Chap1 2007cisareviewcourse-090511232029-phpapp02

Editor's Notes

• #2: Title slide for Chapter 1.
• #3: This is an overview of the major topics within the IS audit process area: Introduction Organization of the IS Audit Function IS Audit Resource Management Audit Planning Laws and regulations ISACA IS auditing standards and guidelines Risk analysis Internal controls Performing an IS audit Control self assessment Emerging changes in IS audit process Case Study
• #4: The objective of the process area is to ensure that the CISA candidate has the knowledge necessary to plan and conduct IS audits in accordance with generally accepted IS audit standards and guidelines to provide a statement of assurance (audit report) that the organization’s business processes supported by information technology are controlled, monitored and adequately assessed.
• #5: The process area represents 10 percent of the CISA examination (approximately 20 questions)
• #6: There are five (5) tasks within the IS audit process area: 1.1 Develop and implement a risk-based IS audit strategy for the organization in compliance with IS audit standards, guidelines and best practices. 1.2 Plan specific audits to ensure that IT and business systems are protected and controlled. 1.3 Conduct audits in accordance with IS audit standards, guidelines and best practices to meet planned audit objectives. 1.4 Communicate emerging issues, potential risks and audit results to key stakeholders. 1.5 Advise on the implementation of risk management and control practices within the organization while maintaining independence.
• #7: There are 10 knowledge statements within the IS audit process area: 1.1 Knowledge of ISACA IS Auditing Standards, Guidelines and Procedures and Code of Professional Ethics 1.2 Knowledge of IS auditing practices and techniques 1.3 Knowledge of techniques to gather information and preserve evidence (e.g., observation, inquiry, interview, computer-assisted audit techniques (CAATs), electronic media) 1.4 Knowledge of the evidence life cycle (e.g., the collection, protection, chain of custody) 1.5 Knowledge of control objectives and controls related to IS (e.g., CobiT)
• #8: Ten Knowledge statements (cont’d) 1.6 Knowledge of risk assessment in an audit context 1.7 Knowledge of audit planning and management techniques 1.8 Knowledge of reporting and communication techniques (e.g., facilitation, negotiation, conflict resolution) 1.9 Knowledge of control self-assessment (CSA) 1.10 Knowledge of continuous audit techniques
• #9: The role of the IS audit function should be established by an audit charter . IS audit is most likely to be a part of internal audit; therefore, the audit charter may include other audit functions. This charter should state clearly management’s responsibility and objectives for, and delegation of authority to, the IS audit function . This document should outline the overall authority, scope and responsibilities of the audit function . The highest level of management and the audit committee, if available, should approve this charter . Once established, this charter should be changed only if the change can be and is thoroughly justified. ISACA IS Auditing Standards require that the responsibility, authority and accountability of the information systems audit function are appropriately documented in an audit charter or engagement letter.
• #10: IS auditors are a limited resource and IS technology is constantly changing. Therefore, it is important that IS auditors maintain their competency through updates of existing skills and obtain training directed towards new audit techniques and technological areas. Specifically, the IS auditor should understand techniques for managing audit projects with appropriately trained members of the audit staff. ISACA IS Auditing Standards require that the IS auditor is technically competent, having the skills and knowledge necessary to perform the auditor’s work. Further, the IS auditor is to maintain technical competence through appropriate continuing professional education. Skill and knowledge should be taken into consideration when planning audits and assigning staff to specific audit assignments . Refer to page 2 3 of the 200 6 CISA Review Manual for further details.
• #11: Audit planning consists of both short- and long-term planning . Short-term planning takes into account audit issues that will be covered during the year, whereas long-term planning relates to audit plans that will take into account risk-related issues regarding changes in the organization’s IT strategic direction that will affect the organization’s IT environment. Analysis of short- and long-term issues should occur at least annually. This is necessary to take into account new control issues , changing technologies, changing business processes and enhanced evaluation techniques . The results of this analysis for planning future audit activities should be reviewed by senior management, approved by the audit committee, if available, or alternatively by the Board of Directors, and communicated to relevant levels of management. In addition to overall annual planning, each individual audit assignment must be adequately planned. The IS auditor should understand that other considerations, such as risk assessment by management, privacy issues and regulatory requirements, may impact the overall approach to the audit. The IS auditor should also take into consideration system implementation/upgrade deadlines, current and future technologies, requirements of business process owners, and IS resource limitations. When planning an audit, the IS auditor must have an understanding of the overall environment under review. This should include a general understanding of the various business practices and functions relating to the audit subject , as well as the types of information systems and technology supporting the activity. Refer to page s 2 3 - 24 of the 200 6 CISA Review Manual for further details.
• #12: To perform audit planning, the IS auditor should perform the following steps in order: • Gain an understanding of the business’s mission, objectives, purpose and processes, which include information and processing requirements, such as availability, integrity, security and business technology. • Identify stated contents, such as policies, standards and required guidelines, procedures, and organization structure. • Evaluate risk assessment and any privacy impact analysis carried out by management. • Perform a risk analysis. • Conduct an internal control review. • Set the audit scope and audit objectives. • Develop the audit approach or audit strategy. • Assign personnel resources to the audit and address engagement logistics.
• #13: Effect of Laws and Regulations on IS Audit Planning Each organization, regardless of its size or the industry within which it operates, will need to comply with a number of governmental and external requirements related to computer system practices and controls and to the manner in which computers, programs and data are stored and used. Additionally business regulations can impact the way data are processed, transmitted and stored (stock exchange, central banks, etc.) Several countries, because of growing dependencies upon information systems and related technology, are making efforts to establish added layers of regulatory requirements concerning IS audit. The contents of these legal regulations regard: • Establishment of the regulatory requirements • Organization of the regulatory requirements • Responsibilities assigned to the corresponding entities • Correlation to financial, operational and IT audit functions Management personnel, at all levels, should be aware of the external requirements relevant to the goals and plans of the organization and to the responsibilities and activities of the information services department/function/activity.
• #14: The following are steps that an information systems control auditor would perform to determine an organization’s level of compliance with external requirements: • Identify those government or other relevant external requirements dealing with: – Electronic data, copyrights, e-commerce, e-signatures, etc. – Computer system practices and controls – The manner in which computers, programs and data are stored – The organization or the activities of the information services • Document pertinent laws and regulations. • Assess whether the management of the organization and the information systems function have considered the relevant external requirements in making plans and in setting policies, standards and procedures. • Review internal information systems department/function/activity documents that address adherence to laws applicable to the industry. • Determine adherence to established procedures that address these requirements. Note to the instructor: A CISA candidate will not be asked about any specific laws or regulations, but may be questioned about how one would audit for compliance with laws and regulations. Address with the candidates the importance of setting legal advice. Refer to pages 2 4 - 25 of the 200 6 CISA Review Manual for further details.
• #15: Candidates need to be familiar with the Code of Ethics. Questions occasionally appear asking a candidate to distinguish application of specific inclusions in the code, or to distinguish what is, and what isn’t part of the code. Note to the instructor: You need to know the specifics of the code of ethics and be able to explain the importance of each component to the candidates. Read aloud from page 2 6 of 200 6 CISA Review Manual, the stated code of ethics.
• #16: The framework for the ISACA IS Auditing Standards provides for multiple levels, as follows: • Standards define mandatory requirements for IS auditing and reporting. • Guidelines provide guidance in applying IS Auditing Standards. The IS auditor should consider them in determining how to achieve implementation of the above standards, use professional judgment in their application and be prepared to justify any departure. • Procedures provide examples of procedures an IS auditor might follow in an audit engagement. The procedure documents provide information on how to meet the standards when completing information systems auditing work, but do not set requirements.
• #17: The specialized nature of information systems auditing and the skills and knowledge necessary to perform such audits require globally applicable standards that pertain specifically to information systems auditing. One of the most important functions of ISACA is providing information (common body of knowledge per se) to support knowledge requirements. (See Standard S4 Professional Competence.) One of ISACA’s goals is to advance standards to meet this need. The development and dissemination of the IS Auditing Standards is a cornerstone of the association’s professional contribution to the audit community. The IS auditor needs to be aware that there may be additional standards, or even legal requirements through legislation, placed on the auditor. The objectives of the ISACA IS Auditing Standards are to inform: • Information systems auditors of the minimum level of acceptable performance required to meet the professional responsibilities set out in the Code of Professional Ethics for information systems auditors • Management and other interested parties of the profession’s expectations concerning the work of audit practitioners Note to the instructor: Make the students aware of the importance of compliance with standards. The IT auditor, who is a member of ISACA or a CISA, obviously needs to understand and comply with the ISACA auditing standards. He or she needs to be aware that there may be additional standards, or even legal requirements through legislation, placed on the auditor. Many of the auditors efforts are also to assess the organization’s efforts towards meeting corporate governance and IT governance objectives, support the importance of codes of conduct/ethics for the organization as a whole.
• #18: The ISACA Code of Professional Ethics requires members of ISACA and holders of the CISA designation to comply with the IS Auditing Standards adopted by ISACA. Apparent failure to comply with these may result in an investigation into the member’s or CISA holder’s conduct by ISACA or an appropriate ISACA board or committee. Disciplinary action may ensue. The IS Auditing Standards applicable to information systems auditing are: S1 Audit Charter S2 Independence S3 Professional Ethics and Standards S4 Professional Competence S5 Planning S6 Performance of Audit Work S7 Reporting S8 Follow-up Activities S9 Irregularities and illegal acts S10 IT governance S11 Use of risk assessment in audit planning
• #19: S1 Audit Charter • The purpose, responsibility, authority and accountability of the information systems audit function or information systems audit assignments should be appropriately documented in an audit charter or engagement letter. • The audit charter or engagement letter should be agreed and approved at an appropriate level within the organisation(s). Note to the instructor: Provide some basic background pertaining to the need for professional standards. Ask the candidates the following question and discuss the answer. Q. What attributes are listed under audit charter? A. Purpose, Responsibility, Authority and Accountability Refer to page 2 7 of the 200 6 CISA Review Manual. S2 Independence Professional Independence • In all matters related to the audit, the IS auditor should be independent of the auditee in both attitude and appearance. Organizational Independence • The IS audit function should be independent of the area or activity being reviewed to permit objective completion of the audit assignment. Note to instructor: Ask candidates the following question and discuss the answer: Q. Why is independence so important? A. It permits objective completion (planning, execution, and reporting) of the audit.
