2007 CISA© Review Course © 2006 ISACA All rights reserved www.isaca.org Chap 1 - Pag - 1
I - INTRODUCTION
1. Organization of the IS Audit Function
I - INTRODUCTION
2. IS Audit Resource Management
I - INTRODUCTION
3. Audit Planning
• Audit planning
– Short-term planning
– Long-term planning
– Things to consider
• New control issues
• Changing technologies
• Changing business processes
• Enhanced evaluation techniques
I - INTRODUCTION
4. Effect of Laws and Regulations on IS Audit Planning
Regulatory requirements
– Establishment
– Organization
– Responsibilities
– Correlation to financial, operational and IT audit functions
II - ISACA IS Auditing Standards and Guidelines
II - ISACA IS Auditing Standards and Guidelines
2. ISACA IS Auditing Standards
IS Auditing Standards
1. Audit charter
2. Independence
3. Ethics and Standards
4. Competence
5. Planning
6. Performance of audit work
7. Reporting
8. Follow-up activities
9. Irregularities and illegal acts
10. IT governance
11. Use of risk assessment in audit planning
II - ISACA IS Auditing Standards and Guidelines
2. ISACA IS Auditing Standards
1. Audit charter
Purpose, responsibility, authority and accountability
Approval
2. Independence
Professional independence
Organizational independence
II - ISACA IS Auditing Standards and Guidelines
2. ISACA IS Auditing Standards
4. Competence
Skills and knowledge
5. Planning
• Plan IS audit coverage
• Develop and document a risk-based audit approach
• Develop and document an audit plan
• Develop an audit program and procedures
II - ISACA IS Auditing Standards and Guidelines
2. ISACA IS Auditing Standards
Evidence
Documentation
II - ISACA IS Auditing Standards and Guidelines
2. ISACA IS Auditing Standards
7. Reporting
Identify the organization, intended recipients and any restrictions
State the scope, objectives, coverage and nature of audit work performed
State the findings, conclusions and recommendations and limitations
Justify the results reported
Be signed, dated and distributed according to the audit charter
II - ISACA IS Auditing Standards and Guidelines
2. ISACA IS Auditing Standards
8. Follow-up Activities
Review previous conclusions and recommendations
Review previous relevant findings
Determine whether appropriate actions have been taken by management in a timely manner
II - ISACA IS Auditing Standards and Guidelines
2. ISACA IS Auditing Standards
10. IT Governance
Review and assess the IS function’s alignment with the organization’s mission, vision, values, objectives and strategies.
Review the IS function’s statement about the performance and assess its achievement
Review and assess the effectiveness of IS resource and performance management processes
II - ISACA IS Auditing Standards and Guidelines
4. ISACA IS Auditing Procedures
II - ISACA IS Auditing Standards and Guidelines
5. Relationship among Standards, Guidelines and Procedures
– Standards
Must be followed by IS auditors
– Guidelines
Provide assistance on how to implement the standards
– Procedures
Provide examples for implementing the standards
III – Risk Analysis
i. Definition of Risk
IV – Internal Controls
– Detective controls
– Corrective controls
IV – Internal Controls
1. Internal Control Objectives
IV – Internal Controls
2. IS Control Objectives
• Safeguarding assets
• Assuring the integrity of general operating system environments
• Assuring the integrity of sensitive and critical application system environments through:
– Authorization of the input
– Accuracy and completeness of processing of transactions
– Reliability of overall information processing activities
– Accuracy, completeness and security of the output
– Database integrity
IV – Internal Controls
3. CobiT
IV – Internal Controls
4. General Control Procedures
IV – Internal Controls
5. IS Control Procedures
• Strategy and direction
• General organization and management
• Access to data and programs
• Systems development methodologies and change control
• Data processing operations
• Systems programming and technical support functions
• Data processing quality assurance procedures
• Physical access controls
• Business continuity/disaster recovery planning
• Networks and communications
• Database administration
V – Performing an IS Audit
Definition of Auditing
Systematic process by which a competent, independent person objectively obtains and evaluates evidence regarding assertions about an economic entity or event for the purpose of forming an opinion about and reporting on the degree to which the assertion conforms to an identified set of standards.
Definition of IS Auditing
Any audit that encompasses review and evaluation (wholly or partly) of automated information processing systems, related non-automated processes and the interfaces between them.
V – Performing an IS Audit
1. Classification of Audits
– Financial audits
– Operational audits
– Integrated audits
– Administrative audits
– Information systems audits
– Specialized audits
– Forensic audits
V – Performing an IS Audit
2. Audit Programs
V – Performing an IS Audit
3. Audit Methodology
2. Audit objective
Identify the purpose of the audit
3. Audit scope
Identify the specific systems, function or unit of the organization
Workpapers (WPs)
What are documented in WPs?
– Audit plans
– Audit programs
– Audit activities
– Audit tests
– Audit findings and incidents
Workpapers (Cont)
– Do not have to be on “paper”
– Must be
• Dated
• Initialed
• Page-numbered
• Relevant
• Complete
• Clear
• Self-contained and properly labeled
• Filed and kept in custody
V – Performing an IS Audit
4. Fraud Detection
– Management’s responsibility
– Benefits of a well-designed internal control system
• Deterring frauds at the first instance
• Detecting frauds in a timely manner
– Fraud detection and disclosure
– Auditor’s role in fraud prevention and detection
V – Performing an IS Audit
5. Audit Risk and Materiality
Audit Risk
• Inherent risk
• Control risk
• Detection risk
• Overall audit risk
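The four risk components above fit together in the standard audit risk model. The calculation that follows is an added worked note, not part of the course slides, and its numeric values are constructed for illustration.

$$AR = IR \times CR \times DR$$

Taking $IR = 0.8$, $CR = 0.5$ and an acceptable overall audit risk of $AR = 0.05$, the detection risk the auditor can tolerate is

$$DR = \frac{AR}{IR \times CR} = \frac{0.05}{0.8 \times 0.5} = 0.125$$

Inherent and control risk are properties of the auditee and its control environment; detection risk is the only term the auditor controls, through the nature and extent of substantive testing, so a low acceptable $DR$ translates directly into more testing.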
Materiality
V – Performing an IS Audit
6. Risk Assessment Techniques
V – Performing an IS Audit
7. Audit Objectives
V – Performing an IS Audit
8. Compliance vs. Substantive Testing
– Compliance test
determines whether controls are in compliance with management policies and procedures
– Substantive test
tests the integrity of actual processing
V – Performing an IS Audit
9. Evidence
V – Performing an IS Audit
10. Interviewing and Observing Personnel in action
– Actual functions
– Actual processes/procedures
– Security awareness
– Reporting relationships
V – Performing an IS Audit
12. Using the Services of Other Auditors and Experts
V – Performing an IS Audit
13. Computer-assisted Audit Techniques
– Functional capabilities
Functions supported
Areas of concern
– Advantages of CAATs
– Cost/benefits of CAATs
Development of CAATs
• Documentation retention
• Access to production data
• Data manipulation
V – Performing an IS Audit
14. Evaluation of Audit Strengths and Weaknesses
– Assess evidence
– Evaluate overall control structure
– Evaluate control procedures
– Assess control strengths and weaknesses
V – Performing an IS Audit
15. Communicating Audit Results
– Exit interview
• Correct facts
• Realistic recommendations
• Implementation dates for agreed recommendations
– Presentation techniques
• Executive summary
• Visual presentation
V – Performing an IS Audit
16. Management Implementation of Recommendations
V – Performing an IS Audit
17. Audit Documentation
– Constraints on the Conduct of the Audit
Availability of audit staff
Auditee constraints
V – Performing an IS Audit
Chapter 1 Question
A. Control risk
B. Detection risk
C. Inherent risk
D. Sampling risk
V – Performing an IS Audit
Chapter 1 Question
A. Business processes
B. Critical IT applications
C. Operational controls
D. Business strategies
V – Performing an IS Audit
Chapter 1 Question
A. Test data
B. Parallel simulation
C. Integrated test facility
D. Embedded audit module
V – Performing an IS Audit
Chapter 1 Question
• A management technique
• A methodology
• In practice, a series of tools
VI - Control Self-Assessment
Implementation of CSA
Facilitated workshops
Hybrid approach
VI - Control Self-Assessment
1. Benefits of CSA
VI - Control Self-Assessment
2. Disadvantages of CSA
VI - Control Self-Assessment
Objectives of CSA
– Enhancement of audit responsibilities (not a replacement)
VI - Control Self-Assessment
3. Auditor Role in CSA
VI - Control Self-Assessment
4. Technology Drivers for CSA
Traditional approach
CSA approach
Emphasizes management and accountability over developing and monitoring internal controls of an organization’s sensitive and critical business processes
VII - Emerging changes in the IS audit process
1. Automated Work papers
– Risk analysis
– Audit programs
– Results
– Test evidence
– Conclusions
– Reports and other complementary information
VII - Emerging changes in the IS audit process
2. Integrated Auditing
Typical process:
VII - Emerging changes in the IS audit process
3. Continuous Auditing
Definition
“A methodology that enables independent auditors to provide written assurance on a subject matter using a series of auditors’ reports issued simultaneously with, or a short period of time after, the occurrence of events underlying the subject matter”
VII - Emerging changes in the IS audit process
3. Continuous Auditing
– Distinctive character
• short time lapse between the facts to be audited and the collection of evidence and audit reporting
– Drivers
• better monitoring of financial issues
• allowing real-time transactions to benefit from real-time monitoring
• preventing financial fiascoes and audit scandals
• using software to determine proper financial controls
Prerequisites
– A high degree of automation
– An automated and reliable information-producing process
– Alarm triggers to report control failures
– Implementation of automated audit tools
– Quickly informing IS auditors of anomalies/errors
– Timely issuance of automated audit reports
– Technically proficient IS auditors
– Availability of reliable sources of evidence
– Adherence to materiality guidelines
– Change of IS auditors’ mind-set
– Evaluation of cost factors
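To make the prerequisites concrete, here is a small continuous-auditing monitor. It is an added example written for this edition of the notes, not ISACA course material, and it models three items from the list: an automated information-producing process (the logs), alarm triggers that report control failures, and quickly informing the IS auditor of anomalies. The two controls it checks are the ones the chapter's case study reports as recurring problems, production changes that cannot be traced to an approved change ticket and shared use of an administrator account. The change log, ticket register, login log, field names and the ten-minute overlap window are all constructed assumptions.

```python
"""Toy continuous-auditing monitor (added example, not ISACA course material).

Runs two control checks over system-produced evidence and returns an Alarm
for every failure so the IS auditor is informed as soon as it occurs.
Every log line, ticket and threshold below is constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed: system-produced change log, i.e. what actually changed in
# production. Fields: timestamp, system, object, operator, ticket reference.
CHANGE_LOG = [
    ("2007-03-02T09:15:00", "payroll", "calc_tax.cbl", "jsmith", "CHG-1041"),
    ("2007-03-02T17:40:00", "payroll", "calc_tax.cbl", "jsmith", None),
    ("2007-03-03T11:05:00", "ledger", "post_batch.sql", "admin", "CHG-1042"),
    ("2007-03-04T08:00:00", "billing", "invoice.py", "mlee", "CHG-9999"),
    ("2007-03-04T09:30:00", "billing", "invoice.py", "mlee", "CHG-1043"),
]

# Constructed: the change-management ticket register, i.e. what was authorized.
TICKETS = {
    "CHG-1041": {"status": "approved", "system": "payroll"},
    "CHG-1042": {"status": "approved", "system": "ledger"},
    "CHG-1043": {"status": "pending", "system": "billing"},
}

# Constructed: interactive logins. Fields: timestamp, account, workstation.
LOGIN_LOG = [
    ("2007-03-03T11:00:00", "admin", "ws-017"),
    ("2007-03-03T11:03:00", "admin", "ws-042"),
    ("2007-03-03T14:00:00", "mlee", "ws-042"),
]


@dataclass(frozen=True)
class Alarm:
    """A control failure reported to the IS auditor."""
    control: str  # control area that failed
    detail: str   # the evidence behind the alarm


def check_change_authorization(change_log, tickets):
    """Trace every production change to an approved ticket for that system.

    The change log is the source of evidence because it records what actually
    happened; each change that cannot be traced becomes an alarm.
    """
    alarms = []
    for ts, system, obj, operator, ticket in change_log:
        where = f"{ts} {system}/{obj} by {operator}"
        if ticket is None:
            alarms.append(Alarm("change-mgmt", f"{where}: no ticket recorded"))
            continue
        entry = tickets.get(ticket)
        if entry is None:
            alarms.append(Alarm("change-mgmt", f"{where}: ticket {ticket} not in register"))
        elif entry["status"] != "approved":
            alarms.append(Alarm("change-mgmt", f"{where}: ticket {ticket} is {entry['status']}"))
        elif entry["system"] != system:
            alarms.append(Alarm("change-mgmt", f"{where}: ticket {ticket} authorizes {entry['system']}"))
    return alarms


def check_shared_account(login_log, account="admin", window=timedelta(minutes=10)):
    """Flag one privileged account logged in from two workstations within the window.

    Near-simultaneous sessions from different hosts are the observable symptom
    of a shared account; the window is a constructed threshold.
    """
    events = sorted(
        (datetime.fromisoformat(ts), host) for ts, acct, host in login_log if acct == account
    )
    alarms = []
    for (t1, h1), (t2, h2) in zip(events, events[1:]):
        if h1 != h2 and t2 - t1 <= window:
            alarms.append(Alarm("logical-security",
                                f"{account} on {h1} and {h2} within {t2 - t1}"))
    return alarms


def run_monitor(change_log=CHANGE_LOG, tickets=TICKETS, login_log=LOGIN_LOG):
    """Run every check; a real deployment would route the alarms to the auditor."""
    return check_change_authorization(change_log, tickets) + check_shared_account(login_log)


if __name__ == "__main__":
    for alarm in run_monitor():
        print(f"[{alarm.control}] {alarm.detail}")
```

On the constructed data the monitor raises four alarms: three change-management failures (a change with no ticket, a ticket reference that is not in the register, and a change made under a ticket still pending approval) and one logical-security failure for the administrator account active on two workstations three minutes apart. The checks are deliberately simple so that each alarm carries the evidence an auditor would need to follow up, which is what the prerequisite on reliable sources of evidence requires.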
– Advantages
• Instant capture of internal control problems
• Reduction of intrinsic audit inefficiencies
– Disadvantages
• Difficulty in implementation
• High cost
• Elimination of auditors’ personal judgment and evaluation
VIII - Chapter 1 Case Study
1. Case study Scenario
The IS auditor has been asked to perform preliminary work that will assess the readiness of the organization for a review to measure compliance with new regulatory requirements. These requirements are designed to ensure that management is taking an active role in setting up and maintaining a well-controlled environment and, accordingly, will assess management’s review and testing of the general IT control environment. Areas to be assessed include logical and physical security, change management, production control and network management, IT governance, and end-user computing. The IS auditor has been given six months to perform this preliminary work, so sufficient time should be available. It should be noted that in previous years, repeated problems have been identified in the areas of logical security and change management, so these areas will most likely require some degree of remediation. Logical security deficiencies noted included the sharing of administrator accounts and failure to enforce adequate controls over passwords. Change management deficiencies included improper segregation of incompatible duties and failure to document all changes. Additionally, the process for deploying operating system updates to servers was found to be only partially effective. In anticipation of the work to be performed by the IS auditor, the chief information officer (CIO) requested direct reports to develop narratives and process flows describing the major activities for which IT is responsible. These were completed, approved by the various process owners and the CIO, and then forwarded to the IS auditor for examination.
VIII - Chapter 1 Case Study
2. Case study Questions
2. When testing program change management, how should the sample be selected?
A. Change management documents should be selected at random and examined for appropriateness
B. Changes to production code should be sampled and traced to appropriate authorizing documentation
C. Change management documents should be selected based on system criticality and examined for appropriateness
D. Changes to production code should be sampled and traced back to system-produced logs indicating the date and time of the change