Cisa CH 1
2
Copyright 2013 ISACA. All rights reserved.
About Me.
Bharat Raigangar
Director Corporate Service Advisory Inc
Offices in United States of America, UAE & India
President of ISACA UAE Chapter 2010 & 2011
Board Member from 2004
Board Member of Association of Certified Fraud Examiners
Certifications: C-CISO, CRISC, CGEIT, CISM, CISA, CIA, CFE, CICA, CFAP, DBM, MBC
About My Organization
Corporate Governance
Information Governance & Control
Business Process Re-Engineering
Corporate Risk Management
Fraud Management
Records Management
Business Resilience
Health & Safety
Specialized Training
M&A Risk Advisory
General Advisory
Domains
The Process of Auditing Information Systems (14%)
Governance and Management of IT (14%)
Information Systems Acquisition, Development and Implementation (19%)
Information Systems Operations, Maintenance and Support (23%)
Protection of Information Assets (30%)
Course Agenda
Learning Objectives
Discuss Task and Knowledge Statements
Discuss specific topics within the chapter
Case studies
Sample questions
Exam Relevance
Ensure that the CISA candidate
Has the knowledge necessary to provide audit services in accordance with IT audit standards to assist the organization with protecting and controlling information systems.
The content area in this chapter will represent approximately 14% of the CISA examination (approximately 28 questions).
Learning Objectives
Ensure that the CISA candidate has the knowledge necessary to provide audit services in accordance with IT audit standards to assist the organization with protecting and controlling information systems.
Topics
Management of the IS Audit Function
ISACA IT Audit and Assurance Standards & Guidelines
Risk Analysis
Internal Controls
Performing an IS Audit
Control Self-Assessment (CSA)
Evolving IS Audit Process
Case Studies
Q&A
T1.1 Develop and implement a risk-based IT audit strategy in compliance with IT audit standards to ensure that key areas are included.
T1.2 Plan specific audits to determine whether information systems are protected, controlled and provide value to the organization.
T1.3 Conduct audits in accordance with IT audit standards to achieve planned audit objectives.
T1.5 Conduct follow-ups or prepare status reports to ensure appropriate actions have been taken by management in a timely manner.
Outlining the overall authority, scope and responsibilities of the audit function
Responsibilities
Correlation of the regulation to financial, operational and IS audit functions
Assess whether management and the IS function have considered the relevant external requirements
Review internal IS department documents that address adherence to applicable laws
Determine adherence to established procedures
The Association's Code of Professional Ethics provides guidance for the professional and personal conduct of members of ISACA and/or certification holders.
Guidelines www.isaca.org/guidelines
Tools and Techniques
S4 - Competence
S5 - Planning
S6 - Performance of Audit Work
S7 - Reporting
S8 - Follow-up Activities
S1 - Audit Charter
S2 - Independence
S4 - Competence
S5 - Planning
S7 - Reporting
Identify the organization, intended recipients and any restrictions
State the scope, objectives, coverage and nature of audit work performed
State the findings, conclusions, recommendations and limitations
Justify the results reported
Be signed, dated and distributed according to the audit charter
S8 - Follow-up Activities
Review previous conclusions and recommendations
Review previous relevant findings
Determine whether appropriate actions have been taken by management in a timely manner
Obtain written representations from management
Have knowledge of any allegations of irregularities or illegal acts
Communicate material irregularities or illegal acts
Consider appropriate action in case of inability to continue performing the audit
Document irregularity- or illegal act-related communications, planning, results, evaluations and conclusions
S10 - IT Governance
Review and assess the IS function's alignment with the organization's mission, vision, values, objectives and strategies
Review the IS function's statement about its performance and assess its achievement
Review and assess the effectiveness of IS resource and performance management processes
S10 - IT Governance
(continued)
Review and assess compliance with legal, environmental, information quality, fiduciary and security requirements
Use a risk-based approach to evaluate the IS function
Review and assess the organization's control environment
Review and assess the risks that may adversely affect the IS environment
S11 - Use of Risk Assessment in Audit Planning
Use a risk assessment technique in developing the overall IS audit plan
Identify and assess relevant risks in planning individual reviews
S12 - Audit Materiality
The IS auditor should consider audit materiality and its relationship to audit risk
The IS auditor should consider potential weakness or absence of controls when planning for an audit
The IS auditor should consider the cumulative effect of minor control deficiencies or weaknesses
The IS audit report should disclose ineffective controls or absence of controls
The IS auditor should consider using the work of other experts
The IS auditor should be satisfied with the qualifications, competencies, etc., of other experts
The IS auditor should assess, review and evaluate the work of other experts
The IS auditor should determine if the work of other experts is adequate and complete
The IS auditor should apply additional test procedures to gain sufficient and appropriate audit evidence
The IS auditor should provide an appropriate audit opinion
S15 - IT Controls
S16 - Ecommerce
The IS auditor should evaluate applicable controls and assess risk when reviewing e-commerce environments to ensure that e-commerce transactions are properly controlled.
G15 Audit Planning, effective 1 May 2010
G16 Effect of Third Parties on an Organization's IT Controls, effective 1 March 2009. See Outsourced IT Environments Audit/Assurance Program
G17 Effect of Non-audit Role on the IS Auditor's Independence, effective 1 May 2010
G22 Business-to-consumer (B2C) E-commerce Review, effective 1 December 2008. Withdrawn 14 Jan. 2013. See E-commerce and PKI Audit/Assurance Program
G23 System Development Life Cycle (SDLC) Review, effective 1 August 2003. Withdrawn 14 Jan. 2013. See Systems Development and Project Management Audit/Assurance Program
G24 Internet Banking, effective 1 August 2003. Withdrawn 14 Jan. 2013
G28 Computer Forensics, effective 1 September 2004. Withdrawn 14 Jan. 2013
G29 Postimplementation Review, effective 1 January 2005. Withdrawn 14 Jan. 2013. See Systems Development and Project Management Audit/Assurance Program
Privacy, effective 1 June 2005. Withdrawn 14 Jan. 2013. See PII Audit/Assurance Program
G34 Responsibility, Authority and Accountability, effective 1 March 2006
G35 Follow-up Activities, effective 1 March 2006
G36 Biometric Controls, effective 1 February 2007. Withdrawn 14 Jan. 2013. See Biometrics Audit/Assurance Program
G37 Configuration Management, effective 1 November 2007
G38 Access Control, effective 1 February 2008. Withdrawn 14 Jan. 2013. See Identity Management Audit/Assurance Program
IS auditors should apply their own professional judgment to the specific circumstances.
Standards Guidelines
The IS auditor can determine the controls needed to mitigate those risks
Preventive controls
Detective controls
Corrective controls
Administrative controls
(cont.)
Database integrity
1.5.2 COBIT 5
[Figure: Evolution of scope. COBIT1 (1996) - IT Audit; COBIT2 (1998) - Control; COBIT3 (2000) - Management; COBIT 4.0/4.1 (2005/7) - IT Governance; COBIT 5 (2012) - Governance of Enterprise IT. Also shown: Val IT 2.0 (2008) and Risk IT (2009).]
COBIT 5 Enabler Dimensions: All enablers have a set of common dimensions. This set of common dimensions:
Provides a common, simple and structured way to deal with enablers
Allows an entity to manage its complex interactions
Facilitates successful outcomes of the enablers
Source: COBIT 5, figure 13. 2012 ISACA. All rights reserved.
Source: COBIT 5, figure 15. 2012 ISACA. All rights reserved.
Administrative controls concerned with operational efficiency and adherence to management policies
Organizational logical security policies and procedures
Overall policies for the design and use of documents and records
Procedures and features to ensure authorized access to assets
1.5.4 IS Controls
Strategy and direction of the IT function
General organization and management of the IT function
Access to IT resources, including data and programs
Systems development methodologies and change control
Operations procedures
Systems programming and technical support functions
Definition of IS auditing
Any audit that encompasses review and evaluation (wholly or partly) of automated information processing systems, related nonautomated processes and the interfaces between them.
Compliance audits
Financial audits
Operational audits
Integrated audits
Administrative audits
IS audits
Specialized audits
Forensic audits
Walkthroughs
Reperformance of controls
Composed of:
Statement of scope
Set up and approved by the audit management
Communicated to all audit staff
Audit phases
Audit subject
Audit objective
Audit scope
Preaudit planning
Audit procedures and steps for data gathering
Procedures for evaluating the test or review results
Procedures for communication with management
Audit report preparation
Audit scope: identify the specific systems, function or unit of the organization to be included in the review. For example, in the previous program changes example, the scope statement might limit the review to a single application system or to a limited period of time.
Identify the technical skills and resources needed. Identify the sources of information for the test or review, such as functional flow charts, policies, standards, procedures and prior audit work papers. Identify the locations or facilities to be audited.
Audit activities
Audit tests Audit findings and incidents
Detection risk
Overall audit risk
requirements
Confidentiality
Integrity
Reliability
Availability
Compliance test: determines whether controls are in compliance with management policies and procedures
Substantive test: tests the integrity of actual processing
1.6.11 Evidence
It is a requirement that the auditor's conclusions be based on sufficient, competent evidence:
Independence of the provider of the evidence
Qualification of the individual providing the information or evidence
Objectivity of the evidence
Review IS organization structures
Review IS policies and procedures
Review IS standards
Review IS documentation
Interview appropriate personnel
1.6.12 Interviewing and Observing Personnel in Performance of Their Duties
Actual functions
Actual processes/procedures
Security awareness
Reporting relationships
Observation drawbacks
1.6.13 Sampling
General approaches to audit sampling:
Statistical sampling
Non-statistical sampling
Variable sampling
Stratified mean per unit
Unstratified mean per unit
Difference estimation
Utility software
Debugging and scanning software
Test data
Mathematical computations
Stratification
Statistical analysis
Sequence checking
File access
File reorganization
Data selection
Statistical functions
Arithmetical functions
Processing efficiencies
Confidentiality of data being processed
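As an added example (not code from the ISACA slides), the following Python script performs several of the generalized audit software functions listed above over a constructed CSV journal extract: file access, sequence checking, stratification, data selection and statistical/arithmetical functions. The extract, its column names (seq, user, amount) and the amount bands are assumptions made for the illustration; a gap and a duplicate are planted in the sequence numbers so the checks have something to report.

```python
import csv
import io
import statistics
from collections import Counter

# Constructed journal extract (an assumption for this example, not data from
# the slides): the flat-file shape generalized audit software imports.
# Sequence numbers 1004 and 1007 are missing and 1005 appears twice.
SAMPLE_CSV = """seq,user,amount
1001,alice,250.00
1002,bob,1200.00
1003,alice,75.50
1005,carol,9800.00
1005,carol,9800.00
1006,bob,430.00
1008,dave,15200.00
"""


def load_records(text):
    """File access: parse the CSV extract into typed records."""
    reader = csv.DictReader(io.StringIO(text))
    return [{"seq": int(row["seq"]), "user": row["user"],
             "amount": float(row["amount"])} for row in reader]


def sequence_check(records):
    """Sequence checking: sequence numbers missing from the observed range
    (possible deleted or unposted items) and numbers used more than once."""
    counts = Counter(r["seq"] for r in records)
    low, high = min(counts), max(counts)
    missing = [s for s in range(low, high + 1) if s not in counts]
    duplicates = sorted(s for s, c in counts.items() if c > 1)
    return {"missing": missing, "duplicates": duplicates}


def stratify(records, upper_bounds):
    """Stratification: count records and total value per amount band.
    Bands are [0, b1), [b1, b2), ..., [bn, inf) for upper_bounds [b1..bn]."""
    labels, prev = [], 0
    for b in upper_bounds:
        labels.append(f"{prev}-{b}")
        prev = b
    labels.append(f"{prev}+")
    bands = {label: {"count": 0, "total": 0.0} for label in labels}
    for r in records:
        idx = sum(1 for b in upper_bounds if r["amount"] >= b)
        bands[labels[idx]]["count"] += 1
        bands[labels[idx]]["total"] += r["amount"]
    return bands


def select_records(records, predicate):
    """Data selection: pull the records that satisfy an audit criterion."""
    return [r for r in records if predicate(r)]


def amount_statistics(records):
    """Statistical and arithmetical functions over the amount column."""
    amounts = [r["amount"] for r in records]
    return {"count": len(amounts), "total": sum(amounts),
            "mean": statistics.fmean(amounts),
            "median": statistics.median(amounts),
            "stdev": statistics.stdev(amounts)}


if __name__ == "__main__":
    recs = load_records(SAMPLE_CSV)
    print("sequence check:", sequence_check(recs))
    print("strata:", stratify(recs, [500, 5000]))
    large = select_records(recs, lambda r: r["amount"] >= 5000)
    print("items >= 5000:", [r["seq"] for r in large])
    print("statistics:", amount_statistics(recs))
```

Each function returns its result rather than only printing it, so the same checks can be run by a continuous-auditing job and its output compared against the auditor's own recomputation of totals.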
Assessment requires judgment of the potential effect of the finding if corrective action is not taken
Presentation techniques
Executive summary
Visual presentation
Assessment facilitators
CSA Approach
Empowered/accountable employees
Continuous improvement/learning curve
Extensive employee participation and training
Broad stakeholder focus
Process involves:
Drivers
Better monitoring of financial issues
Allows real-time transactions to benefit from real-time monitoring
Prevents financial fiascoes and audit scandals
Uses software to determine proper financial controls
Continuous monitoring
Provided by IS management tools
Based on automated procedures to meet fiduciary responsibilities
Continuous auditing
Audit-driven
Completed using automated audit procedures
Transaction logging
Query tools
Statistics and data analysis (CAAT)
Database management systems (DBMS)
Data warehouses, data marts and data mining
Intelligent agents
Embedded audit modules (EAM)
Neural network technology
Standards such as Extensible Business Reporting Language
Disadvantages
Difficulty in implementation
High cost
Elimination of auditors' personal judgment and evaluation
D.
Begin testing controls that the IS auditor feels are most critical.
Correct Ans: A
Correct Ans: B
Correct Ans: C
Correct Ans: A
Correct Ans: A
C.
D.
Correct Ans: D
Correct Ans: D
Practice Question
1-1 Which of the following establishes the overall authority to perform an IS audit?
A. The audit scope, with goals and objectives
B. A request from management to perform an audit
C. The approved audit charter
D. The approved audit schedule
Correct Ans: C
Practice Question
1-2 In performing a risk-based audit, which risk assessment is completed initially by the IS auditor?
A. Detection risk assessment
B. Control risk assessment
C. Inherent risk assessment
D. Fraud risk assessment
Practice Question
1-3 While developing a risk-based audit program, on which of the following would the IS auditor MOST likely focus?
A. Business processes
B. Critical IT applications
C. Operational controls
D. Business strategies
Practice Question
1-4 Which of the following types of audit risk assumes an absence of compensating controls in the area being reviewed?
A. Control risk
B. Detection risk
C. Inherent risk
D. Sampling risk
Practice Question
1-5 An IS auditor performing a review of an application's controls finds a weakness in system software that could materially impact the application. The IS auditor should:
A. disregard these control weaknesses, as a system software review is beyond the scope of this review.
B. conduct a detailed system software review and report the control weaknesses.
C. include in the report a statement that the audit was limited to a review of the application's controls.
D. review the system software controls as relevant and recommend a detailed system software review.
Practice Question
1-6 Which of the following is the MOST important reason why an audit planning process should be reviewed at periodic intervals?
A. To plan for deployment of available audit resources
B. To consider changes to the risk environment
C. To provide inputs for documentation of the audit charter
D. To identify the applicable IS audit standards
Practice Question
1-7 Which of the following is MOST effective for implementing a control self-assessment (CSA) within business units?
A. Informal peer reviews
B. Facilitated workshops
C. Process flow narratives
D. Data flow diagrams
Practice Question
1-8 The FIRST step in planning an audit is to:
A.
B. C.
D.
Practice Question
1-9 The approach an IS auditor should use to plan IS audit coverage should be based on:
A. risk.
B. materiality.
C. professional skepticism.
D. sufficiency of audit evidence.
Practice Question
1-10 A company performs a daily backup of critical data and software files and stores the backup tapes at an offsite location. The backup tapes are used to restore the files in case of a disruption. This is a:
A. preventive control.
B. management control.
C. corrective control.
D. detective control.
Practice 11
11. In a risk-based audit approach, the IS auditor must consider the inherent risk as well as considering:
A. how to eliminate the risk through the application of controls.
B. the balance of loss potential vs. the cost to implement controls.
C. whether the risk is material, regardless of management's tolerance for risk.
D. whether the residual risk is higher than the insurance coverage purchased.
Correct Ans: B
Determining the correct balance between the loss potential and the cost to implement controls is a very important part of an effective risk mitigation strategy. The best internal control is one where the benefit of implementing the control at least matches the cost. Eliminating risk is very difficult to achieve and often impossible to attain. Hence, the IS auditor should not recommend that risk be eliminated, since this is not likely to be cost-effective for the organization. Whether the risk is material is not the correct answer, since the risk tolerance of management determines what is material. Insurance coverage is not necessarily the only control to consider for mitigating residual
Practice 12
12. Which of the following sampling methods is MOST useful when testing for compliance?
A. Attribute sampling
B. Variable sampling
C. Stratified mean per unit
D. Difference estimation
Correct Ans: A
Attribute sampling is the primary sampling method used for compliance testing. Attribute sampling is a sampling model that is used to estimate the rate of occurrence of a specific quality (attribute) in a population and is used in compliance testing to confirm whether the quality exists. The other choices are used in substantive testing, which involves testing of details or quantity.
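The following Python script is an added example, not code from the ISACA slides. It illustrates both the attribute sampling used in compliance testing (this question) and the variable sampling methods listed under 1.6.13 (unstratified and stratified mean per unit, difference estimation). The population of change tickets, the "approved" attribute, the sample sizes and the 5% tolerable deviation rate are constructed assumptions; the upper bound on the deviation rate is computed with the exact binomial (Clopper-Pearson) method, which is one common choice and not something the slides specify.

```python
import math
import random


def binomial_cdf(k, n, p):
    """P(X <= k) for X ~ Binomial(n, p), summed exactly with math.comb."""
    return sum(math.comb(n, i) * p ** i * (1 - p) ** (n - i) for i in range(k + 1))


def attribute_upper_bound(deviations, sample_size, confidence=0.95):
    """Exact one-sided (Clopper-Pearson) upper bound on the population
    deviation rate: the largest rate p at which seeing `deviations` or fewer
    failures in `sample_size` items still has probability >= 1 - confidence.
    Found by bisection, because the binomial CDF falls monotonically in p."""
    if deviations >= sample_size:
        return 1.0
    alpha = 1.0 - confidence
    lo, hi = 0.0, 1.0
    for _ in range(60):  # 60 halvings: precision far below what an auditor reports
        mid = (lo + hi) / 2
        if binomial_cdf(deviations, sample_size, mid) >= alpha:
            lo = mid
        else:
            hi = mid
    return lo


def attribute_test(sample, control_met, tolerable_rate, confidence=0.95):
    """Attribute sampling (compliance testing): estimate how often the control
    attribute is absent and decide whether the control can be relied upon.
    The control is accepted only if the upper bound is within the tolerable rate."""
    n = len(sample)
    deviations = sum(1 for item in sample if not control_met(item))
    upper = attribute_upper_bound(deviations, n, confidence)
    return {"sample_size": n, "deviations": deviations,
            "observed_rate": deviations / n, "upper_bound": upper,
            "rely_on_control": upper <= tolerable_rate}


def mean_per_unit_estimate(sample, population_size):
    """Unstratified mean per unit (variable sampling): project the average
    audited value of the sample onto the whole population."""
    return population_size * sum(i["audited"] for i in sample) / len(sample)


def stratified_mean_per_unit(strata):
    """Stratified mean per unit: `strata` is a list of
    (stratum population size, audited values sampled from that stratum)."""
    return sum(size * sum(values) / len(values) for size, values in strata)


def difference_estimate(sample, population_size, book_total):
    """Difference estimation (variable sampling): project the average
    audited-minus-book difference onto the population and adjust the book total."""
    diffs = [i["audited"] - i["book"] for i in sample]
    return book_total + population_size * sum(diffs) / len(diffs)


def build_population(size=200, seed=7):
    """Constructed population (assumption for this example): change tickets with
    a book value, an audited value and whether the required approval is on file."""
    rng = random.Random(seed)
    population = []
    for ticket in range(1, size + 1):
        book = rng.randint(1, 40)
        audited = max(0, book + rng.choice([-2, -1, 0, 0, 0, 0, 1, 3]))
        population.append({"id": ticket, "book": book, "audited": audited,
                           "approved": rng.random() > 0.04})
    return population


if __name__ == "__main__":
    population = build_population()
    sample = random.Random(11).sample(population, 60)
    print("compliance:", attribute_test(sample, lambda t: t["approved"], tolerable_rate=0.05))
    book_total = sum(t["book"] for t in population)
    print("MPU estimate of audited total:", round(mean_per_unit_estimate(sample, len(population)), 1))
    print("difference estimate:", round(difference_estimate(sample, len(population), book_total), 1))
    print("actual audited total:", sum(t["audited"] for t in population))
```

With zero deviations in 60 items the 95% upper bound is about 4.9%, which is why 60 is a common sample size against a 5% tolerable rate; with 3 deviations in the same sample the observed rate is already 5% and the upper bound is well above it, so the control cannot be relied on.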
Practice 13
13. Which of the following is the MOST critical step to perform when planning an IS audit?
A. Review findings from prior audits.
B. Develop plans to conduct a physical security review of the data center facility.
C. Review IS security policies and procedures.
D. Perform a risk assessment.
Correct Ans: D
Of all the steps listed, performing a risk assessment is the most critical. Risk assessment is required by ISACA IT Audit and Assurance Standard S11 (Use of Risk Assessment in Audit Planning). In addition to the standard's requirement, if a risk assessment is not performed, then high-risk areas of the auditee's systems or operations may not be identified for evaluation. Detection risk (the risk that a material error is not detected by the IS auditor) is increased for the IS auditor if a risk assessment is not conducted. The review of findings from prior audits is a necessary part of the engagement, but this step is not as critical as conducting a risk assessment. A physical security review of the data center facility is important, but not as critical as performing a risk assessment. Reviewing IS security policies and procedures would normally be conducted during fieldwork, not planning.
Practice 14
14. While planning an audit, an assessment of risk should be made to provide:
A. reasonable assurance that the audit will cover material items.
B. definite assurance that material items will be covered during the audit work.
C. reasonable assurance that all items will be covered by the audit.
D. sufficient assurance that all items will be covered during the audit work.
Correct Ans: A
The ISACA IS Auditing Guideline G15 on planning the IS audit states, "An assessment of risk should be made to provide reasonable assurance that material items will be adequately covered during the audit work. This assessment should identify areas with a relatively high risk of the existence of material problems." Definite assurance that material items will be covered during the audit work is an impractical proposition. Reasonable assurance that all items will be covered during the audit work is not the correct answer, as material items need to be covered, not all items.
Practice 15
15. After reviewing the disaster recovery plan (DRP) of an organization, an IS auditor requests a meeting with company management to discuss the findings. Which of the following BEST describes the main goal of this meeting?
A. Obtaining management approval of the corrective actions
B. Confirming factual accuracy of the findings
C. Assisting management in the implementation of corrective actions
D. Clarifying the scope and limitations of the audit
Correct Ans: B
The goal of the meeting is to confirm the factual accuracy of the audit findings and present an opportunity for management to agree on corrective action. Management approval of the corrective actions is not required, since this is not the role of the auditor. Implementation of corrective actions should be done after the factual accuracy of findings has been established, but the work of implementing corrective action is not typically assigned to the IS auditor, since this would impair the auditor's independence. Clarifying the scope and limitations of the audit should be done during the entrance meeting, not during the exit meeting.
Conclusion