audit process.ppt

IT Audit

  • The Information Systems (IS) Audit Process

    Chapter 1 -- Page

  • Process Area Tasks

    Five tasks:
      1.1 Develop and implement a risk-based IS audit strategy for the organization in compliance with IS audit standards, guidelines and best practices.
      1.2 Plan specific audits to ensure that IT and business systems are protected and controlled.
      1.3 Conduct audits in accordance with IS audit standards, guidelines and best practices to meet planned audit objectives.
      1.4 Communicate emerging issues, potential risks and audit results to key stakeholders.
      1.5 Advise on the implementation of risk management and control practices within the organization while maintaining independence.

  • Process Area Knowledge Statements

    Ten knowledge statements:
      1.1 Knowledge of IS Auditing Standards, Guidelines and Procedures and Code of Professional Ethics
      1.2 Knowledge of IS auditing practices and techniques
      1.3 Knowledge of techniques to gather information and preserve evidence
      1.4 Knowledge of the evidence life cycle
      1.5 Knowledge of control objectives and controls related to IS

  • Process Area Knowledge Statements (Cont'd)

    Ten knowledge statements (cont'd):
      1.6 Knowledge of risk assessment in an audit context
      1.7 Knowledge of audit planning and management techniques
      1.8 Knowledge of reporting and communication techniques
      1.9 Knowledge of control self-assessment (CSA)
      1.10 Knowledge of continuous audit techniques

  • Organization of IS Audit Function

    Audit charter (or engagement letter):
      States management's responsibility and objectives for, and delegation of authority to, the IS audit function
      Outlines the overall authority, scope and responsibilities of the audit function
    Approval of the audit charter
    Change in the audit charter

  • IS Audit Resource Management

    Limited number of IS auditors
    Maintenance of their technical competence
    Assignment of audit staff

  • Audit Planning

    Audit planning:
      Short-term planning
      Long-term planning
    Things to consider:
      New control issues
      Changing technologies
      Changing business processes
      Enhanced evaluation techniques
    Individual audit planning:
      Understanding of the overall environment
      Business practices and functions
      Information systems and technology

  • Audit Planning Steps

    1. Gain an understanding of the business's mission, objectives, purpose and processes.
    2. Identify stated contents (policies, standards, guidelines, procedures and organization structure).
    3. Evaluate risk assessment and privacy impact analysis.
    4. Perform a risk analysis.
    5. Conduct an internal control review.
    6. Set the audit scope and audit objectives.
    7. Develop the audit approach or audit strategy.
    8. Assign personnel resources to the audit and address engagement logistics.

  • Effect of Laws and Regulations

    Regulatory requirements:
      Establishment
      Organization
      Responsibilities
      Correlation to financial, operational and IT audit functions

  • Effect of Laws and Regulations

    Steps to determine compliance with external requirements:
      1. Identify external requirements
      2. Document pertinent laws and regulations
      3. Assess whether management and the IS function have considered the relevant external requirements
      4. Review internal IS department documents that address adherence to applicable laws
      5. Determine adherence to established procedures

  • ISACA IS Auditing Standards and Guidelines

    Framework for the ISACA IS Auditing Standards:
      Standards
      Guidelines
      Procedures

  • ISACA IS Auditing Standards and Guidelines

    IS Auditing Standards:
      S1 Audit Charter
      S2 Independence
      S3 Professional Ethics and Standards
      S4 Professional Competence
      S5 Planning
      S6 Performance of Audit Work
      S7 Reporting
      S8 Follow-up Activities
      S9 Irregularities and Illegal Acts
      S10 IT Governance
      S11 Use of Risk Assessment in Audit Planning

  • ISACA IS Auditing Standards and Guidelines

    Irregularities and Illegal Acts (cont'd). The IS auditor should:
      Obtain written representations from management
      Have knowledge of any allegations of irregularities or illegal acts
      Communicate material irregularities/illegal acts
      Consider appropriate action in case of inability to continue performing the audit
      Document irregularity/illegal act related communications, planning, results, evaluations and conclusions

  • IT Risk Assessment Quadrants

  • ISACA IS Auditing Standards and Guidelines

    ISACA Auditing Procedures:
      Procedures developed by the ISACA Standards Board provide examples.
      The IS auditor should apply their own professional judgment to the specific circumstances.
      (Index of Procedures)

  • Internal Control

    Internal controls: policies, procedures, practices and organizational structures implemented to reduce risks.

  • Internal Control

    Components of an internal control system:
      Internal accounting controls
      Operational controls
      Administrative controls

  • Internal Control

    Internal control objectives:
      Safeguarding of information technology assets
      Compliance with corporate policies or legal requirements
      Authorization/input
      Accuracy and completeness of processing of transactions
      Output
      Reliability of process
      Backup/recovery
      Efficiency and economy of operations

  • Internal Control

    Classification of internal controls:
      Preventive controls
      Detective controls
      Corrective controls

  • Internal Control

    IS control objectives: control objectives in an information systems environment remain unchanged from those of a manual environment; however, the control features may be different. The internal control objectives therefore need to be addressed in a manner specific to IS-related processes.

  • Internal Control

    IS control objectives (cont'd):
      Safeguarding assets
      Assuring the integrity of general operating system environments
      Assuring the integrity of sensitive and critical application system environments through:
        Authorization of the input
        Accuracy and completeness of processing of transactions
        Reliability of overall information processing activities
        Accuracy, completeness and security of the output
        Database integrity

  • Internal Control

    IS control objectives (cont'd):
      Ensuring the efficiency and effectiveness of operations
      Complying with requirements, policies and procedures, and applicable laws
      Developing business continuity and disaster recovery plans
      Developing an incident response plan

  • Internal Control

    IS control objectives (cont'd): COBIT
      A framework with 34 high-level control objectives in four domains:
        Planning and organization
        Acquisition and implementation
        Delivery and support
        Monitoring and evaluation
      Draws on 36 major IT-related standards and regulations

  • Internal Control

    General control procedures apply to all areas of an organization and include policies and practices established by management to provide reasonable assurance that specific objectives will be achieved.

  • Internal Control

    General control procedures (cont'd):
      Internal accounting controls directed at accounting operations
      Operational controls concerned with the day-to-day operations
      Administrative controls concerned with operational efficiency and adherence to management policies
      Organizational logical security policies and procedures
      Overall policies for the design and use of documents and records
      Procedures and features to ensure authorized access to assets
      Physical security policies for all data centers

  • Internal Control

    IS control procedures:
      Strategy and direction
      General organization and management
      Access to data and programs
      Systems development methodologies and change control
      Data processing operations
      Systems programming and technical support functions
      Data processing quality assurance procedures
      Physical access controls
      Business continuity/disaster recovery planning
      Networks and communications
      Database administration

  • Performing an IS Audit

    Definition of auditing: a systematic process by which a competent, independent person objectively obtains and evaluates evidence regarding assertions about an economic entity or event, for the purpose of forming an opinion about, and reporting on, the degree to which the assertion conforms to an identified set of standards.

  • Performing an IS Audit

    Definition of IS auditing: any audit that encompasses review and evaluation (wholly or partly) of automated information processing systems, related non-automated processes and the interfaces between them.

  • Performing an IS Audit

    Classification of audits:
      Financial audits
      Operational audits
      Integrated audits
      Administrative audits
      Information systems audits
      Specialized audits
      Forensic audits

  • Performing an IS Audit

    Audit programs: based on the scope and the objective of the particular assignment.
    IS auditor's perspectives:
      Security (confidentiality, integrity and availability)
      Quality (effectiveness, efficiency)
      Fiduciary (compliance, reliability)
      Service and capacity

  • Performing an IS Audit

    General audit procedures:
      Understanding of the audit area/subject
      Risk assessment and general audit plan
      Detailed audit planning
      Preliminary review of the audit area/subject
      Evaluating the audit area/subject
      Compliance testing
      Substantive testing
      Reporting (communicating results)
      Follow-up

  • Performing an IS Audit

    Procedures for testing and evaluating IS controls:
      Use of generalized audit software to survey the contents of data files
      Use of specialized software to assess the contents of operating system parameter files
      Flow-charting techniques for documenting automated applications and business processes
      Use of audit reports available in operating systems
      Documentation review
      Observation

  • Performing an IS Audit

    Audit methodology: a set of documented audit procedures designed to achieve planned audit objectives.
      Composed of:
        Statement of scope
        Statement of audit objectives
        Statement of work programs
      Set up and approved by audit management
      Communicated to all audit staff

  • Performing an IS Audit

    Typical audit phases:
      1. Audit subject: identify the area to be audited
      2. Audit objective: identify the purpose of the audit
      3. Audit scope: identify the specific systems, function or unit of the organization

  • Performing an IS Audit

    Typical audit phases (cont'd):
      4. Pre-audit planning:
        Identify technical skills and resources needed
        Identify the sources of information for test or review
        Identify locations or facilities to be audited

  • Performing an IS Audit

    Typical audit phases (cont'd):
      5. Audit procedures and steps for data gathering:
        Identify and select the audit approach
        Identify a list of individuals to interview
        Identify and obtain departmental policies, standards and guidelines
        Develop audit tools and methodology

  • Performing an IS Audit

    Typical audit phases (cont'd):
      6. Procedures for evaluating test/review results
      7. Procedures for communication
      8. Audit report preparation:
        Identify follow-up review procedures
        Identify procedures to evaluate/test operational efficiency and effectiveness
        Identify procedures to test controls
        Review and evaluate the soundness of documents, policies and procedures

  • Performing an IS Audit

    Workpapers (WPs). What is documented in WPs?
      Audit plans
      Audit programs
      Audit activities
      Audit tests
      Audit findings and incidents

  • Performing an IS Audit

    Typical audit phases (summary):

    Identify:
      the area to be audited
      the purpose of the audit
      the specific systems, function or unit of the organization to be included in the review
      technical skills and resources needed
      the sources of information for tests or review, such as functional flow-charts, policies, standards, procedures and prior audit work papers
      locations or facilities to be audited
      and select the audit approach to verify and test the controls
      a list of individuals to interview
      and obtain departmental policies, standards and guidelines for review
    Develop:
      audit tools and methodology to test and verify controls
      procedures for evaluating the test or review results
      procedures for communication with management
    Identify:
      follow-up review procedures
      procedures to evaluate/test operational efficiency and effectiveness
      procedures to test controls
    Review and evaluate the soundness of documents, policies and procedures

  • Performing an IS Audit

    Workpapers (cont'd):
      Do not have to be on paper
      Must be:
        Dated
        Initialed
        Page-numbered
        Relevant
        Complete
        Clear
        Self-contained and properly labeled
        Filed and kept in custody

  • Performing an IS Audit

    Fraud detection:
      Management's responsibility
      Benefits of a well-designed internal control system:
        Deterring fraud in the first instance
        Detecting fraud in a timely manner
      Fraud detection and disclosure
      Auditor's role in fraud prevention and detection

  • Performing an IS Audit

    Audit risk is the risk that the information/financial report may contain a material error that goes undetected during the audit.

    A risk-based audit approach is used to assess risk and assist with an IS auditor's decision to perform either compliance or substantive testing.

  • Performing an IS Audit

    Audit risks:
      Inherent risk
      Control risk
      Detection risk
      Overall audit risk

  • Performing an IS Audit

    Risk-based approach overview:
      1. Gather information and plan
      2. Obtain understanding of internal control
      3. Perform compliance tests
      4. Perform substantive tests
      5. Conclude the audit

  • Performing an IS Audit

    Materiality: an auditing concept regarding the importance of an item of information with regard to its impact or effect on the functioning of the entity being audited.

  • Performing an IS Audit

    Risk assessment techniques:
      Enable management to effectively allocate limited audit resources
      Ensure that relevant information has been obtained
      Establish a basis for effectively managing the audit department
      Provide a summary of how the individual audit subject is related to the overall organization and to business plans

  • Performing an IS Audit

    Audit objectives: the specific goals of the audit
      Compliance with legal and regulatory requirements
      Confidentiality
      Integrity
      Reliability
      Availability

  • Performing an IS Audit

    Compliance vs. substantive testing:
      Compliance test: determines whether controls are in compliance with management policies and procedures
      Substantive test: tests the integrity of actual processing
      Correlation between the level of internal controls and the substantive testing required
      Relationship between compliance and substantive tests

  • Performing an IS Audit

    Evidence: it is a requirement that the auditor's conclusions be based on sufficient, competent evidence.
      Independence of the provider of the evidence
      Qualification of the individual providing the information or evidence
      Objectivity of the evidence
      Timing of the evidence

  • Performing an IS Audit

    Techniques for gathering evidence:
      Review IS organization structures
      Review IS policies and procedures
      Review IS standards
      Review IS documentation
      Interview appropriate personnel
      Observe processes and employee performance

  • Performing an IS Audit

    Interviewing and observing personnel:
      Actual functions
      Actual processes/procedures
      Security awareness
      Reporting relationships

  • Performing an IS Audit

    Sampling. General approaches to audit sampling:
      Statistical sampling
      Non-statistical sampling
    Methods of sampling used by auditors:
      Attribute sampling
      Variable sampling

  • Performing an IS Audit

    Sampling (cont'd):
      Attribute sampling:
        Stop-or-go sampling
        Discovery sampling
      Variable sampling:
        Stratified mean per unit
        Unstratified mean per unit
        Difference estimation

  • Performing an IS Audit

    Statistical sampling terms:
      Confidence coefficient
      Level of risk
      Precision
      Expected error rate
      Sample mean
      Sample standard deviation
      Tolerable error rate
      Population standard deviation

  • Performing an IS Audit

    Statistical sampling formulas (S = sample size, C = confidence coefficient, PRE = precision):

    Attribute sample:  S = (C² × P × Q) / PRE²      where P = expected error rate and Q = 1 - P
    Variable sample:   S = (C² × S²) / PRE²         where S on the right is the population standard deviation

  • Performing an IS Audit

    Key steps in choosing a sample:
      1. Determine the objectives of the test
      2. Define the population to be sampled
      3. Determine the sampling method, such as attribute versus variable sampling
      4. Calculate the sample size
      5. Select the sample
      6. Evaluate the sample from an audit perspective
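    The two sample-size formulas above and the six key steps, carried through in code. This is an added worked example, not material from the CISA deck: the population of terminated-user accounts is constructed, the attribute under test (was the account disabled within policy?) is an assumption, and the confidence coefficients are the standard-normal z-values for the 90/95/99 percent levels. The evaluation step computes the precision actually achieved from the observed error rate, C × sqrt(P × Q / S), so the auditor can tell whether the upper error limit stays inside the tolerable error rate before relying on the control.

```python
"""Audit sampling worked example (added illustration; not from the CISA slides).

Attribute sampling: S = C^2 * P * Q / PRE^2   (Q = 1 - P)
Variable sampling:  S = C^2 * sigma^2 / PRE^2
Population and the control attribute below are constructed/assumed.
"""
import math
import random

# Confidence coefficients (standard-normal z-values) for the usual confidence levels.
CONFIDENCE_COEFFICIENT = {0.90: 1.645, 0.95: 1.96, 0.99: 2.576}


def attribute_sample_size(confidence, expected_error_rate, precision):
    """Attribute sampling: S = C^2 * P * Q / PRE^2, rounded up to whole items."""
    c = CONFIDENCE_COEFFICIENT[confidence]
    p = expected_error_rate
    q = 1.0 - p
    return math.ceil(c * c * p * q / (precision * precision))


def variable_sample_size(confidence, population_std_dev, precision):
    """Variable sampling: S = C^2 * sigma^2 / PRE^2; precision is in population units."""
    c = CONFIDENCE_COEFFICIENT[confidence]
    return math.ceil(c * c * population_std_dev ** 2 / (precision * precision))


def build_population(size, true_deviation_rate, seed=1):
    """Constructed population (not real data): one record per terminated employee,
    with the attribute under test = 'account disabled within policy'."""
    rng = random.Random(seed)
    return [{"user": f"u{i:04d}", "disabled_on_time": rng.random() >= true_deviation_rate}
            for i in range(size)]


def select_sample(population, sample_size, seed=42):
    """Step 5: random selection without replacement so every record has an equal chance."""
    return random.Random(seed).sample(population, sample_size)


def evaluate_attribute_sample(sample, confidence, tolerable_error_rate):
    """Step 6: evaluate the sample. Achieved precision is C * sqrt(p*q/n) for the observed
    rate; rely on the control only if observed rate + achieved precision (the upper
    error limit) stays within the tolerable error rate."""
    n = len(sample)
    deviations = sum(1 for rec in sample if not rec["disabled_on_time"])
    rate = deviations / n
    achieved_precision = CONFIDENCE_COEFFICIENT[confidence] * math.sqrt(rate * (1 - rate) / n)
    upper_error_limit = rate + achieved_precision
    return {
        "sample_size": n,
        "deviations": deviations,
        "sample_error_rate": round(rate, 4),
        "upper_error_limit": round(upper_error_limit, 4),
        "rely_on_control": upper_error_limit <= tolerable_error_rate,
    }


def run_attribute_test(population, confidence=0.95, expected_error_rate=0.05,
                       precision=0.03, tolerable_error_rate=0.08):
    """Steps 1-6 end to end: objective and population are given, the method is
    attribute sampling, then size, selection and evaluation."""
    size = attribute_sample_size(confidence, expected_error_rate, precision)
    sample = select_sample(population, size)
    return evaluate_attribute_sample(sample, confidence, tolerable_error_rate)


if __name__ == "__main__":
    print("attribute sample size:", attribute_sample_size(0.95, 0.05, 0.03))   # 203
    print("variable sample size:", variable_sample_size(0.95, 250.0, 50.0))    # 97
    print(run_attribute_test(build_population(2000, true_deviation_rate=0.04)))
```

    With a 95 percent confidence level, a 5 percent expected error rate and 3 percent precision the attribute formula gives 203 items; the variable formula with a population standard deviation of 250 and a precision of 50 gives 97. The seed arguments only make the run repeatable; a real selection would come from a documented random-number source so the work papers can show how the sample was drawn.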

  • Performing an IS Audit

    Computer-assisted audit techniques (CAATs) enable IS auditors to gather information independently. CAATs include:
      Generalized audit software (GAS)
      Utility software
      Test data
      Application software for continuous online audits
      Audit expert systems
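    A generalized-audit-software style script that runs a compliance test and a substantive test over the same subject, illustrating both the "Compliance vs. substantive testing" slide and the CAATs slide. This is an added example, not from the CISA deck: the change tickets and the production inventory are constructed, and the control being tested is an assumption (every production change must be approved, before deployment, by someone other than the requester). The compliance test looks only at the control's own records; the substantive test reconciles what is actually running against those records; the last function encodes the correlation the slide mentions, expanding substantive testing when the control cannot be relied on.

```python
"""Compliance test vs substantive test over change-management records.

Added example (not from the CISA deck). Tickets, inventory and the control
being tested are constructed/assumed.
"""
from datetime import datetime

# Constructed change tickets: the control's own records.
CHANGE_TICKETS = [
    {"id": "CHG-1001", "system": "payroll-api", "version": "2.4.1",
     "requester": "alice", "approver": "bob",
     "approved_at": "2024-03-01T09:00", "deployed_at": "2024-03-01T14:00"},
    {"id": "CHG-1002", "system": "ledger-svc", "version": "1.8.0",
     "requester": "dave", "approver": "dave",                      # approved own change
     "approved_at": "2024-03-02T10:00", "deployed_at": "2024-03-02T11:00"},
    {"id": "CHG-1003", "system": "hr-portal", "version": "5.1.3",
     "requester": "erin", "approver": "frank",                      # approved after deploy
     "approved_at": "2024-03-03T16:00", "deployed_at": "2024-03-03T09:00"},
    {"id": "CHG-1004", "system": "vpn-gw", "version": "3.0.0",
     "requester": "grace", "approver": None,                        # never approved
     "approved_at": None, "deployed_at": "2024-03-04T08:30"},
]

# Constructed inventory of what is actually running in production.
DEPLOYED_INVENTORY = [
    {"system": "payroll-api", "version": "2.4.1"},
    {"system": "ledger-svc", "version": "1.9.0"},    # no ticket exists for this version
    {"system": "hr-portal", "version": "5.1.3"},
    {"system": "vpn-gw", "version": "3.0.0"},
]


def compliance_test(tickets):
    """Does the control operate as management prescribes? Examines each record of
    the control itself; returns (ticket id, reason) for every deviation."""
    exceptions = []
    for t in tickets:
        if t["approver"] is None or t["approved_at"] is None:
            exceptions.append((t["id"], "no approval recorded"))
            continue
        if t["approver"] == t["requester"]:
            exceptions.append((t["id"], "requester approved own change"))
        if datetime.fromisoformat(t["approved_at"]) > datetime.fromisoformat(t["deployed_at"]):
            exceptions.append((t["id"], "deployed before approval"))
    return exceptions


def substantive_test(tickets, inventory):
    """Is the actual state correct? Reconciles production against the change records
    and flags every deployed version that no ticket accounts for."""
    ticketed = {(t["system"], t["version"]) for t in tickets}
    return [(d["system"], d["version"], "deployed version has no change record")
            for d in inventory if (d["system"], d["version"]) not in ticketed]


def substantive_scope(compliance_exceptions, population_size, tolerable_deviation_rate=0.05):
    """Correlation between control strength and substantive work: a deviation rate
    above the tolerable rate means the control cannot be relied on, so substantive
    testing covers the full population instead of a sample."""
    failed = {ticket_id for ticket_id, _ in compliance_exceptions}
    return "full" if len(failed) / population_size > tolerable_deviation_rate else "sample"


if __name__ == "__main__":
    ce = compliance_test(CHANGE_TICKETS)
    print("compliance exceptions:", ce)
    print("substantive exceptions:", substantive_test(CHANGE_TICKETS, DEPLOYED_INVENTORY))
    print("substantive scope:", substantive_scope(ce, len(CHANGE_TICKETS)))
```

    On the constructed data three of four tickets fail the compliance test, so the control is not relied on and the substantive reconciliation is run over the whole inventory, where it surfaces a ledger-svc build that no change record explains. Note that hr-portal 5.1.3 passes the substantive check even though its ticket fails compliance: the two tests answer different questions, which is why an audit program normally needs both.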

  • Performing an IS Audit

    Computer-assisted audit techniques (cont'd). Need for CAATs:
      Evidence collection
      Functional capabilities
      Functions supported
      Areas of concern

  • Performing an IS Audit

    Computer-assisted audit techniques (cont'd):
      Examples of CAATs used to collect evidence
      CAATs as a continuous online approach

  • Performing an IS Audit

    Computer-assisted audit techniques (cont'd):
      Advantages of CAATs
      Cost/benefits of CAATs

  • Performing an IS Audit

    Computer-assisted audit techniques (cont'd). Development of CAATs:
      Documentation retention
      Access to production data
      Data manipulation

  • Performing an IS Audit

    Evaluation of strengths and weaknesses:
      Assess evidence
      Evaluate the overall control structure
      Evaluate control procedures
      Assess control strengths and weaknesses

  • Performing an IS Audit

    Judging materiality of findings:
      Materiality is a key issue
      Assessment requires judgment of the potential effect of the finding if corrective action is not taken

  • Performing an IS Audit

    Communicating audit results:
      Exit interview:
        Correct facts
        Realistic recommendations
        Implementation dates for agreed recommendations
      Presentation techniques:
        Executive summary
        Visual presentation

  • Performing an IS Audit

    Audit report structure and contents:
      An introduction to the report
      The IS auditor's overall conclusion and opinion
      The IS auditor's reservations with respect to the audit
      Detailed audit findings and recommendations
      A variety of findings
      Limitations to the audit
      Statement on the IS audit guidelines followed

  • Performing an IS Audit

    Management actions to implement recommendations:
      Auditing is an ongoing process
      Timing of follow-up

  • Performing an IS Audit

    Audit documentation:
      Contents of audit documentation
      Custody of audit documentation
      Support of findings and conclusions

  • Performing an IS Audit

    Constraints on the conduct of the audit:
      Availability of audit staff
      Auditee constraints
    Project management techniques:
      Develop a detailed plan
      Report project activity against the plan
      Adjust the plan
      Take corrective action

  • Control Self-Assessment

    Control self-assessment (CSA) is:
      A management technique
      A methodology
      In practice, a series of tools

  • Control Self-Assessment

    Implementation of CSA:
      Facilitated workshops
      Hybrid approach

  • Control Self-Assessment

    Benefits of CSA
    Disadvantages of CSA
    Objectives of CSA:
      Enhancement of audit responsibilities (not a replacement)
      Education for line management in control responsibility and monitoring
      Empowerment of workers to assess the control environment

  • Control Self-Assessment

    IS auditor's role in CSAs
    Technology drivers for a CSA program
    Traditional vs. CSA approach

  • Emerging Changes in IS Audit Process

    New topics:
      Automated work papers
      Integrated auditing
      Continuous auditing

  • Emerging Changes in IS Audit Process

    Automated work papers contain:
      Risk analysis
      Audit programs
      Results
      Test evidence
      Conclusions
      Reports and other complementary information

  • Emerging Changes in IS Audit Process

    Automated work papers (cont'd). Controls over automated work papers:
      Access to work papers
      Audit trails
      Approvals of audit phases
      Security and integrity controls
      Backup and restoration
      Encryption for confidentiality
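    One concrete shape for the "audit trails" and "security and integrity controls" items above, which also serves the custody requirement on the workpaper slides (work papers filed and kept in custody; evidence collection, protection and chain of custody). This is an added example, not from the CISA deck: each work-paper action is recorded with the SHA-256 of the evidence it concerns and the hash of the previous entry, so editing, reordering or deleting an entry after the fact is detected when the chain is verified. The entry fields, the actors and the evidence bytes are constructed; hash chaining alone does not stop a party who controls the whole log from rebuilding it, which is why the access and approval controls on the same slide still matter.

```python
"""Hash-chained audit trail for automated work papers.

Added example (not from the CISA deck). Entry fields, actors, timestamps and
the evidence bytes are constructed/assumed.
"""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64   # prev_hash of the first entry


class WorkPaperLog:
    def __init__(self):
        self.entries = []

    @staticmethod
    def _entry_hash(entry: dict) -> str:
        """Hash of every field except the hash itself, in a canonical encoding."""
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, actor: str, action: str, evidence: bytes,
               note: str = "", when: str = None) -> dict:
        """Record an action (collect, review, approve ...) with the evidence it concerns."""
        entry = {
            "seq": len(self.entries) + 1,
            "when": when or datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "actor": actor,
            "action": action,
            "evidence_sha256": hashlib.sha256(evidence).hexdigest(),
            "note": note,
            "prev_hash": self.entries[-1]["entry_hash"] if self.entries else GENESIS,
        }
        entry["entry_hash"] = self._entry_hash(entry)
        self.entries.append(entry)
        return entry

    def verify(self) -> int:
        """Walk the chain; return 0 when intact, else the seq of the first bad entry."""
        prev = GENESIS
        for expected_seq, entry in enumerate(self.entries, start=1):
            if (entry["seq"] != expected_seq or entry["prev_hash"] != prev
                    or self._entry_hash(entry) != entry["entry_hash"]):
                return expected_seq
            prev = entry["entry_hash"]
        return 0

    def evidence_matches(self, seq: int, evidence: bytes) -> bool:
        """Re-hash the evidence held in custody and compare with what was recorded."""
        return self.entries[seq - 1]["evidence_sha256"] == hashlib.sha256(evidence).hexdigest()


def demo() -> dict:
    """Builds a small log, then shows that an after-the-fact edit is detected."""
    firewall_export = b"rule 10 permit tcp any host 10.0.0.5 eq 443\n"   # constructed evidence
    access_review = b"user,role,reviewed\nalice,admin,yes\n"              # constructed evidence
    log = WorkPaperLog()
    log.append("auditor1", "collect", firewall_export, "fw config export", "2024-03-04T10:00:00+00:00")
    log.append("auditor1", "collect", access_review, "Q1 access review", "2024-03-04T10:05:00+00:00")
    log.append("manager1", "review", access_review, "reviewed, no exceptions", "2024-03-05T09:00:00+00:00")
    intact = log.verify()
    log.entries[1]["note"] = "Q1 access review (amended)"   # tamper with a filed work paper
    return {"intact_before": intact, "first_bad_after": log.verify(),
            "evidence_ok": log.evidence_matches(1, firewall_export)}


if __name__ == "__main__":
    print(demo())
```

    verify() returns 0 for the untouched log and 2 once the second entry's note is altered, because that entry no longer matches its recorded hash; deleting an entry is caught the same way through the seq and prev_hash checks. In practice the final entry hash would be anchored somewhere outside the tool (a signed approval record, or a timestamp service) so the chain cannot be silently regenerated.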

  • Emerging Changes in IS Audit Process

    Integrated auditing: a process whereby appropriate audit disciplines are combined to assess key internal controls over an operation, process or entity.
      Focuses on risk to the organization (for an internal auditor)
      Focuses on the risk of providing an incorrect or misleading audit opinion (for an external auditor)

  • Emerging Changes in IS Audit Process

    Integrated auditing, typical process:
      1. Identification of relevant key controls
      2. Review and understanding of the design of key controls
      3. Testing that key controls are supported by the IT system
      4. Testing that management controls operate effectively
      5. A combined report or opinion on control risks, design and weaknesses

  • Emerging Changes in IS Audit Process

    Continuous auditing, definition: a methodology that enables independent auditors to provide written assurance on a subject matter using a series of auditor's reports issued simultaneously with, or a short period of time after, the occurrence of the events underlying the subject matter.

  • Emerging Changes in IS Audit Process

    Continuous auditing. Distinctive character: a short time lapse between the facts to be audited and the collection of evidence and audit reporting.
    Drivers:
      Better monitoring of financial issues
      Allowing real-time transactions to benefit from real-time monitoring
      Preventing financial fiascoes and audit scandals
      Using software to determine proper financial controls

  • Emerging Changes in IS Audit Process

    Continuous auditing vs. continuous monitoring:
      Continuous monitoring:
        Management-driven
        Based on automated procedures to meet fiduciary responsibilities
      Continuous auditing:
        Audit-driven
        Done using automated audit procedures

  • Emerging Changes in IS Audit Process

    Continuous auditing. Enablers for the application of continuous auditing:
      New information technology developments
      Increased processing capabilities
      Standards
      Artificial intelligence tools

  • Emerging Changes in IS Audit Process

    Continuous auditing. IT techniques in a continuous auditing environment:
      Transaction logging
      Query tools
      Statistics and data analysis (CAAT)
      Database management systems (DBMS)
      Data warehouses, data marts, data mining
      Artificial intelligence (AI)
      Embedded audit modules (EAM)
      Neural network technology
      Standards such as Extensible Business Reporting Language (XBRL)

  • Emerging Changes in IS Audit Process

    Continuous auditing, prerequisites:
      A high degree of automation
      An automated and reliable information-producing process
      Alarm triggers to report control failures
      Implementation of automated audit tools
      Quickly informing IS auditors of anomalies/errors
      Timely issuance of automated audit reports
      Technically proficient IS auditors
      Availability of reliable sources of evidence
      Adherence to materiality guidelines
      Change of the IS auditor's mind-set
      Evaluation of cost factors
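    A small embedded audit module of the kind the "IT techniques" and "prerequisites" slides describe: it reads transaction log lines as they are written and raises an alarm the moment a control failure appears, rather than at the next periodic review. This is an added example, not code from the CISA deck. The log format, the three rules (approval present and not by the creator; a second approver above a materiality threshold; postings inside business hours) and the threshold value are assumptions, and the log lines are constructed.

```python
"""Embedded audit module for continuous auditing.

Added example (not from the CISA deck). Log format, rules, materiality
threshold and business hours are assumptions; the log lines are constructed.
"""
from datetime import datetime

MATERIALITY_THRESHOLD = 10_000.00   # assumption: at or above this a second approver is required
BUSINESS_HOURS = (8, 18)            # assumption: postings expected 08:00-17:59, Monday to Friday

# Constructed transaction log: timestamp followed by key=value fields, '-' = empty.
LOG_LINES = """
2024-03-04T10:15:00 txn=PAY-7001 created_by=alice approved_by=bob second_approver=- amount=2500.00
2024-03-04T10:20:00 txn=PAY-7002 created_by=dave approved_by=dave second_approver=- amount=800.00
2024-03-04T11:02:00 txn=PAY-7003 created_by=erin approved_by=frank second_approver=- amount=15000.00
2024-03-04T23:40:00 txn=PAY-7004 created_by=grace approved_by=henry second_approver=- amount=1200.00
2024-03-04T14:05:00 txn=PAY-7005 created_by=ivan approved_by=- second_approver=- amount=300.00
2024-03-04T15:30:00 txn=PAY-7006 created_by=judy approved_by=kim second_approver=lee amount=25000.00
""".strip().splitlines()


def parse_line(line: str) -> dict:
    """Turn one log line into a record; a '-' value means the field is empty."""
    stamp, *fields = line.split()
    rec = {"posted_at": datetime.fromisoformat(stamp)}
    for item in fields:
        key, _, value = item.partition("=")
        rec[key] = None if value == "-" else value
    rec["amount"] = float(rec["amount"])
    return rec


class EmbeddedAuditModule:
    """Holds the audit rules and the running alarm list; observe() is the alarm trigger."""

    def __init__(self, threshold=MATERIALITY_THRESHOLD, hours=BUSINESS_HOURS):
        self.threshold = threshold
        self.hours = hours
        self.seen = 0
        self.alarms = []   # (txn id, reason), in the order they fired

    def observe(self, rec: dict) -> list:
        """Evaluate one transaction as it arrives; returns the reasons that fired."""
        self.seen += 1
        reasons = []
        if rec["approved_by"] is None:
            reasons.append("no approval recorded")
        elif rec["approved_by"] == rec["created_by"]:
            reasons.append("creator approved own transaction")
        if rec["amount"] >= self.threshold and rec["second_approver"] is None:
            reasons.append("material amount without second approval")
        when = rec["posted_at"]
        if when.weekday() >= 5 or not (self.hours[0] <= when.hour < self.hours[1]):
            reasons.append("posted outside business hours")
        for reason in reasons:
            self.alarms.append((rec["txn"], reason))
        return reasons

    def report(self) -> dict:
        """The automated audit report, available at any moment rather than period end."""
        flagged = {txn for txn, _ in self.alarms}
        return {"transactions": self.seen, "flagged": len(flagged), "alarms": len(self.alarms),
                "exception_rate": round(len(flagged) / self.seen, 4) if self.seen else 0.0}


def run_stream(module: EmbeddedAuditModule, lines) -> dict:
    """Feed log lines through the module in arrival order and return the report."""
    for line in lines:
        module.observe(parse_line(line))
    return module.report()


if __name__ == "__main__":
    eam = EmbeddedAuditModule()
    print(run_stream(eam, LOG_LINES))
    for txn, reason in eam.alarms:
        print("ALARM", txn, reason)
```

    On the six constructed lines the module fires four alarms (a self-approved payment, a material amount with only one approver, a late-night posting and a payment with no approval at all) while PAY-7001 and PAY-7006 pass. The materiality threshold is where the "adherence to materiality guidelines" prerequisite enters: set it too low and the auditor is flooded with alarms that carry no audit significance.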

  • Emerging Changes in IS Audit Process

    Continuous auditing:
      Advantages:
        Instant capture of internal control problems
        Reduction of intrinsic audit inefficiencies
      Disadvantages:
        Difficulty in implementation
        High cost
        Elimination of the auditor's personal judgment and evaluation

    Title slide for Chapter 1.

    There are five (5) tasks within the IS audit process area:
      1.1 Develop and implement a risk-based IS audit strategy for the organization in compliance with IS audit standards, guidelines and best practices.
      1.2 Plan specific audits to ensure that IT and business systems are protected and controlled.
      1.3 Conduct audits in accordance with IS audit standards, guidelines and best practices to meet planned audit objectives.
      1.4 Communicate emerging issues, potential risks and audit results to key stakeholders.
      1.5 Advise on the implementation of risk management and control practices within the organization while maintaining independence.

    There are 10 knowledge statements within the IS audit process area:
      1.1 Knowledge of ISACA IS Auditing Standards, Guidelines and Procedures and Code of Professional Ethics
      1.2 Knowledge of IS auditing practices and techniques
      1.3 Knowledge of techniques to gather information and preserve evidence (e.g., observation, inquiry, interview, computer-assisted audit techniques (CAATs), electronic media)
      1.4 Knowledge of the evidence life cycle (e.g., collection, protection, chain of custody)
      1.5 Knowledge of control objectives and controls related to IS (e.g., COBIT)
      1.6 Knowledge of risk assessment in an audit context
      1.7 Knowledge of audit planning and management techniques
      1.8 Knowledge of reporting and communication techniques (e.g., facilitation, negotiation, conflict resolution)
      1.9 Knowledge of control self-assessment (CSA)
      1.10 Knowledge of continuous audit techniques

    The role of the IS audit function should be established by an audit charter. IS audit is most likely to be a part of internal audit; therefore, the audit charter may include other audit functions. This charter should state clearly management's responsibility and objectives for, and delegation of authority to, the IS audit function. This document should outline the overall authority, scope and responsibilities of the audit function.

    The highest level of management and the audit committee, if available, should approve this charter.

    Once established, this charter should be changed only if the change can be and is thoroughly justified. ISACA IS Auditing Standards require that the responsibility, authority and accountability of the information systems audit function are appropriately documented in an audit charter or engagement letter.

    IS auditors are a limited resource and IS technology is constantly changing. Therefore, it is important that IS auditors maintain their competency through updates of existing skills and obtain training directed towards new audit techniques and technological areas. Specifically, the IS auditor should understand techniques for managing audit projects with appropriately trained members of the audit staff. ISACA IS Auditing Standards require that the IS auditor is technically competent, having the skills and knowledge necessary to perform the auditor's work. Further, the IS auditor is to maintain technical competence through appropriate continuing professional education. Skill and knowledge should be taken into consideration when planning audits and assigning staff to specific audit assignments.

    Refer to page 23 of the 2006 CISA Review Manual for further details.

    Audit planning consists of both short- and long-term planning. Short-term planning takes into account audit issues that will be covered during the year, whereas long-term planning relates to audit plans that take into account risk-related issues regarding changes in the organization's IT strategic direction that will affect the organization's IT environment. Analysis of short- and long-term issues should occur at least annually. This is necessary to take into account new control issues, changing technologies, changing business processes and enhanced evaluation techniques. The results of this analysis for planning future audit activities should be reviewed by senior management, approved by the audit committee, if available, or alternatively by the board of directors, and communicated to relevant levels of management.

    In addition to overall annual planning, each individual audit assignment must be adequately planned. The IS auditor should understand that other considerations, such as risk assessment by management, privacy issues and regulatory requirements, may impact the overall approach to the audit. The IS auditor should also take into consideration system implementation/upgrade deadlines, current and future technologies, requirements of business process owners, and IS resource limitations.

    When planning an audit, the IS auditor must have an understanding of the overall environment under review. This should include a general understanding of the various business practices and functions relating to the audit subject, as well as the types of information systems and technology supporting the activity.

    Refer to pages 23 - 24 of the 2006 CISA Review Manual for further details.

    To perform audit planning, the IS auditor should perform the following steps in order:
      1. Gain an understanding of the business's mission, objectives, purpose and processes, which include information and processing requirements such as availability, integrity, security and business technology.
      2. Identify stated contents, such as policies, standards and required guidelines, procedures, and organization structure.
      3. Evaluate the risk assessment and any privacy impact analysis carried out by management.
      4. Perform a risk analysis.
      5. Conduct an internal control review.
      6. Set the audit scope and audit objectives.
      7. Develop the audit approach or audit strategy.
      8. Assign personnel resources to the audit and address engagement logistics.

    Effect of Laws and Regulations on IS Audit Planning

    Each organization, regardless of its size or the industry within which it operates, will need to comply with a number of governmental and external requirements related to computer system practices and controls and to the manner in which computers, programs and data are stored and used. Additionally, business regulations (stock exchange, central bank, etc.) can impact the way data are processed, transmitted and stored.

    Several countries, because of growing dependencies upon information systems and related technology, are making efforts to establish added layers of regulatory requirements concerning IS audit. The contents of these legal regulations regard:

      Establishment of the regulatory requirements
      Organization of the regulatory requirements
      Responsibilities assigned to the corresponding entities
      Correlation to financial, operational and IT audit functions

    Management personnel, at all levels, should be aware of the external requirements relevant to the goals and plans of the organization and to the responsibilities and activities of the information services department/function/activity.

    The following are steps that an information systems control auditor would perform to determine an organization's level of compliance with external requirements:
      1. Identify those government or other relevant external requirements dealing with:
        Electronic data, copyrights, e-commerce, e-signatures, etc.
        Computer system practices and controls
        The manner in which computers, programs and data are stored
        The organization or the activities of the information services
      2. Document pertinent laws and regulations.
      3. Assess whether the management of the organization and the information systems function have considered the relevant external requirements in making plans and in setting policies, standards and procedures.
      4. Review internal information systems department/function/activity documents that address adherence to laws applicable to the industry.
      5. Determine adherence to established procedures that address these requirements.

    Note to the instructor: a CISA candidate will not be asked about any specific laws or regulations, but may be questioned about how one would audit for compliance with laws and regulations. Address with the candidates the importance of seeking legal advice.

    Refer to pages 24 - 25 of the 2006 CISA Review Manual for further details.

    The framework for the ISACA IS Auditing Standards provides for multiple levels, as follows:

    - Standards define mandatory requirements for IS auditing and reporting.
    - Guidelines provide guidance in applying IS Auditing Standards. The IS auditor should consider them in determining how to achieve implementation of the above standards, use professional judgment in their application and be prepared to justify any departure.
    - Procedures provide examples of procedures an IS auditor might follow in an audit engagement. The procedure documents provide information on how to meet the standards when completing information systems auditing work, but do not set requirements.

    The ISACA Code of Professional Ethics requires members of ISACA and holders of the CISA designation to comply with the IS Auditing Standards adopted by ISACA. Apparent failure to comply with these may result in an investigation into the member's or CISA holder's conduct by ISACA or an appropriate ISACA board or committee. Disciplinary action may ensue.

    The IS Auditing Standards applicable to information systems auditing are:

    S1 Audit Charter
    S2 Independence
    S3 Professional Ethics and Standards
    S4 Professional Competence
    S5 Planning
    S6 Performance of Audit Work
    S7 Reporting
    S8 Follow-up Activities
    S9 Irregularities and Illegal Acts
    S10 IT Governance
    S11 Use of Risk Assessment in Audit Planning

    The IS auditor should:

    - Obtain written representations from management at least annually, or more frequently depending on the audit engagement.
    - Have knowledge of any allegations of irregularities or illegal acts, or suspected irregularities or illegal acts, affecting the organization as communicated by employees, former employees, regulators and others.
    - If a material irregularity or illegal act is identified, or information that a material irregularity or illegal act may exist is obtained, communicate these matters to the appropriate level of management in a timely manner.
    - If a material irregularity or illegal act involving management or employees who have significant roles in internal control has been identified, communicate these matters in a timely manner to those charged with governance.
    - Advise the appropriate level of management and those charged with governance of material weaknesses in the design and implementation of internal control to prevent and detect irregularities and illegal acts that may have come to the IS auditor's attention during the audit.
    - If exceptional circumstances affect the IS auditor's ability to continue performing the audit, consider whether there is a requirement to report to those charged with governance or to regulatory authorities, or consider withdrawing from the engagement.
    - Document all communications, planning, results, evaluations and conclusions relating to material irregularities and illegal acts that have been reported to management, those charged with governance, regulators and others.

    Procedures developed by the ISACA Standards Board provide examples of possible processes an IS auditor might follow in an audit engagement. In determining the appropriateness of any specific procedure, IS auditors should apply their own professional judgment to the specific circumstances. The procedure documents provide information on how to meet the standards when performing IS auditing work, but do not set requirements.

    It is not mandatory for the IS auditor to follow these procedures; however, following these procedures will provide assurance that the standards are being followed by the auditor.

    Index of Procedures

    (Refer to page 30 of the 2006 CISA Review Manual for details.)

    Policies, procedures, practices and organizational structures implemented to reduce risks are also referred to as internal controls.

    Internal controls are developed to provide reasonable assurance that an organizations business objectives will be achieved and undesired risk events will be prevented, or detected and corrected, based on either compliance or management-initiated concerns. Control is the means by which control objectives are addressed. Internal control activities and supporting processes are either manual or driven by automated computer information resources. They operate at all levels within an organization to mitigate its exposures to risks that potentially could prevent it from achieving its business objectives. The board of directors and senior management are responsible for establishing the appropriate culture to facilitate an effective and efficient internal control system and for continuously monitoring the effectiveness of the internal control system, though each individual within an organization must take part in this process.

    Note to the instructor: Stress that there are two key aspects that control needs to address: what you want to achieve and what you want to avoid. Internal controls not only address business/operational objectives; they also need to address undesired events by preventing, detecting and correcting them.

    Refer to page 32 of the 2006 CISA Review Manual for further details.

    Refer to http://pw1.netcom.com/~jstorres/internalaudit/ic_def.html

    Internal accounting controls: Primarily directed at accounting operations, such as the safeguarding of assets and the reliability of financial records

    Operational controls: Directed at the day-to-day operations, functions and activities to ensure that the operation is meeting the business objectives

    Administrative controls: Concerned with operational efficiency in a functional area and adherence to management policies, including operational controls. These can be described as supporting the operational controls specifically concerned with operating efficiency and adherence to organizational policy.

    Control objectives include:

    - Safeguarding of information technology assets
    - Compliance with corporate policies or legal requirements
    - Authorization/input
    - Accuracy and completeness of processing of transactions
    - Output
    - Reliability of process
    - Backup/recovery
    - Efficiency and economy of operations

    Controls are generally categorized into three major classifications:

    - Preventive: These controls deter problems before they arise.
    - Detective: These controls detect and report the occurrence of an error, omission or malicious act.
    - Corrective: These controls minimize the impact of a threat, remedy problems discovered by detective controls and identify the cause of a problem.

    Refer to exhibit 1.1 on page 33 of the 2006 CISA Review Manual for further details.

    Internal control objectives apply to all areas, whether manual or automated. Therefore, conceptually, control objectives in an information systems environment remain unchanged from those of a manual environment. However, control features may be different. Thus, internal control objectives need to be addressed in a manner specific to IS-related processes.

    Note to the instructor: The CISA candidate should be aware that it is important that the auditor understands the relationships between control objectives and controls; control objectives and audit objectives; criteria and the sufficiency and competency of evidence; and audit objectives, criteria and audit procedures. A strong understanding of these elements is key to the auditor's performance.

    IS control objectives include:

    - Safeguarding assets. Information on automated systems is secure from improper access and kept up to date.
    - Assuring the integrity of general operating system environments, including network management and operations
    - Assuring the integrity of sensitive and critical application system environments, including accounting/financial and management information (information objectives), through:
      - Authorization of the input. Each transaction is authorized and entered only once.
      - Accuracy and completeness of processing of transactions. All transactions are recorded and entered into the computer for the proper period.
      - Reliability of overall information processing activities
      - Accuracy, completeness and security of the output
      - Database integrity
    - Ensuring the efficiency and effectiveness of operations (operational objectives)
    - Complying with the users' requirements, organizational policies and procedures, and applicable laws and regulations (compliance objectives)
    - Developing business continuity and disaster recovery plans
    - Developing an incident response and handling plan

    Control Objectives for Information and related Technology (CobiT) is a framework with a set of 34 high-level control objectives representing IT processes grouped into four domains: plan and organize, acquire and implement, deliver and support, and monitor and evaluate. By addressing these 34 high-level control objectives, organizations can ensure that adequate governance and control arrangements are provided for their IT environment. Supporting these IT processes are more than 200 detailed control objectives necessary for effective implementation. CobiT uses, as primary references, 36 major standards and regulations relating to IT. CobiT is directed to the management and staff of information services, control departments, audit functions and, most importantly, the business process owners using IT processes to assure confidentiality, integrity and availability of sensitive and critical information. ITGI has also published the IT Governance Implementation Guide, to facilitate enterprises in implementing IT governance using the CobiT framework. CobiT Quickstart™ provides the essentials of CobiT for small and medium enterprises. CobiT Online provides all the components of CobiT on the Internet for users to adapt and customize CobiT components as per their specific requirements.

    Note: A CISA candidate will not be asked to identify specifically the CobiT assurance process, the CobiT domains or the set of IT processes defined in each. However, candidates should know what frameworks are, what they do and why they are used by enterprises. Knowledge of the existence, structure and key principles of major standards and frameworks related to IT governance, assurance and security will also be advantageous. CobiT can be used as supplemental study material in understanding control objectives and principles as detailed in this review material. Please refer to Appendix A for references between the CISA certification domains and the CobiT framework.

    General Control Procedures

    General controls apply to all areas of the organization. These include policies and practices established by management to provide reasonable assurance that specific objectives will be achieved. The control procedures include:

    - Internal accounting controls that are primarily directed at accounting operations. They concern the safeguarding of the assets and the reliability of financial records.
    - Operational controls that are concerned with the day-to-day operations, functions and activities, and ensure the operation is meeting the business objectives
    - Administrative controls that are concerned with operational efficiency in a functional area and adherence to management policies. Administrative controls support the operational controls specifically concerned with operating efficiency and adherence to organizational policies.
    - Organizational logical security policies and procedures to ensure proper authorization of transactions and activities
    - Overall policies for the design and use of adequate documents and records to help ensure proper recording of transactions (the transactional audit trail)
    - Procedures and features to ensure adequate safeguards over access to and use of assets and facilities
    - Physical security policies for all data centers

    IS control procedures include policies, procedures and practices (tasks and activities) that are established by management to provide reasonable assurance that specific objectives will be achieved.

    Each general control procedure can be translated into an IS-specific control procedure. A well-designed information system should have controls built in for all its sensitive or critical functions. For example, the general procedure to ensure adequate safeguards over access to assets and facilities can be translated into an IS-related set of control procedures covering access safeguards over computer programs, data and computer equipment. The IS auditor should understand the basic control objectives that exist for all functions.

    IS control procedures include:

    - Strategy and direction
    - General organization and management
    - Access to data and programs
    - Systems development methodologies and change control
    - Data processing operations
    - Systems programming and technical support functions
    - Data processing quality assurance procedures
    - Physical access controls
    - Business continuity/disaster recovery planning
    - Networks and communications
    - Database administration

    Auditing can be defined as a systematic process by which a competent, independent person objectively obtains and evaluates evidence regarding assertions about an economic entity or event for the purpose of forming an opinion about, and reporting on, the degree to which the assertion conforms to an identified set of standards.

    Note to the instructor: A discussion on auditing should include audit scope, audit objectives, criteria, audit procedures, evidence, conclusions and opinions, and reporting. Some of these should be discussed with the CISA candidates at this point.

    IS audit can be defined as any audit that encompasses review and evaluation (wholly or partly) of automated information processing systems, related nonautomated processes and the interfaces between them.

    To perform such a process, several steps are required. Adequate planning is a necessary first step in performing effective IS audits. To effectively use IS audit resources, audit organizations must assess the overall risks for the general and application area being audited and then develop an audit program that consists of objectives and audit procedures to satisfy the audit objectives. The audit process requires the IS auditor to gather evidence, evaluate the strengths and weaknesses of controls based upon the evidence gathered, and prepare an audit report that presents those issues in an objective manner to management.

    Audit management must ensure the availability of adequate audit resources and a schedule for performing the audits and for follow-up reviews on the status of corrective actions taken by management. A discussion on auditing should include audit scope, audit objectives, criteria, audit procedures, evidence, conclusions and opinions, and reporting. The IS auditor should understand the various types of audits that can be performed, internally or externally, and the audit procedures associated with each:

    - Financial audits assess the correctness of an organization's financial statements. A financial audit will often involve detailed, substantive testing. This kind of audit relates to information integrity and reliability.
    - Operational audits evaluate the internal control structure in a given process or area. IS audits of application controls or logical security systems are examples of operational audits.
    - Integrated audits combine financial and operational audit steps. An integrated audit is also performed to assess the overall objectives within an organization related to financial information and assets safeguarding, efficiency and compliance. It can be performed by external or internal auditors and would include compliance tests of internal controls and substantive audit steps.
    - Administrative audits assess issues related to the efficiency of operational productivity within an organization.
    - Information systems audits collect and evaluate evidence to determine whether the information systems and related resources adequately safeguard assets, maintain data and system integrity, provide relevant and reliable information, achieve organizational goals effectively, consume resources efficiently, and have in effect internal controls that provide reasonable assurance.
    - Specialized audits: Within the category of IS audits, there are a number of specialized reviews that examine areas such as services performed by third parties and forensic auditing.
    - Forensic audits: Traditionally, forensic auditing has been defined as an audit specialized in discovering, disclosing and following up on frauds and crimes. In recent years, the forensic professional has been called upon to participate in investigations related to corporate fraud and cybercrime.

    Refer to page 33 of the 2006 CISA Review Manual for further detail.

    Audit Programs

    Audit programs for financial, operational, integrated, administrative and IS audits are based on the scope and objective of the particular assignment. IS auditors often evaluate IT functions and systems from different perspectives, such as security (confidentiality, integrity and availability), quality (effectiveness, efficiency), fiduciary (compliance, reliability), service and capacity.

    It is important to underscore that the audit work program is the audit strategy and plan: it identifies scope, audit objectives and audit procedures to obtain sufficient, competent evidence to draw and support audit conclusions and opinions.

    General audit procedures are the basic steps in the performance of an audit and usually include:

    - Obtaining and recording an understanding of the audit area/subject
    - Risk assessment and general audit plan and schedule
    - Detailed audit planning
    - Preliminary review of the audit area/subject
    - Evaluating the audit area/subject
    - Compliance testing (often referred to as tests of controls)
    - Substantive testing
    - Reporting (communicating results)
    - Follow-up

    Note to the instructor: Describe and discuss each audit procedure and its sequence with the class.

    The IS auditor must understand the procedures for testing and evaluating information systems controls. These procedures could include:

    - The use of generalized audit software to survey the contents of data files (including system logs)
    - The use of specialized software to assess the contents of operating system parameter files (or detect deficiencies in system parameter settings)
    - Flow-charting techniques for documenting automated applications and business processes
    - The use of audit reports available in operating systems
    - Documentation review
    - Observation

    Audit Methodology

    An audit methodology is a set of documented audit procedures designed to achieve planned audit objectives. Its components are a statement of scope, a statement of audit objectives and a statement of work programs.

    The audit methodology should be set up and approved by audit management to achieve consistency in audit approach. This methodology should be formalized and communicated to all audit staff.

    An early and critical product of the audit process should be an audit program that is the guide for performing and documenting all the following audit steps and the extent and types of evidential matter reviewed.

    The typical audit phases are:

    - Audit subject: Identify the area to be audited.
    - Audit objective: Identify the purpose of the audit. For example, an objective might be to determine that program source code changes occur in a well-defined and controlled environment.
    - Audit scope: Identify the specific systems, function or unit of the organization to be included in the review. For example, in the previous program changes example, the scope statement might limit the review to a single application system or to a limited period of time.
    - Pre-audit planning: Identify technical skills and resources needed. Identify the sources of information for test or review, such as functional flow-charts, policies, standards, procedures and prior audit workpapers. Identify locations or facilities to be audited.
    - Audit procedures and steps for data gathering: Identify and select the audit approach to verify and test the controls. Identify a list of individuals to interview. Identify and obtain departmental policies, standards and guidelines for review. Develop audit tools and methodology to test and verify controls.
    - Procedures for evaluating the test or review results
    - Procedures for communication with management
    - Audit report preparation: Identify follow-up review procedures. Identify procedures to evaluate/test operational efficiency and effectiveness. Identify procedures to test controls. Review and evaluate the soundness of documents, policies and procedures.

    (Refer to Exhibit 1.2 on Page 38 of the 2006 CISA Review Manual for the typical audit phases listed above.)

    Although an audit program does not necessarily follow a specific set of steps, the IS auditor typically would follow sequential program steps to gain an understanding of the entity under audit, to evaluate the control structure and to test the controls.

    Any and all audit plans, programs, activities, tests, findings and incidents shall be properly documented in workpapers (WPs).

    The typical audit phases are:

    Identify:
    - the area to be audited
    - the purpose of the audit
    - the specific systems, function or unit of the organization to be included in the review
    - technical skills and resources needed
    - the sources of information for tests or review, such as functional flow-charts, policies, standards, procedures and prior audit workpapers
    - locations or facilities to be audited
    - the audit approach to verify and test the controls
    - a list of individuals to interview
    - departmental policies, standards and guidelines for review

    Develop:
    - audit tools and methodology to test and verify controls
    - procedures for evaluating the test or review results
    - procedures for communication with management

    Identify:
    - follow-up review procedures
    - procedures to evaluate/test operational efficiency and effectiveness
    - procedures to test controls

    Review and evaluate the soundness of documents, policies and procedures.

    Their format and media are optional, but due diligence and best practices require that WPs are dated, initialed, page-numbered, relevant, complete, clear, self-contained and properly labeled, filed and kept in custody. Workpapers do not necessarily have to be on paper, in hard copy.

    ISACAs IS Auditing Standards and Guidelines set forth many specifications about WPs, including how to use those of other (previous or contractors) auditors, or the need to document the audit plan, program and evidence, or the use of CAATs or sampling, etc.

    WPs can be considered the bridge or interface between the audit objectives and the final report. They should provide a seamless transition, with traceability and chargeability, from objectives to report and from report to objectives. The audit report, in this context, can be viewed as just a particular WP.

    IS auditors are a scarce and expensive resource. Any technology capable of increasing audit productivity is welcome. Automating workpapers affects productivity directly in obvious ways and also indirectly (granting access to other auditors, reusing documents or parts of them in recurring audits, etc.).

    The quest for integrating workpapers in the auditors e-environment has resulted in all major audit and project management packages, CAATs and expert systems offering a panoply of automated documentation and import-export features.

    The use of information technology for business has immensely benefited enterprises in terms of significantly increased quality of delivery of information. However, the widespread use of information technology and the Internet carries risks that enable the easy perpetration of errors and frauds. Management is primarily responsible for establishing, implementing and maintaining a framework and design of IT controls to meet the internal control objectives. A well-designed internal control system provides good opportunities for deterring fraud in the first instance and a system that enables timely detection of frauds. Internal controls may fail where such controls are circumvented by exploiting vulnerabilities, through management-perpetrated weaknesses in controls for undue advantage, or through collusion between people.

    Legislation and regulations relating to corporate governance cast significant responsibilities on management, auditors and the audit committee regarding detection and disclosure of any frauds, whether material or not.

    The information systems auditor should observe and exercise due professional care (ISACA Standard 030.020) in all aspects of their work. IS auditors entrusted with assurance functions should ensure reasonable care while performing their work and be alert to the possible opportunities that allow a fraud to materialize.

    Besides instituting and maintaining a system of internal controls, management looks to IS auditors for assurance on the state of internal controls, on their ability to deter and detect frauds, and for recommendations for improvement in internal controls. Where, during the course of regular assurance work, the IS auditor comes across any instance of fraud or indicators of fraud, the IS auditor may, after careful evaluation, communicate the need for a detailed investigation to the appropriate authorities. In case the auditor identifies a major fraud, or where the risk associated with the detection is high, audit management should also consider communicating to the audit committee in a timely manner.

    Audit risk can be defined as the risk that the information/financial report may contain material error that may go undetected during the course of the audit.

    More and more organizations are moving to a risk-based audit approach that is usually adapted to develop and improve the continuous audit process. This approach is used to assess risk and to assist with an IS auditors decision to do either compliance testing or substantive testing. It is important to stress that the risk-based audit approach assists the auditor in determining the nature and extent of testing, besides helping make the decision to complete a compliance or a substantive test.

    Within this concept, inherent risk, control risk or detection risk should not be of major concern, despite some weaknesses. In a risk-based audit approach, IS auditors are not just relying on risk; they also are relying on internal and operational controls as well as knowledge of the company or the business. This type of risk assessment decision can help relate the cost-benefit analysis of the control to the known risk, allowing practical choices.

    By understanding the nature of the business, IS auditors can identify and categorize the types of risks that will better determine the risk model or approach in conducting the audit. The risk model assessment can be as simple as creating weights for the types of risks associated with the business and identifying the risks in an equation. On the other hand, risk assessment can be a scheme where risks have been given elaborate weights based on the nature of the business or the significance of the risk.

    Note to the instructor: Discuss with the CISA candidates the difference between control risk, audit risk and residual risk.

    Audit risk can be categorized as:

    - Inherent risk: The risk that an error exists that could be material or significant when combined with other errors encountered during the audit, assuming that there are no related compensating controls. Inherent risk can also be categorized as the susceptibility to a material misstatement in the absence of related controls. For example, complex calculations are more likely to be misstated than simple ones, and cash is more likely to be stolen than an inventory of coal. Inherent risks exist independent of an audit and can occur because of the nature of the business.
    - Control risk: The risk that a material error exists that will not be prevented or detected in a timely manner by the internal controls system. For example, the control risk associated with manual reviews of computer logs can be high because activities requiring investigation are often easily missed, owing to the volume of logged information. The control risk associated with computerized data validation procedures is ordinarily low if the processes are consistently applied.
    - Detection risk: The risk that an IS auditor uses an inadequate test procedure and concludes that material errors do not exist when, in fact, they do. Detection of an error would not be determined during the risk assessment phase of an audit. However, identifying detection risk would better evaluate and assess the auditor's ability to test, identify and recommend the correction of material errors as the result of a test.
    - Overall audit risk: The combination of the individual categories of audit risks assessed for each specific control objective. An objective in formulating the audit approach is to limit the audit risk in the area under scrutiny so the overall audit risk is at a sufficiently low level at the completion of the examination. Another objective is to assess and control those risks to achieve the desired level of assurance as efficiently as possible.

    Audit risk is also used sometimes to describe the level of risk that the IS auditor is prepared to accept during an audit engagement. The auditor may set a target level of risk and adjust the amount of detailed audit work to minimize the overall audit risk.

    Note: Audit risk should not be confused with statistical sampling risk, which is the risk that incorrect assumptions are made about the characteristics of a population from which a sample is selected.

    Overview of the Risk-based Approach

    Gather Information and Plan
    - Knowledge of business and industry
    - Regulatory statutes
    - Prior years' audit results
    - Inherent risk assessments
    - Recent financial information

    Obtain Understanding of Internal Control
    - Control environment
    - Control risk assessment
    - Control procedures
    - Equate total risk
    - Detection risk assessment

    Perform Compliance Tests
    - Test policies and procedures
    - Test segregation of duties

    Perform Substantive Tests
    - Analytical procedures
    - Other substantive audit procedures
    - Detailed tests of account balances

    Conclude the Audit
    - Create recommendations
    - Write audit report

    The concept of materiality requires sound judgment from the IS auditor. The IS auditor may detect a small error that could be considered significant at an operational level, but may not be viewed as significant to upper management. Materiality considerations combined with an understanding of audit risk are essential concepts for planning the areas to be audited and the specific tests to be performed in a given audit.

    Materiality can be more difficult for the IS auditor. For example, a logical security parameter setting that allows a programmer to access, without authorization, the source code for all programs might be a material error. Similarly, access rights to only a few less significant programs might not be considered material to the IS auditor. Materiality here is considered in terms of the total potential impact to the organization.

    Refer to page 41 of the 2006 CISA Review Manual for details.

    Risk Assessment Techniques

    An IS auditor could face a large variety of audit subjects when determining which functional areas should be audited. Each of these may represent different types of audit risks. The IS auditor should evaluate these various risk candidates to determine the high-risk areas that should be audited.

    Using risk assessment to determine areas to be audited:

    - Enables management to effectively allocate limited audit resources.
    - Ensures that relevant information has been obtained from all levels of management, including boards of directors, IS auditors and functional area management. Generally, the information assists management in effectively discharging their responsibilities and ensures that the audit activities are directed to high business risk areas, which will add value to management.
    - Establishes a basis for effectively managing the audit department.
    - Provides a summary of how the individual audit subject is related to the overall organization as well as to the business plans.

    There are several methods currently employed to perform risk assessments. One such risk assessment approach is a scoring system that is useful in prioritizing audits based on an evaluation of risk factors. It considers variables such as technical complexity, level of control procedures in place and level of financial loss. These variables may or may not be weighted. The resulting risk values are then compared to each other and audits are scheduled accordingly.
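    The scoring system just described, and the weighted risk model mentioned earlier, as an added example (not code from the CISA Review Manual or ISACA): the three variables the text names are rated on a constructed 1-to-5 scale, combined with and without constructed weights, and a constructed audit universe is ranked and scheduled from the result.

```python
"""Weighted risk scoring to prioritise an audit universe.

Added example, not from the CISA Review Manual or ISACA: it implements the
scoring approach the text describes, using the three variables it names
(technical complexity, level of control procedures in place, level of
financial loss), with and without weights. Rating scale, weights and the
sample audit subjects are constructed for illustration.
"""
from typing import Dict, List, Optional, Tuple

# Every factor is rated 1 (lowest risk) to 5 (highest risk). Controls are
# rated as "control weakness" so that a higher rating always means more risk.
FACTORS = ("technical_complexity", "control_weakness", "financial_loss")
RATING_MIN, RATING_MAX = 1, 5

# Constructed weights: this audit department cares most about weak controls.
WEIGHTS = {"technical_complexity": 0.2, "control_weakness": 0.5, "financial_loss": 0.3}


def validate_ratings(ratings: Dict[str, int]) -> None:
    """Reject a subject whose ratings are incomplete or off the scale."""
    missing = set(FACTORS) - set(ratings)
    if missing:
        raise ValueError(f"missing ratings for {sorted(missing)}")
    for factor in FACTORS:
        if not RATING_MIN <= ratings[factor] <= RATING_MAX:
            raise ValueError(
                f"{factor} rating {ratings[factor]} is outside {RATING_MIN}..{RATING_MAX}"
            )


def risk_score(ratings: Dict[str, int], weights: Optional[Dict[str, float]] = None) -> float:
    """Weighted average of the normalised ratings, on a 0..1 scale.

    With weights=None every factor counts equally, which is the unweighted
    variant the text mentions ("may or may not be weighted")."""
    validate_ratings(ratings)
    weights = weights or {factor: 1.0 for factor in FACTORS}
    span = RATING_MAX - RATING_MIN
    weighted = sum(weights[f] * (ratings[f] - RATING_MIN) / span for f in FACTORS)
    return weighted / sum(weights[f] for f in FACTORS)


def rank_audit_universe(universe: Dict[str, Dict[str, int]],
                        weights: Optional[Dict[str, float]] = None) -> List[Tuple[str, float]]:
    """Score every audit subject and sort high risk first; ties sort by name
    so that the ranking is reproducible from one planning cycle to the next."""
    scored = [(name, risk_score(ratings, weights)) for name, ratings in universe.items()]
    return sorted(scored, key=lambda item: (-item[1], item[0]))


def schedule_audits(universe: Dict[str, Dict[str, int]], capacity: int,
                    weights: Optional[Dict[str, float]] = None) -> List[str]:
    """The audits that fit the period's resources: the `capacity` highest
    scoring subjects. Everything below the line is deferred, not ignored."""
    return [name for name, _ in rank_audit_universe(universe, weights)[:capacity]]


# Constructed audit universe. Note how the weighting changes which subject
# comes first: unweighted, the banking gateway leads; weighted towards
# control weakness, payroll leads.
AUDIT_UNIVERSE = {
    "Payroll application": {"technical_complexity": 3, "control_weakness": 4, "financial_loss": 5},
    "Program library change control": {"technical_complexity": 4, "control_weakness": 2, "financial_loss": 3},
    "Tape library inventory": {"technical_complexity": 1, "control_weakness": 3, "financial_loss": 2},
    "Internet banking gateway": {"technical_complexity": 5, "control_weakness": 3, "financial_loss": 5},
}

if __name__ == "__main__":
    for label, weights in (("unweighted", None), ("weighted", WEIGHTS)):
        print(label)
        for name, score in rank_audit_universe(AUDIT_UNIVERSE, weights):
            print(f"  {score:.3f}  {name}")
    print("scheduled this period:", schedule_audits(AUDIT_UNIVERSE, 2, WEIGHTS))
```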

    Refer to pages 38-39 of the 2006 CISA Review Manual for further details.

    A control objective refers to how an internal control should function, while an audit objective refers to the specific goals of the audit. An audit may incorporate several audit objectives.

    Audit objectives often focus on substantiating that internal controls exist to minimize business risks. These audit objectives include assuring compliance with legal and regulatory requirements as well as the confidentiality, integrity, reliability and availability of information resources. Management may give the IS auditor a general control objective to review and evaluate when performing an audit.

    A key element in planning an information systems audit is to translate basic audit objectives into specific information systems audit objectives. For example, in a financial/operational audit, an internal control objective could be to ensure that transactions are properly posted to the general ledger accounts. However, in the information systems audit, the objective could be extended to ensure that editing features are in place to detect errors in the coding of transactions that may impact the account-posting activities.

    Refer to page 42 of the 2006 CISA Review Manual for further details.

    There is a difference between evidence gathering for the purpose of testing an organization's compliance with control procedures and evidence gathering to evaluate the integrity of individual transactions, data or other information. The former procedures are called compliance tests and the latter are called substantive tests.

    A compliance test determines if controls are being applied in a manner that complies with management policies and procedures. For example, if the IS auditor is concerned about whether program library controls are working properly, the IS auditor might select a sample of programs to determine if the source and object versions are the same. The broad objective of any compliance test is to provide IS auditors with reasonable assurance that the particular control on which the IS auditor plans to rely is operating as the IS auditor perceived in the preliminary evaluation.

    It is important that the IS auditor understands the specific objective of a compliance test and the control being tested. Compliance tests can be used to test the existence and effectiveness of a defined process, which may include a trail of documentary and/or automated evidence, for example, to provide assurance that only authorized modifications are made to production programs.

    A substantive test substantiates the integrity of actual processing. It provides evidence of the validity and integrity of the balances in the financial statements and the transactions that support these balances. IS auditors use substantive tests to test for monetary errors directly affecting financial statement balances. An IS auditor might develop a substantive test to determine if the tape library inventory records are stated correctly. To perform this test, the IS auditor might take a thorough inventory or might use a statistical sample, which will allow the IS auditor to develop a conclusion regarding the accuracy of the entire inventory.

    There is a direct correlation between the level of internal controls and the amount of substantive testing required. If the results of testing controls (compliance tests) reveal the presence of adequate internal controls, then the IS auditor is justified in minimizing the substantive procedures. Conversely, if the testing of controls reveals weaknesses that may raise doubts about the completeness, accuracy or validity of the accounts, substantive testing can alleviate those doubts.
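    The program library compliance test sketched above (sample programs from the library, check that source and object versions agree and that only authorized modifications reached production), written out as an added example. This is not code from the CISA Review Manual or the course; the library records, program names, version strings and change ticket numbers are constructed for illustration, and the approved-ticket register stands in for whatever change authorization evidence the auditee keeps.

```python
# Added example (not from the CISA Review Manual or the slide deck): a compliance
# test over a sample of production programs. All library records, ticket numbers
# and program names below are constructed for illustration.
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class LibraryEntry:
    program: str
    source_version: str      # version of the source member in the program library
    object_built_from: str   # source version recorded when the production object was compiled
    change_ticket: str       # ticket under which the object was promoted ("" if none recorded)


# Constructed program library listing (hypothetical programs and versions).
LIBRARY = [
    LibraryEntry("PAYROLL01", "v12", "v12", "CHG-1001"),
    LibraryEntry("PAYROLL02", "v7", "v7", "CHG-1002"),
    LibraryEntry("GLPOST01", "v33", "v32", "CHG-1003"),  # object lags the current source
    LibraryEntry("GLPOST02", "v5", "v5", ""),            # promoted with no ticket recorded
    LibraryEntry("ARINV01", "v19", "v19", "CHG-1004"),
    LibraryEntry("ARINV02", "v2", "v2", "CHG-1009"),     # ticket is not in the approved list
    LibraryEntry("APPAY01", "v41", "v41", "CHG-1005"),
    LibraryEntry("APPAY02", "v3", "v3", "CHG-1006"),
]

# Constructed register of approved change tickets (the authorization evidence).
APPROVED_TICKETS = {"CHG-1001", "CHG-1002", "CHG-1003", "CHG-1004", "CHG-1005", "CHG-1006"}


def select_sample(entries, size, seed=0):
    """Draw a simple random sample of library entries (seeded so the run is repeatable)."""
    return random.Random(seed).sample(entries, size)


def deviations_for(entry, approved=APPROVED_TICKETS):
    """Return the control deviations found for one sampled program (empty list if compliant)."""
    found = []
    if entry.source_version != entry.object_built_from:
        found.append("source and object versions differ")
    if not entry.change_ticket:
        found.append("no change ticket recorded")
    elif entry.change_ticket not in approved:
        found.append("change ticket not approved")
    return found


def compliance_test(sample, approved=APPROVED_TICKETS):
    """Apply the test to every sampled program; return per-program deviations and the deviation rate."""
    results = {e.program: deviations_for(e, approved) for e in sample}
    failed = sum(1 for d in results.values() if d)
    return results, failed / len(sample)


def can_rely_on_control(deviation_rate, tolerable_rate):
    """Reliance decision: substantive work may be reduced only if deviations stay within tolerance."""
    return deviation_rate <= tolerable_rate


if __name__ == "__main__":
    sample = select_sample(LIBRARY, 4)
    results, rate = compliance_test(sample)
    for program, found in results.items():
        print(program, "OK" if not found else "; ".join(found))
    print(f"deviation rate {rate:.0%}; rely on control: {can_rely_on_control(rate, 0.05)}")
```

    Running the test over the whole constructed library rather than a sample shows three of eight programs deviating, which is the situation in which the text says substantive testing must do the work the failed control cannot.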

    Refer to Exhibit 1.4 on page 43 of the 2006 CISA Review Manual for the relationship between compliance and substantive tests.

    Evidence is any information used by the IS auditor to determine whether the entity or data being audited follows the established audit criteria or objectives. It may include the auditor's observations, notes taken from interviews, material extracted from correspondence and internal documentation, or the results of audit test procedures. Some evidence is more reliable than other evidence.

    Note to the instructor: Candidates must take into account the rules of evidence and the sufficiency and competency of evidence as required by audit standards.

    Determinants for evaluating the reliability of audit evidence include:
    - Independence of the provider of the evidence: Evidence obtained from outside sources is more reliable than evidence from within the organization. This is why confirmation letters are used for verification of accounts receivable balances.
    - Qualification of the individual providing the information or evidence: Whether the providers of information or evidence are inside or outside of the organization, the IS auditor should always consider the qualifications of the persons providing the information.
    - Objectivity of the evidence: Objective evidence is more reliable than evidence that requires considerable judgment or interpretation. An IS auditor's count of a cash fund is direct, objective evidence, but an analysis of the efficiency of an application, based upon discussions with certain personnel, may not be objective audit evidence.
    - Timing of evidence: The IS auditor should consider the time during which information exists or is available in determining the nature, timing and extent of substantive testing and, if applicable, compliance testing. For example, audit evidence processed by electronic data interchange (EDI), document image processing (DIP) and dynamic systems such as spreadsheets may not be retrievable after a specified period of time if changes to the files are not controlled or the files are not backed up.

    Refer to page 44 of the 2006 CISA Review Manual for further details.

    Review information systems organization structures
    The IS auditor should understand general organizational controls and be able to evaluate these controls in the organization under audit.

    Review IS policies and procedures
    The IS auditor should review whether appropriate policies and procedures are in place, determine whether personnel understand the implemented policies and procedures, and ensure that they are being followed.

    Review information systems standards
    The IS auditor should understand the existing standards in place within the organization.

    Review information systems documentation
    A first step in reviewing the documentation for an information system is to understand the existing documentation in place within the organization. The IS auditor should look for a minimum level of information systems documentation.

    Note to the instructor: The CISA candidates should have a clear understanding that all of these reviews are part of an audit, but an audit is NOT just review work. An audit includes examination, which by necessity incorporates the testing of controls and the gathering of audit evidence; an audit therefore also includes the results of audit tests.

    Interviewing appropriate personnel
    The purpose of such interviews is to gather audit evidence. Personnel interviews are discovery in nature and should never be accusatory.

    Observing processes and employee performance
    The observation of processes is a key audit technique for many types of reviews. The IS auditor should be unobtrusive while making observations and should document everything in sufficient detail to be able to present it, if required, as audit evidence at a later date.

    Refer to pages 44-45 of the 2006 CISA Review Manual for further details.

    Interviewing and Observing Personnel in the Performance of Their Duties

    Observing personnel in the performance of their duties assists an IS auditor in identifying:

    - Actual functions: Observation is the best test to ensure that the individual who is assigned and authorized to perform a particular function is the person who is actually doing the job. It allows the IS auditor an opportunity to witness how policies and procedures are understood and practiced.
    - Actual processes/procedures: Performing a walk-through of the process/procedure allows the IS auditor to gain evidence of compliance and observe deviations, if any.
    - Security awareness: Security awareness should be observed to verify an individual's understanding and practice of good preventive and detective security measures to safeguard the company's assets and data.
    - Reporting relationships: Reporting relationships should be observed to ensure that assigned responsibilities and adequate segregation of duties are being practiced.

    Interviewing information processing personnel and management should provide adequate assurance that the staff has the required technical skills to perform the job. This is an important factor that contributes to an effective and efficient operation.

    Sampling is used when time and cost considerations preclude a total verification of all transactions or events in a predefined population. It is used to infer characteristics about a population, based on the results of examining the characteristics of a sample of the population.

    Audit sampling: general approaches

    Statistical and non-statistical are the two general approaches to sampling.

    Note to the instructor: Ask candidates to define statistical and non-statistical sampling.

    1. Statistical sampling. An objective method of determining the sample size and the selection criteria. The IS auditor quantitatively decides how closely the sample should represent the population (assessing sample precision), and the number of times in 100 the sample should represent the population (the reliability or confidence level). This assessment will be represented as a percentage.
    2. Non-statistical sampling. Uses auditor judgment to determine the method of sampling, the number of items that will be examined from a population (sample size) and which items to select (sample selection). These decisions are based on subjective judgment as to which items/transactions are the most material and most risky.

    Within the two general approaches are two primary methods of sampling:
    - Attribute sampling - Generally applied in compliance testing situations; deals with the presence or absence of the attribute and provides conclusions that are expressed in rates of incidence.
    - Variable sampling - Generally applied in substantive testing situations; deals with population characteristics that vary, such as dollars and weights, and provides conclusions related to deviations from the norm.

    Note to the instructor: Candidates will be expected to know the difference between attribute and variable sampling and when each approach should be applied. (See next slide)

    Within attribute sampling are three different types of proportional sampling:
    - Attribute sampling is a sampling model that is used to estimate the rate of occurrence of a specific quantity (attribute) in a population. It answers the question "how many?"
    - Stop-or-go sampling is a sampling model that helps prevent excessive sampling of an attribute by allowing an audit test to be stopped at the earliest possible moment.
    - Discovery sampling is a sampling model that can be used when the expected occurrence rate is extremely low. Discovery sampling is more often used when the objective of the audit is to seek out (discover) fraud or other irregularities.

    Variable sampling refers to a number of types of quantitative sampling methods:
    - Stratified mean per unit is a statistical model in which the population is divided into groups and samples are drawn from the various groups.
    - Unstratified mean per unit is a statistical model whereby a sample mean is calculated and projected as an estimated total.
    - Difference estimation is a statistical model used to estimate the total difference between audited values and book (unaudited) values based on differences obtained from sample observations.
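    The three variable sampling estimators applied to one constructed inventory population, as an added example that is not from the CISA Review Manual or the slide deck. The population of twenty items, the six audited values and the rule that stratifies items by book value are all assumptions made for the illustration.

```python
# Added example (not from the CISA Review Manual or the slide deck): the three
# variable sampling estimators applied to a constructed inventory population.
# Item ids, book values and audited values are all hypothetical.
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Item:
    item_id: int
    book_value: float   # value carried in the (unaudited) inventory records


# Constructed population of 20 items: 10 small, 5 medium, 5 large book values.
POPULATION = (
    [Item(i, 100 + 10 * (i - 1)) for i in range(1, 11)]        # 100 .. 190
    + [Item(i, 1000 + 100 * (i - 11)) for i in range(11, 16)]  # 1000 .. 1400
    + [Item(i, 5000 + 100 * (i - 16)) for i in range(16, 21)]  # 5000 .. 5400
)

# Constructed audited values for the six items the auditor physically counted.
AUDITED = {1: 100.0, 5: 120.0, 12: 1100.0, 14: 1250.0, 18: 5000.0, 20: 5400.0}


def stratum_of(book_value):
    """Assumed stratification rule: group items by the size of their book value."""
    if book_value < 1000:
        return "small"
    if book_value < 5000:
        return "medium"
    return "large"


def unstratified_mean_per_unit(population, audited):
    """Sample mean of the audited values projected over the whole population."""
    return mean(audited.values()) * len(population)


def stratified_mean_per_unit(population, audited, stratum_of=stratum_of):
    """Project each stratum separately with its own sample mean, then add the strata."""
    strata = {}
    for item in population:
        strata.setdefault(stratum_of(item.book_value), []).append(item)
    total = 0.0
    for name, items in strata.items():
        sampled = [audited[it.item_id] for it in items if it.item_id in audited]
        if not sampled:
            raise ValueError(f"stratum {name!r} has no sampled items; draw a sample from every stratum")
        total += mean(sampled) * len(items)
    return total


def difference_estimate(population, audited):
    """Book total adjusted by the mean (audited - book) difference projected over the population."""
    by_id = {it.item_id: it for it in population}
    diffs = [audited[i] - by_id[i].book_value for i in audited]
    book_total = sum(it.book_value for it in population)
    return book_total + mean(diffs) * len(population)


if __name__ == "__main__":
    print("book total          ", sum(it.book_value for it in POPULATION))
    print("unstratified MPU    ", round(unstratified_mean_per_unit(POPULATION, AUDITED), 2))
    print("stratified MPU      ", stratified_mean_per_unit(POPULATION, AUDITED))
    print("difference estimate ", difference_estimate(POPULATION, AUDITED))
```

    On this constructed population the stratified and difference estimates land close to the book total of 33450, while projecting the unstratified sample mean over a population this skewed overstates it by roughly a third, which is the practical reason the manual lists stratification as a method in its own right.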

    Refer to pages 46-47 of the 2006 CISA Review Manual for further detail.

    Candidates must be familiar with statistical sampling terms.

    Confidence coefficient (also referred to as confidence level or reliability factor) is a percentage expression (90 percent, 95 percent, 99 percent, etc.) of the probability that the characteristics of the sample are a true representation of the population. Level of risk is equal to one minus the confidence coefficient. For example, if the confidence coefficient is 95 percent, the level of risk is five percent (100 percent - 95 percent).

    Precision, set by the IS auditor, represents the acceptable range difference between the sample and the actual population. For attribute sampling this figure is stated as a percentage. For variable sampling this figure is stated as a monetary amount or a number. The higher the precision amount, the smaller the sample size, and the greater the risk of fairly large total error amounts going undetected. The smaller the precision amount, the greater the sample size. A very low precision level may lead to an unnecessarily large sample size.

    Expected error rate is an estimate, stated as a percentage, of the errors that may exist. The greater the expected error rate, the greater the sample size. This figure is applied to attribute sampling formulas, but not to variable sampling formulas.

    Sample mean is the sum of all sample values, divided by the size of the sample. It measures the average size of the sample.

    Sample standard deviation computes the variance of the sample values from the mean of the sample. It measures the spread or dispersion of the sample values.

    Tolerable error rate describes the maximum misstatement or number of errors that can exist without an account being materially misstated. Tolerable rate is used for the planned upper limit of the precision range for compliance testing. The term is expressed as a percentage. Precision range and precision mean the same thing when used in substantive testing.

    Population standard deviation is a mathematical concept that measures the relationship to the normal distribution. The greater the standard deviation, the larger the sample size. This figure is applied to variable sampling formulas, but not to attribute sampling formulas.

    It is also important for the auditor to know the key steps in the construction and selection of a sample for an audit test:
    1. Determine the objectives of the test.
    2. Define the population to be sampled.
    3. Determine the sampling method, such as attribute versus variable sampling.
    4. Calculate the sample size.
    5. Select the sample.
    6. Evaluate the sample from an audit perspective.
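    The six steps carried through in code, as an added example that is not from the CISA Review Manual or the course. The sample-size formulas are the standard normal-approximation formulas for attribute and variable sampling, which the page itself does not give; the z table, the invoice population, the seed and the tolerable rate are assumptions made for the illustration. The functions reproduce the relationships stated in the glossary above: a higher expected error rate or a larger population standard deviation enlarges the sample, a looser precision shrinks it.

```python
# Added example (not from the CISA Review Manual or the slide deck): the six sampling
# steps carried through in code. Sample-size formulas are the standard
# normal-approximation formulas (not given on the page); the invoice population,
# seed and tolerable rate are constructed for illustration.
import math
import random

# Two-sided standard normal z values for the usual confidence coefficients.
Z_FOR_CONFIDENCE = {0.90: 1.645, 0.95: 1.960, 0.99: 2.576}


def level_of_risk(confidence):
    """Level of risk = 1 - confidence coefficient (e.g. 95% confidence -> 5% risk)."""
    return round(1.0 - confidence, 10)


def attribute_sample_size(confidence, precision, expected_error_rate):
    """n = z^2 * p(1-p) / E^2, with precision E and expected error rate p as fractions.
    A higher expected error rate or a tighter precision gives a larger sample."""
    z = Z_FOR_CONFIDENCE[confidence]
    p = expected_error_rate
    return math.ceil(z * z * p * (1 - p) / (precision * precision))


def variable_sample_size(confidence, precision_amount, population_std_dev):
    """n = (z * sigma / E)^2, with precision E stated as a monetary amount.
    A larger population standard deviation gives a larger sample."""
    z = Z_FOR_CONFIDENCE[confidence]
    return math.ceil((z * population_std_dev / precision_amount) ** 2)


def select_sample(population_ids, size, seed=0):
    """Step 5: simple random selection, seeded so the selection can be reproduced in the work papers."""
    ids = list(population_ids)
    if size > len(ids):
        raise ValueError("sample size exceeds population size")
    return sorted(random.Random(seed).sample(ids, size))


def evaluate_attribute_sample(sample_ids, has_deviation, tolerable_rate):
    """Step 6: occurrence rate in the sample compared with the tolerable error rate."""
    deviations = [i for i in sample_ids if has_deviation(i)]
    rate = len(deviations) / len(sample_ids)
    return {"deviations": deviations, "occurrence_rate": rate, "within_tolerance": rate <= tolerable_rate}


# Constructed population: 300 invoice numbers; every 25th invoice lacks an approval (4%).
INVOICES = range(1, 301)


def lacks_approval(invoice_no):
    """Constructed attribute of interest: the invoice was paid without a recorded approval."""
    return invoice_no % 25 == 0


if __name__ == "__main__":
    # Step 1: objective - were invoices approved before payment?  Step 2: population - INVOICES.
    # Step 3: attribute sampling, since this is a compliance test.  Step 4: sample size.
    n = attribute_sample_size(0.95, precision=0.05, expected_error_rate=0.02)
    sample = select_sample(INVOICES, n, seed=42)
    result = evaluate_attribute_sample(sample, lacks_approval, tolerable_rate=0.05)
    print(f"risk {level_of_risk(0.95):.0%}, sample size {n}, occurrence rate {result['occurrence_rate']:.1%}")
    print("within tolerance" if result["within_tolerance"] else "deviations exceed the tolerable rate")
```

    Because the selection is seeded, the same sample can be regenerated from the work papers when a reviewer re-performs the test.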

    The candidate should have a thorough understanding of computer-assisted audit techniques (CAATs) and know where and when to apply them.

    CAATs are a significant tool for IS auditors to gather information independently and provide a means to gain access and to analyze data for a predetermined audit objective and to report the audit findings with emphasis on the reliability of the records produced and maintained in the system. The reliability of the source of the information used provides reassurance on findings generated.

    CAATs include:
    - Generalized audit software (ACL, IDEA, etc.) - provides an independent means to gain access to data for analysis. The effective and efficient use of the software requires an understanding of its capabilities and limitations. Generalized audit software (GAS) refers to standard software that has the capability to directly read and access data from various database platforms, flat file systems and ASCII formats. IS auditors can directly access the data stored in a computer and perform various types of mathematical computations and statistical analysis.
    - Utility software - is a subset of software, such as database management system report generators, that provides evidence to the auditors about system control effectiveness.
    - Test data - involves the auditors using a sample set of data to assess whether logic errors exist in a program and whether the program meets its objectives.
    - Application software for continuous online audits - review of an application system will provide information about internal controls built into the system.
    - Audit expert systems - give direction and valuable information to all levels of auditors while carrying out the audit because the query-based system is built on the knowledge base of the senior auditors or managers.

    Need for CAATs

    The audit findings and conclusions are to be supported by appropriate analysis and interpretation of the evidence. Today's information processing environments pose a stiff challenge to the IS auditor to collect sufficient, relevant and useful evidence, since the evidence exists on magnetic media and can only be examined using CAATs. With systems having different hardware and software environments, different data structures, record formats, processing functions, etc., it is almost impossible for IS auditors to collect evidence without a software tool to collect and analyze the records.

    Functional Capabilities of CAATs

    Generalized audit software provides IS auditors the ability to use high-level problem-solving software to invoke functions to be performed on data files. The functions supported in generalized audit software include:
    - File access - Enables the reading of different record formats and file structures
    - File reorganization - Enables the indexing, sorting, merging and linking with another file
    - Data selection - Enables global filtration conditions and selection criteria
    - Statistical functions - Enables sampling, stratification and frequency analysis
    - Arithmetical functions - Enables arithmetic operators and functions
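    The five function groups above, exercised on two constructed CSV extracts in a small Python stand-in for generalized audit software. This is an added example, not code from ACL, IDEA, the CISA Review Manual or the course; the payment and vendor records are hypothetical, and the extracts represent the read-only copies of production files that the text says the auditor should work from.

```python
# Added example (not from the CISA Review Manual or the slide deck): the generalized
# audit software functions (file access, reorganization, data selection, statistical
# and arithmetical functions) on two constructed CSV extracts. Vendor ids, payments
# and names are hypothetical; the extracts stand in for read-only copies of production files.
import csv
import io
import random
from collections import Counter

# Constructed extract of a payments file (a copy, never the production file itself).
PAYMENTS_CSV = """payment_id,vendor_id,amount,approved_by
P001,V10,1200.00,alice
P002,V11,340.50,bob
P003,V10,9800.00,
P004,V12,75.25,alice
P005,V13,15000.00,carol
P006,V11,340.50,bob
P007,V10,2500.00,alice
P008,V99,4200.00,bob
"""

# Constructed vendor master file used to link payments to vendor records.
VENDORS_CSV = """vendor_id,vendor_name,active
V10,Acme Ltd,Y
V11,Bolt Co,Y
V12,Cog Inc,N
V13,Delta LLC,Y
"""


def read_file(csv_text):
    """File access: read a delimited extract into records, converting the amount field."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    for row in rows:
        if "amount" in row:
            row["amount"] = float(row["amount"])
    return rows


def link_to_master(payments, vendors):
    """File reorganization: index the master by vendor_id and link each payment to it.
    Payments with no master record are returned separately (a classic exception)."""
    index = {v["vendor_id"]: v for v in vendors}
    linked, unmatched = [], []
    for p in payments:
        master = index.get(p["vendor_id"])
        if master is None:
            unmatched.append(p["payment_id"])
        else:
            linked.append({**p, "vendor_name": master["vendor_name"], "active": master["active"]})
    return linked, unmatched


def sort_by_amount(payments, descending=True):
    """File reorganization: sort the file on a field."""
    return sorted(payments, key=lambda p: p["amount"], reverse=descending)


def select_where(payments, predicate):
    """Data selection: apply a global filter condition and return the matching ids."""
    return [p["payment_id"] for p in payments if predicate(p)]


def duplicates(payments, *fields):
    """Data selection: records whose chosen fields repeat (possible double payments)."""
    seen = Counter(tuple(p[f] for f in fields) for p in payments)
    return sorted(p["payment_id"] for p in payments if seen[tuple(p[f] for f in fields)] > 1)


def frequency_by(payments, field):
    """Statistical function: frequency analysis on a field."""
    return dict(Counter(p[field] for p in payments))


def stratify(payments, bounds):
    """Statistical function: count records per amount band defined by ascending bounds."""
    edges = [0.0] + list(bounds) + [float("inf")]
    return [(lo, hi, sum(1 for p in payments if lo <= p["amount"] < hi)) for lo, hi in zip(edges, edges[1:])]


def random_sample(payments, size, seed=0):
    """Statistical function: simple random sample of records (seeded for the work papers)."""
    return random.Random(seed).sample(payments, size)


def total_amount(payments):
    """Arithmetical function: foot the amount column."""
    return round(sum(p["amount"] for p in payments), 2)


if __name__ == "__main__":
    payments, vendors = read_file(PAYMENTS_CSV), read_file(VENDORS_CSV)
    linked, unmatched = link_to_master(payments, vendors)
    print("no vendor master record:", unmatched)
    print("paid to inactive vendor:", select_where(linked, lambda p: p["active"] == "N"))
    print("no approver recorded:   ", select_where(payments, lambda p: not p["approved_by"]))
    print("same vendor and amount: ", duplicates(payments, "vendor_id", "amount"))
    print("payments per vendor:    ", frequency_by(payments, "vendor_id"))
    print("amount strata:          ", stratify(payments, [1000, 5000]))
    print("total paid:             ", total_amount(payments))
```

    Each query returns record ids rather than printing, so the exceptions can be carried straight into the work papers or fed to a sampling step.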

    Areas of Concern
    - Integrity, reliability and security of the CAATs beforehand
    - Integrity of the information systems and security environment
    - Confidentiality and security of data as required by the clients

    Examples of CAATs:
    - Generalized audit software (ACL, IDEA, etc.)
    - Utility software
    - SQL commands
    - Third-party access control software
    - Application systems
    - Options and reports built into the system

    CAATs as a Continuous Online Audit Approach

    An increasingly important advantage of CAATs is the ability to improve audit efficiency, particularly in paperless environments, through continuous online auditing techniques. To this end, IS auditors must develop audit techniques that are appropriate for use with advanced computerized systems. In addition, they must be involved in the creation of advanced systems at the very early stages of development and implementation, and they must make greater use of automated tools that are suitable for use within their organization's automated environment. This is in the form of the continuous audit approach (for more detailed information on continuous online auditing, see chapter 7, Business Process Evaluation and Risk Management).

    Note to the instructor: Discuss with candidates the advantages/benefits of CAATs.

    CAATs offer the following advantages:
    - Reduced level of audit risk
    - Greater independence from the auditee
    - Broader and more consistent audit coverage
    - Faster availability of information
    - Improved exception identification
    - Greater flexibility of run times
    - Greater opportunity to quantify internal control weaknesses
    - Enhanced sampling
    - Cost savings over time

    Cost/benefits of CAATs

    As with any other process, an IS auditor should weigh the costs and benefits of CAATs before going through the effort, time and expense of purchasing or developing them. Issues to consider include:
    - Ease of use, both for existing audit staff and future staff
    - Training requirements
    - Complexity of coding and maintenance
    - Flexibility of uses
    - Installation requirements
    - Processing efficiencies (especially with a PC CAAT)
    - Effort required to bring the source data into the CAATs for analysis

    When developing CAATs, the following are examples of documentation to be retained:
    - Online reports detailing high-risk issues for review
    - Commented program listings
    - Flowcharts
    - Sample reports
    - Record and file layouts
    - Field definitions
    - Operating instructions
    - Description of applicable source documents

    The CAATs documentation should be referenced to the audit program and clearly identify the audit procedures and objectives being served. When requesting access to production data for use with CAATs, the IS auditor should request read-only access.

    Any data manipulation done by the IS auditor should be done to copies of production files in a controlled environment that ensures production data are not exposed to unauthorized updating.

    After developing an audit program and gathering audit evidence, the next step is an evaluation of the information gathered in order to develop an audit opinion. This requires the IS auditor to consider a series of strengths and weaknesses and then to develop audit opinions and recommendations.

    The IS auditor should assess the results of the evidence gathered for compliance with the control requirements or objectives established during the planning stage of the audit. This requires considerable judgment, as controls are often unclear. A control matrix is often utilized in assessing the proper level of controls.

    As part of the information systems review, the IS auditor may discover a variety of strong and weak controls. All should be considered when evaluating the overall control structure. In some instances, one strong control may compensate for a weak control in another area. The IS auditor should be aware of compensating controls in areas where controls have been identified as weak.

    A control objective will not normally be achieved by a single control being considered adequate on its own. Controls must be evaluated to determine how they relate to each other. Evaluate the totality of control by considering the strengths and weaknesses of control procedures. Assess the strengths and weaknesses of the controls evaluated and then determine if they are effective in meeting the control objectives established as part of the audit planning process.

    Refer to pages 49-50 of the 2006 CISA Review Manual for further details.

    Judging materiality of findings

    The concept of materiality is a key issue when deciding which findings to bring forward in an audit report. Key to determining the materiality of audit findings is the assessment of what would be significant to different levels of management. Assessment requires judgment of the potential effect of the finding if corrective action is not taken.

    Assess what is significant to different levels of management. Discuss examples of what might be important to different levels of management and why.

    Note to the instructor: The IS auditor must use judgment when deciding which findings to present to various levels of management. The IS auditor should always judge which findings are material to various levels of management and should report them accordingly.

    Refer to page 50 of the 2006 CISA Review Manual for further details.

    Communicating audit results

    The exit interview, conducted at the end of the audit, provides the IS auditor with the opportunity to discuss findings and recommendations with management. The objectives and scope of the audit can be discussed and the IS audit process can be explained. During the exit interview, the IS auditor should:
    - Ensure that the facts presented in the report are correct
    - Ensure that the recommendations are realistic and cost-effective, and if not, seek alternatives through negotiation with the audited area
    - Recommend implementation dates for agreed recommendations

    The IS auditor will frequently be asked to present the results of audit work to various levels of management. The IS auditor should have a thorough understanding of the presentation techniques necessary to communicate these results.

    Presentation techniques could include the foll