• #20: S3 Professional Ethics and Standards • The IS auditor should adhere to the ISACA Code of Professional Ethics. • The IS auditor should exercise due professional care, including observance of applicable professional auditing standards. Note to instructor: Provide some basic background pertaining to the need for professional standards. Ask candidates to describe the importance and need of each standard and guideline. Also ask the candidates to refer to the ISACA Guidelines at the ISACA web site at: www.isaca.org/standards S4 Professional Competence • The IS auditor should be professionally competent, having the skills and knowledge to conduct the audit assignment. • The IS auditor should maintain professional competence through appropriate continuing professional education and training.
• #21: S5 Planning The IS auditor should plan the information systems audit coverage to address the audit objectives and comply with applicable laws and professional auditing standards. • The IS auditor should develop and document a risk-based audit approach. • The IS auditor should develop and document an audit plan detailing the nature and objectives, timing, extent and resources required. • The IS auditor should develop an audit program and procedures.
• #22: S6 Performance of Audit Work • Supervision—IS audit staff should be supervised to provide reasonable assurance that audit objectives are accomplished and applicable professional auditing standards are met. • Evidence—During the course of the audit, the IS auditor should obtain sufficient, reliable and relevant evidence to achieve the audit objectives. The audit findings and conclusions are to be supported by appropriate analysis and interpretation of this evidence. • Documentation—The audit process should be documented, describing the audit work and the audit evidence that supports the IS auditor’s findings and conclusions.
• #23: S7 Reporting • The IS auditor should provide a report, in an appropriate form, upon completion of the audit. The report should identify the organisation, the intended recipients and any restrictions on circulation. • The audit report should state the scope, objectives, period of coverage and the nature, timing and extent of the audit work performed. • The report should state the findings, conclusions and recommendations and any reservations, qualifications or limitations in scope that the IS auditor has with respect to the audit. • The IS auditor should have sufficient and appropriate audit evidence to support the results reported. • When issued, the IS auditor’s report should be signed, dated and distributed according to the terms of the audit charter or engagement letter.
• #24: S8 Follow-up Activities • After the reporting of findings and recommendations, the IS auditor should request and evaluate relevant information to conclude whether appropriate action has been taken by management in a timely manner.
• #25: S9 Irregularities and Illegal Acts In planning and performing the audit to reduce audit risk to a low level, the IS auditor should consider the risk of irregularities and illegal acts. • maintain an attitude of professional skepticism during the audit, recognizing the possibility that material misstatements due to irregularities and illegal acts could exist, irrespective of his/her evaluation of the risk of irregularities and illegal acts. • obtain an understanding of the organization and its environment, including internal controls. • obtain sufficient and appropriate audit evidence to determine whether management or others within the organization have knowledge of any actual, suspected or alleged irregularities and illegal acts. • consider unusual or unexpected relationships that may indicate a risk of material misstatements due to irregularities and illegal acts.
• #26: The IS auditor should : • obtain written representations from management at least annually or more frequently depending on the audit engagement. • have knowledge of any allegations of irregularities or illegal acts, or suspected irregularities or illegal acts affecting the organization as communicated by employees, former employees, regulators and others. • i f a material irregularity or illegal act is identified , or information that a material irregularity or illegal act may exist is obtained , the IS auditor should communicate these matters to the appropriate level of management in a timely manner. • If the IS auditor has identified a material irregularity or illegal act involving management or employees who have significant roles in internal control, the IS auditor should communicate these matters in a timely manner to those charged with governance. • The IS auditor should advise the appropriate level of management and those charged with governance of material weaknesses in the design and implementation of internal control to prevent and detect irregularities and illegal acts that may have come to the IS auditor’s attention during the audit. • If the IS auditor encounters exceptional circumstances that affect the IS auditor’s ability to continue performing the audit, the IS auditor should consider whether there is a requirement for the IS auditor to report to those with governance or regulatory authorities, or consider withdrawing from the engagement. • The IS auditor should document all communications, planning, results, evaluations and conclusions relating to material irregularities and illegal acts that have been reported to management, those charged with governance, regulators and others.
• #27: S10 IT Governance • The IS auditor should review and assess whether the IS function aligns with the organization’s mission, vision, values, objectives and strategies. • The IS auditor should review whether the IS function has a clear statement about the performance expected by the business (effectiveness and efficiency) and assess its achievement. • The IS auditor should review and assess the effectiveness of IS resource and performance management processes.
• #28: S10 IT Governance (cont’d) • The IS auditor should review and assess compliance with legal, environmental and information quality, and fiduciary and security requirements. • A risk-based approach should be used by the IS auditor to evaluate the IS function. • The IS auditor should review and assess the control environment of the organization. • The IS auditor should review and assess the risks that may adversely affect the IS environment.
• #29: S11 Use of Risk Assessment in Audit Planning • The IS auditor should use an appropriate risk assessment technique or approach in developing the overall IS audit plan and determining priorities for the effective allocation of IS audit resources. • When planning individual reviews, the IS auditor should identify and assess risks relevant to the area under review.
• #30: The objective of the ISACA IS Auditing Guidelines is to provide further information on how to comply with the ISACA IS Auditing Standards. The IS auditor should: • Consider them in determining how to implement the above standards • Use professional judgment in applying them • Be able to justify any departure G1 Using the Work of Other Auditors, effective 1 June 1998 G2 Audit Evidence Requirement, effective 1 December 1998 G3 Use of Computer Assisted Audit Techniques (CAATs), effective 1 December 1998 G4 Outsourcing of IS Activities to Other Organisations, effective 1 September 1999 G5 Audit Charter, effective 1 September 1999 G6 Materiality Concepts for Auditing Information Systems, effective 1 September 1999 G7 Due Professional Care, effective 1 September 1999 G8 Audit Documentation, effective 1 September 1999 G9 Audit Considerations for Irregularities, effective 1 March 2000 G10 Audit Sampling, effective 1 March 2000 G11 Effect of Pervasive IS Controls, effective 1 March 2000 G12 Organizational Relationship and Independence, effective 1 September 2000 G13 Use of Risk Assessment in Audit Planning, effective 1 September 2000 G14 Application Systems Review, effective 1 November 2001 G15 Planning Revised, effective 1 March 2002 G16 Effect of Third Parties on an Organization’s IT Controls, effective 1 March 2002 G17 Effect of Nonaudit Role on the IS Auditor’s Independence, effective 1 July 2002 G18 IT Governance, effective 1 July 2002 G19 Irregularities and Illegal Acts, effective 1 July 2002
• #31: G20 Reporting, effective 1 January 2003 G21 Enterprise Resource Planning (ERP) Systems Review, effective 1 August 2003 G22 Business-to-consumer (B2C) E-commerce Review, effective 1 August 2003 G23 System Development Life Cycle (SDLC) Review, effective 1 August 2003 G24 Internet Banking, effective 1 August 2003 G25 Review of Virtual Private Networks, effective 1 July 2004 G26 Business Process Reengineering (BPR) Project Reviews, effective 1 July 2004 G27 Mobile Computing, effective 1 September 2004 G28 Computer Forensics, effective 1 September 2004 G29 Post-implementation Review, effective 1 January 2005 G30 Competence, effective 1 June 2005 G31 Privacy, effective 1 June 2005 G32 Business Continuity Plan (BCP) Review From IT Perspective, effective 1 September 2005 G33 General Considerations on the Use of the Internet, effective 1 March 2006 G34 Responsibility, Authority and Accountability, effective 1 March 2006 G35 Follow-up Activities, effective 1 March 2006
• #32: Procedures developed by the ISACA Standards Board provide examples of possible process an IS auditor might follow in an audit engagement. In determining the appropriateness of any specific procedure, IS auditors should apply their own professional judgment to the specific circumstances. The procedure documents provide information on how to meet the standards when performing IS auditing work, but do not set requirements. It is not mandatory for the IS auditor to follow these procedures; however, following these procedures will provide assurance that the standards are being followed by the auditor.
• #33: Index of Procedures P1 IS Risk Assessment, effective 1 July 2002 P2 Digital Signatures, effective 1 July 2002 P3 Intrusion Detection, effective 1 August 2003 P4 Viruses and Other Malicious Code, effective 1 August 2003 P5 Control Risk Self-assessment, effective 1 August 2003 P6 Firewalls, effective 1 August 2003 P7 Irregularities and Illegal Acts, effective 1 November 2003 P8 Security Assessment—Penetration Testing and Vulnerability Analysis, effective 1 September 2004 P9 Evaluation of Management Controls Over Encryption Methodologies, effective 1 January 2005
• #34: Standards defined by ISACA are to be followed by the IS auditor. Guidelines provide assistance on how the auditor can implement standards in various audit assignments. Procedures provide the examples of steps the auditor may follow in specific audit assignment so as to implement the standards. However, the IS auditor should use professional judgment when using guidelines and procedures. See Appendix B on IS Auditing Standards, Guidelines and Procedures. The complete text of these guidelines and procedures is available at www.isaca.org/standards.
• #35: There are many definitions of risk, reflecting that risk means different things to different people. Perhaps one of the most succinct definitions of risk used within the information security business world is provided by the Guidelines for the Management of IT Security published by the International Standards Organization (ISO):  “ The potential that a given threat will exploit vulnerabilities of an asset or group of assets to cause loss or damage to the assets. The impact or relative severity of the risk is proportional to the business value of the loss/damage and to the estimated frequency of the threat.”
• #36: In the context of the definition of risk, risk has the following elements : Threats to, and vulnerabilities of, processes and/or assets (including both physical and information assets) Impact on assets based on threats and vulnerabilities Probabilities of threats (combination of the likelihood and frequency of occurrence) Business risks are those threats that may impact the assets, or processes or objectives of a specific business or organization. The nature of these threats may be financial, regulatory or operational, and may arise as a result of the interaction of the business with its environment or as a result of the strategies, systems and particular technology, processes, procedures and information used by the business. The IS auditor is often focused towards high-risk issues associated with the confidentially, availability or integrity of sensitive and critical information, and the underlying information systems and processes that generate, store and manipulate such information Note to the Instructor: Stress to the CISA candidates that Risk Analysis serves more than one purpose: • It assists the auditor in identifying risks and threats to an IT environment and IS systems that would need to be addressed by management and system-specific internal controls. Depending on the level of risk, this assists the auditor in selecting certain areas to examine. • It helps the auditor in his/her evaluation of controls in audit planning. • It assists the auditor in determining audit objectives. • It supports risk-based audit decision. Refer to page 31 of the 200 6 CISA Review Manual for further details.
