Cisa PDF


Chapter 1

IS Audit Process
Chapter Overview
Develop and/or implement a risk-based IS audit strategy and objectives, in compliance with generally accepted
standards, to ensure that the organization's information technology and business processes are adequately
controlled, monitored, and assessed, and are aligned with the organization's business objectives.

Plan specific audits to ensure that the IS audit strategy and objectives are achieved.

Obtain sufficient, reliable, relevant, and useful evidence to achieve the audit objectives.

Auditing is defined as a systematic process by which a competent, independent person objectively obtains and evaluates
evidence regarding assertions about an economic entity or event, for the purpose of forming an opinion about and reporting
on the degree to which the assertion conforms to an identified set of standards.
IS auditing is the process of collecting and evaluating evidence to determine whether information systems and IT
environments adequately safeguard assets, maintain data and system integrity, provide relevant and reliable information,
achieve organizational goals effectively, consume resources efficiently, and have in effect internal controls that provide
reasonable assurance that operational and control objectives will be met.

Role of IS auditing
Perform separate IT audits

Perform integrated audits

Perform technical and IT operational audits etc.

The audit's primary role is to provide a statement of assurance as to whether adequate and reliable internal controls are in
place and are operating in an efficient and effective manner.
IS auditing involves:
Understanding of business roles in systems under development or purchase of software and project management;

Application of risk-oriented audit approaches;

Application of standards (national or international) to improve and implement quality systems in software
development;
Evaluation of System Development Life Cycle (SDLC) or new development techniques (e.g., prototyping, end-user
computing, rapid systems or application development);

Evaluation of technologies and communication protocols such as EDI, client server model, LAN and WAN, and
integrated voice/data/video systems;

Use of computer assisted audit tools and techniques.

Types of IS Audits
General Control Examination (Known in the past as facility audit)

Application Systems Audit

System Under Development Audit

Technical or Special Topic Audits etc.

Why IS Audit?
Greater reliance on Information Systems and Technology
Growing Concern for Data Security due to Proliferation of technology

Legal requirement

Complexity of Information Systems and Technology

Audit Process

Audit Mission

Audit Charter

Information Gathering

Risk Analysis

Audit Plan

Short term plan

Long term plan

Abide by IS audit standards, guidelines and procedures

IS Auditing standards:

Inform IS auditors of the minimum level of acceptable performance required to meet their professional
responsibilities.

Inform management and other related parties of the professional expectations concerning the work of
practitioners.

Guidelines provide guidance in applying IS Auditing standards.

Procedures provide examples of procedures an IS auditor might follow in an audit engagement.

Audit Phases

Gather information and Plan

Obtain Understanding of Internal Control

Perform Compliance Tests

Perform Substantive Tests

Conclude the Audit

Other Professional Bodies Standards

ISA 6 - Risk Assessments and Internal Controls

Addendum 1 to ISA 6 - EDP Characteristics and Considerations

Supplement 1 to ISA 6 - EDP Environments - Stand-Alone Computers

Supplement 2 to ISA 6 - EDP Environments - On-Line Computers

Supplement 3 to ISA 6 - EDP Environments - Database Systems

ISA 15 - Auditing in a Computer Information Systems Environment

ISA 16 - Computer-Assisted Audit Techniques

Audit Mission

Should be commensurate with the role of audit within the organization

Should be realistic and ambitious

Should be approved by Audit Committee and the highest level of management

Should be supported by appropriate strategic plans

Audit Charter / Engagement letter

Identifies responsibility, accountability and authority of audit

Should be approved by highest level of management

Should take into consideration current IT environment and challenges faced by the audit

Should comply with relevant laws and regulations

Information Gathering

Reviewing documentation regarding Information Systems

Meeting relevant management representatives

Reviewing reports, industry publications etc.

Reviewing documentation pertaining to current IT Projects

Observation

Risk Assessment

Risk is the potential that a given threat will exploit the vulnerabilities of an asset or a group of assets to cause loss or damage to the
assets.

Risk analysis is part of the audit planning and it helps identify risks and vulnerabilities so that the auditor can determine
the controls needed to mitigate those risks.

The IS auditor is often focused towards a particular class of risks associated with information and the underlying
information systems and processes.

Some of the risks associated with information technology are:

Improper use of technology

Repetition of errors

Cascading of errors
Illogical processing

Inability to control technology

Equipment failure

Incorrect data entry

Concentration of data

Elements of Risk

The threats to information system assets are:

Unauthorized access

Hardware failure

Utility failure

Natural disasters

Loss of key personnel

Human errors

Tampering

Disgruntled employees

Safety of personnel

Impact on assets based on threats and vulnerabilities

Physical destruction of assets

Loss of data

Theft of the information

Indirect theft of assets

Delay loss

Reduced productivity & income, extra expense, license penalties etc.

Delay damage/service outage

Fraud via IT

Altered or omitted data

Application or file tampering

Unauthorized disclosure of IT data

Accidental, intentional and malicious acts

Physical theft

Petty, insider, breaking & entering, armed robbery

Probabilities of threats (combination of the likelihood and frequency of occurrence). Each threat falls into one of four cells:

                        High frequency of occurrence      Low frequency of occurrence
  High loss per event   High loss, high frequency         High loss, low frequency
  Low loss per event    Low loss, high frequency          Low loss, low frequency

Controls

The policies, procedures, practices and organizational structures, designed to provide reasonable assurance that
business objectives will be achieved and that undesired events will be prevented or detected and corrected.

Internal control includes all measures and practices that are used to mitigate exposures to risks that could potentially
prevent an organization from achieving its objectives. Internal control is not solely a procedure or policy that is
performed at a certain point in time, but rather it is continually operating at all levels within an organization.

Main objectives of the internal control process

Safeguarding of assets (security objectives);

Efficiency and effectiveness of operations (operational objectives);

Reliability and completeness of accounting/financial and management information (information objectives); and,

Compliance with organizational policies and procedures as well as applicable laws and regulations (compliance
objectives).

Information Systems Control

Preventive (in order to avoid occurrence)

Detective (in order to detect or identify occurrences)

Corrective (in order to correct or restore controls)


Chapter 2 Management Planning and Organization of IS

Chapter Overview
Information Systems Strategy
Policies and Procedures
IS Management Practices
IS Organizational Structure and Responsibilities
Auditing the Management, Planning and Organization of IS

The objective of this content area is to ensure that the IS auditor understands and can evaluate the strategies,
policies, standards, procedures and related practices for the management, planning and organization of IS.

Chapter Summary: According to the Certification Board, this content area will represent approximately 11% of the
CISA examination (approximately 22 questions).
Overall business strategies and policies, identifying the areas concerning information
processing, and gaining an understanding of the business practices and functions.
Identifying significant functional areas, tasks and reporting responsibilities of IS
departments to gain an understanding of the organization's information processing
environment through review of relevant documentation, inquiry and observation
Evaluating management practices, procedures and organizational structure of IS
departments to assess their adequacy by determining whether they are efficient and
effective and include appropriate controls.
Testing the controls to determine compliance with appropriate standards by applying
suitable audit techniques.
Assessing the organizational control environment to determine that control objectives
were achieved by analyzing test results and other audit evidence.

Information Systems Strategy.


Strategic Planning
Long-range planning for the organization
Long-range planning for the IS department
Steering Committee(s)

The IS Department should have long-range (i.e., greater than one year, typically between 3 and 5 years) and
short-range (i.e., one year or one business cycle) plans. These plans should be consistent with the organization's
broader plans for attaining the organization's goals.
Typical objectives normally associated with strategic planning are:
Long-Range Planning for the Organization - should address issues pertinent to its contribution to the
organization's achievement of long-range goals.
Long-Range Planning for the Information Systems Department - should be consistent with--and integrated
into--senior management's long-range plans and recognize organizational goals, organization changes,
technological advances, and regulatory requirements.
Steering Committee

An organization's senior management should appoint a planning or steering committee to oversee
information systems department activities. Its duties and responsibilities should be defined in a formal charter.
Strategic Planning
Short-range planning for the organization and for the IS department
Review of planning for the organization
and for the IS department
Short-Range Planning for the Organization and for the Information Systems Department - should ensure
that appropriate Information Systems Department resources are allocated on a basis consistent with the
overall organization's short range plans.
Review of Planning for the Organization and for the Information Systems Department - Management
reports should be provided for senior management's review of the organization's progression toward
identified goals.

Planning/Steering Committee
Board representation
Steering committee
Board Representation
The board should have a member responsible for information technology who understands the
risks and issues.
Steering Committee
Provides an organization with direction in harmony with the corporate mission and objectives. The
committee consists of various managers who are representative of all the business areas in the
organization. Their goal is to review and act upon all requests for new system needs in accordance with the
corporate objectives. To this end it is the responsibility of the committee to ensure efficient use of data
processing resources, set the priorities, examine costs and provide support for various projects.
Policies and Procedures
Policies
Procedures
Human Resources Policies/Practices
Outsourcing Practices
Policies are high level documents. They represent the corporate philosophy of an organization. To be
effective, they must be clear and concise. Management must create a positive control environment by
assuming responsibility for formulating, developing, documenting, promulgating and controlling policies
covering general goals and directives.
Management should take the steps necessary to ensure that employees affected by a specific policy receive
a full explanation of the policy and that they understand its intent.
In addition to corporate policies that set the tone for the organization as a whole, individual divisions and
departments should define lower level policies. These would apply to the employees and operations of
these units and would focus at the operational level.
A top-down approach to the development of lower level policies in instances when they are derived from
corporate policies is desirable, as it ensures consistency across the organization.
Management should review all policies. Policies need to be updated to reflect significant changes within
the organization or department.

Written IS policies should originate at the corporate level to ensure uniformity.


Policies should be clear and concise to allow for easy compliance and
enforcement.

Human Resource Policies/Practices


Hiring practices
Employee handbook
Promotion policies
Training
Hiring Practices
Hiring practices are important to ensure that the most effective and efficient staff is chosen and that the
company is in compliance with legal recruitment requirements.
Employee Handbook
Distributed to all employees upon being hired, should explain items such as: security policies and
procedures, company expectations, employee benefits, etc.
Promotion Policies
Must be fair and understood by employees. Policies should be based on objective criteria and consider an
individual's performance, education, experience and level of responsibility.
Training
Training should be provided on a fair and regular basis to all employees. This is particularly important
when new hardware and/or software is being implemented. Training should include relevant management
training, project management training, and technical training.
Human Resource Policies/ Practices
Scheduling and time reporting
Employee performance evaluations
Required vacations
Termination policies
Scheduling and Time Reporting
Proper scheduling provides for a more efficient operation and use of computing resources. Time reporting
allows management to monitor the scheduling process.
Employee Performance Evaluations
Employee assessment must be a standard and regular feature for all IS staff. The HR department should
ensure that IS managers and employees set mutually agreed goals/expected results.
Required Vacations
Ensures that at least once a year someone else performs the function.
Termination Policies
Established to provide clearly defined steps for employee separation.
Outsourcing Practices
Reasons for embarking on outsourcing
Services provided by a third party
Possible advantages of outsourcing
Possible disadvantages of outsourcing
Business risks from outsourcing
Audit/security concerns of outsourcing

IS MANAGEMENT PRACTICES

Management Principles
IS Assessment Methods
Quality Management
IS Standards
CMM

Management Principles
People management
Management of change
Focus on good processes
Security
Handling third parties

People management
Personnel in a typical IS department are highly qualified, highly educated and usually do not feel
that their jobs are at risk. IT professionals are prepared to switch jobs frequently, and the normal perks of
money and a managerial job title are not an inducement. Therefore, employee training and development
and challenging assignments are very important.
Management of change
Not only is turnover of people more frequent, but the department is constantly in a state of flux
handling demands for new applications and new technologies. It is important for an IS department to stay
abreast of technology and proactively embrace change whenever necessary.
Focus on good processes
Because of the rate of change, it is important for IS departments to implement and enforce good
processes. There must be documented procedures for all aspects of the department whether it be
programming standards, testing or back ups of data.
Security
The concern for security is far more important and pervasive within IS than most other
departments. The Internet has intensified this concern. The IS department must be equally concerned about
business continuity and disaster recovery.
Handling third parties
IS departments have many vendors who must all work together to deliver the desired results.

IS Assessment Methods
IS budgets
Capacity and growth planning
User satisfaction
Industry standards/benchmarking
Financial management practices
Goal accomplishments
IS Budgets
Allow forecasting, monitoring and analyzing financial information. They allow for an adequate allocation
of funds, especially in an IS environment where expenses can be cost-intensive
Capacity and Growth Planning
Used to assess whether the operation is running as efficiently and effectively as possible. This activity must
be reflective of the long and short range business plans and must be considered within the budgeting
process.

Use simulation or modeling techniques to identify any shortfalls in capacity or bottlenecks that
may adversely affect service, and budget for augmented or replacement equipment.
Determining the unused capacity and saturation point of the present system.
Estimating the growth rate of the existing system.
Determining the system upgrade point by comparing the growth rate of the system with the system
saturation point.
User Satisfaction
It is one of the measures to ensure an effective information processing operation. Users and IT should agree
on a level of service, which should be periodically audited.
Industry Standards / Benchmarking
Provide a means of determining the level of performance provided by similar information processing
facility environments. These statistics can be obtained from vendor user groups, industry publications and
professional associations.
Financial Management Practices
Critical to have sound financial management practices in place.
Goal Accomplishment
Comparing performance with predefined goals.

QUALITY MANAGEMENT
ISO Standards
Capability Maturity Model (CMM)
Quality Management
Quality management is the means by which IS department-based processes are controlled, measured and improved.
Processes in this context are defined as a set of tasks that when properly performed produces the desired results.
Quality Management
Software development, maintenance and implementation
Acquisition of hardware and software
Day-to-day operations
Security
Human resource management
General administration
Standards to Assist the Organization
ISO standard interpretation
ISO 9000:2000
ISO 9126
Capability Maturity Model
ISO 9000
Provides guidelines on how to choose the appropriate Standards
ISO 9001
Provides guideline for companies in design, development, production, installation or servicing.
ISO 9002
Provides guidelines for companies in production, installation or servicing.
ISO 9003
For companies in final inspection and testing.
ISO 9004
A guideline to aid in interpretation of the standards
ISO 9126
Provides the definition of the characteristics and associated quality evaluation process used when specifying the quality requirements
of software products.
ISO 9000:2000

Quality Measures of ISO 9000


Leadership
Human Resource Development and Management
Management of Process Quality
Customer Focus and Satisfaction

Capability Maturity Model (CMM)

Maturity Levels
Process Capabilities
Key Process Areas
Goals
Common Features
Key Practices

IS ORGANIZATIONAL STRUCTURE AND RESPONSIBILITIES

Management Structures
Line management
Project management
IS Responsibilities and Duties
Operations
Data entry -- online and batch
Control group
Librarian
Operations
Includes all the staff required to run the computer efficiently and effectively. Can be sub-divided into three categories.
Physical Security
Data Security and Processing Controls.
Data Entry
Generally, in modern on-line environments, data entry is performed by personnel in the user departments.
On-Line Data Entry
An on-line system provides various screen edits to perform basic input verification of the data entered, e.g. range
checks, alpha-numeric checks, limit checks, and valid predefined value checks from an internal table. The department
manager or supervisor would be required to provide for an adequate separation of duties by being responsible for
overrides and resubmission of errors or rejected entries.
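The screen edits listed above, as an added example that is not part of the original notes: range, alphanumeric, limit and valid-predefined-value checks applied to one entry, with rejected entries accepted only through a supervisor override that is logged. The field names, the amount limit and the department table are assumptions constructed for this example.

```python
"""Added example (not from the CISA notes): on-line data-entry screen edits,
with overrides of rejected entries restricted to a supervisor who is not the
operator, and every override recorded for later review."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed reference data (assumptions): an internal table of valid
# department codes and a per-transaction ceiling for the amount field.
VALID_DEPTS = {"ACCT", "OPS", "SALES"}
AMOUNT_LIMIT = 10_000.00


def range_check(value, low, high):
    """Range check: value must lie within [low, high]."""
    return low <= value <= high


def alphanumeric_check(value):
    """Alphanumeric check: letters and digits only, and not empty."""
    return value.isalnum()


def limit_check(value, limit):
    """Limit check: value must not exceed a predefined ceiling."""
    return value <= limit


def valid_value_check(value, table):
    """Valid predefined value check against an internal table."""
    return value in table


def screen_edits(entry):
    """Run every edit on one entry; return the names of the fields that failed."""
    failures = []
    if not alphanumeric_check(entry.get("invoice_id", "")):
        failures.append("invoice_id")
    if not range_check(entry.get("quantity", -1), 1, 999):
        failures.append("quantity")
    if not limit_check(entry.get("amount", AMOUNT_LIMIT + 1), AMOUNT_LIMIT):
        failures.append("amount")
    if not valid_value_check(entry.get("dept"), VALID_DEPTS):
        failures.append("dept")
    return failures


@dataclass
class EntryQueue:
    """Accepted entries plus an override log the IS auditor can review."""
    accepted: list = field(default_factory=list)
    override_log: list = field(default_factory=list)

    def submit(self, entry, operator):
        """Normal submission: accepted only if every screen edit passes."""
        failures = screen_edits(entry)
        if failures:
            return False, failures
        self.accepted.append({**entry, "entered_by": operator})
        return True, []

    def override(self, entry, operator, supervisor, reason):
        """Accept a rejected entry on a supervisor's authority. The supervisor
        must differ from the operator (separation of duties); the decision,
        the failed edits and the reason are logged."""
        failures = screen_edits(entry)
        if not failures:
            return False  # nothing to override; use submit()
        if supervisor == operator:
            return False  # an operator may not approve their own override
        self.override_log.append({
            "when": datetime.now(timezone.utc).isoformat(),
            "entry": entry, "failed_edits": failures,
            "operator": operator, "supervisor": supervisor, "reason": reason,
        })
        self.accepted.append({**entry, "entered_by": operator,
                              "override_by": supervisor})
        return True
```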
Batch Data Entry
Data entry within the typical information systems department is often the responsibility of the Data Control
Department.
Control Group
The input/output control group should be in a separate area where only authorized personnel are
permitted entry. The supervisor of the Control Group usually reports to the IPF (information processing facility) Operations Manager.
Librarian
The librarian is required to record, issue and receive, and safeguard all program and data files that are maintained on
computer tapes and/or disks in an IPF.

IS Responsibilities and Duties


Security administration
Quality assurance
Database administration
Security Administration
Security administration must begin with management's commitment. Upper management should develop and enforce a
written policy that clearly states the standards and procedures to be followed.
Quality Assurance (QA)
The QA group usually performs testing and verification to ensure that programs, program changes, and documentation
adhere to standards and naming conventions prior to programs being moved into production.

Database Administration

The Database Administrator (DBA) is responsible for the actual design, definition, and proper maintenance of the
corporate databases. Since the DBA should have no application programming or end-user responsibilities, he/she
should be prohibited from accessing the production data within the databases that this person administers.

IS RESPONSIBILITIES AND DUTIES


Systems analysis
Application programming
Systems programming
Network management
Help desk administration

Systems Analysis
Systems analysts are specialists who design systems based on the needs of the user. This individual is
responsible for interpreting the needs of the user and determining the programs and the programmers necessary to
create the particular application.
Applications Programming
The applications programming area is made up of the applications programmers who are responsible for
developing new and maintaining systems in production. They should work in a test environment only and should
not move test versions into the production environment.
Systems Programming
Systems programmers are responsible for maintaining the systems software including the operating system.
This function may allow for unrestricted access to the entire system.
Network Management
This position is responsible for technical and administrative control over the local area network. Depending
upon the policy of the company, this position can report to the director of the IPF or may report to the end-user
manager.
Help Desk Administration
It is a unit within an organization that responds to technical questions from users. Most software companies
have help-desks. Questions and answers can be delivered by telephone, fax or e-mail. Help desk personnel may
use third party help desk software that enables them to quickly find answers to common questions.

SEPARATION OF DUTIES WITHIN IS


Transaction authorization
Reconciliation
Custody of assets
Access to data

Separation of Duties Control Matrix

Transaction Authorization
Transaction authorization is the responsibility of the user department. Authorization is delegated to the degree that it
relates to the particular level of responsibility of the authorized individual in the department. Periodic checks must be performed
by both management and audit to detect the unauthorized entry of transactions.
Reconciliation
Reconciliation is the ultimate responsibility of the user. In some organizations, limited reconciliation of applications
may be performed by the Data Control group with the use of control totals and balancing sheets. This type of independent
verification increases the level of confidence that the applications ran successfully and that the data is in proper balance.
Custody of Assets
Custody of corporate assets must be determined and assigned appropriately. The "data owner" has responsibility for
determining authorization levels required to provide adequate security, while the data security administration group is often
responsible for implementing and enforcing the security system.

Separation of Duties within IS


Authorization Forms
User Authorization Tables
Exception Reporting
Audit Trails
Transaction Logs
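An added example, not part of the original notes, that ties the four duties above (transaction authorization, reconciliation, custody of assets, access to data) to the user authorization tables and exception reporting listed as controls: it scans a user authorization table and reports every user holding a conflicting combination. The notes name a control matrix but do not reproduce it, so the conflicting pairs below are an assumption for this example, as is the sample table.

```python
"""Added example (not from the CISA notes): separation-of-duties exception
report built from a user authorization table. The conflicting duty pairs are
an assumption standing in for the control matrix the notes refer to."""

DUTIES = ("authorization", "reconciliation", "custody", "data_access")

# Assumed control matrix: pairs of duties one person should not hold at the
# same time. Authorizing a transaction is separated from custody of the asset
# and from the reconciliation that verifies it; whoever reconciles should not
# also be able to alter the underlying data.
CONFLICTING_PAIRS = {
    frozenset({"authorization", "custody"}),
    frozenset({"authorization", "reconciliation"}),
    frozenset({"custody", "reconciliation"}),
    frozenset({"reconciliation", "data_access"}),
}


def conflicts_for_user(duties):
    """Return the conflicting duty pairs held by one user, as sorted tuples.
    Duty names outside DUTIES are ignored rather than treated as conflicts."""
    held = {d for d in duties if d in DUTIES}
    found = [p for p in CONFLICTING_PAIRS if p <= held]
    return sorted(tuple(sorted(p)) for p in found)


def exception_report(auth_table):
    """Exception report from a user authorization table {user: set(duties)}:
    every user whose combination of duties conflicts, with the pairs involved."""
    report = {}
    for user, duties in auth_table.items():
        conflicts = conflicts_for_user(duties)
        if conflicts:
            report[user] = conflicts
    return report


# Constructed user authorization table (assumption).
SAMPLE_TABLE = {
    "alice": {"authorization"},                           # user department approver
    "bob": {"custody"},                                   # operations / librarian
    "carol": {"reconciliation"},                          # data control group
    "dave": {"authorization", "custody", "data_access"},  # conflicting assignment
}

if __name__ == "__main__":
    for user, pairs in exception_report(SAMPLE_TABLE).items():
        print(user, "holds conflicting duties:", pairs)
```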

AUDITING THE MANAGEMENT,


PLANNING AND ORGANIZATION OF IS

Reviewing Documentation
Interviewing and Observing Personnel in the Performance of Duties
Reviewing Contractual Commitments

Reviewing Documentation
Information technology strategies, security policy documentation, organization/functional charts
and steering committee reports, job descriptions, system development and program change procedures,
operations procedures, and human resource manuals provide valuable evidence to the IS auditor.
Interviewing and Observing Personnel in the Performance of Their Duties
The candidate should be able to evaluate the information obtained from an interview for the audit,
and should understand how observation can also be one of the most reliable ways to confirm the
identification of personnel duties.

The Review of Contractual Commitments

Represents one of the IS auditor's compliance reviews; it should help verify management participation in
the contracting process, ensuring a proper level of timely contract compliance.

Interviewing and Observing Personnel in the Performance of their Duties


Actual functions
Security awareness
Reporting relationships

Actual Functions
Observation is the best test to ensure that the individual who is assigned and authorized to perform
a particular function is the person who is actually doing the job.
Security Awareness
Security awareness should be observed to verify an individual's understanding and practice of
good preventive and detective security measures to safeguard the company's assets and data.
Reporting Relationships
Reporting relationships should be observed to ensure that assigned responsibilities and adequate
separation of duties are being practiced.
Reviewing Contractual Commitments
Development of contract requirements
Contract bidding process
Contract selection process
Contract acceptance
Contract maintenance
Contract compliance
