-
2/8/2010
1
Certified Information Systems Auditor Course 2010
By Marjan Hussein
MBA, BCOMM, CPA(K), CISA, CIA, CCSA
INFORMATION SYSTEMS AUDIT PROCESS
Domain 1
Domain 1: IS Audit Process (approximately 10% of exam, 20 questions)
Provide IS audit services in accordance with IS audit standards,
guidelines, and best practices to assist the organization in
ensuring that its information technology and business systems are
protected and controlled.
TASKS
Develop and implement a risk-based IS audit strategy for the
organization in compliance with IS audit standards, guidelines and
best practices.
Plan specific audits to ensure that IT and business systems are
protected and controlled.
Conduct audits in accordance with IS audit standards, guidelines
and best practices to meet planned audit objectives.
Communicate emerging issues, potential risks, and audit results
to key stakeholders.
Advise on the implementation of risk management and control
practices within the organization while maintaining
independence.
Knowledge Statements
Knowledge of ISACA IS Auditing Standards, Guidelines and
Procedures, and Code of Professional Ethics
Knowledge of IS auditing practices and techniques
Knowledge of techniques to gather information and preserve evidence (e.g., observation, inquiry, interview, CAATs, electronic media)
Knowledge of the evidence life cycle (e.g., the collection,
protection, chain of custody)
Knowledge of control objectives and controls related to IS (e.g.
COBIT)
Knowledge Statements Cont
Knowledge of risk assessment in an audit context
Knowledge of audit planning and management techniques
Knowledge of reporting and communication techniques (e.g., facilitation, negotiation, conflict resolution)
Knowledge of control self-assessment (CSA)
Knowledge of continuous audit techniques
Information Systems Audit Process
Management of the IS Audit Function
Organization of the IS Audit Function
- IS audit services can be provided internally or externally
- A charter defines the IS audit function: the scope, authority and responsibility of the IS audit function
- The charter should be approved by the highest level of management and the Audit Committee
IS Audit Resource Management
- Maintain competency through updates of existing skills and training on new audit techniques and technological areas
- Detailed staff training plans should be prepared for the year and reviewed semi-annually
IS Audit Planning
- Long- and short-term plans are prepared
- Analysis of both plans should be done at least annually
- Each individual audit assignment must be adequately planned
Information Systems Audit Process
Individual audit assignments
Understanding the environment under review during planning is important. To perform the audit planning the auditor should:
- Gain an understanding of the business mission, purpose, objectives, processes and technology, including information and processing requirements such as availability, integrity, confidentiality and business technology
- Identify content such as policies, standards and required guidelines, procedures and organizational structure
- Perform risk analysis to help in designing the audit plan
- Conduct a review of internal controls related to IT
- Set audit scope and objectives
- Develop the audit approach or audit strategy
- Assign resources
- Address engagement logistics
Information Systems Audit Process
Individual audit assignments
How to gain an understanding of the business:
- Touring key organizational facilities
- Reading background materials
- Reviewing long-term strategic plans (business and IT)
- Interviewing key managers to understand business issues
- Reviewing prior reports
- Identifying special regulations applicable to IT
- Identifying IT functions or related activities that have been outsourced
Information Systems Audit Process
Effects of laws and regulations on IS Audit Planning
Identify those government or other external requirements dealing with:
- Electronic data, personal data, copyrights, e-commerce, e-signatures, etc.
- Computer system practices and controls
- The manner in which computer programs and stored data are used
- The way data is processed and transmitted
- The organization or activities of information technology services
- IS audits
Information Systems Audit Process
Effects of laws and regulations on IS Audit Planning (cont..)
- Document pertinent laws and regulations
- Assess whether management of the organization and the Information Systems function have considered relevant external requirements in making plans, policies, standards and procedures
- Review internal IS department documents that address adherence to applicable laws in the industry
- Determine adherence to established procedures
- Establish whether there are procedures in place to ensure that contracts or agreements with external IT service providers reflect any legal requirements related to responsibilities
ISACA Code of Professional Ethics
The Information Systems Audit and Control Association, Inc.
(ISACA) sets forth this Code of Professional Ethics to guide the
professional and personal conduct of members of the association
and/or its certification holders.
Members and ISACA certification holders shall:
1. Support the implementation of, and encourage compliance with,
appropriate standards, procedures and controls for information
systems.
ISACA Code of Professional Ethics (cont..)
2. Perform their duties with objectivity, due diligence and
professional care, in accordance with professional standards and
best practices.
3. Serve in the interest of stakeholders in a lawful and honest
manner, while maintaining high standards of conduct and character,
and not engage in acts discreditable to the profession.
4. Maintain the privacy and confidentiality of information
obtained in the course of their duties unless disclosure is
required by legal authority. Such information shall not be used for
personal benefit or released to inappropriate parties.
ISACA Code of Professional Ethics (cont..)
5. Maintain competency in their respective fields and agree to
undertake only those activities, which they can reasonably expect
to complete with professional competence.
6. Inform appropriate parties of the results of work performed;
revealing all significant facts known to them.
7. Support the professional education of stakeholders in
enhancing their understanding of information systems security and
control.
ISACA IS Standards
The specialized nature of IS auditing and the skills and
knowledge necessary to perform such audits require globally
applicable standards that pertain specifically to IS auditing.
The objectives of the ISACA standards are to inform:
- The IS auditor of the minimum level of acceptable performance required to meet the professional responsibilities set out in the Code of Professional Ethics
- Management and other interested parties of the professional expectations concerning the work of audit practitioners
- Holders of the CISA designation of the requirements; failure to comply with these standards may result in investigation by the ISACA board for disciplinary action
Standards define mandatory requirements for IS auditing and reporting.
ISACA IS Standards (cont..)
S1 Audit Charter
S2 Independence
S3 Professional Ethics and Standards
S4 Professional Competence
S5 Planning
S6 Performance of Audit Work
S7 Reporting
S8 Follow-up Activities
S9 Irregularities and Illegal Acts
S10 IT Governance
S11 Use of Risk Assessment in Audit Planning
S12 Audit Materiality
S13 Using the Work of Other Experts
S14 Audit Evidence
S15 IT Controls
S16 E-commerce
ISACA IS Auditing Guidelines
The objective of the guidelines is to provide further information on how to comply with the ISACA IS Auditing Standards.
The IS auditor should:
- Consider them in determining how to implement the standards
- Use professional judgment in applying them
- Be able to justify any departure
For an index of the IS Auditing Guidelines refer to the CISA 2010 manual (pg 37 - 40).
ISACA IS Auditing Procedures
Provide examples of possible processes an IS auditor might follow in an audit engagement
In determining appropriateness of any specific procedure, IS
auditor should apply their own professional judgment to the
specific circumstances
The procedure documents provide information on how to meet the
standards when performing IS auditing work, but do not set
requirements
It is not mandatory for the IS auditor to follow these
procedures; however, following them will provide assurance that the
standards are being followed by the auditor.
Relationship Between Standards, Guidelines & Procedures
IS Auditing Standards are to be followed by all IS auditors
Guidelines provide assistance on how the IS auditor can
implement standards in various audit assignments
Procedures provide examples of steps the auditor may follow in
specific audit assignments so as to implement the standards.
IS auditor should always use professional judgment in using
guidelines and procedures
Information Technology Assurance Framework (ITAF)
It is a comprehensive and good-practice-setting model that:
- Provides guidance on the design, conduct and reporting of IT audit and assurance assignments
- Defines terms and concepts specific to IT audit and assurance
- Establishes standards that address IT audit and assurance professional roles and responsibilities, knowledge and skills, and diligence, conduct and reporting requirements
ITAF includes 3 categories of standards: General (code of ethics), Performance (audit planning, supervision, scoping, etc.) and Reporting.
(Assigned Readings: CISA 2010 manual pages 34 - 45)
RISK ANALYSIS
Risk
- The potential that a given threat will exploit vulnerabilities of an asset or group of assets to cause loss or damage to the asset. The impact or relative severity of the risk is proportional to the business value of the loss/damage and to the estimated frequency of the threat.
- The uncertainty that surrounds future events and outcomes
- The expression of the likelihood and impact of an event with the potential to influence the achievement of an organization's objectives
- Anything that could prevent achievement of the organization's objectives
- Anything that could impact on the interests of stakeholders
Risk Analysis (cont..)
Elements of Risk
- Threats to, and vulnerabilities of, processes and/or assets (both physical and information assets)
- Impact on assets based on threats and vulnerabilities
- Probabilities of threats (likelihood and frequency of occurrence)
Total Risk = Threats x Vulnerability x Asset Value
Examples of threats are errors, malicious damage/attack, fraud, theft, equipment failure and software failure.
Examples of vulnerabilities are lack of user knowledge, poor choice of passwords, use of untested technology and transmission over unprotected communications.
Risk Analysis (cont..)
Business risks are the likelihood of those threats that may negatively impact the assets, processes or objectives of a specific business.
The nature of risks may be financial, regulatory or operational,
and may arise as a result of interaction of business with its
environment, as a result of strategies, systems and particular
technology, processes, procedures and information used by
business.
The IS auditor is often focused towards high-risk issues
associated with confidentiality, availability or integrity of
sensitive and critical information, and the underlying information
systems and processes that generate, store and manipulate such
information
Risk Analysis (cont)
The risk assessment process is characterized as an iterative life cycle:
1. Identification of business objectives
2. Perform a risk assessment to identify threats and determine the probability of occurrence, the resulting impact, and the additional safeguards that would mitigate this impact to an acceptable level
3. Identify controls for mitigating the identified risks (preventive, detective and corrective)
4. Assess countermeasures through cost-benefit analysis based on:
   - Cost compared to the benefit of minimizing the risk
   - Management risk appetite
   - Preferred risk reduction method [terminate, minimize occurrence probability, minimize impact, or transfer risk]
5. Monitor performance levels of the risks being managed
Perform periodic risk re-evaluation.
Summary of Risk Assessment Process (BO/RA/RM/RT)
- Identify Business Objectives (BO)
- Identify Information Assets Supporting the BOs
- Perform Risk Assessment (RA) [Threat, Vulnerability, Probability, Impact]
- Perform Risk Mitigation (RM) [Map risks with controls in place]
- Perform Risk Treatment (RT) [Treat significant risks not mitigated by existing controls]
Risk Analysis (cont..)
Purpose of Risk Analysis
- Assists the IS Auditor in identifying risks and threats to an IT environment and systems, and in selecting certain areas to examine
- Helps the IS Auditor in his/her evaluation of controls in audit planning
- Helps in determining the audit objectives
- Helps in supporting risk-based audit decision making
INTERNAL CONTROLS
Policies, procedures, practices and organizational structures designed to provide reasonable assurance that an organization's objectives will be achieved, and that undesired risks are prevented, or detected and corrected.
INTERNAL CONTROL OBJECTIVES
Statements of desired results or purpose to be achieved by
implemented control procedures. Control is the means by which
control objectives are addressed.
Control Objectives include:
Safeguarding of information technology assets
Compliance to corporate policies or legal requirements
Authorization/input
Internal Control (cont..)
Accuracy and completeness of processing of transaction
Output
Reliability of process
Backup/recovery
Efficiency and economy of operations
Classifications of Controls
- Preventative Controls
- Detective Controls
- Corrective Controls
Internal Control (cont..)
IS Control Objectives
Internal control objectives apply to all areas, whether manual or automated.
IS control objectives include:
- Safeguarding assets: information on automated systems is secured from improper access and kept up to date
- Assuring the integrity of general operating system environments, including network management and operations
- Assuring the integrity of sensitive and critical application system environments, including accounting/financial and management information, through:
  - Authorization of inputs
  - Accuracy and completeness of processing of transactions
IS Control Objectives (cont..)
  - Reliability of overall information processing activities
  - Accuracy, completeness and security of output
  - Database integrity
- Ensuring the efficiency and effectiveness of operations
- Complying with the users' requirements and with organizational policies and procedures as well as applicable laws and regulations
IS Control Objectives (cont..)
- Developing business continuity and disaster recovery plans
- Developing an incident response plan
- Change management
COBIT
COBIT is a framework with a set of 34 IT processes grouped into 4 domains: planning and organizing, acquiring and implementing, delivering and supporting, and monitoring and evaluating.
By addressing these 34 IT processes, an organization can ensure that adequate governance and control arrangements are provided for its IT environment.
COBIT can be used as a supplementary study material in
understanding control objectives and principles.
COBIT cont..
Supporting these IT processes are more than 200 detailed control
objectives necessary for effective implementation
COBIT uses, as its primary references, current major framework standards and regulations relating to IT.
COBIT is directed to Management and staff of Information
services, control departments, audit functions and most
importantly, the business process owners using IT processes to
assure confidentiality, integrity and availability of sensitive and
critical information
General Controls
Controls include policies, procedures and practices established
by management to provide reasonable assurance that specific
objectives will be achieved.
They apply to all areas of the organization. General controls include:
- Internal accounting controls - safeguarding of assets and reliability of financial records
- Operational controls - day-to-day activities
- Administrative controls - operational efficiency in a functional area and adherence to management policies. They support operational controls concerned with operating efficiency and policy adherence.
IS Controls
Each general control procedure can be translated into an IS-specific control procedure.
IS control procedures include:
- Strategy and direction
- General organization and management
- Access to data and programs
- Systems development methodologies and change control
- Data processing operations
- Systems programming and technical support functions
- Data processing quality assurance procedures
- Physical access controls
- Business continuity and disaster recovery planning
- Network and communications
- Database administration
Performing IS Audit
Auditing
A systematic process by which a competent, independent person objectively obtains and evaluates evidence regarding assertions about an economic entity or event, for the purpose of forming an opinion about, and reporting on, the degree to which the assertion conforms to an identified set of standards.
IS Audit
Defined as any audit that encompasses review and evaluation
(wholly or partially) of automated information processing systems,
related non-automated processes and the interfaces between them
Classification of Audits
- Financial audits - data (integrity and reliability)
- Operational audits - controls
- Integrated audits - data and controls
- Administrative audits - operational efficiency
- Information systems audits - IS
- Specialized audits - reviewing services performed by third-party providers
- Forensic audits - discovering, preserving, disclosing and following up on frauds and crimes
Financial audits:
- Assess the correctness of financial statements
- Often involve detailed substantive testing
- Relate to information reliability and integrity
Operational audits
- Designed to evaluate internal controls, e.g. an IS audit of application controls or of logical security
Integrated audits
- Include both financial and operational audits
- Performed to assess overall objectives related to financial information, safeguarding of assets and efficiency
- Include both compliance and substantive tests
Administrative Audits
Audits oriented to assess issues related to efficiency and
effectiveness of operational productivity within an
organization.
Information systems audits
- Collect and evaluate evidence to determine whether an information system and its related resources safeguard assets, maintain data and system integrity, provide relevant and reliable information, and achieve organizational goals effectively and efficiently
- Internal controls provide reasonable assurance that operational and control objectives will be met
Specialized audits
These are specialized reviews that examine areas such as service
performed by third parties and forensic auditing
Statement on Auditing Standards (SAS) 70, titled "Reports on Processing of Transactions by Service Organizations", is a widely known standard developed by the AICPA.
SAS 70 defines the professional standards used by a service auditor to assess the internal controls of a service organization.
Forensic audits
These are audits specialized in discovering, disclosing and
following up on frauds and crimes
The purpose of these reviews is to develop and protect evidence
for review by law enforcement and judicial authorities
Computer forensic investigation includes the analysis of electronic devices such as computers, phones, PDAs, disks, switches, routers, hubs and other electronic equipment.
Admissibility of evidence in court is very important and
therefore computer evidence must be properly handled.
Forensic audit tools such as data mapping for security and
privacy, risk assessment and search for intellectual property for
data protection are being used for prevention, compliance and
assurance.
Audit Programs
The audit work program is the audit strategy and plan. It identifies the scope, audit objectives, and audit procedures to obtain sufficient, relevant and reliable evidence to draw and support audit conclusions and opinions.
IS auditors often evaluate IT functions and systems from different perspectives such as:
- Security (confidentiality, integrity and availability)
- Quality (effectiveness and efficiency)
- Fiduciary (compliance, reliability)
- Service capacity
General Audit procedures
Steps in performing an audit include:
- Obtaining and recording an understanding of the audit area
- Detailed audit planning
- Preliminary review of the audit area
- Verifying and evaluating the appropriateness of controls designed to meet control objectives
- Testing (compliance and substantive)
- Reporting
- Follow-up
General Audit procedures (cont..)
The IS auditor must understand the procedures for testing and evaluating IS controls. These include:
- The use of generalized audit software to survey the contents of data files
- The use of specialized software to assess the contents of operating system, database and application parameter files (or to detect deficiencies in system parameter settings)
- Flow-charting techniques for documenting automated applications and business processes
- The use of audit logs/reports available in operating/application systems
- Documentation review
- Observation
Audit objectives
- They refer to the specific goals of the audit
- Determination of the audit objectives is a critical step in planning an IS audit
- They center around substantiating that internal controls exist to minimize business risk
- The basic purpose of any IS audit is to identify control objectives and the related controls that address the objective
- Management may issue a general objective; a key element in planning is translating it into specific IS audit objectives
Audit process steps
- Plan: assess risks, develop the audit program (objectives, procedures)
- Obtain evidence
- Evaluate evidence: strengths and weaknesses of controls
- Prepare and present the report
- Follow-up: corrective actions taken by management
Audit methodology
A set of documented audit procedures designed to achieve planned audit objectives.
Components include:
- Scope
- Audit objectives
- Work programs
Audit program
- A step-by-step set of audit procedures and instructions that should be performed to complete an audit
- A guide for documenting the various audit steps performed
- Guides on the types and extent of evidential matter to be reviewed
- Provides a trail of the process used
- Provides accountability for performance
Audit phases
- Audit subject - identify the area to be audited
- Audit objective - identify the purpose of the audit
- Audit scope
- Pre-audit planning
- Audit procedures and steps for data gathering
- Procedures for evaluating the test or review results (organization specific)
- Procedures for communication with management (organization specific)
- Audit report preparation
Audit phases (cont..)
Practice Question
1-1 Which of the following BEST describes the early stages of an IS audit?
A. Observing key organizational facilities
B. Assessing the IS environment
C. Understanding the business process and environment applicable to the review
D. Reviewing prior IS audit reports
Fraud Detection
Management is primarily responsible for establishing,
implementing and maintaining a framework and design of IT controls
to meet the internal control objectives.
A well designed ICS provides good opportunity for deterring
fraud at the first instance and a system that enables timely
detection of frauds
IS auditor should observe and exercise due professional care in
all aspects of their work and be alert to the possible
opportunities that allow a fraud to materialize
Fraud Detection (cont)
IS auditor should be aware and diligent as regards the
possibility and means of perpetrating frauds especially by
exploiting the vulnerabilities and overriding controls in
IT-enabled environment
IS auditor should have knowledge of fraud and fraud indicators,
and during performance of audit work, be alert to the possibility
of frauds and errors
When IS auditor comes across any instances of fraud or
indicators of fraud, he/she may, after careful evaluation,
communicate the need for a detailed investigation to appropriate
authorities
Where the auditor identifies a major fraud, or where the risk associated with the detection is high, audit management should also consider communicating to the audit committee in a timely manner.
Risk-Based Auditing
Business risks include concerns about probable effects of an
uncertain event on achieving established organization
objectives.
By understanding the nature of the business, IS auditors can
identify and categorize the types of risks that will better
determine the risk approach in conducting the audit.
Risk based approach is used to assist an IS auditor in making
the decision to perform either compliance or substantive
testing.
Helps the auditor in determining the nature and extent of
testing.
In addition to risk the auditors are also influenced by the
Internal Controls as well as the knowledge of the business.
Risk-Based Audit Approach
Practice Question
1-2 In performing a risk-based audit, which risk assessment is completed initially by the IS auditor?
A. Detection risk assessment
B. Control risk assessment
C. Inherent risk assessment
D. Fraud risk assessment
Practice Question
1-3 While developing a risk-based audit program, on which of the following would the IS auditor MOST likely focus?
A. Business processes
B. Critical IT applications
C. Operational controls
D. Business strategies
Audit risk and Materiality
Audit risk:
- Risk that information may contain a material error that may go undetected during the course of the audit
- Risk within the audit process itself
- The risk of giving an incorrect audit opinion
- Sometimes used to describe the level of risk that the IS Auditor is prepared to accept
Audit risk - cont
Can be categorized as:
- Inherent risk
- Control risk
- Detection risk
- Overall audit risk
Inherent risk
- Risk that an error exists which could be material, assuming there are no related compensating controls
- Can be categorized as the susceptibility to a material misstatement in the absence of related controls, e.g. complex calculations are more likely to be misstated than simple ones; cash is more likely to be stolen than inventory
- Exists independent of an audit
- Can occur because of the nature of a business
Control risk
- Risk that a material error exists which will not be prevented or detected on a timely basis by the system of internal controls
Detection risk
- The risk that the ISA used an inadequate test procedure and concludes that material errors do not exist when, in fact, they do
- Can be used to assess and evaluate an ISA's ability to test, identify and correct material errors
- Can be minimized by: proper statistical sampling procedures; a strong quality control process
Overall audit risk
- Combination of the individual categories of audit risk assessed for each specific control objective
- The objective of the audit approach is to limit overall audit risk
Materiality and audit risk
- Materiality is an expression of the relative significance or importance of a particular matter in the context of the organization as a whole
- The word "material" is associated with any of the components of risk; it refers to an error that should be considered significant by any party concerned
- While a given system may not detect a minor error, a combination of these may end up being material
- Requires sound judgment from the auditor
- Essential when planning the areas to be audited and the specific tests to be performed
- Materiality is considered in terms of the total potential impact to the organization
Practice Question
1-4 Which of the following types of audit risk assumes an absence of compensating controls in the area being reviewed?
A. Control risk
B. Detection risk
C. Inherent risk
D. Sampling risk
Practice Question
1-5 An IS auditor performing a review of an application's controls finds a weakness in system software that could materially impact the application. The IS auditor should:
A. disregard these control weaknesses, as a system software
review is beyond the scope of this review.
B. conduct a detailed system software review and report the
control weaknesses.
C. include in the report a statement that the audit was limited to a review of the application's controls.
D. review the system software controls as relevant and recommend
a detailed system software review.
Audit risk assessment
- Used to identify and evaluate risks and their potential effect
- Used to determine the high-risk areas that should be audited
- Planning guideline: a risk assessment should be made to provide reasonable assurance that material items will be adequately covered during the audit work
- This assessment should identify areas with a relatively high risk of the existence of material problems
Audit risk assessment - cont
Risk assessment and other audit techniques should be considered in deciding:
- The nature, extent and timing of audit procedures
- The areas or business functions to be audited
- The amount of time and resources to be allocated to an audit
Audit risk assessment - cont
Using risk assessment to determine the areas to be audited:
- Enables management to effectively allocate limited resources
- Ensures audit activities are directed to high-risk areas
- Establishes a basis for effectively managing the audit department
- Provides a summary of how the individual audit subject is related to the overall
Risk Assessment
- Assess the client's strategic business risk
- Assess the risk of material misstatement due to error, fraud or other irregularities
- Factors affecting inherent risk
- Factors affecting control risk
Audit risk = Inherent risk x Control risk x Detection risk
             (Auditee risk)                 (Auditor risk)
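The audit risk model above is usually applied in planning by fixing the overall audit risk the auditor is willing to accept and solving for the detection risk that the substantive testing must achieve. The following Python is an added worked example, not part of the course slides or of any ISACA material: the `audit_risk`, `planned_detection_risk`, `extent_of_testing` and `plan_testing` functions, the (0, 1] probability scale and the testing-extent thresholds are all assumptions made for this illustration, as are the numeric inputs.

```python
from __future__ import annotations

# Added example (not from the course slides): the audit risk model
# AR = IR x CR x DR, where inherent risk (IR) and control risk (CR) are the
# auditee's risks as assessed by the IS auditor, and detection risk (DR) is
# the auditor's own risk, controlled through the nature and extent of
# testing.  All risks are treated as probabilities in (0, 1]; the numeric
# inputs at the bottom are constructed for illustration.


def _check_probability(name: str, value: float) -> None:
    """Reject risk values that are not probabilities in (0, 1]."""
    if not 0.0 < value <= 1.0:
        raise ValueError(f"{name} must be in (0, 1], got {value}")


def audit_risk(inherent_risk: float, control_risk: float, detection_risk: float) -> float:
    """Overall audit risk for one control objective: IR x CR x DR."""
    for name, value in (("inherent_risk", inherent_risk),
                        ("control_risk", control_risk),
                        ("detection_risk", detection_risk)):
        _check_probability(name, value)
    return inherent_risk * control_risk * detection_risk


def planned_detection_risk(acceptable_audit_risk: float,
                           inherent_risk: float,
                           control_risk: float) -> float:
    """Solve AR = IR x CR x DR for the detection risk the auditor may accept.

    A risky area (high IR) or weak controls (high CR) leave little room for
    detection risk, so more substantive testing is needed.  When IR x CR is
    already below the acceptable audit risk, DR is capped at 1.0: the
    target is met without relying on substantive testing.
    """
    for name, value in (("acceptable_audit_risk", acceptable_audit_risk),
                        ("inherent_risk", inherent_risk),
                        ("control_risk", control_risk)):
        _check_probability(name, value)
    return min(1.0, acceptable_audit_risk / (inherent_risk * control_risk))


def extent_of_testing(detection_risk: float) -> str:
    """Map planned detection risk to the extent of substantive testing.

    The thresholds (10% and 50%) are an assumption made for this example,
    not figures from the slides.
    """
    _check_probability("detection_risk", detection_risk)
    if detection_risk <= 0.10:
        return "extensive"
    if detection_risk <= 0.50:
        return "moderate"
    return "limited"


def plan_testing(acceptable_audit_risk: float,
                 inherent_risk: float,
                 control_risk: float) -> dict[str, float | str]:
    """Planning summary: the DR to aim for, the testing it implies, and the
    overall audit risk that results when that DR is achieved."""
    dr = planned_detection_risk(acceptable_audit_risk, inherent_risk, control_risk)
    return {
        "detection_risk": round(dr, 4),
        "extent_of_testing": extent_of_testing(dr),
        "resulting_audit_risk": round(audit_risk(inherent_risk, control_risk, dr), 4),
    }


if __name__ == "__main__":
    # Constructed scenario: the auditor accepts 5% overall audit risk for a
    # payroll application assessed at IR = 0.8 and CR = 0.5.
    print(plan_testing(0.05, 0.8, 0.5))
    # Same target, but a low-risk area with strong controls: DR is capped.
    print(plan_testing(0.05, 0.2, 0.2))
```

Note the direction of the relationship: the auditor cannot change IR or CR, so lowering the accepted audit risk or assessing controls as weaker both translate directly into a smaller permissible detection risk and therefore more substantive testing.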
Risk assessment methods
- Different methods are employed to perform risk assessments, e.g. a scoring system or a judgmental method
- A combination of methods may be used
- Methods may develop and change over time to best serve the needs of the organization
- All rely on subjective judgment at some point in the process
- Evaluate the appropriateness of any chosen risk methodology
Scoring method
- Considers variables such as technical complexity, controls in place and financial loss
- Variables may or may not be weighted
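The scoring method described above is what an audit function typically uses to rank its audit universe and decide which areas the year's audit days go to. The following Python is an added worked example, not part of the course slides: the `AuditArea` class, the 1..5 rating scale, the `risk_score`, `rank_audit_universe` and `select_for_audit` functions, and the sample audit universe are all constructed for this illustration.

```python
from __future__ import annotations

from dataclasses import dataclass

# Added example (not from the course slides): a scoring-method risk
# assessment used to rank an audit universe.  The variables are the ones
# the slide names (technical complexity, controls in place, financial loss),
# each rated on a 1..5 scale; weights are optional.  The audit areas and
# their ratings below are constructed for illustration.

RATING_MIN, RATING_MAX = 1, 5
VARIABLES = ("technical_complexity", "control_weakness", "financial_loss")


@dataclass(frozen=True)
class AuditArea:
    name: str
    technical_complexity: int  # 1 = simple ... 5 = highly complex
    control_weakness: int      # 1 = strong controls in place ... 5 = weak or no controls
    financial_loss: int        # 1 = negligible ... 5 = severe potential loss

    def __post_init__(self) -> None:
        # Reject ratings outside the scale so a typo cannot skew the ranking.
        for variable in VARIABLES:
            value = getattr(self, variable)
            if not RATING_MIN <= value <= RATING_MAX:
                raise ValueError(
                    f"{self.name}: {variable}={value} is outside {RATING_MIN}..{RATING_MAX}")


def risk_score(area: AuditArea, weights: dict[str, float] | None = None) -> float:
    """Weighted sum of the area's ratings; every variable weighs 1.0 when no
    weights are given (the unweighted variant the slide mentions)."""
    w = weights or {v: 1.0 for v in VARIABLES}
    unknown = set(w) - set(VARIABLES)
    if unknown:
        raise ValueError(f"unknown scoring variables: {sorted(unknown)}")
    return sum(w[v] * getattr(area, v) for v in w)


def rank_audit_universe(areas: list[AuditArea],
                        weights: dict[str, float] | None = None) -> list[tuple[str, float]]:
    """Highest-risk areas first; ties are broken by name so the plan is stable."""
    scored = [(a.name, risk_score(a, weights)) for a in areas]
    return sorted(scored, key=lambda item: (-item[1], item[0]))


def select_for_audit(ranked: list[tuple[str, float]],
                     audit_days_available: int,
                     days_per_audit: int) -> list[str]:
    """Take the top-ranked areas that fit into the available audit days."""
    if days_per_audit <= 0:
        raise ValueError("days_per_audit must be positive")
    capacity = audit_days_available // days_per_audit
    return [name for name, _ in ranked[:capacity]]


# Constructed audit universe (ratings are illustrative, not real data).
AUDIT_UNIVERSE = [
    AuditArea("Core banking application", 5, 2, 5),
    AuditArea("Payroll system", 2, 4, 3),
    AuditArea("Intranet wiki", 1, 3, 1),
    AuditArea("Network perimeter", 4, 3, 4),
]

if __name__ == "__main__":
    # Weighted variant: management rates financial loss twice as important.
    weights = {"technical_complexity": 1.0, "control_weakness": 1.0, "financial_loss": 2.0}
    ranked = rank_audit_universe(AUDIT_UNIVERSE, weights)
    for name, score in ranked:
        print(f"{score:5.1f}  {name}")
    # 60 audit days this year, about 20 days per audit: top three areas.
    print("Audit this year:", select_for_audit(ranked, 60, 20))
```

The weights are where the "subjective judgment at some point in the process" enters: changing them re-orders the universe, which is why the chosen methodology and its weights should be documented and reviewed rather than left implicit.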
Judgmental method
- Decision based on executive management directives, historical perspectives, business goals and environmental factors
Audit evidence
- The information the ISA gathers in the course of performing an IS audit to meet the audit objectives
- Must directly relate to the objectives of the review
- Gathering of evidential matter is key to the audit process
- Mandatory under the Standard for Evidence
- Evidence should be appropriately organized and documented to support findings and conclusions
IS Audit Standard 14 - Audit Evidence
States that: "The ISA should obtain sufficient and appropriate audit evidence to draw reasonable conclusions on which to base the audit results. The audit findings and conclusions are to be supported by appropriate analysis and interpretation of this evidence."
Audit evidence - cont
- Sufficient: it is complete, adequate, convincing and would lead another ISA to form the same conclusions
- Reliable: if, in the auditor's opinion, it is valid, factual, objective and supportable
- Relevant: if it pertains to the audit objectives and has a logical relationship to the findings and conclusions it is used to support
Audit evidence - types
- Observed processes and existence of physical items
- Documentary evidence recorded on paper or other media
- Representations
- Analysis
Audit evidence - cont
Observed processes and existence of physical items, e.g.:
- Inventory of media at an offsite storage location
- Computer room security in operation
- Cash count
Audit evidence - cont
Documentary evidence recorded on paper or other media can include:
- Results of data extractions
- Records of transactions
- Program listings
- Invoices
- Activity and control logs
- System development documentation
Audit evidence - cont
Representations include: written and oral statements, written procedures and policies, system flowcharts
Audit evidence - cont
Analysis includes:
- Comparisons
- Simulations
- Calculations
- Reasoning (synthesis)
Examples:
- Benchmarking of IS performance against other organizations or past performance
- Comparison of error rates between applications, transactions and users
Audit evidence and planning
When planning IS audit work, the ISA should take into account:
- The audit evidence to be gathered
- Its use in meeting the objectives
- Its reliability (source and method)
Reliability - determinants
- Independence of the provider of the evidence
- Qualifications of the individual providing the information or evidence
- Objectivity of the evidence
- Timing of the evidence
Reliability - cont
- Independence of the provider of evidence
  - Example: corroborative evidence from an independent third party can be more reliable than evidence from the organization being audited (e.g. circularization of debtors, bank confirmation)

Reliability - cont
- Objectivity of evidence: objective evidence is much better than evidence requiring considerable judgment and interpretation
- Examples:
  - Physical evidence is more reliable than the representations of an individual; the ISA's cash count is direct, objective evidence.
  - However, an ISA's analysis of the efficiency of an application, based upon discussion with certain personnel, may not be objective audit evidence.

Quality and quantity of evidence
- Quality (competence): when it is both valid and relevant
- Quantity: refers to the sufficiency of audit evidence

Techniques for gathering evidence
- Reviewing Information Systems organizational structures
- Reviewing IS policies and procedures
- Interviewing appropriate personnel
- Observing processes and employee performance
Reviewing IS organizational structures
- Separation/segregation of duties is a key general control
- Review structures to determine the level of controls they provide
- The ISA's knowledge of general organizational controls is very important
- Be aware of differences, particularly in organizations with cooperative distributed processing or end-user computing

Reviewing IS Policies & Procedures
- Review whether appropriate policies and procedures are in place and whether personnel understand the implemented policies and procedures
- Verify that management assumes responsibility for formulating, developing, documenting, promulgating and controlling policies covering general aims and directives
- Look for a minimum level of documentation
- Review documentation and determine if it follows the organization's documentation standards
- Recognize differences in documentation: e.g. for Computer Aided Software Engineering (CASE), prototyping, database specifications, file layouts and self-documented program listings, documents will not be required or will be in automated form rather than on paper

Reviewing Information Systems Standards
- The IS auditor should understand the existing standards in place within the organization

Reviewing IS documentation standards
- Understand the existing documentation in place
- Minimum documentation may include:
  - Systems development initiation documents (e.g. feasibility study)
  - Functional requirements and design specifications
  - Test plans and reports
  - Program and operations documents
  - Program change logs and histories
  - User manuals
  - Operations manuals
  - Security related documents (e.g. security plans, risk assessments)
  - QA reports
Interviewing appropriate personnel
- Organize the interview in advance
- Follow a fixed outline
- Document the interview with interview notes
- An interview checklist or form is a good approach
- Never be accusatory; rather, interviews should be discovery

Observing processes and employee performance
- A key audit technique for many types of reviews
- The IS auditor should be unobtrusive while making observations
- Document everything in sufficient detail to be able to present it as audit evidence at a later date

Interviewing & observing personnel in the performance of their duties
- Actual functions: allows the auditor an opportunity to witness how policies and procedures are internalized
- Actual processes/procedures: allow the ISA to gain evidence of compliance and observe deviations, if any
- Security awareness: assists in verifying an individual's understanding and practice of preventive and detective security measures to safeguard the company's assets
- Reporting relationships: to ensure assigned responsibilities and adequate segregation of duties are being practiced

Compliance testing
- Tests of controls designed to obtain audit evidence on both the effectiveness of the controls and their operation during the audit period
- Evidence gathering to determine the organization's compliance with control procedures
- Used where there is a trail of documentary evidence, e.g. written authorization to implement a modified program
- Broad objective: to provide reasonable assurance that a particular control on which the ISA plans to rely is operating as perceived/intended
- Attribute sampling: compliance test used to check the presence or absence of an attribute
Substantive testing
- Tests of detailed activities and transactions, or analytical review tests, designed to obtain audit evidence on the completeness, accuracy or existence of those activities or transactions during the audit period
- Evidence gathering that evaluates the integrity of individual transactions, data and other information
- Provides evidence of the validity and propriety of the balances in the financial statements and the transactions that support these balances
- Minimized if compliance testing reveals the presence of adequate controls
- Conversely, if compliance testing reveals weaknesses in controls that raise doubts about the completeness, accuracy or validity of accounts, substantive testing can alleviate those doubts (variable sampling used)

Relationship between compliance and substantive testing
- Review the system to identify controls
- Test compliance to get reasonable assurance that the controls are functioning
- Evaluate controls to determine reliance and the nature and extent of substantive tests
- Use substantive tests to validate data:
  - Tests of balances and transactions
  - Analytical review procedures

Relationship between compliance and substantive testing (cont..)

Sampling
- Population: consists of the entire group of items that need to be examined
- Sample: a subset of population members
- Used to infer characteristics about a population, based on the results of examining the characteristics of a sample of the population
- The sample must represent as closely as possible the characteristics of the whole population
Why sampling
- Ideal to examine the entire population
- Considerations: time, cost

General sampling approaches
- Statistical sampling: uses an objective method
- Non-statistical (or judgmental) sampling: uses subjective judgment

Statistical sampling
- Uses an objective method to determine:
  - Sample size
  - Selection criteria
  - Sample precision
  - Reliability or confidence level
- NB: to be a statistical sample, each item in the population should have an equal opportunity of being selected
- Can infer population characteristics from the sample
- Preferred method

Non-statistical or judgmental sampling
- Uses subjective judgment to determine:
  - Method of sampling
  - Sample size
  - Sample selection (which items to select)
- May not infer population characteristics from the sample
- Not the preferred method
Sampling risk
- Both statistical and judgmental sampling require ISA judgment
- Risk that the auditor will draw the wrong conclusion from the sample
- Statistical sampling allows the ISA to quantify the probability of error (confidence coefficient)

Methods of sampling
- Attribute sampling
- Variable sampling

Attribute sampling
- Selecting items with certain attributes or characteristics (all items over a certain size)
- Also known as proportional sampling
- Deals with the presence or absence of an attribute or characteristic
- Generally used in compliance testing
- Conclusions expressed in rates of incidence

Attribute sampling: types
- Attribute sampling (or fixed sample size attribute sampling, or frequency estimation): used to estimate the rate of occurrence of a specific quality in a population (how many?)
- Stop-or-go sampling: audit tests are stopped at the earliest possible moment (relatively few errors)
- Discovery sampling: when the expected occurrence is extremely low. Used to seek out fraud, circumvention of regulations and other irregularities
Variable sampling
- Used to estimate the average or total value of a population based on a sample
- Also known as dollar estimation, mean estimation sampling or quantitative sampling
- Used to estimate the dollar value or some other unit of measure such as weight, height etc.
- Generally applied in substantive testing
- Provides conclusions related to deviations from the norm
- Example: review of balances for material transactions

Variable sampling: Types
- Stratified mean per unit: the population is divided into groups and samples are drawn from them; produces a smaller sample size
- Un-stratified mean per unit: the sample mean is calculated and projected as an estimated total
- Difference estimation: used to estimate the total difference between audited values and book values (un-audited values) based on a sample

Statistical sampling terms
- Confidence coefficient (also referred to as confidence level or reliability factor)
- Level of risk: one minus the confidence coefficient
- Precision: acceptable range of difference between the sample and the actual population (set by the auditor)
- Expected error rate (EER)
- Sample size
- Sample mean: average size of the sample
- Sample standard deviation
- Tolerable error rate: maximum number of errors that can exist without an account being materially misstated
- Population standard deviation

Confidence coefficient
- Also referred to as confidence level or reliability factor
- The probability that the characteristics of the sample are a true representation of the population
- 95% is considered a high degree of comfort
- If internal controls are strong, the confidence level may be lowered
- The greater the confidence coefficient, the larger the sample
Level of risk
- One minus the confidence coefficient
- E.g. if the confidence coefficient is 95%, the level of risk is 5%

Precision
- Set by the ISA
- Represents the acceptable range between sample and population
- For attribute sampling, stated as a percentage
- For variable sampling, stated as a monetary amount or number
- The higher the precision amount, the smaller the sample size and the higher the risk of error
- The lower the precision amount, the greater the sample size

Expected error rate
- An estimate of the errors that may exist
- Expressed as a percentage
- The greater the expected error rate, the greater the sample size
- Applied to attribute sampling

Others
- Sample mean: average size of the sample
- Sample standard deviation: measures the spread or dispersion of sample values
- Tolerable error rate: maximum misstatement or number of errors that can exist without an account being materially misstated
- Population standard deviation: the greater the standard deviation, the larger the sample size; applied to variable sampling
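The relationships between confidence coefficient, precision, expected error rate, population standard deviation and sample size, worked through numerically. This is an added example, not part of the course slides; the normal-approximation sample-size formulas and the z-score table are an assumption (a common textbook choice, not the firm-specific sampling tables an engagement would use), and the book and audited values are constructed.

```python
"""Worked statistical-sampling calculations.  Added example, not from the
slides: the normal-approximation formulas are a common textbook choice and
are an assumption here; real engagements use the firm's sampling tables."""
import math
import random

# z-scores for the confidence coefficients usually seen in audit sampling
Z_SCORES = {0.90: 1.645, 0.95: 1.960, 0.99: 2.576}


def level_of_risk(confidence_coefficient):
    """Level of risk is one minus the confidence coefficient (95% -> 5%)."""
    return round(1.0 - confidence_coefficient, 4)


def attribute_sample_size(confidence, precision, expected_error_rate):
    """Attribute sampling (compliance testing).  precision and
    expected_error_rate are fractions (0.02 == 2%).
    n = z^2 * p * (1 - p) / precision^2   (normal approximation, assumed)"""
    z = Z_SCORES[confidence]
    p = expected_error_rate
    return math.ceil(z * z * p * (1.0 - p) / (precision * precision))


def variable_sample_size(confidence, precision_amount, population_std_dev):
    """Variable sampling (substantive testing): precision is a monetary
    amount.  n = (z * sigma / precision)^2   (normal approximation, assumed)"""
    z = Z_SCORES[confidence]
    return math.ceil((z * population_std_dev / precision_amount) ** 2)


def draw_statistical_sample(population_ids, n, seed=0):
    """Every item must have an equal chance of selection: random draw."""
    return random.Random(seed).sample(list(population_ids), n)


def attribute_sample_conclusion(confidence, sample_size, deviations,
                                tolerable_error_rate):
    """Compliance-test conclusion: observed rate of incidence plus an
    allowance for sampling risk, compared with the tolerable error rate."""
    z = Z_SCORES[confidence]
    rate = deviations / sample_size
    upper = rate + z * math.sqrt(rate * (1.0 - rate) / sample_size)
    return {"rate": round(rate, 4), "upper_limit": round(upper, 4),
            "rely_on_control": upper <= tolerable_error_rate}


def difference_estimation(book_values, audited_sample, population_size):
    """Project the total difference between audited and book values.
    book_values: {item_id: book_value} for the whole population;
    audited_sample: {item_id: audited_value} for the sampled items."""
    diffs = [audited_sample[i] - book_values[i] for i in audited_sample]
    mean_diff = sum(diffs) / len(diffs)
    return round(mean_diff * population_size, 2)


if __name__ == "__main__":
    # Relationships stated on the slides, shown numerically
    print("95%, precision 5%, EER 2%:", attribute_sample_size(0.95, 0.05, 0.02))
    print("99% confidence -> larger:", attribute_sample_size(0.99, 0.05, 0.02))
    print("precision 2% -> larger:", attribute_sample_size(0.95, 0.02, 0.02))
    print("EER 5% -> larger:", attribute_sample_size(0.95, 0.05, 0.05))
    print("sigma 5000 vs 10000:", variable_sample_size(0.95, 1000.0, 5000.0),
          variable_sample_size(0.95, 1000.0, 10000.0))
    print("random sample of 10 from 500:", draw_statistical_sample(range(1, 501), 10))
    print(attribute_sample_conclusion(0.95, 100, 2, 0.06))
    # Constructed book values and audited values for a 4-item population
    book = {1: 100.0, 2: 200.0, 3: 300.0, 4: 400.0}
    print("projected difference:", difference_estimation(book, {1: 90.0, 3: 290.0}, 4))
```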
Using the Services of other Auditors and Experts
- Circumstances that may lead to using the services of other auditors:
  - Scarcity of IS auditors and the need for IT security specialists
  - Highly specialized areas
- Outsourcing of IS assurance and security services is increasingly becoming a common practice
- Possible areas of outsourcing include networking, ATM, wireless, system integration etc.
- Considerations before using the services of other auditors and experts:
  - Any restriction by law and regulations
  - Audit charter or contractual stipulations
  - Impact on overall and specific IS audit objectives
  - Impact on IS audit risk and professional liability
  - Independence and objectivity of other auditors/experts
  - Professional competence, qualifications and experience
  - Scope of the work to be outsourced and the approach
  - Supervisory and audit management control
  - Methods and modalities of communication of audit results etc.

Using the Services of other Auditors and Experts (cont..)
- Other special considerations would include:
  - Testimonials/references and background checks
  - Access to systems, premises and records
  - Confidentiality restrictions to protect customer related information
  - Use of CAATs and other tools
  - Standards and methodologies for performance of work and documentation
  - Nondisclosure agreements
- IS auditor responsibilities:
  - Clearly communicating the audit objectives, scope and methodology through a formal engagement letter
  - Putting in place a monitoring process for regular review of the third party's work
  - Assessing the usefulness and appropriateness of reports and the impacts of their significant findings on the overall audit objectives

Computer Aided Audit Techniques (CAATs)
- Any computer based tool for automating audit procedures
- Provides a means to:
  - gain access to and analyze data for a predetermined period
  - report on audit findings with emphasis on the reliability of records produced and maintained in the system

CAATs Examples
- These include:
  - Generalized audit software, e.g. ACL, IDEA
  - Utility software, e.g. DBMS report writers
  - SQL commands
  - Third party access control software
  - Application system options and reports built into the system
  - Spreadsheets??
Need for CAATs
- Evidence exists in electronic form
- Differences in HW and SW environments, data structures, record formats, processing functions, etc
- What else???

Functional capabilities of CAATs
- File access: reading different file structures and record formats
- File reorganization: indexing, sorting, merging, linking
- Data selection: filtration conditions, selection criteria
- Statistical functions: sampling, stratifications, frequency analysis
- Arithmetic functions: arithmetic operators and functions

Generalized audit software
- Provides an independent means to gain access to data for analysis
- Effective and efficient use requires an understanding of its capabilities and limitations
- Reads and accesses data from various DB platforms, flat file formats, ASCII formats
- Features include:
  - Mathematical computations
  - Stratifications
  - Statistical analysis
  - Sequence checks
  - Duplicate checks
  - Re-computations
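The functional capabilities and generalized audit software features listed above (file access, sequence check, duplicate check, re-computation, stratification, statistical analysis), shown as plain Python over a constructed invoice extract. This is an added example, not course material and not ACL or IDEA code; the extract, the planted defects and the amount bands are constructed.

```python
"""Added example (not from the slides, not ACL/IDEA code): the core checks a
generalized audit software package performs, written in plain Python over a
constructed purchase-invoice extract so the logic is visible."""
import csv
import io
from collections import defaultdict
from decimal import Decimal

# Constructed sample extract (not real data).  Defects are planted on purpose:
# 1002 repeats 1001, 1004 and 1007 are missing, 1006 appears twice, and the
# Globex 1006 total does not equal qty * unit_price.
INVOICE_EXTRACT = """invoice_no,vendor,date,qty,unit_price,total
1001,ACME,2010-01-04,10,12.50,125.00
1002,ACME,2010-01-04,10,12.50,125.00
1003,Globex,2010-01-05,3,400.00,1200.00
1005,Initech,2010-01-06,1,75.00,75.00
1006,Globex,2010-01-06,2,400.00,850.00
1006,Hooli,2010-01-07,5,20.00,100.00
1008,Initech,2010-01-08,20,310.00,6200.00
"""


def load_records(csv_text):
    """File access: read a flat ASCII extract into typed records."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        rows.append({
            "invoice_no": int(row["invoice_no"]),
            "vendor": row["vendor"],
            "date": row["date"],
            "qty": int(row["qty"]),
            "unit_price": Decimal(row["unit_price"]),
            "total": Decimal(row["total"]),
        })
    return rows


def sequence_check(records):
    """Sequence check: gaps and repeats in the invoice number series."""
    numbers = sorted(r["invoice_no"] for r in records)
    present = set(numbers)
    gaps = [n for n in range(numbers[0], numbers[-1] + 1) if n not in present]
    seen, repeats = set(), []
    for n in numbers:
        if n in seen and n not in repeats:
            repeats.append(n)
        seen.add(n)
    return {"gaps": gaps, "repeats": repeats}


def duplicate_check(records, keys=("vendor", "date", "total")):
    """Duplicate check: groups of invoices sharing the chosen key fields."""
    groups = defaultdict(list)
    for r in records:
        groups[tuple(r[k] for k in keys)].append(r["invoice_no"])
    return [sorted(g) for g in groups.values() if len(g) > 1]


def recompute_totals(records):
    """Re-computation: arithmetic check that total == qty * unit_price."""
    mismatches = []
    for r in records:
        expected = r["qty"] * r["unit_price"]
        if expected != r["total"]:
            mismatches.append((r["invoice_no"], expected, r["total"]))
    return mismatches


def stratify(records, upper_bounds=(Decimal("100"), Decimal("1000"))):
    """Stratification: count and value of invoices per amount band."""
    bands = [f"< {upper_bounds[0]}"]
    bands += [f"{lo} to < {hi}" for lo, hi in zip(upper_bounds, upper_bounds[1:])]
    bands.append(f">= {upper_bounds[-1]}")
    result = {b: {"count": 0, "value": Decimal("0")} for b in bands}
    for r in records:
        idx = sum(1 for ub in upper_bounds if r["total"] >= ub)
        result[bands[idx]]["count"] += 1
        result[bands[idx]]["value"] += r["total"]
    return result


def summary_statistics(records):
    """Statistical analysis: population size, total, mean and maximum."""
    totals = [r["total"] for r in records]
    return {"count": len(totals), "sum": sum(totals),
            "mean": (sum(totals) / len(totals)).quantize(Decimal("0.01")),
            "max": max(totals)}


if __name__ == "__main__":
    recs = load_records(INVOICE_EXTRACT)
    print("sequence:", sequence_check(recs))
    print("duplicates:", duplicate_check(recs))
    print("recomputation mismatches:", recompute_totals(recs))
    print("strata:", stratify(recs))
    print("statistics:", summary_statistics(recs))
```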
CAATs advantages
- Reduced level of audit risk
- Enhanced independence from the auditee
- Broader and more consistent audit coverage
- Faster availability of information
- Improved exception identification
- Greater flexibility of run times
- Greater opportunity to quantify IC weaknesses
- Enhanced sampling
- Cost savings over time
CAATs: Things to consider
- Cost benefit analysis
- Ease of use
- Training requirements
- Complexity of coding and maintenance
- Flexibility of uses
- Installation requirements
- Processing efficiencies
- Effort required to obtain source data into the CAAT

CAATs areas of concern
- Integrity, reliability and security of the CAAT
- Integrity of the IS and security environment
- Confidentiality and security of data

CAATs things to do
- Request read only access to production data
- Keep data confidential

CAATs development documentation
- Commented program listings
- Flowcharts
- Sample reports
- Record and file layouts
- Field definitions
- Operating instructions
Practice Question
1-6 The PRIMARY use of generalized audit software (GAS) is to:
A. test controls embedded in programs.
B. test unauthorized access to data.
C. extract data of relevance to the audit.
D. reduce the need for transaction vouching.

Evaluating evidence
- Involves judgments based on experience
- Use the evidence gathered to assess compliance with control objectives
- Assess strengths and weaknesses in controls to determine if these are effective in meeting the control objectives established in planning
- A control matrix may be used to illustrate areas where controls may be weak or lacking
- Always check for compensating controls before reporting a control weakness
- A control objective may be met by a number of controls

Judging materiality of findings
- Key: judging what is significant to different levels of management
- Requires judgment of the potential effect of a finding if corrective action is not taken
- The ISA decides what to discuss with the auditee and what to report

Communicating Audit Results
- ISAs are ultimately responsible to Senior Mgt and to the Audit Committee of the Board of Directors
- Before communicating the results of an audit to Senior Mgt, the ISA should discuss the findings with the Mgt staff responsible for the area audited
- Presentation techniques could include an executive summary and visual presentation
Audit Report Structure and Contents
- Introduction, including a statement of audit objectives and scope and a general statement on the nature and extent of audit procedures used during the audit
- The ISA's overall conclusion and opinion on the adequacy of controls and procedures examined during the audit
- The ISA's reservations or qualifications with respect to the audit
- Detailed audit findings and recommendations
- Limitations to the audit
- Statement of IS guidelines followed

Management Actions to Implement Recommendations
- The ISA will not be effective if audits are performed and reports issued, but no follow-up is done to determine if management has taken appropriate corrective actions
- The ISA should have a follow-up program to determine if agreed corrective actions have been implemented
- The timing of the follow-up will depend on the criticality of the findings and would be subject to the ISA's judgment
- The results of the follow-up should be communicated to appropriate levels of management

Audit Documentation
- Documentation should include, at a minimum, a record of:
  - The planning and preparation of audit scope and objectives
  - The information system environment
  - The audit program
  - The audit steps performed and audit evidence gathered
  - Audit findings, conclusions and recommendations
  - Any report issued as a result of the audit work
  - Supervisory review

Control Self-Assessment (CSA)
- A management technique that assures stakeholders, customers and other parties that the internal control system of the business is reliable
- It ensures that employees are aware of the risks to the business and that they conduct periodic reviews of controls
- A methodology used to review key business objectives, the risks involved in achieving the business objectives and the internal controls designed to manage these business risks, in a formal, documented and collaborative process
- In CSA, mgt and working teams are directly involved in judging and monitoring the effectiveness of existing controls
Control Self-Assessment (CSA)
- A CSA program can be implemented in various ways, ranging from the use of questionnaires to facilitated workshops
- The primary objective is to leverage the Internal Audit function by shifting some of the control monitoring responsibilities to the functional areas
- A critical success factor (CSF) in CSA is to conduct a meeting with the business unit's representatives, including appropriate and relevant staff and management, to identify the business unit's primary objectives, which is to determine the purpose of the business unit and its supporting objectives
- COBIT management guidelines provide generic sets of CSFs, KPIs and KGIs for each process, used in designing and monitoring a CSA program

Control Self-Assessment (CSA)
- Benefits of CSA:
  - Early detection of risks
  - More effective and improved internal controls
  - Creation of cohesive teams through employee involvement
  - Increased employee awareness of organizational objectives and knowledge of risk and internal controls
  - Increased communication between operational and top management
  - Highly motivated employees
  - Improved audit rating processes
  - Reduction in control cost
  - Assurance provided to stakeholders and customers
  - Necessary assurance given to top management about the adequacy of internal controls, as required by the various regulatory agencies and laws, e.g. the Sarbanes-Oxley Act

Control Self-Assessment (CSA)
- Disadvantages of CSA:
  - It could be mistaken as a replacement for the audit function
  - It is regarded as an additional workload (e.g. one more report to be submitted to management)
  - Failure to act on improvement suggestions could damage employee morale
  - Lack of motivation may limit effectiveness in the detection of weak controls
Auditor's Role in CSA
- Auditors become internal control professionals and assessment facilitators
- The auditor's role is enhanced when the Audit Dept embarks on a CSA program
- The auditor's value becomes more evident when mgt takes responsibility and ownership for the internal control systems under their authority, through process improvements in their control structures and active monitoring

Technology Drivers for CSA Program
- Combination of hardware and software to support CSA selection
- Use of electronic meeting systems and computer-supported decision aids to facilitate group decision making
- In the case of the questionnaire approach, the same principle applies to the analysis and readjustment of the questionnaire

Traditional VS CSA Approach
- In the traditional approach, the primary responsibility for analyzing and reporting on internal control and risk was assigned to auditors and, to a lesser extent, controller departments and outside consultants
- This approach created and reinforced the notion that auditors and consultants, not management and work teams, are responsible for assessing and reporting on IC
- The CSA approach emphasizes management and accountability over developing and monitoring the IC of an organization's sensitive and critical business processes

EMERGING CHANGES IN THE IS AUDIT PROCESS
- Areas that address changes in the IS audit process in order to keep pace with innovations and technology include: automated work papers, integrated auditing, and continuous auditing
Automated Work Papers
- Specialized applications are used in automating audit working papers (e.g. risk analysis, audit programs, results, test evidence, conclusions, reports and other complementary information)
- Although auditors often use office automation packages such as word processors or spreadsheets, standard audit work paper packages are being implemented in audit departments and are proving useful and appropriate to help facilitate audit work
- When automating work papers, rules regarding the integrity, confidentiality and availability of audit records should be applied that are equivalent to those required for hard copy

Automated Work Papers
- Minimum controls include, but are not limited to:
  - Access to work papers
  - Audit trails
  - Automated features to provide and record approval
  - Security and integrity controls regarding the OS, DB and communication channels
  - Backup and restore procedures
  - Encryption techniques to provide confidentiality

Integrated Auditing
- A process whereby audit disciplines are combined to assess key internal controls over an operation, process or entity
- The integrated approach focuses on risk. Risk assessment aims to understand and identify risks arising from the entity and its environment
- IT audit helps understand and identify risks in information management, IT infrastructure, IT governance and IT operations
- Other audits seek to understand the organizational environment, business risks and business controls
- IT systems provide a first line of preventive and detective controls, and an integrated audit depends on a sound assessment of their efficiency and effectiveness

Practice Question
1-7 Which of the following is MOST effective for implementing a control self-assessment (CSA) within business units?
A. Informal peer reviews
B. Facilitated workshops
C. Process flow narratives
D. Data flow diagrams
Integrated Auditing cont
- The integrated audit process involves:
  - Identification of relevant key controls
  - Reviewing and obtaining an understanding of the design of key controls
  - Testing that key controls are supported by the IT system
  - Testing that management controls operate effectively
  - A combined report or opinion on control risks, design and weaknesses

Continuous Auditing
- A methodology that enables independent auditors to provide assurance on a subject matter using a series of auditor's reports issued simultaneously with, or a short period of time after, the occurrence of the events underlying the subject matter
- Has an edge over periodic auditing because it captures internal control problems as they occur, thus preventing negative effects
- Implementation can reduce audit inefficiencies, such as delays, planning time, inefficiency of the audit process itself, overheads due to work segmentation etc.

Continuous Auditing cont
- Drivers of continuous auditing include: better monitoring of financial issues within a company, ensuring that real-time transactions also benefit from real-time monitoring, prevention of financial and audit scandals (e.g. Enron and WorldCom), and use of software to determine that financial controls are proper
- Embedded audit modules allow an auditor to trap predefined types of events, or to directly inspect abnormal transactions
- Continuous auditing often incorporates new information technology developments, the increased processing capabilities of current hardware and software, standards and artificial intelligence tools

Continuous Auditing cont..
- For continuous auditing to succeed there must be:
  - A high degree of automation
  - An automated and highly reliable process for producing information about the subject matter soon after the occurrence of the events underlying the subject matter
  - Alarm triggers to report control failures in a timely manner
  - Implementation of highly automated audit tools that require the IS auditor to be involved in setting up parameters
  - Quickly informing the IS auditor of the results of automated audit procedures, particularly when the process has identified anomalies or errors
Continuous Auditing cont..
- For continuous auditing to succeed there must be (cont..):
  - Quick and timely issuance of automated audit reports
  - Technically proficient IS auditors
  - Availability of reliable sources of audit evidence
  - Adherence to materiality guidelines
  - Evaluation of cost factors
  - A change of mind-set, required for IS auditors to embrace continuous reporting

Continuous Auditing cont
- IT techniques used in continuous auditing must work at all data levels (transaction and database) and include:
  - Transaction logging
  - Query tools
  - Statistics and data analysis (CAAT)
  - Database Management System (DBMS)
  - Data warehouses, data marts, data mining
  - Artificial intelligence (AI)
  - Embedded audit modules (EAM)
  - Neural network technology
  - Standards such as Extensible Business Reporting Language (XBRL)
- Advantages:
  - Instant capture of internal control problems
  - Reduction of intrinsic audit inefficiencies
- Disadvantages:
  - Difficulty in implementation
  - High cost
  - Elimination of the auditor's personal judgment and evaluation
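An embedded audit module of the kind the continuous auditing slides describe: the IS auditor sets the parameters, the module inspects each transaction as it is posted, traps predefined event types and raises alarms for the auditor. This is an added illustration, not course material or any product's code; the transaction stream, user names, event types and thresholds are all constructed.

```python
"""Added example (not from the slides): a toy embedded audit module (EAM).
The auditor sets the parameters; the module inspects each transaction as it
is posted and raises alarms for predefined event types.  Transactions,
users, payees and thresholds below are constructed, not real."""
from dataclasses import dataclass, field
from datetime import datetime, time


@dataclass
class Transaction:
    txn_id: str
    posted_at: datetime
    entered_by: str
    approved_by: str
    payee: str
    amount: float


@dataclass
class EamParameters:
    """Parameters the IS auditor sets up when the module is installed."""
    high_value_threshold: float = 10_000.0
    business_hours: tuple = (time(8, 0), time(18, 0))
    duplicate_window_hours: int = 24


@dataclass
class EmbeddedAuditModule:
    params: EamParameters
    alarms: list = field(default_factory=list)      # the audit log
    history: list = field(default_factory=list)     # transactions seen so far

    def inspect(self, txn):
        """Trap predefined event types as each transaction is posted."""
        hits = []
        if txn.amount >= self.params.high_value_threshold:
            hits.append("HIGH_VALUE")
        if txn.entered_by == txn.approved_by:
            hits.append("SOD_VIOLATION")        # same user entered and approved
        start, end = self.params.business_hours
        if not (start <= txn.posted_at.time() <= end):
            hits.append("OUT_OF_HOURS")
        for prior in self.history:              # same payee and amount recently
            same = prior.payee == txn.payee and prior.amount == txn.amount
            gap = abs((txn.posted_at - prior.posted_at).total_seconds())
            if same and gap <= self.params.duplicate_window_hours * 3600:
                hits.append("POSSIBLE_DUPLICATE")
                break
        self.history.append(txn)
        for event in hits:                      # alarm raised with the event time
            self.alarms.append({"txn_id": txn.txn_id, "event": event,
                                "raised_at": txn.posted_at.isoformat()})
        return hits


# Constructed transaction stream with planted anomalies (T2, T3, T4).
SAMPLE_STREAM = [
    Transaction("T1", datetime(2010, 2, 8, 9, 15), "alice", "bob", "Globex", 2500.0),
    Transaction("T2", datetime(2010, 2, 8, 10, 0), "alice", "alice", "Initech", 4800.0),
    Transaction("T3", datetime(2010, 2, 8, 23, 40), "carol", "bob", "ACME", 15000.0),
    Transaction("T4", datetime(2010, 2, 9, 9, 5), "alice", "bob", "Globex", 2500.0),
]


def run_eam(stream, params=None):
    """Feed the stream through the module; return the alarms for the auditor."""
    eam = EmbeddedAuditModule(params or EamParameters())
    for txn in stream:
        eam.inspect(txn)
    return eam.alarms


if __name__ == "__main__":
    for alarm in run_eam(SAMPLE_STREAM):
        print(alarm)
```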
Continuous Auditing cont

Practice Question
1-8 The FIRST step in planning an audit is to:
A. define audit deliverables.
B. finalize the audit scope and audit objectives.
C. gain an understanding of the business's objectives.
D. develop the audit approach or audit strategy.
Practice Question
1-9 The approach an IS auditor should use to plan IS audit coverage should be based on:
A. risk.
B. materiality.
C. professional skepticism.
D. detective control.

Practice Question
1-10 A company performs a daily backup of critical data and software files and stores the backup tapes at an offsite location. The backup tapes are used to restore the files in case of a disruption. This is a:
A. preventive control.
B. management control.
C. corrective control.
D. detective control.