
Domain 1: IS Audit Process

Policy
An executive mandate to identify a topic containing particular risks to avoid or prevent. Policies are high-level documents signed by a person of significant authority with the power to force cooperation.

Guidelines
These are intended to provide advice pertaining to how organizational objectives might be obtained in the absence of a standard.

Procedures
These are "cookbook" recipes providing a workflow of the specific tasks necessary to achieve minimum compliance with a standard. Details are written in step-by-step format from the very beginning to the end.

ISACA Code of Professional Ethics (8 points):
- Auditors agree to support the implementation of appropriate policies, standards, guidelines, and procedures for information systems. They will also encourage compliance with this objective.
- Auditors agree to perform their duties with objectivity, professional care, and due diligence in accordance with professional standards, implementing the use of best practices.
- Auditors agree to serve the interests of stakeholders in an honest and lawful manner that reflects a credible image upon their profession. The public expects and trusts auditors to conduct their work in an ethical and honest manner.
- Auditors promise to maintain the privacy and confidentiality of information obtained during their audit, except for required disclosure to legal authorities. Information they obtain during the audit will not be used for personal benefit.
- Auditors agree to undertake only those activities in which they are professionally competent and will strive to improve their competency. Their effectiveness in auditing depends on how evidence is gathered, analyzed, and reported.
- Auditors promise to disclose accurate results of all work and significant facts to the appropriate parties.
- Auditors agree to support ongoing professional education to help stakeholders enhance their understanding of information systems security and control.
The failure of a CISA to comply with this code of professional ethics may result in an investigation with possible sanctions or disciplinary measures.

3 basic types of audit:
- Internal audits and assessments
- External audits
- Independent audits (third party, outside of the customer-supplier influence)
In all cases, auditors are called to audit products, processes, and systems.

Standards

Auditing standards
There are two basic categories of audit testing: audits either verify that an item necessary for compliance exists (compliance test) or check inside for the substance and integrity of a claim (substantive test).

Audit standards:
- American Institute of Certified Public Accountants (AICPA) and International Federation of Accountants (IFAC)
- Financial Accounting Standards Board (FASB), with the Statement on Auditing Standards (SAS)
- International Financial Reporting Standards (IFRS), which replaced the Generally Accepted Accounting Principles (GAAP)
- COSO
- U.S. Public Company Accounting Oversight Board (PCAOB) of the Securities and Exchange Commission; it is the standards body for Sarbanes-Oxley
- OECD, providing guidelines for participating countries to promote standardization in multinational business for world trade
- ISO
- FISMA
- ISACA and the IT Governance Institute (ITGI)
- Basel Accord Standard

ISACA IS Audit Standards
They are organized using a format numbered from 1 to 16:
S1 Audit charter
S2 Independence
S3 Professional ethics and standards of conduct
S4 Professional competence
S5 Planning
S6 Performance of audit work
S7 Audit reporting
S8 Follow-up activities
S9 Irregularities and illegal acts
S10 IT governance
S11 Use of risk analysis in audit planning
S12 Audit materiality
S13 Using the work of other people
S14 Proper audit evidence
S15 Effective IT controls
S16 Electronic commerce controls

Retaining audit documentation
In most cases, the archive of the integrated audit may need to be kept for seven years. Each type of audit may have a longer or shorter retention period, depending on the regulations identified during audit planning.

The evidence rule
A good auditor will use sufficient evidence to formulate the auditor's opinion.

Chapter 2: Managing IT governance
Corporate governance is often defined by ISACA as the ethical behavior of corporate executives toward shareholders and stakeholders to maximize the return on a financial investment. Three high-level management objectives to be verified by the auditor are as follows:
- A strategic alignment between IT and the enterprise objectives (formal strategy)
- A process of monitoring assurance practices for executive management
- An intervention as required to stop, modify, or fix failures as they occur (corrective action)

The IT steering committee or IT strategy committee is used to convey the current business requirements from business executives to IT executives. It should have a formal charter designating the participation of each member. This charter grants responsibility and authority in a concept similar to an audit charter. The representation necessary on the steering committee:
- Marketing
- Manufacturing / Software development
- Sales
- Finance
- Legal
- Quality control
- Research and development
- Program and project management office
- Business continuity
- Information technology
- Human resources
- Labor management
- Administration

The balanced scorecard
The balanced scorecard is a strategic methodology designed for senior executives.

IT subset of the balanced scorecard
The IT balanced scorecard should be a subset of the organization's overall balanced scorecard. As a CISA, you need to understand how the balanced scorecard can be applied specifically to information technology. ISACA describes the scorecard by using three layers that incorporate the more common four perspectives (customer, business process, financial, and growth and learning). The three layers for IT scoring according to ISACA are as follows:
- Mission (opportunities for future needs)
- Strategy (common platitudes include the following: attain IT control objectives)
- Metrics (develop and implement meaningful IT metrics based on critical success factors and key performance indicators)

Decoding the IT strategy

The auditor should remain aware that a shadow organization represents a genuine control failure. This lack of integration represents an ongoing concern in the areas of cost control, duplication of effort, or a political difference in both direction and objectives.

PMO vs Doing it all yourself

Here is a short list of the policies required to address issues faced by IT governance:
- Intellectual property: the IS auditor should understand how the organization is attempting to protect its intellectual property.
- Data integrity: the goal is to ensure that data is accurate and safely stored.
- Backup and restoration: what are the plans and procedures for data backup and restoration? The number one issue in IT is loss of data due to faulty backup.
- Security management: without security controls, ensuring data integrity is impossible. Internal controls prevent unauthorized modifications.
- Mandatory versus discretionary controls: the organization needs to clearly identify its management directives for the implementation of controls.
  - Mandatory control: the strongest type of control. The implementation may be administrative or technical. It is designed to force compliance without exception.
  - Discretionary control: the weakest type of control is discretionary. In a discretionary control, the user or a delegated person of authority determines what is acceptable.
- Monitoring: it should provide the valuable metrics necessary to compare alignment to business objectives.
- Incident response: a response by skilled individuals is required to deal with technical problems or the failure of internal controls.

Audit program objectives and scope
Every audit will contain a list of objectives. High-level objectives may come from an executive mandate, regulations, or industry standards. The auditor should expect audit program objectives to vary according to department, task, subject matter, or a particular step in the process workflow. Larger organizations have more audit objectives; smaller organizations usually have fewer, because management has better control with fewer communication problems in a smaller organization. The table below demonstrates a simplified view of some audit program objectives that a company would encounter:

The following audit planning issues should be considered regardless of the size of the organization:
- Number of geographic locations
- Diversity of products
- Activities outsourced to third parties (subcontract)
- Needs for certification, accreditation, or registration
- Concerns raised by interested parties
- Complexity of regulations or contracts to be audited
- Type, scope, and number of activities to be audited
- Participation required by external subcontractors
- Audit frequency
- Follow-up on recommendations in previous audits
- Cost, resource, and time requirements
- Discontinuation of low-profit activities, layoffs, failing products

Planning individual audits
- Audit scope
- Audit criteria
- Audit team

The audit charter outlines the responsibility, authority, and accountability of the auditor.
- Responsibility: provides scope with goals and objectives
- Authority: grants the right to perform an audit and the right to obtain access relevant to the audit
- Accountability: defines mutually agreed-upon actions between the audit committee and the auditor, complete with reporting requirements

Role of the audit committee

Each organization should have an audit committee composed of business executives. Each audit committee member is required to be financially literate, with the ability to read and understand financial statements. The purpose of the audit committee is to provide advice to the executive accounting officer concerning internal control strategies, priorities, and assurances. The audit committee manages planned audit activities and the results of both internal and external audits. The committee is authorized to engage outside experts for independent assurance.

Understanding the variety of audit

Risk assessment:
- Inherent risk: these are natural or built-in risks that always exist.
- Detection risks: these are the risks that an auditor will not be able to detect what is being sought. It would be terrible to report no negative results when material conditions (faults) actually exist. Detection risks include sampling and nonsampling risks.
  - Sampling risks: these are the risks that an auditor will falsely accept or erroneously reject an audit sample (evidence).
  - Nonsampling risks: these are the risks that an auditor will fail to detect a condition because of not applying the appropriate procedure or using procedures inconsistent with the audit objective (detection fault).
- Control risks: these are the risks that an auditor loses control, errors could be introduced, or errors may not be corrected in a timely manner.
- Business risks: these are risks that are inherent in the business or industry itself (regulatory, contractual, financial).
- Technological risks: these are the inherent risks of using automated technology.
- Operational risks: these are the risks that a process or procedure will not perform correctly.
- Residual risks: these are the risks that remain after all mitigation efforts are performed.
- Audit risks: the combination of inherent, detection, control, and residual risks. These are the same risks facing normal business operations.

Risk assessment activities

Using data collection techniques:
- Staff observation
- Document review
- Interviews
- Workshops
- Computer-assisted audit tools (CAAT)
- Surveys

Understanding the hierarchy of internal controls

General controls
Parent class of controls governing all areas of the business (job descriptions, separation of duties).

Pervasive IS controls
The direction and behavior required for technology to function properly.

Detailed IS controls
Specific steps or tasks to be performed (how security parameters are set, how to lock a user account).

Application controls (embedded in programs)
Lowest subset in the control family. All activity should have filtered through the general controls, and then the pervasive controls and detailed controls, before it reaches the application-controls level.

Types of evidence:
- Direct evidence: this proves the existence of a fact without inference or presumption. Inference is when you draw a logical and reasonable proposition from another that is supposed to be true. Direct evidence includes the unaltered testimony of an eyewitness and written documents.
- Indirect evidence: uses a hypothesis without direct evidence to make a claim that consists of both inference and presumption. Indirect evidence is also known as circumstantial evidence.

Selecting audit sampling
Audit samples are selected for the purpose of collecting representative evidence to be subjected to either compliance testing or substantive testing. Two basic types of audit samples can be designed by the auditor: statistical and nonstatistical.

- Random sampling: samples are selected at random.
- Cell sampling: random selection is performed at predefined intervals.
- Fixed interval sampling: the sample existing at every n+ interval increment is selected for testing.

Using computer-assisted audit tools
These tools are capable of executing a variety of automated compliance tests and substantive tests that would be nearly impossible to perform manually. They include multifunction audit utilities, which can analyze logs, perform vulnerability tests, or verify the implementation of compliance in a system configuration compared to the intended controls. CAAT includes the following types of software tools and techniques:
- Host evaluation tools that read the system configuration settings and evaluate the host for known vulnerabilities
- Network traffic and protocol analysis using a sniffer
- Mapping and tracing tools that use a tracer-bullet approach to follow processes through a software application using test data
- Testing the configuration of specific application software such as an SQL database
- Software license counting across the network
- Testing for password compliance on user login accounts

Using CAAT for continuous online audit
Six types of continuous online auditing techniques:
- Online event monitors: automated tools designed to read and correlate system logs or transaction logs on behalf of the auditor.
- Embedded program audit hooks: a software developer can write embedded application hooks into their program to generate a red-flag alert to an auditor, hopefully before the problem gets out of hand.
- Continuous and intermittent simulation (CIS) audit: in continuous and intermittent simulation, the application software always tests for transactions that meet certain criteria. When the criteria are met, the software runs an audit of the transaction (intermittent test). Then the computer waits until the next transaction meeting the criteria occurs.
- Snapshot audit: this technique uses a series of sequential data captures that are referred to as snapshots. The snapshots are taken in the logical sequence that a transaction will follow. The snapshots produce an audit trail, which is reviewed by the auditor.
- Embedded audit module (EAM): this integrated audit testing module allows the auditor to create a set of dummy transactions that will be processed along with live, genuine transactions.
- System Control Audit Review File with Embedded Audit Modules (SCARF/EAM): the theory is straightforward. A system-level audit program is installed on the system to selectively monitor the embedded audit modules inside the application software.
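The three sample-selection methods above (random, cell, and fixed interval), implemented over a constructed population of transaction ids as an added example that is not part of the original notes. The population, the interval of 10 and the seeds are assumptions made for the illustration; a seed is taken only so the selection can be reproduced in the workpapers.

```python
import random

# Constructed population (not from the notes): transaction ids TXN-0001 .. TXN-0100
POPULATION = [f"TXN-{i:04d}" for i in range(1, 101)]


def random_sample(population, sample_size, seed=None):
    """Random sampling: every item has the same chance of being selected."""
    rng = random.Random(seed)
    return sorted(rng.sample(population, sample_size))


def fixed_interval_sample(population, interval, start=0):
    """Fixed interval sampling: take the item at every `interval` increment,
    beginning at offset `start` inside the first interval."""
    if not 0 <= start < interval:
        raise ValueError("start must lie inside the first interval")
    return population[start::interval]


def cell_sample(population, interval, seed=None):
    """Cell sampling: split the population into consecutive cells of `interval`
    items and make one random selection inside each cell, so every part of the
    population is represented without the predictability of a fixed step."""
    rng = random.Random(seed)
    selected = []
    for cell_start in range(0, len(population), interval):
        cell = population[cell_start:cell_start + interval]
        selected.append(rng.choice(cell))
    return selected


def cell_of(item, population, interval):
    """Index of the cell an item belongs to (used to verify a cell sample)."""
    return population.index(item) // interval


if __name__ == "__main__":
    print("random        :", random_sample(POPULATION, 10, seed=42))
    print("fixed interval:", fixed_interval_sample(POPULATION, 10, start=3))
    print("cell          :", cell_sample(POPULATION, 10, seed=42))
```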

Grading of evidence
Four criteria: material relevance; evidence objectivity; competency of the evidence provider; evidence independence. The timing of evidence is also important.

Following the evidence lifecycle

Conducting audit evidence testing
The basic test methods used will be either compliance testing or substantive testing.

Compliance testing
Tests for the presence or absence of something. It includes verifying that policies and procedures have been put in place, and checking that user access rights, program change control procedures, and system audit logs have been activated. (Example: compare the list of persons with physical access to the data center against the HR list of current employees.) Compliance testing is based on one of the following types of audit samples:

Attribute sampling
Determines whether an attribute is present or absent in the subject sample. The result is specified by the rate of occurrence; for example, the presence of 1 in 100 units would be 1%.

Stop-and-go sampling
Used when few errors are expected. Stop-and-go allows the test to occur without excessive effort in sampling and provides the opportunity to stop testing at the earliest possible opportunity.

Discovery sampling
This 100 percent sampling is used to detect fraud or when the likelihood of evidence existing is low. Forensics is an excellent example of discovery sampling.

Precision, or expected error rate
The precision rate indicates the acceptable margin of error between the audit samples and the total quantity of the subject population.
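The compliance test named above (data-center access list against the HR roster) written as a small CAAT check, with the attribute-sampling rate of occurrence compared against a precision rate; this is an added example, not code from the original notes. The badge records, the HR roster and the 5% precision are constructed values.

```python
# Constructed inputs (not from the notes): badge records exported from the
# data-center access system and the HR roster of current employees.
DATACENTER_ACCESS = [
    {"badge": "B-101", "user": "alice"},
    {"badge": "B-102", "user": "bob"},
    {"badge": "B-103", "user": "carol"},
    {"badge": "B-104", "user": "dave"},   # left the company, badge never revoked
    {"badge": "B-105", "user": "erin"},
    {"badge": "B-106", "user": "frank"},  # not on the HR roster at all
]
HR_CURRENT_EMPLOYEES = {"alice", "bob", "carol", "erin", "grace"}


def access_exceptions(access_records, current_employees):
    """Compliance test: every holder of physical access must be a current
    employee. Returns the records that fail the test (the exceptions)."""
    return [rec for rec in access_records if rec["user"] not in current_employees]


def occurrence_rate(sample_size, exception_count):
    """Attribute sampling: the rate at which the attribute (an exception)
    occurs in the sample, e.g. 1 exception in 100 units is 0.01 (1%)."""
    if sample_size == 0:
        raise ValueError("empty sample")
    return exception_count / sample_size


def evaluate_sample(access_records, current_employees, precision):
    """Run the compliance test over the sample and compare the observed rate
    with the precision (acceptable margin of error) fixed during planning."""
    exceptions = access_exceptions(access_records, current_employees)
    rate = occurrence_rate(len(access_records), len(exceptions))
    return {
        "sample_size": len(access_records),
        "exceptions": [rec["badge"] for rec in exceptions],
        "occurrence_rate": rate,
        "within_precision": rate <= precision,
    }


if __name__ == "__main__":
    print(evaluate_sample(DATACENTER_ACCESS, HR_CURRENT_EMPLOYEES, precision=0.05))
```

An exception rate above the precision means the sample does not support a conclusion that the access control is operating, so the finding goes into the report rather than being absorbed as sampling noise.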

Substantive testing
Substantive testing seeks to verify the content and integrity of evidence. Substantive tests may include complex calculations to verify account balances, physical inventory counts, or executing sample transactions to verify the accuracy of supporting documentation. This test is based on one of the following types of audit samples:

Variable sampling
Used to designate the dollar value or weights (effectiveness) of an entire subject population by prorating from a smaller sample.

Unstratified mean estimation
Used in an attempt to project an estimated total for the whole subject population.

Stratified mean estimation
Used to calculate an average by group, similar to demographics, whereby the entire population is divided (stratified) into smaller groups based on similar characteristics.

Difference estimation
Used to determine the difference between audited and unaudited claims of value.
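The three variable-sampling projections above (unstratified mean, stratified mean and difference estimation) carried through on one constructed inventory sample, as an added example that is not part of the original notes. The sample values, the stratum sizes (20 high-value and 300 low-value items) and the recorded total of 37,500 are assumptions.

```python
from statistics import mean

# Constructed audit sample (not from the notes): inventory items drawn from two
# strata, each as (stratum, recorded_value, audited_value) in dollars.
SAMPLE = [
    ("high", 1000.0, 980.0),
    ("high", 1200.0, 1200.0),
    ("low", 50.0, 50.0),
    ("low", 40.0, 45.0),
    ("low", 60.0, 55.0),
]
STRATUM_SIZES = {"high": 20, "low": 300}   # items per stratum in the population
POPULATION_SIZE = sum(STRATUM_SIZES.values())
RECORDED_TOTAL = 37_500.0                   # book value of the whole population


def unstratified_mean_estimate(sample, population_size):
    """Project a total for the whole population from the mean audited value
    of the sample, ignoring how the population is grouped."""
    return mean(audited for _, _, audited in sample) * population_size


def stratified_mean_estimate(sample, stratum_sizes):
    """Project a total stratum by stratum: each group's mean audited value
    times the number of items in that group, then summed."""
    total = 0.0
    for stratum, size in stratum_sizes.items():
        values = [audited for s, _, audited in sample if s == stratum]
        if values:
            total += mean(values) * size
    return total


def difference_estimate(sample, population_size, recorded_total):
    """Project the audited total from the mean difference between audited and
    recorded values, applied on top of the recorded (unaudited) total."""
    mean_diff = mean(audited - recorded for _, recorded, audited in sample)
    return recorded_total + mean_diff * population_size


if __name__ == "__main__":
    print("unstratified:", unstratified_mean_estimate(SAMPLE, POPULATION_SIZE))
    print("stratified  :", stratified_mean_estimate(SAMPLE, STRATUM_SIZES))
    print("difference  :", difference_estimate(SAMPLE, POPULATION_SIZE, RECORDED_TOTAL))
```

The gap between the unstratified and stratified projections on this sample shows why stratification matters when a few high-value items sit beside many low-value ones: the unstratified mean spreads the high values across the whole population.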

Each finding of evidence can be classified into one of these common reporting statements, presented in order from most desirable to least desirable:
- Noteworthy achievement
- Conformity
- Opportunity for improvement
- Concern
- Nonconformity

Examples of illegal activities:
- Fraud
- Theft
- Suppression
- Racketeering
- Regulatory violations

Networking technology basics

IS Network infrastructure

Information systems lifecycle

ISO 9126: Software quality
It is a variation of ISO 9001. This standard also defines requirements for evaluating software products and measuring specific quality aspects. The six quality attributes are as follows:
- Functionality of the software processes
- Ease of use
- Reliability with consistent performance
- Efficiency of resources
- Portability between environments
- Maintainability with regard to making modifications