Professional Documents
Culture Documents
i. General Standards
Apply to the conduct of all assignments.
Deal with an IS auditor's ethics, independence, objectivity and due care, and with
knowledge, competency and skill.
ii. Performance Standards
Deal with the conduct of the assignment itself, such as:
planning and supervision, scoping, risk and materiality,
resource mobilization, supervision and assignment management,
audit and assurance evidence
exercising professional judgment.
iii. Reporting Standards
Address the types of reports, the means of communication and the information communicated.
Guidelines
NOTE: ISACA's exam tests the ability to apply the Standards and Guidelines
within the audit process. The documents may be viewed at
www.isaca.org/standards and www.isaca.org/guidelines.
Code of Ethics
Audit planning is conducted to establish the overall audit strategy and to detail the
specific procedures to be carried out to implement that strategy and complete
the audit.
Planning is both short term (the audits to be performed during the current year) and
long term (based on changes in the organization's IT strategic direction and environment).
An auditor must understand the business environment (practices,
functions, IS systems in place).
The overall approach to individual assignments may be affected by
considerations such as changes in the application of technology, privacy
issues, regulatory requirements and the results of periodic risk assessments.
Effect of Laws and Regulations on IS Audit Planning
The major areas of regulatory concern are the legal requirements placed on the
audit itself and the legal requirements placed on the auditee and its management.
Business Process Application Controls
Controls:
Avoid storing cardholder (PII) data on the POS or…
Encrypt any cardholder data that is stored on the POS.
5. Electronic Banking
Risks include:
Strategic, operational, reputational, credit, price, foreign exchange, interest rate,
liquidity risks.
An IS auditor is most concerned with the risks that are heightened by the rapid
introduction and underlying technological complexity of e-banking.
Risk management challenges:
Speed of change,
integration of e-banking websites with associated retail business applications,
Increased dependency on information technology,
oversight for outsourcing relationships and other third-party dependencies.
significantly magnified importance of security controls, customer authentication
techniques and data protection.
Controls:
Board and management oversight
Effective oversight of e-banking services,
comprehensive security control process,
comprehensive due diligence,
oversight for outsourcing relationships and other third-party dependencies.
Security controls
Authentication of e-banking customers, non-repudiation and accountability for
e-banking transactions, segregation of duties, proper authorization controls, data
integrity of transactions, records and information, audit trails for transactions,
and confidentiality of key information.
Controls (continued):
Legal and reputational risk management
Privacy of customer information, appropriate disclosure for e-banking services, business
continuity, capacity, incident response planning, and compliance with banking sector
directives.
6. EFT (Electronic Funds Transfer)
Risks: loss of large amounts of money.
8. Electronic Finance
Risks:
Controls:
Risks:
Controls:
IS Auditor's role in the use of IMS
Risks:
Blocked or delayed flow of information through the ICS, disrupting ICS operation.
Unauthorized changes to instructions, commands or alarm thresholds, which can damage,
disable or shut down systems, with resulting environmental impact or danger to human
lives.
Inaccurate information, such as unauthorized changes, sent to system operators.
Modification of software, software infection, or altered configuration settings.
Business Process Application Controls
1. Preventive
2. Detective
3. Corrective
4. Deterrent
NOTE: A CISA candidate should understand the purpose and differences between the
above controls and be able to recognize examples of each.
Control objectives and control measures
A control objective is an objective of one or more operational areas or roles that must
be achieved in order to contribute to the fulfilment of the strategic goals of the
company.
A statement of the desired result or purpose to be achieved by implementing
control activities; they may relate to:
Effectiveness and efficiency of operations, reliability of financial reporting,
compliance with applicable laws and regulations, safeguarding assets.
Each control should have a control objective; control objectives need to be
addressed relevant to specific IS-related processes.
A control measure is an activity that contributes to the fulfilment of a control objective.
IS control objectives are:
Statements of the desired result or purpose to be achieved by implementing
controls around IS processes.
Composed of policies, procedures, practices and organizational structures.
Designed to provide reasonable assurance that business objectives will be achieved
and undesired events will be prevented, or detected and corrected.
Organizational management should make choices relating to control objectives by:
Selecting the applicable control objectives,
deciding which control objectives will be implemented,
choosing how to implement them (frequency, span, automation…), and
accepting the risk of not implementing them.
Specific IS control objectives include:
Safeguarding assets
Ensuring that an SDLC is established and operates effectively.
Ensuring integrity of general OS environments, network management and
operations.
Ensuring integrity of sensitive and critical application system environments.
Ensuring appropriate identification and authentication of users of IS resources.
Complying with user requirements, organizational policies and procedures and
applicable laws and regulations.
Ensuring availability of IT services by developing efficient BCP/DRPs.
Enhancing protection of data and systems by developing an incident response plan.
Ensuring integrity and reliability by implementing effective change management
procedures.
Ensuring that outsourced IS processes and services, and their contract terms, have clearly
defined SLAs.
Evaluation Of The Control Environment
An IS auditor reviews the evidence gathered during the audit to determine whether the
operations reviewed are well controlled and effective.
The IS auditor also assesses the strengths and weaknesses of the controls evaluated and
determines whether they are effective in meeting the control objectives.
A control matrix is used to assess whether the level of control is appropriate: it maps the
processes under review to their control objectives and to the controls that address each one.
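The gap analysis an auditor performs on such a matrix, as an added example (not code from the original page or from ISACA): the process names, objectives, controls and test results below are constructed sample data, and the finding categories are assumptions chosen to illustrate the preventive/detective/corrective/deterrent distinction above.

```python
"""Control-matrix gap analysis.

Given the control objectives required for each process and the controls
actually mapped to them (with their type and the result of effectiveness
testing), report every objective that is not adequately controlled.
"""

# Control types as listed on the page.
CONTROL_TYPES = ("preventive", "detective", "corrective", "deterrent")

# Constructed sample matrix (hypothetical bank; not from the page).
OBJECTIVES = {
    "Online payments": [
        "Authentication of e-banking customers",
        "Segregation of duties",
        "Audit trails for transactions",
    ],
    "Change management": [
        "Integrity of application environments",
        "Availability of IT services",
    ],
    "Third-party outsourcing": [
        "Oversight of third-party dependencies",
    ],
}

# (process, objective, control, control type, tested effective?)
CONTROLS = [
    ("Online payments", "Authentication of e-banking customers",
     "MFA required at login", "preventive", True),
    ("Online payments", "Segregation of duties",
     "Dual approval for transfers above limit", "preventive", False),
    ("Online payments", "Audit trails for transactions",
     "Transaction log reviewed daily", "detective", True),
    ("Change management", "Integrity of application environments",
     "Change advisory board approval", "preventive", True),
    ("Change management", "Integrity of application environments",
     "Documented rollback procedure", "corrective", True),
    ("Change management", "Availability of IT services",
     "DR runbook", "corrective", True),
    # "Oversight of third-party dependencies" has no control mapped at all.
]


def build_matrix(objectives, controls):
    """Return {(process, objective): [(control, type, effective), ...]}.

    Every declared objective gets a row even if no control maps to it, so
    unaddressed objectives are visible rather than silently absent.
    """
    matrix = {(p, o): [] for p, objs in objectives.items() for o in objs}
    for process, objective, name, ctype, effective in controls:
        if ctype not in CONTROL_TYPES:
            raise ValueError(f"{name!r}: unknown control type {ctype!r}")
        key = (process, objective)
        if key not in matrix:
            raise ValueError(f"{name!r}: {objective!r} is not an objective of {process!r}")
        matrix[key].append((name, ctype, effective))
    return matrix


def find_gaps(objectives, controls):
    """Return sorted (process, objective, finding) tuples.

    Finding categories (assumed for this example):
      NO_CONTROL            no control is mapped to the objective
      NOT_EFFECTIVE         controls exist but none passed testing
      NO_PREVENT_OR_DETECT  only corrective/deterrent controls are effective,
                            so nothing stops or notices the undesired event
    """
    findings = []
    for (process, objective), rows in sorted(build_matrix(objectives, controls).items()):
        effective_types = {ctype for _, ctype, ok in rows if ok}
        if not rows:
            findings.append((process, objective, "NO_CONTROL"))
        elif not effective_types:
            findings.append((process, objective, "NOT_EFFECTIVE"))
        elif not effective_types & {"preventive", "detective"}:
            findings.append((process, objective, "NO_PREVENT_OR_DETECT"))
    return findings


if __name__ == "__main__":
    for process, objective, finding in find_gaps(OBJECTIVES, CONTROLS):
        print(f"{finding:22} {process}: {objective}")
```

Only effective controls count toward coverage, which mirrors the auditor's view that a documented control that failed testing provides no assurance; the third category flags objectives where the organization can recover from an event but would neither prevent nor detect it.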
Note: A CISA candidate should understand concepts regarding IS controls and how to
apply them in planning an audit.