CISA Domain 1 - IS Auditing (day 1)
Page 1: CISA Domain 1 - IS Auditing (day 1)

Suriname College of Accountancy

CISA DOMAIN 1:

THE PROCESS OF AUDITING INFORMATION SYSTEMS

Cyril Soeri MA RA CISA CIS LI

Gregory Tai-Apin CISA CIS LI COBIT Foundation

Day 1

Page 2: CISA Domain 1 - IS Auditing (day 1)

CISA Program

The CISA program consists of the following five domains:

1. The Process of Auditing Information Systems (3 – 26 Feb 2015);

2. Governance and Management of IT (17 March – 9 Apr 2015);

3. Information Systems Acquisition, Development and Implementation (28 Apr – 21 May 2015);

4. Information Systems Operations, Maintenance and Support (11 Jun – 2 Jul 2015);

5. Protection of Information Systems (21 Jul – 13 Aug 2015).

September 2015: expected early registration date for CISA exam

Exam training sessions: 5 Oct – 9 Oct (daily sessions)

CISA Exam in December 2015

Page 3: CISA Domain 1 - IS Auditing (day 1)

Program of Domain 1 (1a)

DAY 1 The Process of Auditing Information Systems

The universe of an IT auditor

The ISACA route

Management of the IS Audit Function

Organization of the IS audit function

Audit Planning

Page 4: CISA Domain 1 - IS Auditing (day 1)

Program of Domain 1 (1b)

DAY 1 (Cont’d): The Process of Auditing Information Systems

ISACA IT audit and Assurance Standards and Guidelines

ISACA Code of Professional Ethics

ISACA IT Audit and Assurance Standards Framework

Auditing Standards

ISACA IT Audit and Assurance Guidelines

ISACA IT Audit and Assurance Tools and Techniques

Information Technology Assurance Framework (ITAF)

Page 5: CISA Domain 1 - IS Auditing (day 1)

Program of Domain 1 (2)

DAY 2 The Process of Auditing Information Systems (cont’d)

Risk Analysis

Internal Controls

Internal Control Objectives

IS Control Objectives

COBIT

General Controls

IS Controls

Page 6: CISA Domain 1 - IS Auditing (day 1)

Program of Domain 1 (3)

DAY 3 The Process of Auditing Information Systems (cont’d)

Performing an IS Audit (1):

Classification of Audits

Audit Programs

Audit Methodology

Fraud Detection

Page 7: CISA Domain 1 - IS Auditing (day 1)

Program of Domain 1 (4)

Day 4 The Process of Auditing Information Systems (cont’d)

Performing an IS Audit (2):

Risk-based Auditing

Audit Risk and Materiality

Assessing & Treating Risks

Risk Assessment Techniques

Page 8: CISA Domain 1 - IS Auditing (day 1)

Program of Domain 1 (5)

Day 5 The Process of Auditing Information Systems (cont’d)

Performing an IS Audit (3):

Audit Objectives

Compliance versus Substantive Testing

Audit Evidence

Interviewing and Observing Personnel in Performance of their Duties

Sampling

Page 9: CISA Domain 1 - IS Auditing (day 1)

Program of Domain 1 (6)

DAY 7 The Process of Auditing Information Systems (cont’d)

Performing an IS Audit (5):

Using Services of Other Auditors and Experts

Computer-Assisted Audit Techniques

Evaluation of Strengths and Weaknesses

Communicating Audit Results

Management Implementation of Recommendations

Audit Documentation

Page 10: CISA Domain 1 - IS Auditing (day 1)

Program of Domain 1 (7)

DAY 8 The Process of Auditing Information Systems (cont’d)

Control Self-assessment (CSA)

Objectives

Benefits

Disadvantages

Auditor Role in CSA

Technology drivers for CSA

Traditional vs. CSA approach

Page 11: CISA Domain 1 - IS Auditing (day 1)

Program of Domain 1 (8)

DAY 8 The Process of Auditing Information Systems (cont’d)

The evolving IS Audit Process

Integrated audit

Continuous auditing

Exam training

CISA’s road ahead

Closing session

Page 12: CISA Domain 1 - IS Auditing (day 1)

OVERVIEW

CISA Domain 1: The process of IS Auditing

Page 13: CISA Domain 1 - IS Auditing (day 1)

Learning objectives

There are five tasks within the domain covering the process of auditing information systems:

1. Develop and implement a risk-based IT audit strategy in compliance with IT audit standards to ensure that key areas are included.

