Cisa 01


CISA Examination Preparation Course

Section 1: The Audit Process


Auditing and Auditing Standards

Risk and Auditing

Changes in the Audit Process

2009 Security Wits Technologies. All rights reserved. © 2013 Global Knowledge Training LLC. All rights reserved.
Section Objectives 1-2
After completing this section, you will be able to:
Define basic auditing and auditing standards
Describe risk and the auditing process
Explain how technology is causing changes in the audit process
Introduction 1-3
Audit: examining the controls that protect information systems to determine their strength
The auditor must not overlook any unusual or suspicious items
A CISA candidate should know:
Audit strategies and methodologies
Plans for audits to ensure an organization's assets are secure
ISACA procedures to perform audits
Approved auditing practices
The ISACA code of ethics
Control self-assessment techniques and methods for continuous audit
Methods for reporting and communicating with management and co-workers

Issues and Challenges of the IS Auditor 1-4
All organizations must work within a framework of laws and regulations
These rules may dictate how data is:
Processed
Handled
Stored
Destroyed
Businesses process more and more electronic information
If companies do not practice due care and due diligence, the consequences may include legal fines, loss of public confidence, or even jail time
Companies can be held liable if personal data is disclosed to an unauthorized person
Regulatory Standards 1-5
Auditor should be aware of:
HIPAA (Health Insurance Portability and Accountability Act): U.S. standards on the management of healthcare data
Sarbanes-Oxley Act (SOX): U.S. financial and accounting disclosure and accountability requirements
Basel II Accord: international (Basel Committee) banking requirements for capital adequacy and risk management
FISMA (Federal Information Security Management Act): security standards for U.S. government systems
COSO (Committee of Sponsoring Organizations of the Treadway Commission): an internal control framework
SCADA (Supervisory Control and Data Acquisition): not a regulation itself but a class of industrial control system that is subject to sector-specific security requirements the auditor may have to test against
FACTA (U.S. Fair and Accurate Credit Transactions Act of 2003): provisions to reduce fraud and identity theft

Verifying Compliance to External Regulations 1-6
1. Identify the external requirements with which the company is responsible for complying
2. Review the specific laws and regulations with which the organization must be compliant
3. Determine if the organization considered these laws and regulations when policies and procedures were developed
4. Determine if the identified policies and procedures adhere to the external laws and requirements
5. Verify that employees are adhering to the specified policies and procedures, or identify where discrepancies exist

Audit Planning 1-7
The IS audit function should be established through an audit charter defining the responsibilities that senior management is delegating to it
Subsequent changes to the charter should only be made with the approval of senior management and the audit committee
Audit committee:
A committee of the board to which the IS audit function reports; this keeps the audit function answerable only to senior management and the board of directors, not to the managers it audits, which preserves its independence
Findings should be reported directly to senior management and the board of directors

Audit Planning Process/Phases 1-8
1. Learn the business
Review the mission statement and understand its purpose and goals
2. Review documentation
Evaluate existing policies, procedures, and guidelines
3. Identify threats, risks, and concerns
4. Carry out a risk analysis
5. Identify internal controls
6. Define audit objectives and scope of audit
7. Identify resources needed and assign personnel

Standards and Guidelines for ISACA IS Auditors 1-9
An auditor must understand auditing rules and guidelines.
Reviewing the ISACA Auditing Standards is one way to learn more about these rules.
For example, an auditor must know when to perform a compliance test or a substantive test and the difference between the two:
Compliance tests verify that a control conforms to its design and is actually being applied.
Substantive tests verify the integrity of a claim (the actual data, balances or transactions).

ISACA Standards 1-10
Standards: agreed principles of protocol that IS auditors are required to follow
ISACA standards are designed and developed by the ISACA standards board.
The standards board meets twice a year to develop ISACA standards to help advance the IS auditing profession.
ISACA Standards (cont.) 1-11
Title: Description
Standards: These documents specify requirements that are considered mandatory.
Guidelines: These documents provide guidance on applying the standards and require professional judgment.
Procedures: These documents provide examples of activities and procedures an auditor can use to comply with the standards.

Categories of Standards 1-12
There are fourteen (14) categories of standards:
S1 Audit charter
S2 Independence
S3 Professional ethics and standards
S4 Competence
S5 Planning
S6 Performance of audit work
S7 Reporting
S8 Follow-up activities
S9 Irregularities and illegal acts
S10 IT governance
S11 Use of risk assessment in audit planning
S12 Audit materiality
S13 Using the work of other experts
S14 Audit evidence
ISACA Code of Ethics (1) 1-13
Members and certification holders shall:
1. Support the implementation of, and encourage compliance with, appropriate standards, procedures and controls for information systems.
2. Perform their duties with due diligence and professional
care, in accordance with professional standards and
best practices.
3. Serve in the interest of stakeholders in a lawful and
honest manner, while maintaining high standards of
conduct and character, and not engage in acts
discreditable to the profession.

ISACA Code of Ethics (2) 1-14
4. Maintain the privacy and confidentiality of information
obtained in the course of their duties, unless disclosure
is required by legal authority.
Such information shall not be used for personal benefit
or released to inappropriate parties.
5. Maintain competency in their respective fields and agree to undertake only those activities which they can reasonably expect to complete with professional competence.
6. Inform appropriate parties of the results of work
performed, revealing all significant facts known to them.
7. Support the professional education of stakeholders in
enhancing their understanding of information systems
security and control.
ISACA Code of Ethics (3) 1-15
Failure to comply with this Code of Professional Ethics can result in an investigation into a member's or certification holder's conduct and, ultimately, in disciplinary measures.

Risk Analysis 1-16
Risk: the potential for harm; in practice, the likelihood that a threat exploits a vulnerability combined with the resulting impact
Vulnerability: a weakness in a system or process
Threat: the danger of attack; a potential cause of harm that could exploit a vulnerability

Categories of Risks 1-17
Common categories of risk include:
Audit risk: the risk that the auditor reaches an incorrect conclusion (a combination of inherent, control and detection risk); the level the auditor is willing to accept determines how much testing is performed
Control risk: the risk that a material error exists which the system of internal controls will not prevent or detect in a timely manner
Business risk: risk that will affect a business' functional goals
Continuity risk: risk that may leave a business unable to recover from a disaster
Detection risk: the risk that the auditor's own tests (for example, an improperly chosen test or sample) will not detect a material error that exists

Categories of Risks (cont.) 1-18
Common categories of risk include:
Material risk: an unacceptable risk, one the auditor considers significant
Inherent risk: the susceptibility of a process or system to material error in the absence of controls, i.e., before the effect of any controls is considered
Security risk: risk that unauthorized access will result in data exposure or loss of integrity

Risk Management (1) 1-19
Risk management follows a defined process.
The first step is to develop a risk management team which:
Needs support and funding from senior management
Should be led by someone with strong project management skills
Begins with the task of identifying assets
Companies have to identify assets before moving on to the next step of the risk management process: identifying the threats to those assets.
Once threats are identified, risk analysis can be performed.
Risk analysis may be quantitative (dollar figures) or qualitative (non-dollar values such as high, medium and low ratings).

Risk Management (2) 1-20
Rank threats to determine what requires immediate action.
Some threats may have a high impact but a very low likelihood.
Other threats may have a high likelihood but result in a very low impact.
The team should identify high-impact, high-likelihood concerns and focus on those items.
The same approach should be used during audits to ensure audit time is spent on the areas with the highest risk.

Risk Management (3) 1-21
Risk categories (2x2 matrix of impact against likelihood, labelled Low Risk/High Risk on the slide):
High impact, high likelihood: address first
High impact, low likelihood
Low impact, high likelihood
Low impact, low likelihood: lowest priority

Handling Risk (1) 1-22
Risks can be:
Avoided
Reduced
Accepted
Transferred

Handling Risk (2) 1-23

Avoid risk:
Seems like a simple alternative
Do not perform the activity that allows the risk to
be present
Many activities cannot be avoided
Even when risk can be avoided, there may be
an opportunity cost involved
Avoiding the risk eliminates the opportunity for
profit

Handling Risk (3) 1-24
Reduce risk:
One of the most common methods of dealing with risk
Examples of risk reduction:
Installation of a firewall
Implementation of a new internal accounting control

Handling Risk (4) 1-25
Accept risk:
The organization makes a conscious decision to accept the risk
The company retains the potential costs associated with the risk
For example, a business may be thinking about building an e-commerce web site
There will be added risk
There is also the potential for greater revenues

Handling Risk (5) 1-26

Transfer risk:
Place the risk in someone else’s hands
Best example of risk transference is
insurance
There are benefits to the approach, but
there are also some drawbacks
Insurance is an ongoing expense
It is time-consuming and costly to document
and settle relatively small losses
Even small payouts can have an adverse effect
on future insurance costs

Risk-Based Audits 1-27
Look at more than just a risk
Also examine the company's:
Practices
Tolerance for risk
Existing internal and operational controls
Can help pinpoint areas that are of high risk, to be targeted for audit
Risk-Based Audit Process 1-28
Gather information and plan:
Understand the business
Review audits from prior years
Evaluate financial data
Examine regulatory statutes
Review inherent risk assessments
Determine internal controls and review their functionality:
Control environment and control procedures

Risk-Based Audit Process (cont.) 1-29
Examine detection and control risk assessments
Determine total risks
Perform compliance tests:
Test controls and verify that they are being applied
Perform substantive testing:
Measure the strength of the process and verify account balances and transaction details
Conclude the audit:
Prepare the report

Risk and Auditing 1-30
The auditor must be concerned with a level of risk that is unacceptable
Sometimes referred to as a material risk
In auditing, the word material is associated with a level of risk that the auditor:
Is unwilling to accept
Considers significant
Risk and Auditing (cont.) 1-31
What is considered material:
May vary
Is based on a thorough examination
Even if a risk is judged not to be material, it must be considered as part of the larger picture.
A minor error may have little effect on the security of a system, yet when combined with other small errors it may create a significant and material error

Auditing and the Use of Internal Controls 1-32
Internal controls are used by management to:
Exercise authority
Effectively manage the organization
Controls typically start with high-level policy and are applied to all areas of the company.
CISAs use IS controls to verify that IS systems are maintained in a controlled state.
Auditing and the Use of Internal Controls (cont.) 1-33
IS controls should protect system:
Integrity
Reliability
Accuracy
Protection should be extended to the:
Network
Data
Operating systems
Applications
Inputs
Outputs
Control Categories 1-34
Class: Function: Examples
Preventive: prevents problems before they occur (attempts to prevent problems): access-control software that uses passwords, tokens, and/or biometrics; intrusion-prevention systems; user registration process
Detective: senses and detects problems as they occur (attempts to detect problems): hashing algorithms used as integrity checks; variance reports
Corrective: reduces the impact of a threat (attempts to minimize the impact of problems): backup procedures; backup power supplies

COBIT 1-35
Considered a system of best practices for IT governance and control
Created by ISACA (Information Systems Audit and Control Association), first released in 1996, with later editions developed together with the ITGI (IT Governance Institute)

Audit Process 1-36
Auditors:
Hold a position of fiduciary responsibility (special trust and confidence)
Are responsible for placing the interests of the company for which the audit is being performed above their own interests and concerns
This does not include lying or misrepresenting the truth to help the company

Audit Classification 1-37
While the CISA is primarily concerned with auditing information systems, there are other types of internal or external audits that can occur, including:
Administrative audits: focus on operational productivity
Financial audits: relate to the correctness of the organization's financial statements
Financial audits typically include substantive testing
Forensic audits: focus on recovery of information that may uncover fraud or crimes committed to alter the financial figures of an organization
Information recovered from a forensic audit is typically reviewed by law enforcement

Audit Classification (cont.) 1-38
Information system audits: performed to verify the protection mechanisms provided by information systems and related systems
Examine internal controls to ensure they operate efficiently and protect integrity and confidentiality
Operational audits: examine the internal control structure of a process or area
Examples: audits that examine application controls or logical security systems
Other audits: include those that examine compliance with Sarbanes-Oxley, HIPAA (Health Insurance Portability and Accountability Act), or ISO standards

Audit Programs 1-39
Audit programs:
Define the objectives, scope, and methodologies for a particular audit
Should be consistent with the objective of the particular project
The audit scope, objectives and procedures should be defined so as to develop and support reliable conclusions and opinions
Information systems can be audited from different perspectives:
Security
Quality
Fiduciary control
Service
Capacity
Audit Programs (cont.) 1-40
Procedures for testing and evaluation can include:
Auditing through observation
Reviewing documentation
Documenting systems and processes using flowcharting
Using audit software to examine log files and data records
Using specialized software packages to examine system parameter files

Audit Methodology (1) 1-41
A documented approach for performing an audit in a manner that is:
Consistent
Accountable
Repeatable
Designed to meet audit objectives by defining a statement of:
Work
Scope
Audit objectives

Audit Methodology (2) 1-42
To provide a highly repeatable process, the methodology should be:
Approved by management
Thoroughly documented
All audit employees need to be trained in and have knowledge of the methodology

Audit Methodology Steps (1) 1-43
1. Audit subject:
Identify which areas are to be audited
2. Audit objective:
Define why the audit is occurring
For example, the objective might be to ensure that access to private information, such as social security numbers, is controlled.
3. Audit scope:
Identify which specific functions or systems are to be examined
Audit Methodology Steps (2) 1-44
4. Pre-audit planning:
Identify:
What skills are needed for the audit
How many auditors are required
What other resources are needed
Policies and procedures
Plans of the audit
Controls to be verified and tested
5. Data gathering:
Identify:
Interviewees
Processes to be tested and verified
Documents needed (policies, procedures, and standards)
Develop procedures to test controls.
Audit Methodology Steps (3) 1-45
6. Evaluating test results:
Review and evaluate identified processes
7. Communicating with management:
Document preliminary results
Communicate results to management
8. Prepare audit report:
Identify follow-up items
Identify the procedures used to test and verify controls
Review and evaluate policies, procedures and standards

Automated Work Papers 1-46
Audit teams are moving to advanced methods for automating work papers
For example, CAATs (Computer-Assisted Audit Techniques) are software audit tools used for statistical sampling techniques and data analysis

Automated Work Papers & Controls 1-47
Electronic work paper controls should be applied at the level of their paper-based counterparts for:
Confidentiality
Integrity
Availability
Items to consider include:
Encryption
Backups
Automation
Audit trails
Access controls

Objectives of the Audit 1-48
The underlying purpose of any IS audit is to identify control objectives.
The challenge is to take basic control objectives and correlate them to corresponding specific information systems objectives.
While management may give the auditor a general control objective to review during the audit, the goal will always be to verify the confidentiality, integrity, and availability of information resources.

Compliance vs. Substantive Testing 1-49
Compliance testing verifies that controls in the environment are operating properly:
Controls work as designed
Controls comply with the organization's policies and procedures
Controls operate as perceived during the initial review
Compliance vs. Substantive Testing 1-50
Substantive testing:
Verifies the integrity of the actual process and its data
Verifies validity
Sometimes called transaction integrity testing
Examines the process for the potential of material errors
Substantive testing examines details; compliance testing tests controls. The two are linked: when compliance testing shows that controls are weak or not applied, the auditor must extend substantive testing to compensate.

Sampling 1-51
Two basic types of audit sampling, statistical and non-statistical:
Statistical sampling is based on probability
Every item of the population has a known chance of selection
A prominent feature of statistical sampling is the ability to measure sampling risk and use quantitative assessment
The auditor decides the sample size and confidence level
Non-statistical sampling uses auditor judgment to determine sample size and which items to select
Also known as judgmental sampling

Sampling (cont.) 1-52
Each sampling type has two subgroups of sampling techniques, attribute sampling and variable sampling:
Attribute sampling: used primarily for compliance testing
Records deviations by measuring the rate of occurrence of a certain attribute in the sample
Variable sampling: used primarily for substantive testing
Measures characteristics of the sample population:
Dollar amounts
Other units of measure
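The two sampling families above in working form, as an added example that is not part of the course material: statistical attribute sampling for a compliance test of a change-approval control, and mean-per-unit variable sampling for a substantive test of dollar amounts. The population of change tickets, the 95% confidence level, the 5% tolerable deviation rate and all amounts are constructed assumptions, not figures from the slides.

```python
"""Added example (not from the course slides): statistical attribute and
variable sampling over a constructed population of change tickets.

Assumptions (illustrative, not from the page): each record carries a dollar
'amount' and an 'approved' flag recording whether the change-approval control
was followed. All record values are constructed for this example.
"""
import math
import random


def build_population(size=400, seed=7):
    """Constructed population of change tickets; roughly 3% lack the required
    approval, so the compliance control has a real but small deviation rate."""
    rng = random.Random(seed)
    return [
        {"id": f"CHG-{i:04d}",
         "amount": round(rng.uniform(50, 5000), 2),
         "approved": rng.random() > 0.03}
        for i in range(size)
    ]


def attribute_sample_size(confidence, tolerable_rate):
    """Smallest n such that, if no deviations are observed in n items, the
    auditor can state with the given confidence that the true deviation rate
    does not exceed tolerable_rate (exact binomial, zero expected deviations)."""
    return math.ceil(math.log(1 - confidence) / math.log(1 - tolerable_rate))


def draw_sample(population, n, seed=1):
    """Simple random sample: every item has the same known chance (n/N) of
    selection, which is what makes the result statistically measurable and
    lets another auditor re-perform the draw from the same seed."""
    return random.Random(seed).sample(population, n)


def deviation_rate(sample, attribute="approved"):
    """Attribute sampling (compliance test): fraction of sampled items where
    the control attribute is absent."""
    deviations = sum(1 for rec in sample if not rec[attribute])
    return deviations / len(sample)


def evaluate_compliance(sample, tolerable_rate):
    """Under a zero-expected-deviation plan, any observed deviation means the
    control cannot be relied on at the planned tolerable rate; the auditor
    must expand the sample or fall back on more substantive testing."""
    rate = deviation_rate(sample)
    return {"observed_rate": rate, "reliable": rate == 0.0,
            "tolerable_rate": tolerable_rate}


def project_total(sample_amounts, population_size):
    """Variable sampling (substantive test), mean-per-unit estimation: project
    the sample mean across the whole population to estimate the total value."""
    return sum(sample_amounts) / len(sample_amounts) * population_size


def projected_misstatement(sample_amounts, recorded_total, population_size):
    """Difference between the projected total and the total the auditee
    recorded; a large gap points at a potential material error."""
    return project_total(sample_amounts, population_size) - recorded_total


if __name__ == "__main__":
    pop = build_population()
    n = attribute_sample_size(confidence=0.95, tolerable_rate=0.05)  # 59
    sample = draw_sample(pop, n)
    print("sample size:", n)
    print("compliance:", evaluate_compliance(sample, 0.05))
    recorded = sum(r["amount"] for r in pop)
    est = project_total([r["amount"] for r in sample], len(pop))
    print(f"recorded total {recorded:,.2f}  projected {est:,.2f}")
```

The sample-size formula is the exact binomial result for a plan that expects zero deviations; the seeded generator makes the draw reproducible, which is what allows a second auditor to re-perform the test on the same population. Because every item has the same known chance of selection, the observed deviation rate and the projected total are quantitatively defensible in a way a judgmental selection is not.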

Embedded Modules 1-53
Designed to be an integral part of an application
Designed to identify and report specific transactions or other information based on pre-determined criteria
Identify reportable items as they occur, as part of real-time processing
Parallel Simulation 1-54
Test technique in which the auditor independently re-implements the application's processing logic, runs it against the same production input, and compares the real results with those generated by the auditor's program; differences point to processing errors or undocumented logic
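Embedded audit modules and parallel simulation side by side, as an added example that is not from the slides or from any real audit tool: a constructed batch of payroll-style transactions is run through a production-style loop with an embedded module hooked in, and separately re-computed by the auditor's own implementation of the pay rule. The overtime rate, approval limit, transaction values and the planted production error are all assumptions made for the example.

```python
"""Added example (not from the course slides): two computer-assisted audit
techniques run over a constructed batch of payroll-style transactions.

  * Embedded audit module: a hook that screens each transaction against
    pre-determined criteria as it is processed and records reportable items.
  * Parallel simulation: the auditor's own, independent re-computation of the
    production calculation, compared against production output to find the
    transactions where the two disagree.

All transaction data, rates and thresholds are constructed for illustration
and are not taken from the page or from any real system.
"""
from dataclasses import dataclass

OVERTIME_RATE = 1.5      # assumed business rule: hours over 40 paid at 1.5x
APPROVAL_LIMIT = 3000.0  # assumed criterion: gross pay above this needs an approver


@dataclass
class Txn:
    emp: str
    hours: float
    rate: float
    approver: str       # empty string means no approver recorded
    gross_prod: float   # what the production program actually paid


def reportable(txn):
    """Embedded audit module criteria: return the reasons a transaction is
    reportable; an empty list means nothing to flag."""
    reasons = []
    if txn.hours > 80:
        reasons.append("hours exceed 80 in one period")
    if txn.gross_prod > APPROVAL_LIMIT and not txn.approver:
        reasons.append("gross above approval limit with no approver")
    if txn.approver == txn.emp:
        reasons.append("employee approved own transaction")
    return reasons


def auditor_gross(hours, rate):
    """Parallel simulation: the auditor's independent implementation of the
    pay calculation, written from the documented rule rather than copied from
    production code."""
    regular = min(hours, 40.0)
    overtime = max(hours - 40.0, 0.0)
    return round(regular * rate + overtime * rate * OVERTIME_RATE, 2)


def parallel_simulation(txns, tolerance=0.01):
    """Re-compute every transaction and return those where production output
    differs from the auditor's result by more than the tolerance."""
    exceptions = []
    for t in txns:
        expected = auditor_gross(t.hours, t.rate)
        if abs(expected - t.gross_prod) > tolerance:
            exceptions.append((t.emp, expected, t.gross_prod))
    return exceptions


def process_batch(txns):
    """Production-style batch loop with the embedded audit module hooked in:
    the module sees each transaction as it is processed (real time), which is
    the point of an embedded module versus after-the-fact review."""
    audit_log = []
    for t in txns:
        reasons = reportable(t)
        if reasons:
            audit_log.append((t.emp, reasons))
    return audit_log


# Constructed batch. E102 was paid straight time for overtime hours (a planted
# production bug); E104 is large and unapproved; E105 approved their own pay.
BATCH = [
    Txn("E101", 40, 30.0, "M1", 1200.00),
    Txn("E102", 50, 30.0, "M1", 1500.00),    # production ignored overtime
    Txn("E103", 20, 25.0, "M2", 500.00),
    Txn("E104", 45, 80.0, "", 3800.00),      # over limit, no approver
    Txn("E105", 38, 40.0, "E105", 1520.00),  # self-approved
]

if __name__ == "__main__":
    for item in process_batch(BATCH):
        print("embedded module flagged:", item)
    for emp, expected, actual in parallel_simulation(BATCH):
        print(f"parallel simulation exception: {emp} expected {expected} got {actual}")
```

Note that the two techniques catch different things: the embedded module flags transactions that violate the pre-set criteria (E104 and E105) but is blind to a calculation error, while parallel simulation catches the miscomputed overtime for E102 precisely because the auditor's logic was written independently of the production code.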

Integrated Test Facilities 1-55
Use data that represents fake entities:
Products
Items
Departments
ITF transactions are processed on actual production systems alongside live data, so they must be identifiable and removed from production results afterwards
Test data is similar to ITF except that it uses theoretical transactions to validate:
Program logic
Control mechanisms

Evidence 1-56
Any information obtained by the auditor that can be used to aid in rendering an opinion
Can be obtained from:
Interviews
Work papers
Direct observation
Internal documentation
Compliance testing
Substantive testing
Not all evidence is created equal

Evidence (cont.) 1-57
Evidence obtained by the auditor should:
Be sufficient
Be usable
Be reliable
Be relevant
Achieve the audit objectives effectively

Evidence Reliability 1-58
Item: Description
Is the provider of the evidence independent? Evidence from inside sources is not considered as reliable as evidence obtained from outside sources.
Is the evidence provider qualified? The person providing the evidence has to have their qualifications reviewed to validate their credibility.
How objective is the evidence? Some evidence requires considerable judgment; other evidence (such as dollar amounts) is easy to evaluate.
When is the evidence available? Backups, the write process, and updates can affect when and for how long evidence is available.

Observing and Interviewing Employees 1-59
Auditors should observe auditees in the performance of their duties to gather evidence and to understand how procedures, job roles, and documentation match actual duties.

Detection of Fraud 1-60
Common law defines four general elements that must be present for fraud to exist:
1. A material false statement
2. Knowledge that the statement was false
3. Reliance on the false statement
4. Resulting damages or losses

Detection of Fraud (cont.) 1-61
Fraud indicators:
No clear lines of authority
A lack of documents and records
Lack of independent checks and balances
No or poor separation of duties
Few internal controls

Audit Closing 1-62
The auditor is ready to compile information and form conclusions after:
Interviewing employees
Reviewing documentation
Performing testing
Making personal observations
Conclusions should be recorded in the audit opinion
Audit Closing (cont.) 1-63

The audit opinion should include:


Name of organization being audited
Title, date, and signature
Statement of audit objectives
Audit scope
Any limitations of scope
Audience
Standards used in the audit
A detail of the findings
Conclusions, reservations, and qualifications
Suggestions for corrective actions
Other significant events

Changes in the IS Audit Process 1-64
Changes occur in all industries and auditing is no different.
SOX is an example of a legal change that affects the audit process.
Under SOX, auditors can no longer use certain common audit strategies; for example, an external auditor is restricted from providing many non-audit services to a company it audits.
Not all changes are driven by laws and mandates; others occur because of:
Advances in the field of audit
Invention of new techniques

The Control Self-Assessment Process 1-65
CSA is an attempt to overcome the shortcomings of the traditional auditing approach.
CSA can best be defined as a methodology designed to assure stakeholders, customers, and employees that internal controls have been designed to minimize risks.
CSAs are used to verify the reliability of internal controls.

The Control Self-Assessment Process (cont.) 1-66
Unlike traditional auditing, management (the process owners) rather than the auditors is accountable for assessing these internal controls.
Management is directly involved in the design of the controls that protect critical assets. This:
Improves the overall level of security because stakeholders are directly responsible
Tends to motivate employees
Improves periodic audit ratings
CSAs also tend to raise the level of control:
Risk can be detected sooner, which reduces cost
The Control Self-Assessment Process 1-67
CSA versus traditional auditing:
CSA: empowers employees and gives them responsibility. Traditional: places responsibility on the auditing staff and management.
CSA: offers a method for continuous improvement. Traditional: is limited by policies and rules.
CSA: involves employees and raises their level of awareness. Traditional: offers little employee participation.
CSA: involves staff and employees and makes them the first line of control. Traditional: leaves control and monitoring in the hands of auditors and specialists.

Integrated Auditing 1-68
The idea is to combine audit disciplines to more efficiently assess internal controls
One key advantage is that it allows auditors to see the bigger picture
Integrated auditing combines the:
Operational audit function
Financial audit function
IS audit function

Integrated Auditing (cont.) 1-69
Integrated auditing requires that:
Key controls be identified
Key controls be reviewed and understood
Key controls be tested
Management controls be tested
Control risks, design problems, and weaknesses are delivered in a single report.

Continuous Auditing 1-70
Changes in technology mean:
Transactions are processed quickly and in near real time, especially when coupled with practices such as JIT (just-in-time) inventory
The need for instant information is much greater
Continuous auditing:
Can help meet the demand for instant information
Works well for automated processes that capture, manipulate, store, and disseminate data

Continuous Auditing (cont.) 1-71
Continuous assurance can be achieved by combining:
Continuous auditing
Continuous monitoring
Continuous auditing allows auditors to quickly provide written reports that provide assurance
Continuous monitoring is performed by management using automated tools, such as anti-virus
These monitoring tools are used by management to meet its fiduciary responsibilities
Continuous Auditing (cont.) 1-72
With time and effort a continuous auditing environment can be developed
Auditors should look to acquire the skills needed for this methodology to meet the demands of the changing audit environment

Summary 1-73
In this domain we:
Defined basic auditing and auditing standards
Described risk and the auditing process
Explained how technology is causing changes in the audit process
Q&A 1-74

QUESTIONS?