• #37: Risk analysis is part of the audit planning and it helps identify risks and vulnerabilities so that the auditor can determine the controls needed to mitigate those risks. In evaluating IT-related business processes applied by an organization, understanding the relationship between risk and control is important for IS audit and control professionals. IS auditors must be able to identify and differentiate risk types and the controls used to mitigate these risks. They must have knowledge of common business risks, related technology risks and relevant controls. They must also be able to evaluate the risk assessment and management techniques used by business managers and to make assessments of risk to help focus and plan audit work. In addition to an understanding of business risk and control, IS auditors must understand that risk exists within the audit process.
• #38: The process is characterized as an iterative life cycle that begins with identifying business objectives, information assets, and the underlying systems or information resources that generate/store, use or manipulate the assets (hardware, software, databases, networks, facilities, people, etc.) critical to achieving these objectives. The greatest degree of risk management effort may then be directed toward those considered most sensitive or critical to the organization. Once sensitive and/or critical information assets are identified, a risk assessment is performed to identify risks and determine the probability of occurrence and the resulting impact and additional safeguards that would mitigate this impact to a level acceptable to management. Next, during the risk mitigation phase, controls are identified for mitigating identified risks. These controls are risk-mitigating countermeasures that should prevent or reduce the likelihood of a risk event occurring, detect the occurrence of a risk event, minimize the impact, or transfer the risk to another organization. The assessment of countermeasures should be performed through a cost-benefit analysis, where controls to mitigate risks are selected to reduce risks to a level acceptable to management. This analysis process may be based on any of the following: • The cost of the control compared to the benefit of minimizing the risk • Management’s appetite for risk (i.e., the level of residual risk that management is prepared to accept) • Preferred risk-reduction methods (e.g., terminate the risk, minimize probability of occurrence, minimize impact, transfer/insurance) The final phase relates to monitoring performance levels of the risks being managed when identifying any significant changes in the environment that would trigger a risk reassessment , warranting changes to its control environment. It encompasses three processes — risk assessment, risk mitigation and risk reevaluation — in determining whether risks are being mitigated to a level acceptable to management.
• #39: Policies, procedures, practices and organizational structures implemented to reduce risks are also referred to as internal controls . Internal controls are developed to provide reasonable assurance that an organization’s business objectives will be achieved and undesired risk events will be prevented, or detected and corrected, based on either compliance or management-initiated concerns. Control is the means by which control objectives are addressed. Internal control activities and supporting processes are either manual or driven by automated computer information resources. They operate at all levels within an organization to mitigate its exposures to risks that potentially could prevent it from achieving its business objectives. The board of directors and senior management are responsible for establishing the appropriate culture to facilitate an effective and efficient internal control system and for continuously monitoring the effectiveness of the internal control system, though each individual within an organization must take part in this process. Note to the instructor: Stress that there are two key aspects that control needs to address, what you want to achieve and what you want to avoid. Not only do internal controls address business/operational objectives, but need to address undesired events through preventing, detecting, and correcting undesired events. Refer to page 32 of the 2007 CISA Review Manual for further details. Refer to http://pw1.netcom.com/~jstorres/internalaudit/ic_def.html Controls are generally categorized into 3 major classifications: Preventive : These controls are to deter problems before they arise. Detective : Controls that detect and report the occurrence of an error, omission or malicious act.. Corrective : These controls minimize the impact of a threat, remedy problems discovered by detective controls, identify the cause of a problem. Refer to exhibit 1.1 on page 3 3 of the 2007 CISA Review Manual for further details.
• #40: • Internal accounting controls — Primarily directed at accounting operations, such as the safeguarding of assets and the reliability of financial records • Operational controls — Directed at the day-to-day operations, functions and activities to ensure that the operation is meeting the business objectives • Administrative controls — Concerned with operational efficiency in a functional area and adherence to management policies including operational controls. These can be described as supporting the operational controls specifically concerned with operating efficiency and adherence to organizational policy.
• #41: Control objectives include: • Safeguarding of information technology assets • Compliance to corporate policies or legal requirements • Authorization/input • Accuracy and completeness of processing of transactions • Output • Reliability of process • Backup/recovery • Efficiency and economy of operations Change management process for IT and related systems
• #42: Internal control objectives apply to all areas, whether manual or automated. Therefore, conceptually, control objectives in an IS environment remain unchanged from those of a manual environment. However, control features may be different. Thus, internal control objectives need to be addressed in a manner specific to IS-related processes.
• #43: IS control objectives include: • Safeguarding assets. Information on automated systems is secure from improper access and kept up to date. • Assuring the integrity of general operating system environments, including network management and operations • Assuring the integrity of sensitive and critical application system environments, including accounting/financial and management information (information objectives), through: – Authorization of the input. Each transaction is authorized and entered only once. – Accuracy and completeness of processing of transactions. All transactions are recorded and entered into the computer for the proper period. – Reliability of overall information processing activities – Accuracy, completeness and security of the output – Database integrity
• #44: • Ensuring the efficiency and effectiveness of operations (operational objectives) • Complying with the users’ requirements, organizational policies and procedures, and applicable laws and regulations (compliance objectives) • Developing business continuity and disaster recovery plans • Developing an incident response and handling plan
• #45: Control Objectives for Information and related Technology (CobiT) is a framework with a set of 34 high-level control objectives representing IT processes grouped into four domains: plan and organize, acquire and implement, deliver and support, and monitor and evaluate. By addressing these 34 high-level control objectives, organizations can ensure that adequate governance and control arrangements are provided for their IT environment. Supporting these IT processes are more than 200 detailed control objectives necessary for effective implementation. CobiT use s, as primary references, 36 major standards and regulations relating to IT . CobiT is directed to the management and staff of information services, control departments, audit functions and, most importantly, the business process owners using IT processes to assure confidentiality, integrity and availability of sensitive and critical information. ITGI has also published the IT Governance Implementation Guide, to facilitate enterprises in implementing IT governance using the CobiT framework. CobiT® QuickstartTM provides essentials of CobiT for small and medium enterprises. CobiT Online® provides all the components of CobiT on the Internet for users to adapt and customize CobiT components as per their specific requirements. Note: A CISA candidate will not be asked to identify specifically the CobiT assurance process, the CobiT domains or the set of IT processes defined in each. However, candidates should know what frameworks are, what they do and why they are used by enterprises. Knowledge of the existence, structure and key principles of major standards and frameworks related to IT governance, assurance and security will also be advantageous. CobiT can be used as a supplemental study material in understanding control objectives and principles as detailed in this review material. Please refer to Appendix A for references between the CISA certification domains and the CobiT framework.
• #46: General Control Procedures General controls apply to all areas of the organization. These include policies and practices established by management to provide reasonable assurances that specific objectives will be achieved.
• #47: The control procedures include: • Internal accounting controls that are primarily directed at accounting operations. They concern the safeguarding of the assets and the reliability of financial records. • Operational controls that are concerned with the day-to-day operations, functions and activities, and ensure the operation is meeting the business objectives • Administrative controls that are concerned with operational efficiency in a functional area and adherence to management policies. Administrative controls support the operational controls specifically concerned with operating efficiency and adherence to organizational policies. • Organizational logical security policies and procedures to ensure proper authorization of transactions and activities • Overall policies for the design and use of adequate documents and records to help ensure proper recording of transactions—transactional audit trail • Procedures and features to ensure adequate safeguards over access to and use of assets and facilities • Physical security policies for all data centers
• #48: IS control procedures include policies, procedures and practices (tasks and activities) that are established by management to provide reasonable assurance that specific objectives will be achieved. Each general control procedure can be translated into an IS-specific control procedure. A well-designed information system should have controls built in for all its sensitive or critical functions. For example, the general procedure to ensure adequate safeguards over access to assets and facilities can be translated into an IS-related set of control procedures, covering access safeguards over computer programs, data and computer equipment. The IS auditor should understand the basic control objectives that exist for all functions. IS control procedures include: • Strategy and direction • General organization and management • Access to data and programs • Systems development methodologies and change control • Data processing operations • Systems programming and technical support functions • Data processing quality assurance procedures • Physical access controls • Business continuity/disaster recovery planning • Networks and communications • Database administration
• #49: Auditing can be defined as a systematic process by which a competent, independent person objectively obtains and evaluates evidence regarding assertions about an economic entity or event for the purpose of forming an opinion about and reporting on the degree to which the assertion conforms to an identified set of standards. Note to the instructor : A discussion on auditing should include audit scope, audit objectives, criteria, audit procedures, evidence, conclusions and opinions, and reporting. Some of these need to be engaged among the CISA candidates at this point. IS audit can be defined as any audit that encompasses review and evaluation (wholly or partly) of automated information processing systems, related nonautomated processes and the interfaces between them. To perform such a process, several steps are required. Adequate planning is a necessary first step in performing effective IS audits. To effectively use IS audit resources, audit organizations must assess the overall risks for the general and application area being audited and then develop an audit program that consists of objectives and audit procedures to satisfy the audit objectives. The audit process requires the IS auditor to gather evidence, evaluate the strengths and weaknesses of controls based upon the evidence gathered, and prepare an audit report that presents those issues in an objective manner to management. Audit management must ensure the availability of adequate audit resources and a schedule for performing the audits and for follow-up reviews on the status of corrective actions taken by management. A discussion on auditing should include audit scope, audit objectives, criteria, audit procedures, evidence, conclusions and opinions, and reporting.
• #50: The IS auditor should understand the various types of audits that can be performed, internally or externally, and the audit procedures associated with each: • Financial audits —assess the correctness of an organization’s financial statements. A financial audit will often involve detailed, substantive testing. This kind of audit relates to information integrity and reliability. • Operational audits —evaluate the internal control structure in a given process or area. IS audits of application controls or logical security systems are examples of operational audits. • Integrated audits —An integrated audit combines financial and operational audit steps. It is also performed to assess the overall objectives within an organization, related to financial information and assets’ safeguarding, efficiency and compliance. An integrated audit can be performed by external or internal auditors and would include compliance tests of internal controls and substantive audit steps. • Administrative audits —assess issues related to the efficiency of operational productivity within an organization. • Information systems audits —This process collects and evaluates evidence to determine whether the information systems and related resources adequately safeguard assets, maintain data and system integrity, provide relevant and reliable information, achieve organizational goals effectively, consume resources efficiently, and have in effect internal controls that provide reasonable assurance. • Specialized audits —Within the category of IS audits, there are a number of specialized reviews that examine areas such as services performed by third parties and forensic auditing. • Forensic audits —Traditionally, forensic auditing has been defined as an audit specialized in discovering, disclosing and following up on frauds and crimes. In recent years, the forensic professional has been called upon to participate in investigations related to corporate fraud and cybercrime. Refer to page 33 of the 2006 CISA Review Manual for further detail.