2. Plan specific audits to determine whether information systems are protected, controlled and provide value to the organization.

3. Conduct audits in accordance with IT audit standards to achieve planned audit objectives.

4. Report audit findings and make recommendations to key stakeholders to communicate results and effect change when necessary.

5. Conduct follow-ups or prepare status reports to ensure that appropriate actions have been taken by management in a timely manner.

Page 14: CISA Domain 1 - IS Auditing (day 1)

MANAGEMENT OF THE IS AUDIT FUNCTION

CISA Domain 1: The process of IS Auditing

Page 15: CISA Domain 1 - IS Auditing (day 1)

Organization of the IS Audit function

Internal IS Audit services:

Audit charter approved by senior management;

External IS Audit services:

Formal contract or statement of work

Page 16: CISA Domain 1 - IS Auditing (day 1)

Exam training

A1-15 (Q) Audit charter

An audit charter should:

A. be dynamic and change often to coincide with the changing nature of technology and the audit profession.

B. clearly state audit objectives for, and the delegation of, authority to the maintenance and review of internal controls.

C. document the audit procedures designed to achieve the planned audit objectives.

D. outline the overall authority, scope and responsibilities of the audit function.

Page 17: CISA Domain 1 - IS Auditing (day 1)

Exam training

A1-15 (A)

D is the correct answer.

Justification:

A. The audit charter should not be subject to changes in technology and should not significantly change over time. The charter should be approved at the highest level of management.

B. An audit charter will state the authority and reporting requirements for the audit, but not the details of maintenance of internal controls.

C. An audit charter would not be at a detailed level and, therefore, would not include specific audit objectives or procedures.

D. An audit charter should state management's objectives for and delegation of authority to IS auditors.

Page 18: CISA Domain 1 - IS Auditing (day 1)

Exam training

A1-72 (Q) IS audit charter

An organization's IS audit charter should specify the:

A. short- and long-term plans for IS audit engagements.

B. objectives and scope of IS audit engagements.

C. detailed training plan for the IS audit staff.

D. role of the IS audit function.

Page 19: CISA Domain 1 - IS Auditing (day 1)

Exam training

A1-72 (A)

D is the correct answer.

Justification:

A. Short-term and long-term planning is the responsibility of audit management.

B. The objectives and scope of each IS audit should be agreed on in an engagement letter. The charter would specify the objectives and scope of the audit function but not of individual engagements.

C. A training plan, based on the audit plan, should be developed by audit management.

D. An IS audit charter establishes the role of the information systems audit function. The charter should describe the overall authority, scope and responsibilities of the audit function. It should be approved by the highest level of management and, if available, by the audit committee.

Page 20: CISA Domain 1 - IS Auditing (day 1)

IS Audit Resource Management

Professional competence through continuing professional education (CPE);

Necessary IT resources to properly perform IS audits of a highly specialized nature (e.g., tools, methodology, work programs).

Page 21: CISA Domain 1 - IS Auditing (day 1)

Audit planning (1)

Annual planning:

Short term – audit issues to be covered;

Long term – changes in IT strategic direction;

Individual Audit assignments – considerations:

the results of periodic risk assessments,

changes in the application of technology,

evolving privacy issues and regulatory requirements,

system implementation/upgrade deadlines,

current and future technologies,

requirements from business process owners,

IS resource limitations.

Page 22: CISA Domain 1 - IS Auditing (day 1)

Audit planning (2)

To perform audit planning, the IS auditor should perform the following steps:

1. Gain an understanding of the business's mission, objectives, purpose and processes, which include information and processing requirements such as availability, integrity, security and business technology, and information confidentiality.

2. Identify stated contents such as policies, standards and required guidelines, procedures and organization structure.

3. Perform a risk analysis to help in designing the audit plan.

4. Set the audit scope and audit objectives.

5. Develop the audit approach or audit strategy.

6. Assign personnel resources to the audit.

7. Address engagement logistics.

Page 23: CISA Domain 1 - IS Auditing (day 1)

Effect of laws and regulation on IS Audit planning (1)

The contents of IS legal regulations cover:

Establishment of the regulatory requirements

Organization of the regulatory requirements

Responsibilities assigned to the corresponding entities

Correlation to financial, operational and IT audit functions

There are two major areas of concern:

legal requirements placed on audit or IS audit;

legal requirements placed on the auditee and its systems, data management, reporting, etc.

