
Page 1: cisa ch 1

© Copyright 2013 ISACA. All rights reserved.

TRUST IN, AND VALUE FROM, INFORMATION SYSTEMS

ISACA®


2013 CISA Review Course

CHAPTER 1: THE PROCESS OF AUDITING INFORMATION SYSTEMS


About Me…

• Bharat Raigangar – Director, Corporate Service Advisory Inc
» Offices in United States of America, UAE & India
– Country Head of Corporate Security & Fraud Risk, Royal Bank of Scotland – Middle East & Africa
– President of ISACA UAE Chapter – 2010 & 2011
– Board Member from 2004
– Board Member of Association of Certified Fraud Examiners
– Certifications – C-CISO, CRISC, CGEIT, CISM, CISA, CIA, CFE, CICA, CFAP, DBM, MBC


About My Organization

• Corporate Governance
– Information Governance & Control
– Business Process Re-Engineering
• Corporate Risk Management
• Fraud Management
• Records Management
• Business Resilience
• Health & Safety
• Specialized Training
• M&A Risk Advisory
• General Advisory…


Domains

• The Process of Auditing Information Systems (14%)
• Governance and Management of IT (14%)
• Information Systems Acquisition, Development and Implementation (19%)
• Information Systems Operations, Maintenance and Support (23%)
• Protection of Information Assets (30%)


Course Agenda

• Learning Objectives

• Discuss Task and Knowledge Statements

• Discuss specific topics within the chapter

• Case studies

• Sample questions


Exam Relevance

Ensure that the CISA candidate has the knowledge necessary to provide audit services in accordance with IT audit standards to assist the organization with protecting and controlling information systems.

The content area in this chapter will represent approximately 14% of the CISA examination (approximately 28 questions).


The Process of Auditing Information Systems

Domain definition:
• Provide audit services in accordance with IT audit standards to assist the organization in protecting and controlling information systems.


Learning Objectives

Ensure that the CISA candidate has the knowledge necessary to provide audit services in accordance with IT audit standards to assist the organization with protecting and controlling information systems.


Topics

• Management of the IS Audit Function
• ISACA IT Audit and Assurance Standards and Guidelines
• Risk Analysis
• Internal Controls
• Performing an IS Audit
• Control Self-Assessment (CSA)
• Evolving IS Audit Process
• Case Studies
• Q&A


Domain 1 Task Statements

There are five tasks within this domain that a CISA must know how to perform:

T1.1 Develop and implement a risk-based IT audit strategy in compliance with IT audit standards to ensure that key areas are included.

T1.2 Plan specific audits to determine whether information systems are protected, controlled and provide value to the organization.

T1.3 Conduct audits in accordance with IT audit standards to achieve planned audit objectives.


Domain 1 Task Statements

T1.4 Report audit findings and make recommendations to key stakeholders to communicate results and effect change when necessary.

T1.5 Conduct follow-ups or prepare status reports to ensure appropriate actions have been taken by management in a timely manner.


Domain 1 Knowledge Statements

There are 10 knowledge statements within the Process of Auditing Information Systems domain:

KS1.1 Knowledge of ISACA IT Audit and Assurance Standards, Guidelines, and Tools and Techniques; Code of Professional Ethics; and other applicable standards

KS1.2 Knowledge of risk assessment concepts, tools and techniques in an audit context

KS1.3 Knowledge of control objectives and controls related to information systems

KS1.4 Knowledge of audit planning and audit project management techniques, including follow-up


Domain 1 Knowledge Statements

KS1.5 Knowledge of fundamental business processes (e.g., purchasing, payroll, accounts payable, accounts receivable) including relevant IT

KS1.6 Knowledge of applicable laws and regulations that affect the scope, evidence collection and preservation, and frequency of audits

KS1.7 Knowledge of evidence collection techniques (e.g., observation, inquiry, inspection, interview, data analysis) used to gather, protect and preserve audit evidence


Domain 1 Knowledge Statements

KS1.8 Knowledge of different sampling methodologies

KS1.9 Knowledge of reporting and communication techniques (e.g., facilitation, negotiation, conflict resolution, audit report structure)

KS1.10 Knowledge of audit quality assurance systems and frameworks


1.2.1 Organization of the IS Audit Function

• Audit charter (or engagement letter)
– Stating management’s responsibility and objectives for, and delegation of authority to, the IS audit function
– Outlining the overall authority, scope and responsibilities of the audit function

• Approval of the audit charter

• Change in the audit charter


1.2.2 IS Audit Resource Management

• Limited number of IS auditors

• Maintenance of their technical competence

• Assignment of audit staff


1.2.3 Audit Planning

Short-term planning and long-term planning. Things to consider:
• New control issues
• Changing technologies
• Changing business processes
• Enhanced evaluation techniques

Individual audit planning: understanding of the overall environment
• Business practices and functions
• Information systems and technology


1.2.3 Audit Planning (cont.)


1.2.4 Effect of Laws and Regulations on IS Audit Planning

Regulatory requirements generally describe the:

• Establishment

• Organization

• Responsibilities

• Correlation of the regulation to financial, operational and IS audit functions


1.2.4 Effect of Laws and Regulations on IS Audit Planning (cont.)

Steps to determine compliance with external requirements:

• Identify external requirements

• Document pertinent laws and regulations

• Assess whether management and the IS function have considered the relevant external requirements

• Review internal IS department documents that address adherence to applicable laws

• Determine adherence to established procedures


1.3.1 ISACA Code of Professional Ethics

The Association’s Code of Professional Ethics provides guidance for the professional and personal conduct of members of ISACA and/or certification holders.


1.3.2 ISACA IS Audit and Assurance Standards Framework

Framework for the ISACA IS Auditing Standards:

• Standards www.isaca.org/standards

• Guidelines www.isaca.org/guidelines

• Tools and Techniques


1.3.2 ISACA IS Audit and Assurance Standards Framework (cont.)

Objectives of the ISACA IS Audit and Assurance Standards:

• Inform management and other interested parties of the profession’s expectations concerning the work of audit practitioners

• Inform information system auditors of the minimum level of acceptable performance required to meet professional responsibilities set out in the ISACA Code of Professional Ethics


1.3.2 ISACA IS Audit and Assurance Standards Framework (cont.)

S1 - Audit Charter

S2 - Independence

S3 - Ethics and Standards

S4 - Competence

S5 - Planning

S6 - Performance of Audit Work

S7 - Reporting

S8 - Follow-up Activities


1.3.2 ISACA IS Audit and Assurance Standards Framework (cont.)

S9 - Irregularities and illegal acts

S10 - IT governance

S11 - Use of risk assessment in audit planning

S12 - Audit Materiality

S13 - Using the Work of Other Experts

S14 - Audit Evidence

S15 - IT Controls

S16 - E-commerce


1.3.2 ISACA IT Audit and Assurance Standards Framework (cont.)

S1 - Audit Charter
• Purpose, responsibility, authority and accountability
• Approval

S2 - Independence
• Professional independence
• Organizational independence


1.3.2 ISACA IT Audit and Assurance Standards Framework (cont.)

S3 - Professional Ethics and Standards
• Code of Professional Ethics
• Due professional care

S4 - Competence
• Skills and knowledge
• Continuing professional education


1.3.2 ISACA IT Audit and Assurance Standards Framework (cont.)

S5 - Planning
• Plan IS audit coverage
• Develop and document a risk-based audit approach
• Develop and document an audit plan
• Develop an audit program and procedures

S6 - Performance of Audit Work
• Supervision
• Evidence
• Documentation


1.3.2 ISACA IT Audit and Assurance Standards Framework (cont.)

S7 - Reporting
• Identify the organization, intended recipients and any restrictions
• State the scope, objectives, coverage and nature of audit work performed
• State the findings, conclusions and recommendations and limitations
• Justify the results reported
• Be signed, dated and distributed according to the audit charter


1.3.2 ISACA IT Audit and Assurance Standards Framework (cont.)

S8 - Follow-up Activities
• Review previous conclusions and recommendations
• Review previous relevant findings
• Determine whether appropriate actions have been taken by management in a timely manner


1.3.2 ISACA IT Audit and Assurance Standards Framework (cont.)

S9 - Irregularities and Illegal Acts
• Consider the risk of irregularities and illegal acts
• Maintain an attitude of professional skepticism
• Obtain an understanding of the organization and its environment
• Consider unusual or unexpected relationships
• Test the appropriateness of internal control
• Assess any misstatement


1.3.2 ISACA IT Audit and Assurance Standards Framework (cont.)

S9 - Irregularities and Illegal Acts (continued)
• Obtain written representations from management
• Have knowledge of any allegations of irregularities or illegal acts
• Communicate material irregularities or illegal acts
• Consider appropriate action in case of inability to continue performing the audit
• Document irregularity- or illegal act-related communications, planning, results, evaluations and conclusions


1.3.2 ISACA IT Audit and Assurance Standards Framework (cont.)

S10 - IT Governance
• Review and assess the IS function’s alignment with the organization’s mission, vision, values, objectives and strategies
• Review the IS function’s statement about the performance and assess its achievement
• Review and assess the effectiveness of IS resource and performance management processes


1.3.2 ISACA IT Audit and Assurance Standards Framework (cont.)

S10 - IT Governance (continued)
• Review and assess compliance with legal, environmental and information quality, and fiduciary and security requirements
• Use a risk-based approach to evaluate the IS function
• Review and assess the organization’s control environment
• Review and assess the risks that may adversely affect the IS environment


1.3.2 ISACA IT Audit and Assurance Standards Framework (cont.)

S11 - Use of Risk Assessment in Audit Planning
• Use a risk assessment technique in developing the overall IS audit plan
• Identify and assess relevant risks in planning individual reviews


1.3.2 ISACA IT Audit and Assurance Standards Framework (cont.)

S12 - Audit Materiality
• The IS auditor should consider audit materiality and its relationship to audit risk
• The IS auditor should consider potential weakness or absence of controls when planning for an audit
• The IS auditor should consider the cumulative effect of minor control deficiencies or weaknesses
• The IS audit report should disclose ineffective controls or absence of controls


1.3.2 ISACA IT Audit and Assurance Standards Framework (cont.)

S13 - Using the Work of Other Experts
• The IS auditor should consider using the work of other experts
• The IS auditor should be satisfied with the qualifications, competencies, etc., of other experts
• The IS auditor should assess, review and evaluate the work of other experts
• The IS auditor should determine if the work of other experts is adequate and complete
• The IS auditor should apply additional test procedures to gain sufficient and appropriate audit evidence
• The IS auditor should provide an appropriate audit opinion


1.3.2 ISACA IT Audit and Assurance Standards Framework (cont.)

S14 - Audit Evidence
• Includes procedures performed by the auditor and results of those procedures
• Includes source documents, records and corroborating information
• Includes findings and results of the audit work
• Demonstrates that the work was performed and complies with applicable laws, regulations and policies


1.3.2 ISACA IT Audit and Assurance Standards Framework (cont.)

S15 - IT Controls
• The IS auditor should evaluate and monitor IT controls that are an integral part of the internal control environment of the organization.

S16 - E-commerce
• The IS auditor should evaluate applicable controls and assess risk when reviewing e-commerce environments to ensure that e-commerce transactions are properly controlled.


1.3.3 ISACA IT Audit and Assurance Guidelines

G1 Using the Work of Other Auditors, effective 1 March 2008

G2 Audit Evidence Requirement, effective 1 May 2008

G3 Use of Computer Assisted Audit Techniques (CAATs), effective 1 March 2008

G4 Outsourcing of IS Activities to Other Organizations, effective 1 May 2008

G5 Audit Charter, effective 1 February 2008

G6 Materiality Concepts for Auditing Information Systems, effective 1 May 2008

G7 Due Professional Care, effective 1 March 2008

G8 Audit Documentation, effective 1 March 2008


1.3.3 ISACA IS Auditing Guidelines (cont.)

G9 Audit Considerations for Irregularities, effective 1 September 2008

G10 Audit Sampling, effective 1 August 2008

G11 Effect of Pervasive IS Controls, effective 1 August 2008

G12 Organizational Relationship and Independence, effective 1 August 2008

G13 Use of Risk Assessment in Audit Planning, effective 1 August 2008

G14 Application Systems Review, effective 1 December 2008 Withdrawn 14 Jan. 2013—See Generic Applications Audit/Assurance Program

G15 Audit Planning, effective 1 May 2010

G16 Effect of Third Parties on an Organization’s IT Controls, effective 1 March 2009 See Outsourced IT Environments Audit/Assurance Program

G17 Effect of Non-audit Role on the IS Auditor’s Independence, effective 1 May 2010


1.3.3 ISACA IS Auditing Guidelines (cont.)

G18 IT Governance, effective 1 July 2002 Withdrawn 14 Jan. 2013

G19 Irregularities and Illegal Acts Withdrawn 1 September 2008

G20 Reporting, effective 16 September 2010

G21 Enterprise Resource Planning (ERP) Systems Review, effective 16 September 2010 Withdrawn 14 Jan. 2013—See Security, Audit and Control Features SAP ERP, 3rd Edition Audit Programs and ICQs

G22 Business-to-consumer (B2C) E-commerce Review, effective 1 December 2008 Withdrawn 14 Jan. 2013—See E-commerce and PKI Audit/Assurance Program

G23 System Development Life Cycle (SDLC) Review, effective 1 August 2003 Withdrawn 14 Jan. 2013—See Systems Development and Project Management Audit/Assurance Program

G24 Internet Banking, effective 1 August 2003 Withdrawn 14 Jan. 2013


1.3.3 ISACA IS Auditing Guidelines (cont.)

G25 Review of Virtual Private Networks, effective 1 July 2004 Withdrawn 14 Jan. 2013—See VPN Security Audit/Assurance Program

G26 Business Process Reengineering (BPR) Project Reviews, effective 1 July 2004 Withdrawn 14 Jan. 2013

G27 Mobile Computing, effective 1 September 2004 Withdrawn 14 Jan. 2013—See Mobile Computing Security Audit/Assurance Program

G28 Computer Forensics, effective 1 September 2004 Withdrawn 14 Jan. 2013

G29 Postimplementation Review, effective 1 January 2005 Withdrawn 14 Jan. 2013—See Systems Development and Project Management Audit/Assurance Program

G30 Competence, effective 1 June 2005

G31 Privacy, effective 1 June 2005 Withdrawn 14 Jan. 2013—See PII Audit/Assurance Program


1.3.3 ISACA IS Auditing Guidelines (cont.)

G32 Business Continuity Plan Review From IT Perspective, effective 1 September 2005 Withdrawn 14 Jan. 2013—See Business Continuity Management Audit/Assurance Program

G33 General Considerations on the Use of the Internet, effective 1 March 2006 Withdrawn 14 Jan. 2013—See E-commerce and PKI Audit/Assurance Program

G34 Responsibility, Authority and Accountability, effective 1 March 2006

G35 Follow-up Activities, effective 1 March 2006

G36 Biometric Controls, effective 1 February 2007 Withdrawn 14 Jan. 2013—See Biometrics Audit/Assurance Program

G37 Configuration Management, effective 1 November 2007

G38 Access Control, effective 1 February 2008 Withdrawn 14 Jan. 2013—See Identity Management Audit/Assurance Program


1.3.3 ISACA IS Auditing Guidelines (cont.)

G39 IT Organizations, effective 1 May 2008 Withdrawn 14 Jan. 2013

G40 Review of Security Management Practices, effective 1 December 2008 Withdrawn 14 Jan. 2013—See Security Incident Management Audit/Assurance Program

G41 Return on Security Investment (ROSI), effective 1 May 2010 Withdrawn 14 Jan. 2013

G42 Continuous Assurance, effective 1 May 2010


1.3.4 ISACA IS Audit and Assurance Tools and Techniques

• Guidance and examples of possible processes an IS auditor might follow in an audit engagement.

• IS auditors should apply their own professional judgment to the specific circumstances.


1.3.5 Relationship Among Standards, Guidelines and Tools and Techniques

Standards • Must be followed by IS auditors

Guidelines • Provide assistance on how to implement the standards

Tools and Techniques • Provide examples for implementing the standards


1.3.6 Information Technology Assurance Framework (ITAF™)

Section 1000 – General Standards

Section 1200 – Performance Standards

Section 1400 – Reporting Standards

Section 2000 – General Guidelines

Section 2200 – Performance Guidelines

Section 2400 – Reporting Guidelines

Section 3000 – Tools and Techniques


1.4 Risk Analysis (cont.)

From the IS auditor’s perspective, risk analysis serves more than one purpose:

• It assists the IS auditor in identifying risks and threats to an IT environment and IS system—risks and threats that would need to be addressed by management—and in identifying system-specific internal controls. Depending on the level of risk, this assists the IS auditor in selecting certain areas to examine.


1.4 Risk Analysis (cont.)

• It helps the IS auditor in his/her evaluation of controls in audit planning.

• It assists the IS auditor in determining audit objectives.

• It supports risk-based audit decision making.

• Part of audit planning

• Helps identify risks and vulnerabilities

• The IS auditor can determine the controls needed to mitigate those risks


1.4 Risk Analysis (cont.)

IS auditors must be able to:

• Identify and differentiate risk types and the controls used to mitigate these risks
• Have knowledge of common business risks, related technology risks and relevant controls
• Evaluate the risk assessment and management techniques used by business managers, and make assessments of risk to help focus and plan audit work
• Understand that risk exists within the audit process


1.4 Risk Analysis (cont.)

In analyzing the business risks arising from the use of IT, it is important for the IS auditor to have a clear understanding of:

• The purpose and nature of the business, the environment in which the business operates and related business risks

• The dependence on technology and related dependencies that process and deliver business information

• The business risks of using IT and related dependencies and how they impact the achievement of the business goals and objectives

• A good overview of the business processes and the impact of IT and related risks on the business process objectives


1.4 Risk Analysis (cont.)


1.5 Internal Controls

Policies, procedures, practices and organizational structures implemented to reduce risks

• Classification of internal controls
– Preventive controls
– Detective controls
– Corrective controls


1.5 Internal Controls (cont.)


1.5 Internal Controls (cont.)

Internal control system

• Internal accounting controls

• Operational controls

• Administrative controls


1.5.1 IS Control Objectives

Internal control objectives apply to all areas, whether manual or automated. Therefore, conceptually, control objectives in an IS environment remain unchanged from those of a manual environment.


1.5.1 IS Control Objectives (cont.)

• Safeguarding assets

• Ensuring the integrity of general operating system environments

• Ensuring the integrity of sensitive and critical application system environments through:
– Authorization of the input

– Validation of the input

– Accuracy and completeness of processing of transactions

– All transactions are recorded accurately and entered into the system for the proper period

– Reliability of overall information processing activities

– Accuracy, completeness and security of the output

– Database integrity


1.5.1 IS Control Objectives (cont.)

• Ensuring appropriate identification and authentication of users of IS resources

• Ensuring the efficiency and effectiveness of operations

• Complying with requirements, policies and procedures, and applicable laws

• Developing business continuity and disaster recovery plans

• Developing an incident response plan

• Implementing effective change management procedures


1.5.2 COBIT 5

Figure: Evolution of COBIT scope, 1996 to 2012. COBIT 1 (1996): Audit. COBIT 2 (1998): Control. COBIT 3 (2000): Management. COBIT 4.0/4.1 (2005/7): IT Governance. COBIT 5 (2012): Governance of Enterprise IT. Also shown: Val IT 2.0 (2008) and Risk IT (2009).

A business framework from ISACA, at www.isaca.org/cobit

Source: © 2012 ISACA® All rights reserved.


1.5.2 COBIT 5 (cont.)

The five COBIT 5 principles are:
1. Meeting Stakeholder Needs
2. Covering the Enterprise End-to-end
3. Applying a Single Integrated Framework
4. Enabling a Holistic Approach
5. Separating Governance From Management


Meeting Stakeholder Needs

• Stakeholder needs have to be transformed into an enterprise’s practical strategy.

• The COBIT 5 goals cascade translates stakeholder needs into specific, practical and customised goals within the context of the enterprise, IT-related goals and enabler goals.

Source: COBIT® 5, figure 4. © 2012 ISACA® All rights reserved.


Covering the Enterprise End-to-end

Figure: Key components of a governance system

Source: COBIT® 5, figure 9 and figure 8. © 2012 ISACA® All rights reserved.


Applying a Single, Integrated Framework

There are many IT-related standards and best practices, each providing guidance on a subset of IT activities. COBIT 5 aligns with other relevant standards and frameworks at a high level, and thus can serve as the overarching framework for governance and management of enterprise IT.


Enabling a Holistic Approach

COBIT 5 Enabler Dimensions:
• All enablers have a set of common dimensions. This set of common dimensions:
– Provides a common, simple and structured way to deal with enablers
– Allows an entity to manage its complex interactions
– Facilitates successful outcomes of the enablers

Source: COBIT® 5, figure 13. © 2012 ISACA® All rights reserved.


Separating Governance From Management

• Governance ensures that stakeholder needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved; setting direction through prioritisation and decision making; and monitoring performance and compliance against agreed-on direction and objectives (EDM).

• Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives (PBRM).


Separating Governance From Management (cont.)

COBIT 5 is not prescriptive, but it advocates that organisations implement governance and management processes such that the key areas are covered, as shown.

Source: COBIT® 5, figure 15. © 2012 ISACA® All rights reserved.


1.5.3 General Controls

Apply to all areas of an organization and include policies and practices established by management to provide reasonable assurance that specific objectives will be achieved.

• Internal accounting controls directed at accounting operations
– Operational controls concerned with the day-to-day operations


1.5.3 General Controls (cont.)

– Administrative controls concerned with operational efficiency and adherence to management policies

– Organizational logical security policies and procedures

– Overall policies for the design and use of documents and records

– Procedures and features to ensure authorized access to assets

– Physical security policies for all data centers


1.5.4 IS Controls

• Strategy and direction of the IT function

• General organization and management of the IT function

• Access to IT resources, including data and programs

• Systems development methodologies and change control

• Operations procedures

• Systems programming and technical support functions


1.5.4 IS Controls (cont.)

• Quality assurance procedures

• Physical access controls

• Business continuity/disaster recovery planning

• Networks and communications

• Database administration

• Protection and detective mechanisms against internal and external attacks


1.6 Performing an IS Audit

Definition of auditing: Systematic process by which a competent, independent person objectively obtains and evaluates evidence regarding assertions about an economic entity or event for the purpose of forming an opinion about and reporting on the degree to which the assertion conforms to an identified set of standards.

Definition of IS auditing: Any audit that encompasses review and evaluation (wholly or partly) of automated information processing systems, related non-automated processes and the interfaces between them.


1.6.1 Classification of Audits

• Compliance audits

• Financial audits

• Operational audits

• Integrated audits

• Administrative audits

• IS audits

• Specialized audits

• Forensic audits


1.6.2 Audit Programs

• Based on the scope and objective of the particular assignment

• IS auditor’s perspectives:

– Security (confidentiality, integrity and availability)

– Quality (effectiveness, efficiency)

– Fiduciary (compliance, reliability)

– Service and capacity


1.6.2 Audit Programs (cont.)

General audit procedures
• Understanding of the audit area/subject
• Risk assessment and general audit plan
• Detailed audit planning
• Preliminary review of audit area/subject
• Evaluating audit area/subject
• Verifying and evaluating controls
• Compliance testing
• Substantive testing
• Reporting (communicating results)
• Follow-up


1.6.2 Audit Programs (cont.)

Procedures for Testing and Evaluating IS Controls

• Use of generalized audit software to survey the contents of data files

• Use of specialized software to assess the contents of operating system parameter files

• Flow-charting techniques for documenting automated applications and business processes

• Use of audit reports available in operating systems

• Documentation review

• Observation

• Walkthroughs

• Reperformance of controls
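The first procedure in the list above, surveying a data file with generalized audit software, is what a computer assisted audit technique (CAAT, guideline G3) does in practice. The following is an added example, not code from the course or from ISACA: a small Python script that reads a transaction export and applies several of the application control objectives from 1.5.1 (authorization of input, recording in the proper period, completeness and accuracy of transaction recording). The CSV layout, column names, user ids, amounts and the March 2013 audit period are all constructed for illustration.

```python
"""CAAT-style survey of a transaction export (constructed example)."""
import csv
import io
from datetime import date, datetime
from decimal import Decimal, InvalidOperation

# Constructed sample export. Column names, users, dates and amounts are all
# invented for this example; they are not from the course material.
SAMPLE_EXPORT = """\
txn_id,posted,amount,entered_by,approved_by
1001,2013-03-05,1250.00,jsmith,mkhan
1002,2013-03-07,80.00,jsmith,jsmith
1003,2013-03-09,99999.00,rpatel,
1005,2013-04-02,450.00,rpatel,mkhan
1005,2013-04-02,450.00,rpatel,mkhan
1006,2013-02-28,310.00,tlee,mkhan
1007,03/12/2013,20.00,tlee,mkhan
"""

# Assumed audit period: the scope statement limits the review to March 2013.
AUDIT_PERIOD = (date(2013, 3, 1), date(2013, 3, 31))


def parse_rows(csv_text):
    """Parse the export; rows that fail validation are reported, not dropped silently."""
    rows, unparsable = [], []
    for raw in csv.DictReader(io.StringIO(csv_text)):
        try:
            rows.append({
                "txn_id": int(raw["txn_id"]),
                "posted": datetime.strptime(raw["posted"], "%Y-%m-%d").date(),
                "amount": Decimal(raw["amount"]),
                "entered_by": raw["entered_by"].strip(),
                "approved_by": raw["approved_by"].strip(),
            })
        except (KeyError, TypeError, ValueError, InvalidOperation):
            unparsable.append(raw.get("txn_id") or "?")
    return rows, unparsable


def survey_transactions(csv_text, period=AUDIT_PERIOD):
    """Apply the control tests and return {test_name: sorted txn_ids flagged}."""
    rows, unparsable = parse_rows(csv_text)
    start, end = period
    flagged = {name: set() for name in
               ("outside_period", "unapproved", "sod_violation", "duplicate_id")}
    seen = set()
    for r in rows:
        tid = r["txn_id"]
        # Proper period: the entry must be posted inside the audit period.
        if not start <= r["posted"] <= end:
            flagged["outside_period"].add(tid)
        # Authorization of input: every entry needs an approver, and the
        # approver must not be the person who entered it (segregation of duties).
        if not r["approved_by"]:
            flagged["unapproved"].add(tid)
        elif r["approved_by"] == r["entered_by"]:
            flagged["sod_violation"].add(tid)
        # Accuracy of recording: a transaction id must appear only once.
        if tid in seen:
            flagged["duplicate_id"].add(tid)
        seen.add(tid)
    findings = {name: sorted(ids) for name, ids in flagged.items()}
    # Completeness: ids missing from the numeric sequence point at entries
    # that were never recorded or were deleted, and need an explanation.
    findings["sequence_gap"] = (
        sorted(set(range(min(seen), max(seen) + 1)) - seen) if seen else [])
    findings["unparsable"] = unparsable
    return findings


if __name__ == "__main__":
    for test, ids in survey_transactions(SAMPLE_EXPORT).items():
        print(f"{test:15s} {ids}")
```

Each finding list is evidence in the S14 sense: it records which procedure was run and which records it flagged, so the work paper can cite the test name and the transaction ids rather than an unexplained sample. Rows the script could not parse are reported as their own finding instead of being skipped, because an unreadable record is itself a completeness exception the auditor has to resolve with the data owner.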


1.6.3 Audit Methodology

A set of documented audit procedures designed to achieve planned audit objectives

• Composed of:

– Statement of scope

– Statement of audit objectives

– Statement of audit programs

• Set up and approved by the audit management

• Communicated to all audit staff

1.6.3 Audit Methodology (cont.)

Audit phases:

• Audit subject

• Audit objective

• Audit scope

• Preaudit planning

• Audit procedures and steps for data gathering

• Procedures for evaluating the test or review results

• Procedures for communication with management

• Audit report preparation

1.6.3 Audit Methodology (cont.)

Audit phases and their description:

• Identify the audit subject – Identify the area to be audited.

• Define the audit objective – Identify the purpose of the audit. For example, an objective might be to determine whether program source code changes occur in a well-defined and controlled environment.

• Define the audit scope – Identify the specific systems, function or unit of the organization to be included in the review. For example, in the program changes example above, the scope statement might limit the review to a single application system or to a limited period of time.

• Perform the pre-audit planning

– Identify technical skills and resources needed.

– Identify the sources of information for test or review, such as functional flow charts, policies, standards, procedures and prior audit work papers.

– Identify locations or facilities to be audited.

1.6.3 Audit Methodology (cont.)

Audit phases (continued) and their description:

• Audit procedures and steps for data gathering

– Identify and select the audit approach to verify and test the controls.

– Identify a list of individuals to interview.

– Identify and obtain departmental policies, standards and guidelines for review.

– Develop audit tools and methodology to test and verify controls.

• Procedures for evaluating the test or review results – Organization-specific

• Procedures for communication with management – Organization-specific

• Audit report preparation

– Identify follow-up review procedures.

– Identify procedures to evaluate/test operational efficiency and effectiveness.

– Identify procedures to test controls.

– Review and evaluate the soundness of documents, policies and procedures.

1.6.3 Audit Methodology (cont.)

What is documented in work papers (WPs)?

• Audit plans

• Audit programs

• Audit activities

• Audit tests

• Audit findings and incidents

1.6.4 Fraud Detection

• Management’s responsibility

• Benefits of a well-designed internal control system

– Deterring fraud at the first instance

– Detecting fraud in a timely manner

• Fraud detection and disclosure

• Auditor’s role in fraud prevention and detection

1.6.5 Risk-based Auditing

1.6.6 Audit Risk and Materiality

Audit risk categories

• Inherent risk

• Control risk

• Detection risk

• Overall audit risk

1.6.7 Risk Assessment and Treatment

Assessing security risks

• Risk assessments should identify, quantify and prioritize risks against criteria for risk acceptance and objectives relevant to the organization

• Should be performed periodically, to address changes in the environment and in security requirements, and whenever significant changes occur

1.6.7 Risk Assessment and Treatment (cont.)

Treating security risks

• Each risk identified in a risk assessment needs to be treated

• Possible risk responses include:

– Risk mitigation

– Risk acceptance

– Risk avoidance

– Risk transfer/sharing

1.6.8 Risk Assessment Techniques

• Enables management to effectively allocate limited audit resources

• Ensures that relevant information has been obtained from all levels of management

• Establishes a basis for effectively managing the audit department

• Provides a summary of how the individual audit subject is related to the overall organization as well as to the business plan

1.6.9 Audit Objectives

Specific goals of the audit:

• Compliance with legal and regulatory requirements

• Confidentiality

• Integrity

• Reliability

• Availability

1.6.10 Compliance vs. Substantive Testing

• Compliance test

– Determines whether controls are in compliance with management policies and procedures

• Substantive test

– Tests the integrity of actual processing

• Correlation between the level of internal controls and substantive testing required

• Relationship between compliance and substantive tests

1.6.10 Compliance vs. Substantive Testing (cont.)

1.6.11 Evidence

It is a requirement that the auditor’s conclusions be based on sufficient, competent evidence:

• Independence of the provider of the evidence

• Qualification of the individual providing the information or evidence

• Objectivity of the evidence

• Timing of the evidence

1.6.11 Evidence (cont.)

Techniques for gathering evidence:

• Review IS organization structures

• Review IS policies and procedures

• Review IS standards

• Review IS documentation

• Interview appropriate personnel

• Observe processes and employee performance

1.6.12 Interviewing and Observing Personnel in Performance of Their Duties

• Actual functions

• Actual processes/procedures

• Security awareness

• Reporting relationships

• Observation drawbacks

1.6.13 Sampling

General approaches to audit sampling:

• Statistical sampling

• Non-statistical sampling

1.6.13 Sampling (cont.)

• Attribute sampling

– Stop-or-go sampling

– Discovery sampling

• Variable sampling

– Stratified mean per unit

– Unstratified mean per unit

– Difference estimation

1.6.13 Sampling (cont.)

Statistical sampling terms:

• Confidence coefficient

• Level of risk

• Precision

• Expected error rate

1.6.13 Sampling (cont.)

Statistical sampling terms (continued):

• Sample mean

• Sample standard deviation

• Tolerable error rate

• Population standard deviation

1.6.13 Sampling (cont.)

Key steps in choosing a sample:

• Determine the objectives of the test

• Define the population to be sampled

• Determine the sampling method, such as attribute versus variable sampling

• Calculate the sample size

• Select the sample

• Evaluate the sample from an audit perspective
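The last three steps (calculating the sample size, selecting the sample and evaluating it) carried through for an attribute sample, as an added example that is not part of the ISACA course material. It assumes a binomial model of the deviation rate, a constructed population of 5,000 hypothetical change tickets, and hypothetical parameters of a 95% confidence coefficient, a 5% tolerable error rate and a 1% expected error rate; the function names (`attribute_sample_size`, `upper_deviation_limit`, `evaluate_attribute_sample`, `select_sample`) are this example's own.

```python
import math
import random
from typing import Dict, List


def binom_cdf(k: int, n: int, p: float) -> float:
    """P(X <= k) for X ~ Binomial(n, p): the chance of seeing at most k
    deviations in a sample of n items when the true deviation rate is p."""
    return sum(math.comb(n, i) * p ** i * (1 - p) ** (n - i) for i in range(k + 1))


def attribute_sample_size(confidence: float, tolerable_rate: float,
                          expected_rate: float) -> int:
    """Smallest sample size n such that, if the population deviation rate were
    as bad as the tolerable rate, the probability of observing no more than
    the expected number of deviations is at most (1 - confidence).  With an
    expected rate of 0 this is the familiar (1 - tolerable)**n <= 1 - confidence."""
    if not (0 < confidence < 1 and 0 < tolerable_rate < 1
            and 0 <= expected_rate < tolerable_rate):
        raise ValueError("need 0 <= expected_rate < tolerable_rate and 0 < confidence < 1")
    n = 1
    while True:
        # number of deviations the auditor is prepared to see in a sample of n
        allowed = math.ceil(round(expected_rate * n, 9))
        if binom_cdf(allowed, n, tolerable_rate) <= 1 - confidence:
            return n
        n += 1


def upper_deviation_limit(n: int, observed: int, confidence: float) -> float:
    """Achieved upper precision: the smallest population deviation rate p for
    which seeing `observed` or fewer deviations in n items is no more likely
    than (1 - confidence).  Found by bisection, since the CDF falls as p rises."""
    lo, hi = 0.0, 1.0
    for _ in range(60):
        mid = (lo + hi) / 2
        if binom_cdf(observed, n, mid) <= 1 - confidence:
            hi = mid
        else:
            lo = mid
    return hi


def evaluate_attribute_sample(n: int, observed: int, confidence: float,
                              tolerable_rate: float) -> Dict[str, object]:
    """Evaluate the sample: the control can be relied upon only if the upper
    deviation limit stays within the tolerable rate."""
    upper = upper_deviation_limit(n, observed, confidence)
    return {
        "sample_deviation_rate": observed / n,
        "upper_deviation_limit": upper,
        "rely_on_control": upper <= tolerable_rate,
    }


def select_sample(population: List[str], size: int, seed: int) -> List[str]:
    """Select the sample without bias; the seed goes into the work papers so
    the selection can be reperformed by a reviewer."""
    return random.Random(seed).sample(population, size)


def run_example() -> Dict[str, object]:
    # Constructed population: 5,000 change tickets for one application over
    # the audit period (hypothetical identifiers).
    population = [f"CHG-{i:05d}" for i in range(1, 5001)]
    confidence, tolerable, expected = 0.95, 0.05, 0.01
    n = attribute_sample_size(confidence, tolerable, expected)
    sample = select_sample(population, n, seed=2013)
    # Assume fieldwork found one sampled change without an approved ticket.
    observed = 1
    result = evaluate_attribute_sample(n, observed, confidence, tolerable)
    result.update({"sample_size": n, "first_items": sample[:3]})
    return result


if __name__ == "__main__":
    for key, value in run_example().items():
        print(f"{key}: {value}")
```

With these parameters the function reproduces the figures found in standard attribute-sampling tables (59 items when no deviations are expected, 93 when 1% are), and the evaluation shows why the expected rate matters: one deviation in 93 items keeps the upper limit at the 5% tolerable rate, while three deviations push it well above and the auditor can no longer rely on the control without extending the sample or testing substantively.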

1.6.14 Using the Services of Other Auditors and Experts

Considerations when using services of other auditors and experts:

• Restrictions on outsourcing of audit/security services provided by laws and regulations

• Audit charter or contractual stipulations

• Impact on overall and specific IS audit objectives

• Impact on IS audit risk and professional liability

• Independence and objectivity of other auditors and experts

1.6.14 Using the Services of Other Auditors and Experts (cont.)

Considerations when using services of other auditors and experts (continued):

• Professional competence, qualifications and experience

• Scope of work proposed to be outsourced and approach

• Supervisory and audit management controls

• Method and modalities of communication of results of audit work

• Compliance with legal and regulatory stipulations

• Compliance with applicable professional standards

1.6.15 Computer-assisted Audit Techniques

• CAATs enable IS auditors to gather information independently

• CAATs include:

– Generalized audit software (GAS)

– Utility software

– Debugging and scanning software

– Test data

– Application software tracing and mapping

– Expert systems

1.6.15 Computer-assisted Audit Techniques (cont.)

• Features of generalized audit software (GAS):

– Mathematical computations

– Stratification

– Statistical analysis

– Sequence checking

• Functions supported by GAS:

– File access

– File reorganization

– Data selection

– Statistical functions

– Arithmetical functions
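A GAS-style compliance test of the kind described in 1.6.10 and in Case Study A (trace production code changes back to their authorizing documentation), written as an added example that is neither ISACA's material nor any GAS product's code. It exercises several of the GAS functions listed above (file access, sequence checking, stratification, data selection and arithmetic) over two constructed CSV extracts, a change-ticket file and a deployment log, with hypothetical ticket numbers, systems and user names.

```python
import csv
import io
from collections import Counter
from datetime import datetime
from typing import Dict, List

# Constructed input files (hypothetical tickets, systems and people).  A GAS
# tool would read these from the change database and the deployment log;
# here they are embedded so the example runs offline.
TICKETS_CSV = """ticket,system,approved_by,approved_at,status
CHG-1001,payroll,cab,2013-03-01T09:00,approved
CHG-1002,payroll,cab,2013-03-02T09:00,approved
CHG-1004,billing,cab,2013-03-03T09:00,approved
CHG-1005,billing,,,pending
CHG-1005,billing,cab,2013-03-04T09:00,approved
CHG-1006,hr,cab,2013-03-06T09:00,approved
"""

DEPLOYS_CSV = """deploy_id,ticket,system,deployed_at,deployed_by
D-1,CHG-1001,payroll,2013-03-01T18:00,alice
D-2,CHG-1002,payroll,2013-03-01T20:00,bob
D-3,,billing,2013-03-03T17:00,carol
D-4,CHG-1004,billing,2013-03-03T17:30,alice
D-5,CHG-1009,hr,2013-03-07T10:00,dave
D-6,CHG-1006,hr,2013-03-06T12:00,alice
"""


def load_csv(text: str) -> List[Dict[str, str]]:
    """File access: read a delimited extract into rows."""
    return list(csv.DictReader(io.StringIO(text)))


def sequence_check(tickets: List[Dict[str, str]]) -> Dict[str, List[int]]:
    """Sequence checking: gaps and duplicates in the ticket numbering.
    A gap may mean a deleted record; a duplicate, a reused number."""
    numbers = sorted(int(t["ticket"].split("-")[1]) for t in tickets)
    present = set(numbers)
    gaps = [n for n in range(numbers[0], numbers[-1] + 1) if n not in present]
    duplicates = sorted(n for n, c in Counter(numbers).items() if c > 1)
    return {"gaps": gaps, "duplicates": duplicates}


def stratify(rows: List[Dict[str, str]], key: str) -> Dict[str, int]:
    """Stratification: count records per stratum (here, per system) so that
    findings can be weighted by where the changes actually happen."""
    return dict(Counter(r[key] for r in rows))


def trace_changes_to_authorization(deploys: List[Dict[str, str]],
                                   tickets: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Compliance test: start from what reached production and trace each
    change back to an approved ticket dated before the deployment.
    Returns one exception per deployment that fails the control."""
    approved_at = {}
    for t in tickets:
        if t["status"] == "approved":
            approved_at[t["ticket"]] = datetime.fromisoformat(t["approved_at"])
    exceptions = []
    for d in deploys:
        ticket = d["ticket"]
        deployed = datetime.fromisoformat(d["deployed_at"])
        if not ticket:
            reason = "no change ticket recorded"
        elif ticket not in approved_at:
            reason = "ticket missing or not approved"
        elif approved_at[ticket] > deployed:
            reason = "deployed before approval"
        else:
            continue  # change is authorized: no exception
        exceptions.append({"deploy_id": d["deploy_id"], "system": d["system"],
                           "ticket": ticket, "reason": reason})
    return exceptions


def run_example() -> Dict[str, object]:
    tickets, deploys = load_csv(TICKETS_CSV), load_csv(DEPLOYS_CSV)
    exceptions = trace_changes_to_authorization(deploys, tickets)
    return {
        "sequence": sequence_check(tickets),
        "deploys_per_system": stratify(deploys, "system"),
        "exceptions_per_system": stratify(exceptions, "system"),
        "exceptions": exceptions,
        "deviation_rate": len(exceptions) / len(deploys),
    }


if __name__ == "__main__":
    for key, value in run_example().items():
        print(f"{key}: {value}")
```

The direction of the trace is the point of the test: starting from the deployment log catches changes that never had a ticket at all, which starting from the ticket file cannot, and comparing approval and deployment timestamps catches approvals written up after the fact.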

1.6.15 Computer-assisted Audit Techniques (cont.)

Items to consider before utilizing CAATs:

• Ease of use for existing and future audit staff

• Training requirements

• Complexity of coding and maintenance

• Flexibility of uses

• Installation requirements

• Processing efficiencies

• Confidentiality of data being processed

1.6.15 Computer-assisted Audit Techniques (cont.)

Documentation that should be retained:

• Online reports

• Commented program listings

• Flowcharts

• Sample reports

• Record and file layouts

• Field definitions

• Operating instructions

• Description of applicable source documents

1.6.15 Computer-assisted Audit Techniques (cont.)

CAATs as a continuous online audit approach:

• Improves audit efficiency

• IS auditors must:

– develop audit techniques for use with advanced computerized systems

– be involved in the creation of advanced systems

– make greater use of automated tools

1.6.16 Evaluation of Audit Strengths and Weaknesses

• Assess evidence

• Evaluate overall control structure

• Evaluate control procedures

• Assess control strengths and weaknesses

1.6.16 Evaluation of Audit Strengths and Weaknesses (cont.)

Judging materiality of findings

• Materiality is a key issue

• Assessment requires judgment of the potential effect of the finding if corrective action is not taken

1.6.17 Communicating Audit Results

Exit interview

– Correct facts

– Realistic recommendations

– Implementation dates for agreed recommendations

Presentation techniques

– Executive summary

– Visual presentation

1.6.17 Communicating Audit Results (cont.)

Audit report structure and contents

• An introduction to the report

• Audit findings presented in separate sections

• The IS auditor’s overall conclusion and opinion

• The IS auditor’s reservations with respect to the audit

• Detailed audit findings and recommendations

• A variety of findings

1.6.18 Management Implementation of Recommendations

• Auditing is an ongoing process

• Timing of follow-up

1.6.19 Audit Documentation

Audit documentation includes:

• Planning and preparation of the audit scope and objectives

• Description of the scoped audit area

• Audit program

• Audit steps performed and evidence gathered

• Other experts used

• Audit findings, conclusions and recommendations

1.7 Control Self-Assessment

• A management technique

• A methodology

• In practice, a series of tools

• Can be implemented by various methods

1.7 Control Self-Assessment (cont.)

1.7.1 Objectives of CSA

• Leverage the internal audit function by shifting some control monitoring responsibilities to functional areas

• Enhancement of audit responsibilities, not a replacement

• Educate management about control design and monitoring

• Empowerment of workers to assess the control environment

1.7.2 Benefits of CSA

• Early detection of risks

• More effective and improved internal controls

• Increased employee awareness of organizational objectives

• Highly motivated employees

• Improved audit rating process

• Reduction in control cost

• Assurance provided to stakeholders and customers

1.7.3 Disadvantages of CSA

• Could be mistaken as an audit function replacement

• May be regarded as an additional workload

• Failure to act on improvement suggestions could damage employee morale

• Lack of motivation may limit effectiveness in the detection of weak controls

1.7.4 Auditor Role in CSA

• Internal control professionals

• Assessment facilitators

1.7.5 Technology Drivers for CSA

• Combination of hardware and software

• Use of an electronic meeting system

• Computer-supported decision aids

• Group decision making is an essential component

1.7.6 Traditional vs. CSA Approach

• Traditional Approach

– Assigns duties/supervises staff

– Policy/rule driven

– Limited employee participation

– Narrow stakeholder focus

• CSA Approach

– Empowered/accountable employees

– Continuous improvement/learning curve

– Extensive employee participation and training

– Broad stakeholder focus

1.8.1 Integrated Auditing

Process whereby appropriate audit disciplines are combined to assess key internal controls over an operation, process or entity.

• Focuses on risk to the organization (for an internal auditor)

• Focuses on the risk of providing an incorrect or misleading audit opinion (for an external auditor)

1.8.1 Integrated Auditing (cont.)

Process involves:

• Identification of risks faced by the organization and of relevant key controls

• Review and understanding of the design of key controls

• Testing that key controls are supported by the IT system

• Testing that management controls operate effectively

• A combined report or opinion on control risks, design and weaknesses

1.8.2 Continuous Auditing

• Distinctive character

– Short time lapse between the facts to be audited and the collection of evidence and audit reporting

• Drivers

– Better monitoring of financial issues

– Allows real-time transactions to benefit from real-time monitoring

– Prevents financial fiascoes and audit scandals

– Uses software to determine proper financial controls

1.8.2 Continuous Auditing (cont.)

Continuous auditing vs. continuous monitoring

• Continuous monitoring

– Provided by IS management tools

– Based on automated procedures to meet fiduciary responsibilities

• Continuous auditing

– Audit-driven

– Completed using automated audit procedures

1.8.2 Continuous Auditing (cont.)

Application of continuous auditing due to:

• New information technology developments

• Increased processing capabilities

• Standards

• Artificial intelligence tools

1.8.2 Continuous Auditing (cont.)

Prerequisites:

• A high degree of automation

• An automated and reliable information-producing process

• Alarm triggers to report control failures

• Implementation of automated audit tools

• Quickly informing IS auditors of anomalies/errors

• Timely issuance of automated audit reports

• Technically proficient IS auditors

• Availability of reliable sources of evidence

• Adherence to materiality guidelines

• Change of IS auditors’ mindset

• Evaluation of cost factors

1.8.2 Continuous Auditing (cont.)

IT techniques in a continuous auditing environment:

• Transaction logging

• Query tools

• Statistics and data analysis (CAAT)

• Database management systems (DBMS)

• Data warehouses, data marts and data mining

• Intelligent agents

• Embedded audit modules (EAM)

• Neural network technology

• Standards such as Extensible Business Reporting Language
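An embedded audit module with alarm triggers, showing how the prerequisites listed on the previous slide (transaction logging, alarm triggers for control failures, prompt notification of the IS auditor) fit together. This is an added example, not ISACA's material or any vendor's EAM; it assumes the application calls `inspect` for every posting it makes, and the thresholds, rule names, users and transactions are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List


@dataclass
class Transaction:
    txn_id: str
    amount: float
    entered_by: str
    approved_by: str
    posted_at: datetime


@dataclass
class Alert:
    txn_id: str
    rule: str
    detail: str


class EmbeddedAuditModule:
    """Audit hook the application is assumed to call for every transaction it
    posts.  It never blocks the posting: it logs the transaction, evaluates
    the alarm triggers and returns any alerts so the IS auditor learns of
    anomalies as they occur rather than at the next fieldwork visit."""

    def __init__(self, amount_threshold: float = 10_000.0,
                 business_hours: tuple = (8, 18)) -> None:
        self.amount_threshold = amount_threshold      # hypothetical materiality cut-off
        self.business_hours = business_hours          # hours during which posting is expected
        self.audit_log: List[Dict[str, object]] = []  # every transaction seen
        self.alerts: List[Alert] = []                 # only the control failures

    def inspect(self, txn: Transaction) -> List[Alert]:
        fired: List[Alert] = []
        if txn.amount > self.amount_threshold:
            fired.append(Alert(txn.txn_id, "amount_over_threshold",
                               f"{txn.amount:.2f} > {self.amount_threshold:.2f}"))
        if txn.entered_by == txn.approved_by:
            fired.append(Alert(txn.txn_id, "segregation_of_duties",
                               f"{txn.entered_by} both entered and approved"))
        start, end = self.business_hours
        if not start <= txn.posted_at.hour < end:
            fired.append(Alert(txn.txn_id, "outside_business_hours",
                               txn.posted_at.isoformat()))
        # Transaction logging: the log is the auditor's evidence source, so
        # clean postings are recorded alongside the exceptions.
        self.audit_log.append({"txn_id": txn.txn_id, "amount": txn.amount,
                               "alerts": [a.rule for a in fired]})
        self.alerts.extend(fired)
        return fired


def run_example() -> Dict[str, List[str]]:
    eam = EmbeddedAuditModule()
    # Constructed transaction stream (hypothetical ids, users and amounts).
    stream = [
        Transaction("T1", 500.0, "alice", "bob", datetime(2013, 3, 4, 10, 15)),
        Transaction("T2", 25_000.0, "alice", "bob", datetime(2013, 3, 4, 11, 0)),
        Transaction("T3", 900.0, "carol", "carol", datetime(2013, 3, 4, 14, 30)),
        Transaction("T4", 1_200.0, "dave", "erin", datetime(2013, 3, 4, 23, 30)),
    ]
    for txn in stream:
        eam.inspect(txn)
    # What an auditor's report would show: the rules each posting tripped.
    return {entry["txn_id"]: entry["alerts"] for entry in eam.audit_log}


if __name__ == "__main__":
    for txn_id, rules in run_example().items():
        print(txn_id, rules or "clean")
```

Two of the slide's prerequisites show up directly in the design: the module keeps a complete transaction log rather than only the alerts (a reliable source of evidence), and the thresholds are explicit parameters so that the materiality guideline the auditor agreed with management can be reviewed and changed without touching the rules.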

1.8.2 Continuous Auditing (cont.)

• Advantages

– Instant capture of internal control problems

– Reduction of intrinsic audit inefficiencies

• Disadvantages

– Difficulty in implementation

– High cost

– Elimination of auditors’ personal judgment and evaluation

1.9.1 Case Study A Scenario

The IS auditor has been asked to perform preliminary work that will assess the readiness of the organization for a review to measure compliance with new regulatory requirements. These requirements are designed to ensure that management is taking an active role in setting up and maintaining a well-controlled environment and, accordingly, will assess management’s review and testing of the general IT control environment.

Areas to be assessed include logical and physical security, change management, production control and network management, IT governance, and end-user computing. The IS auditor has been given six months to perform this preliminary work, so sufficient time should be available. It should be noted that in previous years, repeated problems have been identified in the areas of logical security and change management, so these areas will most likely require some degree of remediation.

1.9.1 Case Study A Scenario (continued)

Logical security deficiencies noted included the sharing of administrator accounts and failure to enforce adequate controls over passwords. Change management deficiencies included improper segregation of incompatible duties and failure to document all changes. Additionally, the process for deploying operating system updates to servers was found to be only partially effective.

In anticipation of the work to be performed by the IS auditor, the chief information officer (CIO) requested direct reports to develop narratives and process flows describing the major activities for which IT is responsible. These were completed, approved by the various process owners and the CIO, and then forwarded to the IS auditor for examination.

Case Study A Question

1. What should the IS auditor do FIRST?

A. Perform an IT risk assessment.

B. Perform a survey audit of logical access controls.

C. Revise the audit plan to focus on risk-based auditing.

D. Begin testing controls that the IS auditor feels are most critical.

Correct Ans: A

Case Study A Question

2. When testing program change management, how should the sample be selected?

A. Change management documents should be selected at random and examined for appropriateness.

B. Changes to production code should be sampled and traced to appropriate authorizing documentation.

C. Change management documents should be selected based on system criticality and examined for appropriateness.

D. Changes to production code should be sampled and traced back to system-produced logs indicating the date and time of the change.

Correct Ans: B

1.9.2 Case Study B Scenario

An IS auditor is planning to review the security of a financial application for a large company with several locations worldwide. The application system is made up of a web interface, a business logic layer and a database layer. The application is accessed locally through a LAN and remotely through the Internet via a virtual private network (VPN) connection.

Case Study B Question

1. The MOST appropriate type of CAATs tool the auditor should use to test security configuration settings for the entire application system is:

A. generalized audit software.

B. test data.

C. utility software.

D. expert system.

Correct Ans: C

Case Study B Question

2. Given that the application is accessed through the Internet, how should the auditor determine whether to perform a detailed review of the firewall rules and virtual private network (VPN) configuration settings?

A. Documented risk analysis

B. Availability of technical expertise

C. Approach used in previous audit

D. IS auditing guidelines and best practices

Correct Ans: A

Case Study B Question

3. During the review, if the auditor detects that the transaction authorization control objective cannot be met due to a lack of clearly defined roles and privileges in the application, the auditor should FIRST:

A. review the authorization on a sample of transactions.

B. immediately report this finding to upper management.

C. request that auditee management review the appropriateness of access rights for all users.

D. use a generalized audit software to check the integrity of the database.

Correct Ans: A

1.9.3 Case Study C Scenario

An IS auditor has been appointed to carry out IS audits in an entity for a period of 2 years. After accepting the appointment, the IS auditor noted that:

– The entity has an audit charter that details, among other things, the scope and responsibilities of the IS audit function and specifies the audit committee as the overseeing body for audit activity.

– The entity is planning a major increase in IT investment, mainly on account of implementation of a new ERP application, integrating business processes across units dispersed geographically. The ERP implementation is expected to become operational within the next 90 days. The servers supporting the business applications are hosted offsite by a third-party service provider.

1.9.3 Case Study C Scenario (continued)

– The entity has a new incumbent as chief information security officer (CISO), who reports to the chief financial officer (CFO).

– The entity is subject to regulatory compliance requirements that require its management to certify the effectiveness of the internal control system as it relates to financial reporting. The entity has been recording growth at double the industry average consistently over the last two years. However, the entity has seen increased employee turnover as well.

Case Study C Question

1. The FIRST priority of the IS auditor in year 1 should be to study the:

A. previous IS audit reports and plan the audit schedule.

B. audit charter and plan the audit schedule.

C. impact of the new incumbent as CISO.

D. impact of the implementation of a new ERP on the IT environment and plan the audit schedule.

Correct Ans: D

Case Study C Question

2. How should the IS auditor evaluate backup and batch processing within computer operations?

A. Plan and carry out an independent review of computer operations.

B. Rely on the service auditor’s report of the service provider.

C. Study the contract between the entity and the service provider.

D. Compare the service delivery report to the service level agreement.

Correct Ans: D

Practice Question

1-1 Which of the following establishes the overall authority to perform an IS audit?

A. The audit scope, with goals and objectives

B. A request from management to perform an audit

C. The approved audit charter

D. The approved audit schedule

Correct Ans: C

Practice Question

1-2 In performing a risk-based audit, which risk assessment is completed initially by the IS auditor?

A. Detection risk assessment

B. Control risk assessment

C. Inherent risk assessment

D. Fraud risk assessment

Practice Question

1-3 While developing a risk-based audit program, on which of the following would the IS auditor MOST likely focus?

A. Business processes

B. Critical IT applications

C. Operational controls

D. Business strategies

Practice Question

1-4 Which of the following types of audit risk assumes an absence of compensating controls in the area being reviewed?

A. Control risk

B. Detection risk

C. Inherent risk

D. Sampling risk

Practice Question

1-5 An IS auditor performing a review of an application’s controls finds a weakness in system software that could materially impact the application. The IS auditor should:

A. disregard these control weaknesses, as a system software review is beyond the scope of this review.

B. conduct a detailed system software review and report the control weaknesses.

C. include in the report a statement that the audit was limited to a review of the application’s controls.

D. review the system software controls as relevant and recommend a detailed system software review.

Practice Question

1-6 Which of the following is the MOST important reason why an audit planning process should be reviewed at periodic intervals?

A. To plan for deployment of available audit resources

B. To consider changes to the risk environment

C. To provide inputs for documentation of the audit charter

D. To identify the applicable IS audit standards

Practice Question

1-7 Which of the following is MOST effective for implementing a control self-assessment (CSA) within business units?

A. Informal peer reviews

B. Facilitated workshops

C. Process flow narratives

D. Data flow diagrams

Practice Question

1-8 The FIRST step in planning an audit is to:

A. define audit deliverables.

B. finalize the audit scope and audit objectives.

C. gain an understanding of the business’s objectives.

D. develop the audit approach or audit strategy.

Practice Question

1-9 The approach an IS auditor should use to plan IS audit coverage should be based on:

A. risk.

B. materiality.

C. professional skepticism.

D. sufficiency of audit evidence.

Practice Question

1-10 A company performs a daily backup of critical data and software files and stores the backup tapes at an offsite location. The backup tapes are used to restore the files in case of a disruption. This is a:

A. preventive control.

B. management control.

C. corrective control.

D. detective control.

Practice 11

11. In a risk-based audit approach, the IS auditor must consider the inherent risk as well as considering:

A. how to eliminate the risk through the application of controls.

B. the balance of loss potential vs. the cost to implement controls.

C. whether the risk is material, regardless of management’s tolerance for risk.

D. whether the residual risk is higher than the insurance coverage purchased.

Correct Ans: B

Determining the correct balance between the loss potential and the cost to implement controls is a very important part of an effective risk mitigation strategy. The best internal control is one where the benefit of implementing the control at least matches the cost. Eliminating risk is very difficult to achieve and often impossible to attain. Hence, the IS auditor should not recommend that risk be eliminated since this is not likely to be cost-effective for the organization. Whether the risk is material is not the correct answer since the risk tolerance of management determines what is material. Insurance coverage is not necessarily the only control to consider for mitigating residual

Practice 12

12. Which of the following sampling methods is MOST useful when testing for compliance?

A. Attribute sampling

B. Variable sampling

C. Stratified mean per unit

D. Difference estimation

Correct Ans: A

Attribute sampling is the primary sampling method used for compliance testing. Attribute sampling is a sampling model that is used to estimate the rate of occurrence of a specific quality (attribute) in a population and is used in compliance testing to confirm whether the quality exists. The other choices are used in substantive testing, which involves testing of details or quantity.

Practice 13

13. Which of the following is the MOST critical step to perform when planning an IS audit?

A. Review findings from prior audits.

B. Develop plans to conduct a physical security review of the data center facility.

C. Review IS security policies and procedures.

D. Perform a risk assessment.

Correct Ans: D

Of all the steps listed, performing a risk assessment is the most critical. Risk assessment is required by ISACA IT Audit and Assurance Standard S11 (Use of Risk Assessment in Audit Planning). In addition to the standards requirement, if a risk assessment is not performed, then high-risk areas of the auditee systems or operations may not be identified for evaluation. Detection risk (the risk that a material error is not detected by the IS auditor) is increased for the IS auditor if a risk assessment is not conducted. The review of findings from prior audits is a necessary part of the engagement, but this step is not as critical as conducting a risk assessment. A physical security review of the data center facility is important, but not as critical as performing a risk assessment. Reviewing IS security policies and procedures would normally be conducted during fieldwork, not planning.

Practice 14

14. While planning an audit, an assessment of risk should be made to provide:

A. reasonable assurance that the audit will cover material items.

B. definite assurance that material items will be covered during the audit work.

C. reasonable assurance that all items will be covered by the audit.

D. sufficient assurance that all items will be covered during the audit work.

Correct Ans: A

The ISACA IS Auditing Guideline G15 on planning the IS audit states, “An assessment of risk should be made to provide reasonable assurance that material items will be adequately covered during the audit work. This assessment should identify areas with a relatively high risk of the existence of material problems.” Definite assurance that material items will be covered during the audit work is an impractical proposition. Reasonable assurance that all items will be covered during the audit work is not the correct answer, as material items need to be covered, not all items.

Practice 15

15. After reviewing the disaster recovery plan (DRP) of an organization, an IS auditor requests a meeting with company management to discuss the findings. Which of the following BEST describes the main goal of this meeting?

A. Obtaining management approval of the corrective actions

B. Confirming factual accuracy of the findings

C. Assisting management in the implementation of corrective actions

D. Clarifying the scope and limitations of the audit

Correct Ans: B

The goal of the meeting is to confirm the factual accuracy of the audit findings and present an opportunity for management to agree on corrective action. Management approval of the corrective actions is not required since this is not the role of the auditor. Implementation of corrective actions should be done after the factual accuracy of findings has been established, but the work of implementing corrective action is not typically assigned to the IS auditor since this would impair the auditor’s independence. Clarifying the scope and limitations of the audit should be done during the entrance meeting, not during the exit meeting.

Conclusion

• Chapter 1 Quick Reference Review– Page 29 of CISA Review Manual 2013