CISA REVIEW

The material provided in this slideshow came directly from Certified Information Systems Auditor (CISA) Review Material 2010 by ISACA.
Chapter 1: Learning Objectives

- Develop and implement a risk-based IS audit strategy for the organization in compliance with IS audit standards, guidelines and best practices.
- Plan specific audits to ensure IT and business systems are protected and controlled.
- Conduct audits in accordance with IS audit standards, guidelines and best practices to meet planned audit objectives.
- Communicate emerging issues, potential risks and audit results to key stakeholders.
- Advise on the implementation of risk management and control practices within the organization, while maintaining independence.
Chapter 1: The IS Audit Process

IS audit is defined as: the process of collecting and evaluating evidence to determine whether the information systems and related resources adequately safeguard assets, maintain data and system integrity, provide relevant and reliable information, achieve organizational goals effectively, and consume resources efficiently.

An IS audit is intended to assess whether internal controls provide reasonable assurance that business, operational and control objectives will be met, and that undesired events will be prevented, or detected and corrected, in a timely manner.
Chapter 1: The Audit Charter

An audit charter establishes the role of the IS audit function. An IS audit can be integrated within the financial or operational audit, or it can be part of an internal audit. The charter should include:
- A clear statement of management's responsibility and objectives for the audit function
- Management's delegation of authority to the audit function
- The overall authority, scope and responsibilities of the audit function
- The reporting lines and relationships
5/12/2013
Chapter 1: The Audit Charter, cont.

- A definition of the organizational independence of the internal audit, including accountability of the audit and provision for objective assessment of its resource requirements
- A recognition of the control environment of the organization (operations, resources, services, responsibilities to external entities)
- The internal audit's right of access to all records, assets, personnel and premises, including those of partner organizations
- The internal audit's authority to obtain the information and explanations it considers necessary to fulfill its responsibilities

The charter should be approved at the highest management level and by the audit committee if available. Once the charter has been established, any changes must be thoroughly justified.
Chapter 1: Audit Objectives

Audit objectives refer to the specific goals of the audit. These objectives often are centered on substantiating that internal controls are functioning to minimize business risk. The audit objectives, then, need to be translated into specific IS audit objectives.

For example, for a financial audit, an internal control is designed to ensure transactions are posted correctly to the general ledger. The audit objective is to determine whether this control is performing as intended. The corresponding IS audit objective might be to make sure that editing features are in place to detect errors in the transaction coding that may affect the posting of the transactions.
Chapter 1: Audit Documentation

In addition to the audit plan, the documentation for an IS audit includes:
- A description or diagram of the IS environment
- Audit programs
- Minutes of meetings
- Audit evidence
- Findings
- Conclusions and recommendations
- Any report issued as a result of the audit work
- Supervisory review comments, if any

Chapter 1: Audit Documentation, cont.

At a minimum, documentation should include a record of the:
- Planning and preparation of the audit scope and objectives
- Description and/or walkthroughs on the scoped audit area
- Audit program
- Audit steps performed and audit evidence gathered
- Use of services of other auditors and experts
- Audit findings, conclusions and recommendations

The documentation should also include evidence of supervisory review and the report that was issued as a result of the audit work. Also necessary is any audit information required by contractual stipulations, regulations, laws and professional standards.
Chapter 1: IT Audit Program

An effectively planned and developed IT audit program should:
- Identify areas of greatest IT risk exposure to the organization.
- Promote the confidentiality, integrity and availability of information systems.
- Determine the effectiveness of management's planning and oversight of IT activities.
- Evaluate the adequacy of operating processes and internal controls.
- Determine the adequacy of enterprise-wide compliance efforts related to IT policies and internal control procedures.
- Recommend appropriate corrective action to address deficient internal controls.
- Follow up with management to ensure that recommended corrective actions have been effectively implemented.
Chapter 1: Enterprise Risk Management

An effective risk-based auditing program should cover all of an organization's major activities. The frequency and depth of each area's audit will vary according to the risk assessment of that area.

Risk-based IT audit programs should:
- Identify the organization's data, application and operating systems, technology, facilities, and personnel.
- Identify the business activities and processes within each of those categories.
- Include profiles of significant business units, departments, and product lines or systems, and their associated business risks and control features, resulting in a document describing the structure of risk and controls throughout the organization.
- Use a measurement or scoring system that ranks and evaluates business and control risks for significant business units, departments and products.
Chapter 1: Enterprise Risk Management, cont.

Risk-based IT audit programs should also:
- Include board or audit committee approval of risk assessments and annual risk-based audit plans that establish audit schedules, audit cycles, work program scope and resource allocation for each area audited.
- Implement the audit plan through planning, execution, reporting and follow-up.
- Include a process that regularly monitors the risk assessment and updates it at least annually for all significant business units, departments, and products or systems.
Chapter 1: Testing Procedures for IS Controls

It is management's responsibility to establish and maintain IT controls that meet internal control objectives. When well designed, these controls can both deter fraud and enable its early detection.

Planning for appropriate audit tests requires that the IS auditor have an understanding of the procedures for testing and evaluating IS controls. These may include:
- Use of generalized audit software to survey the contents of data files (including system logs)
- Use of specialized software to assess the contents of operating system parameter files (or detect deficiencies in system parameter settings)
- Process charting techniques for documenting automated applications and business processes
- The use of audit logs or reports available in operation/application systems
- Documentation review
- Observation
Chapter 1: Compliance and Substantive Testing

Testing may involve identifying the controls for compliance with management policies and procedures, that is, gathering evidence to determine whether they are being applied and functioning as expected.

The audit may also involve substantive tests, in which evidence is gathered to evaluate the integrity of selected data or individual transactions. Substantive procedures are tests performed to obtain audit evidence to detect material misstatements in the financial statements.

Because of time and cost constraints, it is often impossible to verify all transactions or events in a specific group of items, so auditors use a sample of that group. This sampling allows auditors to infer characteristics of the entire group based on the characteristics of the sample.
Chapter 1: Interviewing and Observing

An early step in performance of the audit is interviewing and observing personnel involved in the tasks that will be assessed in the audit. The auditor should:
- Determine who is responsible for performing which functions, and whether these individuals are actually doing so.
- Do a walkthrough of the processes and procedures.
- Observe the security awareness of the individuals involved.
- Investigate reporting relationships, and ensure there is appropriate segregation of duties.
Question: What is the difference between compliance testing and substantive testing?

Answer: Compliance testing determines whether controls are in compliance with management policies and procedures. Substantive testing tests the integrity of actual processing.

Chapter 1: Tips for Conducting a Successful Interview

1. Know your material, the job function being audited, the inputs and outputs, and the subject's job responsibilities.
2. Be familiar with key terms and acronyms and how they are used within the context of the job function under review.
3. Prepare a few questions, but do not read off a list.
4. Review prior period work papers and audit reports to gain an understanding of questions that were not asked that should have been. Also, ask what changes have occurred that may have affected the operations under review.
5. Ask open-ended questions wherever possible. Avoid questions that have definite, specific answers.
6. Provide the interviewee with an opportunity to add or elaborate on anything before ending the interview.
Chapter 1: Sampling

General approaches to audit sampling include statistical sampling and nonstatistical (or judgmental) sampling. Either type of sampling requires the auditor to make judgments in defining the population characteristics.

Key steps in choosing a sample include:
- Determine the objectives of the test.
- Define the population to be sampled.
- Determine the sampling method, such as attribute versus variable sampling.
- Calculate the sample size.
- Select the sample.
- Evaluate the sample from an audit perspective.

Determining what constitutes the sample depends on several factors such as access to the individuals in the representative group, the availability of resources to use in the selection of the sample, and the technical expertise of those involved in the data collection.
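As an added example (not part of the ISACA material), the Python below walks the six steps above as an attribute-sampling compliance test of one control: every production change ticket carries documented approval before deployment. The population of change tickets, the 95% confidence level, the 5% tolerable deviation rate and the recorded seed are all constructed assumptions; the sample-size rule is the exact binomial bound for zero expected deviations, which a practitioner can check against the usual sampling tables.

```python
"""Attribute sampling for a compliance test (added example, not ISACA material).

Walks the six sampling steps for one control:
"every production change ticket carries documented approval before deployment".
Assumptions: the population of change tickets is constructed here; the
sample-size rule is the exact binomial bound for zero expected deviations;
a recorded seed makes the selection reproducible for the reviewing auditor.
"""
import math
import random
from typing import Dict, List, Sequence, Tuple


def sample_size(confidence: float, tolerable_rate: float) -> int:
    """Step 4: smallest n such that, if the true deviation rate were the
    tolerable rate, a clean sample of n would occur with probability
    <= 1 - confidence.  (1 - p)^n <= 1 - c  =>  n >= ln(1 - c) / ln(1 - p)."""
    if not (0.0 < confidence < 1.0 and 0.0 < tolerable_rate < 1.0):
        raise ValueError("confidence and tolerable_rate must lie in (0, 1)")
    return math.ceil(math.log(1.0 - confidence) / math.log(1.0 - tolerable_rate))


def select_sample(population: Sequence[str], n: int, seed: int) -> List[str]:
    """Step 5: random selection without replacement. The seed goes in the
    work papers so a supervisor can regenerate exactly the same sample."""
    if n > len(population):
        raise ValueError("sample cannot exceed the population")
    return random.Random(seed).sample(list(population), n)


def prob_at_most(k: int, n: int, p: float) -> float:
    """Binomial P(X <= k) for n items each deviating with probability p."""
    return sum(math.comb(n, i) * p ** i * (1.0 - p) ** (n - i) for i in range(k + 1))


def evaluate(n: int, deviations: int, confidence: float, tolerable_rate: float) -> Tuple[bool, float]:
    """Step 6: the control may be relied on only if seeing this few
    deviations would be unlikely (<= 1 - confidence) when the true rate
    is at least the tolerable rate. Returns (reliable, p_value)."""
    p_value = prob_at_most(deviations, n, tolerable_rate)
    return p_value <= 1.0 - confidence, p_value


def build_population(size: int = 400, true_rate: float = 0.02, seed: int = 7) -> Dict[str, bool]:
    """Step 2, constructed population: ticket id -> approval documented?"""
    rng = random.Random(seed)
    return {f"CHG-{i:04d}": rng.random() >= true_rate for i in range(1, size + 1)}


def run_attribute_test(confidence: float = 0.95, tolerable_rate: float = 0.05, seed: int = 2013) -> dict:
    """Steps 1-6 end to end. Objective (step 1): is the approval control
    operating with a deviation rate below tolerable_rate?"""
    population = build_population()                        # step 2
    n = sample_size(confidence, tolerable_rate)            # steps 3-4: attribute sampling
    chosen = select_sample(sorted(population), n, seed)    # step 5
    deviations = sum(1 for t in chosen if not population[t])
    reliable, p_value = evaluate(n, deviations, confidence, tolerable_rate)  # step 6
    return {"sample_size": n, "deviations": deviations,
            "reliable": reliable, "p_value": round(p_value, 4)}


if __name__ == "__main__":
    print(run_attribute_test())
```

With 95% confidence and a 5% tolerable rate the rule gives a sample of 59 tickets; one observed deviation is already enough to withhold reliance at that confidence, which is why the expected deviation rate matters when the sample size is set.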
Chapter 1: Computer-Assisted Audit Techniques (CAATs)

A software tool is almost a necessity to gather and analyze records from systems that have different hardware and software environments, or different data structures, record formats or processing functions. CAATs offer a way to access and analyze data for a specific audit objective, and to report the audit findings. The reliability of the information source provides reassurance on the findings produced.

Advantages of CAATs:
- Reduced level of audit risk
- Greater independence from the auditee
- Broader and more consistent audit coverage
- Faster availability of information
- Improved exception identification
- Greater opportunity to quantify internal control weaknesses
- Enhanced sampling
- Cost savings over time
Chapter 1: Computer-Assisted Audit Techniques (CAATs), cont.

The following are examples of documentation that should be retained in the auditor's field work papers when using CAATs:
- Online reports detailing high-risk issues for review
- Commented program listings
- Flowcharts
- Sample reports
- Record and file layouts
- Field definitions
- Operating instructions
- Description of applicable source documents

Chapter 1: Internal Controls

Internal controls include policies, procedures, practices and organizational structures that are put in place to reduce risk. Their intent is to provide reasonable assurance that the business objectives of the organization will be achieved and that risk events will be prevented, detected, or corrected.

To implement the control, a control objective is defined for an identified risk. Then, specific control activities or procedures designed to achieve the objective are instituted. These processes and activities, automated or manual, function at all levels in the organization to reduce exposure to risks that could prevent the organization from achieving its business objectives.
Chapter 1: Internal Controls, cont.

Control objectives are management objectives used as the framework for developing and implementing controls or control procedures. They are statements of the purposes that control activities or procedures are designed to serve.

Internal controls typically include:
- Internal accounting controls: principally concerned with accounting operations. Examples: the safeguarding of assets, the reliability of financial records
- Operational controls: related to the basic operations, functions and activities to ensure the operation is meeting the business objectives
- Administrative controls: focused on operational efficiency in a functional area and adhering to management policies, including operational controls
Chapter 1: Example Control Objective

Control Objective: Controls provide reasonable assurance that the organization's electronic funds transfer (EFT) system is protected against unauthorized physical and logical access.

Illustrative controls:
- The responsibility for the development and enforcement of a security policy is at an organizational level that facilitates compliance by organization personnel and enables enforcement of policies and procedures.
- Security policy and procedures are in place, and are communicated to appropriate employees and contractors.
- Policies and procedures are in place for reporting security incidents or observed irregularities to an organizational level at which such matters can be investigated and resolved in a timely fashion.
- Policies and procedures are established for the security of filing, retention and destruction of EFT system files.
Chapter 1: Example Control Objective, cont.

Illustrative controls, cont.:
- Policies and procedures are in place for conducting security system training.
- Policies and procedures are in place for discontinuing an employee's (or contractor's) ability to access EFT hardware, software and data when the employee is terminated or the employee's duties change.
- Access to EFT files or processes is limited based on users' needs.
- Passwords control access to EFT files, personal identification numbers and privacy data.
- Firewalls or other procedures prevent unauthorized access to data from an external network.
- Policies and procedures are in place to prevent unauthorized access to the EFT processing facility.
Chapter 1: IS Control Objectives

- Safeguarding assets: information on automated systems is secure from improper access and kept up to date.
- Ensuring the integrity of general operating system environments, including network management and operations.
- Ensuring the integrity of sensitive and critical application system environments, including accounting/financial and management information, through:
  o Authorization of the input: each transaction is authorized and entered only once.
  o Accuracy and completeness of processing of transactions: all transactions are recorded and entered into the computer for the proper period.
  o Accuracy, completeness and security of the output.
  o Database integrity and availability.
- Complying with the users' requirements, organizational policies and procedures, and applicable laws and regulations.
- Developing business continuity and disaster recovery plans.
- Developing an incident response and handling plan.
- Managing change.
Chapter 1: IS Control Objectives, cont.

Exercise: Identify for each example whether it is a preventive, detective or corrective control.
- Using internal audit functions
- Completing programmed edit checks
- Checking calculations in duplicate
- Controlling access to physical facilities
- Using encryption software to prevent unauthorized disclosure of data
- Reviewing past-due account reports
- Creating contingency plans
- Checking hash totals
- Implementing backup procedures

Answer (per the CISA Review Manual's classification of control types):
- Preventive: completing programmed edit checks; controlling access to physical facilities; using encryption software to prevent unauthorized disclosure of data
- Detective: using internal audit functions; checking calculations in duplicate; reviewing past-due account reports; checking hash totals
- Corrective: creating contingency plans; implementing backup procedures
Chapter 1: COBIT

COBIT is a governance framework and supporting toolset that IT organizations can use to ensure that IT is working as effectively as possible to minimize risk and maximize the benefits of technology investments.

The COBIT control framework links IT initiatives to the business requirements, organizes IT activities into a generally accepted process model, identifies the major IT resources to be leveraged and defines the management control objectives to be considered.
Chapter 1: COBIT, cont.

The growing adoption of IT best practices has been driven by a requirement for the IT industry to better manage the quality and reliability of IT in business, and to respond to a growing number of regulatory and contractual requirements. The danger, however, is that implementation of these potentially helpful best practices will be costly and unfocused if they are treated as purely technical guidance. To be most effective, best practices should be applied within the business context, focusing on where their use would provide the most benefit to the organization.

Senior management, business management, auditors, compliance officers and IT managers should work together to make sure that IT best practices lead to cost-effective and well-controlled IT delivery. When developing control recommendations, management should ensure that the controls are well designed and efficient, that the overall IT operations environment is taken into consideration, and that the controls ultimately assist management in achieving its long-term IT strategic goals.
Chapter 1: General Controls

To provide reasonable assurance that specific objectives will be achieved, management institutes general control procedures and practices. General controls cover:
- Strategy and direction
- General organization and management
- Access to data and programs
- Systems development methodologies and change control
- Data processing operations
- Systems programming and technical support functions
- Data processing quality assurance procedures
- Physical access controls
- Business continuity and disaster recovery planning
- Networks and communications
- Database administration
Chapter 1: Application Controls

IT application or program controls are fully automated (i.e., performed automatically by the systems) and designed to ensure the complete and accurate processing of data. These controls may also help ensure the privacy and security of data transmitted between applications.

Categories of IT application controls may include:
- Completeness checks: controls that ensure all records were processed from initiation to completion.
- Validity checks: controls that ensure only valid data is input or processed.
- Authentication: controls that provide an authentication mechanism in the application system.
- Authorization: controls that ensure only approved business users have access to the application system.
- Input controls: controls that ensure data integrity fed from upstream sources into the application system.

Source: Wikipedia
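As an added example (not from the ISACA material or the Wikipedia source), the Python below shows what a CAAT run looks like when it tests the completeness, validity and authorization categories above over a general-ledger extract, using the hash-total and programmed edit checks that appeared earlier among the control examples. The extract, the source system's control record, the chart of accounts, the approver list and the audit period are all constructed assumptions. The extract is deliberately built so that the record count agrees with the source while the hash total does not, which is the case a record count alone would miss.

```python
"""CAAT exception run over a transaction extract (added example, not ISACA's code).

Applies three application-control categories to a constructed general-ledger
extract: completeness (record count and hash total agree with the source
system's control record, no duplicate ids), validity (programmed edit checks on
date, account and amount) and authorization (posting user holds the approver
role). Everything below the imports is constructed sample data and assumed
business rules, not taken from any real system.
"""
import csv
import io
from dataclasses import dataclass
from datetime import date
from decimal import Decimal, InvalidOperation
from typing import Dict, List

# Constructed extract: 1005 is missing and 1004 appears twice, so the record
# count still matches the source while the hash total does not.
EXTRACT_CSV = """txn_id,post_date,account,amount,user
1001,2013-05-02,4000,250.00,alice
1002,2013-05-03,4000,75.50,bob
1003,2013-05-03,9999,120.00,alice
1004,2013-06-01,5100,80.00,carol
1004,2013-05-04,5100,80.00,carol
1006,2013-05-05,5100,abc,alice
"""

# Constructed control record written by the source system at extraction time:
# six postings, hash total = sum of txn_id over 1001..1006.
SOURCE_CONTROL = {"record_count": 6, "hash_total": 6021}

VALID_ACCOUNTS = {"4000", "5100"}        # assumed chart of accounts
APPROVERS = {"alice", "carol"}           # assumed users holding the approver role
PERIOD_START, PERIOD_END = date(2013, 5, 1), date(2013, 5, 31)  # assumed audit period


@dataclass(frozen=True)
class Finding:
    control: str   # "completeness", "validity" or "authorization"
    txn_id: str    # "" when the finding concerns the whole file
    detail: str


def load_extract(text: str) -> List[Dict[str, str]]:
    return list(csv.DictReader(io.StringIO(text)))


def completeness_checks(rows: List[Dict[str, str]], control: Dict[str, int]) -> List[Finding]:
    """Record count, hash total and duplicate-id checks against the source."""
    findings: List[Finding] = []
    if len(rows) != control["record_count"]:
        findings.append(Finding("completeness", "", f"record count {len(rows)} != source {control['record_count']}"))
    hash_total = sum(int(r["txn_id"]) for r in rows)   # hash total over a non-monetary field
    if hash_total != control["hash_total"]:
        findings.append(Finding("completeness", "", f"hash total {hash_total} != source {control['hash_total']}"))
    seen = set()
    for r in rows:
        if r["txn_id"] in seen:
            findings.append(Finding("completeness", r["txn_id"], "duplicate transaction id"))
        seen.add(r["txn_id"])
    return findings


def validity_checks(rows: List[Dict[str, str]]) -> List[Finding]:
    """Programmed edit checks: date inside the period, account in the chart, positive numeric amount."""
    findings: List[Finding] = []
    for r in rows:
        tid = r["txn_id"]
        try:
            posted = date.fromisoformat(r["post_date"])
            if not PERIOD_START <= posted <= PERIOD_END:
                findings.append(Finding("validity", tid, f"post_date {posted} outside audit period"))
        except ValueError:
            findings.append(Finding("validity", tid, f"unparseable post_date {r['post_date']!r}"))
        if r["account"] not in VALID_ACCOUNTS:
            findings.append(Finding("validity", tid, f"account {r['account']} not in chart of accounts"))
        try:
            if Decimal(r["amount"]) <= 0:
                findings.append(Finding("validity", tid, f"amount {r['amount']} is not positive"))
        except InvalidOperation:
            findings.append(Finding("validity", tid, f"non-numeric amount {r['amount']!r}"))
    return findings


def authorization_checks(rows: List[Dict[str, str]]) -> List[Finding]:
    """Only users holding the approver role may post."""
    return [Finding("authorization", r["txn_id"], f"user {r['user']} lacks the approver role")
            for r in rows if r["user"] not in APPROVERS]


def run_caat(text: str = EXTRACT_CSV, control: Dict[str, int] = SOURCE_CONTROL) -> List[Finding]:
    """Full run; the returned list is what goes into the work papers."""
    rows = load_extract(text)
    return completeness_checks(rows, control) + validity_checks(rows) + authorization_checks(rows)


if __name__ == "__main__":
    for f in run_caat():
        print(f"{f.control:<14}{f.txn_id or '(file)':<8}{f.detail}")
```

On the constructed extract the run reports six exceptions: the hash-total mismatch and the duplicate id under completeness, the out-of-chart account, the posting dated outside the period and the non-numeric amount under validity, and the posting by a user without the approver role under authorization. The record count raises nothing, which is the point of carrying a hash total alongside it.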
Chapter 1: Risk-Based Audits

A growing number of organizations are moving to a risk-based audit approach. This approach can influence an IS auditor's decision to perform either compliance testing or substantive testing. Identifying risks and vulnerabilities allows the auditor to determine the controls needed to mitigate those risks.

In a risk-based audit approach, IS auditors are not just relying on risk. You are also relying on internal and operational controls, as well as knowledge of the organization. This type of risk assessment decision can help relate the cost-benefit analysis of the control to the known risk, allowing for practical choices and better cost-benefit recommendations to management.

Knowledge of the relationship between risk and control is important for IS auditors. As an IS auditor, you must be able to:
- Differentiate types of risks related to business, technology and audit
- Identify relevant controls to mitigate these risks
- Evaluate the organization's risk assessment and management techniques
- Assess risk in order to plan audit work
Chapter 1: Risk-Based Audit Approach

Gather information and plan:
- Knowledge of business and industry
- Prior year's audit results
- Recent financial information
- Regulatory statutes
- Inherent risk assessment

Obtain understanding of internal control:
- Control environment
- Control procedures
- Detection risk assessment
- Control risk assessment
- Equate total risk
Chapter 1: Risk-Based Audit Approach, cont.

Perform compliance tests:
- Identify key controls to be tested
- Perform tests on reliability, risk prevention, and adherence to organization policies and procedures

Perform substantive tests:
- Analytical procedures
- Detailed tests of account balances
- Other substantive audit procedures

Conclude the audit:
- Create recommendations
- Write audit report
Chapter 1: Risk Identification

When identifying risk, there are three elements to assess:
- Threats to, and vulnerabilities of, processes and assets (including both physical and information assets)
- Impact on assets based on threats and vulnerabilities
- Probabilities of threats (combination of the likelihood and frequency of occurrence)

Although auditors need to be aware of all potential risks, operational risk is the primary risk associated with information technology. Operational risk (also referred to as transaction risk) is the risk of loss resulting from inadequate or failed processes, people or systems.
Chapter 1: Responding to Risks

After identifying and quantifying risks, the decision must be made as to how to respond to them. Below are the main response strategies for risks:
- Risk avoidance
- Risk acceptance
- Risk transference
- Risk mitigation

Audit planning should address the highest-risk areas within the organization, given the resources available to the internal audit department. Changes to the audit plan may require direct communication/approval from the organization's Audit Committee.

Chapter 1: Risks

Instructions: Here are five elements of a risk-based audit. Determine the order in which they should be performed.

Audit elements:
- Perform substantive audit procedures
- Conduct detection risk assessment
- Conduct inherent risk assessment
- Develop recommendations
- Perform tests on reliability and risk prevention

Answer: The correct order is:
1: Conduct inherent risk assessment
2: Conduct detection risk assessment
3: Perform tests on reliability and risk prevention
4: Perform substantive audit procedures
5: Develop recommendations
Chapter 1: Risks, cont.

Instructions: Here are four types of risk and four definitions. Match each risk to its definition.

Risks:
- Control risk
- Detection risk
- Inherent risk
- Overall audit risk

Descriptions:
- The susceptibility of an audit area to error that could be material, assuming that there were no related internal controls
- The risk that a material error exists, an error that the internal control system will not prevent or detect in a timely manner
- A combination of the individual types of audit risks for each control objective
- The risk of an IS auditor using an inadequate test procedure and concluding that material errors do not exist when, in fact, they do exist
Answers: Each type of risk is followed by its definition.
- Control risk: The risk that a material error exists, an error that the internal control system will not prevent or detect in a timely manner
- Detection risk: The risk of an IS auditor using an inadequate test procedure and concluding that material errors do not exist when, in fact, they do exist
- Inherent risk: The susceptibility of an audit area to error that could be material, assuming that there were no related internal controls
- Overall audit risk: A combination of the individual types of audit risks for each control objective
Chapter 1: Report Audit Findings

In advance of presenting an audit report to senior management, the IS auditor should discuss the findings with management of the audited area. These discussions help ensure that there have been no misunderstandings or misinterpretations of fact. They give the auditee the opportunity to clarify items and express views on the findings, conclusions and recommendations.

The objective of these discussions is to gain agreement and develop a course of corrective action. Where disagreement occurs, the IS auditor should describe the significance of the findings, and the risks and effects of not taking corrective action.
Chapter 1: Audit Report Contents

The audit report should contain:
- An introduction with a purpose statement describing the audit objectives, and informing the reader why the audit was conducted and what was expected to be achieved
- Scope statements: identify the audited activities and supportive information such as the time period audited
- Background information and summaries: identify the organizational units and functions reviewed, and provide relevant explanatory information
- Status of findings, conclusions and recommendations from prior reports
- Information about whether the report covers a scheduled audit or is in response to a request
- Identification of related activities that were not audited, to delineate the boundaries of the audit
- Description of the nature and extent of auditing steps performed
- Results: including findings, conclusions on the adequacy of controls and procedures, and recommendations
Chapter 1: Audit Report Supporting Documents

In addition to the audit report, the IS auditor should also keep detailed records in the form of supporting audit documentation. At a minimum, the supporting documentation should include detailed information on the following:
- Planning and preparation of the audit scope and objectives
- Description and/or walkthroughs on the scoped audit area
- Audit program
- Audit steps performed and audit evidence gathered
- Use of services of other auditors and experts
- Audit findings, conclusions and recommendations
- Constraints on the conduct of the audit
  o Availability of audit staff
  o Auditee constraints
Chapter 1: Audit Report

The IS auditor is ultimately responsible to senior management and the organization's audit committee. Even though the IS auditor should discuss the findings with the management staff of the audited entity, this is done only to gain agreement on the findings and develop a course of corrective action. The IS audit director should review the report that the IS auditor prepared, but is not the person who will make the decisions regarding the findings and their potential consequences. The responsibility for reporting to legal authorities rests with the board of directors and their legal counselors.
Chapter 1: Management Response

In response to the audit results, management should commit to a program of corrective action, with dates by which the action plan will be implemented.

Although management is responsible for deciding the appropriate actions to be taken in response to the reported audit findings, the IS auditor is responsible for assessing management actions for timely resolution of the audit findings.

However, senior management may decide to assume the risk of not correcting the reported conditions because of cost or other considerations. The IS auditor should follow up to determine whether such a decision has been made.
Chapter 1: Control Self-Assessment

The principal objective of a CSA program is to shift certain control monitoring responsibilities to the functional areas and, in this way, enhance the audit function. The program works to educate management about control design and monitoring, concentrating especially on high-risk areas. Line management becomes responsible for both managing and monitoring the controls in its environment. A CSA program is intended to offer support for the monitoring process, such as suggestions for the control environment or workshops to empower workers to assess or design the control environment.

Each phase of a CSA program should have specific success measures associated with it to assess the value of the program. COBIT includes a generic set of goals and metrics for each process that can be used in creating the CSA program.

The role of the IS auditor in this process should be that of a facilitator, and the management of the functional area is the participant. During a CSA workshop, the auditor, instead of performing detailed audit procedures, leads and guides the participants in assessing their environment by providing insight about the objectives of controls based on risk assessment.
Chapter 1: Control Self-Assessment Advantages

The benefits of CSA include:
- Early detection of risks
- More effective and improved internal controls
- Creation of cohesive teams through employee involvement
- Increased employee awareness of organizational objectives, and knowledge of risk and internal controls
- Increased communication between operational and top management
- Improved audit rating process
- Reduction in control cost
- Assurance to executive management, stakeholders and customers
Chapter 1: Control Self-Assessment Disadvantages

Potential disadvantages of CSA include the following:
- It could be mistaken for an audit function replacement
- It may be regarded as additional workload
- Failure to act on improvement suggestions could damage employee morale
- Lack of motivation may limit effectiveness in the detection of weak controls
Chapter 1: Control Self-Assessment Exercise

Instructions: Select all that apply. Which of the following are potential benefits of CSA?
- Provides early detection of risks
- Reduces costs by replacing the audit function with self-monitoring
- Increases employee awareness of internal controls
- Works especially well in a very hierarchical management environment

Answer: CSA provides early detection of risks and increases employee awareness of internal controls. Because it is designed to empower staff members to play an active role in assessing their internal controls, it may not work well in organizations with a very hierarchical management environment. CSA is not intended to replace the audit function.