• #51: Audit Programs Audit programs for financial, operational, integrated, administrative and IS audits are based on the scope and objective of the particular assignment. IS auditors often evaluate IT functions and systems from different perspectives, such as security (confidentiality, integrity and availability), quality (effectiveness, efficiency), fiduciary (compliance, reliability), service and capacity. It is important to underscore that the audit work program is the audit strategy and plan—it identifies scope, audit objectives and audit procedures to obtain sufficient, competent evidence to draw and support audit conclusions and opinions.
• #52: General audit procedures are the basic steps in the performance of an audit and usually include: • Obtaining and recording an understanding of the audit area/subject • Risk assessment and general audit plan and schedule • Detailed audit planning • Preliminary review of the audit area/subject • Evaluating the audit area/subject • Compliance testing (often referred to as tests of controls) • Substantive testing • Reporting (communicating results) • Follow-up Note to the instructor: Describe and discuss each audit procedure and its sequence with the class.
• #53: The IS auditor must understand the procedures for testing and evaluating information systems controls. These procedures could include: • The use of generalized audit software to survey the contents of data files (including system logs) • The use of specialized software to assess the contents of operating system parameter files (or detect deficiencies in system parameter settings) • Flow-charting techniques for documenting automated applications and business process • The use of audit reports available in operation systems • Documentation review • Observation
• #54: Audit Methodology An audit methodology is a set of documented audit procedures designed to achieve planned audit objectives. Its components are a statement of scope, a statement of audit objectives and a statement of work programs. The audit methodology should be set up and approved by the audit management to achieve consistency in audit approach. This methodology should be formalized and communicated to all audit staff.
• #55: An early and critical product of the audit process should be an audit program that is the guide for performing and documenting all the following audit steps and the extent and types of evidential matter reviewed. The typical audit phases are: Audit subject • Identify the area to be audited. Audit objective • Identify the purpose of the audit. For example, an objective might be to determine that program source code changes occur in a well-defined an controlled environment. Audit scope • Identify the specific systems, function or unit of the organization to be included in the review. For example, in the previous program changes example, the scope statement might limit the review to a single application system or to a limited period of time.
• #56: Pre-audit planning • Identify technical skills and resources needed. • Identify the sources of information for test or review such as functional flow-charts, policies, standards, procedures and prior audit workpapers. • Identify locations or facilities to be audited.
• #57: Audit procedures and steps for data gathering • Identify and select the audit approach to verify and test the controls. • Identify a list of individuals to interview. • Identify and obtain departmental policies, standards and guidelines for review. • Develop audit tools and methodology to test and verify control.
• #58: Procedures for evaluating the test or review results Procedures fo r communication with management Audit report preparation • Identify follow-up review procedures. • Identify procedures to evaluate/test operational efficiency and effectiveness. • Identify procedures to test controls. • Review and evaluate the soundness of documents, policies and procedures. (Refer to Exhibit 1.2 on Page 38 of the 2006 CISA Review Manual for the typical audit phases listed above.) Although an audit program does not necessarily follow a specific set of steps, the IS auditor typically would follow sequential program steps to gain an understanding of the entity under audit, to evaluate the control structure and to test the controls.
• #59: Any and all audit plans, programs, activities, tests, findings and incidents shall be properly documented in workpapers (WPs).
• #60: Their format and media are optional, but due diligence and best practices require that WPs are dated, initialized, page-numbered, relevant, complete, clear, self-contained and properly labeled, filed and kept in custody. Workpapers do not necessarily have to be on paper—in hard copy. ISACA’s IS Auditing Standards and Guidelines set forth many specifications about WPs, including how to use those of other (previous or contractor’s) auditor’s, or the need to document the audit plan, program and evidence, or the use of CAATs or sampling, etc. WPs can be considered the bridge or interface between the audit objectives and the final report. They should provide a seamless transition—with traceability and chargeability—from objectives to report and from report to objectives. The audit report, in this context, can be viewed as just a particular WP. IS auditors are a scarce and expensive resource. Any technology capable of increasing the audit productivity is welcome. Automating workpapers affect productivity directly in obvious ways and also indirectly (granting access to other auditors, reusing documents or parts of them in recurring audits, etc.). The quest for integrating workpapers in the auditor’s e-environment has resulted in all major audit and project management packages, CAATs and expert systems offering a panoply of automated documentation and import-export features. The quest for integrating workpapers in the auditor’s “e-environment”has resulted in that all major audit- and project-management packages, CAATs and expert systems offer a panoply of automated documentation and import-export features.
• #61: The use of information technology for business has immensely benefited enterprises in terms of significantly increased quality of delivery of information. However, the widespread use of information technology and the Internet suffers from risks that enable the easy perpetration of errors and frauds. Management is primarily responsible for establishing, implementing and maintaining a framework and design of IT controls to meet the internal control objectives. A well-designed internal control system provides good opportunities for deterring fraud at the first instance and a system that enables timely detection of frauds . Internal controls may fail, where such controls are circumvented by exploiting vulnerabilities or through management perpetrated weakness in controls for undue advantage or collusion between people. Legislation and regulations relating to corporate governance cast significant responsibilities on management, auditors and the audit committee regarding detection and disclosure of any frauds , whether material or not. The information systems auditor should observe and exercise due professional care (ISACA Standard 030.020) in all aspects of their work. IS auditors entrusted with assurance functions should ensure reasonable care while performing their work and be alert to the possible opportunities that allow a fraud to materialize. Besides instituting and maintaining a system of internal controls, management looks upon assurance from IS auditors on the state of internal controls for their ability to deter and detect frauds and recommendations for improvement in internal controls. Where during the course of regular assurance work the IS auditor comes across any instance of fraud or indicators of fraud, the IS auditor may, after careful evaluation, communicate the need for a detailed investigation to appropriate authorities. In case of the auditor identifying a major fraud or where the risk associated with the detection is high, audit management should also consider communicating to the audit committee, in a timely manner.
• #62: Audit risk can be defined as the risk that the information/financial report may contain material error that may go undetected during the course of the audit. More and more organizations are moving to a risk-based audit approach that is usually adapted to develop and improve the continuous audit process. This approach is used to assess risk and to assist with an IS auditor’s decision to do either compliance testing or substantive testing. It is important to stress that the risk-based audit approach assists the auditor in determining the nature and extent of testing, besides helping make the decision to complete a compliance or a substantive test. Within this concept, inherent risk, control risk or detection risk should not be of major concern, despite some weaknesses. In a risk-based audit approach, IS auditors are not just relying on risk; they also are relying on internal and operational controls as well as knowledge of the company or the business. This type of risk assessment decision can help relate the cost-benefit analysis of the control to the known risk, allowing practical choices. By understanding the nature of the business, IS auditors can identify and categorize the types of risks that will better determine the risk model or approach in conducting the audit. The risk model assessment can be as simple as creating weights for the types of risks associated with the business and identifying the risks in an equation. On the other hand, risk assessment can be a scheme where risks have been given elaborate weights based on the nature of the business or the significance of the risk. Note to the instructor: Discuss with the CISA candidates the difference between control risk, audit risk and residual risk.
• #63: Audit risk can be categorized as: • Inherent risk —The risk that an error exists that could be material or significant when combined with other errors encountered during the audit, assuming that there are no related compensating controls. Inherent risk can also be categorized as the susceptibility to a material misstatement in the absence of related controls. For example, complex calculations are more likely to be misstated than simple ones and cash is more likely to be stolen than an inventory of coal. Inherent risks exist independent of an audit and can occur because of the nature of the business. • Control risk —The risk that a material error exists that will not be prevented or detected in a timely manner by the internal controls system. For example, the control risk associated with manual reviews of computer logs can be high because activities requiring investigation are often easily missed, owing to the volume of logged information. The control risk associated with computerized data validation procedures is ordinarily low if the processes are consistently applied. • Detection risk —The risk that an IS auditor uses an inadequate test procedure and concludes that material errors do not exist when, in fact, they do. Detection of an error would not be determined during the risk assessment phase of an audit. However, identifying detection risk would better evaluate and assess the auditor’s ability to test, identify and recommend the correction of material errors as the result of a test. • Overall audit risk —The combination of the individual categories of audit risks assessed for each specific control objective. An objective in formulating the audit approach is to limit the audit risk in the area under scrutiny so the overall audit risk is at a sufficiently low level at the completion of the examination. Another objective is to assess and control those risks to achieve the desired level of assurance as efficiently as possible. Audit risk is also used sometimes to describe the level of risk that the IS auditor is prepared to accept during an audit engagement. The auditor may set a target level of risk and adjust the amount of detailed audit work to minimize the overall audit risk. Note: Audit risk should not be confused with statistical sampling risk, which is the risk that incorrect assumptions are made about the characteristics of a population from which a sample is selected.
• #64: Overview of the Risk-based A pproach Gather Information and Plan • Knowledge of business and industry • Regulatory statutes • Prior year’s audit results • Inherent risk assessments • Recent financial information Obtain Understanding of Internal Control • Control environment • Control risk assessment • Control procedures • Equate total risk • Detection risk assessment Perform Compliance Tests • Test policies and procedures • Test segregation of duties Perform Substantive Tests • Analytical procedures • Other substantive audit procedures • Detailed tests of account balances Conclude the Audit • C reate recommendations • W rite audit report
• #65: The concept of materiality requires sound judgment from the IS auditor. The IS auditor may detect a small error that could be considered significant at an operational level, but may not be viewed as significant to upper management. Materiality considerations combined with an understanding of audit risk are essential concepts for planning the areas to be audited and the specific test to be performed in a given audit. Materiality can be more difficult for the IS auditor. For example, a logical security parameter setting that allows a programmer to access, without authorization, the source code for all programs might be a material error. Similarly, access rights to only a few more insignificant programs might not be considered material to the IS auditor. Materiality here is considered in terms of the total potential impact to the organization. Refer to page 41 of the 200 6 CISA Review Manual for details .
• #66: Risk Assessment Techniques An IS auditor could face a large variety of audit subjects, when determining which functional areas should be audited. Each of these may represent different types of audit risks. The IS auditor should evaluate these various risk candidates to determine the high- risk areas that should be audited. Using risk assessment to determine areas to be audited: Enables management to effectively allocate limited audit resources. Ensures that relevant information has been obtained from all levels of management, including boards of directors, IS auditors and functional area management. Generally, the information assists management in effectively discharging their responsibilities and ensures that the audit activities are directed to high business risk areas which will add value to management. Establishes a basis for effectively managing the audit department. Provides a summary of how the individual audit subject is related to the overall organization as well as to the business plans. There are several methods currently employed to perform risk assessments. One such risk assessment approach is a scoring system that is useful in prioritizing audits based on an evaluation of risk factors. It considers variables such as technical complexity, level of control procedures in place and level of financial loss. These variables may or may not be weighted. These risk values are then compared to each other and audits are scheduled accordingly. Refer to page s 38-39 of the 200 6 CISA Review Manual for further details.
