
5/12/2013

CISA REVIEW
The material provided in this slideshow came directly from Certified Information Systems Auditor (CISA) Review Material 2010 by ISACA.

Chapter 1: Learning Objectives
Develop and implement a risk-based IS audit strategy for the organization in compliance with IS audit standards, guidelines and best practices.
Plan specific audits to ensure IT and business systems are protected and controlled.
Conduct audits in accordance with IS audit standards, guidelines and best practices to meet planned audit objectives.
Communicate emerging issues, potential risks and audit results to key stakeholders.
Advise on the implementation of risk management and control practices within the organization, while maintaining independence.

Chapter 1: The IS Audit Process

IS audit is defined as: collect and evaluate evidence to determine whether the information systems and related resources adequately safeguard assets, maintain data and system integrity, provide relevant and reliable information, achieve organizational goals effectively, and consume resources efficiently.

An IS audit is intended to: assess whether internal controls provide reasonable assurance that business, operational and control objectives will be met, and that undesired events will be prevented, or detected and corrected, in a timely manner.

Chapter 1: The IS Audit Process, cont.

IS auditors are expected to comply with a code of professional ethics, and to conduct their work in accordance with specific standards, guidelines, and procedures. You will not be tested on the precise text of the various standards, guidelines and procedures. Rather, the exam will focus on your understanding of them and how they are applied in specific situations.

Chapter 1: The Audit Charter

An audit charter establishes the role of the IS audit function. An IS audit can be integrated within the financial or operational audit, or it can be part of an internal audit. The charter should include:
A clear statement of management's responsibility and objectives for the audit function
Management's delegation of authority to the audit function
The overall authority, scope and responsibilities of the audit function
The reporting lines and relationships


Chapter 1: The Audit Charter, cont.
A definition of the organizational independence of the internal audit, including accountability of the audit and provision for objective assessment of its resource requirements
A recognition of the control environment of the organization (operations, resources, services, responsibilities to external entities)
The internal audit's right of access to all records, assets, personnel and premises, including those of partner organizations
The internal audit's authority to obtain the information and explanations it considers necessary to fulfill its responsibilities
The charter should be approved at the highest management level and by the audit committee if available. Once the charter has been established, any changes must be thoroughly justified.

Chapter 1: Audit Objectives

Audit objectives refer to the specific goals of the audit. These objectives often are centered on substantiating that internal controls are functioning to minimize business risk. The audit objectives, then, need to be translated into specific IS audit objectives.
For example, for a financial audit, an internal control is designed to ensure transactions are posted correctly to the general ledger. The audit objective is to determine whether this control is performing as intended. The corresponding IS audit objective might be to make sure that editing features are in place to detect errors in the transaction coding that may affect the posting of the transactions.

Chapter 1: Audit Documentation

In addition to the audit plan, the documentation for an IS audit includes:
A description or diagram of the IS environment
Audit programs
Minutes of meetings
Audit evidence
Findings
Conclusions and recommendations
Any report issued as a result of the audit work
Supervisory review comments, if any

Chapter 1: Audit Documentation, cont.
At a minimum, documentation should include a record of the:
Planning and preparation of the audit scope and objectives
Description and/or walkthroughs on the scoped audit area
Audit program
Audit steps performed and audit evidence gathered
Use of services of other auditors and experts
Audit findings, conclusions and recommendations
The documentation should also include evidence of supervisory review and the report that was issued as a result of the audit work. Also necessary is any audit information required by contractual stipulations, regulations, laws and professional standards.

Chapter 1: IT Audit Program
An effectively planned and developed IT audit program should:
Identify areas of greatest IT risk exposure to the organization.
Promote the confidentiality, integrity and availability of information systems.
Determine the effectiveness of management's planning and oversight of IT activities.
Evaluate the adequacy of operating processes and internal controls.
Determine the adequacy of enterprise-wide compliance efforts related to IT policies and internal control procedures.
Recommend appropriate corrective action to address deficient internal controls.
Follow up with management to ensure that recommended corrective actions have been effectively implemented.