Page 24: CISA Domain 1 - IS Auditing (day 1)

Effect of laws and regulation on IS Audit planning (2)

The following are steps an IS auditor would perform to determine an organization's level of compliance with external requirements (to be continued):

Identify those government or other relevant external requirements dealing with:

Electronic data, personal data, copyrights, e-commerce, e-signatures, etc.

Computer system practices and controls

The manner in which computers, programs and data are stored

The organization or the activities of information technology services

IS audits

Page 25: CISA Domain 1 - IS Auditing (day 1)

Effect of laws and regulation on IS Audit planning (3)

Steps to determine an organization's level of compliance (cont’d):

Document applicable laws and regulations;

Assess whether the management of the organization and the IS function have considered the relevant external requirements in making plans and in setting policies, standards and procedures, as well as business application features;

Review internal IS department/function/activity documents that address adherence to laws applicable to the industry;

Determine adherence to established procedures that address these requirements;

Determine if there are procedures in place to ensure contracts or agreements with external IT services providers reflect any legal requirements related to responsibilities;

Page 26: CISA Domain 1 - IS Auditing (day 1)

Exam training

A1-99 (Q) Planning

The effect of which of the following should have priority in planning the scope and objectives of an IS audit:

A. Applicable statutory requirements

B. Applicable corporate standards

C. Applicable industry best practices

D. Organizational policies and procedures

Page 27: CISA Domain 1 - IS Auditing (day 1)

Exam training

A1-99 (A)

A is the correct answer.

Justification:

A. The effect of applicable statutory requirements must be factored in while planning an IS audit; the IS auditor has no options in this respect because there can be no limitation of scope in respect to statutory requirements.

B. Statutory requirements always take priority over corporate standards.

C. Industry best practices help plan an audit; however, best practices are not mandatory and can be deviated from to meet organization objectives.

D. Organizational policies and procedures are important, but statutory requirements always take priority. Organizational policies must be in alignment with statutory requirements.

Page 28: CISA Domain 1 - IS Auditing (day 1)

Exam training

A1-101 (Q) Planning

An IS auditor is planning to evaluate the control design effectiveness related to an automated billing process. Which of the following is the MOST effective approach for the auditor to adopt?

A. Process narrative

B. Inquiry

C. Reperformance

D. Walk-through

Page 29: CISA Domain 1 - IS Auditing (day 1)

Exam training

A1-101 (A)

D is the correct answer.

Justification:

A. Process narratives may not be current or complete and may not reflect the actual process in operation.

B. Inquiry can be used to understand the controls in a process only if it is accompanied by verification of evidence.

C. Reperformance is used to evaluate the operating effectiveness of the control rather than the design of the control.

D. Walk-throughs involve a combination of inquiry and inspection of evidence with respect to business process controls. This is the most effective basis for evaluation of the design of the control as it actually exists.

Page 30: CISA Domain 1 - IS Auditing (day 1)

Exam training

A1-3 (Q) Audit plan

An IS auditor is developing an audit plan for a repeat client. The IS auditor reviews the prior-year audit plan and finds that the previous plan was designed to review the company's network and email systems, which were newly implemented last year, but the plan did not include reviewing the e-commerce web server. The company IT manager indicates that this year the organization prefers to focus the audit on a newly implemented enterprise resource planning (ERP) application. How should the IS auditor respond?

A. Audit the new ERP application as requested by the IT manager.

B. Audit the e-commerce server because it was not audited last year.

C. Determine the highest-risk systems and plan the audit based on the results.

D. Audit both the e-commerce server and the ERP application.

Page 31: CISA Domain 1 - IS Auditing (day 1)

Exam training

A1-3 (A)

C is the correct answer.

Justification:

A. Auditing the new enterprise resource planning (ERP) application does not reflect a risk-based approach. Although ERP systems typically contain sensitive data and may present risk of data loss or disclosure to the organization, without a risk assessment, the decision to solely audit the ERP system is not a risk-based decision.

B. Auditing the e-commerce server because it was not audited last year does not reflect a risk-based approach. In addition, the IT manager may know about problems with the e-commerce server and may be intentionally trying to steer the audit away from that vulnerable area. Although at first glance e-commerce may seem to be the most risky area, an assessment must be conducted rather than relying on the judgment of the IS auditor or IT manager.