• #67: A control objective refers to how an internal control should function, while an audit objective refers to the specific goals of the audit. An audit may incorporate several audit objectives. Audit objectives often focus on substantiating that internal controls exist to minimize business risks. These audit objectives include assuring compliance with legal and regulatory requirements as well as the confidentiality, integrity, reliability and availability of information resources. Management may give the IS auditor a general control objective to review and evaluate when performing an audit. A key element in planning an information systems audit is to translate basic audit objectives into specific information systems audit objectives. For example, in a financial/operational audit, an internal control objective could be to ensure that transactions are properly posted to the general ledger accounts. However, in the information systems audit, the objective could be extended to ensure that editing features are in place to detect errors in the coding of transactions that may impact the account-posting activities. Refer to page 42 of the 200 6 CISA Review Manual for further details.
• #68: There is a difference between evidence gathering for the purpose of testing an organization’s compliance with control procedures and evidence gathering to evaluate the integrity of individual transactions, data or other information. The former procedures are called compliance tests and the latter are called substantive tests . A compliance test determines if controls are being applied in a manner that complies with management policies and procedures. For example, if the IS auditor is concerned about whether program library controls are working properly, the IS auditor might select a sample of programs to determine if the source and object versions are the same. The broad objective of any compliance test is to provide IS auditors with reasonable assurance that the particular control on which the IS auditor plans to rely is operating as the IS auditor perceived in the preliminary evaluation. It is important that the IS auditor understands the specific objective of a compliance test and the control being tested. Compliance tests can be used to test the existence and effectiveness of a defined process, which may include a trail of documentary and/or automated evidence, for example, to provide assurance that only authorized modifications are made to production programs. A substantive test substantiates the integrity of actual processing. It provides evidence of the validity and integrity of the balances in the financial statements and the transactions that support these balances. IS auditors use substantive tests to test for monetary errors directly affecting financial statement balances. An IS auditor might develop a substantive test to determine if the tape library inventory records are stated correctly. To perform this test, the IS auditor might take a thorough inventory or might use a statistical sample, which will allow the IS auditor to develop a conclusion regarding the accuracy of the entire inventory. There is a direct correlation between the level of internal controls and the amount of substantive testing required. If the results of testing controls (compliance tests) reveal the presence of adequate internal controls, then the IS auditor is justified in minimizing the substantive procedures. Conversely, if the testing of control reveals weaknesses in controls that may raise doubts about the completeness, accuracy or validity of the accounts, substantive testing can alleviate those doubts. Refer to Exhibit 1.4 on page 43 of the 200 6 CISA Review Manual for relationship between compliance and substantive tests .
• #69: Evidence is any information used by the IS auditor to determine whether the entity or data being audited follows the established audit criteria or objectives. It may include the auditor’s observations, notes taken from interviews, material extracted from correspondence and internal documentation or the results of audit test procedures. Some evidence is more reliable than others. Note to the instructor: Candidates must take into account the rules of evidence and sufficiency and competency of evidence as required by audit standards. Determinants for evaluating the reliability of audit evidence include: Independence of the provider of the evidence : Evidence obtained from outside sources is more reliable than from within the organization. This is why confirmation letters are used for verification of accounts receivable balances. Qualification of the individual providing the information or evidence : Whether the providers of information or evidence are inside or outside of the organization, the IS auditor should always consider the qualifications of the persons providing the information. Objectivity of the evidence : Objective evidence is more reliable than evidence that requires considerable judgment or interpretation. An IS auditor’s count of a cash fund is direct, objective evidence, but his analysis of the efficiency of an application, based upon discussions with certain personnel, may not be objective audit evidence. Timing of evidence— The IS auditor should consider the time during which information exists or is available in determining the nature, timing and extent of substantive testing and, if applicable, compliance testing. For example, audit evidence processed by electronic data interchange (EDI), document image processing (DIP) and dynamic systems such as spreadsheets may not be retrievable after a specified period of time if changes to the files are not controlled or the files are not backed up Refer to page 4 4 of the 200 6 CISA Review Manual for further details.
• #70: Review information systems organization structures The IS auditor should understand general organizational controls and be able to evaluate these controls in the organization under audit. Review IS policies and procedures The IS auditor should review whether appropriate policies and procedures are in place, determine whether personnel understand the implemented policies and procedures, and ensure that they are being followed. • Reviewing information systems standards T he IS auditor should understand the existing standards in place within the organization. Review information systems documentation A first step in reviewing the documentation for an information system is to understand the existing documentation in place within the organization. The IS auditor should look for a minimum level of information systems documentation. Note to the instructor: The CISA candidates should have a clear understanding that all of these reviews are part of an audit, but an audit is NOT just review work. An audit includes examination, which incorporates by necessity, the testing of controls, audit evidence. Therefore, includes the results of audit tests. Interviewing appropriate personnel The purpose of such interviews is to gather audit evidence. Personnel interviews are discovery in nature and should never be accusatory. Observing processes and employee performance The observation of processes is a key audit technique for many types of reviews. The IS auditor should be unobtrusive while making observations and should document everything in sufficient detail to be able to present it, if required, as audit evidence at a later date. Refer to pages 4 4 -4 5 of the 2006 CISA Review Manual for further details.
• #71: Interviewing and Observing Personnel in the Performance of Their Duties Observing personnel in the performance of their duties assists an IS auditor in identifying: • Actual functions—Observation is the best test to ensure that the individual who is assigned and authorized to perform a particular function is the person who is actually doing the job. It allows the IS auditor an opportunity to witness how policies and procedures are understood and practiced. • Actual processes/procedures—Performing a walk-through of the process/procedure allows the IS auditor to gain evidence of compliance and observe deviations, if any. • Security awareness—Security awareness should be observed to verify an individual’s understanding and practice of good preventive and detective security measures to safeguard the company’s assets and data. • Reporting relationships—Reporting relationships should be observed to ensure that assigned responsibilities and adequate segregation of duties are being practiced. Interviewing information processing personnel and management should provide adequate assurance that the staff has the required technical skills to perform the job. This is an important factor that contributes to an effective and efficient operation.
• #72: Sampling is used when time and cost considerations preclude a total verification of all transactions or events in a predefined population. It is used to infer characteristics about a population, based on the results of examining the characteristics of a sample of the population. Audit Sampling general approaches. Statistical and non-statistical are the two general approaches to sampling. Note to the instructor: Ask candidates to define statistical and non-statistical sampling. 1. Statistical sampling. An objective method of determining the sample size and selection of criteria. The IS auditor quantitatively decides how closely the sample should represent the population (assessing sample precision), and the number of times in 100 the sample should represent the population (the reliability or confidence level). This assessment will be represented as a percentage. 2. Non-statistical sampling. Uses auditor judgment to determine the method of sampling, the number of items that will be examined from a population (sample size) and which items to select (sample selection). These decisions are based on subjective judgment as to which items/transactions are the most material and most risky. Within the two general approaches are two primary methods of sampling: Attribute sampling - Generally applied in compliance testing situations and deals with the presence or absence of the attribute and provides conclusions that are expressed in rates of incidence. Variable sampling - Generally applied in substantive testing situations and deals with population characteristics that vary, such as dollars and weights, and provides conclusions related to deviations from the norm. Note to the instructor: Candidates will be expected to know the difference between attribute and variable sampling and when each approach should be applied. (See next slide)
• #73: Within attribute sampling are three different types of proportional sampling : Attribute sampling is a sampling model that is used to estimate the rate of occurrence of a specific quantity (attribute) in a population. It answers the question of “how many?” Stop-or-go sampling is a sampling model that helps prevent excessive sampling of an attribute by allowing an audit test to be stopped at the earliest possible moment. Discovery sampling is a sampling model that can be used when the expected occurrence rate is extremely low. Discovery sampling is more often used when the objective of the audit is to seek out (discover) fraud or other irregularities. Variable sampling refers to a number of types of quantitative sampling methods Stratified mean per unit is a statistical model in which the population is divided into groups and samples are drawn from the various groups. Unstratified mean per unit is a statistical model whereby a sample mean is calculated and projected as an estimated total. Difference estimation is a statistical model used to estimate the total difference between audited values and book (unaudited) values based on differences obtained from sample observations. Refer to pages 4 6-47 of the 200 6 CISA Review Manual for further detail.
• #74: Candidates must be familiar with statistical sampling terms. Confidence coefficient (also referred to as confidence level or reliability factor) is a percentage expression (90 percent, 95 percent, 99 percent, etc.) of the probability that the characteristics of the sample are a true representation of the population. Level of risk is equal to one minus the confidence coefficient. For example, if the confidence coefficient is 95 percent, the level of risk is five percent (100 percent-95 percent). Precision , set by the IS auditor, represents the acceptable range difference between the sample and the actual population. For attribute sampling this figure is stated as a percentage. For variable sampling this figure is stated as a monetary amount or a number. The higher the precision amount, the smaller the sample size, and the greater the risk of fairly large total error amounts going undetected. The smaller the precision amount, the greater the sample size. A very low precision level may lead to an unnecessarily large sample size. Expected error rate , is an estimate stated as a percent of the errors that may exist. The greater the expected error rate, the greater the sample size. This figure is applied to attribute sampling formulas, but not to variable sampling formulas. Sample mean is the sum of all sample values, divided by the size of the sample. It measures the average size of the sample. Sample standard deviation computes the variance of the sample values from the mean of the sample. It measures the spread(s) or dispersion of the sample values. Tolerable error rate describes the maximum misstatement or number of errors that can exist without an account being materially misstated. Tolerable rate is used for the planned upper limit of the precision range for compliance testing. The term is expressed as a percentage. Precision range or precision mean the same thing when used in substantive testing. Population standard deviation is a mathematical concept that measures the relationship to the normal distribution. The greater the standard deviation, the larger the sample size. This figure is applied to variable sampling formulas, but not to attribute sampling formulas.
• #75: It is also important for the auditor to know the key steps in the construction and selection of sample for an audit test: Determine the objectives of the test Define the population to be sampled Determine the sampling method, such as attribute versus variable sampling. Calculate the sample size Select the sample Evaluating the sample from an audit perspective. It is important to know that tools exist to analyze all of the data, not just those available through computer-assisted audit techniques.