Chapter 1: Enterprise Risk Management

The initial steps of risk management include: analyzing the value of assets to the business, identifying threats to those assets, and evaluating how vulnerable each asset is to those threats.


Chapter 1: Enterprise Risk Management, cont.
An effective risk-based auditing program should cover all of an organization's major activities. The frequency and depth of each area's audit will vary according to the risk assessment of that area.
Risk-based IT audit programs should:
Identify the organization's data, application and operating systems, technology, facilities, and personnel.
Identify the business activities and processes within each of those categories.
Include profiles of significant business units, departments, and product lines or systems, and their associated business risks and control features, resulting in a document describing the structure of risk and controls throughout the organization.
Use a measurement or scoring system that ranks and evaluates business and control risks for significant business units, departments and products.

Chapter 1: Enterprise Risk Management, cont.
Risk-based IT audit programs should also:
Include board or audit committee approval of risk assessments and annual risk-based audit plans that establish audit schedules, audit cycles, work program scope and resource allocation for each area audited.
Implement the audit plan through planning, execution, reporting and follow-up.
Include a process that regularly monitors the risk assessment and updates it at least annually for all significant business units, departments, and products or systems.

Chapter 1: Testing Procedures for IS Controls
It is management's responsibility to establish and maintain IT controls that meet internal control objectives. When well designed, these controls can both deter fraud and enable its early detection.
Planning for appropriate audit tests requires that the IS auditor have an understanding of the procedures for testing and evaluating IS controls. These may include:
Use of generalized audit software to survey the contents of data files (including system logs)
Use of specialized software to assess the contents of operating system parameter files (or detect deficiencies in system parameter settings)
Process charting techniques for documenting automated applications and business processes
The use of audit logs or reports available in operation/application systems
Documentation review
Observation

Chapter 1: Compliance and Substantive Testing

Testing may involve identifying the controls for compliance with management policies and procedures, that is, gathering evidence to determine whether they are being applied and functioning as expected.
The audit may also involve substantive tests, in which evidence is gathered to evaluate the integrity of selected data or individual transactions. Substantive procedures are tests performed to obtain audit evidence to detect material misstatements in the financial statements.
Because of time and cost constraints, it is often impossible to verify all transactions or events in a specific group of items, so auditors use a sample of that group. This sampling allows auditors to infer characteristics of the entire group based on the characteristics of the sample.

Chapter 1: Interviewing and Observing

An early step in performance of the audit is interviewing and observing personnel involved in the tasks that will be assessed in the audit. The auditor should:
Determine who is responsible for performing which functions and whether these individuals are actually doing so.
Do a walkthrough of the processes and procedures.
Observe the security awareness of the individuals involved.
Investigate reporting relationships, and ensure there is appropriate segregation of duties.

Question: What is the difference between compliance testing and substantive testing?


Chapter 1: Tips for Conducting a Successful Interview
1. Know your material, the job function being audited, the inputs and outputs, and the subject's job responsibilities.
2. Be familiar with key terms and acronyms and how they are used within the context of the job function under review.
3. Prepare a few questions, but do not read off a list.
4. Review prior period work papers and audit reports to gain an understanding of questions that were not asked that should have been. Also, ask what changes have occurred that may have affected the operations under review.
5. Ask open-ended questions wherever possible. Avoid questions that have definite, specific answers.
6. Provide the interviewee with an opportunity to add or elaborate on anything before ending the interview.

Answer: What is the difference between compliance testing and substantive testing?
Compliance testing determines whether controls are in compliance with management policies and procedures. Substantive testing tests the integrity of actual processing.

Chapter 1: Sampling
General approaches to audit sampling include statistical sampling and nonstatistical (or judgmental) sampling. Either type of sampling requires the auditor to make judgments in defining the population characteristics.
Key steps in choosing a sample include:
Determine the objectives of the test.
Define the population to be sampled.
Determine the sampling method, such as attribute versus variable sampling.
Calculate the sample size.
Select the sample.
Evaluate the sample from an audit perspective.
Determining what constitutes the sample depends on several factors such as access to the individuals in the representative group, the availability of resources to use in the selection of the sample, and the technical expertise of those involved in the data collection.

