the participant.
During a CSA workshop, the auditor – instead of performing detailed audit procedures – leads and guides the participants in assessing their environment by providing insight about the objectives of controls based on risk assessment.

Chapter 1 – Control Self-Assessment Advantages
The benefits of CSA include:
• Early detection of risks
• More effective and improved internal controls
• Creation of cohesive teams through employee involvement
• Increased employee awareness of organizational objectives, and knowledge of risk and internal controls
• Increased communication between operational and top management
• Improved audit rating process
• Reduction in control cost
• Assurance to executive management, stakeholders and customers

Chapter 1 – Control Self-Assessment Disadvantages
Potential disadvantages of CSA include the following:
• It could be mistaken for an audit function replacement
• It may be regarded as additional workload
• Failure to act on improvement suggestions could damage employee morale
• Lack of motivation may limit effectiveness in the detection of weak controls

Chapter 1 – Control Self-Assessment Disadvantages
Instructions: Select all that apply. Which of the following are potential benefits of CSA?
• Provides early detection of risks
• Reduces costs by replacing the audit function with self-monitoring
• Increases employee awareness of internal controls
• Works especially well in a very hierarchical management environment

Chapter 1 – Control Self-Assessment Disadvantages
Answer: CSA provides early detection of risks and increases employee awareness of internal controls. Because it is designed to empower staff members to play an active role in assessing their internal controls, it may not work well in organizations with a very hierarchical management environment. CSA is not intended to replace the audit function.