CISA Review - Week 1

  • 8/9/2019 CISA Review - Week 1

    February 2, 2015

    2005 CISA REVIEW COURSE

    Chapter 1

    The IS Audit Process

    Presented By: Shiva Goundar & Blesson Samuel

    What is CISA?

    The CISA program is designed to assess and certify individuals in the IS audit, control and security profession who demonstrate exceptional skill and judgment. Requirements:

    - Successfully complete the CISA Examination

    - Adhere to the Information Systems Audit and Control Association's Code of Professional Ethics

    - Submit evidence of a minimum of five (5) years of professional IS auditing, control or security work experience.

    About the CISA Examination

    Test Date: Saturday, June 11th, 2005

    Consists of 200 multiple choice questions taken over a four hour period

    Exam questions cover 7 domains

    - Proportion of questions associated with each domain will vary as a percentage according to the overall significance of the domain within the examination

    Passing grade is a weighted score of 75 (Range = 25 to 99)

    CISA Exam Domains

    Process-based Area:

    - The IS Audit Process (10% of examination)

    Content Areas:

    - Management, Planning and Organization of IS

    - Technical Infrastructure and Operational Practices

    - Protection of Information Assets

    - Disaster Recovery and Business Continuity

    - Business Application System Development, Acquisition, Implementation and Maintenance

    - Business Process Evaluation and Risk Management

    Chapter 1 - The IS Audit Process

    What is the IS Audit Process?

    The process of conducting IS audits in accordance with generally accepted IS audit standards and guidelines to ensure that the organization's information technology and business systems are adequately controlled, monitored and assessed.

    Tasks of the IS Audit Process

    Develop and/or implement risk-based audit strategy and objectives

    Plan specific audits to ensure IS audit strategy & objectives are achieved

    Obtain sufficient, relevant, reliable, useful evidence

    Analyze information to identify conditions and reach conclusions

    Review work performed to verify objectives have been achieved

    Communicate audit results to key managers and stakeholders

    Audit Charter

    Document clearly stating management's overall responsibility and objectives for the audit function (including IS audit)

    Defines authorities, scope and responsibilities of audit function

    Should be approved by highest level of management and audit committee

    IS Audit Resource Management

    IS Auditors are limited and technology is constantly changing

    Need to update existing skills and obtain training for new audit techniques and technologies

    Skills and knowledge should be taken into consideration when planning audits

    Necessary resources should be provided for specialized audits (software, network intrusion tests, penetration testing)

    Audit Planning Steps

    Gain understanding of the business mission, objectives, and purpose

    Identify policies, standards, procedures, organizational structure, etc.

    Evaluate management's risk assessment and privacy impact analysis

    Perform risk analysis / Conduct internal control review

    Set scope and objectives / Develop approach/strategy

    Assign resources/address logistics

    Understanding the Business

    Tour key organizational facilities

    Read background materials (industry publications, annual reports, etc.)

    Review long-term strategic plan

    Interview key managers to understand business issues

    Review prior reports

    Effect of Laws & Regulation

    Each organization will need to comply with a number of governmental and external requirements, regardless of size or industry

    Two areas of concern that impact audit scope/objective:

    - Legal requirements placed on audit (IS audit)

    - Legal requirements placed on auditee and/or their systems, data management, reporting, etc.

    Steps to Determine Level of IT Compliance to External Requirements

    Identify governmental and other external requirements for:

    - Electronic data, copyrights, e-commerce, etc.

    - Computer system practices and controls

    - Manner of storing computers, programs, and data

    - Organization or activities of information services

    Steps to Determine Level of IT Compliance to External Requirements

    Document pertinent laws and regulations

    Assess whether management have considered requirements in making plans and setting policies/standards/procedures

    Review internal IS department/function/activity documents that address adherence

    Determine adherence to these procedures

    ISACA Code of Professional Ethics

    Support the implementation of, and encourage compliance with, appropriate standards, procedures and controls for information systems.

    Perform their duties with objectivity, due diligence and professional care, in accordance with professional standards and best practices.

    Serve in the interest of stakeholders in a lawful and honest manner, while maintaining high standards of conduct and character, and not engage in acts discreditable to the profession.

    Maintain the privacy and confidentiality of information obtained in the course of their duties unless disclosure is required by legal authority. Such information shall not be used for personal benefit or released to inappropriate parties.

    Maintain competency in their respective fields and agree to undertake only those activities, which they can reasonably expect to complete with professional competence.

    Inform appropriate parties of the results of work performed revealing all significant facts known to them.

    Support the professional education of stakeholders in enhancing their understanding of information systems security and control.