Chapter 1: Computer-Assisted Audit Techniques (CAAT)
A software tool is almost a necessity to gather and analyze records from systems that have different hardware and software environments, or different data structures, record formats or processing functions. CAATs offer a way to access and analyze data for a specific audit objective, and to report the audit findings. The reliability of the information source provides reassurance on the findings produced.
Advantages of CAATs:
Reduced level of audit risk
Greater independence from the auditee
Broader and more consistent audit coverage
Faster availability of information
Improved exception identification
Greater opportunity to quantify internal control weaknesses
Enhanced sampling
Cost savings over time

Chapter 1: Computer-Assisted Audit Techniques (CAAT), cont.

The following are examples of documentation that should be retained in the auditor's field work papers when using CAATs:
Online reports detailing high-risk issues for review
Commented program listings
Flowcharts
Sample reports
Record and file layouts
Field definitions
Operating instructions
Description of applicable source documents

Chapter 1: Internal Controls

Internal controls include policies, procedures, practices and organizational structures that are put in place to reduce risk. Their intent is to provide reasonable assurance that the business objectives of the organization will be achieved and that risk events will be prevented, detected, or corrected.
To implement the control, a control objective is defined for an identified risk. Then, specific control activities or procedures designed to achieve the objective are instituted. These processes and activities, automated or manual, function at all levels in the organization to reduce exposure to risks that could prevent the organization from achieving its business objectives.


Chapter 1: Internal Controls, cont.

Control objectives are management objectives used as the framework for developing and implementing controls or control procedures. They are statements of the purposes that control activities or procedures are designed to serve.

Responsibility for establishing a culture that supports internal controls resides with the board of directors and executive management.
A control has two purposes:
to support the organization's operation objectives, and
to prevent, detect or correct undesirable events.
Control elements are classified according to those functions as preventive, detective or corrective.

Internal controls typically include:
Internal accounting controls: principally concerned with accounting operations. Examples: the safeguarding of assets, the reliability of financial records
Operational controls: related to the basic operations, functions and activities to ensure the operation is meeting the business objectives
Administrative controls: focused on operational efficiency in a functional area and adhering to management policies, including operational controls

Chapter 1: Example Control Objective
Control Objective: Controls provide reasonable assurance that the organization's electronic funds transfer (EFT) system is protected against unauthorized physical and logical access.
Illustrative controls:
The responsibility for the development and enforcement of a security policy is at an organizational level that facilitates compliance by organization personnel and enables enforcement of policies and procedures.
Security policy and procedures are in place, and are communicated to appropriate employees and contractors.
Policies and procedures are in place for reporting security incidents or observed irregularities to an organizational level at which such matters can be investigated and resolved in a timely fashion.
Policies and procedures are established for the security of filing, retention and destruction of EFT system files.

Chapter 1: Example Control Objective, cont.
Control Objective: Controls provide reasonable assurance that the organization's electronic funds transfer (EFT) system is protected against unauthorized physical and logical access.
Illustrative controls, cont.:
Policies and procedures are in place for conducting security system training.
Policies and procedures are in place for discontinuing an employee's (or contractor's) ability to access EFT hardware, software and data when the employee is terminated or the employee's duties change.
Access to EFT files or processes is limited based on users' needs.
Passwords control access to EFT files, personal identification numbers and privacy data.
Firewalls or other procedures prevent unauthorized access to data from an external network.
Policies and procedures are in place to prevent unauthorized access to the EFT processing facility.

Chapter 1: IS Control Objectives
Safeguarding assets: information on automated systems is secure from improper access and kept up to date.
Ensuring the integrity of general operating system environments, including network management and operations.
Ensuring the integrity of sensitive and critical application system environments, including accounting/financial and management information, through:
o Authorization of the input: each transaction is authorized and entered only once.
o Accuracy and completeness of processing of transactions: all transactions are recorded and entered into the computer for the proper period.
o Accuracy, completeness and security of the output.
o Database integrity and availability.
Complying with the users' requirements, organizational policies and procedures, and applicable laws and regulations.
Developing business continuity and disaster recovery plans.
Developing an incident response and handling plan.
Managing change.

