12/24/21 INTRODUCTION: DOMAIN 1, Lecture 1, IS AUDIT PROCESS. Joseph Akoki, 0803 383 6414, [email protected]

CISA Lecture Domain 1



  • 5 Tasks in this Domain
    - Develop and implement a risk-based IS audit strategy for the organisation in compliance with IS audit standards, guidelines and best practices
    - Plan specific audits to ensure that IT and business systems are protected and controlled
    - Conduct audits in accordance with IS audit standards, guidelines and best practices to meet planned audit objectives
    - Communicate emerging issues, potential risks and audit results to key stakeholders
    - Advise on the implementation of risk management and control practices within the organisation while maintaining independence

  • Introduction: Information and Communication Technology is providing the tools that are revolutionising business processes the world over, changing professionals from information recorders and processors into business strategists and making them much more critical to the success of an enterprise. It is therefore a sine qua non of corporate success in the 21st century.

  • Information or Digital Revolution
    - Agrarian revolution
    - Industrial revolution
    - Information revolution
    - Information is power, e.g. the Iraq War
    - It is the difference between success and failure of an enterprise
    - Information security is therefore key

  • A few examples
    - Citibank saga
    - Credit card case in the US
    - CBN 1980 case
    - Traffic system hacking in the US by an 11-year-old kid
    - Several server crashes
    - CSCS advert: "Don't kill yourselves"
    - Many more

  • Where are we coming from?
    - IT professionals are the A-Z of data processing
    - Nobody understands what they are doing
    - They record transactions and generate printouts for call-over by operations
    - They can make or mar the enterprise
    - They commit a lot of fraud, from equipment procurement to data manipulation

  • THEN, WHAT IS IS AUDIT?

  • IS AUDITING DEFINED: The process of collecting and evaluating evidence to determine whether a computer system safeguards assets, maintains data integrity, allows organisational goals to be achieved effectively, and uses resources efficiently.

  • IS AUDIT FUNCTIONS
    - Improved safeguarding of assets
    - Improved data integrity
    - Improved system effectiveness
    - Improved system efficiency

  • Why CISA or why IS auditors?
    - Business processes running on mission-critical applications
    - The need to bridge the knowledge gap between auditors and IT professionals
    - Dependence of auditors on IT professionals during audits
    - The need to reduce audit risk/liability

  • Why CISA or why IS auditors?
    - The need to provide management with an independent opinion on IT infrastructure and processes
    - Corporate governance is becoming IT governance
    - The inability of auditors to assess IT processes using the conventional audit approach

  • Why IS AUDIT?
    - The need to reduce risk arising from:
      - Vagaries in IT processes (African exposures)
      - Oversight functions
      - Fraud
      - Critical errors and mistakes
      - Inefficient support of the business processes
      - Security flaws
      - Unsecured processing environment
    - In summary: the need for CIA (confidentiality, integrity, availability)

  • Why IS AUDIT? Because of recent corporate failures such as Enron and WorldCom, and several scandals in the audit profession, e.g. Afribank, Cadbury and AP, to mention but a few local examples.

  • The 21st Century Challenge
    (a) Understanding business processes that are driven by IT
    (b) Understanding key controls embedded in (or lacking from) IT processes
    (c) Understanding the risks (IT or non-IT) associated with controls
    (d) Impact analysis or quantification of risks


  • IS AUDIT FUNCTIONS
    - Improved safeguarding of assets
    - Improved data integrity
    - Improved system effectiveness
    - Improved system efficiency
    Throughout this domain we shall conceive of IS auditing as a force that enables the organisation to better achieve the four major objectives stated above.

  • IS AUDIT FUNCTIONS
    - The IS audit function should be established by an audit charter
    - ISACA IS Auditing Standards require that the responsibility, authority, scope and accountability of the IS audit function are appropriately documented in an audit charter or an engagement letter
    - It will most likely be part of the internal audit function and as such may include other audit functions
    - The charter is a governance document that states clearly the management responsibility and objectives for, and delegation of authority to, the IS audit function

  • Organisation of the IS Audit Function
    - The highest level of management must approve the audit charter
    - Once established, it should only be changed if the change can be thoroughly justified

  • IS AUDIT RESOURCE MANAGEMENT
    - IS auditors are a limited resource and IS technology is constantly changing
    - IS auditors should maintain their competency through updating skills directed towards new audit techniques and technological areas
    - IS audit should understand techniques for managing audit projects with appropriately trained members of the audit staff
    - ISACA IS Auditing Standards require that the IS auditor is technically competent, having the skills and knowledge necessary to perform the auditor's work

  • IS AUDIT RESOURCE MANAGEMENT
    - IS auditors should maintain technical competence through appropriate continuing professional education (CPE)
    - Skills and knowledge should be taken into consideration when planning audits and assigning staff to specific audit assignments
    - A detailed staff training plan should be drawn up for the year based on the organisation's direction; this should be reviewed semi-annually to ensure that training needs are aligned with the direction the audit organisation is taking
    - IS audit management should also provide the IT resources needed to properly perform IS audits of a highly specialised nature (e.g. software, scanners for network intrusion tests, penetration testing)

  • AUDIT PLANNING
    - Audit planning is both short-term and long-term
    - Short-term planning takes account of audit issues that will be covered during the year
    - Long-term planning relates to audit plans that take into account risk-related issues regarding changes in the organisation's IT strategic direction that will affect the organisation's IT environment
    - Analysis of short- and long-term issues should occur at least annually

  • AUDIT PLANNING
    - The IS auditor should understand the following when planning:
      - New control issues
      - Changing technologies
      - Changing business processes
      - Enhanced evaluation techniques
    - The result of this analysis for planning future audit activities should be reviewed by senior management, approved by the audit committee (if available) or the board of directors (BOD), and communicated to the relevant levels of management

  • AUDIT PLANNING
    - The IS auditor should understand other considerations such as:
      - Risk assessment by management
      - Privacy issues and regulatory requirements
      - System implementation deadlines
      - Current and future technologies
      - Requirements of business process owners
      - IS resource limitations

  • Gaining an understanding of the overall environment
    The following steps are necessary:
    - Understand the business mission, objectives, purposes and processes, which include processing requirements such as the AIS and business technology
    - Identify stated contents such as policies, standards and required guidelines
    - Perform a risk analysis
    - Conduct an internal control review
    - Develop the audit approach/strategy
    - Assign personnel resources and address engagement logistics

  • STEPS AN IS AUDITOR COULD TAKE TO GAIN AN UNDERSTANDING OF THE BUSINESS
    - Touring key organisation facilities
    - Reading background material
    - Reviewing long-term strategic plans
    - Interviewing key managers to understand business issues
    - Reviewing prior audit reports

  • CIAL Quadrants
    - Confidentiality
    - Integrity
    - Availability
    - Laws & regulations

  • END OF LECTURE 1 & QUESTION TIME (IF ANY)

  • Effect of laws and regulations on IS audit planning
    - Data processing
    - Data storage and usage (e.g. backup and recovery procedures)
    - Proprietary ownership
    - Transmission (CBN, Stock Exchange, etc.)
    - Transborder flows of personal data
    - Privacy issues
    - Data retention
    - Service level issues
    - Outsourcing issues

  • IS auditor's Role
    - Identify the government and relevant external requirements covering:
      - Electronic data, personal data, copyrights, e-commerce, e-signatures
      - Computer system practices and controls
      - The manner in which computers, programs and data are stored
      - The organisation or the activities of the information services
      - IS audits
    - Document pertinent laws and regulations
    - Assess whether management has considered these in drawing up policies, standards and procedures
    - Review the internal information systems department/activities that address adherence to the laws applicable to the industry
    - Determine adherence to established procedures that address these requirements
    - It is expected that the organisation would have a legal compliance function that the IS control practitioner could rely upon

  • Examples of IS audit Regulatory Initiatives / internal control frameworks
    - Sarbanes-Oxley Act of 2002 (US): evaluating the organisation's IT controls and thus providing new IT governance rules; the IS auditor should consider the impact of SOX as part of audit planning
    - US Securities and Exchange Commission
    - COSO of the Treadway Commission
    - Basle II Committee on Banking Supervision of UK recommends conditions (besides credit exposures) which will improve:
      - Credit risk management
      - Operational risk management
      - The management of IS through clearly defined requirements

  • ISACA IS AUDITING STANDARDS AND GUIDELINES

    Let's refer to pages 14-21 of the CISA Review Manual 2008

  • ISACA IS AUDITING GUIDELINES
    - The objective of the ISACA IS Auditing Guidelines is to provide further information on how to comply with the ISACA IS Auditing Standards
    - The IS auditor should:
      - Consider them in determining how to implement the above standards
      - Use professional judgment in applying them
      - Be able to justify any departure

  • Performing an IS Audit
    Required steps:
    - Adequate planning
    - Assess overall risks
    - Develop an audit program consisting of objectives and procedures to satisfy the audit objectives
    - Gather evidence; evaluate the strengths and weaknesses of controls based on the evidence gathered
    - Prepare an audit report that presents the issues in an objective manner
    - Follow-up reviews

  • Classification of audits
    - Financial audits: assess the correctness of an organisation's financial statements
    - Operational audits: assess the structure and strength of internal control, e.g. IS audits of application controls and logical security systems, HR audits, JIT audits, etc.
    - Integrated audits: combine the two above with an integrated approach, geared towards the overall objectives of the organisation; these could be internal or external
    - Administrative audits: assess issues relating to the efficiency of operational productivity within an organisation

  • Classification of audits
    - IS audits: the process of collecting and evaluating evidence to determine whether a computer system safeguards assets, maintains data integrity, allows organisational goals to be achieved effectively, and uses resources efficiently
    - Forensic audits: traditionally, forensic auditing has been defined as an audit specialised in discovering, disclosing and following up on frauds and crimes. Forensic investigation includes the analysis of electronic devices such as computers, phones, PDAs, disks, switches, routers, hubs and other equipment

  • Classification of audits
    - Specialised audits: IS audits involve a lot of specialised reviews that examine areas such as services provided by third parties and forensic auditing. SAS 70-type reviews provide guidance to enable an independent auditor to issue an opinion on a service organisation's description of controls through a service auditor's report

  • AUDIT PROGRAMS
    - An audit program is a road map for the IS auditor
    - Audit programs should focus on major activities and the key controls within and around such activities
    - Audit program development should take a structured approach in which the audit subject is broken down into phases, tasks and steps
    - It provides the methodology, suggested steps and procedures, assignment of work and the basis for a summary record of work

  • AUDIT PROGRAMS
    General audit procedures are the basic steps in the performance of an audit and usually include:
    - Obtaining and recording an understanding of the audit subject/area
    - Risk assessment and general audit plan and schedule
    - Detailed audit planning
    - Preliminary review of the audit area/subject
    - Evaluating the audit area/subject
    - Compliance testing (often referred to as tests of controls)
    - Substantive testing
    - Reporting (communicating results)
    - Follow-up

  • AUDIT PROGRAMS
    The IS auditor must understand the procedures for testing and evaluating information systems controls. These procedures could include:
    - The use of generalised audit software (GAS) to survey the contents of data files (including system logs)
    - The use of specialised software to assess the contents of operating parameter files
    - Flow-charting techniques for documenting automated applications and business processes
    - The use of audit reports available in operating systems
    - Documentation review
    - Observation

  • Audit procedures
    - These are detailed steps, instructions or guidelines provided for the collection and accumulation of a particular type of audit evidence during the audit
    - They could be verbal or written; when written, they need to be approved by audit supervisors
    - They should be clear enough for auditors to understand what is to be accomplished

  • Audit procedures
    - An example of an audit procedure might be: "Obtain physical inventory sheets and verify the accuracy... Note any exceptions."
    - Audit procedures usually start with an action word such as review, verify, look, observe, analyse, confirm, recompute, count, etc.
    - The IS auditor should have a sufficient understanding of these procedures to allow for the planning of appropriate audit tests

  • AUDIT METHODOLOGY
    - This is a set of documented audit procedures designed to achieve planned audit objectives
    - It contains a statement of scope, audit objectives and work programs
    - It should be set up and approved by audit management
    - It should be communicated to all audit staff (refer to Exhibit 1.2 on page 25 of the Review Manual)

  • WORKING PAPERS (WPs)
    - Any audit plans, programs, tests, activities, findings and incidents shall be properly documented in working papers
    - The format and media are optional, but due diligence and best practice require that WPs are dated, initialled, page-numbered, relevant, complete, clear, self-contained and properly labelled, filed and kept in custody
    - WPs can be considered the bridge or interface between the audit objectives and the final report and should therefore provide a seamless transition

  • WORKING PAPERS (WPs)
    - The audit report in this context should be viewed as just a particular WP
    - WPs do not necessarily have to be in hard copy

  • FRAUD DETECTION
    - Management is primarily responsible for establishing, implementing and maintaining a framework and design of IT controls to meet the internal control objectives
    - A well-designed internal control system provides good opportunities for deterring fraud and enables timely detection of fraud
    - Internal control may fail due to circumvention of controls by exploiting vulnerabilities, through management-perpetrated weaknesses in controls for undue advantage, or through collusion between people

  • FRAUD DETECTION
    - Legislation and regulations relating to corporate governance cast significant responsibilities on management, auditors and the audit committee regarding the detection and disclosure of any fraud, whether material or not
    - IS auditors entrusted with assurance functions should exercise reasonable care while performing their work and be alert to the possible opportunities that allow fraud to materialise
    - If, during the course of regular assurance work, the IS auditor comes across any instance of fraud or indicators of fraud, he/she may, after careful examination and evaluation, communicate the need for a detailed investigation to the appropriate authorities
    - Where the auditor identifies a major fraud, or where the risk associated with the detection is high, audit management should consider communicating to the audit committee in a timely manner

  • RISK ANALYSIS
    - Risk analysis is part of audit planning; it helps identify risks and vulnerabilities so that the auditor can determine the controls needed
    - Risk means different things to different people
    - In general, risk is any event that negatively affects the accomplishment of an objective

  • RISK ANALYSIS
    - Risk is the potential that a given threat will exploit vulnerabilities of an asset or group of assets to cause loss or damage to the assets. The impact or relative severity of the risk is proportional to the business value of the loss/damage and to the estimated frequency of the threat
    - Risk in the IT context has three elements:
      - Threats to, and vulnerabilities of, processes and/or assets
      - Impact on assets based on threats and vulnerabilities
      - Probability of threats (a combination of the likelihood and frequency of occurrence)

  • RISK ANALYSIS
    - Business risks are those threats that may negatively impact the assets, processes or objectives of a specific business or organisation
    - These threats may be:
      - Financial
      - Regulatory
      - Operational
    - The IS auditor often focuses on the high-risk areas associated with the CIA of sensitive and critical information

  • STEPS IN RISK ANALYSIS
    - Identification of business objectives, information assets and the underlying systems
    - Classification of systems: critical, sensitive
    - Identify risks and determine the probability of occurrence and the resulting impact
    - Identify controls that will:
      - Detect
      - Minimise the impact
      - Transfer the risk to another organisation
    - Perform a cost-benefit analysis (CBA) to select controls that reduce the risk to a level acceptable to management. The CBA is based on the following:
      - Cost as compared to the benefit
      - Management appetite for risk: the level of risk acceptable to management
      - Preferred risk reduction methods, e.g. terminate the risk, minimise the probability of occurrence, minimise the impact, transfer/insurance
    - Monitor the performance levels of the risks when there are significant changes in the environment. This involves:
      - Risk reassessment
      - Risk mitigation
      - Risk re-evaluation

  • RISK ANALYSIS
    Risk analysis serves the following purposes, assisting the IS auditor:
    - In identifying risks and threats
    - In the evaluation of controls in audit planning
    - In determining audit objectives
    - In supporting risk-based audit decisions

  • INTERNAL CONTROLS
    - These are policies, procedures, practices and organisational structures implemented to reduce risks
    - They operate at all levels within an organisation to mitigate corporate exposure to risks
    - The BOD and senior management are responsible for establishing the appropriate culture to facilitate an effective internal control system
    - There are two key aspects that controls should address:
      - What should be achieved, and
      - What should be avoided

  • INTERNAL CONTROLS
    Controls can be:
    - Preventive
      - Detect problems before they arise
      - Monitor both operations and inputs
      - Attempt to predict potential problems before occurrence and make adjustments
      - Prevent errors, omissions or malicious acts from occurring
    - Detective
      - Controls that detect and report the occurrence of an error, omission or malicious act
    - Corrective
      - Remedy problems
      - Minimise the impact of a threat
      - Identify the cause of a problem
    See Exhibit 1.2 on pages 23-24 for more details

  • INTERNAL CONTROL OBJECTIVES
    - These are statements of the desired result or purpose to be achieved by implementing control procedures in a particular activity
    - They include the following:
      - Internal accounting controls
      - Operational controls
      - Administrative controls

  • INTERNAL CONTROL OBJECTIVES
    Control objectives include:
    - Safeguarding of information assets
    - Compliance with corporate policies or legal requirements
    - Authorisation/input
    - Accuracy and completeness of transaction processing
    - Output
    - Reliability of process
    - Backup/recovery
    - Efficiency and economy of operations
    - Change management process for IT and related systems

  • IS CONTROL OBJECTIVES
    - Internal control objectives apply to all areas, whether manual or automated
    - Control objectives in an IS environment remain unchanged from those of a manual environment
    - But internal control objectives need to be addressed in a manner specific to IS-related processes

  • IS CONTROL OBJECTIVES
    IS control objectives include:
    - Safeguarding assets
    - Assuring the integrity of the general operating systems environment
    - Ensuring the efficiency and effectiveness of operations
    - Complying with users' requirements, organisational policies and applicable laws and regulations
    - Developing business continuity and disaster recovery plans
    - Developing an incident response and handling plan
    - Change management

  • COBIT
    - Control Objectives for Information and related Technology
    - 34 high-level control objectives representing IT processes, grouped into 4 domains:
      - Plan and Organise
      - Acquire and Implement
      - Deliver and Support
      - Monitor and Evaluate
    - Aims to ensure that adequate governance and control arrangements are provided for the IT environment
    - Has more than 200 detailed control objectives and uses 36 major standards and regulations relating to IT

  • COBIT
    - Directed to the management and staff of information services, control departments, audit functions and, most importantly, the business process owners using IT processes to assure the CIA of sensitive and critical information
    - Specific COBIT processes will not be tested, but candidates must know the framework's applications

  • GENERAL CONTROL PROCEDURES
    These apply to all areas of the organisation and are generally called internal controls. They include:
    - Internal accounting controls
    - Operational controls
    - Administrative controls
    - Logical security policies and procedures
    - Overall policies for the design and use of adequate documents and records to help ensure proper recording
    - Procedures and features to ensure adequate safeguards over access to and use of assets and facilities
    - Physical security policies for all data centres

  • IS CONTROL PROCEDURES
    - Each general control procedure can be translated into an IS-specific control procedure
    - IS control procedures include:
      - Strategy and direction
      - General organisation and management
      - Access to data and programs
      - System development methodologies and change control
      - Data processing operations

  • IS CONTROL PROCEDURES
    - Systems programming and technical support functions
    - Data processing quality assurance procedures
    - Physical access controls
    - Business continuity / disaster recovery planning (BC/DRP)
    - Network and communications
    - Database administration

  • Audit risk and Materiality
    - A risk-based audit approach assists the auditor in determining the nature and extent of testing, besides helping make the decision to complete a compliance or a substantive test
    - Within this concept, inherent risk, control risk or detection risk should not be the main concern of the auditor despite major weaknesses
    - IS auditors are not just relying on risk; they also rely on internal and operational controls as well as knowledge of the company or the business
    - This type of risk assessment decision can help relate the cost-benefit analysis of the control to the known risk, allowing practical choices

  • AUDIT RISK AND MATERIALITY
    See Exhibit 1.4 on page 32 for a risk-based audit approach:
    - Gather information and plan
    - Obtain an understanding of internal control
    - Perform compliance tests
    - Perform substantive tests
    - Conclude the audit

    Audit risk can be defined as the risk that the information/financial report may contain material errors that go undetected during the course of the audit

  • AUDIT RISK AND MATERIALITY
    Audit risk can be categorised as:
    - Inherent risk: the risk that an error exists that could be material or significant when combined with other errors encountered during the audit, assuming there are no related compensating controls. Inherent risks exist independently of an audit and can occur because of the nature of the business

  • AUDIT RISK AND MATERIALITY
    - Control risk: the risk that a material error exists that will not be prevented or detected in a timely manner by the internal control system
    - Detection risk: the risk that an IS auditor uses an inadequate test procedure and concludes that material errors do not exist when in fact they do

    Audit risk = IR x CR x DR (inherent risk x control risk x detection risk)

  • AUDIT RISK AND MATERIALITY
    - Audit risk is also sometimes used to describe the level of risk that the IS auditor is prepared to accept during an audit engagement
    - NB: audit risk should not be confused with statistical sampling risk, which is the risk that incorrect assumptions are made about the characteristics of a population from which a sample is selected
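A worked version of the audit risk model above, added here as an example (it is not part of the lecture notes): it computes the achieved audit risk from IR, CR and DR, solves the same equation for the detection risk the auditor can afford once the acceptable audit risk is fixed, and maps that figure to the extent of substantive testing. The cut-off values in substantive_testing_extent are illustrative assumptions.

```python
"""Audit risk model AR = IR x CR x DR: compute the achieved audit risk, and
solve for the detection risk the auditor can tolerate given the audit risk
he or she is prepared to accept. Added example; the extent thresholds are
assumptions for illustration."""


def _check_probability(name, value):
    """Each component of the model is a probability; reject anything outside [0, 1]."""
    if not 0.0 <= value <= 1.0:
        raise ValueError(f"{name} must lie between 0 and 1, got {value}")


def audit_risk(inherent_risk, control_risk, detection_risk):
    """Achieved audit risk: AR = IR x CR x DR."""
    for name, value in (("IR", inherent_risk), ("CR", control_risk),
                        ("DR", detection_risk)):
        _check_probability(name, value)
    return inherent_risk * control_risk * detection_risk


def planned_detection_risk(inherent_risk, control_risk, acceptable_audit_risk):
    """Largest detection risk that still keeps AR within the acceptable level.

    Solving AR = IR x CR x DR for DR gives DR = AR / (IR x CR). Two edge cases:
    if IR x CR is zero there is no residual risk left for the auditor to detect,
    and DR cannot exceed 1 because it is itself a probability."""
    for name, value in (("IR", inherent_risk), ("CR", control_risk),
                        ("acceptable AR", acceptable_audit_risk)):
        _check_probability(name, value)
    residual = inherent_risk * control_risk
    if residual == 0:
        return 1.0
    return min(1.0, acceptable_audit_risk / residual)


def substantive_testing_extent(detection_risk):
    """Translate the planned DR into how much substantive work is needed: a low
    tolerable DR means the auditor must lean heavily on substantive tests.
    The cut-offs are assumed for illustration, not taken from the lecture."""
    if detection_risk >= 0.5:
        return "minimal"
    if detection_risk >= 0.2:
        return "moderate"
    return "extensive"


def plan(inherent_risk, control_risk, acceptable_audit_risk):
    """Planning step: returns (planned DR, extent of substantive testing)."""
    dr = planned_detection_risk(inherent_risk, control_risk, acceptable_audit_risk)
    return dr, substantive_testing_extent(dr)


if __name__ == "__main__":
    # Same inherent risk and acceptable audit risk; compliance testing found
    # strong controls (CR = 0.2) in one case and weak controls (CR = 0.5) in the other.
    print(plan(0.8, 0.2, 0.05))   # DR = 0.3125 -> moderate substantive testing
    print(plan(0.8, 0.5, 0.05))   # DR = 0.125  -> extensive substantive testing
```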

  • MATERIALITY
    - The word materiality, associated with any of these components of risk, refers to an error that should be considered significant to any party concerned with the item in question
    - Materiality considerations combined with audit risk are essential concepts for planning the areas to be audited as well as the specific tests to be performed in a given audit
    - The assessment of what is material is a matter of professional judgment

  • MATERIALITY
    - Types of errors:
      - Known errors: detected errors
      - Likely errors: estimated errors
      - Possible errors: errors implicit in sampling work
    - Due professional care requires that the auditor consider the relative materiality or significance of matters to which audit procedures are applied

  • MATERIALITY
    - Who should set materiality? The auditor and auditee should arrive at an understanding about the levels of materiality and the assurance level to be applied in an audit; this understanding should be based on cost-benefit considerations
    - Auditor judgment plays an important role in materiality, in the amount of audit work to be performed and in evaluating the evidence collected
    - The concept of materiality requires sound judgment from the IS auditor

  • Materiality
    - Materiality is therefore defined as the magnitude of a misstatement that would influence the judgment of a reasonable user of the financial statements
    - From an IS audit point of view, the concept refers not only to financial statements but also to business operations and computer systems
    - Materiality is to be evaluated:
      - From a financial standpoint, in relation to the financial statements as a whole
      - From an operations standpoint, in relation to a specific operation under consideration as well as all other operations affected by it
      - From a computer systems standpoint, in relation to a specific information system under consideration as well as all other interfacing systems affected by it
    - Material weaknesses in either business operations or computer systems may or may not directly affect the financial statements

  • RISK ASSESSMENT TECHNIQUES
    - There are many assessment methodologies, computerised and non-computerised, available from which the IS auditor may choose
    - These range from simple classifications of high, medium and low, based on the IS auditor's judgment, to complex and apparently scientific calculations that provide a numeric risk rating
    - One such risk assessment approach is a scoring system, which is useful in prioritising audits based on an evaluation of risk factors
    - Another form is judgmental, based on business knowledge, executive management directives, historical perspectives, business goals and environmental factors

  • RISK ASSESSMENT TECHNIQUES
    Using risk assessment to determine the areas to be audited:
    - Enables management to effectively allocate limited audit resources
    - Ensures that relevant information has been obtained from all levels of management, including the BOD
    - Establishes a basis for effectively managing the audit department
    - Provides a summary of how the individual audit subject is related to the overall organisation as well as to the business plans

  • COMPLIANCE vs SUBSTANTIVE TESTING
    - The identification of key control points allows the IS auditor to develop a preliminary understanding, through compliance tests of those controls, of whether they are working as expected
    - The results of these compliance tests allow the IS auditor to design more extensive compliance or substantive tests
    - There is a difference between evidence gathering for the purpose of testing an organisation's compliance with control procedures and evidence gathering to evaluate the integrity of individual transactions, data or information
    - The former procedures are called compliance tests and the latter substantive tests

  • COMPLIANCE vs SUBSTANTIVE TESTING
    - A compliance test determines if controls are being applied in a manner that complies with management policies and procedures
    - It is important that the IS auditor understands the specific objective of a compliance test and the control being tested
    - Compliance tests can be used to test the existence and effectiveness of a defined process, which may include a trail of documentary and/or automated evidence

  • COMPLIANCE vs SUBSTANTIVE TESTING
    - A substantive test substantiates the integrity of actual processing
    - It provides evidence of the validity and integrity of the balances in the financial statements and the transactions that support these balances
    - IS auditors use substantive tests to test for monetary errors directly affecting financial statement balances
    - An IS auditor may use a substantive test to determine if the tape library inventory records are correctly stated
    - There is therefore a correlation between the level of internal controls and the amount of substantive testing required

  • COMPLIANCE vs SUBSTANTIVE TESTING
    - If the results of the testing of controls (compliance tests) reveal the presence of adequate internal controls, then the IS auditor is justified in minimising the substantive procedures
    - Conversely, if the testing of controls reveals weaknesses in controls that may raise doubt about the completeness, accuracy or validity of the accounts, substantive testing can alleviate those doubts
    - See Exhibit 1.5 on page 37

  • EVIDENCE
    - This is any information used by the IS auditor to determine whether the entity or data being audited follows the established audit criteria or objectives
    - It is a requirement that the auditor's conclusions be based on sufficient, relevant and competent evidence
    - When planning the audit work, the IS auditor should take into account the type of audit evidence to be gathered

  • EVIDENCE: Audit evidence may include the IS auditor's observations, notes taken from interviews, material extracted from correspondence and internal documentation, or the results of audit test procedures

  • EVIDENCE: QUALITIES OF GOOD EVIDENCE
    - Sufficiency
    - Relevance
    - Competence

  • EVIDENCE
    - Determinants for evaluating the reliability of audit evidence include:
      - Independence of the provider
      - Qualification of the provider
      - Objectivity of the evidence
      - Timing of the evidence
    - Both the quality and the quantity of evidence must be assessed by the auditor
    - These two characteristics are referred to by the IFAC as competent (quality) and sufficient (quantity)
    - Evidential matter is competent when it is both valid and relevant

  • EVIDENCE
    The following are techniques for gathering evidence:
    - Reviewing the information systems organisation structure
    - Reviewing IS policies and procedures
    - Reviewing information systems standards
    - Reviewing information systems documentation
    - Interviewing appropriate personnel
    - Observing processes and employee performance

  • INTERVIEWING AND OBSERVING PERSONNEL IN THE PERFORMANCE OF THEIR DUTIES
    This assists the IS auditor in identifying:
    - Actual functions
    - Actual processes/procedures
    - Security awareness
    - Reporting relationships

  • SAMPLING
    - Sampling is used when time and cost considerations preclude a total verification of all transactions or events in a predefined population
    - As a general rule, the larger the sample, the more representative the sample is of the population

  • SAMPLING
    - The two general approaches to audit sampling are statistical and non-statistical
    - Statistical sampling:
      - An objective method of determining sample size and selection criteria
      - The IS auditor quantitatively decides how closely the sample should represent the population (sample precision) and the number of times in 100 that the sample will represent the population

  • SAMPLING
    - Non-statistical sampling:
      - Judgmental sampling: sample size and selection decisions are based on subjective judgment
      - Most risky

  • SAMPLING
    There are two approaches:
    - Attribute sampling:
      - Expressed in rates of incidence
      - Applied in compliance testing
      - Deals with the presence or absence of the attribute
    - Variable sampling:
      - Expressed in units such as dollars, weight, etc.
      - Used in substantive testing situations

  • SAMPLING
    Other attribute sampling methods:
    Stop-or-go sampling:
    - Helps prevent excessive sampling of an attribute by allowing an audit test to be stopped at the earliest possible moment
    - Used when the IS auditor believes that relatively few errors will be found in the population
    Discovery sampling:
    - Used when the occurrence rate is extremely low
    - Used when the objective is to seek out (discover) fraud, circumvention of regulations or other irregularities

  • SAMPLING
    Variable sampling models:
    - Stratified mean per unit
    - Unstratified mean per unit
    - Difference estimation

  • SAMPLING TERMS
    - Confidence coefficient
    - Level of risk
    - Precision
    - Expected error rate
    - Sample mean
    - Sample standard deviation
    - Tolerable error rate
    - Population standard deviation

  • SAMPLING
    Key steps in the construction and selection of a sample for an audit test include:
    - Determine the objectives of the test
    - Define the population to be sampled and the sampling method
    - Calculate the sample size
    - Evaluate the sample from an audit perspective

  • SAMPLING
    Key concepts to remember: a good sample should be:
    - Representative: the sample estimates the true population characteristics as closely as possible
    - Corrective: locates as many error items as possible so that they can be corrected
    - Protective: attempts to include the maximum number of high-value items in the sample
    - Preventive: gives auditees no idea which items will be selected during the audit
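The sampling methods and terms covered in the slides above (attribute sample size from confidence coefficient, expected error rate and precision; discovery and stop-or-go sampling; the mean-per-unit and difference-estimation variable sampling models) worked through in Python as an added example. This is not part of the lecture or of any ISACA tool, and the confidence levels, error rates and monetary figures used are constructed for illustration.

```python
import math
from statistics import NormalDist

def attribute_sample_size(confidence, expected_error_rate, precision):
    """Attribute sampling: items to test so the observed deviation rate lies
    within +/- precision of the true rate at the given confidence coefficient
    (normal approximation of the binomial)."""
    z = NormalDist().inv_cdf(1 - (1 - confidence) / 2)  # two-sided z score
    p = expected_error_rate
    return math.ceil(z * z * p * (1 - p) / precision ** 2)

def discovery_sample_size(confidence, occurrence_rate):
    """Discovery sampling: smallest sample that contains at least one instance
    with the given confidence, if the true occurrence rate is occurrence_rate
    or higher (used when occurrences such as fraud are expected to be rare)."""
    return math.ceil(math.log(1 - confidence) / math.log(1 - occurrence_rate))

def stop_or_go(items, is_deviation, confidence, tolerable_rate):
    """Stop-or-go: test items one at a time and stop at the earliest moment a
    conclusion is supported. Zero deviations in discovery_sample_size() items
    shows the deviation rate is below tolerable_rate at the given confidence;
    the first deviation stops the test so the auditor can revise the plan."""
    needed = discovery_sample_size(confidence, tolerable_rate)
    tested = 0
    for item in items:
        tested += 1
        if is_deviation(item):
            return tested, "deviation found: extend sample or revise plan"
        if tested >= needed:
            return tested, "accept: deviation rate below tolerable rate"
    return tested, "population exhausted before conclusion"

def mean_per_unit(population_size, sample_values):
    """Unstratified mean-per-unit variable sampling: project the sample mean
    over the whole population to estimate its total value."""
    return population_size * sum(sample_values) / len(sample_values)

def difference_estimation(population_size, book_total, sample_pairs):
    """Difference estimation: project the mean (audited - book) difference of
    the sample onto the population and adjust the recorded book total."""
    diffs = [audited - book for book, audited in sample_pairs]
    return book_total + population_size * sum(diffs) / len(diffs)

if __name__ == "__main__":
    # Constructed figures: 95% confidence, 5% expected error, 3% precision.
    print(attribute_sample_size(0.95, 0.05, 0.03))  # 203
    print(discovery_sample_size(0.95, 0.01))        # 299
```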

  • CAAT
    - Computer-assisted audit techniques (CAATs) help the auditor in gathering and analysing information from different environments with varied data structures, record formats, processing functions, etc.
    - They help the auditor in independently accessing data from different database platforms for analysis.
    - Features include mathematical computation, stratification, statistical analysis, sequence checking, duplicate checking and recomputation.
    - These tools include generalised audit software (GAS), utility software, test data, application software tracing and mapping, and expert systems.

  • CAAT
    Examples include:
    - File access
    - File reorganisation
    - Data selection
    - Statistical functions
    - Arithmetical functions

  • CAAT
    These tools and techniques can be used in performing:
    - Tests of details of transactions and balances
    - Analytical review procedures
    - Compliance tests of IS general controls
    - Compliance tests of IS application controls
    - Penetration and OS vulnerability assessment testing
    See page 44 for the CAAT summary.
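The GAS-style functions named in the CAAT slides (file access, sequence checking, duplicate checking, recomputation and stratification) as an added Python example, run over a constructed transaction export; this is not code from the lecture or from any CAAT product, and the file layout and values are invented for illustration.

```python
from collections import Counter
from decimal import Decimal

# Constructed transaction export (not real data): id, account, quantity,
# unit price and the extended amount the application recorded.
SAMPLE_FILE = """txn_id,account,qty,unit_price,extended
1001,ACC-01,3,10.00,30.00
1002,ACC-02,2,25.50,51.00
1004,ACC-01,1,99.99,99.99
1004,ACC-01,1,99.99,99.99
1005,ACC-03,10,4.75,47.50
1006,ACC-02,4,12.00,49.00
"""

def parse_file(text):
    """File access: read the CSV export into records the other checks use."""
    rows = []
    for line in text.strip().splitlines()[1:]:
        txn, acct, qty, price, ext = line.split(",")
        rows.append({"txn_id": int(txn), "account": acct, "qty": int(qty),
                     "unit_price": Decimal(price), "extended": Decimal(ext)})
    return rows

def sequence_gaps(rows):
    """Sequence checking: ids missing from the range of observed ids."""
    ids = {r["txn_id"] for r in rows}
    return [i for i in range(min(ids), max(ids) + 1) if i not in ids]

def duplicates(rows):
    """Duplicate checking: transaction ids recorded more than once."""
    counts = Counter(r["txn_id"] for r in rows)
    return sorted(i for i, c in counts.items() if c > 1)

def recomputation_exceptions(rows):
    """Recomputation: rows whose qty * unit_price differs from the recorded
    extended amount."""
    return [r["txn_id"] for r in rows
            if r["qty"] * r["unit_price"] != r["extended"]]

def stratify(rows, upper_bounds):
    """Stratification: item count and total value per amount band. Each band is
    'up to and including' its bound; amounts above the last bound go to 'over'."""
    strata = {b: [0, Decimal(0)] for b in upper_bounds}
    strata["over"] = [0, Decimal(0)]
    for r in rows:
        band = next((b for b in upper_bounds if r["extended"] <= b), "over")
        strata[band][0] += 1
        strata[band][1] += r["extended"]
    return strata
```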

  • COMMUNICATING AUDIT RESULTS
    The exit interview should round up an audit and should achieve the following:
    - Ensure that the facts presented in the report are correct
    - Ensure that the recommendations are realistic and cost-effective; if not, seek alternatives
    - Recommend implementation dates for agreed recommendations

  • COMMUNICATING AUDIT RESULTS
    Presentation techniques could include:
    - Executive summary (report synopsis)
    - Visual presentation
    - The IS auditor should discuss the findings with auditee management to gain agreement on the findings and develop corrective actions.
    - Where there is disagreement, the IS auditor should elaborate on the significance of the finding, the risks, and the effect of not correcting the control weakness.
    - Sometimes auditee management may request assistance from the IS auditor in implementing the recommended control enhancements.
    - The IS auditor should communicate the difference between the IS auditor's role and that of a consultant, and give careful consideration to how assisting the auditee may adversely affect the IS auditor's independence.

  • AUDIT REPORT STRUCTURE AND CONTENTS
    - Audit reports are the end product of IS audit work, presenting findings and recommendations.
    - Audit report formats vary by organisation; there is no specific format for an IS audit report.

  • AUDIT REPORT STRUCTURE AND CONTENTS
    Audit reports, however, usually have the following structure and content:
    - Introduction
    - Conclusion
    - Reservations and qualifications
    - Detailed audit findings
    - Limitations to the audit
    - Statement on the IS audit guidelines followed

  • AUDIT REPORT STRUCTURE AND CONTENTS
    - The IS auditor should exercise independence in the reporting process.
    - Management evaluates the findings and responds, stating the corrective actions to be taken and the timing for implementation.
    - Management may not be able to implement all the audit recommendations immediately.
    - The IS auditor should discuss the recommendation dates while in the process of releasing the audit report.
    - The IS auditor must realise that various constraints, such as staff limitations, budgets or other projects, may limit immediate implementation.
    - Management should develop a firm program for corrective action.
    - It is important to obtain a commitment from the auditee/management on the date by which the action plan will be completed, as the IS auditor might want to report to upper management on the progress of implementing the recommendations.

  • MGT ACTION TO IMPLEMENT RECOMMENDATIONS
    - The IS auditor should realise that auditing is an ongoing process.
    - The IS auditor should have an effective follow-up program to determine if corrective actions are being taken.
    - IS auditors who work for external audit firms may not necessarily follow this process.
    - They may perform these tasks only if agreed with the audited entity.

  • AUDIT DOCUMENTATION
    This includes:
    - Audit plan
    - A description or diagram of the IS environment
    - Audit programs
    - Minutes of meetings
    - Audit evidence
    - Findings
    - Conclusions and recommendations
    - Follow-up documentation
    Documentation must be kept in safe custody according to retention policies. The exact content is organisation specific (see ISACA guideline 060.020.010, Audit Documentation).

  • AUDIT DOCUMENTATION
    Includes:
    - The planning and preparation of the audit scope and objectives
    - The information systems environment
    - The audit program
    - The audit steps performed and audit evidence gathered
    - The audit findings, conclusions and recommendations
    - Any report issued as a result of the work
    - Supervisory review

  • CONSTRAINTS ON THE CONDUCT OF THE AUDIT
    Auditors:
    - Availability of audit staff
    - Holidays
    - Time off for professional conferences
    Auditees:
    - Recent employee turnover or availability
    - Infringement on deadline dates or cyclical processing dates
    - Overall lack of knowledge or documentation
    To work within these constraints, IS auditors should have a good understanding of overall project management techniques.

  • Project Mgt Techniques
    - Could be automated or manual
    - Include the following basic steps:
      - Develop a detailed plan
      - Report project activity against the plan
      - Adjust the plan and take corrective action

  • CONTROL SELF-ASSESSMENT (CSA)
    - A management technique that assures stakeholders, customers and other parties that the internal control system of the business is reliable.
    - It ensures that employees are aware of the risks to the business and conduct periodic proactive reviews of controls.
    - It is a methodology used to review key business objectives and the risks involved in achieving them.
    - In practice, CSA is a series of tools on a continuum of sophistication, ranging from simple questionnaires to facilitated workshops, designed to gather information.

  • CONTROL SELF-ASSESSMENT (CSA)
    - It can be implemented by various methods.
    - For small business units within an organisation, it can be done through workshops.
    - In a large organisation it could be done through questionnaires or a hybrid of the two.
    - See Exhibit 1.6.

  • OBJECTIVES OF CSA
    - To leverage the internal audit function by shifting control monitoring responsibilities to the functional areas.
    - It is not intended to replace audit's responsibilities BUT to enhance them.
    - Clients, such as line managers, are responsible for controls in their environment; they should also be responsible for monitoring them.
    - CSA must educate management about control design and monitoring, concentrating particularly on high-risk areas.
    - A generic set of CSFs, KPIs and KGIs for each process, which can be used in designing and monitoring the CSA program, has been provided in the COBIT management guidelines.

  • BENEFITS OF CSA
    - Early detection of risks
    - More effective and improved internal controls
    - Increased employee awareness of organisational objectives and knowledge of risks and internal controls
    - Increased communication between operational and top management
    - Improved audit rating process
    - Reduction in control cost
    - Necessary assurance provided to stakeholders and customers

  • DISADVANTAGES OF CSA
    - It could be mistaken as a replacement for the audit function.
    - It is regarded as additional workload, i.e. additional reporting to management.
    - Failure to act on improvement suggestions could damage employee morale.
    - Lack of motivation may limit effectiveness in the detection of weak controls.

  • AUDITOR'S ROLE
    - The auditor's role should be considered enhanced when the audit department embarks on a CSA program.
    - When these programs are established, auditors become internal control professionals and assessment facilitators.
    - Process improvement in control structures.
    - For the auditor to be effective in this facilitative and innovative role, he/she must understand the business process being assessed.
    - Auditors must remember that they are facilitators and the management client is the participant in the CSA process.

  • TRADITIONAL vs. CSA APPROACH

    | TRADITIONAL (HISTORICAL)        | CSA                                                                     |
    | Assigns duties/supervises staff | Empowered/accountable employees                                         |
    | Policy/rule-driven              | Continuous improvement/learning curve                                   |
    | Limited employee participation  | Extensive employee participation and training                           |
    | Narrow stakeholder focus        | Broad stakeholder focus                                                 |
    | Auditors and other specialists  | Staff at all levels, in all functions, are the primary control analysts |
    | Reporters                       | Reporters                                                               |

  • Emerging changes in the IS audit process
    - Automated work papers
    - Integrated auditing
    - Continuous auditing

  • AUTOMATED WORK PAPERS
    - Audit documentation driven by automation
    - CIA (confidentiality, integrity, availability) rules must be applied
    Minimum controls include:
    - Access to work papers (WPs)
    - Audit trails
    - Automated features to provide and record approvals
    - Security and integrity controls regarding the OS, DBs and communication channels
    - Backup and restore procedures
    - Encryption techniques

  • INTEGRATED AUDITING
    This combines financial, operational and IS audit to evaluate risk. It involves:
    - Identification of relevant key controls
    - Review and understanding of the design of key controls
    - Testing that key controls are supported by the IT system
    - Testing that management controls operate effectively
    - A combined report or opinion on control risks, design and weaknesses

  • CONTINUOUS AUDITING
    - This is an emerging issue worldwide, as a result of corporate failures, e.g. Enron, WorldCom, Parmalat, etc.
    - Continuous auditing is different from continuous monitoring.
    - It rides on complete automation.

  • CONTINUOUS AUDITING
    The IT techniques used to operate a CA environment must work at all levels. These include:
    - Transaction logging
    - Query tools
    - Statistics and data analysis (CAAT)
    - Database management systems (DBMS)
    - Data warehouses, data marts, data mining
    - Embedded audit modules (EAM)
    - Artificial intelligence
    - Neural network technology
    - Standards such as Extensible Business Reporting Language (XBRL)

  • THIS IS A COMFORTABLE POINT TO SAY.

    THANK YOU AND BEST OF LUCK