• #76: Due to the scarce availability of IS auditors and the need for IT security specialists and other subject matter experts to conduct audits of highly specialized areas, the audit department or auditors entrusted with providing assurance may require the services of other auditors or experts. Of late, outsourcing of IS assurance and security services is increasingly becoming a common practice. External experts could include experts in specific technologies, such as networking, automated teller machine (ATM), wireless, systems integration and digital forensics, or subject matter experts such as specialists in a particular industry or area of specialization, such as banking, securities trading, insurance, legal experts etc. When a part or the whole of IS audit services are proposed to be outsourced to another audit or external service provider, the following should be considered with regard to using the services of other auditors and experts: • Restrictions on outsourcing of audit/security services provided by laws and regulations • Audit charter or contractual stipulations • Impact on overall and specific IS audit objectives • Impact on IS audit risk and professional liability • Independence and objectivity of other auditors and experts • Professional competence, qualifications and experience
• #77: Scope of work proposed to be outsourced and approach • Supervisory and audit management controls • Method and modalities of communication of results of audit work • Compliance with legal and regulatory stipulations • Compliance with applicable professional standards Based on the nature of assignment, the following may also require special consideration: • Testimonials/references and background checks • Access to systems, premises and records • Confidentiality restrictions to protect customer-related information • Use of CAATS and other tools to be used by the external audit service provider • Standards and methodologies for performance of work and documentation The IS auditor or entity outsourcing the services should monitor the relationship to ensure the objectivity and independence throughout the duration of the arrangement. It is important to understand that often, even though a part of or the whole of the audit work may be delegated to an external service provider, the related professional liability is not necessarily delegated. Hence, it is the responsibility of the IS auditor or entity employing the services of external service providers to: • Clearly communicate the audit objectives, scope and methodology through a formal engagement letter • Put in place a monitoring process for regular review of the work of the external service provider with regard to planning, supervision, review and documentation • Assess the usefulness and appropriateness of reports of such external providers and assess the impact of significant findings on the overall audit objectives
• #78: The candidate should have a thorough understanding of computer-assisted audit techniques CAATs and know where and when to apply them. CAATs are a significant tool for IS auditors to gather information independently and provide a means to gain access and to analyze data for a predetermined audit objective and to report the audit findings with emphasis on the reliability of the records produced and maintained in the system. The reliability of the source of the information used provides reassurance on findings generated. CAATs include: Generalized audit software (ACL, IDEA, etc.) - provides an independent means to gain access to data for analysis. The effective and efficient use of the software requires and understanding of its capabilities and limitations. Generalized audit software (GAS) refers to standard software that has the capability to directly read and access data from various database platforms, flat file systems and ASCII formats. IS auditors can directly access the data stored in a computer and perform various types of mathematical computations and statistical analysis. Utility software - is a subset of software, such as database management systems report generators, that provide evidence to the auditors about system control effectiveness. Test data - involve the auditors using a sample set of data to assess whether logic errors exist in a program and whether the program meets its objectives. Application software for continuous online audits - review of an application system will provide information about internal controls built in the system. Audit expert systems - give direction and valuable information to all levels of auditors while carrying out the audit because the query-based system is built on the knowledge base of the senior auditors or managers.
• #79: Need for CAATs The audit findings and conclusions are to be supported by appropriate analysis and interpretation of the evidence. Today’s information processing environments pose a stiff challenge to the IS auditor to collect sufficient, relevant and useful evidence since the evidence exists on magnetic media and can only be examined using CAATs. With systems having different hardware and software environments, different data structure, record formats, processing functions, etc., it is almost impossible for the IS auditors to collect evidence without a software tool to collect and analyze the records. Functional Capabilities of CAATs Generalized audit software provides IS auditors the ability to use high-level problem solving software to invoke functions to be performed on data files. The following functions supported in generalized audit software are: File access - Enables the reading of different record formats and file structures File reorganization - Enables the indexing, sorting, merging, and linking with another file Data Selection - Enables global filtration conditions and selection criteria Statistical functions - Enables sampling, stratification and frequency analysis Arithmetical functions - Enables arithmetic operators and functions Areas of Concern Integrity, reliability, and security of the CAATs beforehand Integrity of the information systems and security environment Confidentiality and security of data as required by the clients
• #80: Examples of CAATs: Generalized audit software ACL, IDEA, etc. Utility software SQL commands Third party access control software Application systems Options, reports built in the system CAATs as a Continuous Online Audit Approach An increasingly important advantage of CAATs is the ability to improve audit efficiency, particularly in paperless environments, through continuous online auditing techniques. To this end, IS auditors must develop audit techniques that are appropriate for use with advanced computerized systems. In addition, they must be involved in the creation of advanced systems at the very early stages of development and implementation, and they must make greater use of automated tools that are suitable for use within their organization’s automated environment. This is in the form of the continuous audit approach (for more detailed information on continuous online auditing, see chapter 7, Business Process Evaluation and Risk Management). Note to the instructor: Discuss with candidates the advantages/benefits of CAATs. CAATs offer the following advantages: • Reduced level of audit risk • Greater independence from the auditee • Broader and more consistent audit coverage • Faster availability of information • Improved exception identification • Greater flexibility of run times • Greater opportunity to quantify internal control weaknesses • Enhanced sampling • Cost savings over time Cost/benefits of CAATs Like any other process, an IS auditor should weigh the costs/benefits of CAATs before going through the effort, time and expense of purchasing or developing them. Issues to consider include: • Ease of use, both for existing audit staff and future staff • Training requirements • Complexity of coding and maintenance • Flexibility of uses • Installation requirements • Processing efficiencies (especially with a PC CAAT) • Effort required to bring the source data into the CAATs for analysis
• #81: When developing CAATs, the following are examples of documentation to be retained: Online reports detailing high risk-issues for review Commented program listings Flowcharts Sample reports Record and file layouts Field definitions Operating instructions Description of applicable source documents The CAATs documentation should be referenced to the audit program and clearly identify the audit procedures and objectives being served. When requesting access to production data for use with CAATs, the IS auditor should request read-only access. Any data manipulation done by the IS auditor should be done to copies of production files in a controlled environment that ensures production data are not exposed to unauthorized updating.
• #82: After developing an audit program and gathering audit evidence, the next step is an evaluation of the information gathered in order to develop an audit opinion. This requires the IS auditor to consider a series of strengths and weaknesses and then to develop audit opinions and recommendations. The IS auditor should assess the results of the evidence gathered for compliance with the control requirements or objectives established during the planning stage of the audit. This requires considerable judgment, as controls are often unclear. A control matrix is often utilized in assessing the proper level of controls. As part of the information systems review, the IS auditor may discover a variety of strong and weak controls. All should be considered when evaluating the overall control structure . In some instances, one strong control may compensate for a weak control in another area. The IS auditor should be aware of compensating controls in areas where controls have been identified as weak. A control objective will not normally be achieved due to one control being considered adequate. They must be evaluated to determine how they relate to each other. Evaluate the totality of control by considering the strengths and weaknesses of control procedures. Assess the strengths and weaknesses of the controls evaluated and then determine if they are effective in meeting the control objectives established as part of the audit planning process. Refer to pages 4 9 - 50 of the 200 6 CISA Review Manual for further details.
• #83: Judging materiality of findings The concept of materiality is a key issue when deciding which findings to bring forward in an audit report. Key to determining the materiality of audit findings is the assessment of what would be significant to different levels of management. Assessment requires judgment of the potential effect of the finding if corrective action is not taken. Assess what is significant to different levels of management. Discuss examples of what might be important to different levels of management and why. Note to the instructor: The IS auditor must use judgment when deciding which findings to present to various levels of management. The IS auditor should always judge which findings are material to various levels of management and should report them accordingly. Refer to page 50 of the 200 6 CISA Review Manual for further details.
• #84: Communicating audit results The exit interview , conducted at the end of the audit, provides the IS auditor with the opportunity to discuss findings and recommendations with management. The objectives and scope of the audit can be discussed and the IS audit process can be explained. During the exit interview, the IS auditor should: • Ensure that the facts presented in the report are correct • Ensure that the recommendations are realistic and cost-effective, and if not, seek alternatives through negotiation with the audited area • Recommend implementation dates for agreed recommendations The IS auditor will frequently be asked to present the results of audit work to various levels of management. The IS auditor should have a thorough understanding of the presentation techniques necessary to communicate these results. Presentation techniques could include the following: • Executive summary —An easy-to-read, concise report, it presents findings to management in an understandable manner. Most executive managers are not well versed in computer jargon; therefore, executive summaries should minimize the use of complex terminology. Findings and recommendations should be communicated from a business perspective. Detailed attachments can be more technical in nature since operations management will require the detail to correct the reported situations. • Visual presentation —This may include overhead transparencies, slides or computer graphics. Before communicating the results of an audit to senior management, the IS auditor should discuss the findings with the management staff of the audited entity. The goal of such a discussion would be to gain agreement on the findings and develop a course of corrective action. Refer to page 51 of the 200 6 CISA Review Manual for further details.
• #85: The exact format of an audit report vary by organization. However, the skilled IS auditor should understand the basic components of an audit report and how it communicates audit findings to management. The IS auditor should become familiar with the ISACA S7 Reporting and S8 Follow-up Activities standards. There is no specific format for an IS audit report, yet the organization’s audit policies and procedures will dictate the format generally. Audit reports, however, usually will have the following structure and content: • An introduction to the report, including a statement of audit objectives and scope, the period of audit coverage, and a general statement on the nature and extent of audit procedures examined during the audit • The IS auditor’s overall conclusion and opinion on the adequacy of controls and procedures examined during the audit • The IS auditor’s reservations or qualifications with respect to the audit. This may state that the controls or procedures examined were found to be adequate or inadequate. The balance of the audit report should support that conclusion and the overall evidence gathered during the audit should provide an even greater level of support. Detailed audit findings and recommendations and the decision to include or not include findings in an audit report. These should be based on the materiality of the findings and the intended recipient of the audit report. An audit report directed to the audit committee of the board of directors, for example, may not include findings that are important to local management but have little control significance to the overall organization. The decision of what to include in various levels of audit reports depends upon the guidance provided by upper management. • A variety of findings , some of which may be quite material while others are minor in nature • Limitations to audit • Statement on the IS audit guidelines followed The ISACA IS Auditing Guideline, Report Content and Form, specifies that the report should include all significant audit findings. When a finding requires explanation, the IS auditor should describe the finding, its cause and its risk. When appropriate, the IS auditor should provide the explanation in a separate document and make reference to it in the report. Refer to page s 51-52 of the 200 6 CISA Review Manual for further details.