Chapter 1: IS Control Objectives, cont.
Identify for each example whether it is a preventative, detective or corrective control.
Using internal audit functions
Completing programmed edit checks
Checking calculations in duplicate
Controlling access to physical facilities
Using encryption software to prevent unauthorized disclosure of data
Reviewing past-due account reports
Creating contingency plans
Checking hash totals
Implementing backup procedures
Columns: Preventative / Detective / Corrective


Chapter 1: IS Control Objectives, cont.
Answer: Identify for each example whether it is a preventative, detective or corrective control.
Using internal audit functions
Completing programmed edit checks
Checking calculations in duplicate
Controlling access to physical facilities
Using encryption software to prevent unauthorized disclosure of data
Reviewing past-due account reports
Creating contingency plans
Checking hash totals
Implementing backup procedures
[Answer grid: the slide marks each example with an X under Preventative, Detective or Corrective; the column placement of the marks is not recoverable from the extracted text.]

Chapter 1: COBIT
COBIT is a governance framework and supporting toolset that IT organizations can use to ensure that IT is working as effectively as possible to minimize risk and maximize the benefits of technology investments.
The COBIT control framework links IT initiatives to the business requirements, organizes IT activities into a generally accepted process model, identifies the major IT resources to be leveraged and defines the management control objectives to be considered.

Chapter 1: COBIT, cont.
The growing adoption of IT best practices has been driven by a requirement for the IT industry to better manage the quality and reliability of IT in business, and to respond to a growing number of regulatory and contractual requirements. The danger, however, is that implementation of these potentially helpful best practices will be costly and unfocused if they are treated as purely technical guidance. To be most effective, best practices should be applied within the business context, focusing on where their use would provide the most benefit to the organization.
Senior management, business management, auditors, compliance officers and IT managers should work together to make sure that IT best practices lead to cost-effective and well-controlled IT delivery. When developing control recommendations, management should ensure that the controls are well designed and efficient, that the overall IT operations environment is taken into consideration, and that the controls ultimately assist management in achieving its long-term IT strategic goals.

Chapter 1: General Controls
To provide reasonable assurance that specific objectives will be achieved, management institutes general control procedures and practices:
Strategy and direction
General organization and management
Access to data and programs
Systems development methodologies and change control
Data processing operations
Systems programming and technical support functions
Data processing quality assurance procedures
Physical access controls
Business continuity and disaster recovery planning
Networks and communications
Database administration

Chapter 1: Application Controls
IT application or program controls are fully automated (i.e., performed automatically by the systems) and designed to ensure the complete and accurate processing of data. These controls may also help ensure the privacy and security of data transmitted between applications.
Categories of IT application controls may include:
Completeness checks: controls that ensure all records were processed from initiation to completion.
Validity checks: controls that ensure only valid data is input or processed.
Authentication: controls that provide an authentication mechanism in the application system.
Authorization: controls that ensure only approved business users have access to the application system.
Input controls: controls that ensure data integrity fed from upstream sources into the application system.
Source: Wikipedia

Chapter 1: Risk-Based Audits
A growing number of organizations are moving to a risk-based audit approach. This approach can influence an IS auditor's decision to perform either compliance testing or substantive testing. Identifying risks and vulnerabilities allows the auditor to determine the controls needed to mitigate those risks.
In a risk-based audit approach, IS auditors are not just relying on risk. You are also relying on internal and operational controls, as well as knowledge of the organization. This type of risk assessment decision can help relate the cost-benefit analysis of the control to the known risk, allowing for practical choices and better cost-benefit recommendations to management.
Knowledge of the relationship between risk and control is important for IS auditors. As an IS auditor, you must be able to:
Differentiate types of risks related to business, technology and audit
Identify relevant controls to mitigate these risks
Evaluate the organization's risk assessment and management techniques
Assess risk in order to plan audit work


Chapter 1: Risk-Based Audits, cont.