    IS Audit Standards

    Audit Charter

    Independence

    Professional Ethics and Standards

    Competence / Planning

    Performance of Audit Work

    Reporting /

    IS Audit Guidelines & Procedures

    Guidelines - Provide information on how to comply with IS Audit Standards

    Procedures - Provide examples of steps an IS auditor may follow to implement standards

    (Guidelines and Procedures available at www.isaca.org/standards)

    Elements of Risk in Information Security

    Threats to, and vulnerabilities of, processes and/or assets

    Impact on assets based on threats & vulnerabilities

    Probability of threats (Combination of likelihood and frequency of occurrence)

    Purposes of Risk Analysis

    Identify risks and threats that would need to be addressed by management.

    Assists IS auditors in their own risk assessment

    Assists auditor in determining audit objectives

    Supports risk-based audit decision

    (See Chapter for detailed information)

    Risk Mitigation

    After risks are determined, controls should be identified to mitigate risks

    Countermeasures should be assessed using cost-benefit analysis:

    - Cost of control compared to benefit of minimizing risk

    - Management's appetite for risk

    - Preferred risk reduction methods (terminate risk, reduce probability, minimize impact, insurance)

    Monitoring Risk Management

    Identify changes to environment that would require risk re-assessment, and related changes to control environment:

    - Risk assessment

    - Risk mitigation

    - Risk evaluation

    Internal Controls

    Policies, procedures, practices, and organizational structures put into place to reduce risks

    Provide reasonable assurance that business objectives are met, and undesired risks are prevented or detected and corrected

    Controls address what should be achieved, and what should be avoided

    Control Classifications (Class: Function)

    Preventative:

    - Detect problems before they arise

    - Monitor operation and inputs

    - Attempt to predict problems before they occur & make adjustments

    - Prevent an error, omission or malicious act

    Detective:

    - Detect occurrence of an error, omission, or malicious act

    Corrective:

    - Minimize impact of threat

    - Remedy problems from detective controls

    - Identify cause of problem / Correct errors arising from problem

    - Modify processes to minimize future occurrence

    IS Control Objectives

    Safeguarding assets

    Assuring integrity of general operating system environments, network management, and operations

    Assuring integrity of sensitive critical and sensitive application system environments

    Assuring efficiency and effectiveness of operations

    Complying with user requirements & organizational &

    Developing BCP and DRP

    Developing incident response and handling plans

    General Control Procedures

    Internal Accounting Controls -

    Performing an IS Audit

    Definition of auditing

    Systematic process by which a competent, independent person objectively obtains and evaluates evidence regarding assertions about an economic entity or event for the purpose of forming an opinion about and reporting on the degree to which the assertion conforms to an identified set of standards.

    Performing an IS Audit

    Classification of audits:

    Performing an IS Audit

    Audit methodology/strategy

    Statement of scope

    Statement of audit objectives

    Statement of work program

    Typical audit phases

    Performing an IS Audit

    Audit risk and materiality

    A risk-based audit approach is used to assess risk and assist with an IS auditor's decision to perform either compliance or substantive testing

    Performing an IS Audit

    Risk-based approach

    Emphasis on knowledge of the business and technology

    Performing an IS Audit

    Types of risk

    Inherent risk

    Control risk

    Detection risk

    Overall audit risk

    Performing an IS Audit

    Risk Assessment Techniques

    Enables management to effectively allocate limited audit resources

    Ensures that relevant information has been obtained

    Establishes a basis for effectively managing the audit department

    Provides a summary of how the individual audit subject is related to the overall organization and to business plans

    Performing an IS Audit

    Control objectives vs. audit objectives

    Relationship between substantive and compliance tests

    Correlation between the level of internal controls and substantive testing required

    Performing an IS Audit

    Evidence - It is a requirement that the auditor's conclusions must be based on sufficient, competent evidence.

    Independence of the provider of the evidence

    Qualification of the individual providing the information or evidence

    Objectivity of the evidence

    Timing of evidence

    Performing an IS Audit

    Techniques for gathering evidence:

    Review IS organization structures

    Review IS policies, procedures and standards

    Review IS documentation

    Interview appropriate personnel

    Observe processes and employee performance.

    Performing an IS Audit

    Sampling

    General approaches to audit sampling:

    - Statistical sampling

    - Non-statistical sampling

    Methods of sampling used by auditors:

    - Attribute sampling

    - Variable sampling

    Performing an IS Audit

    Sampling (Continued)

    Attribute sampling

    - Sample-size attribute sampling

    - Stop-or-go sampling

    - Discovery sampling

    Variable sampling

    - Stratified mean per unit

    - Unstratified mean per unit

    - Difference estimation

    Performing an IS Audit

    Statistical sampling terms:

    - Confidence coefficient

    - Level of risk

    - Precision

    - Expected error rate

    - Sample mean

    - Sample standard deviation

    - Tolerable error rate

    - Population standard deviation

    Key steps in choosing a sample

    Performing an IS Audit

    Computer-assisted audit techniques

    CAATs are a significant tool for IS auditors to gather information independently

    CAATs include:

    - Generalized audit software (ACL, IDEA, etc.)