C. The best course of action is to conduct a risk assessment and design the audit plan to cover the areas of highest risk. ISACA IS Audit and Assurance Standard 1202 (Risk Assessment in Planning), statement 1202.1: "The IS audit and assurance function shall use an appropriate risk assessment approach and supporting methodology to develop the overall IS audit plan and determine priorities for the effective allocation of IS audit resources."

D. The creation of the audit plan should be performed in cooperation with management and based on risk. The IS auditor should not arbitrarily decide on what needs to be audited.

Page 32: CISA Domain 1 - IS Auditing (day 1)

ISACA IT AUDIT AND ASSURANCE STANDARDS AND GUIDELINES

CISA Domain 1: The process of IS Auditing

Page 33: CISA Domain 1 - IS Auditing (day 1)

ISACA Code of Professional Ethics (1)

Members and ISACA certification holders shall (to be cont’d):

1. Support the implementation of, and encourage compliance with appropriate standards, procedures and controls for information systems.

2. Perform their duties with objectivity, due diligence and professional care, in accordance with professional standards and best practices.

3. Serve in the interest of stakeholders in a lawful and honest manner, while maintaining high standards of conduct and character, and not engage in acts discreditable to the profession.

Page 34: CISA Domain 1 - IS Auditing (day 1)

ISACA Code of Professional Ethics (2)

Members and ISACA certification holders shall (cont’d):

4. Maintain the privacy and confidentiality of information obtained in the course of their duties unless disclosure is required by legal authority. Such information shall not be used for personal benefit or released to inappropriate parties.

5. Maintain competency in their respective fields and agree to undertake only those activities that they can reasonably expect to complete with professional competence.

6. Inform appropriate parties of the results of work performed, revealing all significant facts known to them.

7. Support the professional education of stakeholders in enhancing their understanding of IS security and control.

Page 35: CISA Domain 1 - IS Auditing (day 1)

ISACA IT Audit and Assurance Standards Framework

The framework for the ISACA IT audit and assurance standards provides for multiple levels as follows:

Standards define mandatory requirements for IT audit and assurance and reporting.

Guidelines provide guidance in applying IT audit and assurance standards. The IS auditor should consider them in determining how to achieve implementation of the above standards, use professional judgment in their application and be prepared to justify any difference.

Tools & Techniques: Procedures provide examples of processes an IS auditor might follow in an audit engagement. The procedure documents provide information on how to meet the standards when completing IS auditing work, but do not set requirements.

Page 36: CISA Domain 1 - IS Auditing (day 1)

ISACA IS Auditing Standards

S1 Audit Charter

S2 Independence

S3 Professional Ethics and Standards

S4 Professional Competence

S5 Planning

S6 Performance of Audit Work

S7 Reporting

S8 Follow-up Activities

S9 Irregularities and Illegal Acts

S10 IT Governance

S11 Use of Risk Assessment in Audit Planning

S12 Audit Materiality

S13 Using the Work of Other Experts

S14 Audit Evidence

S15 IT Controls

S16 E-commerce

Page 37: CISA Domain 1 - IS Auditing (day 1)

ISACA IT Audit and Assurance Guidelines

G1 Using the Work of Other Auditors

G2 Audit Evidence Requirement

G3 Use of Computer-Assisted Audit Techniques (CAATs)

G4 Outsourcing of IS Activities to Other Organizations

G5 Audit Charter

G6 Materiality Concepts for Auditing Information Systems

G7 Due Professional Care

G8 Audit Documentation

G9 Audit Considerations for Irregularities

G10 Audit Sampling

G11 Effect of Pervasive IS Controls

G12 Organizational Relationship and Independence

G13 Use of Risk Assessment in Audit Planning

G14 Application Systems Review

G16 Effect of Third Parties on Organization's IT Controls

G17 Effect of Nonaudit Role on IS Auditor's Independence

G18 IT Governance

G19 Irregularities and Illegal Acts

G20 Reporting

G21 Enterprise Resource Planning (ERP) Systems Review

G22 Business-to-consumer (B2C) E-commerce Review

G23 System Development Life Cycle (SDLC) Review

G24 Internet Banking

G25 Review of Virtual Private Networks

G26 Business Process Reengineering (BPR) Project Reviews

G27 Mobile Computing

G28 Computer Forensics

G29 Post-implementation Review

G30 Competence

G31 Privacy

G32 Business Continuity Plan Review From IT Perspective

G33 General Considerations on the Use of the Internet

G34 Responsibility, Authority and Accountability

G35 Follow-up Activities

G36 Biometric Controls

G37 Configuration Management

G38 Access Control

G39 IT Organizations

G40 Review of Security Management Practices

G41 Return on Security Investment (ROSI)

