CISA REVIEW – Chapter 1: The IS Audit Process

The material provided in this slide show came
directly from Certified Information Systems
Auditor (CISA) Review Material 2010 by ISACA.
Chapter 1 – Learning Objectives
• Develop and implement a risk-based IS audit strategy for
the organization in compliance with IS audit standards,
guidelines and best practices.
• Plan specific audits to ensure IT and business systems are
protected and controlled.
• Conduct audits in accordance with IS audit standards,
guidelines and best practices to meet planned audit
objectives.
• Communicate emerging issues, potential risks and audit
results to key stakeholders.
• Advise on the implementation of risk management and
control practices within the organization, while maintaining
independence.
Chapter 1 – The IS Audit Process
An IS audit is defined as the process of collecting and evaluating evidence to determine whether the information systems and related resources adequately:
• safeguard assets,
• maintain data and system integrity,
• provide relevant and reliable information,
• achieve organizational goals effectively, and
• consume resources efficiently.
Chapter 1 – The IS Audit Process
An IS audit is intended to assess whether internal controls provide reasonable assurance that:
• business, operational and control objectives will be met, and
• undesired events will be prevented, or detected and corrected, in a timely manner.
Chapter 1 – The IS Audit Process
IS auditors are expected to comply with a code
of professional ethics, and to conduct their
work in accordance with specific standards,
guidelines, and procedures.
You will not be tested on the precise text of the
various standards, guidelines and procedures.
Rather, the exam will focus on your
understanding of them and how they are
applied in specific situations.
Chapter 1 – The Audit Charter
An audit charter establishes the role of the IS audit
function.
An IS audit can be integrated within the financial or
operation audit, or it can be part of an internal audit.
The charter should include:
• A clear statement of management's responsibility and objectives for the audit function
• Management's delegation of authority to the audit function
• The overall authority, scope and responsibilities of the audit function
• The reporting lines and relationships
Chapter 1 – The Audit Charter
• A definition of the organizational independence of the
internal audit, including accountability of the audit and
provision for objective assessment of its resource
requirements
• A recognition of the control environment of the organization
(operations, resources, services, responsibilities to external
entities)
• The internal audit's right of access to all records, assets,
personnel and premises, including those of partner
organizations
• The internal audit's authority to obtain the information and
explanations it considers necessary to fulfill its responsibilities
• The charter should be approved at the highest management
level and by the audit committee if available.
• Once the charter has been established, any changes must be
thoroughly justified.
Chapter 1 – Audit Objectives
• Audit objectives refer to the specific goals of the audit. These objectives often are centered on substantiating that internal controls are functioning to minimize business risk. The audit objectives, then, need to be translated into specific IS audit objectives.
• For example, for a financial audit, an internal control is designed to ensure transactions are posted correctly to the general ledger. The audit objective is to determine whether this control is performing as intended. The corresponding IS audit objective might be to make sure that editing features are in place to detect errors in the transaction coding that may affect the posting of the transactions.
Chapter 1 – Audit Documentation
In addition to the audit plan, the documentation for an IS audit includes:
• A description or diagram of the IS environment
• Audit programs
• Minutes of meetings
• Audit evidence
• Findings
• Conclusions and recommendations
• Any report issued as a result of the audit work
• Supervisory review comments, if any
Chapter 1 – Audit Documentation, cont.
At a minimum, documentation should include a record of the:
• Planning and preparation of the audit scope and objectives
• Description and/or walkthroughs of the scoped audit area
• Audit program
• Audit steps performed and audit evidence gathered
• Use of services of other auditors and experts
• Audit findings, conclusions and recommendations
The documentation should also include evidence of supervisory review and the report that was issued as a result of the audit work.
Also necessary is any audit information required by contractual stipulations, regulations, laws and professional standards.
Chapter 1 – IT Audit Program
An effectively planned and developed IT audit program should:
• Identify areas of greatest IT risk exposure to the organization.
• Promote the confidentiality, integrity and availability of information systems.
• Determine the effectiveness of management's planning and oversight of IT activities.
• Evaluate the adequacy of operating processes and internal controls.
• Determine the adequacy of enterprise-wide compliance efforts related to IT policies and internal control procedures.
• Recommend appropriate corrective action to address deficient internal controls.
• Follow up with management to ensure that recommended corrective actions have been effectively implemented.
Chapter 1 – Enterprise Risk Management
The initial steps of risk management include:
• analyzing the value of assets to the business,
• identifying threats to those assets, and
• evaluating how vulnerable each asset is to those threats.
Chapter 1 – Enterprise Risk Management
An effective risk-based auditing program should cover all of an organization's major activities. The frequency and depth of each area's audit will vary according to the risk assessment of that area.
Risk-based IT audit programs should:
• Identify the organization's data, application and operating systems, technology, facilities, and personnel.
• Identify the business activities and processes within each of those categories.
• Include profiles of significant business units, departments, and product lines or systems, and their associated business risks and control features, resulting in a document describing the structure of risk and controls throughout the organization.
• Use a measurement or scoring system that ranks and evaluates business and control risks for significant business units, departments and products.
Chapter 1 – Enterprise Risk Management, cont.
Risk-based IT audit programs should also:
• Include board or audit committee approval of risk assessments and annual risk-based audit plans that establish audit schedules, audit cycles, work program scope and resource allocation for each area audited,
• Implement the audit plan through planning, execution, reporting and follow-up,
• Include a process that regularly monitors the risk assessment and updates it at least annually for all significant business units, departments, and products or systems.
Chapter 1 – Testing Procedures for IS Controls
It is management's responsibility to establish and maintain IT controls that meet internal control objectives. When well-designed, these controls can both deter fraud and enable its early detection.
Planning for appropriate audit tests requires that the IS auditor have an understanding of the procedures for testing and evaluating IS controls. These may include:
• Use of generalized audit software to survey the contents of data files (including system logs)
• Use of specialized software to assess the contents of operating system parameter files (or detect deficiencies in system parameter settings)
• Process-charting techniques for documenting automated applications and business processes
• The use of audit logs or reports available in operation/application systems
• Documentation review
• Observation
Chapter 1 – Compliance and Substantive Testing
• Testing may involve identifying the controls for compliance with management policies and procedures – that is, gathering evidence to determine whether they are being applied and functioning as expected.
• The audit may also involve substantive tests, in which evidence is gathered to evaluate the integrity of selected data or individual transactions. Substantive procedures are tests performed to obtain audit evidence to detect material misstatements in the financial statements.
• Because of time and cost constraints, it is often impossible to verify all transactions or events in a specific group of items, so auditors use a sample of that group. This sampling allows auditors to infer characteristics of the entire group based on the characteristics of the sample.
Chapter 1 – Interviewing and Observing
An early step in performance of the audit is interviewing and observing personnel involved in the tasks that will be assessed in the audit. The auditor should:
• Determine who is responsible for performing which functions – and whether these individuals are actually doing so.
• Do a walkthrough of the processes and procedures.
• Observe the security awareness of the individuals involved.
• Investigate reporting relationships, and ensure there is appropriate segregation of duties.
Chapter 1 – Interviewing and Observing
Question: What is the difference between compliance testing and substantive testing?
Answer: Compliance testing determines whether controls are in compliance with management policies and procedures. Substantive testing tests the integrity of actual processing.
Chapter 1 – Tips for Conducting a Successful Interview
1. Know your material, the job function being audited, the inputs and outputs, and the subject's job responsibilities.
2. Be familiar with key terms and acronyms and how they are used within the context of the job function under review.
3. Prepare a few questions, but do not read off a list.
4. Review prior-period work papers and audit reports to gain an understanding of questions that were not asked that should have been. Also, ask what changes have occurred that may have affected the operations under review.
5. Ask open-ended questions wherever possible. Avoid questions that have definite, specific answers.
6. Provide the interviewee with an opportunity to add or elaborate on anything before ending the interview.
Chapter 1 – Sampling
General approaches to audit sampling include statistical sampling and non-statistical (or judgmental) sampling. Either type of sampling requires the auditor to make judgments in defining the population characteristics.
Key steps in choosing a sample include:
• Determine the objectives of the test.
• Define the population to be sampled.
• Determine the sampling method, such as attribute versus variable sampling.
• Calculate the sample size.
• Select the sample.
• Evaluate the sample from an audit perspective.
Determining what constitutes the sample depends on several factors such as access to the individuals in the representative group, the availability of resources to use in the selection of the sample, and the technical expertise of those involved in the data collection.
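The six sampling steps above, worked through as an attribute-sampling compliance test over a constructed change-management log (added example, not from the ISACA material; the population, the control attribute tested and the zero-expected-deviation sizing rule are assumptions):

```python
"""Attribute sampling for a compliance test, walking through the six sampling
steps listed above. Added example; the change-log population, the control
attribute and the zero-expected-deviation sizing rule are assumptions."""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class ChangeRecord:
    """One row of a constructed change-management log (the population)."""
    change_id: str
    approved_by: str   # empty string: no approver recorded
    cab_ticket: str    # empty string: no change-advisory-board ticket


# Step 2, population: 500 constructed change records; a few deliberately lack
# an approver (every 83rd) or a CAB ticket (every 151st).
POPULATION = [
    ChangeRecord(
        change_id=f"CHG-{i:04d}",
        approved_by="" if i % 83 == 0 else "it.manager",
        cab_ticket="" if i % 151 == 0 else f"CAB-{i:04d}",
    )
    for i in range(1, 501)
]


def is_deviation(rec: ChangeRecord) -> bool:
    """Step 1, test objective: the attribute under test is that every change
    was approved and tracked through a CAB ticket. True = control deviation."""
    return not rec.approved_by or not rec.cab_ticket


def attribute_sample_size(confidence: float, tolerable_rate: float) -> int:
    """Step 4, sample size for attribute sampling with zero expected deviations:
    the smallest n such that a population deviating at the tolerable rate would
    show at least one deviation in the sample with the requested confidence,
    i.e. (1 - p)^n <= 1 - confidence."""
    if not 0 < confidence < 1 or not 0 < tolerable_rate < 1:
        raise ValueError("confidence and tolerable_rate must lie in (0, 1)")
    return math.ceil(math.log(1 - confidence) / math.log(1 - tolerable_rate))


def select_sample(population, size: int, seed: int):
    """Step 5, selection: random sampling without replacement. A fixed seed
    lets a reviewer regenerate exactly the same sample from the work papers."""
    if size > len(population):
        raise ValueError("sample size exceeds population size")
    return random.Random(seed).sample(population, size)


def evaluate_sample(sample):
    """Step 6, evaluation. Under zero-expected-deviation sizing, any deviation
    found means the sample does not support relying on the control."""
    deviations = [r.change_id for r in sample if is_deviation(r)]
    return {
        "sample_size": len(sample),
        "deviations": deviations,
        "deviation_rate": len(deviations) / len(sample),
        "rely_on_control": not deviations,
    }


def run_compliance_test(confidence=0.95, tolerable_rate=0.05, seed=2010):
    """Steps 3 to 6 end to end (step 3, method: attribute sampling)."""
    n = attribute_sample_size(confidence, tolerable_rate)
    return evaluate_sample(select_sample(POPULATION, n, seed))


if __name__ == "__main__":
    result = run_compliance_test()
    print(f"sample of {result['sample_size']} records, "
          f"{len(result['deviations'])} deviation(s): {result['deviations']}")
    print("rely on control:", result["rely_on_control"])
```

With 95% confidence and a 5% tolerable deviation rate the sizing rule yields 59 items; the seed is what makes the selection reproducible for a supervisory reviewer.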
Chapter 1 – Computer Assisted Audit Techniques (CAAT)
A software tool is almost a necessity to gather and analyze records from systems that have different hardware and software environments, or different data structures, record formats or processing functions.
CAATs offer a way to access and analyze data for a specific audit objective, and to report the audit findings. The reliability of the information source provides reassurance on the findings produced.
Advantages of CAATs
• Reduced level of audit risk
• Greater independence from the auditee
• Broader and more consistent audit coverage
• Faster availability of information
• Improved exception identification
• Greater opportunity to quantify internal control weaknesses
• Enhanced sampling
• Cost savings over time
Chapter 1 – Computer Assisted Audit Techniques (CAAT)
The following are examples of documentation that should be retained in the auditor's fieldwork papers when using CAATs:
• Online reports detailing high-risk issues for review
• Commented program listings
• Flowcharts
• Sample reports
• Record and file layouts
• Field definitions
• Operating instructions
• Description of applicable source documents
Chapter 1 – Internal Controls
• Internal controls include policies, procedures, practices and organizational structures that are put in place to reduce risk. Their intent is to provide reasonable assurance that the business objectives of the organization will be achieved and that risk events will be prevented, detected, or corrected.
• To implement the control, a control objective is defined for an identified risk. Then, specific control activities or procedures designed to achieve the objective are instituted. These processes and activities, automated or manual, function at all levels in the organization to reduce exposure to risks that could prevent the organization from achieving its business objectives.
Chapter 1 – Internal Controls
Responsibility for establishing a culture that supports internal controls resides with the board of directors and executive management.
A control has two purposes:
• to support the organization's operation objectives, and
• to prevent, detect or correct undesirable events.
Control elements are classified according to those functions – as preventive, detective or corrective.
Chapter 1 – Internal Controls
Control objectives are management objectives used as the
framework for developing and implementing controls or
control procedures. They are statements of the purposes
that control activities or procedures are designed to serve.
Internal controls typically include:
• Internal accounting controls – principally concerned with accounting operations. Examples: the safeguarding of assets, the reliability of financial records
• Operational controls – related to the basic operations, functions and activities to ensure the operation is meeting the business objectives
• Administrative controls – focused on operational efficiency in a functional area and adhering to management policies, including operational controls
Chapter 1 – Example Control Objective
Control Objective: Controls provide reasonable assurance that the organization's electronic funds transfer (EFT) system is protected against unauthorized physical and logical access.
Illustrative controls:
• The responsibility for the development and enforcement of a security policy is at an organizational level that facilitates compliance by organization personnel and enables enforcement of policies and procedures.
• Security policy and procedures are in place, and are communicated to appropriate employees and contractors.
• Policies and procedures are in place for reporting security incidents or observed irregularities to an organizational level at which such matters can be investigated and resolved in a timely fashion.
• Policies and procedures are established for the security of filing, retention and destruction of EFT system files.
Chapter 1 – Example Control Objective
Control Objective: Controls provide reasonable assurance that the organization's electronic funds transfer (EFT) system is protected against unauthorized physical and logical access.
Illustrative controls, cont.:
• Policies and procedures are in place for conducting security system training.
• Policies and procedures are in place for discontinuing an employee's (or contractor's) ability to access EFT hardware, software and data when the employee is terminated or the employee's duties change.
• Access to EFT files or processes is limited based on users' needs.
• Passwords control access to EFT files, personal identification numbers and privacy data.
• Firewalls or other procedures prevent unauthorized access to data from an external network.
• Policies and procedures are in place to prevent unauthorized access to the EFT processing facility.
Chapter 1 – IS Control Objectives
• Safeguarding assets – information on automated systems is secure from improper access and kept up to date.
• Ensuring the integrity of general operating system environments, including network management and operations.
• Ensuring the integrity of sensitive and critical application system environments, including accounting/financial and management information through:
   o Authorization of the input – each transaction is authorized and entered only once.
   o Accuracy and completeness of processing of transactions – all transactions are recorded and entered into the computer for the proper period.
   o Accuracy, completeness and security of the output.
   o Database integrity and availability.
• Complying with the users' requirements, organizational policies and procedures, and applicable laws and regulations.
• Developing business continuity and disaster recovery plans.
• Developing an incident response and handling plan.
• Managing change.
Chapter 1 – IS Control Objectives
Identify for each example whether it is a preventative, detective or corrective control:
• Using internal audit functions
• Completing programmed edit checks
• Checking calculations in duplicate
• Controlling access to physical facilities
• Using encryption software to prevent unauthorized disclosure of data
• Reviewing past-due account reports
• Creating contingency plans
• Checking hash totals
• Implementing backup procedures
(Columns on the slide: Preventative, Detective, Corrective.)
Chapter 1 – IS Control Objectives
Answer: Identify for each example whether it is a preventative, detective or corrective control.
Preventative:
• Completing programmed edit checks
• Controlling access to physical facilities
• Using encryption software to prevent unauthorized disclosure of data
Detective:
• Using internal audit functions
• Checking calculations in duplicate
• Reviewing past-due account reports
• Checking hash totals
Corrective:
• Creating contingency plans
• Implementing backup procedures
Chapter 1 – COBIT
COBIT is a governance framework and supporting tool set that IT organizations can use to ensure
that IT is working as effectively as possible to minimize risk and maximize the benefits of
technology investments.
The COBIT control framework links IT initiatives to the business requirements, organizes IT activities
into a generally accepted process model, identifies the major IT resources to be leveraged and
defines the management control objectives to be considered.
Chapter 1 – COBIT
• The growing adoption of IT best practices has been driven by a requirement for the IT industry to better manage the quality and reliability of IT in business, and to respond to a growing number of regulatory and contractual requirements. The danger, however, is that implementation of these potentially helpful best practices will be costly and unfocused if they are treated as purely technical guidance. To be most effective, best practices should be applied within the business context, focusing on where their use would provide the most benefit to the organization.
• Senior management, business management, auditors, compliance officers and IT managers should work together to make sure that IT best practices lead to cost-effective and well-controlled IT delivery. When developing control recommendations, management should ensure that the controls are well-designed and efficient, that the overall IT operations environment is taken into consideration, and that the controls ultimately assist management in achieving its long-term IT strategic goals.
Chapter 1 – General Controls
To provide reasonable assurance that specific objectives will be achieved, management institutes general control procedures and practices covering:
• Strategy and direction
• General organization and management
• Access to data and programs
• Systems development methodologies and change control
• Data processing operations
• Systems programming and technical support functions
• Data processing quality assurance procedures
• Physical access controls
• Business continuity and disaster recovery planning
• Networks and communications
• Database administration
Chapter 1 – Application Controls
IT application or program controls are fully automated (i.e., performed automatically by the systems) and designed to ensure the complete and accurate processing of data. These controls may also help ensure the privacy and security of data transmitted between applications.
Categories of IT application controls may include:
• Completeness checks – controls that ensure all records were processed from initiation to completion.
• Validity checks – controls that ensure only valid data is input or processed.
• Authentication – controls that provide an authentication mechanism in the application system.
• Authorization – controls that ensure only approved business users have access to the application system.
• Input controls – controls that ensure data integrity fed from upstream sources into the application system.
Source – Wikipedia
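The application-control categories above, and the CAAT use of generalized audit software to survey data files and identify exceptions (earlier slides), shown as one worked check over a constructed transaction batch (added example, not from the ISACA material; the file layout, the hash-total definition, the edit rules and the approver list are assumptions):

```python
"""CAAT-style checks over a constructed transaction batch: the batch header's
control totals support a completeness check, programmed edit checks support
validity, approver and authorization checks, and every failure is reported as
an exception. Added example; the file layout, the hash-total definition and
the approver list are assumptions."""
import csv
import io
from datetime import date
from decimal import Decimal, InvalidOperation

# Constructed list of users authorized to approve transactions.
APPROVERS = {"asmith", "cwong"}

# Constructed batch. Header: H,batch_date,record_count,hash_total,amount_total.
# Detail: D,txn_id,txn_date,account,amount,entered_by,approved_by.
# The header describes four records; the last detail line is a re-submitted
# duplicate of the first, so the batch no longer matches its own control totals.
BATCH_FILE = """\
H,2010-06-30,4,4950,1175.50
D,1001,2010-06-30,1000-22,250.00,jdoe,asmith
D,1002,2010-06-30,1200-07,-75.25,jdoe,asmith
D,1003,2010-06-31,1300-11,400.00,jdoe,
D,1004,2010-06-30,1450-19,600.75,bkim,bkim
D,1001,2010-06-30,1000-22,250.00,jdoe,asmith
"""


def parse_batch(text):
    """Split the batch into its control header and detail records."""
    rows = list(csv.reader(io.StringIO(text)))
    if not rows or rows[0][0] != "H" or any(r[0] != "D" for r in rows[1:]):
        raise ValueError("expected one H record followed by D records")
    header = rows[0]
    control = {"count": int(header[2]), "hash_total": int(header[3]),
               "amount_total": Decimal(header[4])}
    return control, rows[1:]


def account_prefix(account):
    """Hash-total input (assumed): the digits before the dash, 0 if malformed."""
    head = account.split("-")[0]
    return int(head) if head.isdigit() else 0


def safe_amount(text):
    try:
        return Decimal(text)
    except InvalidOperation:
        return Decimal(0)   # non-numeric amounts are reported by the edit checks


def completeness_checks(control, details):
    """Compare the records actually present with the header's control totals."""
    found = {
        "count": len(details),
        "hash_total": sum(account_prefix(r[3]) for r in details),
        "amount_total": sum(safe_amount(r[4]) for r in details),
    }
    return [f"{k}: header {control[k]}, file {found[k]}"
            for k in control if control[k] != found[k]]


def edit_checks(rec, seen_ids):
    """Programmed edit checks on one detail record; returns (txn_id, problem) pairs."""
    if len(rec) != 7:
        return [(rec[1] if len(rec) > 1 else "?", "wrong field count")]
    _, txn_id, txn_date, account, amount, entered_by, approved_by = rec
    problems = []
    if txn_id in seen_ids:
        problems.append("duplicate transaction id")
    seen_ids.add(txn_id)
    try:
        date.fromisoformat(txn_date)
    except ValueError:
        problems.append("invalid date")
    if not (len(account) == 7 and account[4] == "-"
            and account.replace("-", "").isdigit()):
        problems.append("invalid account format")
    try:
        if Decimal(amount) <= 0:
            problems.append("amount not positive")
    except InvalidOperation:
        problems.append("amount not numeric")
    if not approved_by:
        problems.append("no approver recorded")
    elif approved_by not in APPROVERS:
        problems.append("approver not authorized")
    if approved_by and approved_by == entered_by:
        problems.append("entered and approved by the same user")
    return [(txn_id, p) for p in problems]


def run_caat(text=BATCH_FILE):
    """Run completeness and edit checks and return the exception report."""
    control, details = parse_batch(text)
    seen, detail_exceptions = set(), []
    for rec in details:
        detail_exceptions.extend(edit_checks(rec, seen))
    return {"completeness_exceptions": completeness_checks(control, details),
            "detail_exceptions": detail_exceptions}


if __name__ == "__main__":
    report = run_caat()
    for line in report["completeness_exceptions"]:
        print("COMPLETENESS:", line)
    for txn_id, problem in report["detail_exceptions"]:
        print(f"EXCEPTION txn {txn_id}: {problem}")
```

On the constructed batch the control totals disagree on all three counts because of the duplicated record, and the edit checks flag the negative amount, the impossible date, the missing approver, the unauthorized approver and the transaction entered and approved by the same user.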
Chapter 1 – Risk Based Audits
A growing number of organizations are moving to a risk-based audit approach. This approach can influence an IS auditor's decision to perform either compliance testing or substantive testing. Identifying risks and vulnerabilities allows the auditor to determine the controls needed to mitigate those risks.
In a risk-based audit approach, IS auditors do not rely on risk alone. They also rely on internal and operational controls, as well as knowledge of the organization. This type of risk assessment decision can help relate the cost-benefit analysis of the control to the known risk, allowing for practical choices and better cost-benefit recommendations to management.
Knowledge of the relationship between risk and control is important for IS auditors. As an IS auditor, you must be able to:
• Differentiate types of risks related to business, technology and audit
• Identify relevant controls to mitigate these risks
• Evaluate the organization's risk assessment and management techniques
• Assess risk in order to plan audit work
Chapter 1 – Risk Based Audits
Risk-based IS audit programs should include:
• Profiles of significant business units, departments and products, including:
   o Data
   o Applications and operating systems
   o Technology
   o Facilities
   o Personnel
• Associated business risks and control features
• Board or audit committee approval of risk assessments and annual risk-based audit plans
• A documented process to monitor the risk assessment and update it (at least annually) for all significant business units, departments and products
Chapter 1 – Risk Based Audit Approach
Gather Information and Plan
• Knowledge of business and industry
• Prior year's audit results
• Recent financial information
• Regulatory statutes
• Inherent risk assessment
Obtain Understanding of Internal Control
• Control environment
• Control procedures
• Detection risk assessment
• Control risk assessment
• Equate total risk
Chapter 1 – Risk Based Audit Approach, cont.
Perform Compliance Tests
• Identify key controls to be tested
• Perform tests on reliability, risk prevention, and adherence to organization policies and procedures
Perform Substantive Tests
• Analytical procedures
• Detailed tests of account balances
• Other substantive audit procedures
Conclude the Audit
• Create recommendations
• Write audit report
Chapter 1 – Risk Identification
When identifying risk, there are three elements to assess:
• Threats to, and vulnerabilities of, processes and assets (including both physical and information assets)
• Impact on assets based on threats and vulnerabilities
• Probabilities of threats (combination of the likelihood and frequency of occurrence)
Although auditors need to be aware of all potential risks, operational risk is the primary risk associated with information technology. Operational risk (also referred to as transaction risk) is the risk of loss resulting from inadequate or failed processes, people or systems.
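A scoring system of the kind the Enterprise Risk Management slides call for, built from the three risk-identification elements above and ranking audit areas so that audit frequency follows risk (added example, not from the ISACA material; the audit universe, the 1..5 scales, the control adjustment and the cycle bands are constructed assumptions):

```python
"""Risk scoring and ranking for a risk-based audit plan. Each audit area is
rated on the three risk-identification elements (asset value as impact,
threat probability, vulnerability), adjusted for assessed control strength,
ranked, and mapped to an audit cycle. Added example; the audit universe, the
1..5 scales, the control adjustment and the cycle bands are assumptions."""
from dataclasses import dataclass

SCALE = range(1, 6)   # every factor is rated 1 (low) .. 5 (high)
FACTORS = ("asset_value", "threat_likelihood", "vulnerability", "control_strength")


@dataclass(frozen=True)
class AuditArea:
    name: str
    asset_value: int        # impact on the business if the asset is compromised
    threat_likelihood: int  # probability and frequency of threats to the asset
    vulnerability: int      # how exposed the asset is to those threats
    control_strength: int   # assessed strength of the controls already in place

    def __post_init__(self):
        for field in FACTORS:
            if getattr(self, field) not in SCALE:
                raise ValueError(f"{self.name}: {field} must be rated 1..5")


def inherent_risk(area):
    """Risk before considering controls: impact x probability x vulnerability (1..125)."""
    return area.asset_value * area.threat_likelihood * area.vulnerability


def residual_risk(area):
    """Inherent risk scaled by control strength (assumed linear): strength 5
    leaves one fifth of the inherent risk, strength 1 leaves all of it."""
    return inherent_risk(area) * (6 - area.control_strength) / 5


def audit_cycle_months(score):
    """Cycle bands (assumed): the highest-risk areas are audited every year."""
    if score >= 40:
        return 12
    if score >= 15:
        return 24
    return 36


def build_plan(areas):
    """Rank the audit universe by residual risk and attach an audit cycle to each area."""
    plan = []
    for area in sorted(areas, key=residual_risk, reverse=True):
        score = residual_risk(area)
        plan.append({"name": area.name,
                     "inherent": inherent_risk(area),
                     "residual": round(score, 1),
                     "cycle_months": audit_cycle_months(score)})
    return plan


# Constructed audit universe (name, asset value, threat likelihood, vulnerability, control strength).
AUDIT_UNIVERSE = [
    AuditArea("EFT system", 5, 4, 3, 2),
    AuditArea("Payroll application", 4, 3, 3, 4),
    AuditArea("Public web site", 3, 5, 3, 2),
    AuditArea("HR intranet", 2, 3, 4, 3),
    AuditArea("Data center physical access", 5, 2, 2, 5),
    AuditArea("Development test environment", 2, 4, 5, 1),
]

if __name__ == "__main__":
    for row in build_plan(AUDIT_UNIVERSE):
        print(f"{row['name']:30} inherent {row['inherent']:3}  "
              f"residual {row['residual']:5}  audit every {row['cycle_months']} months")
```

The ranking is what the plan is built from: the EFT system and the weakly controlled test environment land in the annual cycle, while the well-controlled data center drops to the three-year cycle despite its high asset value.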
Chapter 1 – Responding to Risks
After identifying and quantifying risks, the decision must be made as to how to respond to them.
Below are the main response strategies for risks.
• Risk avoidance
• Risk acceptance
• Risk transference
• Risk mitigation
Audit planning should address the highest-risk areas within the organization, given the resources available to the internal audit department. Changes to the audit plan may require direct communication/approval from the organization's Audit Committee.
Chapter 1 – Risks
Instructions: Here are five elements of a risk-based audit. Determine the order in which
they should be performed.
Audit Elements
Perform substantive audit procedures
Conduct detection risk assessment
Conduct inherent risk assessment
Develop recommendations
Perform tests on reliability and risk prevention
Chapter 1 – Risks
Answer: Here are five elements of a risk-based audit. Determine the order in which they
should be performed.
The correct order is:
1: Conduct inherent risk assessment
2: Conduct detection risk assessment
3: Perform tests on reliability and risk prevention
4: Perform substantive audit procedures
5: Create recommendations
Chapter 1 – Risks
Instructions: Here are four types of risk and four definitions. Match each risk to its
definition.
Risk
Control risk
Detection risk
Inherent risk
Overall audit risk
Descriptions
The susceptibility of an audit area to error that could be material, assuming that there
were no related internal controls
The risk that a material error exists – an error that the internal controls system will not
prevent or detect in a timely manner
A combination of the individual types of audit risks for each control objective
The risk of an IS auditor using an inadequate test procedure and concluding that
material errors do not exist when, in fact, they do exist
Chapter 1 – Risks
Answers
Each type of risk is followed by its definition.
Control risk
The risk that a material error exists – an error that the internal controls system will not
prevent or detect in a timely manner
Detection risk
The risk of an IS auditor using an inadequate test procedure and concluding that
material errors do not exist when, in fact, they do exist
Inherent risk
The susceptibility of an audit area to error that could be material, assuming that there
were no related internal controls
Overall audit risk
A combination of the individual types of audit risks for each control objective
Chapter 1 – Report Audit Findings
In advance of presenting an audit report to senior
management, the IS auditor should discuss the findings
with management of the audited area. These
discussions help ensure that there have been no
misunderstandings or misinterpretations of fact. They
give the auditee the opportunity to clarify items and
express views on the findings, conclusions and
recommendations.
The objective of these discussions is to gain agreement
and develop a course of corrective action. Where
disagreement occurs, the IS auditor should describe the
significance of the findings, and the risks and effects of
not taking corrective action.
Chapter 1 – Audit Report Contents
The audit report should contain:
• An introduction with a purpose statement describing the audit objectives, and informing the reader why the audit was conducted and what was expected to be achieved
• Scope statements – identify the audited activities and supportive information such as the time period audited
• Background information and summaries – identify the organizational units and functions reviewed, and provide relevant explanatory information
• Status of findings, conclusions and recommendations from prior reports
• Information about whether the report covers a scheduled audit or is in response to a request
• Identification of related activities that were not audited, to delineate the boundaries of the audit
• Description of the nature and extent of auditing steps performed
• Results – including findings, conclusions on the adequacy of controls and procedures and recommendations
Chapter 1 – Audit Report Supporting Documents
In addition to the audit report, the IS auditor should also keep detailed records in the form of supporting audit documentation. At a minimum, the supporting documentation should include detailed information on the following:
• Planning and preparation of the audit scope and objectives
• Description and/or walkthroughs of the scoped audit area
• Audit program
• Audit steps performed and audit evidence gathered
• Use of services of other auditors and experts
• Audit findings, conclusions and recommendations
• Constraints on the conduct of the audit
   o Availability of audit staff
   o Auditee constraints
Chapter 1 – Audit Report
The IS auditor is ultimately responsible to senior management and
the organization's audit committee. Even though the IS auditor
should discuss the findings with the management staff of the
audited entity, this is done only to gain agreement on the findings
and develop a course of corrective action. The IS audit director
should review the report that the IS auditor prepared, but is not
the person who will make the decisions regarding the findings and
their potential consequences. The responsibility for reporting to
legal authorities rests with the board of directors and their legal
counselors.
Chapter 1 – Management Response
In response to the audit results, management should commit to a
program of corrective action, with dates by which the action plan
will be implemented.
Although management is responsible for deciding the appropriate
actions to be taken in response to the reported audit findings, the
IS auditor is responsible for assessing management actions for
timely resolution of the audit findings.
However, senior management may decide to assume the risk of
not correcting the reported conditions because of cost or other
considerations. The IS auditor should follow up to determine
whether such a decision has been made.
Chapter 1 – Control Self-Assessment
The principal objective of a CSA program is to shift certain control-monitoring
responsibilities to the functional areas and, in this way, enhance the audit
function.
The program works to educate management about control design and
monitoring, concentrating especially on high-risk areas. Line management
becomes responsible for both managing and monitoring the controls in its
environment. A CSA program is intended to offer support for the monitoring
process such as suggestions for the control environment or workshops to
empower workers to assess or design the control environment.
Each phase of a CSA program should have specific success measures associated
with it to assess the value of the program. COBIT includes a generic set of goals
and metrics for each process that can be used in creating the CSA program.
The role of the IS auditor in this process should be that of a facilitator, and the
management of the functional area is the participant. During a CSA workshop,
the auditor – instead of performing detailed audit procedures – leads and
guides the participants in assessing their environment by providing insight
about the objectives of controls based on risk assessment.
Chapter 1 – Control Self-Assessment Advantages
The benefits of CSA include:
• Early detection of risks
• More effective and improved internal controls
• Creation of cohesive teams through employee involvement
• Increased employee awareness of organizational objectives, and knowledge of risk and internal controls
• Increased communication between operational and top management
• Improved audit rating process
• Reduction in control cost
• Assurance to executive management, stakeholders and customers
Chapter 1 – Control Self-Assessment Disadvantages
Potential disadvantages of CSA include the following:
• It could be mistaken for an audit function replacement
• It may be regarded as additional workload
• Failure to act on improvement suggestions could damage employee morale
• Lack of motivation may limit effectiveness in the detection of weak controls
Chapter 1 – Control Self-Assessment Disadvantages
Instructions: Select all that apply.
Which of the following are potential benefits of CSA?
• Provides early detection of risks
• Reduces costs by replacing the audit function with self-monitoring
• Increases employee awareness of internal controls
• Works especially well in a very hierarchical management environment
Chapter 1 – Control Self-Assessment Disadvantages
Answer:
CSA provides early detection of risks and increases employee
awareness of internal controls. Because it is designed to empower
staff members to play an active role in assessing their internal
controls, it may not work well in organizations with a very
hierarchical management environment. CSA is not intended to
replace the audit function.