Cisa 01
2009 Security Wits Technologies. All rights reserved.
© 2013 Global Knowledge Training LLC. All rights reserved.
Section Objectives 1-2
Issues and Challenges of the IS Auditor 1-4
All organizations must work within a framework of laws and regulations
These rules may dictate how data is:
Processed
Handled
Stored
Destroyed
Businesses increasingly process more and more electronic information
If corporations do not practice due care and due diligence, there may be legal fines, loss of public confidence, or even jail time
Companies can be held liable if personal data is disclosed to an unauthorized person
Regulatory Standards 1-5
Auditor should be aware of:
HIPAA (Health Insurance Portability and Accountability Act): U.S. standards on management of healthcare data
Sarbanes-Oxley Act: U.S. financial and accounting disclosure and accountability
Basel Accord Standard II: European banking requirements
FISMA (Federal Information Security Management Act): security standards for U.S. government systems
COSO (Committee of Sponsoring Organizations): an internal control framework
SCADA (Supervisory Control and Data Acquisition): to enhance security for automated control systems
FACTA (U.S. Fair and Accurate Credit Transactions Act of 2003): to reduce fraud and identity theft
Verifying Compliance to External Regulations 1-6
1. Identify the external requirements with which the company is responsible to comply
2. Review the specific laws and regulations with which the organization must be compliant
3. Determine if the organization considered these laws and regulations when policies and procedures were developed
4. Determine if the identified policies and procedures adhere to external laws and requirements
5. Verify that employees are adhering to the specified policies and procedures, or whether discrepancies exist
Audit Planning 1-7
Audit Planning Process / Phases 1-8
Standards and Guidelines for ISACA IS Auditors 1-9
An auditor must understand auditing rules and guidelines.
Reviewing the ISACA Auditing Standards is one way to learn more about these rules.
For example, an auditor must know when to perform a compliance test or a substantive test, and the differences between the two.
Compliance tests are used to verify conformity.
Substantive tests verify the integrity of a claim.
ISACA Standards 1-10
Categories of Standards 1-12
There are fourteen (14) categories of standards:
S1 Audit charter
S2 Independence
S3 Professional ethics and standards
S4 Competence
S5 Planning
S6 Performance of audit work
S7 Reporting
S8 Follow-up activities
S9 Irregularities and illegal acts
S10 IT governance
S11 Use of risk assessment in audit planning
S12 Audit materiality
S13 Using the work of other experts
S14 Audit evidence
ISACA Code of Ethics (1) 1-13
ISACA Code of Ethics (2) 1-14
4. Maintain the privacy and confidentiality of information obtained in the course of their duties, unless disclosure is required by legal authority. Such information shall not be used for personal benefit or released to inappropriate parties.
5. Maintain competency in their respective fields and agree to undertake only those activities which they can reasonably expect to complete with professional competence.
6. Inform appropriate parties of the results of work performed, revealing all significant facts known to them.
7. Support the professional education of stakeholders in enhancing their understanding of information systems security and control.
ISACA Code of Ethics (3) 1-15
Risk Analysis 1-16
Categories of Risks 1-17
Categories of Risks (cont.) 1-18
Risk Management (1) 1-19
Risk Management (2) 1-20
Risk Management (3) 1-21
Risk categories:
High Impact
Low Impact
Handling Risk (1) 1-22
Avoided
Reduced
Accepted
Transferred
Handling Risk (2) 1-23
Avoid risk:
Seems like a simple alternative
Do not perform the activity that allows the risk to be present
Many activities cannot be avoided
Even when risk can be avoided, there may be an opportunity cost involved
Avoiding the risk eliminates the opportunity for profit
Handling Risk (3) 1-24
Reduce risk:
One of the most common methods of dealing with risks
Examples of risk reduction:
Installation of a firewall
Implementation of a new internal accounting control
Handling Risk (4) 1-25
Accept risk:
The organization makes a conscious decision to accept the risk
The company retains the potential costs associated with the risk
For example, a business may be thinking about building an e-commerce web site
There will be an added risk
There is also the potential for greater revenues
Handling Risk (5) 1-26
Transfer risk:
Place the risk in someone else's hands
Best example of risk transference is insurance
There are benefits to the approach, but there are also some drawbacks:
Insurance is an ongoing expense
It is time-consuming and costly to document and settle relatively small losses
Even small payouts can have an adverse effect on future insurance costs
Risk-Based Audits 1-27
Risk-Based Audit Process (cont.) 1-29
Risk and Auditing 1-30
Auditing and the Use of Internal Controls 1-32
Internal controls are used by management to:
Exercise authority
Effectively manage the organization
Controls typically start with high-level policy and are applied to all areas of the company.
