Domain 1: The IS Audit Process
Jimmy Ardiansyah
Arkansas – September 9, 2005
Knowledge Domain
5 Tasks: tasks related to IS audit to be carried out by an IS auditor.
10 Knowledge Statements: the process requirements an IS auditor needs to know in order to carry out an IS audit.
The Five Tasks
1. Develop and implement a risk-based IS audit strategy for the organization in compliance with IS audit standards, guidelines and best practices.
2. Plan specific audits to ensure that IT and business systems are protected and controlled.
3. Conduct audits in accordance with IS audit standards, guidelines and best practices to meet planned audit objectives.
4. Communicate emerging issues, potential risks and audit results to key stakeholders.
5. Advise on the implementation of risk management and control practices within the organization while maintaining independence.
Ten Knowledge Statements
1. Knowledge of ISACA IS Auditing Standards, Guidelines and Procedures and Code of Professional Ethics
2. Knowledge of IS auditing practices and techniques
3. Knowledge of techniques to gather information and preserve evidence
4. Knowledge of the evidence life cycle
5. Knowledge of control objectives and controls related to IS
6. Knowledge of risk assessment in an audit context
7. Knowledge of audit planning and management techniques
8. Knowledge of reporting and communication techniques
9. Knowledge of control self-assessment (CSA)
10. Knowledge of continuous audit techniques
Task No. 1
Develop and implement a risk-based IS audit strategy for the organization in compliance with IS audit standards, guidelines and best practices.
Risk Based Audit Approach
Align audit tests and findings with the business risks.
Audit approach should enable identification of risks.
Focus on critical/high-risk areas, not on the entire organization.
Focus on risks rather than volume.
Audit planning and frequency are based on the risk profile.
Reporting focuses on process improvement and risk management.
Efficient commitment of audit resources.
Compliance with Standards, Guidelines & Procedures
Risk assessment helps in selecting auditable units and including in the annual IS audit plan those that have the greatest risk exposure.
Risk assessment exercises should be carried out and documented at least on an annual basis.
Risk assessment allows the IS auditor to quantify and justify the amount of IS audit resources needed.
3 Types of Risks:
Inherent risk
Control risk
Detection risk
How should the IS auditor consider these risks during the course of an IS audit?
Inherent Risk
Inherent risk is the susceptibility of an audit area to an error which could be material, assuming that there are no related internal controls. In assessing the inherent risk, the IS auditor should consider both pervasive and detailed IS controls.
Control Risk
Control risk is the risk that an error which could occur in an audit area, and which could be material, will not be prevented or detected and corrected on a timely basis by the internal control system.
The IS auditor should assess the control risk as high unless relevant internal controls are:
Identified
Evaluated as effective
Tested and proved to be operating appropriately
Detection Risk
Detection risk is the risk that the IS auditor's substantive procedures will not detect an error which could be material.
In determining the level of substantive testing required, the IS auditor should consider both:
The assessment of inherent risk
The conclusion reached on control risk following compliance testing
The higher the assessment of inherent and control risk, the more audit evidence the IS auditor should normally obtain from the performance of substantive audit procedures.
Task No. 2
Plan specific audits to ensure that IT and business systems are protected and controlled.
Plan Specific Audits
The IS auditor should plan the information systems audit coverage.
The IS auditor should develop and document an audit plan.
The IS auditor should develop an audit program.
Components of Planning Process
Business requirements
Knowledge requirements
Materiality
Risk assessment
Internal control evaluation
Documentation
Materiality
The IS auditor should ordinarily establish levels of planning materiality such that the audit work will be sufficient to meet the audit objectives and will use audit resources efficiently.
Risk Assessment
Risk assessment provides reasonable assurance that all material items will be adequately covered during the audit work. It should identify areas with a relatively high risk that material problems exist.
Internal Control Evaluation
Internal control evaluation provides a basis for reliance upon the information being gathered as part of the auditing project. What do you evaluate:
Existence of controls (compliance testing)
Effectiveness of controls (substantive testing)
Effect of irregular or illegal acts
The Effect of Lack of Controls
Loss of information confidentiality and privacy
Systems not being available for use when needed
Unauthorized access and changes to systems, applications or data
Loss of data integrity, loss of data protection or systems unavailability
Examples of IS Controls
Implementation of software packages
System security parameters
Disaster recovery planning
Data input validation
Exception report production
Locking of user accounts after invalid attempts to access them
Effect of Pervasive Controls
Strong pervasive IS controls can contribute to the assurance which may be obtained by an IS auditor in relation to detailed IS controls.
Weak pervasive IS controls may undermine strong detailed IS controls or exacerbate weaknesses at the detailed level.
Task No. 3
Conduct audits in accordance with IS audit standards, guidelines and best practices to meet planned audit objectives.
Performance of Audit Work
Supervision
Evidence
Documentation
Supervision
IS audit staff should be supervised to provide reasonable assurance that audit objectives are accomplished and applicable professional auditing standards are met.
Evidence
During the course of the audit, the IS auditor should obtain sufficient, reliable and relevant evidence to achieve the audit objectives. The audit findings and conclusions are to be supported by appropriate analysis and interpretation of this evidence.
Documentation
The audit process should be documented, describing the audit work performed and the audit evidence that supports the IS auditor's findings and conclusions.
Task No. 4
Communicate emerging issues, potential risks and audit results to key stakeholders.
Communicating
The IS auditor should provide a report, in an appropriate form, upon completion of the audit. The report should identify the organization, the intended recipients and any restrictions on circulation.
The audit report should state the scope, objectives, period of coverage and the nature, timing and extent of the audit work performed.
Reporting and Presentation Criteria
Measurable—Provide for consistent measurement
Objective—Free from bias
Complete—Include all relevant factors to reach a conclusion
Relevant—Relate to the subject matter
Types of Services
An IS auditor may perform any of the following:
Audit (direct or attest)
Review (direct or attest)
Agreed-upon procedures
Audit Opinion
The IS auditor's opinion is restricted because of the nature of internal controls and the inherent limitations of any set of internal controls and their operation. These limitations include:
Management's usual requirement that the cost of an internal control does not exceed the expected benefits to be derived
Most internal controls tend to be directed at routine rather than non-routine transactions/events
The possibility that management may not be subject to the same internal controls applicable to other personnel
The possibility that internal controls may become inadequate due to changes in conditions, and that compliance with procedures may deteriorate
Task No. 5
Advise on the implementation of risk management and control practices within the organization while maintaining independence.
Other Knowledge Requirements
Knowledge of control self-assessment (CSA)
Knowledge of continuous audit techniques