    - Utility software

    - Test data

    - Application software for continuous online audits

    - Audit expert systems

    Performing an IS Audit

    Computer-assisted audit techniques

    Need for CAATs

    Evidence collection

    Performing an IS Audit

    Computer-assisted audit techniques

    Examples of CAATs used to collect evidence

    Continuous online audit approach

    Performing an IS Audit

    Computer-assisted audit techniques

    Development of CAATs

    Documentation retention

    Access to production data

    Data manipulation

    Performing an IS Audit

    Evaluation of strengths and weaknesses

    Assess evidence

    Evaluate overall control structure

    Evaluate control procedures

    Assess control strengths and weaknesses

    Judging Materiality of

    Performing an IS Audit

    Communicating audit results

    Audit report structure and contents

    Exit interview

    Presentation techniques

    Executive summary

    Visual presentation

    Oral presentation

    Performing an IS Audit

    Management actions to implement recommendations

    Auditing is an ongoing process

    Timing of follow-up

    Audit Documentation

    Performing an IS Audit

    Audit resource management

    IS auditors are a limited resource

    Appropriate skills and knowledge

    Constraints on the conduct of the audit

    Project management techniques

    Control Self-Assessment

    Methodology to review key business objectives, associated risks, and controls to manage those risks

    Performed by management and/or work teams

    IS auditors serve as control experts and facilitators

    Control Self-Assessment Tools

    Management meetings

    Client workshops

    Worksheets

    Rating Sheets

    Questionnaires

    CSA Project Approach

    CSA Project Approach

    Primary objective is leverage & enhance internal audit by shifting responsibility of monitoring controls to functional areas

    Must educate management control design and monitoring

    Should determine measure of success for each phase to determine value of CSA and its future use

    Traditional vs. CSA Approach

    Traditional Historical | CSA

    Assigns duties/supervises staff | Empowered/accountable employees

    Policy/rule driven | Continuous improvement/learning curve

    Limited employee participation | Extensive employee participation and training

    Narrow stakeholder focus | Broad stakeholder focus

    Auditors and other specialists | Staff at all levels, in all functions, are primary control analysts

    Reporters | Reporters

    IT Governance

    Corporate Governance - Ethical corporate behavior by directors or others charged with governance in the creation and presentation of wealth for all stakeholders

    IT Governance - Structure of relationships and processes to direct and control enterprise to achieve its goals by adding value while balancing risk vs. return over IT and its processes

    (See Chapter for detailed information)

    Chapter 1: Glossary

    Administrative controls

    Attribute sampling

    Audit risk

    Compliance testing

    CAATs

    Control risk

    Embedded audit modules

    Materiality

    Chapter 1: Recap

    Group discussion

    Questions

    Chapter 1: Questions

    2. The reason for having controls in an IS environment:

    A. remains unchanged from a manual environment, but the implemented control features may be different.

    B. changes from a manual environment, therefore the implemented control features may be different.

    C. changes from a manual environment, but the implemented control features will be the same.

    D. remains unchanged from a manual environment and the implemented control features will also be the same

    Chapter 1: Questions

    3. Which of the following types of risks assumes an absence of compensating controls in the area being reviewed?

    A. Control risk

    B. Detection risk

    C. Inherent risk

    D. Sampling risk

    Chapter 1: Questions

    4. An IS auditor is conducting substantive audit tests of a new accounts receivable module. The IS auditor has a tight schedule and limited computer expertise. Which would be the BEST audit technique to use in this situation?

    A. Test data

    B. Parallel simulation

    C. Integrated test facility

    D. Embedded audit module

    Chapter 1: Questions

    6. Which of the following BEST describes the early stages of an IS audit?

    A. Observing key organizational facilities.

    B. Assessing the IS environment.

    C. Understanding business process and environment applicable to the review.

    D. Reviewing prior IS audit reports.

    Chapter 1: Questions

    7. The document used by the top management of organizations to delegate authority to the IS audit function is the:

    A. long-term audit plan.

    B. audit charter.

    C. audit planning methodology.

    D. steering committee minutes

    Chapter 1: Questions

    9. While developing a risk-based audit program, which of the following would the IS auditor MOST likely focus on?

    A. Business processes

    B. Critical IT applications

    C. Corporate objectives

    D. Business strategies

    Chapter 1: Questions

    10. Which of the following is a substantive audit test?

    A. Verifying that a management check has been performed regularly

    B. Observing that user IDs and passwords are required to sign on the computer

    C. Reviewing reports listing short shipments of goods received

    D. Reviewing an aged trial balance of accounts receivable