• #86: The IS auditor is expected to understand that auditing is an ongoing process. The IS auditor is not effective if audits are performed and reports issued but not followed up on to determine if management has taken appropriate corrective actions. IS auditors should have a follow-up program to determine if agreed corrective actions have been implemented. The timing of follow-up will depend upon the criticality of the findings and would be subject to the IS auditor’s judgment. The results of the follow-up should be communicated to appropriate levels of management. The level of the IS auditor’s follow-up review will depend upon several factors. In some instances, the IS auditor may merely need to inquire as to the current status. In other instances, the IS auditor may have to perform certain audit steps to determine if the corrective actions agreed to by management have been implemented.
• #87: Audit Documentation IS audit documentation includes the audit plan, a description or diagram of the information systems environment, audit programs, minutes of meetings, audit evidence, findings, conclusions and recommendations, any report issued as a result of the audit work, and supervisory review comments if any. The audit documentations should be maintained in safe custody and be available for a period that satisfies legal, professional and organizational requirements. However, the exact contents of documentation depend on each audit entity, its scope and objectives. ISACA has published guideline 060.020.010, Audit Documentation. Audit documentation should support the finding and conclusions/opinion . Time of evidence sometimes will be very crucial to supporting audit findings and conclusions. The IS auditor should take enough care to ensure that the evidence gathered and documented will be able to support audit findings and conclusions. An IS auditor should be able to prepare adequate working papers, narratives, questionnaires and understandable system flowcharts.
• #88: Documentation should include, at a minimum, a record of the: • Planning and preparation of the audit scope and objectives • Description and/or walkthroughs on the scoped audit area • Audit program • Audit steps performed and audit evidence gathered • Use of services of other auditors and experts • Audit findings, conclusions and recommendations It is also recommended that documentation include: • A copy of the report issued as a result of the audit work • Evidence of supervisory review Documents should include audit information that is required by laws and regulations, contractual stipulations, and professional standards. Audit documentation is necessary evidence supporting the conclusions reached and, hence, should be clear, complete, easily retrievable and sufficiently comprehensible. Audit documentation is generally the property of the auditing entity and should be accessible only to authorized personnel under specific or general permission. Where access to audit documentation is requested by external parties, the auditor should obtain appropriate prior approval of senior management/client. The IS auditor/IS audit department should also develop policies regarding custody, retention requirements and release of audit documentation.
• #89: Constraints on the Conduct of the Audit Although an audit organization may be staffed with people who have an appropriate mix of required skills, constraints may limit the availability of this staff . These constraints may range from holidays to time off for professional conferences to conflicts with other audit projects. For example, IS auditors may be asked to support the external auditors with computerassisted procedures at year-end. Thus, these IS auditors may not be available during this period for other audit projects. Auditee constraints may include: • Recent employee turnover or unavailability • Infringement on deadline dates or cyclical processing dates • Overall lack of knowledge or documentation To understand these constraints on the conduct of an audit, the IS auditor should have a good understanding of overall project management techniques. Often, these constraints can be minimized or avoided by adequate planning. Project Management Techniques Project management techniques for managing and administering audit projects, whether automated or manual, include the following basic steps: • Develop a detailed plan —The plan should spread the necessary audit steps across a time line. Realistic estimates should be made of the time requirements for each task with proper consideration given to the availability of the auditee. • Report project activity against the plan —There should be some type of reporting system in place such that IS auditors can report their actual progress against planned audit steps. • Adjust the plan and take corrective action —Actual accomplishments should be measured against the established plan on a continuous basis. Changes should be made in IS auditor assignments or in planned schedules, as required.
• #90: 1. C Inherent risks exist independently of an audit and can occur because of the nature of the business. To successfully conduct an audit, it is important to be aware of the related business processes. To perform the audit, the IS auditor needs to understand the business process and, by understanding the business process, the IS auditor better understands the inherent risks.
• #91: 2. C The risk of an error existing that could be material or significant when combined with other errors encountered during the audit, there being no related compensating controls, is the inherent risk. Control risk is the risk that a material error exists that will not be prevented or detected in a timely manner by the system of internal controls. Detection risk is the risk of an IS auditor using an inadequate test procedure that concludes that material errors do not exist, when they do. Sampling risk is the risk that incorrect assumptions are made about the characteristics of a population from which a sample is taken.
• #92: 3. A A risk-based audit approach focuses on the understanding of the nature of the business and being able to identify and categorize risk. Business risks impact the long-term viability of a specific business. Thus, an IS auditor using a risk-based audit approach must be able to understand business processes.
• #93: 4. A The test entries in ITF can affect the live data, as testing in ITF involves the processing of test data on live programs. Choices B, C and D, although issues associated with ITF, are not as important as the primary requirement to separate test data from production data.
• #94: 5. B Continuous and intermittent simulation (CIS) is a moderately complex set of programs that, during a process run of a transaction, simulates the instruction execution of its application. As each transaction is entered, the simulator decides whether the transaction meets certain predetermined criteria and, if so, audits the transaction. If not, the simulator waits until it encounters the next transaction that meets the criteria. Audits hooks, which are of low complexity, focus on specific conditions instead of detailed criteria in identifying transactions for review. ITF is incorrect because its focus is on test vs. live data. SCARF/EAM focuses on controls vs. data.
• #95: 6. C Understanding the business process and environment applicable to the review is most representative of what occurs early on in the course of an audit. The other choices relate to activities actually occurring within this process.
• #96: 7. A Test data use a set of hypothetical transactions to verify the program logic and internal control in a short time and for an auditor with minimal IT background. In a parallel simulation, the results produced for an actual program are compared with the results from a program written for the IS auditor; this technique can be time-consuming and requires IT expertise. An integrated test facility enables test data to be continually evaluated when transactions are processed online; this technique is time-consuming and requires IT expertise. An embedded audit module is a programmed module that is inserted into an application program to test controls; this technique is time-consuming and requires IT expertise.
• #97: 8. C Generalized audit software facilitates the IS auditor to directly access and interrogate the data. The most important advantage of using GAS is that it helps in identifying data of interest to the IS auditor. GAS does not involve testing of application software directly. Hence, GAS helps in testing controls embedded in programs indirectly by testing data. GAS cannot identify unauthorized access to data if this information is not stored in the audit log file. However, this information may not always be available. Hence, this is not one of the primary reasons for using GAS. Vouching involves verification of documents. GAS could help in selecting transactions for vouching. Using GAS does not reduce transaction vouching.
• #98: 9. D The IS auditor is not expected to ignore control weaknesses just because they are outside the scope of a current review. Further, the conduct of a detailed systems software review may hamper the audit’s schedule and the IS auditor may not be technically competent to do such a review at this time. If there are control weaknesses that have been discovered by the IS auditor, they should be disclosed. By issuing a disclaimer, this responsibility would be waived. Hence, the appropriate option would be to review the systems software as relevant to the review and recommend a detailed systems software review for which additional resources may be recommended.
• #99: Control self-assessment (CSA) can be defined as a management technique that assures stakeholders, customers and other parties that the internal control system of the business is reliable. It also ensures that employees are aware of the risks to the business and they conduct periodic proactive reviews of controls. It is a methodology used to review key business objectives, risks involved in achieving the business objectives and internal controls designed to manage these business risks in a formal, documented collaborative process. In practice , CSA is a series of tools on a continuum of sophistication ranging from simple questionnaires to facilitated workshops, designed to gather information about the organization by asking those with a day-to-day working knowledge of an area as well as their managers. The basic tools used during a CSA project are the same whether the project is technical, financial or operational. These tools include management meetings, client workshops, worksheets, rating sheets and the CSA project approach. Like the continuum of tools used to gather information, there are diverse approaches to the levels below management that are queried; some organizations even include outsiders (such as clients or trading partners) when making CSA assessments.
• #100: The CSA program can be implemented by various methods. For small business units within organizations, it can be implemented by facilitated workshops where functional management and control professionals such as auditors can come together and deliberate how best to evolve a control structure for the business unit. In the organizations with offices located at various locations, it may not be practical to organize facilitated workshops. In this case, hybrid approach is needed. A questionnaire based on the control structure can be used. Operational managers can periodically complete the questionnaire, which can be then analyzed and evaluated for effectiveness of the controls. However, a hybrid approach will be effective only if the analysis and readjustment of the questionnaire is performed using a life-cycle approach, as shown in exhibit 1.5 .
• #101: Some of the benefits of a CSA include the following: • Early detection of risks • More effective and improved internal controls • Creation of cohesive teams through employee involvement • Increased employee awareness of organizational objectives and knowledge of risk and internal controls • Increased communication between operational and top management • Highly motivated employees
• #102: Improved audit rating process • Reduction in control cost • Assurance provided to stakeholders and customers • Necessary assurance given to top management about the adequacy of internal controls, as required by the various regulatory agencies and laws such as the US Sarbanes-Oxley Act
• #103: CSA does potentially contain several disadvantages, which include: • It could be mistaken as an audit function replacement. • It may be regarded as an additional workload (e.g., one more report to be submitted to management). • Failure to act on improvement suggestions could damage employee morale. • Lack of motivation may limit effectiveness in the detection of weak controls.
• #104: There are several objectives associated with adopting a CSA program. The primary objective is to leverage the internal audit function by shifting some of the control monitoring responsibilities to the functional areas. It is not intended to replace audit’s responsibilities, but to enhance them. Clients, such as line managers, are responsible for controls in their environment; they also should be responsible for monitoring them. CSA programs also must educate management about control design and monitoring, particularly concentration on areas of high risk. These programs are not just policies requiring clients to comply with control standards. Instead, they offer a variety of support ranging from written suggestions outlining acceptable control environments to in-depth workshops. When workshops are included in the program, an additional objective, the empowerment of workers to assess or even design the control environment, may be included in the program. Refer to page 55 of the 2006 CISA Review Manual for more detail.
• #105: The auditor’s role in CSAs should be considered enhanced when audit departments establish a CSA program. When these programs are established, auditors become internal control professionals and assessment facilitators. Their value in this role is evident when management takes responsibility and ownership for internal control systems under their authority through process improvements in their control structures, including an active monitoring component. For an auditor to be effective in this facilitative and innovative role, the auditor must understand the business process being assessed. This can be attained via traditional audit tools, such as a preliminary survey or walk-through. Also, the auditors must remember that they are the facilitators and the management client is the participant in the CSA process. For example, during a CSA workshop, instead of the auditor performing detailed audit procedures, the auditor will lead and guide the clients in assessing their environment by providing insight about the objectives of controls based on risk assessment. The managers, with a focus on improving the productivity of the process, might suggest replacement of preventive controls. In this case, the auditor is better placed to explain the risks associated with such changes.