G42 Continuous Assurance

Page 38: CISA Domain 1 - IS Auditing (day 1)

ISACA IT Audit and Assurance Tools and Techniques

P1 IS Risk Assessment

P2 Digital Signatures

P3 Intrusion Detection

P4 Viruses and Other Malicious Code

P5 Control Risk Self-assessment

P6 Firewalls

P7 Irregularities and Illegal Acts

P8 Security Assessment—Penetration Testing and Vulnerability Analysis

P9 Evaluation of Management Controls Over Encryption Methodologies

P10 Business Application Change Control

P11 Electronic Funds Transfer (EFT)

Page 39: CISA Domain 1 - IS Auditing (day 1)

Information Technology Assurance Framework (ITAF) (1)

General Standards—The guiding principles under which the IT assurance profession operates.

Performance Standards—Deal with the conduct of the assignment.

Reporting Standards—Address the types of reports, means of communication and the information communicated.

Guidelines—Provide the IT audit and assurance professional with information and direction about an audit or assurance area.

Tools and Techniques—Provide specific information on various methodologies, tools and templates.

Page 40: CISA Domain 1 - IS Auditing (day 1)

Exam training

A1-37 (Q) Data flow diagrams

Data flow diagrams are used by IS auditors to:

A. order data hierarchically.

B. highlight high-level data definitions.

C. graphically summarize data paths and storage.

D. portray step-by-step details of data generation.

Page 41: CISA Domain 1 - IS Auditing (day 1)

Exam training

A1-37 (A)

C is the correct answer.

Justification:

A. Data flow diagrams do not order data in a hierarchy.

B. A data dictionary may be used to document data definitions, but the data flow diagram is used to document how data move through a process.

C. Data flow diagrams are used as aids to graph or chart data flow and storage. They trace data from their origination to destination, highlighting the paths and storage of data.

D. The purpose of a data flow diagram is to track the movement of data through a process and is not primarily to document or indicate how data are generated.

Page 42: CISA Domain 1 - IS Auditing (day 1)

Exam training

A1-39 (Q) Organizational chart

An IS auditor reviews an organizational chart PRIMARILY for:

A. an understanding of workflows.

B. investigating various communication channels.

C. understanding the responsibilities and authority of individuals.

D. investigating the network connected to different employees.

Page 43: CISA Domain 1 - IS Auditing (day 1)

Exam training

A1-39 (A)

C is the correct answer.

Justification:

A. A workflow diagram would provide information about the roles of different employees. This is not the purpose of an organizational chart.

B. The organizational chart is a key tool for an auditor to understand roles and responsibilities and reporting lines, but is not used for examining communications channels.

C. An organizational chart provides information about the responsibilities and authority of individuals in the organization. This helps an IS auditor to know if there is a proper segregation of functions.

D. A network diagram will provide information about the usage of variouscommunication channels and will indicate the connection of users to the network.

Page 44: CISA Domain 1 - IS Auditing (day 1)

Exam training

A1-88 (Q) Independence

Which of the following responsibilities would MOST likely compromise the independence of an IS auditor when reviewing the risk management process?

A. Participating in the design of the risk management framework

B. Advising on different implementation techniques

C. Facilitating risk awareness training

D. Performing a due diligence review of the risk management processes

Page 45: CISA Domain 1 - IS Auditing (day 1)

Exam training

A1-88 (A)

A is the correct answer.

Justification:

A. Participating in the design of the risk management framework involves designing controls, which will compromise the independence of the IS auditor to audit the risk management process.

B. Advising on different implementation techniques will not compromise the IS auditor's independence because the IS auditor will not be involved in the decision-making process.

C. Facilitating awareness training will not hamper the IS auditor's independence because the auditor will not be involved in the decision-making process.

D. Due diligence reviews are a type of audit generally related to mergers and acquisitions.

Page 46: CISA Domain 1 - IS Auditing (day 1)


[email protected] / [email protected]

MOB: 719 00 47 / 89 29 293

SURINAME COLLEGE OF ACCOUNTANCY

FLUSTRAAT 35

PARAMARIBO, SURINAME

TEL +597 - 531 330 / 531 350

FAX +597 - 531 340

WEBSITE: SURINAMECOLLEGEOFACCOUNTANCY.COM


Q&A