
Certified Information Systems Auditor (CISA) 2019: Information Syst... https://cdn2.percipio.com/secure/c/1639687788.5844b786673fae4406...

Certified Information Systems Auditor (CISA) 2019: Information System Auditing
Discover keys to conducting a successful audit, its driving processes, and its underlying IT solutions in
this 15-video course. Examine controls and audit reporting while preparing for the ISACA Certified
Information Systems Auditor (CISA) exam. Key concepts covered here include: how information systems
(IS) auditing shows whether IT solutions meet business objectives efficiently and effectively; the
expectations of conduct for CISA-certified individuals; and how auditing standards provide guidance for
conducting efficient audits. Learn about various types of documentation when preparing an IS audit; how
to identify client needs that map to business objectives; and different categories of security controls,
including internal business process controls, IT controls, and sampling types. You will learn about control
objectives required to secure organizational assets along with the controls themselves; planning for audit
funding, personnel, and related items; scheduling audit phases; and how to report serious discoveries,
including fraud or serious IT vulnerabilities. Finally, see how to generate audit reports, including existing
controls which have passed or failed; communication with stakeholders after audit recommendations are
reported; and how IS auditing identifies weak security controls.

Table of Contents
1. Course Overview
2. The Purpose of Auditing
3. ISACA Code of Conduct
4. ISACA Auditing Standards
5. Organizational Documentation
6. Stakeholder Needs
7. Network Diagrams
8. Security Control Types
9. Control Objectives and Controls
10. Audit Resource Planning
11. Audit Scheduling
12. Urgent Incident Discovery
13. Audit Reporting
14. Audit Findings Remediation Follow-Up
15. Exercise: Controls and IS Auditing

Course Overview
[Video description begins] Topic title: Course Overview. [Video description ends]

Hi, I'm Dan Lachance. I've worked in various IT roles since the 1990s, including as a technical trainer, a
programmer, and a consultant, as well as an IT tech author and editor.

[Video description begins] Your host for this session is Dan Lachance. He is an IT Trainer and a
Consultant. [Video description ends]

I've held IT certifications in Linux, Novell, Lotus, CompTIA, and Microsoft. Some of my specialties over
the years have included networking, IT security, Cloud solutions, Linux management, and configuration
and troubleshooting of many Microsoft products.

The Certified Information Systems Auditor or CISA certification recognizes professionals who demonstrate
the skills necessary to run an IS audit related to security, as well as general cyber security tasks including
identifying assets and threats, hardening IT computing environments, and performing IT forensic and
auditing tasks. Understanding the nature of a business, the processes that drive that business and the
underlying IT solutions that support those processes is key to conducting a successful IS audit.

1 of 15 2021-12-16, 04:07

In this course, I'll discuss common IT management frameworks and examine a structured approach to IS
auditing. I'll also talk about the ISACA code of conduct, the purpose of auditing, and ISACA auditing
standards. I'll also explore some different frameworks related to auditing approaches. I'll also talk about IT
governance and also talk about different types of security controls.

The Purpose of Auditing


[Video description begins] Topic title: The Purpose of Auditing. Your host for this session is Dan
Lachance. [Video description ends]

Information System Auditing, otherwise called IS auditing, really deals with two primary concepts. The
first is investigation, where as IS auditors, we investigate the security controls that protect assets. The
second portion is to inform stakeholders on the state of those security controls in terms of their
efficacy. So the IS auditing process then begins with gathering evidence based on what we've determined
needs to be audited.

After we determine whether or not the controls are effective, we then report on weak controls and related
remediations. IS audit planning begins with looking at the audit subject. This would include things such as
the location where the audit will take place and any related business processes that will be audited. Then
we have to look at the audit objective, whether it's something specific like determining whether a payment
processing system is secure, or whether sensitive documents are being retained in accordance with things
like regulations, being stored securely and for the right amount of time.

We then have to consider the audit scope when we are planning an audit, which really details what
exactly will be included in the audit. Then we go through our audit pre-planning, where we either conduct
a risk assessment against assets that have value to the organization and the threats that go along with
those assets, or we use an existing risk assessment if it was done recently and applies to the audit scope. We
have to think about compliance with laws and regulations and the time frame related to conducting the
audit.

Finally, we need to create an audit program. This really aligns the audit procedure that will be followed
when the audit is conducted. Audit procedures begin with obtaining documentation. So organizational
security policies, departmental policies, process procedures, and data workflows. It's crucial that an IS
auditor has a strong understanding of the purpose of the business. And specifically with the audit's scope,
knowing exactly how business processes are used and how data flows within that business process.

Then there is regulatory compliance, which might include things like the retention of certain types of
documents, or logs, or transactions for a specific period of time. And then we have to consider the audit
tools that will be used during the audit, such as web application fuzzers, which are used to test what
happens when we feed a web app with a lot of random data to make sure it doesn't disclose sensitive
information, to make sure it doesn't crash. We would also look at tools like host vulnerability scanners,
which are used to identify weaknesses.

ISACA Code of Conduct


[Video description begins] Topic title: ISACA Code of Conduct. Your host for this session is Dan
Lachance. [Video description ends]

ISACA stands for Information Systems Audit and Control Association. It's an international association
whose overarching goal is proper IT governance. Now, specifically for Certified Information System
Auditors or CISA, this is going to be important. The CISA certification provides an assurance to clients
that business processes and supporting IT solutions are secure through proper auditing processes.

The ISACA Code of Conduct includes seven items, the first of which is to support the implementation of,
and encourage compliance with, appropriate standards, procedures, and controls for information systems.
This comes straight from the ISACA site. The next item in the ISACA Code of Conduct is to perform
duties, with respect to CISA auditors, with objectivity, due diligence, and professional care, in accordance
with professional standards and best practices.

The third item in the code of conduct is to serve in the interest of stakeholders in a lawful and honest
manner, while maintaining high standards of conduct and character, and not engaging in acts discreditable
to the profession. Because if it's deemed that this is occurring, then you could lose your CISA certification
from ISACA. The next item in the code of conduct is to maintain the privacy and confidentiality of
information that you might learn about through the course of the IS audit.

[Video description begins] The fourth item in the ISACA Code of Conduct is: Maintain the privacy and
confidentiality of information obtained in the course of their duties unless disclosure is required by legal
authority. Such information shall not be used for personal benefit or released to inappropriate parties.
[Video description ends]

And nine times out of ten you will be exposed to sensitive information, whether it's data or unique
business processes that are unique to that specific organization. The next item in the code of conduct is to
maintain competency. This means that as IS auditors we need to make sure that we are always keeping up-
to-date with the latest auditing standards. Also making sure that we also keep up-to-date with the latest
threats related to IT security. The sixth code of conduct item is to inform appropriate parties of the results
of the work performed.

[Video description begins] The fifth item in the ISACA Code of Conduct is: Maintain competency in their
respective fields and agree to undertake only those activities, which they can reasonably expect to
complete with professional competence. [Video description ends]

That would be the clients, because a very big part of IS auditing is to inform stakeholders of our audit
findings.

[Video description begins] The sixth item in the ISACA Code of Conduct is: Inform appropriate parties of
the results of work performed; revealing all significant facts known to them. [Video description ends]

Finally, the last part of the ISACA Code of Conduct is to support the professional education of
stakeholders, to make sure that they understand how the underlying technology supports their information
systems and any weaknesses that need to be addressed.

ISACA Auditing Standards


[Video description begins] Topic title: ISACA Auditing Standards. Your host for this session is Dan
Lachance. [Video description ends]

An effective IS audit means following standard guidelines. And here, we're going to take a look at ISACA
auditing standards. First thing to bear in mind is the Information Technology Assurance Framework or
ITAF. This is a set of standards that is published by ISACA.

It's a risk-based approach to taking a look at business processes and data, and the resulting underlying
technology that supports those items, to make sure that security controls are in place to protect assets. It
also means that we have to adhere to the ISACA Code of Conduct, the seven items that all ISACA-certified
individuals must adhere to, such as maintaining client confidentiality, because during the course of an IS
audit it's inevitable that you'll be exposed to sensitive information. There are also guidelines for IS auditing
that result in audit efficiency so that the audit takes place in a timely manner, and that the audit report
results are effective in conveying information to the client about the state of their security controls for their
prioritized assets. There are numerous ISACA auditing standards.

Here we have a couple of them, such as Standard 1001, the Audit Charter, which defines things like the
audit purpose, the audit scope, and access to resources in conducting the audit. Then we've got things like
Standard 1005 listed here at the bottom, Due Professional Care, where audit activity is executed with
integrity, care, and communication. This means as IS auditors, we need to make sure that we are
documenting our steps along the way while we follow auditing standards.

[Video description begins] A table appears on the screen. It has 2 columns: Standard and Summary. The
1st Standard is 1001 Audit Charter. Its Summary is: Audit purpose, scope, and access to resources. The
2nd Standard is 1002, 1003 Organisational and Professional Independence. Its Summary is: Objectivity
and no interference in all audit phases. The 3rd Standard is 1004 Reasonable Expectation. Its Summary
is: Audit execution as per IS audit assurance standards in a timely fashion. The 4th Standard is 1005 Due
Professional Care. Its Summary is: Audit activity execution with integrity, care, and communication.
[Video description ends]

Other standards would include, for example, 1007 Assertions, where we verify internal as well as third-party
control assertion validity.

[Video description begins] A table appears on the screen. It has 2 columns: Standard and Summary. The
1st Standard is 1006 Proficiency. Its Summary is: Skills competency, continuing education, and
subcontracting. The 2nd Standard is: 1007 Assertions. Its Summary is: Verify internal and third party
control assertion validity. The 3rd Standard is 1008 Criteria. Its Summary is: Criteria against which
controls are compared. The 4th Standard is 1201 Engagement Planning. Its Summary is: Audit objective,
scope, and timeline. [Video description ends]

So if we've got a security control that's already in place, and perhaps a previous audit has determined that
it was effective, it may have been at that time, but when we conduct the most current audit, we have to
revisit that. Because over time what once might have been effective as a security control may no longer be
effective.

Also, we've got auditing standard 1201, which deals with engagement planning. The engagement in this
case being the actual audit that's being performed, where we look at the audit objective, scope, and
timeline. Other standards would include 1204, Materiality, where weak or absent security controls could
result in a failure to meet control objectives. A control objective is a standard about what the control should
do, such as to protect data at rest, where the control is the actual solution that results in that protection.

Also, we've got a standard such as 1205 for Evidence, where any conclusions that we draw from the audit
need to be objective, and they need to be based not on opinion but strictly on the evidence gathered. And
remember we will be documenting tools and techniques that resulted in that evidence during the course of
the IS audit.

[Video description begins] A table appears on the screen. It has 2 columns: Standard and Summary. The
1st Standard is 1202 Risk Assessment in Planning. Its Summary is: Risk-based approach used for the audit
plan. The 2nd Standard is 1203 Performance and Supervision. Its Summary is: Ensure audit objective
completion in accordance with laws, regulations, and audit milestone schedules. The 3rd Standard is 1204
Materiality. Its Summary is: Weak or absent controls result in a failure to meet control objectives. The 4th
Standard is 1205 Evidence. Its Summary is: Audit conclusions are objective and based solely on
evidence. [Video description ends]

Other ISACA auditing standards would include 1206, Using the Work of Other Experts. So if we don't
have the correct skill set within our audit team, we need to either get someone as part of the team that has
the correct skills to assess security controls, or we can outsource a part of the work. Again, everything
needs to be documented properly.

Then 1401, Reporting, to make sure that we communicate our audit findings and educate the stakeholders,
that would be the client. And then 1402, the standard that deals with Follow-up Activities. So that we can
revisit any audit recommendations after an agreed upon period of time to ensure that any controls that
need to be changed or put in place have been done so effectively.

[Video description begins] Another table appears with four rows and two columns. The first column is
Standard. It consists of different ISACA Auditing Standards in each row: 1206 Using the Work of Other
Experts, 1207 Irregularity and Illegal Acts, 1401 Reporting, and 1402 Follow-up Activities. The second
column is Summary. Summary for the second row is: Assume that some form of fraud might be
encountered. [Video description ends]

Organizational Documentation
[Video description begins] Topic title: Organizational Documentation. Your host for this session is Dan
Lachance. [Video description ends]

A crucial aspect of an IS audit is to make sure that we have good information on which to base the audit.
And so organizational documentation is very important. We're talking about audit information gathering.
We need to make sure that any documentation that we use in our audit falls within the audit scope. It's got
to be relevant to what is being audited.

We also need to make sure that any documentation that we base any findings on is up-to-date. Now there
are many different types of documents that we have to consider. Let's start by talking about organizational
charts, which really outline the employee hierarchy within the organization. We can also see job-role
relationships, which can allow us to identify things like overlapping roles, which reduce efficiency and may
not be needed, and also roles that might result in a conflict of interest, which might necessitate segregation
of duties, for instance, within a certain process.

But then we have to look at the business processes themselves within the organization, and any related
documentation, such as how those processes are used to achieve organizational objectives. We have to
make sure that processes are efficient. We might even gather that type of information from employee
onboarding materials like instruction manuals.

And we have to take a look at the underlying supporting technology related to that business process. Bear
in mind that any existing security controls that may at one time have been effective may no longer be
effective. So part of a thorough IS audit is of course to revisit all security controls that fall within the
audit's scope. Other types of documentation that you would be interested in as an IS auditor would be
things like network diagrams. Now, we'd have to make sure those fall within the appropriate audit scope.
For instance, if we're only interested in auditing a small subset of the network, then we only need to see
that part of the network diagram.

However, depending on dependencies, we might have to look on a larger scale at a wider network diagram
to determine for instance where the resultant data flow ends. And so we have to be careful and take a look
at the scope of our audit but then look beyond it at dependencies. We might have to look at network
diagrams to determine details about hosts and their addressing information on the network as well as their
placement within the network. Infrastructure devices like routers, switches, wireless access points, not
only determining that they are placed correctly but whether in fact they should be there in the first place.

Then security control placement, things like VPN devices, firewall appliances, to make sure that they are
in a location that makes sense from a security perspective. Then we have to look at the common network
traffic flows, and that's where the whole network diagram kicks in, where we mentioned we might have to
see a broader network diagram to actually understand the information flow. A risk assessment is a
prioritized list of assets and related threats. Now, we might have existing security controls that we have to
revisit and make changes to due to new threats that didn't exist previously.

Other documentation might include product and service documentation for the specific business lead,
types of services they offer and the details related to that or the products that they might sell or even
manufacture. So in other words, know the business purpose of the client that you're performing the IS
audit for. This is absolutely essential. You need to understand how products and services are made
available, how they're sold, and how they're supported after they are sold to the customer. We might even
look to past audit reports.

Were there any recommendations that were made in the past that have or perhaps have not been acted
upon? We can also take a look at business and technological changes that affect the organization that have
changed since the last audit occurred. That might include something for example like ransomware, which
has become more and more prevalent.

And so it's part of what we have to consider when it comes to protection of data and making sure it's
available. We then need to consider other organizational documentation in the form of organizational
security policies of which there could be many. Like a VPN policy, an e-mail acceptable use policy, the
usage of social media within the organization and what is allowed and what is not.

How mobile devices are to be used, how documents are shared within the organization, both physical and
electronic documents, and how they are destroyed. And finally, policies such as a clean desk policy which
might prevent sensitive documentation from physically residing in paper form on desks when people
aren't around. So there's a lot of documentation that can feed into the information gathering phase of
conducting an IS audit.

Stakeholder Needs
[Video description begins] Topic title: Stakeholder Needs. Your host for this session is Dan Lachance.
[Video description ends]

While we must adhere to IS auditing standards, not every audit will be exactly the same. And that's
because the client or the organization being audited will always be a little bit different, so we always have
to consider stakeholder needs. The first order of business is to make sure that you know your client.

If you don't truly understand what type of business the client is in, then you're gonna have a difficult time
understanding business objectives that are met through business processes and the underlying technology
that supports those processes. So we should also know things like the history of our client. The products
and services that they offer and support. Any processes that result in making those products and services
available and generating revenue for things like shareholders.

Any outsourcing dependencies, always consider the weakest link in the chain. So if we've got a client that
we're performing an IS audit for that outsources either some services or the creation of a product. Then we
have to consider all of the security controls in that external client. Because there is an outsourcing
dependency in the supply chain that we must consider. We should also look to previous audit reports to
see what the state of the organization was and its security controls at that point in time, with an
understanding that things change.

We might also look to using questionnaires, such as properly designed questionnaires that are distributed
either physically or electronically to the appropriate parties within the organization, so we can learn more
about stakeholder needs. Stakeholder needs are based on assets that have value to the organization,
whether that is personnel or business processes, data, which is always considered an asset in this day and
age, and the threats to those items.

6 of 15 2021-12-16, 04:07
Certified Information Systems Auditor (CISA) 2019: Information Syst... https://cdn2.percipio.com/secure/c/1639687788.5844b786673fae4406...

[Video description begins] Screen title: Stakeholder Needs - Compliance. [Video description ends]

Compliance is also a big part of stakeholder needs, following standards such as PCI DSS, which is used to
determine how secure an environment is where it deals with cardholder information, such as credit card
information for payment. Then we have to think about regulations that might apply to a specific
organization, for the industry it's in and the legal jurisdiction that affects it.

There might also be contractual obligations that we have to consider as part of our IS audit that must be
met. For example, we might have a smaller organization that has a defense contract. And so there are
more stringent security controls that might apply than if that client did not have that Department of
Defense contract, so we have to consider that as well. And then of course, laws, again, based on the
jurisdiction that applies to the client.

[Video description begins] Screen title: Stakeholder Needs. [Video description ends]

Stakeholder needs also affect the audit scope. So whether we're looking at auditing a specific department
or a specific business process, or one part of a network, or an entire large scale network to make sure, for
example, it supports the PCI DSS cardholder processing standards.

We might even look to a specific host or we might be looking at a scope of a particular database to make
sure that sensitive data that gets read from and written to that database is properly secured. Now, all of this
will serve to allow us to build an engagement letter with the client, so that we can actually start planning
further. And then of course, ultimately execute the IS audit and report on our findings.

Network Diagrams
[Video description begins] Topic Title: Network Diagrams. Your host for this session is Dan Lachance.
Screen Title: IS Auditing and Network Diagrams. [Video description ends]

Planning and performing an IS audit goes much deeper than understanding the technology and the
security that goes along with that technology. We also have to be able to apply the auditing process to the
organization because in the end, the technology really is only there to support business processes. So we
need to understand the underlying technology that supports business processes, which ultimately serves
business objectives.

So as IS auditors then, when it comes to network diagrams and conducting an IS audit, we need to be able
to identify any risks with the use of that technology on the network. Then we need to be able to identify
any weaknesses that must be addressed. And then we have to determine even further details like how
specific security controls will be tested, such as testing a network firewall through a penetration test. So in
the end, we need to make sure that the configuration for the network, if that's part of the scope of the
audit, complies with security requirements.

Now the security requirements will stem from things like organizational security policies, which in turn
might be influenced by laws, regulations or even contracts that the client might have with organizations
where further security requirements are stipulated. Pictured on the screen on the left, we have an on-premises
network that includes servers that would hold things like databases. We've got intranet websites.

We've got mobile devices and wireless networks. Each of which is common in today's use of technology
to serve business needs. However, it's not without risk. So for example, at the server and database level,
we have a risk of things like server hardware or software failure. So if any of that fails, we lose
availability to that data in the databases. Then we've got intranet websites which could be susceptible to
common web application attacks like SQL injection.

[Video description begins] Sequel Injection is abbreviated to SQL injection. [Video description ends]

7 of 15 2021-12-16, 04:07
Certified Information Systems Auditor (CISA) 2019: Information Syst... https://cdn2.percipio.com/secure/c/1639687788.5844b786673fae4406...

Then we've got malware that could be within an app that users are downloading from an app store. It's
been known to happen. Just because an app is in a mobile device app store doesn't mean it's without risk.
Then we've got, on the wireless network side of things, MAC spoofing, which can be used by malicious
users to gain access to a wireless network that uses MAC address filtering; the MAC address is a unique
hardware address which is different for every Wi-Fi card.

There are also tools out there that allow malicious users to crack WPA and WPA2 security that we might
use to try to secure our wireless networks. And so we have to consider all of these technical details because
in the end, this technology only exists to serve the business. So we have to apply our auditing standards
against this technology. Then we've got another issue these days in the form of a public cloud provider
where organizations might, for example, have a public website hosted in the public cloud.

And they might have virtual machines deployed in the public cloud to support the website or to support a
testing environment if they're building new software. And then we might have the same types of issues in
terms of risks that could apply in the cloud as they would on-premises, like SQL injection attacks.
Although the scope here for a public website would be much broader because we've got a site that's
exposed to the Internet. And if a public website is compromised, that might be a bigger deal than a
compromise of an intranet website that, for example, only hosts employee documentation.

So not everything is equal. When we talk about exploiting a website through SQL injection or any other
attack, always look at the context and what type of data is on that. Of course, we always have to think
about the fact that if we've got a failure at the hardware level, how valuable really is the hardware
compared to the data that it stores or processes?

In the virtual machine side of things, we have to consider, again, server hardware or software failure. Now
what's different in the public cloud is responsibility. Because in the public cloud as a cloud customer, we
are not responsible for the hardware. However, we would be responsible for the deployment and
management of any virtual machines that we would deploy on the cloud provider hardware.

Security Control Types


[Video description begins] Topic Title: Security Control Types. Your host for this session is Dan Lachance.
Screen Title: Security Controls. [Video description ends]

Using technology to partake in business these days is pretty much inevitable, and with the use of that
technology, risk is introduced. So security controls must be the focus of our IS audit. What has been put in
place to protect assets by reducing risk? And so a big part of security controls is risk mitigation, and then
mapping security controls to control objectives. So a control objective, for example, might be to protect
sensitive data at rest, so stored data. Whereas the control might be to use a specific encryption solution to
carry out that control objective.

There are many different categories of security controls. Preventative controls are designed, as the word
implies, to prevent negative incidents from occurring, such as having thorough employee background
checks before hiring new personnel, and user training and awareness, for instance, to make sure people are
aware of the latest social engineering and malware threats, so they don't click on links in suspicious email
messages.

Performing data backups is preventative because we have data availability if something negative happens,
like files are deleted or encrypted with ransomware or become corrupt. We can also use firewall access
control lists, ACLs, which normally run on routers or even specialized firewall appliances. Which can
prevent certain types of network traffic from entering the network or leaving the network. Job rotation is
at the personal level. It allows us to place people in different job roles. And with this knowledge,
personnel might not be interested in partaking in illegal or fraudulent activities.

They know that somebody else might occupy that job role in the future. Door locks are also preventative, to prevent
someone from breaking into a building, or perhaps even a room. Security guards can be considered
preventative because they might have the ability to prevent a crime or a negative incident from occurring.
Detective controls, like the name implies, can detect that something has occurred, either through log file
review or through the use of an Intrusion Detection System, an IDS, which can detect suspicious activity
and report on it.

Alarm systems are detective: they can detect, for instance, if a window has been opened after hours. Job
rotation is not only preventative but also listed here as detective, because as a new person takes on a
new job role, they might detect irregularities from the previous occupant of that role. Security guards can
be detective as well; they might detect that something has occurred. Corrective or recovery controls allow
us to restore a system or data back to a functional state. That might include restoring data from backup,
reimaging a failed server, or patching a vulnerable host.

Deterrent security controls, as the name implies, deter bad behavior from the beginning. Examples include
perimeter fencing around a sensitive facility, lighting inside and outside the facility, including in parkades
and parking lots, and signage that warns of video surveillance systems. Security guards can also be
deterrent: the mere presence of a security guard can prevent negative activity from occurring.
Compensating controls are alternative controls, a second choice to a primary control that for one reason or
another we cannot implement.

It could be that the primary control is too expensive, so it's cost prohibitive, or that implementing and
managing that primary control is too complex. Examples of compensating controls might include, at the
personnel level, segregation of duties, to prevent a single person from having control of a business process
from beginning to end. Another example is network isolation, where we place legacy devices on their own
network segment.

Those legacy devices might not support modern requirements like password complexity. But by placing
them on an isolated network, we might be able to force connectivity to that network through an
authentication server that does support password complexity. And when it comes to your IS audit and
looking at security controls, make sure you approach existing controls with a healthy dose of professional
scepticism.

Existing controls might be outside your scope of responsibility, but they might actually not be effective;
they might not have been effective even when they were implemented, and over time they might have
become less effective at protecting assets. So we need to be aware of this as we conduct our IS audit,
which really focuses on looking at controls.

Control Objectives and Controls


[Video description begins] Topic Title: Control Objectives and Controls. Your host for this session is Dan
Lachance. [Video description ends]

A structured approach to IS auditing means understanding control objectives and controls. Control
objectives and controls are important because we need to think about mapping specific audit objectives to
how controls get tested. Remember, controls are put in place to protect assets, to reduce risk, and we're
really talking about an IS audit through a risk-based approach. So we can have multiple security controls
that might be used to satisfy a single control objective.

So imagine that the control objective is to protect cardholder data in order to remain compliant with PCI
DSS. We might achieve that through numerous means, such as by implementing network firewalls, having
malware scanning in place, and also encrypting data at rest. That's an example of three controls that
map to a single control objective.

Control objectives can be influenced by laws or regulations, and also by contractual obligations related to
security. The control objective exists to represent a desired state. What are we striving to do? For example,
maybe the desired state is to make sure that data is always available, even in the event of some kind of a
disaster like a fire, flood or an act of terrorism or a malicious attack.

Also, another desired state might be financial transaction integrity to make sure that financial transactions
and resultant financial documents can be trusted as being true. Another desired state may be data
confidentiality. So we might need to make sure that encryption mechanisms are used to maintain the
confidentiality of sensitive data.

[Video description begins] A table appears on the screen. It has two columns: Control Objective and
Control(s). Under Control Objective the following point is listed: No more than 2 hours of data may be
lost. Under Control(s) the following point is listed: Back up data every 1.5 hours. [Video description ends]

Now as an IS auditor, we have to look at these things and determine what is appropriate. And often, it's
not just based on technology. If the control objective is user awareness of latest social engineering threats,
maybe our control would be to have monthly or quarterly lunch and learn sessions.

[Video description begins] The following point appears under Control Objective: User awareness of latest
social engineering threats. The following point appears under Control(s): Monthly or quarterly lunch and
learn sessions. [Video description ends]

[Video description begins] The following point appears under Control Objective: Financial spreadsheet
user accountability. The following points appear under Control(s): Separate user accounts; Audit file
system access to spreadsheet files. [Video description ends]

We might have a control objective of financial spreadsheet user accountability. The controls might be to
have separate user accounts so we can track which user was doing what to the spreadsheet and then to
audit file system access to those files.

[Video description begins] The following point appears under Control Objective: Encryption of
personally identifiable information (PII). The following point appears under Control(s): Force PII storage
on Windows BitLocker disk volumes. [Video description ends]

We might have a control objective which requires encryption of personally identifiable information, PII:
things like social security numbers, credit card numbers, and addresses. The control might be to force
PII storage on Windows BitLocker disk volumes. If we're using Windows machines, BitLocker ensures
that the entire disk volume is encrypted, so even if the machine is off and the disk is stolen, the data
is still protected.

[Video description begins] The following point appears under Control Objective: High importance e-mail
messages are authentic. The following point appears under Control(s): E-mail digital signatures. [Video
description ends]

We might have a control objective that says high importance emails need to be authentic. How do we
do that? The control might be to implement email digital signatures, which give assurance that a
message came from whom it claims to have come from and that it has not been tampered with.

[Video description begins] The following point appears under Control Objective: Accurate migration of
data between systems. The following point appears under Control(s): XML file format. [Video description
ends]

We might also have a control objective that states we need accurate migration of data between dissimilar
systems. That might even include migrating from on-premises into the public cloud. Maybe a control is to
make sure that we export data in an XML file format, which is a universal standard that allows importing
into other dissimilar systems. So it's important, when you conduct an IS audit, to understand control
objectives and the controls that will satisfy each objective.
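As an added example, not part of the course, here is how an auditor might script a test of the first control objective and control pair in the table above: the objective "no more than 2 hours of data may be lost" and the control "back up data every 1.5 hours". The backup job log is constructed sample evidence; the test checks the control both as designed and as evidenced in the log, which is the difference between a control existing and a control being effective.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# The first row of the table: a control objective and the control mapped to it.
OBJECTIVE_MAX_DATA_LOSS = timedelta(hours=2)              # "No more than 2 hours of data may be lost"
CONTROL_BACKUP_INTERVAL = timedelta(hours=1, minutes=30)  # "Back up data every 1.5 hours"

# Constructed backup job log used as audit evidence (not real data). The 13:30 job
# failed, so there is no restorable copy between 12:00 and 15:00.
SAMPLE_BACKUP_LOG = """\
2021-12-15T09:00:00 job=finance-db status=SUCCESS
2021-12-15T10:30:00 job=finance-db status=SUCCESS
2021-12-15T12:00:00 job=finance-db status=SUCCESS
2021-12-15T13:30:00 job=finance-db status=FAILED error=disk_full
2021-12-15T15:00:00 job=finance-db status=SUCCESS
2021-12-15T16:30:00 job=finance-db status=SUCCESS
"""


@dataclass
class ControlTestResult:
    objective: str
    control: str
    designed_ok: bool   # does the control as designed meet the objective?
    effective: bool     # does the evidence show the objective was met in operation?
    max_gap: timedelta  # longest interval between two restorable backups
    findings: list = field(default_factory=list)


def parse_backup_log(log_text):
    """Split a backup log into sorted timestamps of successful jobs and a list of failures."""
    successes, failures = [], []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        tokens = line.split()
        fields = dict(token.split("=", 1) for token in tokens[1:])
        stamp = datetime.fromisoformat(tokens[0])
        if fields.get("status") == "SUCCESS":
            successes.append(stamp)
        else:
            failures.append((stamp, fields.get("error", "unknown")))
    return sorted(successes), failures


def assess_backup_control(log_text, interval=CONTROL_BACKUP_INTERVAL,
                          objective=OBJECTIVE_MAX_DATA_LOSS):
    """Test the control on paper (design) and against the log (operating effectiveness)."""
    findings = []
    # Design test: a 1.5 h schedule can never, on paper, lose more than 2 h of data.
    designed_ok = interval <= objective
    if not designed_ok:
        findings.append(f"scheduled interval {interval} exceeds objective {objective}")

    # Effectiveness test: only completed backups bound the data that could be lost, so the
    # gap between consecutive successful jobs is what the objective actually constrains.
    successes, failures = parse_backup_log(log_text)
    max_gap = timedelta(0)
    for earlier, later in zip(successes, successes[1:]):
        gap = later - earlier
        max_gap = max(max_gap, gap)
        if gap > objective:
            findings.append(f"no restorable backup between {earlier} and {later} ({gap})")
    for stamp, error in failures:
        findings.append(f"backup job failed at {stamp}: {error}")
    effective = bool(successes) and max_gap <= objective

    return ControlTestResult(
        objective="No more than 2 hours of data may be lost",
        control="Back up data every 1.5 hours",
        designed_ok=designed_ok,
        effective=effective,
        max_gap=max_gap,
        findings=findings,
    )


if __name__ == "__main__":
    result = assess_backup_control(SAMPLE_BACKUP_LOG)
    print(f"designed_ok={result.designed_ok} effective={result.effective} max_gap={result.max_gap}")
    for finding in result.findings:
        print(" -", finding)
```

On the sample log the control passes on paper but fails in operation: the failed 13:30 job leaves a three-hour window with no restorable backup, which is exactly the kind of gap professional scepticism about an existing control is meant to surface.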

Audit Resource Planning


[Video description begins] Topic title: Audit Resource Planning. Your host for this session is Dan
Lachance. [Video description ends]

Part of planning your IS audit is resource planning. What tools, personnel and budgetary requirements
must be in place to conduct the audit properly? We have to consider whether we're talking about
internal or external audits. Internal audits are carried out by personnel who are part of the
organization; external audits, naturally, use third parties. We then have to think about the team members,
the tools that will be used, and the budget. Let's start by talking about external audit teams. Because
external audit teams are not part of the organization directly, there will have to be meetings and
correspondence between the client and the external audit team to get things moving along.

This is because the external audit team may not be familiar with the client organization. There will be
exceptions where they are, if they've conducted a previous audit. But again, things can change
quickly. Companies might adopt new business lines, there might be mergers or acquisitions, and so either
way, meetings are a big part of this. Internal controls might even have changed since the last audit, and
external auditors might not be aware of that either. So external audit teams need to be informed about the
audit objective and the scope of the audit: what should be covered, what should be audited.

Planning the audit means looking at skillsets and tools. Do we need to outsource specialized skills that our
immediate audit team might not have? That might include something like auditing a Storage Area
Network, or SAN. Sometimes, depending on the nature of what we're auditing, we might need some
very specialized expertise to carry out the audit correctly. It's an auditing best practice to know when your
team does not have the correct skill set and you need to go to a third party. We also have to consider any
hardware or software tools that might be used to conduct the audit.

Now remember, an IS audit does not always have to include technology. Maybe what we need to do is
increase user awareness of social engineering threats, and that can be done through a lunch and learn
mechanism, which isn't directly related to technology, at least not the solution, although the overall
discussion is related to technology. Then we have to think about budgeting. There's a limited amount
of time and resources that we can allocate to a given IS audit for it to remain relevant. So we have to think
about external auditors who will have to travel and have related expenses, which have to be paid for somehow.

There are also the external audit service fees for the work to be conducted in the first place. If we're dealing
with an internal audit team, while we may not have the direct expense of paying a third party, we
still have time allocation, training and conferences. In other words, that internal audit team is putting their
time into conducting an audit when they might be doing something else that generates revenue for the
organization. So it's still a budgeting concern.

Then after the audit is complete, we look at the audit report, take a look at any recommended
remediations, and determine which ones should be implemented. There's a cost associated with
implementing those remediations, and that's yet another part of audit resource planning. The cost of
implementing these types of remediations might include technology solutions like requiring more storage
for logs and tracking as a result of an audit recommendation, or the creation of scripts to test
security controls, where the cost is the time required by personnel to create and test those scripts
thoroughly.

Audit Scheduling

[Video description begins] Topic Title: Audit Scheduling. Your host for this session is Dan Lachance.
[Video description ends]

In a way, part of planning an IS audit is similar to project management, in the sense of managing
resources and, as we're going to talk about, managing time. So it's important to think about audit
scheduling. It's part of the initial audit engagement letter, or sometimes it's called the statement of work or
SoW, between the client being audited and the auditing teams, especially if they're external
auditors. We also have to think about scheduling as it relates to invoicing. That would certainly be true
if you're talking about having external auditors outside of the organization performing the audit.

Now you might also have to deal with scheduling even sometimes with internal audit teams in a larger
organization where departmental chargeback is being employed. Audit scheduling deals with things like
when the audit will begin. There should also be scheduled periodic progress updates as the audit is under
way. There should also be periodic audit status meetings. So rather than just communicating, for example,
via email, there should be face-to-face or video conference meetings so that the client knows the current
state of the audit.

Then there should be a schedule for when the final deliverables or reports, based on evidence from the
audit findings, will be made available to the client. Finally, an audit closing meeting should be scheduled
to close out the audit after the reports have been made available to the client and the findings
have been discussed with the client, to make sure that there is an understanding of any remediations that
should be put in place. The remediation follow-up meeting should also be scheduled.

Now the timing between when the audit completes and the audit close meeting will vary from one audit
to another, of course. But we don't want to wait too long to make sure that remediation or compensating
controls of some type have been put in place. So we take a look at whether those were put in place. In
some cases, due to the complexity of the control, certainly if it's a technological type of security control,
the client might need direction on how to actually apply that control so it meets the control objectives, and
in some cases it might also require outsourcing that expertise. But all of these items have to be considered
in a time-lined approach.

Urgent Incident Discovery


[Video description begins] Topic title: Urgent Incident Discovery. Your host for this session is Dan
Lachance. [Video description ends]

During the course of executing your IS audit, you might at some point discover incidents that are urgent in
nature that need to be dealt with immediately. So as an auditor, you have a responsibility to communicate
the finding to the client right away. Now these communication mechanisms would have been established
initially during audit planning. The other thing to think about is whether or not the incident is technical in
nature, or whether it's more user related. For example, in the case of fraud or collusion between multiple
employees.

Sometimes these urgent incidents are intentional, such as collusion between internal employees or a
malware infection, but other times they might be unintentional. With urgent incidents, we have to see how
that maps to the ISACA Auditing Standard 1204, Materiality. This specific auditing standard focuses on
just this: urgent incident discovery, where we've got weak or absent controls that result in a failure to meet
control objectives, such as ensuring that we don't have collusion between employees who control a
business process from beginning to end.

Then in some cases, you might even uncover incidents of fraud. This could be internal, or it could be
external, where people outside of the company perpetrated this type of crime. It could be the result
of ineffective internal controls, such as allowing a single employee to control multiple processes, for example
ordering equipment and also dealing with the payables on that order of equipment once invoices are
received. So there need to be preventative controls to ensure that, ideally, this doesn't happen.

But it could be a failure of a preventative control that results in an urgent incident discovery. That is
material: it can actually affect the outcome of the audit itself in some cases. Sometimes we'll also have
detective controls that kick in if preventative controls fail. An example of this at the technical level
might be an intrusion prevention system that doesn't detect suspicious activity that we then
uncover later by reviewing log files. Other times, urgent incidents might have nothing to do specifically
with technology.

Rather, it might be something to do with fraud, for example Repo 105, which we might also jokingly term
fraud 101. This is a term that was coined by Lehman Brothers; it's an accounting fraud term. It deals
with illegal financial statement manipulation, where the perpetrators record short term loans as sales
values to inflate figures. This is definitely a form of fraud, and it is one of the things that could be
uncovered during the course of an IS audit. So why do people do this?

Why would people partake in things like fraud? Naturally greed plays a part in it, but often people
think they can get away with it for the long term. Also, sometimes there are external pressure points such
as shareholder and market expectations for things like quarterly financial reporting that drive
people to falsify financial documents in order to make sure they meet or exceed shareholder and market
expectations. Either way, these things can often be uncovered during an IS audit. The key, though, is to
report this type of serious incident immediately to the appropriate stakeholders.
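As an added example, not part of the course, here is a detective control test for the segregation-of-duties case described above, where one employee both orders equipment and handles the payables on that order. The procurement event log is constructed sample data; the check reports both the exercised conflict (the same person created a purchase order and approved its invoice) and the latent one (a person who has performed both duties, even on different orders), since the first is an urgent, material finding and the second is a gap in the preventative control.

```python
from collections import defaultdict

# Constructed procurement event log (not real data). PO-1002 is created and its invoice
# approved by the same person; erin holds both duties but so far on different orders.
SAMPLE_PROCUREMENT_LOG = """\
2021-12-01T09:12:00 event=PO_CREATED po=PO-1001 user=alice
2021-12-03T14:05:00 event=INVOICE_APPROVED po=PO-1001 user=bob
2021-12-06T10:40:00 event=PO_CREATED po=PO-1002 user=carol
2021-12-09T16:20:00 event=INVOICE_APPROVED po=PO-1002 user=carol
2021-12-10T11:00:00 event=PO_CREATED po=PO-1003 user=alice
2021-12-12T09:30:00 event=INVOICE_APPROVED po=PO-1003 user=erin
2021-12-13T08:45:00 event=PO_CREATED po=PO-1004 user=erin
2021-12-15T13:10:00 event=INVOICE_APPROVED po=PO-1004 user=bob
"""

# Pairs of duties that a single person must not perform on the same transaction.
CONFLICTING_DUTIES = [("PO_CREATED", "INVOICE_APPROVED")]


def parse_events(log_text):
    """Turn 'timestamp key=value ...' lines into dicts with a 'time' field."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        tokens = line.split()
        fields = dict(token.split("=", 1) for token in tokens[1:])
        events.append({"time": tokens[0], **fields})
    return events


def find_sod_violations(events, conflicts=CONFLICTING_DUTIES):
    """Exercised conflicts: the same user performed both conflicting duties on one PO."""
    users_by_po_and_duty = defaultdict(lambda: defaultdict(set))
    for event in events:
        users_by_po_and_duty[event["po"]][event["event"]].add(event["user"])
    violations = []
    for po, duties in sorted(users_by_po_and_duty.items()):
        for first, second in conflicts:
            for user in sorted(duties[first] & duties[second]):
                violations.append({"po": po, "user": user, "duties": (first, second)})
    return violations


def find_dual_role_users(events, conflicts=CONFLICTING_DUTIES):
    """Latent conflicts: users who have exercised both duties, even on different POs.
    Nothing has gone wrong yet, but the preventative control is not in place for them."""
    duties_by_user = defaultdict(set)
    for event in events:
        duties_by_user[event["user"]].add(event["event"])
    return sorted(user for user, duties in duties_by_user.items()
                  if any(first in duties and second in duties for first, second in conflicts))


if __name__ == "__main__":
    events = parse_events(SAMPLE_PROCUREMENT_LOG)
    for violation in find_sod_violations(events):
        print(f"URGENT: {violation['user']} performed both duties on {violation['po']}")
    for user in find_dual_role_users(events):
        print(f"finding: {user} holds conflicting duties {CONFLICTING_DUTIES[0]}")
```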

Audit Reporting


[Video description begins] Topic title: Audit Reporting. Your host for this session is Dan Lachance. [Video
description ends]

One of the final phases of IS auditing is audit reporting, which has two main purposes. The first is to
educate stakeholders as to the state of security controls, at least for the audit scope, the things that were
looked at. The second is to remediate any weaknesses in order to protect assets. Remember, we're talking
about a risk-based approach to our IS audit. So with audit reporting, we could be looking at a
single report or, on a larger scale, depending on the scope and the audit objective, numerous related
reports, even ones created by different audit team members.

Some cases might also require certified signatures for some or all portions of the audit, such as those
from chartered accountants, if that's the type of audit we are looking at with processes for IS
security. Always remember that when it comes to audit reporting, as auditors we need to be 100%
objective. What that means is that any conclusions we draw will be based solely on evidence, nothing
more: no opinions, not what we think should happen, in terms of reporting the findings.

So we need to clearly state the findings, the conclusions that were drawn, and then any recommendations
based on the findings and conclusions. We should also clearly state any information sources that were
used to come up with the findings and conclusions, such as running a network vulnerability scan or
sending out a questionnaire to employees to learn more about who is responsible for which parts of a
specific business process. Then we also have to provide fieldwork documentation.

This is crucial because it outlines the tools and techniques that were used to arrive at our findings and
conclusions. With audit reporting, we also have to consider the recipients. This would be part of the
original statement of work, as part of the deliverables: the timing of when reports are sent and to which
parties. We should also determine whether an audit report can be copied, printed, or forwarded.
Depending on the solution being used, this could be limited.

Then we have to think about audit report file integrity to prevent tampering with the results. There have
been documented cases that have made public headlines in the past, certainly, where the results of an audit
have been tampered with to look more favorable to the organization that was audited. And again, why
would that happen?

Well, greed. There's also meeting shareholder expectations and meeting quarterly projections for revenue
and so on. The other part of audit reporting could involve documented management responses. So if we've
made recommendations to implement certain types of remediations, we might require a response, a formal
response from management of the organization or the department that was audited that stipulates a
timeline related to which specific controls will be implemented, as per the audit report recommendations.

Audit Findings Remediation Follow-Up


[Video description begins] Topic title: Audit Reporting. Your host for this session is Dan Lachance. Screen
title: Audit Findings Remediation Follow-Up. [Video description ends]

Generally speaking, the overall purpose of an IS audit is to identify weaknesses in security controls. And
then to make recommendations to do something about it, to reduce those vulnerabilities. So, the first thing
to do is to perform the audit, and then to report findings and conclusions based on evidence only, so this is
objective.

And then to make recommendations on how to improve the organization's security posture as related to
the scope of what was covered by the audit. Finally, the auditing team needs to follow up. Because if
recommendations have been made, a follow-up needs to ensue to make sure that those recommendations
have been put in place.

The ISACA Standard 2402, the auditing standard, is called Follow-up Activities. It's an important part of
the IS audit process. And it really focuses on timely actions taken by management. Now the management
in this context is your client that you've performed the IS audit for. Timely actions taken by them based on
your audit report recommendations. So timing for this is specified originally in the audit statement of
work.

[Video description begins] Statement of Work is abbreviated to SoW. [Video description ends]

So we have the scheduling for the commencement of the audit, periodic status reports and meetings, and
of course the final deliverables and the deadline dates for the audit, and then a scheduled follow-up. The
timing will vary, but again, that's what's stipulated in the statement of work. Sometimes what some
organizations will do is conduct internal audits only to verify that the remediations have been put in
place and that they're effective.

So we might have a third party external audit team perform a specific audit, and then, based on their
findings and recommendations, an internal audit team will take over from there, where the scope will be
just the recommendations made by the initial audit team.

So controls that fail testing need to be dealt with. They need to be added to a near-future testing list;
otherwise, they could expose the company to unacceptable risk. And in some cases, if the desired control
that addresses a control objective is too complex, too expensive or somehow just not feasible, then we
look to compensating controls that will still protect that asset and reduce risk.

Exercise: Controls and IS Auditing


[Video description begins] Topic title: Exercise: Controls and IS Auditing. Your host for this session is
Dan Lachance. [Video description ends]

This exercise is all about the IS auditing process and controls. The first thing you will do is explain the
purpose of information system or IS auditing. Following that, you'll provide an example for each of the
following control types.

You'll provide an example of a deterrent control, a preventative control, and also a corrective control.
Finally, you'll provide an example of a control objective and a related control. Now's a good time to pause
the video to think about each of these items carefully and then come back to see the solution.

[Video description begins] A Solution banner appears. [Video description ends]

The purpose of IS auditing is to check that existing controls adequately protect assets.

[Video description begins] Information System is abbreviated to IS. [Video description ends]

It identifies the current security posture of the organization to stakeholders, within the scope of what was
covered by the audit, of course. For control type examples, an example of a deterrent control would be a
video surveillance camera. Even if it's a dummy one that doesn't actually work, it can deter malicious
actors from perpetrating negative activity or crimes.

Even computer sign-on banners that pop up when you sign on to a system could serve as a deterrent,
because there might be a warning that the system is to be used for business purposes only, or else.
Preventative controls come in the form of things like a firewall access control list, or ACL, that can
prevent known bad traffic from entering or leaving a host, or entering or leaving a network.

Employee background checks can be preventative because if we do a thorough background check on a
prospective hire and determine that they have an extensive criminal past, we could decline to continue with
the hiring process and prevent potential fraud down the road. Corrective controls would include things like
applying patches.

There might be a deficiency in an app or in an operating system or even in firmware and when we apply a
patch, it corrects that issue. We could also use data backups to recover data if, for example, data becomes
corrupted. So the corrective action here is recovering from the backup to get data back to a point where
it's usable. A control objective is really a statement about something that must be done, but not how it is to
be done.

[Video description begins] Screen title: Control Objectives and Control. [Video description ends]

So as an example, maybe we need to make sure that an important database is available, so people can still
access the contents of the database, even in the event of a natural disaster like a flood or a fire or perhaps
even a power outage.

So the control that might address that control objective in this particular example might be to replicate that
database to a different geographical region where you might have a data center, or another branch office
or you might even be doing this in the public cloud by replicating to another geographical region where
the cloud provider has a presence.
