Module 2: Business Processes

IS AUDITOR
● Understand and be able to evaluate the business processes of the organization they are auditing.
● This includes a test and evaluation of the design and implementation of the operation of controls and the monitoring and testing of evidence to ensure that the internal controls within the business processes operate effectively.

AUDIT CHARTER
● An audit charter is an overarching document that covers the entire scope of audit activities in an entity.
● Engagement letter – more focused on a particular audit exercise that is sought to be initiated in an organization with a specific objective in mind.

ORGANIZATIONAL INDEPENDENCE
● Free from conflicts of interest and undue influence in all matters related to the audit and assurance engagement.
● Any impairment of independence (in fact or appearance) is identified and disclosed to the appropriate parties.

AUTHORITY
● Provides the right of access to records, the limitations and processes to be audited.

RESPONSIBILITY
● To add value to the enterprise, ensuring that organizational perspectives such as strategy, mission and regulatory/compliance expectations are integrated in its work, and to abide by professional expectations.
  ○ Auditors - watchdogs

INDEPENDENCE IN FACT
● The state of mind that permits the expression of a conclusion without being affected by influences that compromise professional judgment, allowing an individual to act with integrity, and exercise objectivity and professional skepticism.

● Privacy and confidentiality of information obtained during the course of the auditor's duties should be maintained.
● Information should not be used for personal benefit, nor should the information be disclosed unless required by legal authority.
● Buying and selling of goods online as well as customer support or relationships between businesses.
● Technology used can include the internet, multimedia, web browsers, proprietary networks, automated teller machines and home banking, and the traditional approach to electronic data interchange.

TYPES OF E-COMMERCE

BUSINESS TO CONSUMER (B to C)
● Business conducted between organizations

BUSINESS TO BUSINESS (B to B)
● Business conducted between organizations and its customers (personalization, membership, ordering, invoicing, shipping, inventory replacement, etc.)

CONSUMER TO BUSINESS (C to B)
● Business conducted between a consumer and a business. This is when customers sell their products or services to a business.

BUSINESS TO GOVERNMENT (B to G)
● Business conducted between an organization and a public administration where the governmental organization promotes awareness and growth of e-commerce.

CONSUMER TO CONSUMER (C to C)
● Business conducted between customers primarily using a third-party platform.

CONSUMER TO GOVERNMENT (C to G)
● Business conducted between a consumer and a public administration.

TYPICAL E-COMMERCE ARCHITECTURES

SINGLE-TIER ARCHITECTURE
● Client-based application running on a single computer.

● Presentation tier displays information that users can access directly, such as a web page or an operating system's graphical user interface.
● The application tier controls an application's functionality by performing detailed processing.
  ○ Data for analyzing website usage
● Data tier is usually comprised of the database servers, file shares, etc. and the data access layer that encapsulates the persistence mechanisms and exposes the data.

THINGS TO CONSIDER
● Databases play a key role in most e-commerce systems, maintaining data for website pages and analyzing web usage.
● To provide full functionality and achieve back-end efficiencies, an e-commerce system may involve connections to in-house legacy systems (accounting, inventory management or an enterprise resource planning system) or business partner systems.
● For security reasons, persistent customer data should not be stored on web servers that are exposed directly to the Internet.

E-COMMERCE RISKS

CONFIDENTIALITY
● Potential consumers are concerned about providing unknown vendors with personal (sometimes sensitive) information for a number of reasons, including the possible theft of credit card information from the vendor following a purchase.

INTEGRITY
● The Internet allows customers to do business on a 24/7 weekly basis. Hence, high availability is important, with any system's failure becoming immediately apparent to customers or business partners.
… provide real interaction to customers and customize responses to individual customers.

WHAT SHOULD IS AUDITOR REVIEW IN E-COMMERCE
● Features within the e-commerce architecture to keep all components from failing and allow them to repair themselves, if they should fail.
● Plans and procedures to continue e-commerce activities in the event of an extended outage of required resources for normal processing.
● Commonly understood practices and procedures to define management's intentions for the security of e-commerce.
● Shared responsibilities within an organization for e-commerce security.
● Communications from vendors to customers about the level of security in an e-commerce architecture.
● Regular programs of audit and assessment of the security of e-commerce environments and applications to provide assurance that controls are present and effective.

MODULE 2 - PART 3

ELECTRONIC DATA INTERCHANGE
● The electronic transmission of transactions (information) between two organizations.
● Promotes a more efficient paperless environment; can replace the use of standard documents, including invoices or purchase orders.

EDI SYSTEM REQUIRES

COMMUNICATION SOFTWARE
● Moves data from one point to another, flags the start and end of an EDI transmission, and determines how acknowledgments are transmitted and reconciled (a more in-depth discussion of communications software can be found in Domain 4 of the CISA Review Manual).
  ○ Moves data from one point to another.
  ○ Software that communicates between two systems.

TRANSLATION SOFTWARE
● Helps build a map and shows how the data fields from the application correspond to elements of an EDI standard. Later, it uses this map to convert data back and forth between the application and EDI formats.

EDI STANDARD
● Necessary in mapping the transaction, writing the partner's profile and telling the system where to send each transaction and how to handle errors and exceptions.
  ○ It is like a blueprint for the buyer and seller.

EDI SYSTEM SOFTWARE
● Includes transmission, translation and storage of transactions initiated by or destined for application processing.
  ○ Web-based EDI is more dominant.
● EDI is also an application system in that the functions it performs are based on business needs and activities. The applications, transactions and trading partners supported will change over time, and the intermixing of transactions, purchase orders, shipping notices, invoices and payments in the EDI process makes it necessary to include application processing procedures and controls in the EDI process.
● In reviewing EDI, an IS auditor should be aware of the two approaches related to EDI: the traditional proprietary version of EDI used by large companies and government parties, and the development of EDI through the publicly available commercial infrastructure offered through the Internet.
● The difference between the approaches relates to cost, where use of a public commercial infrastructure such as the Internet provides significantly reduced costs versus development of a customized proprietary approach. From a security standpoint, the risk associated with not having a completely trustworthy relationship arises in addressing Internet security and risk.

FUNCTIONS OF TRADITIONAL EDI

COMMUNICATION HANDLER
● Process for transmitting and receiving electronic documents between trading partners via dial-up lines, public-switched network, multiple dedicated lines or a value-added network (VAN).
● VAN receives all the outbound transactions from an organization, sorts them by destination and passes them to recipients when they log on to check their mailbox and receive transmissions.
  ○ Does not pass through the internet. The parties have their own line, facilitated by a value-added network.
● EFT is the electronic transfer of funds between a buyer, a seller and their respective financial institutions.
  ○ Anyone can be a party, even if not a buyer or seller (e.g., your parents giving you an allowance).
● EFT allows parties to move money from one account to another account, replacing traditional check writing and cash collection procedures.
  ○ Ex. InstaPay, PesoNet
● EFT transactions usually function via an internal bank transfer from one party's account to another or via a clearinghouse network.

WHAT SHOULD IS AUDITOR REVIEW IN EFT
● Physical security of unissued plastic cards
● The procedures used to generate PINs, and the procedures used to issue cards and PINs
● Conditions under which the consumer uses the access devices
● Contract with the switch and the third-party audit of the switch operations
● Interface between the EFT system and the application systems that process the accounts from which funds are transferred
● Availability of funds or adequacy of credit limits should be verified before funds are transferred
● Backup arrangements or other methods used to ensure continuity of operations
● Alternative audit trails available

SECURITY IN AN EFT ENVIRONMENT ENSURES THAT:
● All the equipment and communication linkages are tested to effectively and reliably transmit and receive data.
  ○ During SDLC → user acceptance testing
  ○ Some equipment may not work.
● Each party uses security procedures that are reasonably sufficient for effecting the authorized transmission of data and for protecting business records and data from improper access.
  ○ For the confidentiality of information
● There are guidelines set for the receipt of data and to ensure that the receipt date and time for data transmitted are the date and time the data have been received.
  ○ The time recorded when it was transmitted on one side should match the time recorded on the other side.
● On receipt of data, the receiving party will immediately transmit an acknowledgment or notification to communicate to the sender that a successful transmission occurred.
● Data encryption standards are set.
● Standards for unintelligible transmissions are set.
  ○ Unintelligible transmission - the data is wrong and could not be read.
● Regulatory requirements for enforceability of electronic data transmitted and received are explicitly stated.

AUTOMATED TELLER MACHINE (ATM)
● An ATM is a specialized form of the POS terminal that is designed for the unattended use by a customer of a financial institution.
● These machines customarily allow a range of banking and debit operations—especially financial deposits and cash withdrawals.

RECOMMENDED INTERNAL CONTROL GUIDELINES FOR ATM
● Written policies and procedures covering personnel, security controls, operations, disaster recovery, credit and check authorization, floor limits, override, settlement, and balancing.
● Reconciliation of all general ledger accounts related to retail EFTs and review of exception items and suspense accounts.
  ○ Since it is possible that a different ATM is used for the general ledger.
● Procedures for PIN issuance and protection during storage.
● Procedures for the security of PINs during delivery and the restriction of access to a customer's account after a small number of unsuccessful attempts.
● Systems designed, tested and controlled to preclude retrieval of stored PINs in any nonencrypted form. Application programs and other software containing formulas, algorithms and data used to calculate PINs must be subject to the highest level of access for security purposes.
  ○ Top secret: how to generate PINs
● Controls over plastic card procurement, which should be adequate and include a written agreement between the card manufacturer and the bank that details control procedures and methods of resolution to be followed if problems occur.
● Controls and audit trails of the transactions that have been made in the ATM. This should include internal registration in the ATM, either
in internal paper or digital media, depending on regulation or laws in each country and on the hosts that are involved in the transaction.

IS AUDITOR'S ROLE IN USE OF ATM
To perform an audit of ATMs, an IS auditor should undertake the following actions:
● Review controls (physical security) to prevent introduction of malware.
● Review measures to establish proper customer identification and maintenance of their confidentiality.
● Review file maintenance and retention system to trace transactions.
  ○ Retention system - policy of the organization regarding safekeeping of documents. Documents are destroyed promptly, depending on the law or policy.
● Review exception reports to provide an audit trail.
  ○ Exception reports - these are named differently at each bank.
  ○ Ex. suspicious activity or many unsuccessful attempts can appear on the report.
● Review daily reconciliation of ATM transactions including:
  ○ Review SoD in the opening of the ATM and recount of deposit.
    ■ There should be two people present.
  ○ Review the procedures made for the retained cards.
    ■ Custody of PINs and cards should be separate.
    ■ Unclaimed cards should be destroyed.
● Review encryption key change management procedures.
  ○ Review physical security measures to ensure security of the ATM and the money contained in the ATM.
    ■ Common: installation of CCTVs
  ○ Review the ATM card slot, keypad and enclosure to prevent skimming of card data and capture of PIN during entry.
    ■ ATM skimming - a device at the ATM's card slot reads the card, and a fake keypad is connected as well; once connected, your information can be captured.
    ■ As a precautionary measure, inspect the ATM you are using.

INTERACTIVE VOICE RESPONSE (IVR)
● Phone technology that allows a computer to detect voice and touch tones using a normal phone call.
  ○ Ex. "Press 1" and so on
● The caller uses the telephone keypad to select from preset menu choices provided by the IVR.
● The IVR system then responds with prerecorded or dynamically generated audio to further direct callers or route the caller to a customer service representative.

An IS auditor should ensure that there are controls over such systems in place to prevent unauthorized individuals from entering system-level commands that may permit them to change or rerecord menu options.

PURCHASE ACCOUNTING SYSTEM
Most purchase accounting systems perform three basic accounting functions:

ACCOUNTS PAYABLE PROCESSING
● Recording transactions in the accounts payable records
  - Sometimes businesses use A/P to maximize the use of funds.

GOODS RECEIVED PROCESSING
● Recording details of goods received but not yet invoiced

ORDER PROCESSING
● Recording goods ordered but not yet received
  - The reverse of goods received processing.

IMAGE PROCESSING
● Method of manipulating or altering an image to achieve a desired result, typically for improving its visual quality or extracting useful information from it. It involves a variety of techniques and algorithms to modify or analyze images, and it is a fundamental component of computer vision, artificial intelligence, and many other fields.
  ○ Example: filter

BENEFITS FROM USING IMAGING SYSTEM
Most businesses that perform image processing obtain benefits from using the imaging system.
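The EFT environment guidelines above (tested linkages, receipt date and time, immediate acknowledgment, standards for unintelligible transmissions) modelled as a two-party exchange with sender-side reconciliation. This is an added illustration, not code from the CISA notes; the shared key, the message layout, the 5-minute timeout and the sample transfers are constructed assumptions.

```python
import hmac
import hashlib
import json
from datetime import datetime, timedelta, timezone

KEY = b"constructed-key-agreed-between-the-two-parties"  # assumed shared secret

def _mac(body: bytes) -> str:
    # Integrity/authenticity tag; stands in for the agreed encryption standard
    # so that altered or garbled data is detected on receipt.
    return hmac.new(KEY, body, hashlib.sha256).hexdigest()

def build_transmission(seq: int, payload: dict, sent_at: datetime) -> dict:
    body = json.dumps({"seq": seq, "sent_at": sent_at.isoformat(),
                       "payload": payload}, sort_keys=True).encode()
    return {"body": body, "mac": _mac(body)}

def receive(msg: dict, received_at: datetime) -> dict:
    """Receiving party: validate, then immediately acknowledge or reject.
    The reply carries the receiver's own clock reading, which both parties
    treat as the authoritative receipt date and time."""
    stamp = received_at.isoformat()
    if not hmac.compare_digest(msg["mac"], _mac(msg["body"])):
        return {"ack": False, "reason": "unintelligible transmission",
                "received_at": stamp}
    return {"ack": True, "seq": json.loads(msg["body"])["seq"],
            "received_at": stamp}

class Sender:
    """Sending party: logs every transmission so it can be reconciled."""

    def __init__(self) -> None:
        self.log = {}  # seq -> {"sent_at", "status", "received_at"}

    def send(self, seq: int, payload: dict, now: datetime) -> dict:
        self.log[seq] = {"sent_at": now, "status": "sent", "received_at": None}
        return build_transmission(seq, payload, now)

    def record_ack(self, seq: int, ack: dict) -> None:
        entry = self.log[seq]
        entry["status"] = "acknowledged" if ack["ack"] else "rejected"
        entry["received_at"] = ack["received_at"]

    def reconcile(self, now: datetime,
                  timeout: timedelta = timedelta(minutes=5)) -> dict:
        # Rejected transmissions and those still unacknowledged after the
        # timeout are the items that need follow-up and an audit trail.
        retransmit = sorted(
            s for s, e in self.log.items()
            if e["status"] == "rejected"
            or (e["status"] == "sent" and now - e["sent_at"] > timeout))
        acknowledged = sorted(
            s for s, e in self.log.items() if e["status"] == "acknowledged")
        return {"acknowledged": acknowledged, "retransmit": retransmit}

def demo() -> dict:
    """Constructed exchange: one clean transfer, one altered in transit, one lost."""
    t0 = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
    sender = Sender()
    m1 = sender.send(1, {"from": "ACC-001", "to": "ACC-002", "amount": "150.00"}, t0)
    m2 = sender.send(2, {"from": "ACC-001", "to": "ACC-003", "amount": "75.00"}, t0)
    sender.send(3, {"from": "ACC-001", "to": "ACC-004", "amount": "20.00"}, t0)
    sender.record_ack(1, receive(m1, t0 + timedelta(seconds=2)))
    altered = {"body": m2["body"].replace(b"75.00", b"95.00"), "mac": m2["mac"]}
    sender.record_ack(2, receive(altered, t0 + timedelta(seconds=3)))
    return sender.reconcile(now=t0 + timedelta(minutes=10))  # seq 3 never answered
```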
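The ATM PIN guidelines above (no stored PIN recoverable in clear, PIN-calculation material under the tightest access, lockout after a small number of failed attempts, an audit trail and an exception report) as an added illustration, not code from the notes. The key, the limit of three attempts and the card data are constructed assumptions, and the verifier class stands in for a hardware security module.

```python
import hmac
import hashlib
from dataclasses import dataclass

MAX_FAILED_ATTEMPTS = 3  # assumed "small number of unsuccessful attempts"


@dataclass
class CardRecord:
    pan: str                 # card number (constructed sample values only)
    pvv: bytes               # PIN verification value: a keyed hash, never the PIN
    failed_attempts: int = 0
    locked: bool = False


class PinVerifier:
    """Keeps the PIN-derivation key and algorithm inside one component,
    standing in for a hardware security module: the application only asks
    "does this PIN verify?" and never sees the key. A 4-digit PIN space is
    tiny, so the secrecy of this key is what makes a copied card database
    useless; hence the tight access control over PIN-calculation material."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self.audit_trail = []  # internal registration of every attempt

    def _derive_pvv(self, pan: str, pin: str) -> bytes:
        # Bind the PIN to the card number so equal PINs on two cards differ.
        return hmac.new(self._key, f"{pan}:{pin}".encode(), hashlib.sha256).digest()

    def enroll(self, pan: str, pin: str) -> CardRecord:
        if not (pin.isdigit() and 4 <= len(pin) <= 12):
            raise ValueError("PIN must be 4 to 12 digits")
        return CardRecord(pan=pan, pvv=self._derive_pvv(pan, pin))

    def verify(self, card: CardRecord, pin: str) -> bool:
        if card.locked:
            self.audit_trail.append(f"{card.pan}: EXCEPTION attempt on locked card")
            return False
        # Constant-time comparison so response time does not leak a partial match.
        if hmac.compare_digest(card.pvv, self._derive_pvv(card.pan, pin)):
            card.failed_attempts = 0
            self.audit_trail.append(f"{card.pan}: PIN verified")
            return True
        card.failed_attempts += 1
        if card.failed_attempts >= MAX_FAILED_ATTEMPTS:
            card.locked = True  # access restricted until the bank resets it
            self.audit_trail.append(
                f"{card.pan}: EXCEPTION locked after {card.failed_attempts} failures")
        else:
            self.audit_trail.append(f"{card.pan}: PIN rejected ({card.failed_attempts})")
        return False

    def exception_report(self) -> list:
        """Entries an auditor would expect to find on the ATM exception report."""
        return [e for e in self.audit_trail if "EXCEPTION" in e]


def demo() -> dict:
    """Drive the model with constructed data and return what happened."""
    verifier = PinVerifier(key=b"constructed-demo-key-not-for-real-use")
    card = verifier.enroll("1234000000009999", "1234")  # constructed PAN and PIN
    wrong = [verifier.verify(card, p) for p in ("0000", "1111", "2222")]
    after_lock = verifier.verify(card, "1234")  # correct PIN, but card is locked
    return {"wrong_attempts": wrong, "locked": card.locked,
            "correct_pin_after_lock": after_lock,
            "exceptions": verifier.exception_report()}
```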
ICS RISK FACTORS
● Blocked or delayed flow of information through ICS networks, which could disrupt ICS operation.
● Unauthorized changes to instructions, commands or alarm thresholds, which could damage, disable or shut down equipment, create environmental impacts, and/or endanger human life.
  ○ It is important to take note that no matter how expensive the IT assets of an organization are, the safety of human life remains the top priority.
● Inaccurate information sent to system operators, either to disguise unauthorized changes or to cause the operators to initiate inappropriate actions, which could have various negative effects.
  ○ Thus it is imperative to verify the authorization and propriety of the transmitted information.
● ICS software or configuration settings modified, or ICS software infected with malware, which could have various negative effects. A compromised system would render it ineffective.
  ○ It is important to add layers of control, such as antivirus software, to prevent malware infection; on the other hand, any modification of the system should be scrutinized and tested prior to its release to live production.
● Interference with the operation of safety systems, which could endanger human life.
  ○ Hence, safety protocols should always be in place.

ICS CONTROLS
● Restricting logical access to the ICS network and network activity. This includes using a demilitarized zone (DMZ) network architecture with firewalls to prevent network traffic from passing directly between the corporate and ICS networks and having separate authentication mechanisms and credentials for users of the corporate and ICS networks.
  ○ This can be achieved by installing access control software.
● The ICS should also use a network topology that has multiple layers, with the most critical communications occurring in the most secure and reliable layer.
● Restricting physical access to the ICS network and devices. Unauthorized physical access to components could cause serious disruption of the ICS's functionality. A combination of physical access controls should be used, such as locks, card readers and/or guards.
● Protecting individual ICS components from exploitation. This includes deploying security patches in as expeditious a manner as possible, after testing them under field conditions; disabling all unused ports and services; restricting ICS user privileges to only those that are required for each person's role; tracking and monitoring audit trails; and using security controls such as antivirus software and file integrity checking software, where technically feasible, to prevent, deter, detect and mitigate malware.
● Maintaining functionality during adverse conditions. This involves designing the ICS so that each critical component has a redundant counterpart. Additionally, if a component fails, it should fail in a manner that does not generate unnecessary traffic on the ICS or other networks, or does not cause another problem elsewhere, such as a cascading event.
● Restoring the system after an incident. Incidents are inevitable, and an incident response plan is essential. A major characteristic of a good security program is how quickly a system can be recovered after an incident has occurred.

ARTIFICIAL INTELLIGENCE
● Knowledge is acquired and used.
● Goals are generated and achieved.
evidence is not obtained through additional test procedures.

FACTORS TO BE CONSIDERED
● Restrictions on outsourcing of audit/security services provided by laws and regulations
  ○ There are some jurisdictions that might not allow the outsourcing of the audit function. Hence the chief audit executive should be aware of the laws and regulations governing the organization.
● Audit charter or contractual stipulations
  ○ Outsourcing of services should be documented in the audit charter in order for the work of the expert to be considered in the audit objectives of the IS audit function.
● Impact on overall and specific IS audit objectives
  ○ Is the hiring of experts really necessary?
  ○ Is the function to be audited critical?
  ○ The IS audit function should conduct a cost-benefit analysis before engaging the work of other experts.
● Impact on IS audit risk and professional liability
  ○ It is important to understand that although a part or the whole of the audit work may be delegated to an external service provider, the related professional liability is not necessarily delegated. At the end of the day, the responsibility still rests with the IS audit function.
● Scope of work proposed to be outsourced and approach
  ○ This should be documented in the agreement between the IS audit function and third-party experts. We should clearly communicate the audit objectives, scope, and methodology through a formal engagement letter.
● Supervisory and audit management controls
  ○ A monitoring process for regular review of the work of the external service provider with regard to planning, supervision, review, and documentation should be established by the IS audit function.
● Method and modalities of communication of results of audit work
  ○ This should also be agreed upon with the experts.
● Compliance with legal and regulatory stipulations
  ○ If outsourcing is allowed under the jurisdiction where the organization is situated, the chief audit executive should be mindful of the prudential requirements to comply with the regulations.
● Compliance with applicable professional standards
  ○ Just like the IS auditors who are governed by ISACA, other professionals should adhere to their respective and globally accepted standards. We should also consider their compliance with the code of ethics of their profession.

OTHER REQUIREMENTS
● Testimonials/references and background checks.
  ○ Due diligence should be performed on the character and capability of the expert.
● Access to systems, premises and records.
  ○ Considering that the experts are outsiders to the organization, their access should be on a need-to-know basis, and their access to the records, whether physical or logical, should be revoked once their assignment is finished.
● Confidentiality restrictions to protect customer-related information.
  ○ Confidential information should not be compromised when securing the services of the expert.
● Use of computer-assisted auditing techniques and other tools to be used by the external audit service provider.
  ○ Only the tools and methodologies necessary for their objective should be granted to the expert. Likewise, this should be agreed upon and documented in the engagement letter or contract.
● Standards and methodologies for performance of work and documentation.
  ○ As much as possible, this should be aligned with the methodologies of the IS audit function.
● Nondisclosure agreements.
  ○ Third-party experts should be required to sign this contract since it provides legal indemnification in case information is disclosed by the experts without the consent or permission of the organization.