CISAs use IS controls to verify that IS systems are maintained in a controlled state.
Auditing and the Use of Internal Controls (cont.) 1-33
IS controls should protect system:
Integrity
Reliability
Accuracy
Protection should be extended to the:
Network
Data
Operating systems
Applications
Inputs
Outputs
Control Categories 1-34
COBIT 1-35
Audit Process 1-36
Auditors:
Have a position of fiduciary responsibility (special trust and confidence)
Are responsible for placing the interest of the company for which the audit is being performed above their own interests and concerns
This does not include lying or misrepresenting the truth to help the company
Audit Classification 1-37
Audit Classification (cont.) 1-38
Audit Programs 1-39
Audit programs:
Define the objectives, scope, and methodologies for a particular audit
Should comply with the objective of a particular project
Scope, audit objective, and procedures should be defined so as to develop and support reliable conclusions and opinions
Information systems can be audited in different ways:
Security
Quality
Fiduciary control
Service
Capacity
Audit Programs (cont.) 1-40
Audit Methodology (1) 1-41
Audit Methodology (2) 1-42
Approved by management
Thoroughly documented
Audit Methodology Steps (1) 1-43
1. Audit subject:
Identify which areas are to be audited
2. Audit objective:
Define why the audit is occurring
For example, the objective might be to ensure that access to private information, such as social security numbers, is controlled.
3. Audit scope:
Identify which specific functions or systems are to be examined
Audit Methodology Steps (2) 1-44
4. Pre-audit planning:
Identify:
What skills are needed for the audit
How many auditors are required
What other resources are needed
Policies and procedures
Plans of the audit
Controls to be verified and tested
5. Data gathering:
Identify:
Interviewees
Processes to be tested and verified
Documents needed (policies, procedures, and standards)
Develop procedures to test controls.
Audit Methodology Steps (3) 1-45
6. Evaluating test results:
Review and evaluate identified processes
Automated Work Papers 1-46
Automated Work Papers & Controls 1-47
Objectives of the Audit 1-48
Compliance vs. Substantive Testing 1-49
Sampling 1-51
Sampling (cont.) 1-52
Embedded Modules 1-53
Integrated Test Facilities 1-55
Evidence 1-56
Evidence (cont.) 1-57
Evidence should:
Be sufficient
Be usable
Be reliable
Be relevant
Achieve audit objectives effectively
Evidence Reliability 1-58
Observing and Interviewing Employees 1-59
Auditors should observe auditees in the performance of their duties to gather evidence and to understand how procedures, job roles, and documentation match actual duties.
Detection of Fraud 1-60
Detection of Fraud (cont.) 1-61
Fraud Indicators
Audit Closing 1-62
Interviewing employees
Reviewing documentation
Performing testing
Making personal observations
Changes in the IS Audit Process 1-64
The Control Self-Assessment Process 1-65
CSA is an attempt to overcome the shortcomings of the traditional auditing approach.
The Control Self-Assessment Process (cont.) 1-66
Unlike traditional auditing, management is accountable for these internal controls.
Integrated Auditing 1-68
Integrated Auditing (cont.) 1-69
Continuous Auditing 1-70
Continuous auditing:
Can help meet the demand for instant information
Works well for automated processes that capture, manipulate, store, and disseminate data
Continuous Auditing (cont.) 1-71
Summary 1-73
QUESTIONS?