
CISA LECTURE by

Christine Mukhongo, MSc. ITM, BBIT, CISA, CISM, CRISC, CGEIT
0721578689 / 0733432799
christiemukh@yahoo.com
CISA MODULE ONE:
CHAPTER 1: INFORMATION SYSTEM AUDITING PROCESS
PART A: PLANNING
1.1 I.S AUDIT STANDARDS, GUIDELINES AND CODE OF ETHICS
INTRODUCTION
Why Audit?
• To ensure effective operations.
• To affirm compliance with regulations.
• To confirm that the business is functioning well and is prepared to meet challenges.
• To help gain assurance on the level of protection of information assets.
• To assure stakeholders of the financial, operational and ethical wellbeing of the organization.
STANDARDS
Standards define mandatory requirements for IS auditing and reporting. They inform:
• IS audit and assurance professionals of the minimum level of acceptable performance required to meet the professional responsibilities set out in the ISACA Code of Professional Ethics.
• Management and other interested parties of the profession's expectations concerning the work of practitioners.
• Holders of the CISA designation of the professional requirements they must meet.

ISACA standards can be downloaded from www.isaca.org/standards.


Categories of ISACA Standards

i. General Standards
Guiding principles that apply to the conduct of all assignments. They deal with the IS auditor's ethics, independence, objectivity and due care, and with knowledge, competency and skill.
ii. Performance Standards
Deal with the conduct of the assignment, such as:
• planning and supervision, scoping, risk and materiality;
• resource mobilization, supervision and assignment management;
• audit and assurance evidence;
• the exercise of professional judgment.
iii. Reporting Standards
Address the types of reports, the means of communication and the information communicated.
Guidelines
• Provide guidance in applying the IS audit and assurance standards; they are not mandatory.
• Explain how to achieve implementation of the standards.
• The IS auditor should use professional judgment when applying guidelines and should be prepared to justify any departure from the standards.

NOTE: ISACA's exam tests the ability to apply the standards and guidelines within the audit process. The documents may be viewed at www.isaca.org/standards and www.isaca.org/guidelines.
Code of Ethics
Guides the professional and personal conduct of ISACA members and certification holders. Its principles include:
• Support the implementation of, and compliance with, ISACA standards.
• Perform duties with objectivity, due diligence and professional care.
• Serve in the interest of stakeholders in a lawful manner.
• Maintain the privacy and confidentiality of information obtained in the course of duties.
• Maintain competency in the respective fields.
• Inform appropriate parties of the results of work performed, disclosing all significant facts known.
• Support the professional education of stakeholders.
1.2 BUSINESS PROCESSES
• An IS auditor must understand and evaluate existing business processes (their design and implementation) to ensure that internal controls operate effectively.
• Business processes are controlled by policies, processes, practices and organizational structures designed to provide reasonable assurance that the process will achieve its objectives.
• A business process owner identifies process requirements, approves process design and manages process performance.
I.S Internal Audit Function
An audit charter establishes the role of the IS internal audit function.

Management of the IS Audit Function
• Should focus on fulfilling the audit function's objectives while preserving independence and competence. Because IS technology changes constantly, an IS auditor should maintain technical competence through appropriate continuing professional education (CPE).
• Should ensure value-added contributions to senior management towards efficient management of IT and achievement of business objectives.
• The IT resources necessary to perform IS audits properly should be provided.
Audit Planning
• Conducted to establish the overall audit strategy and to detail the specific procedures to be carried out to implement the strategy and complete the audit.
• Short term (covering the current year) and long term (based on changes in the organization's IT strategic direction and environment).
• The auditor must understand the business environment (practices, functions and the IS systems in place).
• The overall approach to individual assignments may be affected by considerations such as changes in the application of technology, privacy issues, regulatory requirements and periodic risk-assessment results.

Effect of Laws and Regulations on I.S Audit Planning
• The major areas of regulatory concern are the legal requirements placed on the audit and the legal requirements placed on the auditee and its management.
Business Process Application Controls

Application systems environments

1. E-commerce: buying and selling of goods and services online.
• E-commerce types: B2B, B2C, C2C, C2B, B2G and C2G.
• E-commerce architectures: single tier, two tier and three tier.

Risks associated with e-commerce:
• Spread of malware via email, malicious websites and mobile device applications; loss of confidentiality, integrity and availability; weak authentication and non-repudiation; power shift to customers.
I.S Auditor's role in the e-commerce business process
Review the following:
• Agreements prepared prior to engaging in the business.
• Security architecture for e-commerce (e.g. internet firewalls, public key infrastructure, encryption, certificates, PCI DSS compliance and password management).
• Firewall mechanisms in place.
• A process whereby participants can be identified uniquely and positively.
• Procedures in place to control changes to an e-commerce presence.
• E-commerce application logs.
• Methods and procedures to recognize security breaches when they occur (e.g. IDS).
• Protections to ensure that individuals' data is not disclosed, among others.
2. Electronic Data Interchange (EDI)

Types of EDI
i. Traditional EDI
ii. Web-based EDI

EDI Risks and Controls
Risks:
• Transaction authorization.
• Unclear definition of responsibilities.
• Loss of business continuity.
• Unauthorized access to electronic transactions.
• Deletion or manipulation of transactions prior to or after the establishment of application controls.
• Loss or duplication of EDI transmissions.
• Loss of confidentiality and improper distribution of EDI transactions while in the possession of third parties.
EDI process controls:
• Set standards for validating the message format and content to avoid transmission errors.
• Put controls in place to ensure proper conversion of transmissions.
• Controls to test the reasonableness of messages received.
• Safeguards against manipulation of data in active transactions, files and archives.
• Procedures to determine that messages are from authorized parties and that transmissions are properly authorized.
• Use of direct or dedicated transmission channels to reduce the risk of tapping into the transmission lines.
• Encryption of data using agreed-upon algorithms.
• Electronic signatures to identify the source and destination.
• Message authentication to ensure that what is sent is what is received.
I.S Auditor's role in the EDI business process
Ensure that all inbound EDI transactions are received and translated accurately, passed to an application and processed only once, by reviewing:
• Internet encryption processes (confidentiality, integrity, authenticity and non-repudiation).
• Edit checks to identify erroneous, unusual or invalid transactions.
• Computerized checks to assess reasonableness and validity.
• Logging of inbound transactions on receipt.
• Use of control totals on receipt of transactions: transaction set totals and batch control totals.
• Validity of the sender.
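The inbound checks listed above (sender validity, batch control totals, receipt logging, once-only processing and edit checks) can be seen working together in the following added example. It is not code from the lecture or from any EDI product: the message format is a simplified JSON envelope standing in for X12/EDIFACT, the partner keys, the `MAX_REASONABLE_AMOUNT` policy limit and the sample transactions are constructed, and HMAC-SHA256 is used as the message authentication mechanism.

```python
"""Inbound EDI checks an IS auditor expects to see: sender authentication,
batch control totals, receipt logging, once-only processing and edit checks
(added example, not from the lecture)."""
import hashlib
import hmac
import json
from dataclasses import dataclass, field

# Assumption: each trading partner shares an HMAC key agreed in the trading
# partner agreement. The keys and the policy limit below are constructed.
PARTNER_KEYS = {"ACME": b"acme-shared-secret", "GLOBEX": b"globex-shared-secret"}
MAX_REASONABLE_AMOUNT = 50_000.00


def sign_batch(partner_id: str, payload: str) -> str:
    """Message authentication code over the raw payload (sender and receiver side)."""
    return hmac.new(PARTNER_KEYS[partner_id], payload.encode(), hashlib.sha256).hexdigest()


def build_envelope(partner_id: str, control_number: str, txns: list) -> dict:
    """Sender side: wrap transactions with a trailer of control totals and sign."""
    payload = json.dumps({
        "control_number": control_number,
        "transactions": txns,
        "trailer": {"count": len(txns),
                    "hash_total": round(sum(t["amount"] for t in txns), 2)},
    }, sort_keys=True)
    return {"sender": partner_id, "payload": payload, "mac": sign_batch(partner_id, payload)}


@dataclass
class InboundLog:
    """Receipt log plus the batch and transaction identifiers already processed."""
    entries: list = field(default_factory=list)
    batches: set = field(default_factory=set)
    transactions: set = field(default_factory=set)


def validate_batch(envelope: dict, log: InboundLog) -> dict:
    """Receiver side. Returns accepted ids, rejected (id, reason) pairs and any
    batch-level error; a batch-level error means nothing was processed."""
    result = {"accepted": [], "rejected": [], "batch_error": None}
    partner, payload = envelope.get("sender"), envelope.get("payload", "")
    # Validity of the sender: unknown partner or failed MAC rejects the whole batch.
    if partner not in PARTNER_KEYS:
        result["batch_error"] = "unknown sender"
        return result
    if not hmac.compare_digest(sign_batch(partner, payload), envelope.get("mac", "")):
        result["batch_error"] = "message authentication failed"
        return result
    batch = json.loads(payload)
    txns, trailer = batch["transactions"], batch["trailer"]
    # Batch control totals: count and hash total must match the trailer.
    if trailer["count"] != len(txns):
        result["batch_error"] = "transaction count does not match trailer"
        return result
    if abs(round(sum(t["amount"] for t in txns), 2) - trailer["hash_total"]) > 0.005:
        result["batch_error"] = "hash total does not match trailer"
        return result
    # Duplicate transmission: the same control number from the same partner.
    if (partner, batch["control_number"]) in log.batches:
        result["batch_error"] = "duplicate transmission"
        return result
    # Log receipt before processing so the audit trail survives a later failure.
    log.batches.add((partner, batch["control_number"]))
    log.entries.append(("received", partner, batch["control_number"], len(txns)))
    # Edit checks and once-only processing per transaction.
    for t in txns:
        key = (partner, t["id"])
        if key in log.transactions:
            result["rejected"].append((t["id"], "duplicate transaction"))
        elif not t.get("po_number"):
            result["rejected"].append((t["id"], "missing PO number"))
        elif not 0 < t["amount"] <= MAX_REASONABLE_AMOUNT:
            result["rejected"].append((t["id"], "amount fails reasonableness check"))
        else:
            log.transactions.add(key)
            result["accepted"].append(t["id"])
    return result


# Constructed sample transactions (simplified; real EDI would be X12 or EDIFACT).
FIRST_BATCH = [
    {"id": "PO-1001", "po_number": "4711", "amount": 1250.00},
    {"id": "PO-1002", "po_number": "", "amount": 300.00},         # missing PO number
    {"id": "PO-1003", "po_number": "4712", "amount": 99_999.00},  # unreasonable amount
]
RESEND_BATCH = [
    {"id": "PO-1001", "po_number": "4711", "amount": 1250.00},    # already processed
    {"id": "PO-1004", "po_number": "4713", "amount": 80.00},
]


def run_demo() -> tuple:
    """Runs a first batch, a replay of it, a resend with one new item, and a tampered batch."""
    log = InboundLog()
    first = validate_batch(build_envelope("ACME", "CN-0001", FIRST_BATCH), log)
    replay = validate_batch(build_envelope("ACME", "CN-0001", FIRST_BATCH), log)
    resend = validate_batch(build_envelope("ACME", "CN-0002", RESEND_BATCH), log)
    tampered = build_envelope("ACME", "CN-0003", FIRST_BATCH)
    tampered["payload"] = tampered["payload"].replace("1250.0", "9250.0")  # altered in transit
    forged = validate_batch(tampered, log)
    return first, replay, resend, forged


if __name__ == "__main__":
    for name, r in zip(("first", "replay", "resend", "forged"), run_demo()):
        print(name, r)
```

The order of the checks matters for the auditor: authentication and control totals are applied to the whole batch before any transaction is touched, receipt is logged before processing, and only then are the per-transaction edit checks and the once-only rule applied, so a replayed or altered transmission never reaches the application.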
3. E-Mail
Many organizations are moving their email systems to the cloud.

4. Point of Sale (POS) Systems
Risk: storage of cardholder data on the POS. Under PCI DSS, sensitive authentication data (full track data, card verification codes and PIN blocks) must never be stored after authorization, even in encrypted form.

Controls:
• Avoid storing cardholder data (PII) on the POS, or
• Encrypt any cardholder data that must be stored on the POS, and render the PAN unreadable (masked or tokenized) wherever it is displayed or retained.
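As an added example of the POS control above (not from the lecture or any POS vendor), the following shows a storage record that keeps only a masked PAN and a keyed token, drops the CVV, and an auditor's check that flags records still holding prohibited fields. The `TOKEN_KEY` constant, the field names and the sample records are constructed; `4111111111111111` is a well-known test PAN, not a real card. HMAC-SHA256 tokenization is used in place of encryption so the example runs with the standard library only; a production POS would use an HSM-backed key for either approach.

```python
"""Cardholder data at the POS: mask the PAN, tokenize it with a key held
off-device, never persist the CVV, and audit what was persisted
(added example, not from the lecture)."""
import hashlib
import hmac
import re

# Assumption: the token key is held in an HSM or key vault, not on the POS;
# the constant below stands in for it in this example only.
TOKEN_KEY = b"example-key-held-in-hsm"
# Fields PCI DSS forbids storing after authorisation (sensitive authentication
# data) plus the unmasked PAN, which the POS should not keep at all.
FORBIDDEN_FIELDS = ("pan", "cvv", "track2", "pin_block")


def luhn_valid(pan: str) -> bool:
    """Mod-10 check every PAN must pass; weeds out mistyped or garbage numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits, as PCI DSS allows for display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def tokenize_pan(pan: str) -> str:
    """Keyed token so back-office systems can match repeat cards without the PAN."""
    return hmac.new(TOKEN_KEY, pan.encode(), hashlib.sha256).hexdigest()


def to_storage_record(auth_request: dict) -> dict:
    """The only form of a transaction the POS may persist.
    Raises ValueError for a malformed PAN; the CVV and track data are dropped."""
    pan = re.sub(r"\D", "", auth_request["pan"])
    if not 13 <= len(pan) <= 19 or not luhn_valid(pan):
        raise ValueError("invalid PAN")
    return {
        "txn_id": auth_request["txn_id"],
        "amount": auth_request["amount"],
        "masked_pan": mask_pan(pan),
        "pan_token": tokenize_pan(pan),
        "expiry": auth_request["expiry"],
    }


def audit_storage(records: list) -> list:
    """Auditor's test of the POS database: flag records carrying forbidden
    fields or an unmasked PAN. Returns (txn_id, finding) pairs."""
    findings = []
    for rec in records:
        for fieldname in FORBIDDEN_FIELDS:
            if fieldname in rec:
                findings.append((rec.get("txn_id"), f"stores {fieldname}"))
        if "masked_pan" in rec and not re.fullmatch(r"\d{6}\*+\d{4}", rec["masked_pan"]):
            findings.append((rec.get("txn_id"), "PAN not masked"))
    return findings


# Constructed sample: a fresh authorisation request and a legacy record left by
# an older POS build that wrote the raw card data to disk.
SAMPLE_AUTH = {"txn_id": "T-1", "amount": 42.00, "pan": "4111 1111 1111 1111",
               "expiry": "12/27", "cvv": "123"}
LEGACY_RECORD = {"txn_id": "T-0", "amount": 10.00, "pan": "4111111111111111", "cvv": "123"}


def run_demo() -> tuple:
    """Persist one transaction safely, then audit it alongside the legacy record."""
    safe = to_storage_record(SAMPLE_AUTH)
    return safe, audit_storage([safe, LEGACY_RECORD])
```

`audit_storage` is the kind of check the IS auditor would run across an extract of the POS database: any hit on a forbidden field is a finding regardless of whether the value was encrypted, because sensitive authentication data may not be retained at all.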
5. Electronic Banking
Risks include:
• Strategic, operational, reputational, credit, price, foreign exchange, interest rate and liquidity risks.
An IS auditor is most concerned with the risks that are heightened by the rapid introduction and underlying technological complexity of e-banking.
Risk management challenges:
• Speed of change.
• Integration of e-banking websites with associated retail business applications.
• Increased dependency on information technology.
• Oversight of outsourcing relationships and other third-party dependencies.
• Significantly magnified importance of security controls, customer authentication techniques and data protection.
5. Electronic Banking (cont.)
Controls:
Board and management oversight
• Effective oversight of e-banking services.
• A comprehensive security control process.
• Comprehensive due diligence.
• Oversight of outsourcing relationships and other third-party dependencies.
Security controls
• Authentication of e-banking customers; non-repudiation and accountability for e-banking transactions; segregation of duties; proper authorization controls; data integrity of transactions, records and information; audit trails for transactions; confidentiality of key bank information.
Legal and reputational risk management
• Privacy of customer information, appropriate disclosure for e-banking services, business continuity and contingency planning, capacity planning, incident response planning, and compliance with banking sector directives.

I.S Auditor's concern in the electronic banking process:
• Strategic, operational and reputational risks.
6. Electronic Funds Transfer (EFT)
Risk: loss of large amounts of money.

Controls: access security and authorization of processing.

I.S Auditor's role in the EFT business process
• Review the physical security of unissued plastic cards, the procedure used to generate PINs, the procedure used to issue cards and PINs, and the conditions under which the consumer uses the access devices.
• Ensure that reasonable authentication methods are required to access EFT systems and that all transactions are encrypted; determine the conditions under which the PIN might be accessible in clear text.
• Review the contract with the switch vendor and the third-party audit of switch operations.
7. Automated Teller Machines (ATMs)

I.S Auditor's role in the use of ATMs
Review physical security, measures to establish proper customer identification and maintain confidentiality, the file maintenance and retention system, exception reports, daily reconciliation of transactions and the encryption key change management procedure.
8. Electronic Finance

Risks:

Controls:

I.S Auditor's role in the use of Electronic Finance

9. Integrated Manufacturing Systems (IMS)

Risks:

Controls:

I.S Auditor's role in the use of IMS
10. Industrial Control Systems (ICS)

Risks:
• Blocked or delayed flow of information through the ICS, disrupting ICS operation.
• Unauthorized changes to instructions, commands or alarm thresholds, which can damage, disable or shut down systems, with environmental impact or danger to human life.
• Inaccurate information, such as unauthorized changes, sent to system operators.
• Modification of software, software infection or changes to configuration settings.
Controls:
• Restricted logical access (using a DMZ, separate authentication mechanisms and credentials for the corporate and ICS networks, and a multi-layered network topology with the most critical communication occurring in the most secure layer).
• Restricted physical access to networks and devices.
• Protection of ICS components from exploitation (security patches, disabling all unused ports and services, restricted user privileges, audit trail monitoring and file integrity checking software).
• Quick system restoration after an incident.
Using The Services Of Other Auditors And Experts
What to consider:
• Legal and regulatory restrictions on outsourcing.
• Audit charter or contractual stipulations.
• Impact on overall and specific IS audit objectives.
• Impact on IS audit risk and professional liability.
• Independence and objectivity of the other auditors and experts.
• Professional competence, qualifications and experience.
• Scope of work proposed to be outsourced and the approach.
• Supervisory and audit management controls.
• Method and modalities of communicating the results of audit work.
• Compliance with legal and regulatory stipulations.
• Compliance with applicable professional standards.
• Testimonials/references and background checks.
• Access to systems, premises and records.
• Confidentiality restrictions to protect customer-related information.
• Use of computer-assisted audit techniques (CAATs) and other tools by the external service provider.
• Standards and methodologies for performance of work and documentation.
• Non-disclosure agreements.
When auditing services are outsourced, professional liability is not delegated; therefore the outsourcing entity should:
• Clearly communicate the audit objectives, scope and methodology through a formal engagement letter.
• Establish a monitoring process for regular review of the work with regard to planning, supervision, review and documentation.
• Assess the usefulness and appropriateness of the reports of such external providers, and assess the impact of significant findings on the overall audit objectives.
1.3 TYPES OF CONTROLS
• An effective control is one that prevents, detects and/or contains an incident and enables recovery from a risk event.
• Controls are the policies, procedures, practices and organizational structures through which organizations design, develop, implement and monitor information systems to address these risks.
• Internal controls provide reasonable assurance to management that business objectives will be achieved and that risk events will be prevented, or detected and corrected. Controls can be manual or automated.
• The board of directors and senior management are responsible for establishing the appropriate culture to facilitate an effective and efficient internal control system and for continuously monitoring its effectiveness.
• Each individual within the organization must take part in establishing and maintaining that culture.
Classification of controls:

1. Preventive: stop an undesired event before it occurs (e.g. access control lists, segregation of duties, input validation).
2. Detective: identify an undesired event after it has occurred (e.g. audit logs, intrusion detection systems, reconciliations).
3. Corrective: remedy the effects of a detected event and restore normal operation (e.g. restoring from backup, applying a patch, invoking the business continuity plan).
4. Deterrent: discourage a would-be violator without physically stopping them (e.g. warning banners, visible cameras, a published sanctions policy).

NOTE: A CISA candidate should understand the purpose of and differences between the above controls and be able to recognize examples of each.
Control objectives and control measures
• A control objective is an objective of one or more operational areas or roles that must be achieved in order to contribute to the fulfilment of the company's strategic goals.
• It is a statement of the desired result or purpose to be achieved by implementing control activities; control objectives may relate to:
  • effectiveness and efficiency of operations, reliability of financial reporting, compliance with applicable laws and regulations, and safeguarding of assets.
• Each control should have a control objective; control objectives need to be addressed relevant to specific IS-related processes.
• A control measure is an activity contributing to the fulfilment of a control objective.
I.S control objectives are:
• Statements of the desired result or purpose to be achieved by implementing controls around IS processes.
• Comprised of policies, procedures, practices and organizational structures.
• Designed to provide reasonable assurance that business objectives will be achieved and undesired events will be prevented, or detected and corrected.
• Organizational management should make choices relating to control objectives by:
  • selecting applicable control objectives;
  • deciding which control objectives will be implemented;
  • choosing how to implement them (frequency, span, automation, etc.);
  • accepting the risk of not implementing the others.
Specific IS control objectives include:
• Safeguarding assets.
• Ensuring that the SDLC is established and operates effectively.
• Ensuring the integrity of general operating system environments, network management and operations.
• Ensuring the integrity of sensitive and critical application system environments.
• Ensuring appropriate identification and authentication of users of IS resources.
• Complying with user requirements, organizational policies and procedures, and applicable laws and regulations.
• Ensuring the availability of IT services by developing efficient BCP/DRPs.
• Enhancing the protection of data and systems by developing an incident response plan.
• Ensuring integrity and reliability by implementing effective change management procedures.
• Ensuring that outsourced IS processes and services and their contract terms have clearly defined SLAs.
Evaluation Of The Control Environment
An IS auditor reviews the evidence gathered during the audit to determine whether the operations reviewed are well controlled and effective.
The IS auditor also assesses the strengths and weaknesses of the controls evaluated and determines whether they are effective in meeting the control objectives.
A control matrix is used in assessing the proper level of controls: it summarizes the processes (or control objectives) and the controls over them, so that gaps and overlaps become visible.

Sample control matrix

• A strong control may compensate for a weak control in another area.
• A compensating control situation occurs when one stronger control supports a weaker one; overlapping controls are two strong controls covering the same objective.
• A control objective will not be achieved by considering one control adequate in isolation.
• An IS auditor should perform a variety of testing procedures and evaluate how the controls relate to one another.
General Controls
They apply to all areas of an organization and include:
• Internal accounting controls, for accounting operations.
• Operational controls, for day-to-day operations, functions and activities.
• Administrative controls, concerned with operational efficiency and adherence to management policies.
• Organizational security policies and procedures, to ensure proper usage of assets.
• Overall policies to help ensure proper recording of transactions.
• Procedures and practices to ensure adequate safeguards over access to and use of assets.
• Physical and logical security policies for all facilities, data centres and IT resources.
I.S Specific Controls
• Strategy and direction of the IT function.
• General organization and management of the IT function.
• Access to IT resources, including data and programs.
• Systems development methodologies and change control.
• Operations procedures.
• Systems programming and technical support functions.
• Quality assurance (QA) procedures.
• Physical access controls.
• BCP/DRP.
• Networks and communication technology (e.g. LANs, WANs, wireless).
• Database administration.
• Protective and detective mechanisms against internal and external attacks.

Note: A CISA candidate should understand concepts regarding IS controls and how to apply them in planning an audit.
