Chapter 7
Business Process Evaluation
and Risk Management
2003 ISACA
Chapter Overview
Research
Observe
Analyze
Adapt
Improve
2003 CISA Review Course Chapter 7 - page 7 © 2003 ISACA
Business Process Re-engineering and
Process Change Projects
BPR audit and evaluation techniques
• IS auditor must ensure:
Consistency with the overall culture and strategic plan of the organization
Risk management:
is the process of identifying vulnerabilities and threats to an organization’s information resources in achieving business objectives
IT governance encompasses:
• Information systems
• Technology
• Communications
Input/origination controls
• Input authorization
• Batch controls and balancing
• Error reporting and handling
• Batch integrity of online or database systems
Input/origination controls
• Processing control procedures
Manual recalculation
Editing
Run-to-run totals
Programmed controls
Etc.
Input/origination controls
• Data file control procedures
Before and after image reporting
Maintenance error reporting and handling
Source documentation retention
Internal and external labeling
Correct version usage, data file security controls
One-for-one checking, transaction log
File updating and maintenance authorization
Parity checking
Input/origination controls
• Output controls
Logging and storage of negotiable, sensitive and critical forms in a secure place
Computer generation of negotiable instruments, forms and signatures
Report distribution, balancing and reconciling
Output error handling
Output report retention
Verification of receipt of reports
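The batch controls and balancing and run-to-run totals named in the input and processing control lists above, as an added worked example (not part of the ISACA course material); the transactions and header slip values are constructed sample data.

```python
# Added example (not from the ISACA course material): batch balancing with a
# record count, a financial control total and a hash total, then a run-to-run
# check that carries those totals from one processing stage to the next.
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Txn:
    account: int
    amount: Decimal


# Constructed input batch, with the control totals the originating department
# would have written on the batch header slip before submitting it.
BATCH = [Txn(1001, Decimal("150.00")), Txn(2047, Decimal("-20.50")),
         Txn(3190, Decimal("999.99")), Txn(1001, Decimal("10.00"))]
HEADER = {"record_count": 4,
          "amount_total": Decimal("1139.49"),
          "hash_total": 7239}  # sum of account numbers; meaningless on its own


def control_totals(txns):
    """Compute the three batch controls over a list of transactions."""
    return {
        "record_count": len(txns),
        "amount_total": sum((t.amount for t in txns), Decimal("0")),
        "hash_total": sum(t.account for t in txns),
    }


def balance_batch(txns, header):
    """Input control: compare computed totals with the header slip and return
    the names of the totals that disagree (an empty list means the batch balances)."""
    actual = control_totals(txns)
    return [name for name in header if actual[name] != header[name]]


def run_to_run(stage_in, stage_out):
    """Processing control: the totals taken on input to a run must equal the
    totals carried out of it; a dropped or duplicated record breaks the match."""
    return control_totals(stage_in) == control_totals(stage_out)
```

Swapping the amounts of two records leaves all three totals unchanged, which is why batch balancing is paired with one-for-one checking and sequence checking rather than used alone.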
Atomicity
Consistency
Isolation
Durability
Digital signatures
Alpha
Application program
Artificial intelligence
Bar code
Benchmark
Electronic data interchange
Hash total
Redundancy check
Table look-ups
Chapter 7: Recap
Group discussion
Questions
A. enterprise objectives.
B. IT objectives.
C. audit objectives.
D. finance objectives.
A. reasonableness check.
B. validity check.
C. existence check.
D. limit check.
A. Contingency planning
B. Procedures for transaction authorization
C. Use of access control software
D. Echo controls in telecommunications
A. Range checks
B. Record counts
C. Sequence checking
D. Run-to-run control totals