• #106: The development of techniques for empowerment, information gathering and decision making is a necessary part of a CSA program implementation. Some of the technology drivers include the combination of hardware and software to support CSA selection and the use of an electronic meeting system and computer-supported decision aids to facilitate group decision making. Group decision making is an essential component of a workshop-based CSA where employee empowerment is a goal. In case of a questionnaire approach, the same principle applies for the analysis and readjustment of the questionnaire.
• #107: The traditional approach can be summarized as any approach in which the primary responsibility for analyzing and reporting on internal control and risk is assigned to auditors and, to a lesser extent, controller departments and outside consultants. This approach has created and reinforced the notion that auditors and consultants, not management and work teams, are responsible for assessing and reporting on internal control. The CSA approach, on the other hand, emphasizes management and accountability over developing and monitoring internal controls of an organization’s sensitive and critical business processes. A summary of attributes or focus that distinguishes each from the other is described in exhibit 1.6.
• #108: 10. B Facilitated workshops work well within business units. Process flow narratives and data flow diagrams would not be as effective, since they would not necessarily identify and assess all control issues. Informal peer reviews similarly would be less effective for the same reason.
• #109: Increasingly, audit teams are creating their audit work papers ( risk analysis, audit programs, results, test evidences, conclusions, reports and other complementary information such as business information) in automated format, using specialized applications designed for this purpose. Although auditors often use office automation packages such as text/word processors or spreadsheets, standard audit workpaper packages are being implemented in more and more medium to large audit departments and are proving to be useful and appropriate to help facilitate audit work.
• #110: In such cases, rules regarding integrity, confidentiality and availability of audit records should be applied that are equivalent to those required for hard copy or printed documents. Minimum controls that should be addressed include: • Access to work papers (profiles and access rights, i.e., no one should be authorized to change or delete audit records when an audit work has been completed and report issued, after audit management approval) • Audit trails (i.e., when a document has been changed, who has performed the modification, automated update of a document version, when it is changed). • Automated features to provide and record approvals (e.g., by audit director, managers, etc.) of audit phases (audit program, conclusions, reports) • Security and integrity controls regarding the operating system, databases and communication channels (server under audit control, corporate network, exporting documents, exclusive server, etc.) • Backup and restore procedures • Encryption techniques to provide confidentiality
• #111: Integrated auditing can be defined as the process whereby appropriate audit disciplines are combined to assess key internal controls over an operation, process or entity. The integrated approach focuses on risk. For an internal audit function, this will focus on risk to the entity. For an external auditor, the focus will be on the risk of providing an incorrect or misleading audit opinion. A risk analysis assessment aims to understand and identify risks arising from the entity and its environment, including relevant internal controls. At this stage, the role of IT audit is typically to understand and identify risks under topical areas such as information management, IT infrastructure, IT governance and IT operations. Other audit specialists will seek to understand the organizational environment, business risks and business controls. A key element of the integrated approach is discussion of the risks arising among the whole audit team, with consideration of impact and likelihood. Detailed audit work then focuses on the relevant controls in place to manage these risks. IT systems frequently provide a first line of preventive and detective controls, and the integrated audit approach depends on a sound assessment of their efficiency and effectiveness. Refer to Exhibit 1.7 on page 5 8 of the 200 6 CISA Review Manual for an approach of integrated auditing .
• #112: The integrated audit process typically involves: • Identification of relevant key controls • Review and understanding of the design of key controls • Testing that key controls are supported by the IT system • Testing that management controls operate effectively • A combined report or opinion on control risks, design and weaknesses The integrated audit demands a focus on business risk and a drive for creative control solutions. It is a team effort of auditors with different skill sets. Using this approach permits a single audit of an auditable entity with one comprehensive report. An additional benefit is that this approach assists in staff development and retention by providing greater variety and the ability to see how all of the elements (both functional and IT) mesh together to form the complete picture.
• #113: Continuous auditing —“A methodology that enables independent auditors to provide written assurance on a subject matter using a series of auditors’ reports issued simultaneously with, or a short period of time after, the occurrence of events underlying the subject matter” (from CICA/AICPA research report). C ontinuous IS (and non-IS) auditing is typically done using automated audit procedures.
• #114: The focus on increased effectiveness and efficiency of assurance, internal auditing and control has spurred the development of new studies and examination of new ideas concerning continuous auditing, as opposed to more traditional periodic auditing reviews. Several research studies and documents addressing the subject carry different definitions of continuous auditing. All of them, however, recognize that a distinctive character of continuous auditing is the short time lapse between the facts to be audited and the collection of evidence and audit reporting. Traditional financial reports and the traditional audit style sometimes prove to be not enough because they lack the essential element in today’s business environment—updated information. Therefore, continuous auditing appears to be gaining more and more followers. Some of the drivers of continuous auditing are a better monitoring of financial issues within a company, ensuring that realtime transactions also benefit from real-time monitoring, prevention of financial fiascoes and audit scandals, such as Enron and WorldCom, and the use of software to determine that financial controls are proper. Continuous auditing involves a large amount of work because the company practicing continuous auditing will not provide one report at the end of a quarter, but will provide financial reports on a more frequent basis. Continuous auditing is not a recent development. Traditional application systems may contain embedded audit modules. These would allow an auditor to trap predefined types of events, or to directly inspect abnormal or suspect conditions and transactions.
• #115: To properly understand the implications and requirements of continuous auditing, a clear distinction has to be made between continuous auditing and continuous monitoring: • Continuous monitoring —Provided by IS management tools, it is typically based on automated procedures, in order to meet fiduciary responsibilities. For instance, real-time antivirus or intrusion detection systems (IDSs) may operate in a continuous monitoring fashion. • Continuous auditing —“A methodology that enables independent auditors to provide written assurance on a subject matter using a series of auditors’ reports issued simultaneously with, or a short period of time after, the occurrence of events underlying the subject matter” (from CICA/AICPA research report). Also continuous IS (and non-IS) auditing is typically done using automated audit procedures. Continuous auditing should be independent of continuous control or monitoring activities. When both continuous monitoring and auditing take place, continuous assurance can be established.
• #116: Efforts on the subject of continuous auditing often incorporate new information technology developments, increased processing capabilities of current hardware and software, standards and artificial intelligence tools . Continuous auditing attempts to facilitate the collection and analysis of data at the very moment of the action. Data must be gathered from different applications that are working within different environments, transactions must be screened, the transaction environment has to be analyzed to detect trends and exceptions, and a typical patterns must be exposed (i.e.: a transaction with significantly higher or lower value than typical for a given business partner). If all of this must happen in real time, perhaps even before final sign-off of a transaction, it is mandatory to adopt and combine various top-level IT techniques. The IT environment is a natural enabler for the application of continuous auditing , because of the intrinsic automated nature of its underlying processes.
• #117: IT techniques that are used to operate in a continuous auditing environment must work at all data levels—single input; transaction and databases—and include: • Transaction logging • Query tools • Statistics and data analysis (CAAT) • Database management systems (DBMS) • Data warehouses, data marts, data mining. • Artificial intelligence (AI) • Embedded audit modules (EAM) • Neural network technology • Standards such as Extensible Business Reporting Language (XBRL)
• #118: Prerequisites/preconditions for continuous auditing to succeed include: • A high degree of automation • An automated and highly reliable process in producing information about subject matter soon after the occurrence of events underlying the subject matter • Alarm triggers to report timely control failures • Implementation of highly automated audit tools that require the IS auditor to be involved in setting up the parameters • Quickly infor m ing IS auditors of the results of automated procedures, particularly when the process has identified anomalies or errors • The quick and timely issuance of automated audit reports • Technically proficient IS auditors • Availability of reliable sources of evidence • Adherence to materiality guidelines • Change of mind-set required for IS auditors to embrace continuous reporting • Evaluation of cost factors
• #119: Continuous auditing has an intrinsic edge over point-in-time or periodic auditing, because it captures internal control problems as they occur , preventing negative effects. Implementation can also reduce possible or intrinsic audit inefficiencies , such as delays, planning time, inefficiencies of the audit process itself, overheads due to work segmentation, multiple quality or supervisory reviews, or discussions concerning the validity of findings. Full top management support, dedication, and extensive experience and technical knowledge is necessary to do all this, while minimizing the impact on the underlying audited business processes. The auditing layers and rules may also need continual adjustment and updating. Besides difficulty and cost, continuous auditing has an inherent disadvantage in that internal control experts and auditors might be resistant to trust an automated tool in lieu of their personal judgment and evaluation . The implementation of continuous auditing involves many factors; however, the task is not impossible. There is an increasing desire to provide auditing over information in a real-time environment (or as close real-time as possible). Refer to page s 5 8 - 60 of the 200 6 CISA Review Manual for further detail.
• #120: The IS auditor has been asked to perform preliminary work that will assess the readiness of the organization for a review to measure compliance with new regulatory requirements. These requirements are designed to ensure that management is taking an active role in setting up and maintaining a well-controlled environment and, accordingly, will assess management’s review and testing of the general IT control environment. Areas to be assessed include logical and physical security, change management, production control and network management, IT governance, and end-user computing. The IS auditor has been given six months to perform this preliminary work, so sufficient time should be available. It should be noted that in previous years, repeated problems have been identified in the areas of logical security and change management, so these areas will most likely require some degree of remediation. Logical security deficiencies noted included the sharing of administrator accounts and failure to enforce adequate controls over passwords. Change management deficiencies included improper segregation of incompatible duties and failure to document all changes. Additionally, the process for deploying operating system updates to servers was found to be only partially effective. In anticipation of the work to be performed by the IS auditor, the chief information officer (CIO) requested direct reports to develop narratives and process flows describing the major activities for which IT is responsible. These were completed, approved by the various process owners and the CIO, and then forwarded to the IS auditor for examination.
• #121: A An IT risk assessment should be performed first to ascertain which areas present the greatest risks and what controls mitigate those risks. Although narratives and process flows have been created, the organization has not yet assessed which controls are critical. All other choices would be undertaken after performing the IT risk assessment.
• #122: B When testing a control, it is advisable to trace from the item being controlled to the relevant control documentation. When a sample is instead chosen from a set of control documents, there is no way to assure that every change was accompanied by appropriate control documentation. Accordingly, changes to production code provide the most appropriate basis for selecting a sample. These sampled changes should then be traced to appropriate authorizing documentation. In contrast, selecting from the population of change management documents will not reveal any changes that bypassed the normal approval and documentation process. Similarly, comparing production code changes to system-produced logs will not provide evidence of proper approval of changes prior to their being migrated to production.