Domain 1: IS Audit Process

Policy
An executive mandate that identifies a topic containing particular risks to avoid or prevent. Policies are high-level documents signed by a person of significant authority with the power to force cooperation.

Guidelines
These are intended to provide advice on how organizational objectives might be obtained in the absence of a standard.

Procedures
These are cookbook recipes providing a workflow of the specific tasks necessary to achieve minimum compliance with a standard. Details are written in step-by-step format from the very beginning to the end.
ISACA Code of Professional Ethics (8 points)
- Auditors agree to support the implementation of appropriate policies, standards, guidelines, and procedures for information systems. They will also encourage compliance with this objective.
- Auditors agree to perform their duties with objectivity, professional care, and due diligence in accordance with professional standards, implementing the use of best practices.
- Auditors agree to serve the interests of stakeholders in an honest and lawful manner that reflects a credible image upon their profession. The public expects and trusts auditors to conduct their work in an ethical and honest manner.
- Auditors promise to maintain the privacy and confidentiality of information obtained during their audit, except for required disclosure to legal authorities. Information they obtain during the audit will not be used for personal benefit.
- Auditors agree to undertake only those activities in which they are professionally competent and will strive to improve their competency.
- Their effectiveness in auditing depends on how evidence is gathered, analyzed, and reported. Auditors promise to disclose accurate results of all work and significant facts to the appropriate parties.
- Auditors agree to support ongoing professional education to help stakeholders enhance their understanding of information systems security and control.
The failure of a CISA to comply with this code of professional ethics may result in an investigation with possible sanctions or disciplinary measures.

Three basic types of audit
- Internal audits and assessments
- External audits
- Independent audits (third party, outside of the customer-supplier influence)
In all cases, auditors are called to audit products, processes and systems.

Standards
Auditing standards
There are two basic categories of audit testing: audits either verify that an item necessary for compliance exists (compliance test) or check inside for the substance and integrity of a claim (substantive test).

Audit standards bodies:
- American Institute of Certified Public Accountants (AICPA) and International Federation of Accountants (IFAC)
- Financial Accounting Standards Board (FASB), with the Statement on Auditing Standards (SAS)
- International Financial Reporting Standards (IFRS), which replaced the Generally Accepted Accounting Principles (GAAP)
- COSO
- U.S. Public Company Accounting Oversight Board (PCAOB) of the Securities and Exchange Commission; it is the standards body for Sarbanes-Oxley
- OECD, providing guidelines for participating countries to promote standardization in multinational business for world trade
- ISO
- FISMA
- ISACA and the IT Governance Institute (ITGI)
- Basel Accord Standard
ISACA IS Audit Standards
They are organized using a format numbered from 1 to 16:
S1 Audit charter
S2 Independence
S3 Professional ethics and standards of conduct
S4 Professional competence
S5 Planning
S6 Performance of audit work
S7 Audit reporting
S8 Follow-up activities
S9 Irregularities and illegal acts
S10 IT governance
S11 Use of risk analysis in audit planning
S12 Audit materiality
S13 Using the work of other people
S14 Proper audit evidence
S15 Effective IT controls
S16 Electronic commerce controls
Retaining audit documentation
In most cases, the archive of the integrated audit may need to be kept for seven years. Each type of audit may have a longer or shorter retention period, depending on the regulations identified during audit planning.

The evidence rule
A good auditor will use sufficient evidence to formulate the auditor's opinion.
Chapter 2: Managing IT governance
Corporate governance is often defined by ISACA as the ethical behavior of corporate executives toward shareholders and stakeholders to maximize the return of a financial investment.

Three high-level management objectives to be verified by the auditor are as follows:
- A strategic alignment between IT and the enterprise objectives (formal strategy)
- A process of monitoring assurance practices for executive management
- An intervention as required to stop, modify, or fix failures as they occur (corrective action)
The IT steering committee (or IT strategy committee) is used to convey the current business requirements from business executives to IT executives. It should have a formal charter designating the participation of each member. This charter grants responsibility and authority in a concept similar to an audit charter. The representation necessary on the steering committee:
- Marketing
- Manufacturing / software development
- Sales
- Finance
- Legal
- Quality control
- Research and development
- Program and project management office
- Business continuity
- Information technology
- Human resources
- Labor management
- Administration
The balanced scorecard
The balanced scorecard is a strategic methodology designed for senior executives.

IT subset of the balanced scorecard
The IT balanced scorecard should be a subset of the organization's overall balanced scorecard. As a CISA, you need to understand how the balanced scorecard can be applied specifically to information technology. ISACA describes the scorecard by using three layers that incorporate the more common four perspectives (customer, business process, financial, and growth and learning). The three layers for IT scoring according to ISACA are as follows:
- Mission (opportunities for future needs)
- Strategy (common platitudes include the following: attain IT control objectives)
- Metrics (develop and implement meaningful IT metrics based on critical success factors and key performance indicators)
Decoding the IT strategy
The auditor should remain aware that a shadow organization
represents a genuine control failure. This lack of integration
represents an ongoing concern in the areas of cost control,
duplication of effort, or a political difference in both direction
and objectives.
PMO vs doing it all yourself
Here is a short list of the policies required to address issues faced by IT governance:
- Intellectual property: the IS auditor should understand how the organization is attempting to protect its intellectual property.
- Data integrity: the goal is to ensure that data is accurate and safely stored.
- Backup and restoration: what are the plans and procedures for data backup and restoration? The number one issue in IT is loss of data due to faulty backup.
- Security management: without security controls, ensuring data integrity is impossible. Internal controls prevent unauthorized modifications.
- Mandatory versus discretionary controls: the organization needs to clearly identify its management directives for implementation of controls.
  - Mandatory control: the strongest type of control. The implementation may be administrative or technical. It is designed to force compliance without exception.
  - Discretionary control: the weakest type of control is discretionary. In a discretionary control, the user or delegated person of authority determines what is acceptable.
- Monitoring: it should provide valuable metrics necessary to compare alignment to business objectives.
- Incident response: skilled individuals are required to respond to technical problems or the failure of internal controls.
Audit program objectives and scope
Every audit will contain a list of objectives. High-level objectives may come from executive mandate, regulations, or industry standards. The auditor should expect audit program objectives to vary according to department, task, the subject matter, or a particular step in their process workflow. Larger organizations have more audit objectives and smaller organizations usually have fewer, because management has better control with fewer communication problems in a smaller organization. The table below demonstrates a simplified view of some audit program objectives that a company would encounter.
The following audit planning issues should be considered regardless of the size of the organization:
- Number of geographic locations
- Diversity of products
- Activities outsourced to third parties (subcontract)
- Needs for certification, accreditation, or registration
- Concerns raised by interested parties
- Complexity of regulations or contracts to be audited
- Type, scope, and number of activities to be audited
- Participation required by external subcontractors
- Audit frequency
- Follow-up on recommendations in previous audits
- Cost, resource, and time requirements
- Discontinuation of low-profit activities, layoffs, failing products

Planning individual audits
- Audit scope
- Audit criteria
- Audit team
The audit charter outlines the responsibility, authority and accountability of the auditor.
- Responsibility: provides scope with goals and objectives
- Authority: grants the right to perform an audit and the right to obtain access relevant to the audit
- Accountability: defines mutually agreed-upon actions between the audit committee and the auditor, complete with reporting requirements
Role of the audit committee
Each organization should have an audit committee composed of business executives. Each audit committee member is required to be financially literate, with the ability to read and understand financial statements. The purpose of the audit committee is to provide advice to the executive accounting officer concerning internal control strategies, priorities, and assurances. The audit committee manages planned audit activities and the results of both internal and external audits. The committee is authorized to engage outside experts for independent assurance.
Understanding the variety of audit

Risk assessment:
- Inherent risks: these are natural or built-in risks that always exist.
- Detection risks: these are the risks that an auditor will not be able to detect what is being sought. It would be terrible to report no negative results when material conditions (faults) actually exist. Detection risks include sampling and nonsampling risks.
  - Sampling risks: these are the risks that an auditor will falsely accept or erroneously reject an audit sample (evidence).
  - Nonsampling risks: these are the risks that an auditor will fail to detect a condition because of not applying the appropriate procedure or using procedures inconsistent with the audit objective (detection fault).
- Control risks: these are the risks that an auditor loses control, that errors could be introduced, or that errors may not be corrected in a timely manner.
- Business risks: these are risks that are inherent in the business or industry itself (regulatory, contractual, financial).
- Technological risks: these are the inherent risks of using automated technology.
- Operational risks: these are the risks that a process or procedure will not perform correctly.
- Residual risks: these are the risks that remain after all mitigation efforts are performed.
- Audit risks: the combination of inherent, detection, control, and residual risks. These are the same risks facing normal business operations.
Risk assessment activities
Using data collection techniques:
- Staff observation
- Document review
- Interviews
- Workshops
- Computer-assisted audit tools (CAAT)
- Surveys

Understanding the hierarchy of internal controls

General controls
Parent class of controls governing all areas of the business (job descriptions, separation of duties).

Pervasive IS controls
The direction and behavior required for technology to function properly.

Detailed IS controls
Specific steps or tasks to be performed (how security parameters are set, how to lock a user account).

Application controls (embedded in programs)
Lowest subset in the control family. All activity should have filtered through the general controls, and then the pervasive controls and detailed controls, before it reaches the application-controls level.
Types of evidence:
- Direct evidence: this proves the existence of a fact without inference or presumption. Inference is when you draw a logical and reasonable proposition from another that is supposed to be true. Direct evidence includes the unaltered testimony of an eyewitness and written documents.
- Indirect evidence: uses a hypothesis without direct evidence to make a claim that consists of both inference and presumption. Indirect evidence is also known as circumstantial evidence.

Selecting audit sampling
Audit samples are selected for the purpose of collecting representative evidence to be subjected to either compliance testing or substantive testing. Two basic types of audit samples can be designed by the auditor: statistical and nonstatistical.
- Random sampling: samples are selected at random.
- Cell sampling: random selection is performed at predefined intervals.
- Fixed interval sampling: the sample existing at every nth interval increment is selected for testing.

Using Computer-Assisted Audit Tools
These tools are capable of executing a variety of automated compliance tests and substantive tests that would be nearly impossible to perform manually. They include multifunction audit utilities, which can analyze logs, perform vulnerability tests, or verify implementation of compliance in a system configuration compared to intended controls. CAAT includes the following types of software tools and techniques:
- Host evaluation tools to read the system configuration settings and evaluate the host for known vulnerabilities
- Network traffic and protocol analysis using a sniffer
- Mapping and tracing tools that use a tracer-bullet approach to follow processes through a software application using test data
- Testing the configuration of specific application software, such as a SQL database
- Software license counting across the network
- Testing for password compliance on user login accounts

Using CAAT for continuous online audit
Six types of continuous online auditing techniques:
- Online event monitors: automated tools designed to read and correlate system logs or transaction logs on behalf of the auditor.
- Embedded program audit hooks: a software developer can write embedded application hooks into their program to generate a red-flag alert to an auditor, hopefully before the problem gets out of hand.
- Continuous and intermittent simulation (CIS) audit: in continuous and intermittent simulation, the application software always tests for transactions that meet certain criteria. When the criteria are met, the software runs an audit of the transaction (intermittent test). Then the computer waits until the next transaction meeting the criteria occurs.
- Snapshot audit: this technique uses a series of sequential data captures that are referred to as snapshots. The snapshots are taken in the logical sequence that a transaction will follow. The snapshots produce an audit trail, which is reviewed by the auditor.
- Embedded Audit Module (EAM): this integrated audit testing module allows the auditor to create a set of dummy transactions that will be processed along with live, genuine transactions.
- System Control Audit Review File with Embedded Audit Modules (SCARF/EAM): the theory is straightforward. A system-level audit program is installed on the system to selectively monitor the embedded audit modules inside the application software.
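The embedded audit hook, CIS selection criteria, EAM dummy transactions and SCARF collection file described above, shown together in one small posting loop. This is an added example written for these notes, not code from ISACA or from any product; the transaction fields, the two selection criteria (amount at or above a threshold, entered and approved by the same user) and the 10,000 threshold are assumptions made for the illustration.

```python
"""Added example (not from the study notes): a minimal embedded audit module
(EAM) with continuous and intermittent simulation (CIS) selection criteria,
writing the selected records to a SCARF-style collection file. The transaction
fields, the criteria and the 10,000 threshold are assumptions for this example."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Transaction:
    tx_id: int
    user: str                 # who entered the transaction
    approver: str             # who approved it
    amount: float
    test_data: bool = False   # True for the auditor's EAM dummy transactions


@dataclass
class Scarf:
    """System Control Audit Review File: the records selected by the embedded
    audit modules, kept apart from the production ledger for the auditor."""
    records: list = field(default_factory=list)

    def log(self, tx, reason):
        self.records.append({"tx_id": tx.tx_id, "amount": tx.amount, "reason": reason})


def audit_criteria(tx, threshold):
    """CIS selection: the hook runs on every transaction (continuous), but only
    transactions matching a criterion are audited (intermittent)."""
    reasons = []
    if tx.amount >= threshold:
        reasons.append("amount at or above threshold")
    if tx.user == tx.approver:
        reasons.append("entered and approved by the same user")
    return reasons


def process(transactions, scarf, threshold=10_000.0):
    """The application's normal posting loop with the audit hook embedded in it.
    Dummy EAM transactions exercise the hook but are never posted to the ledger."""
    ledger = []
    for tx in transactions:
        for reason in audit_criteria(tx, threshold):   # embedded audit hook
            scarf.log(tx, reason)
        if not tx.test_data:
            ledger.append(tx)
    return ledger


# Constructed sample input: three live transactions and one EAM dummy.
SAMPLE = [
    Transaction(1, "alice", "bob", 250.0),
    Transaction(2, "carol", "carol", 900.0),                         # self-approved
    Transaction(3, "dave", "erin", 15_000.0),                        # large amount
    Transaction(4, "auditor", "auditor", 50_000.0, test_data=True),  # dummy, hits both criteria
]


def run_demo():
    """Post the constructed sample; return (posted ledger, SCARF records)."""
    scarf = Scarf()
    ledger = process(SAMPLE, scarf)
    return ledger, scarf.records


if __name__ == "__main__":
    ledger, records = run_demo()
    print("posted:", [tx.tx_id for tx in ledger])
    for record in records:
        print("SCARF:", record)
```

Running it posts transactions 1 to 3 and leaves four SCARF records (transaction 2 for self-approval, transaction 3 for its amount, and the dummy transaction 4 twice), which is exactly what the auditor reviews: the dummy proves the hook fires, and the live hits are the exceptions to follow up.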
Grading of evidence
Four criteria: material relevance; evidence objectivity; competency of the evidence provider; evidence independence. Timing of evidence is also important.
Following the evidence lifecycle
Conducting audit evidence testing
The basic test methods used will be either compliance testing or substantive testing.

Compliance testing
Testing for the presence or absence of something. It includes verifying that policies and procedures have been put in place, and checking that user access rights, program change control procedures, and system audit logs have been activated. (Example: compare the list of persons with physical access to the data center against the HR list of current employees.) Compliance testing is based on one of the following types of audit samples:

Attribute sampling
Determines whether an attribute is present or absent in the subject sample. The result is specified by the rate of occurrence; for example, the presence of 1 in 100 units would be 1%.

Stop-and-go sampling
Used when few errors are expected. Stop-and-go allows the test to occur without excessive effort in sampling and provides the opportunity to stop testing at the earliest possible opportunity.

Discovery sampling
This 100 percent sample is used to detect fraud or when the likelihood of evidence existing is low. Forensics is an excellent example of discovery sampling.

Precision, or expected error rate
The precision rate indicates the acceptable margin of error between audit samples and the total quantity of the subject population.
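The sample-selection methods from the "Selecting audit sampling" section (random, cell, fixed interval) and the compliance test with attribute sampling described just above, worked through on one constructed population. This is an added example written for these notes, not code from ISACA or any audit tool; the 40-account population, the 90-day password-age rule and the 5% tolerable deviation rate are assumptions chosen for the illustration, and the `stale_access` function is the notes' own data-center-access example.

```python
"""Added example (not from the study notes): selecting a sample with the three
methods the notes describe (random, cell, fixed interval) and running a
compliance test on it with attribute sampling. The account population, the
90-day password-age rule and the 5% tolerable rate are constructed assumptions."""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    user: str
    days_since_password_change: int


# Constructed population of 40 accounts; every seventh one is out of policy.
POPULATION = [
    Account(f"user{i:02d}", 120 if i % 7 == 0 else 30) for i in range(1, 41)
]


def random_sample(population, size, seed=0):
    """Random sampling: every item has the same chance of selection. A fixed
    seed keeps the selection reproducible for the audit working papers."""
    return random.Random(seed).sample(population, size)


def fixed_interval_sample(population, interval, start=0):
    """Fixed interval sampling: the item at every nth position, from an offset."""
    return population[start::interval]


def cell_sample(population, interval, seed=0):
    """Cell sampling: divide the population into cells of `interval` items and
    pick one item at random inside each cell."""
    rng = random.Random(seed)
    cells = [population[i:i + interval] for i in range(0, len(population), interval)]
    return [rng.choice(cell) for cell in cells]


def attribute_rate(sample, has_attribute):
    """Attribute sampling: rate of occurrence of the attribute in the sample
    (1 in 100 units -> 0.01)."""
    return sum(1 for item in sample if has_attribute(item)) / len(sample)


def compliance_test(sample, max_password_age=90, tolerable_rate=0.05):
    """Compliance test: is the password-rotation control present on the sampled
    accounts? Reports the observed deviation rate against the tolerable rate."""
    rate = attribute_rate(sample, lambda a: a.days_since_password_change > max_password_age)
    return {"deviation_rate": rate, "passes": rate <= tolerable_rate}


def stale_access(data_center_access, current_employees):
    """The notes' own compliance-test example: names on the data-center
    physical-access list that are not on HR's list of current employees."""
    return sorted(set(data_center_access) - set(current_employees))


if __name__ == "__main__":
    sample = fixed_interval_sample(POPULATION, 5)
    print(len(sample), "accounts sampled ->", compliance_test(sample))
    print("stale access:", stale_access(["ann", "bob", "cy"], ["ann", "cy"]))
```

With a fixed interval of 5 the sample holds 8 accounts, one of which is out of policy, so the observed deviation rate is 12.5% and the control fails the 5% tolerable rate; that result, not the raw count, is what goes into the finding. The seed arguments exist so the selection can be reproduced when the working papers are reviewed.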
Substantive testing
Substantive testing seeks to verify the content and integrity of evidence. Substantive tests may include complex calculations to verify account balances, performing physical inventory counts, or executing sample transactions to verify the accuracy of supporting documentation. This test is based on one of the following types of audit samples:

Variable sampling
Used to designate the dollar value or weight (effectiveness) of an entire subject population by prorating from a smaller sample.

Unstratified mean estimation
Used in an attempt to project an estimated total for the whole subject population.

Stratified mean estimation
Used to calculate an average by group, similar to demographics, whereby the entire population is divided (stratified) into smaller groups based on similar characteristics.

Difference estimation
Used to determine the difference between audited and unaudited claims of value.
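The three estimators above, applied to a constructed inventory population so the difference between them is visible. This is an added example written for these notes, not a formula from ISACA or from any audit tool; the ten items, their book values, the "high"/"low" strata and the five audited counts are constructed values, and the sample is deliberately skewed toward the high-value stratum.

```python
"""Added example (not from the study notes): the substantive-testing estimators
the notes list, applied to a constructed inventory population. Book values are
what the system reports; audited values are what the auditor counted for the
sampled items. All numbers here are constructed for the illustration."""

# Constructed population: item -> (stratum, book value reported by the system)
POPULATION = {
    "A1": ("high", 1000.0), "A2": ("high", 1200.0), "A3": ("high", 800.0), "A4": ("high", 1000.0),
    "B1": ("low", 100.0), "B2": ("low", 120.0), "B3": ("low", 80.0),
    "B4": ("low", 100.0), "B5": ("low", 90.0), "B6": ("low", 110.0),
}

# Constructed sample: audited (physically counted) values for the tested items.
# Three of four high-value items were sampled but only two of six low-value ones.
AUDITED = {"A1": 950.0, "A2": 1200.0, "A3": 800.0, "B1": 100.0, "B6": 110.0}


def book_value_total(population):
    """Unaudited claim of value: the sum of what the system reports."""
    return sum(value for _, value in population.values())


def unstratified_mean_estimate(audited, population_size):
    """Unstratified mean estimation: sample mean projected over the whole
    population, ignoring how the sample was spread across groups."""
    mean = sum(audited.values()) / len(audited)
    return mean * population_size


def stratified_mean_estimate(audited, population):
    """Stratified mean estimation: a mean per stratum, each projected over the
    size of its own stratum, then summed."""
    total = 0.0
    for stratum in {s for s, _ in population.values()}:
        members = [k for k, (s, _) in population.items() if s == stratum]
        sampled = [audited[k] for k in members if k in audited]
        total += (sum(sampled) / len(sampled)) * len(members)
    return total


def difference_estimate(audited, population):
    """Difference estimation: the average (audited - book) difference in the
    sample, projected over the population and added to the book total."""
    diffs = [audited[k] - population[k][1] for k in audited]
    projected_difference = (sum(diffs) / len(diffs)) * len(population)
    return book_value_total(population) + projected_difference


if __name__ == "__main__":
    print("book total:        ", book_value_total(POPULATION))
    print("unstratified mean: ", unstratified_mean_estimate(AUDITED, len(POPULATION)))
    print("stratified mean:   ", stratified_mean_estimate(AUDITED, POPULATION))
    print("difference est.:   ", difference_estimate(AUDITED, POPULATION))
```

Because the sample over-represents the high-value stratum, the unstratified estimate (6320) overstates the population badly against a book total of 4600, while the stratified estimate (about 4563) and the difference estimate (4500, reflecting the one 50-unit shortfall found on A1) stay close to it. This is the practical reason the notes list stratification separately: the estimator has to match how the sample was drawn.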
Each finding of evidence can be classified into one of these common reporting statements, presented in order from most desirable to least desirable:
- Noteworthy achievement
- Conformity
- Opportunity for improvement
- Concern
- Nonconformity

Examples of illegal activities:
- Fraud
- Theft
- Suppression
- Racketeering
- Regulatory violations
Networking technology Basic
IS Network infrastructure
Information systems lifecycle
ISO 9126: Software quality
It is a variation of ISO 9001. This standard also defines requirements for evaluating software products and measuring specific quality aspects. The six quality attributes are as follows:
- Functionality of the software processes
- Ease of use
- Reliability with consistent performance
- Efficiency of resources
- Portability between environments
- Maintainability with regard to making modifications