8/9/2019 CISA Review - Week 1
February 2, 2015

2005 CISA REVIEW COURSE
Chapter 1: The IS Audit Process
Presented By: Shiva Goundar & Blesson Samuel

What is CISA?
The CISA program is designed to assess and certify individuals in the IS audit, control and security profession who demonstrate exceptional skill and judgment. Requirements:
- Successfully complete the CISA Examination
- Adhere to the Information Systems Audit and Control Association's Code of Professional Ethics
- Submit evidence of a minimum of five (5) years of professional IS auditing, control or security work experience.

About the CISA Examination
- Test Date: Saturday, June 11th, 2005
- Consists of 200 multiple choice questions taken over a four hour period
- Exam questions cover 7 domains
  - Proportion of questions associated with each domain will vary as a percentage according to the overall significance of the domain within the examination
- Passing grade is a weighted score of 75 (Range: 25 to 99)

CISA Exam Domains
Process-based Area:
- The IS Audit Process (10% of examination)
Content Areas:
- Management, Planning and Organization of IS
- Technical Infrastructure and Operational Practices
- Protection of Information Assets
- Disaster Recovery and Business Continuity
- Business Application System Development, Acquisition, Implementation and Maintenance
- Business Process Evaluation and Risk Management

Chapter 1 - The IS Audit Process

What is the IS Audit Process?
The process of conducting IS audits in accordance with generally accepted IS audit standards and guidelines to ensure that the organization's information technology and business systems are adequately controlled, monitored and assessed.

Tasks of the IS Audit Process
- Develop and/or implement risk-based audit strategy and objectives
- Plan specific audits to ensure IS audit strategy & objectives are achieved
- Obtain sufficient, relevant, reliable, useful evidence
- Analyze information to identify conditions and reach conclusions
- Review work performed to verify objectives have been achieved
- Communicate audit results to key managers and stakeholders

Audit Charter
- Document clearly stating management's overall responsibility and objectives for the audit function (including IS audit)
- Defines authorities, scope and responsibilities of audit function
- Should be approved by highest level of management and audit committee

IS Audit Resource Management
- IS Auditors are limited and technology is constantly changing
- Need to update existing skills and obtain training for new audit techniques and technologies
- Skills and knowledge should be taken into consideration when planning audits
- Necessary resources should be provided for specialized audits (software, network intrusion tests, penetration testing)

Audit Planning Steps
- Gain understanding of the business mission, objectives, and purpose
- Identify policies, standards, procedures, organizational structure, etc.
- Evaluate management's risk assessment and privacy impact analysis
- Perform risk analysis
- Conduct internal control review
- Set scope and objectives
- Develop approach/strategy
- Assign resources/address logistics

Understanding the Business
- Tour key organizational facilities
- Read background materials (industry publications, annual reports, etc.)
- Review long-term strategic plan
- Interview key managers to understand business issues
- Review prior reports

Effect of Laws & Regulation
- Each organization will need to comply with a number of governmental and external requirements, regardless of size or industry
- Two areas of concern that impact audit scope/objective:
  - Legal requirements placed on audit (IS audit)
  - Legal requirements placed on auditee and/or their systems, data management, reporting, etc.

Steps to Determine Level of IT Compliance to External Requirements
- Identify governmental and other external requirements for:
  - Electronic data, copyrights, e-commerce, etc.
  - Computer system practices and controls
  - Manner of storing computers, programs, and data
  - Organization or activities of information services

Steps to Determine Level of IT Compliance to External Requirements (continued)
- Document pertinent laws and regulations
- Assess whether management have considered requirements in making plans and setting policies/standards/procedures
- Review internal IS department/function/activity documents that address adherence
- Determine adherence to these procedures

ISACA Code of Professional Ethics
- Support the implementation of, and encourage compliance with, appropriate standards, procedures and controls for information systems.
- Perform their duties with objectivity, due diligence and professional care, in accordance with professional standards and best practices.
- Serve in the interest of stakeholders in a lawful and honest manner, while maintaining high standards of conduct and character, and not engage in acts discreditable to the profession.
- Maintain the privacy and confidentiality of information obtained in the course of their duties unless disclosure is required by legal authority. Such information shall not be used for personal benefit or released to inappropriate parties.
- Maintain competency in their respective fields and agree to undertake only those activities which they can reasonably expect to complete with professional competence.
- Inform appropriate parties of the results of work performed, revealing all significant facts known to them.
- Support the professional education of stakeholders in enhancing their understanding of information systems security and control.

IS Audit Standards
- Audit Charter
- Independence
- Professional Ethics and Standards
- Competence
- Planning
- Performance of Audit Work
- Reporting

IS Audit Guidelines & Procedures
- Guidelines - Provide information on how to comply with IS Audit Standards
- Procedures - Provide examples of steps an IS auditor may follow to implement standards
(Guidelines and Procedures available at www.isaca.org/standards)

Elements of Risk in Information Security
- Threats to, and vulnerabilities of, processes and/or assets
- Impact on assets based on threats & vulnerabilities
- Probability of threats (combination of likelihood and frequency of occurrence)

Purposes of Risk Analysis
- Identify risks and threats that would need to be addressed by management. Assists IS auditors in their own risk assessment
- Assists auditor in determining audit objectives
- Supports risk-based audit decision
(See Chapter for detailed information)

Risk Mitigation
- After risks are determined, controls should be identified to mitigate risks
- Countermeasures should be assessed using cost-benefit analysis:
  - Cost of control compared to benefit of minimizing risk
  - Management's appetite for risk
  - Preferred risk reduction methods (terminate risk, reduce probability, minimize impact, insurance)

Monitoring Risk Management
- Identify changes to environment that would require risk re-assessment, and related changes to control environment:
  - Risk assessment
  - Risk mitigation
  - Risk evaluation

Internal Controls
- Policies, procedures, practices, and organizational structures put into place to reduce risks
- Provide reasonable assurance that business objectives are met, and undesired risks are prevented or detected and corrected
- Controls address what should be achieved, and what should be avoided

Control Classifications

Class         Function
Preventative  - Detect problems before they arise
              - Monitor operation and inputs
              - Attempt to predict problems before they occur & make adjustments
              - Prevent an error, omission or malicious act
Detective     - Detect occurrence of an error, omission, or malicious act
Corrective    - Minimize impact of threat
              - Remedy problems from detective controls
              - Identify cause of problem / Correct errors arising from problem
              - Modify processes to minimize future occurrence

IS Control Objectives
- Safeguarding assets
- Assuring integrity of general operating system environments, network management, and operations
- Assuring integrity of sensitive critical and sensitive application system environments
- Assuring efficiency and effectiveness of operations
- Complying with user requirements & organizational
- Developing BCP and DRP
- Developing incident response and handling plans

General Control Procedures
- Internal Accounting Controls

Performing an IS Audit
Definition of auditing
Systematic process by which a competent, independent person objectively obtains and evaluates evidence regarding assertions about an economic entity or event, for the purpose of forming an opinion about and reporting on the degree to which the assertion conforms to an identified set of standards.

Performing an IS Audit
Classification of audits:

Performing an IS Audit
Audit methodology/strategy
- Statement of scope
- Statement of audit objectives
- Statement of work program
- Typical audit phases

Performing an IS Audit
Audit risk and materiality
- A risk-based audit approach is used to assess risk and assist with an IS auditor's decision to perform either compliance or substantive testing

Performing an IS Audit
Risk-based approach
- Emphasis on knowledge of the business and technology

Performing an IS Audit
Types of risk
- Inherent risk
- Control risk
- Detection risk
- Overall audit risk

Performing an IS Audit
Risk Assessment Techniques
- Enables management to effectively allocate limited audit resources
- Ensures that relevant information has been obtained
- Establishes a basis for effectively managing the audit department
- Provides a summary of how the individual audit subject is related to the overall organization and to business plans

Performing an IS Audit
- Control objectives vs. audit objectives
- Relationship between substantive and compliance tests
- Correlation between the level of internal controls and substantive testing required

Performing an IS Audit
Evidence - It is a requirement that the auditor's conclusions must be based on sufficient, competent evidence.
- Independence of the provider of the evidence
- Qualification of the individual providing the information or evidence
- Objectivity of the evidence
- Timing of evidence

Performing an IS Audit
Techniques for gathering evidence:
- Review IS organization structures
- Review IS policies, procedures and standards
- Review IS documentation
- Interview appropriate personnel
- Observe processes and employee performance.

Performing an IS Audit
Sampling
General approaches to audit sampling:
- Statistical sampling
- Non-statistical sampling
Methods of sampling used by auditors:
- Attribute sampling
- Variable sampling

Performing an IS Audit
Sampling (Continued)
Attribute sampling:
- Sample-size attribute sampling
- Stop-or-go sampling
- Discovery sampling
Variable sampling:
- Stratified mean per unit
- Unstratified mean per unit
- Difference estimation

Performing an IS Audit
Statistical sampling terms:
- Confidence coefficient
- Level of risk
- Precision
- Expected error rate
- Sample mean
- Sample standard deviation
- Tolerable error rate
- Population standard deviation
Key steps in choosing a sample
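Worked calculations for the sampling methods and terms on the two preceding slides, as an added example that is not part of the original course material: it assumes a normal approximation for the attribute and difference-estimation cases, and all sample data is constructed.

```python
# Added example (not from the slides): attribute, discovery and difference-
# estimation sampling, using the terms confidence coefficient, expected error
# rate, precision, tolerable error rate and sample mean / standard deviation.
# Assumption: normal approximation for attribute and variable sampling.
import math
import statistics

# Confidence coefficient -> z value (two-sided normal quantile)
Z = {0.90: 1.645, 0.95: 1.960, 0.99: 2.576}


def attribute_sample_size(confidence, expected_error_rate, precision):
    """Fixed sample-size attribute sampling: items to test so that the
    observed deviation rate lies within +/- precision of the true rate."""
    z, p = Z[confidence], expected_error_rate
    return math.ceil(z * z * p * (1 - p) / precision ** 2)


def discovery_sample_size(confidence, critical_rate):
    """Discovery sampling: smallest n that finds at least one deviation with
    probability >= confidence if the true rate is critical_rate (or worse)."""
    return math.ceil(math.log(1 - confidence) / math.log(1 - critical_rate))


def evaluate_attribute_sample(deviations, confidence, tolerable_error_rate):
    """Compliance-test result for a list of 0/1 outcomes (1 = deviation).
    Returns (sample rate, upper deviation limit, control can be relied on).
    Edge case: with zero deviations the normal approximation collapses to 0,
    so the exact one-sided binomial upper bound is used instead."""
    n, found = len(deviations), sum(deviations)
    rate = found / n
    if found == 0:
        upper = 1 - (1 - confidence) ** (1 / n)
    else:
        upper = rate + Z[confidence] * math.sqrt(rate * (1 - rate) / n)
    return rate, upper, upper <= tolerable_error_rate


def difference_estimate(book, audited, population_size, population_book_total,
                        confidence):
    """Variable sampling by difference estimation: project the sample's mean
    (audited - book) difference onto the population. Returns the estimated
    audited total and the precision (half-width) at the given confidence."""
    diffs = [a - b for a, b in zip(audited, book)]
    mean_diff, sd = statistics.mean(diffs), statistics.stdev(diffs)
    estimate = population_book_total + population_size * mean_diff
    precision = Z[confidence] * population_size * sd / math.sqrt(len(diffs))
    return estimate, precision


if __name__ == "__main__":
    print("attribute n:", attribute_sample_size(0.95, 0.05, 0.03))
    print("discovery n:", discovery_sample_size(0.95, 0.01))
    # Constructed compliance sample: 100 items tested, 2 deviations found
    print(evaluate_attribute_sample([1, 1] + [0] * 98, 0.95, 0.05))
    # Constructed substantive sample: 5 of 1,000 receivables, book total 150,000
    print(difference_estimate([100, 250, 80, 120, 300], [100, 240, 80, 130, 295],
                              1000, 150000, 0.95))
```

The upper deviation limit, not the raw sample rate, is what gets compared with the tolerable error rate when deciding whether substantive testing can be reduced.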

Performing an IS Audit
Computer-assisted audit techniques
- CAATs are a significant tool for IS auditors to gather information independently
- CAATs include:
  - Generalized audit software (ACL, IDEA, etc.)
  - Utility software
  - Test data
  - Application software for continuous online audits
  - Audit expert systems

Performing an IS Audit
Computer-assisted audit techniques
- Need for CAATs
- Evidence collection

Performing an IS Audit
Computer-assisted audit techniques
- Examples of CAATs used to collect evidence
- Continuous online audit approach

Performing an IS Audit
Computer-assisted audit techniques
- Development of CAATs
- Documentation retention
- Access to production data
- Data manipulation

Performing an IS Audit
Evaluation of strengths and weaknesses
- Assess evidence
- Evaluate overall control structure
- Evaluate control procedures
- Assess control strengths and weaknesses

Judging Materiality of

Performing an IS Audit
Communicating audit results
- Audit report structure and contents
- Exit interview
- Presentation techniques
  - Executive summary
  - Visual presentation
  - Oral presentation

Performing an IS Audit
- Management actions to implement recommendations
- Auditing is an ongoing process
- Timing of follow-up
- Audit Documentation

Performing an IS Audit
Audit resource management
- IS auditors are a limited resource
- Appropriate skills and knowledge
- Constraints on the conduct of the audit
- Project management techniques

Control Self-Assessment
- Methodology to review key business objectives, associated risks, and controls to manage those risks
- Performed by management and/or work teams
- IS auditors serve as control experts and facilitators

Control Self-Assessment Tools
- Management meetings
- Client workshops
- Worksheets
- Rating Sheets
- Questionnaires
- CSA Project Approach

CSA Project Approach
- Primary objective is to leverage & enhance internal audit by shifting responsibility of monitoring controls to functional areas
- Must educate management on control design and monitoring
- Should determine measure of success for each phase to determine value of CSA and its future use

Traditional vs. CSA Approach

Traditional (Historical)            CSA
Assigns duties / supervises staff   Empowered / accountable employees
Policy / rule driven                Continuous improvement / learning curve
Limited employee participation      Extensive employee participation and training
Narrow stakeholder focus            Broad stakeholder focus
Auditors and other specialists      Staff at all levels, in all functions, are primary control analysts
Reporters                           Reporters

IT Governance
- Corporate Governance - Ethical corporate behavior by directors or others charged with governance in the creation and presentation of wealth for all stakeholders
- IT Governance - Structure of relationships and processes to direct and control enterprise to achieve its goals by adding value while balancing risk vs. return over IT and its processes
(See Chapter for detailed information)

Chapter 1: Glossary
- Administrative controls
- Attribute sampling
- Audit risk
- Compliance testing
- CAATs
- Control risk
- Embedded audit modules
- Materiality

Chapter 1: Recap
- Group discussion
- Questions

Chapter 1: Questions
2. The reason for having controls in an IS environment:
A. remains unchanged from a manual environment, but the implemented control features may be different.
B. changes from a manual environment, therefore the implemented control features may be different.
C. changes from a manual environment, but the implemented control features will be the same.
D. remains unchanged from a manual environment and the implemented control features will also be the same

Chapter 1: Questions
H. Which of the following types of risks assumes an absence of compensating controls in the area being reviewed?
A. Control risk
B. Detection risk
C. Inherent risk
D. Sampling risk

Chapter 1: Questions
J. An IS auditor is conducting substantive audit tests of a new accounts receivable module. The IS auditor has a tight schedule and limited computer expertise. Which would be the BEST audit technique to use in this situation?
A. Test data
B. Parallel simulation
C. Integrated test facility
D. Embedded audit module

Chapter 1: Questions
L. Which of the following BEST describes the early stages of an IS audit?
A. Observing key organizational facilities.
B. Assessing the IS environment.
C. Understanding business process and environment applicable to the review.
D. Reviewing prior IS audit reports.

Chapter 1: Questions
8. The document used by the top management of organizations to delegate authority to the IS audit function is the:
A. long-term audit plan.
B. audit charter.
C. audit planning methodology.
D. steering committee minutes

Chapter 1: Questions
:. While developing a risk-based audit program, which of the following would the IS auditor MOST likely focus on?
A. Business processes
B. Critical IT applications
C. Corporate objectives
D. Business strategies

Chapter 1: Questions
10. Which of the following is a substantive audit test?
A. Verifying that a management check has been performed regularly
B. Observing that user IDs and passwords are required to sign on the computer
C. Reviewing reports listing short shipments of goods received
D. Reviewing an aged trial balance of accounts receivable