Risk-based IS audit programs should include:
Profiles of significant business units, departments and products, including:
o Data
o Applications and operating systems
o Technology
o Facilities
o Personnel
Associated business risks and control features
Board or audit committee approval of risk assessments and annual risk-based audit plans
A documented process to monitor the risk assessment and update it (at least annually) for all significant business units, departments and products

Chapter 1: Risk-Based Audit Approach
Gather Information and Plan
o Knowledge of business and industry
o Prior year's audit results
o Recent financial information
o Regulatory statutes
o Inherent risk assessment
Obtain Understanding of Internal Control
o Control environment
o Control procedures
o Detection risk assessment
o Control risk assessment
o Equate total risk

Chapter 1: Risk-Based Audit Approach, cont.
Perform Compliance Tests
o Identify key controls to be tested
o Perform tests on reliability, risk prevention, and adherence to organization policies and procedures
Perform Substantive Tests
o Analytical procedures
o Detailed tests of account balances
o Other substantive audit procedures
Conclude the Audit
o Create recommendations
o Write audit report

Chapter 1: Risk Identification
When identifying risk, there are three elements to assess:
Threats to, and vulnerabilities of, processes and assets (including both physical and information assets)
Impact on assets based on threats and vulnerabilities
Probabilities of threats (combination of the likelihood and frequency of occurrence)
Although auditors need to be aware of all potential risks, operational risk is the primary risk associated with information technology. Operational risk (also referred to as transaction risk) is the risk of loss resulting from inadequate or failed processes, people or systems.

Chapter 1: Responding to Risks

After identifying and quantifying risks, the decision must be made as to how to respond to them. Below are the main response strategies for risks.
Risk avoidance
Risk acceptance
Risk transference
Risk mitigation
Audit planning should address the highest-risk areas within the organization, given the resources available to the internal audit department. Changes to the audit plan may require direct communication/approval from the organization's Audit Committee.

Chapter 1: Risks
Instructions: Here are five elements of a risk-based audit. Determine the order in which they should be performed.
Audit Elements:
Perform substantive audit procedures
Conduct detection risk assessment
Conduct inherent risk assessment
Develop recommendations
Perform tests on reliability and risk prevention


Chapter 1: Risks, cont.
Answer: Here are five elements of a risk-based audit. Determine the order in which they should be performed.
The correct order is:
1: Conduct inherent risk assessment
2: Conduct detection risk assessment
3: Perform tests on reliability and risk prevention
4: Perform substantive audit procedures
5: Create recommendations

Chapter 1: Risks, cont.
Instructions: Here are four types of risk and four definitions. Match each risk to its definition.
Risk:
Control risk
Detection risk
Inherent risk
Overall audit risk
Descriptions:
The susceptibility of an audit area to error that could be material, assuming that there were no related internal controls
The risk that a material error exists, an error that the internal controls system will not prevent or detect in a timely manner
A combination of the individual types of audit risks for each control objective
The risk of an IS auditor using an inadequate test procedure and concluding that material errors do not exist when, in fact, they do exist

Chapter 1: Risks, cont.
Answers: Each type of risk is followed by its definition.
Control risk: The risk that a material error exists, an error that the internal controls system will not prevent or detect in a timely manner
Detection risk: The risk of an IS auditor using an inadequate test procedure and concluding that material errors do not exist when, in fact, they do exist
Inherent risk: The susceptibility of an audit area to error that could be material, assuming that there were no related internal controls
Overall audit risk: A combination of the individual types of audit risks for each control objective

Chapter 1: Report Audit Findings

In advance of presenting an audit report to senior management, the IS auditor should discuss the findings with management of the audited area. These discussions help ensure that there have been no misunderstandings or misinterpretations of fact. They give the auditee the opportunity to clarify items and express views on the findings, conclusions and recommendations.
The objective of these discussions is to gain agreement and develop a course of corrective action. Where disagreement occurs, the IS auditor should describe the significance of the findings, and the risks and effects of not taking corrective action.

Chapter 1: Audit Report Contents
The audit report should contain:
An introduction with a purpose statement describing the audit objectives, and informing the reader why the audit was conducted and what was expected to be achieved
Scope statements: identify the audited activities and supportive information such as the time period audited
Background information and summaries: identify the organizational units and functions reviewed, and provide relevant explanatory information
Status of findings, conclusions and recommendations from prior reports
Information about whether the report covers a scheduled audit or is in response to a request
Identification of related activities that were not audited, to delineate the boundaries of the audit
Description of the nature and extent of auditing steps performed
Results, including findings, conclusions on the adequacy of controls and procedures, and recommendations

Chapter 1: Audit Report Supporting Documents
In addition to the audit report, the IS auditor should also maintain detailed records in the form of supporting audit documentation. At a minimum, the supporting documentation should include detailed information on the following:
Planning and preparation of the audit scope and objectives
Description and/or walkthroughs on the scoped audit area
Audit program
Audit steps performed and audit evidence gathered
Use of services of other auditors and experts
Audit findings, conclusions and recommendations
Constraints on the conduct of the audit
o Availability of audit staff
o Auditee constraints


Chapter 1: Audit Report
The IS auditor is ultimately responsible to senior management and the organization's audit committee. Even though the IS auditor should discuss the findings with the management staff of the audited entity, this is done only to gain agreement on the findings and develop a course of corrective action. The IS audit director should review the report that the IS auditor prepared, but is not the person who will make the decisions regarding the findings and their potential consequences. The responsibility for reporting to legal authorities rests with the board of directors and their legal counselors.

Chapter 1: Management Response
In response to the audit results, management should commit to a program of corrective action, with dates by which the action plan will be implemented.
Although management is responsible for deciding the appropriate actions to be taken in response to the reported audit findings, the IS auditor is responsible for assessing management actions for timely resolution of the audit findings.
However, senior management may decide to assume the risk of not correcting the reported conditions because of cost or other considerations. The IS auditor should follow up to determine whether such a decision has been made.

Chapter 1: Control Self-Assessment
The principal objective of a CSA program is to shift certain control monitoring responsibilities to the functional areas and, in this way, enhance the audit function. The program works to educate management about control design and monitoring, concentrating especially on high-risk areas. Line management becomes responsible for both managing and monitoring the controls in its environment. A CSA program is intended to offer support for the monitoring process, such as suggestions for the control environment or workshops to empower workers to assess or design the control environment.
Each phase of a CSA program should have specific success measures associated with it to assess the value of the program. COBIT includes a generic set of goals and metrics for each process that can be used in creating the CSA program.
The role of the IS auditor in this process should be that of a facilitator, and the management of the functional area is the participant. During a CSA workshop, the auditor, instead of performing detailed audit procedures, leads and guides the participants in assessing their environment by providing insight about the objectives of controls based on risk assessment.

Chapter 1: Control Self-Assessment Advantages
The benefits of CSA include:
Early detection of risks
More effective and improved internal controls
Creation of cohesive teams through employee involvement
Increased employee awareness of organizational objectives, and knowledge of risk and internal controls
Increased communication between operational and top management
Improved audit rating process
Reduction in control cost
Assurance to executive management, stakeholders and customers

Chapter 1: Control Self-Assessment Disadvantages
Potential disadvantages of CSA include the following:
It could be mistaken for an audit function replacement
It may be regarded as additional workload
Failure to act on improvement suggestions could damage employee morale
Lack of motivation may limit effectiveness in the detection of weak controls

Chapter 1: Control Self-Assessment Disadvantages, cont.
Instructions: Select all that apply. Which of the following are potential benefits of CSA?
Provides early detection of risks
Reduces costs by replacing the audit function with self-monitoring
Increases employee awareness of internal controls
Works especially well in a very hierarchical management environment


Chapter 1: Control Self-Assessment Disadvantages, cont.
Answer: CSA provides early detection of risks and increases employee awareness of internal controls. Because it is designed to empower staff members to play an active role in assessing their internal controls, it may not work well in organizations with a very hierarchical management environment. CSA is not intended to replace the audit function.

