CISA Lecture Domain 1 PDF

The document discusses the domains of knowledge needed to pass the CISA exam. It outlines five domains: 1) auditing information systems, 2) governance and management of IT, 3) information systems acquisition, development and implementation, 4) information systems operations, maintenance and support, and 5) protection of information assets. For each domain it provides the percentage of exam questions that will relate to that domain. It then focuses specifically on the first domain of auditing information systems, providing details on tasks, knowledge statements, standards, guidelines and procedures relevant to that domain.

INTRODUCTION

Md. Mushfiqur Rahman, CISA


ITIL-F, CEH, CHFI, ECSA/LPT, MCP, MCTS, MCITP, MCSA, MCSE, SCSA, CCNA, OCP 9i/10g/11g

6/23/2014 Md. Mushfiqur Rahman, CISA [email protected]


Domain Knowledge We Need to Know

Domain 1—The Process of Auditing Information Systems (14%)
Domain 2—Governance and Management of IT (14%)
Domain 3—Information Systems Acquisition, Development and Implementation (19%)
Domain 4—Information Systems Operations, Maintenance and Support (23%)
Domain 5—Protection of Information Assets (30%)

Domain - 1

The Process of Auditing Information Systems (14%)


Exam Relevance

Ensure that the CISA candidate…

• Provide audit services in accordance with IT audit standards to assist the organization in protecting and controlling information systems.
• The content area in this chapter will represent approximately 14% of the CISA examination (approximately 28 questions).


Task & Knowledge Statements

Task and knowledge statements represent the basis from which exam items are written.

• Tasks: Tasks are the learning objectives that IS auditors/CISA candidates are expected to know to perform their job duties. There are 5 task statements.
• Knowledge statements: In order to perform all of the tasks, the IS auditor/CISA candidate should have a firm grasp of all the knowledge statements contained within the CISA Review Manual – Chapter 1. There are 10 knowledge statements.


Tasks/Objectives
Audit Process Area, Tasks

5 Task Statements:
• 1.1 Develop and implement a risk-based IT audit strategy in compliance with IT audit standards to ensure that key areas are included.
• 1.2 Plan specific audits to determine whether information systems are protected, controlled and provide value to the organization.
• 1.3 Conduct audits in accordance with IS audit standards, guidelines and best practices to meet planned audit objectives.
• 1.4 Communicate emerging issues, potential risks, and audit results to key stakeholders.
• 1.5 Advise on the implementation of risk management and control practices within the organization, while maintaining independence.


Knowledge Statements
Process Area Knowledge Statements

Ten Knowledge Statements:

1.1 Knowledge of ISACA IT Audit and Assurance Standards, Guidelines and Tools and Techniques, Code of Professional Ethics and other applicable standards
1.2 Knowledge of risk assessment concepts, tools and techniques in an audit context
1.3 Knowledge of control objectives and controls related to information systems
1.4 Knowledge of audit planning and audit project management techniques, including follow-up
1.5 Knowledge of fundamental business processes (e.g. purchasing, payroll, accounts payable, accounts receivable) including relevant IT


Process Area Knowledge Statements
Ten Knowledge Statements (contd.):

1.6 Knowledge of applicable laws and regulations which affect the scope, evidence collection and preservation, and frequency of audits
1.7 Knowledge of evidence collection techniques (e.g., observation, inquiry, inspection, interview, data analysis) used to gather, protect and preserve audit evidence
1.8 Knowledge of different sampling methodologies
1.9 Knowledge of reporting and communication techniques (e.g., facilitation, negotiation, conflict resolution, audit report structure)
1.10 Knowledge of audit quality assurance systems and frameworks


1.2 Management of IS Audit Function

The audit function should be managed and led in a manner that ensures that the diverse tasks performed and achieved by the audit team will fulfill audit function objectives, while preserving audit independence and competence. Furthermore, managing the audit function should ensure value-added contributions to senior management regarding the efficient management of IT and achievement of business objectives.


1.2.1 Organization of IS Audit Function

• Audit charter (or engagement letter)
  • Stating management’s responsibility and objectives for, and delegation of authority to, the IS audit function
  • Outlining the overall authority, scope and responsibilities of the audit function
• Approval of the audit charter
• Change in the audit charter


1.2.3 Audit Planning (continued)

• Audit planning
  • Short-term planning
  • Long-term planning
• Things to consider
  • New control issues
  • Changing technologies
  • Changing business processes
  • Enhanced evaluation techniques
• Individual audit planning
  • Understanding of overall environment
  • Business practices and functions
  • Information systems and technology


Audit Planning Steps

• Gain an understanding of the business’s mission, objectives, purpose and processes.
• Identify stated contents (policies, standards, guidelines, procedures, and organization structure).
• Evaluate risk assessment and privacy impact analysis.
• Perform a risk analysis.
• Conduct an internal control review.
• Set the audit scope and audit objectives.
• Develop the audit approach or audit strategy.
• Assign personnel resources to audit and address engagement logistics.


1.2.4 Effect of Laws and Regulations (continued)

Regulatory requirements:

• Establishment
• Organization
• Responsibilities
• Correlation to financial, operational and IT audit functions


1.2.4 Effect of Laws and Regulations

Steps to determine compliance with external requirements:

• Identify external requirements
• Document pertinent laws and regulations
• Assess whether management and the IS function have considered the relevant external requirements
• Review internal IS department documents that address adherence to applicable laws
• Determine adherence to established procedures


1.3 ISACA IT Audit and Assurance Standards and Guidelines

As of 16 August 2010:

• Standards (16)
• Guidelines (41; G19 is cancelled)
• Procedures (11) / Audit and Assurance Tools & Techniques


Policy, Standards, Guidelines & Procedure


Definition: Standards, Guidelines & Procedure

• Standards define mandatory requirements for IT audit and assurance.
• Guidelines provide guidance in applying IT Audit and Assurance Standards. The objective of the IT Audit and Assurance Guidelines is to provide further information on how to comply with the IT Audit and Assurance Standards.
• Procedures/Tools and Techniques provide examples of procedures an IT audit and assurance professional might follow. The objective of the IT Audit and Assurance Tools and Techniques is to provide further information on how to comply with the IT Audit and Assurance Standards.


1.3.2 ISACA IT Audit and Assurance Standards Framework

IS Auditing Standards: 16

1. Audit charter
2. Independence
3. Professional Ethics and Standards
4. Competence
5. Planning
6. Performance of audit work
7. Reporting
8. Follow-up activities
9. Irregularities and illegal acts
10. IT governance
11. Use of risk assessment in audit planning
12. Audit Materiality
13. Using the Work of Other Experts
14. Audit Evidence
15. IT Controls
16. E-commerce


1.3.3 ISACA IT Audit and Assurance Guidelines (continued)
IS Auditing Guidelines: 41 (42 - 1 = 41, G19 is cancelled)

G1 Using the Work of Other Auditors
G2 Audit Evidence Requirement
G3 Use of Computer Assisted Audit Techniques (CAATs)
G4 Outsourcing of IS Activities to Other Organizations
G5 Audit Charter
G6 Materiality Concepts for Auditing Information Systems
G7 Due Professional Care
G8 Audit Documentation
G9 Audit Considerations for Irregularities and Illegal Acts
G10 Audit Sampling
G11 Effect of Pervasive IS Controls
G12 Organizational Relationship and Independence
G13 Use of Risk Assessment in Audit Planning
G14 Application Systems Review
G15 Audit Planning Revised


1.3.3 ISACA IT Audit and Assurance Guidelines (continued)

G16 Effect of Third Parties on an Organization's IT Controls
G17 Effect of Non-audit Role on the IT Audit and Assurance Professional’s Independence
G18 IT Governance
G19 Irregularities and Illegal Acts (1 July 2002; withdrawn 1 September 2008)
G20 Reporting
G21 Enterprise Resource Planning (ERP) Systems Review
G22 Business-to-consumer (B2C) E-commerce Review
G23 System Development Life Cycle (SDLC) Reviews
G24 Internet Banking
G25 Review of Virtual Private Networks
G26 Business Process Reengineering (BPR) Project Reviews
G27 Mobile Computing
G28 Computer Forensics
G29 Post-implementation Review
G30 Competence


1.3.3 ISACA IT Audit and Assurance Guidelines

G31 Privacy
G32 Business Continuity Plan (BCP) Review From IT Perspective
G33 General Considerations on the Use of the Internet
G34 Responsibility, Authority and Accountability
G35 Follow-up Activities
G36 Biometric Controls
G37 Configuration Management Process
G38 Access Controls
G39 IT Organization
G40 Review of Security Management Practices
G41 Return on Security Investment (ROSI)
G42 Continuous Assurance


1.3.4 ISACA IT Audit and Assurance Tools and Techniques

IT Audit and Assurance Tools and Techniques: 11

P1 IS Risk Assessment
P2 Digital Signatures
P3 Intrusion Detection
P4 Viruses and other Malicious Code
P5 Control Risk Self-assessment
P6 Firewalls
P7 Irregularities and Illegal Acts
P8 Security Assessment—Penetration Testing and Vulnerability Analysis
P9 Evaluation of Management Controls Over Encryption Methodologies
P10 Business Application Change Control
P11 Electronic Funds Transfer (EFT)


IT Risk Assessment Quadrants

(Figure: vertical axis is the sensitivity assessment; horizontal axis is the vulnerability assessment rating. Risk rises toward the upper right.)

                     Quadrant II (Medium Risk)        Quadrant I (High Risk)
                     Suggested action(s):             Suggested action(s):
                     Accept, Mitigate, Transfer       Mitigate

                     Quadrant IV (Low Risk)           Quadrant III (Medium Risk)
                     Suggested action(s):             Suggested action(s):
                     Accept                           Accept, Mitigate, Transfer

                     ------ Vulnerability assessment rating ------>


ISACA IS Auditing Standards and Guidelines

• ISACA Auditing Procedures
  • Procedures developed by the ISACA Standards Board provide examples.
  • The IS auditor should apply their own professional judgment to the specific circumstances.


1.5 Internal Control (continued)

Internal Controls: Policies, procedures, practices and organizational structures implemented to reduce risks.


Internal Control (continued)

• Components of Internal Control System
  • Internal accounting controls
  • Operational controls
  • Administrative controls


Internal Control (continued)

• Internal Control Objectives
  • Safeguarding of information technology assets
  • Compliance to corporate policies or legal requirements
  • Authorization/input
  • Accuracy and completeness of processing of transactions
  • Output
  • Reliability of process
  • Backup/recovery
  • Efficiency and economy of operations


Internal Control (continued)

• Classification of Internal Controls
  • Preventive controls
  • Detective controls
  • Corrective controls


Internal Control (continued)

IS Control Objectives: Control objectives in an information systems environment remain unchanged from those of a manual environment. However, control features may be different. The internal control objectives thus need to be addressed in a manner specific to IS-related processes.


Internal Control (continued)

• IS Control Objectives (cont’d)
  • Safeguarding assets
  • Assuring the integrity of general operating system environments
  • Assuring the integrity of sensitive and critical application system environments through:
    • Authorization of the input
    • Accuracy and completeness of processing of transactions
    • Reliability of overall information processing activities
    • Accuracy, completeness and security of the output
    • Database integrity


Internal Control (continued)

IS Control Objectives (cont’d)

• Ensuring the efficiency and effectiveness of operations
• Complying with requirements, policies and procedures, and applicable laws
• Developing business continuity and disaster recovery plans
• Developing an incident response plan


Internal Control (continued)

IS Control Objectives (cont’d)

COBIT: COBIT supports IT governance and management by providing a framework to ensure that IT is aligned with the business, IT enables the business and maximizes benefits, IT resources are used responsibly, and IT risks are managed appropriately.

• A framework with 34 high-level control objectives in four domains:
  • Planning and organization
  • Acquisition and implementation
  • Delivery and support
  • Monitoring and evaluation
• Use of 36 major IT-related standards and regulations


Internal Control (continued)

• General Control Procedures (continued) apply to all areas of an organization and include policies and practices established by management to provide reasonable assurance that specific objectives will be achieved.


Internal Control (continued)

• General Control Procedures (continued)
  • Internal accounting controls directed at accounting operations
  • Operational controls concerned with the day-to-day operations
  • Administrative controls concerned with operational efficiency and adherence to management policies
  • Organizational logical security policies and procedures
  • Overall policies for the design and use of documents and records
  • Procedures and features to ensure authorized access to assets
  • Physical security policies for all data centers


Internal Control (continued)

• IS Control Procedures
  • Strategy and direction
  • General organization and management
  • Access to data and programs
  • Systems development methodologies and change control
  • Data processing operations
  • Systems programming and technical support functions
  • Data processing quality assurance procedures
  • Physical access controls
  • Business continuity/disaster recovery planning
  • Networks and communications
  • Database administration


Definition of Auditing

Systematic process by which a competent, independent person objectively obtains and evaluates evidence regarding assertions about an economic entity or event for the purpose of forming an opinion about and reporting on the degree to which the assertion conforms to an identified set of standards.


Purpose of an Audit

An audit is simply a review of past history. The IS auditor is expected to follow the defined audit process, establish audit criteria, gather meaningful evidence, and render an independent opinion about internal controls. The audit involves applying various techniques for collecting meaningful evidence, and then performing a comparison of the audit evidence against the standard for reference.

Your key to success in auditing is to accurately report your findings, whether good or bad or indifferent. A good auditor will produce verifiable results. No one should ever come in behind you with a different outcome of findings. Your job is to report what the evidence indicates.


Classification of audits:

Internal audits and assessments: This involves auditing your own organization to discover evidence of what is occurring inside the organization (self-assessment). These have restrictions on their scope, and the findings should not be shared outside the organization. The findings cannot be used for licensing.

External audits: External audits involve your customer auditing you, or you auditing your supplier. The business audits its customer or supplier, or vice versa. The goal is to ensure the expected level of performance as mutually agreed upon in their contracts.

Independent audits: Independent audits are outside of the customer-supplier influence. Third-party independent audits are frequently relied on for licensing, certification, or product approval. A simple example is independent consumer reports.


Classification of audits:

• Financial audits
• Operational audits
• Integrated audits
• Administrative audits
• Information systems audits
• Specialized audits
• Forensic audits


Audit Concept (continued...)

The IS auditor should understand the various types of audits that can be performed, internally or externally, and the audit procedures associated with each:

Financial audits: The purpose of a financial audit is to assess the correctness of an organization's financial statements. A financial audit will often involve detailed, substantive testing. This kind of audit relates to information integrity and reliability.

Operational audits: An operational audit is designed to evaluate the internal control structure in a given process or area. IS audits of application controls or logical security systems are examples of operational audits.

Integrated audits: An integrated audit combines financial and operational audit steps. It is also performed to assess the overall objectives within an organization, related to financial information and assets' safeguarding, efficiency and compliance. An integrated audit can be performed by external or internal auditors and would include compliance tests of internal controls and substantive audit steps.

Administrative audits: These are oriented to assess issues related to the efficiency of operational productivity within an organization.


Audit Concept

IS audits: This process collects and evaluates evidence to determine whether the information system and related resources adequately safeguard assets, maintain data and system integrity, provide relevant and reliable information, achieve organizational goals effectively, consume resources efficiently, and have in effect internal controls that provide reasonable assurance that business, operational and control objectives will be met and that undesired events will be prevented, or detected and corrected, in a timely manner.

In short: any audit that encompasses review and evaluation (wholly or partly) of automated information processing systems, related non-automated processes and the interfaces between them.

Specialized audits: Within the category of IS audits, there are a number of specialized reviews that examine areas such as services performed by third parties and forensic auditing. Because businesses are becoming increasingly reliant on third-party service providers, it is important that internal control be evaluated in these environments.


Audit Concept

Forensic audits: Traditionally, forensic auditing has been defined as an audit specialized in discovering, disclosing and following up on frauds and crimes. The primary purpose of such a review is the development of evidence for review by law enforcement and judicial authorities. In recent years, the forensic professional has been called upon to participate in investigations related to corporate fraud and cybercrime. In cases where computer resources may have been misused, further investigation is necessary to gather evidence for possible criminal activity that can then be reported to appropriate authorities. A computer forensic investigation includes the analysis of electronic devices, such as computers, phones, personal digital assistants (PDAs), disks, switches, routers, hubs and other electronic equipment.


Auditor’s Responsibility

As an auditor, you are expected to fulfill a fiduciary relationship. A fiduciary relationship is simply one in which you are acting for the benefit of another person and placing the responsibilities to be fair and honest ahead of your own interest. An auditor must never put the auditee’s interests ahead of the truth. People inside and outside of the auditee organization will depend on your reports to make decisions.

The auditor is depended on to advise about the internal status of an organization. Audits are different from inspections or assessments because the individual performing the audit must be both objective and impartial. This is a tremendous responsibility.


Comparing Audits to Assessments

Audit: An audit generates a report considered to represent a high assurance of truth. Audits are used in asset reporting engagements.

Assessment: An assessment is less formal and frequently more cooperative with the people/objects under scrutiny. Its purpose is to see what exists and to assess value based on its relevance. The assessment report is viewed to have lower value (moderate-to-low value) when compared to an audit.

The primary goal of an assessment is to help the user/staff work toward improving their score. However, the audit is the score that actually counts for regulatory compliance purposes.


Comparing Audits to Assessments

Auditor: The auditor is the competent person performing the audit.

Auditee: The organization and people being audited are collectively called the auditee.

Client: The client is the person or organization with the authority to request the audit. A client may be the audit committee, external customer, internal audit department, or regulatory group. If the client is internal to the auditee, that client assumes the auditee role.


Auditor’s Independence

Independent means that you are not related professionally, personally, or organizationally to the subject of the audit. You cannot be independent if the audit’s outcome results in your financial gain or if you are involved in the auditee’s decisions or design of the subject being audited.

An Independence Test

Here is a simple self-assessment to help you determine your level of independence:

• Are you auditing something you helped to develop?
• Are you free of any conflicts, circumstances, or attitudes toward the auditee that might affect the audit outcome?
• Is your personal life free of any relationships, off-duty behavior, or financial gain that could be perceived as affecting your judgment?
• Do you have any organizational relationships with the auditee, including business deals, financial obligations, or pending legal actions?
• Do you have a job conflict? Does the organizational structure require your position to work under the executive in charge of the area being audited?
• Did you receive any gifts of value or special favors?


Audit Programs

• Based on the scope and the objective of the particular assignment
• IS auditor’s perspectives
  • Security (confidentiality, integrity and availability)
  • Quality (effectiveness, efficiency)
  • Fiduciary (compliance, reliability)
  • Service and Capacity


General audit procedures

• Understanding of the audit area/subject
• Risk assessment and general audit plan
• Detailed audit planning
• Preliminary review of audit area/subject
• Evaluating audit area/subject
• Compliance testing
• Substantive testing
• Reporting (communicating results)
• Follow-up


Procedures for testing & evaluating IS controls

• Use of generalized audit software to survey the contents of data files
• Use of specialized software to assess the contents of operating system parameter files
• Flow-charting techniques for documenting automated applications and business processes
• Use of audit reports available in operating systems
• Documentation review
• Observation
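As an added example (not part of the lecture), the following script shows what a generalized-audit-software survey of a data file looks like in practice: a compliance test of authorization controls (segregation of duties and approval above a limit) and a substantive test that re-performs the control total and flags duplicate records. The accounts-payable extract, the approval limit and the ledger control total are all constructed assumptions.

```python
"""Generalized-audit-software style tests over an accounts-payable extract.

Added example, not the lecture's own material: a compliance test (did the
authorization controls operate?) and a substantive test (do the records
reconcile to the ledger control total?) over a small constructed data file.
"""
import csv
import io
from collections import Counter

# Constructed sample extract; vendors, user ids and dates are made up.
SAMPLE_EXTRACT = """\
txn_id,vendor,amount,prepared_by,approved_by,posted
1001,Acme Supplies,450.00,jdoe,mlee,2014-05-02
1002,Acme Supplies,12500.00,jdoe,jdoe,2014-05-03
1003,Globex,980.00,asmith,mlee,2014-05-03
1004,Initech,25000.00,asmith,,2014-05-04
1005,Globex,980.00,asmith,mlee,2014-05-03
1006,Umbrella,7300.00,mlee,asmith,2014-05-05
"""

# Assumed client policy: anything above this amount needs an approver.
APPROVAL_LIMIT = 5000.00
# Assumed control total taken from the general ledger for the same period.
LEDGER_CONTROL_TOTAL = 46230.00


def load_extract(text):
    """Parse the CSV extract; amounts become floats, other fields stay text."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["amount"] = float(row["amount"])
    return rows


def compliance_test(rows, limit=APPROVAL_LIMIT):
    """Test of controls: return (txn_id, reason) for each control deviation.

    Control 1: transactions above `limit` must carry an approver.
    Control 2: preparer and approver must differ (segregation of duties).
    """
    deviations = []
    for row in rows:
        if row["amount"] > limit and not row["approved_by"]:
            deviations.append((row["txn_id"], "no approval above limit"))
        if row["approved_by"] and row["approved_by"] == row["prepared_by"]:
            deviations.append((row["txn_id"], "preparer approved own item"))
    return deviations


def deviation_rate(rows, deviations):
    """Fraction of transactions with at least one deviation (sample deviation rate)."""
    flagged = {txn_id for txn_id, _ in deviations}
    return len(flagged) / len(rows) if rows else 0.0


def _dup_key(row):
    """A record is a likely duplicate when vendor, amount and posting date repeat."""
    return (row["vendor"], row["amount"], row["posted"])


def substantive_test(rows, ledger_total=LEDGER_CONTROL_TOTAL):
    """Test of balances: re-perform the control total and list likely duplicates.

    Returns (recomputed_total, difference_vs_ledger, duplicate_txn_ids).
    """
    total = round(sum(row["amount"] for row in rows), 2)
    seen = Counter(_dup_key(row) for row in rows)
    duplicates = [row["txn_id"] for row in rows if seen[_dup_key(row)] > 1]
    return total, round(total - ledger_total, 2), duplicates


if __name__ == "__main__":
    rows = load_extract(SAMPLE_EXTRACT)
    deviations = compliance_test(rows)
    print("Compliance deviations:", deviations)
    print("Deviation rate: %.1f%%" % (100 * deviation_rate(rows, deviations)))
    total, diff, dups = substantive_test(rows)
    print("Recomputed total %.2f, difference vs ledger %.2f, duplicates %s"
          % (total, diff, dups))
```

The compliance result (two deviations out of six records) feeds the decision whether the controls can be relied on; the substantive result (a 980.00 difference explained by a duplicated record) is the kind of evidence the work papers must retain.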


Audit Methodology

• A set of documented audit procedures designed to achieve planned audit objectives
• Composed of
  • Statement of scope
  • Statement of audit objectives
  • Statement of work programs
• Set up and approved by the audit management
• Communicated to all audit staff


Typical audit phases

1. Audit subject
   • Identify the area to be audited
2. Audit objective
   • Identify the purpose of the audit
3. Audit scope
   • Identify the specific systems, function or unit of the organization
4. Pre-audit planning
   • Identify technical skills and resources needed
   • Identify the sources of information for test or review
   • Identify locations or facilities to be audited
5. Audit procedures and steps for data gathering
   • Identify and select the audit approach
   • Identify a list of individuals to interview
   • Identify and obtain departmental policies, standards and guidelines
   • Develop audit tools and methodology
6. Procedures for evaluating test/review results
7. Procedures for communication
8. Audit report preparation
   • Identify follow-up review procedures
   • Identify procedures to evaluate/test operational efficiency and effectiveness
   • Identify procedures to test controls
   • Review and evaluate the soundness of documents, policies and procedures


Typical Audit Phases Summary

Identify
• the area to be audited
• the purpose of the audit
• the specific systems, function or unit of the organization to be included in the review
• technical skills and resources needed
• the sources of information for tests or review such as functional flowcharts, policies, standards, procedures and prior audit work papers
• locations or facilities to be audited
• select the audit approach to verify and test the controls
• list of individuals to interview
• obtain departmental policies, standards and guidelines for review

Develop
• audit tools and methodology to test and verify control
• procedures for evaluating the test or review results
• procedures for communication with management

Report
• follow-up review procedures
• procedures to evaluate/test operational efficiency and effectiveness
• procedures to test controls
• review and evaluate the soundness of documents, policies and procedures


Work-Papers (WPs) (Cont’d)

• What are documented in WPs?
  • Audit plans
  • Audit programs
  • Audit activities
  • Audit tests
  • Audit findings and incidents


Work-Papers

Do not have to be on “paper”

• Must be
  • Dated
  • Initialed
  • Page-numbered
  • Relevant
  • Complete
  • Clear
  • Self-contained and properly labeled
  • Filed and kept in custody


Fraud Detection

• Management’s responsibility
• Benefits of a well-designed internal control system
  • Deterring frauds at the first instance
  • Detecting frauds in a timely manner
• Fraud detection and disclosure
• Auditor’s role in fraud prevention and detection


Audit Risk

• Audit risk is the risk that the information/financial report may contain material error that may go undetected during the audit.
• A risk-based audit approach is used to assess risk and assist with an IS auditor’s decision to perform either compliance or substantive testing.


Audit Risks: Types

• Inherent risk
• Control risk
• Detection risk
• Sampling risks
• Nonsampling risks
• Overall audit risk
• Business risks
• Technological risks
• Operational risks
• Residual risks
• Audit risks


Audit Risks: Types

• Inherent risk: Inherent risk is the risk that an error exists in the absence of any compensating controls, an error which could become significant when combined with other errors.
• Control risk: Control risk is the risk that a material error exists that will not be prevented or detected in a timely manner by the system of internal controls.
• Detection risk: Detection risk is the risk that the auditor’s testing procedures will not detect a material error, since the use of improper testing procedures may not detect all material errors.
• Sampling risks: These are the risks that an auditor will falsely accept or erroneously reject an audit sample (evidence).
• Nonsampling risks: These are the risks that an auditor will fail to detect a condition because of not applying the appropriate procedure or using procedures inconsistent with the audit objective (detection fault).


Audit Risks: Types

 Business risks: risks that are inherent in the business or
industry itself. They may be regulatory, contractual or financial.

 Technological risks: inherent risks of using automated
technology. Systems do fail.

 Operational risks: the risks that a process or procedure will
not perform correctly.

 Residual risks: the risks that remain after all mitigation
efforts are performed.

 Overall audit risk: the combination of inherent, control and
detection risk for a given audit assignment.


Risk‐based Approach Overview

 Gather information and plan
 Obtain an understanding of internal
control
 Perform compliance tests
 Perform substantive tests
 Conclude the audit


Materiality

An auditing concept regarding the importance of
an item of information with regard to its impact or
effect on the functioning of the entity being
audited


Risk Assessment Techniques

 Enables management to effectively allocate
limited audit resources
 Ensures that relevant information has been
obtained
 Establishes a basis for effectively managing the
audit department
 Provides a summary of how the individual audit
subject is related to the overall organization
and to business plans


Audit Objectives

The specific goals of the audit, for example:

 Compliance with legal and regulatory requirements
 Confidentiality
 Integrity
 Reliability
 Availability


Compliance vs. Substantive Testing

 Compliance test
 Determines whether controls are operating in compliance with
management policies and procedures
 Substantive test
 Tests the integrity of actual processing
 A procedure used during accounting audits to check for errors
in balance sheets and other financial documentation. A
substantive test might involve checking a random sample of
transactions for errors, comparing account balances to find
discrepancies, or analysis and review of procedures used to
execute and record transactions.
Auditors gather evidence about management’s assertions (for
example, that recorded assets exist and are correctly valued) by
undertaking substantive procedures, which may include:


Compliance vs. Substantive Testing

 physically examining inventory on the balance date as
evidence that inventory shown in the accounting
records actually exists (existence/validity assertion); AND
 making inquiries of management about the
collectibility of customers’ accounts as evidence
that trade debtors are accurate as to valuation.
 Thus, substantive procedures are performed by
an auditor to detect whether there are any
material misstatements in accounting
transactions.


Compliance vs. Substantive Testing

Examples of substantive procedures are:


 Bank confirmation
 Accounts receivable confirmation
 Inquire of management regarding the collectibility of customer accounts
 Match customer orders to invoices billed
 Match collected funds to invoices billed
 Observe a physical inventory count
 Confirm inventories not on-site
 Match purchasing records to inventory on hand or sold
 Confirm the calculations on an inventory valuation report
 Observe fixed assets
 Match purchase orders and supplier invoices to fixed asset records
 Confirm accounts payable
 Examine accounts payable supporting documents
 Confirm debt
 Analytical review of assets, liabilities, revenue and expenses

Evidence

It is a requirement that the auditor’s conclusions must be based
on sufficient, competent evidence. The reliability of evidence
depends on:
 Independence of the provider of the
evidence
 Qualification of the individual providing
the information or evidence
 Objectivity of the evidence
 Timing of evidence


Techniques for gathering evidence:

 Review IS organization structures
 Review IS policies and procedures
 Review IS standards
 Review IS documentation
 Interview appropriate personnel
 Observe processes and employee
performance


Interviewing and Observing Personnel

 Actual functions
 Actual processes/procedures
 Security awareness
 Reporting relationships



Sampling (continued)

 General approaches to audit sampling:

Statistical sampling: An objective method of determining the
sample size and selection criteria. The assessment is
expressed as a percentage. The results of a valid statistical
sample are mathematically quantifiable: the probability of error
is objectively quantified through the confidence coefficient.

Non‐statistical sampling: Uses auditor judgment to determine
the method of sampling, the number of items that will be
examined from a population (sample size) and which items to
select (sample selection). These decisions are based on subjective
judgment as to which items/transactions are the most material and
most risky.

Sampling (continued)

 Methods of sampling used by auditors:

Attribute sampling: Attribute sampling, generally applied in
compliance testing situations, deals with the presence or
absence of the attribute and provides conclusions that are
expressed in rates of incidence.

Variable sampling: Variable sampling, generally applied in
substantive testing situations, deals with population
characteristics that vary, such as monetary values and weights
(or any other measurement), and provides conclusions related
to deviations from the norm.


Sampling (continued)

 Attribute Sampling

Stop‐or‐go sampling: A sampling model that helps prevent excessive
sampling of an attribute by allowing an audit test to be stopped at the
earliest possible moment. Stop‐or‐go sampling is used when the IS
auditor believes that relatively few errors will be found in a population.

Discovery sampling: A sampling model that can be used when the
expected occurrence rate is extremely low. Discovery sampling is most
often used when the objective of the audit is to seek out (discover)
fraud, circumvention of regulations or other irregularities.


Sampling (continued)

 Variable sampling

 Stratified mean per unit: A statistical model in which the population
is divided into groups (strata) and samples are drawn from each group.
Stratified mean sampling is used to produce a smaller overall sample
size relative to un‐stratified mean per unit. Example strata are
people aged 13 to 19, 20 to 29 and 30 to 39, or male/female,
smokers/non‐smokers, and so on.

 Un‐stratified mean per unit: A statistical model in which a sample mean
is calculated and projected as an estimated total.

 Difference estimation: A statistical model used to estimate the total
difference between audited values and book (unaudited) values based on
differences obtained from sample observations.


Statistical sampling terms: (contd.)

 Confidence coefficient
 Level of risk
 Precision
 Expected error rate
 Sample mean
 Sample standard deviation
 Tolerable error rate
 Population standard deviation



Statistical sampling terms: (contd.)

Confidence coefficient (also referred to as confidence level or reliability
factor): A percentage expression (90 percent, 95 percent, 99
percent, etc.) of the probability that the characteristics of the sample are a true
representation of the population.
Level of risk: Equal to one minus the confidence coefficient. For example, if
the confidence coefficient is 95 percent, the level of risk is five percent (100
percent minus 95 percent).
Precision: Set by the IS auditor, it represents the acceptable range of difference
between the sample and the actual population. For attribute sampling, this
figure is stated as a percentage. For variable sampling, this figure is stated as a
monetary amount or a number.
Expected error rate: An estimate, stated as a percentage, of the errors that may
exist. The greater the expected error rate, the greater the sample size.


Statistical sampling terms:

Sample mean: The sum of all sample values, divided by the size of the
sample. The sample mean measures the average value of the sample.

Sample standard deviation: Computed from the variance of the sample values
about the mean of the sample. Sample standard deviation measures the
spread or dispersion of the sample values.

Tolerable error rate: Describes the maximum misstatement or number of
errors that can exist without an account being materially misstated.
The tolerable rate is used as the planned upper limit of the precision range for
compliance testing.

Population standard deviation: A mathematical measure of the dispersion of
the population’s values about its mean, used in relation to the normal
distribution. The greater the standard deviation, the larger the sample size.


Key steps in choosing a sample

 Determine the objectives of the test
 Define the population to be sampled
 Determine the sampling method, such as
attribute versus variable sampling
 Calculate the sample size
 Select the sample
 Evaluate the sample from an audit
perspective
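The sampling steps above, worked through in code. This is an added example and is not part of the original lecture: the population (1,000 change tickets), the invoice amounts and the random seed are constructed for the illustration, and the function names are illustrative rather than any ISACA tool. It shows the closed-form sample size for an attribute test designed around zero expected deviations (the discovery sampling case, n = ln(1 - confidence) / ln(1 - tolerable rate)), the level of risk, a reproducible random selection, the evaluation of the attribute result, and a difference-estimation projection for variable sampling, including the sample mean and sample standard deviation defined later in the deck:

```python
import math
import random
from statistics import mean, stdev


def discovery_sample_size(confidence, tolerable_rate):
    """Smallest n such that, were the true deviation rate at least
    tolerable_rate, a sample with zero deviations would occur with
    probability at most (1 - confidence): solve (1 - p)^n <= 1 - c."""
    if not 0 < confidence < 1 or not 0 < tolerable_rate < 1:
        raise ValueError("confidence and tolerable_rate must lie in (0, 1)")
    return math.ceil(math.log(1 - confidence) / math.log(1 - tolerable_rate))


def level_of_risk(confidence):
    """Level of risk is one minus the confidence coefficient (95% -> 5%)."""
    return round(1 - confidence, 6)


def select_sample(population_ids, size, seed):
    """Random selection: every item has an equal chance of being drawn.
    The seed is recorded in the work papers so the draw can be reproduced."""
    rng = random.Random(seed)
    return sorted(rng.sample(list(population_ids), size))


def evaluate_attribute_sample(deviations_found, confidence, tolerable_rate, sample_size):
    """Zero-expected-deviation design: the sample supports the conclusion
    that the population deviation rate is below tolerable_rate at the
    stated confidence only if it reached the required size and showed
    no deviations.  Any deviation means the test cannot support it."""
    required = discovery_sample_size(confidence, tolerable_rate)
    return sample_size >= required and deviations_found == 0


def difference_estimate(book_values, audited_values, population_size):
    """Variable sampling, difference estimation: project the total
    audited-minus-book difference from the differences in the sample."""
    if len(book_values) != len(audited_values) or not book_values:
        raise ValueError("need equal-length, non-empty book and audited lists")
    diffs = [audited - book for book, audited in zip(book_values, audited_values)]
    sample_mean = mean(diffs)
    sample_sd = stdev(diffs) if len(diffs) > 1 else 0.0
    return {
        "sample_mean_difference": sample_mean,
        "sample_standard_deviation": sample_sd,
        "projected_total_difference": sample_mean * population_size,
    }


if __name__ == "__main__":
    # Steps 1-3 (constructed scenario): objective is to test that every
    # change ticket carries an approval; population is 1,000 ticket ids;
    # attribute sampling with no deviations expected.
    confidence, tolerable = 0.95, 0.05
    n = discovery_sample_size(confidence, tolerable)          # 59
    print(f"sample size {n} at {confidence:.0%} confidence, "
          f"level of risk {level_of_risk(confidence):.0%}")
    # Steps 4-5: draw the sample (seed kept with the work papers).
    ids = select_sample(range(1, 1001), n, seed=20140623)
    print("first ids drawn:", ids[:5])
    # Step 6: evaluate; a single unapproved ticket fails the test.
    print("controls pass:", evaluate_attribute_sample(0, confidence, tolerable, n))
    print("controls pass:", evaluate_attribute_sample(1, confidence, tolerable, n))
    # Variable sampling on constructed invoice amounts (book vs audited)
    # drawn from a population of 1,000 invoices.
    book = [100.0, 250.0, 80.0, 400.0, 60.0]
    audited = [100.0, 240.0, 80.0, 405.0, 60.0]
    print(difference_estimate(book, audited, 1000))
```

The zero-deviation design is what makes stop-or-go and discovery sampling cheap: 59 items suffice for 95 percent confidence against a 5 percent tolerable rate, but the first deviation found ends the ability to conclude from that sample, and the auditor must either extend it or switch to a design that allows for an expected error rate.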


Computer‐Assisted Audit Techniques. Contd.

 CAATs enable IS auditors to gather information
independently
 CAATs include:
 Generalized audit software (GAS)
 Utility software
 Test data
 Application software for continuous
online audits
 Audit expert systems


Computer‐Assisted Audit Techniques. Contd.

 Need for CAATs
 Evidence collection
 Functional capabilities
 Functions supported
 Areas of concern


Computer‐Assisted Audit Techniques. Contd.

 Examples of CAATs used to collect evidence
 CAATs as a continuous online approach


Computer‐Assisted Audit Techniques. Contd.

 Development of CAATs
 Documentation retention
 Access to production data
 Data manipulation


Evaluation of Strengths and Weaknesses

 Assess evidence
 Evaluate overall control structure
 Evaluate control procedures
 Assess control strengths and weaknesses



Judging Materiality of Findings

 Materiality is a key issue

 Assessment requires judgment of the potential
effect of the finding if corrective action is not
taken


Communicating Audit Results

 Exit interview
 Correct facts
 Realistic recommendations
 Implementation dates for agreed
recommendations
 Presentation techniques
 Executive summary
 Visual presentation



Audit report structure and contents

 An introduction to the report
 The IS auditor’s overall conclusion and opinion
 The IS auditor’s reservations with respect to
the audit
 Detailed audit findings and recommendations
 A variety of findings
 Limitations to the audit
 Statement on the IS audit guidelines followed


Management Implementation of Recommendations

 Auditing is an ongoing process
 Timing of follow‐up


Audit Documentation

 Contents of audit documentation
 Custody of audit documentation
 Support of findings and conclusions


Control Self‐Assessment (CSA), Contd.

The primary objective is to leverage the
internal audit function by shifting some of the
control monitoring responsibilities to the
functional areas. CSA is:

 A management technique
 A methodology
 In practice, a series of tools


Control Self‐Assessment (CSA), Contd.

 Implementation of CSA
 Facilitated workshops
 Hybrid approach



Control Self Assessment

 Benefits of CSA
 Early detection of risk
 More effective and improved internal controls
 More motivated employees
 Improved audit rating process
 Assurance to top management and stakeholders
 Disadvantages of CSA
 It may be regarded as an additional workload
 Failure to act on improvement suggestions could
damage employee morale.


Control Self Assessment

IS Auditor’s Role in CSAs: When CSA is in place, auditors become internal
control professionals and assessment facilitators.

Technology Drivers for a CSA Program: The technology drivers
include a combination of hardware and software to support CSA selection,
and the use of an electronic meeting system and computer‐supported
decision aids to facilitate group decision making.

Traditional vs. CSA Approach: The traditional approach can be
summarized as any approach in which the primary responsibility for
analyzing and reporting on internal control and risk is assigned to auditors
and, to a lesser extent, controller departments and outside consultants. The
CSA approach emphasizes management ownership and accountability for
developing and monitoring the internal controls over an organization’s sensitive
and critical business processes.

Emerging Changes in IS Audit Process

 New Topics:
Automated Work Papers
Integrated Auditing
Continuous Auditing



Automated Work Papers

Automated work papers typically contain:

 Risk analysis
 Audit programs
 Results
 Test evidence
 Conclusions
 Reports and other complementary
information


Automated Work Papers

Controls over automated work papers:

 Access to work papers
 Audit trails
 Approvals of audit phases
 Security and integrity controls
 Backup and restoration
 Encryption for confidentiality


Integrated Auditing

Integrated Auditing

A process whereby appropriate audit disciplines are combined
to assess key internal controls over an operation, process or
entity

 Focuses on risk to the organization (for an internal
auditor)

 Focuses on the risk of providing an incorrect or
misleading audit opinion (for an external auditor)


Integrated Auditing ‐ Typical process:

 Identification of relevant key controls
 Review and understanding of the design of key
controls
 Testing that key controls are supported by the
IT system
 Testing that management controls operate
effectively
 A combined report or opinion on control risks,
design and weaknesses


Continuous Auditing

Continuous Auditing: “A methodology that
enables independent auditors to provide written
assurance on a subject matter using a series of
auditors’ reports issued simultaneously with, or a
short period of time after, the occurrence of events
underlying the subject matter”


Continuous Auditing vs. Continuous Monitoring

 Continuous Monitoring
 Management‐driven
 Based on automated procedures to meet
fiduciary responsibilities

 Continuous Auditing
 Audit‐driven
 Done using automated audit procedures



Enablers for the Application of Continuous Auditing

 New information technology
 Increased processing capabilities
 Standards
 Artificial intelligence tools


IT Techniques in a Continuous Auditing Environment

 Transaction logging
 Query tools
 Statistics and data analysis (CAAT)
 Database management systems (DBMS)
 Data warehouses, data marts, data mining.
 Artificial intelligence (AI)
 Embedded audit modules (EAM)
 Neural network technology
 Standards such as Extensible Business
Reporting Language



Continuous Auditing ‐ Prerequisites

 A high degree of automation
 An automated and reliable information‐producing process
 Alarm triggers to report control failures
 Implementation of automated audit tools
 Quickly informing IS auditors of anomalies/errors
 Timely issuance of automated audit reports
 Technically proficient IS auditors
 Availability of reliable sources of evidence
 Adherence to materiality guidelines
 Change of IS auditors’ mind‐set
 Evaluation of cost factors
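An added example, not from the lecture, of the alarm-trigger prerequisite above and of the transaction logging and embedded audit module (EAM) techniques listed earlier: a small rule set that runs over a transaction log and reports control failures as they occur, grouped per transaction so the auditor sees every failed control at once. The log records, user names, materiality threshold and business-hours window are all constructed for the illustration; a real module would read the production system’s log and route its alarms to the IS auditor rather than print them.

```python
from datetime import datetime

# Constructed payment-system log; ids, users, amounts and times are invented.
SAMPLE_LOG = [
    {"id": "T1001", "created_by": "alice", "approved_by": "bob",
     "amount": 1200.00, "ts": "2014-06-23T10:15:00"},
    {"id": "T1002", "created_by": "carol", "approved_by": "carol",
     "amount": 9800.00, "ts": "2014-06-23T11:02:00"},
    {"id": "T1003", "created_by": "dave", "approved_by": None,
     "amount": 300.00, "ts": "2014-06-23T23:40:00"},
    {"id": "T1004", "created_by": "erin", "approved_by": "frank",
     "amount": 75000.00, "ts": "2014-06-22T09:30:00"},
]

MATERIALITY = 50000.00      # assumed single-payment materiality threshold
BUSINESS_HOURS = (8, 18)    # assumed processing window, 08:00-18:00


def sod_violation(txn):
    """Segregation of duties: the creator must not approve their own payment."""
    return txn["approved_by"] is not None and txn["approved_by"] == txn["created_by"]


def missing_approval(txn):
    """Every payment must carry an approval before it is processed."""
    return txn["approved_by"] is None


def material_amount(txn):
    """Payments at or above materiality are always reported for review."""
    return txn["amount"] >= MATERIALITY


def outside_business_hours(txn):
    """Processing outside the approved window is an anomaly worth a look."""
    hour = datetime.fromisoformat(txn["ts"]).hour
    return not (BUSINESS_HOURS[0] <= hour < BUSINESS_HOURS[1])


# Rule name -> predicate; the order fixes the order of alarms per transaction.
RULES = {
    "SOD_VIOLATION": sod_violation,
    "MISSING_APPROVAL": missing_approval,
    "MATERIAL_AMOUNT": material_amount,
    "OUT_OF_HOURS": outside_business_hours,
}


def run_audit_rules(log):
    """Apply every rule to every transaction; return (id, rule) alarms."""
    return [(txn["id"], name) for txn in log
            for name, rule in RULES.items() if rule(txn)]


def alarms_by_transaction(alarms):
    """Group alarms so the auditor sees all failed controls per transaction."""
    grouped = {}
    for txn_id, rule in alarms:
        grouped.setdefault(txn_id, []).append(rule)
    return grouped


if __name__ == "__main__":
    for txn_id, rules in alarms_by_transaction(run_audit_rules(SAMPLE_LOG)).items():
        print(f"{txn_id}: {', '.join(rules)}")
```

The same rule set serves both sides of the continuous monitoring versus continuous auditing distinction: run by management against its own process it is continuous monitoring; run by the audit function, from its own copy of the log and under its own materiality guideline, it is continuous auditing.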


Continuous Auditing

 Advantages
 Instant capture of internal control problems
 Reduction of intrinsic audit inefficiencies

 Disadvantages
 Difficulty in implementation
 High cost
 Elimination of auditors’ personal judgment and
evaluation


Practice Question

Q. What does fiduciary responsibility mean?

A. To use information gained for personal interests without
breaching confidentiality of the client.
B. To act for the benefit of another person and place the
responsibilities to be fair and honest ahead of your own interest.
C. To follow the desires of the client and maintain total
confidentiality even if illegal acts are discovered. The auditor shall
never disclose information from an audit in order to protect the
client.
D. None of the above.


Answer

Answer is B. Accountants, auditors, and lawyers
act on behalf of their client’s best interests unless
doing so places them in violation of the law. It is
the highest standard of duty implied by law for a
trustee and guardian.


Practice Question

Q: What are the different types of audits?

A. Forensic, accounting, verification, regulatory
B. Integrated, operational, compliance,
administrative
C. Financial, SAS-74, compliance, administrative
D. Information systems, SAS-70, regulatory,
procedural


Answer

Answer is B. All of the audit types are valid
except procedural, SAS-74, verification, and
regulatory. The valid audit types are financial,
operational (SAS-70), integrated (SAS-94),
compliance, administrative, forensic, and
information systems. A forensic audit is used to
discover information about a possible crime.


Practice Question

Q: How does the auditor derive a final
opinion?
A. From evidence gathered and the auditor’s
observations
B. By representations and assurances of
management
C. By testing the compliance of language used in
organizational policies
D. Under advice of the audit committee


Answer

Answer is A. A final opinion is based on
evidence gathered and testing. The purpose of an
audit is to challenge the assertions of
management. Evidence is gathered that will
support or disprove claims.


Practice Question

Practice Questions (contd.)


Q: Which of the following BEST describes the
early stages of an IS audit?
A. Observing key organizational facilities
B. Assessing the IS environment
C. Understanding the business process and
environment applicable to the review
D. Reviewing prior IS audit reports



Answer

1‐1‐C: Understanding the business process and
environment applicable to the review is most
representative of what occurs early on in the
course of an audit. The other choices relate to
activities actually occurring within this process.


Practice Question

Q: In performing a risk‐based audit,
which risk assessment is completed
initially by the IS auditor?
A. Detection risk assessment
B. Control risk assessment
C. Inherent risk assessment
D. Fraud risk assessment


Answer

1‐2‐C: Inherent risks exist independently of an audit and can
occur because of the nature of the business. To successfully
conduct an audit, it is important to be aware of the related
business processes. To perform the audit the IS auditor
needs to understand the business process, and by
understanding the business process, the IS auditor better
understands the inherent risks.


Practice Question

Q: While developing a risk‐based audit program, on
which of the following would the IS auditor MOST
likely focus?

A. Business processes
B. Critical IT applications
C. Operational controls
D. Business strategies


Answer

1‐3‐A: A risk‐based audit approach focuses on the
understanding of the nature of the business and
being able to identify and categorize risk.
Business risks impact the long‐term viability of a
specific business. Thus, an IS auditor using a
risk‐based audit approach must be able to
understand business processes.


Practice Question

Q: Which of the following types of audit risk
assumes an absence of compensating controls
in the area being reviewed?
A. Control risk
B. Detection risk
C. Inherent risk
D. Sampling risk


Answer

1‐4‐C: The risk of an error existing that could be material or
significant when combined with other errors encountered during
the audit, there being no related compensating controls, is the
inherent risk. Control risk is the risk that a material error exists
that will not be prevented or detected in a timely manner by the
system of internal controls. Detection risk is the risk of an IS
auditor using an inadequate test procedure that concludes that
material errors do not exist, when they do. Sampling risk is the
risk that incorrect assumptions are made about the characteristics
of a population from which a sample is taken.


Practice Question

Q: An IS auditor performing a review of an application's controls finds a
weakness in system software that could materially impact the application. The
IS auditor should:

A. disregard these control weaknesses since a system software review is
beyond the scope of this review.
B. conduct a detailed system software review and report the control
weaknesses.
C. include in the report a statement that the audit was limited to a review of
the application's controls.
D. review the system software controls as relevant and recommend a detailed
system software review.


Answer

1‐5‐D: The IS auditor is not expected to ignore control weaknesses
just because they are outside the scope of a current review.
Further, the conduct of a detailed systems software review may
hamper the audit's schedule and the IS auditor may not be
technically competent to do such a review at this time. If there are
control weaknesses that have been discovered by the IS auditor,
they should be disclosed. By issuing a disclaimer, this responsibility
would be waived. Hence, the appropriate option would be to review
the systems software as relevant to the review and recommend a
detailed systems software review for which additional resources
may be recommended.


Practice Question

Q: The PRIMARY use of generalized audit
software (GAS) is to:

A. test controls embedded in programs.
B. test unauthorized access to data.
C. extract data of relevance to the audit.
D. reduce the need for transaction vouching.


Answer

1‐6‐C: Generalized audit software facilitates direct access to and
interrogation of the data by the IS auditor. The most important advantage
of using GAS is that it helps in identifying data of interest to the IS auditor.
GAS does not test application software directly; it only
indirectly helps in testing controls embedded in programs by testing data.
GAS can identify unauthorized access to data only if that information is
stored in the audit log file, which may not always be
available. Hence, this is not one of the primary reasons for using GAS.
Vouching involves verification of documents. GAS could help in selecting
transactions for vouching, but using GAS does not reduce transaction vouching.


Practice Question

Q: Which of the following is MOST effective
for implementing a control self‐assessment
(CSA) within business units?

A. Informal peer reviews
B. Facilitated workshops
C. Process flow narratives
D. Data flow diagrams


Answer

1‐7‐B: Facilitated workshops work well within
business units. Process flow narratives and data
flow diagrams would not be as effective since they
would not necessarily identify and assess all
control issues. Informal peer reviews similarly
would be less effective for the same reason.


Practice Question

Q: The FIRST step in planning an audit is to:

A. define audit deliverables.
B. finalize the audit scope and audit objectives.
C. gain an understanding of the business‘
objectives.
D. develop the audit approach or audit strategy.


Answer

1‐8‐C: The first step in audit planning is to gain an
understanding of the business's mission, objectives and
purpose, which in turn identifies the relevant policies,
standards, guidelines, procedures, and organization
structure. All other choices are dependent upon having a
thorough understanding of the business's objectives and
purpose.


Practice Question

Q: The approach an IS auditor should
use to plan IS audit coverage should
be based on:
A. risk.
B. materiality.
C. professional skepticism.
D. sufficiency of audit evidence.


Answer

1‐9‐A: Standard S5, Planning, establishes
standards and provides guidance on planning an
audit. It requires a risk‐based approach.


Practice Question

Q: A company performs a daily backup of critical data
and software files, and stores the backup tapes at an
offsite location. The backup tapes are used to restore
the files in case of a disruption. This is a:

A. preventive control.
B. management control.
C. corrective control.
D. detective control.


Answer

1‐10‐C: A corrective control helps to correct or minimize the impact of
a problem. Backup tapes can be used for restoring the files in case of
damage to files, thereby reducing the impact of a disruption.
Preventive controls are those that prevent problems before they arise.
Backup tapes cannot be used to prevent damage to files and hence
cannot be classified as a preventive control. Management controls
modify processing systems to minimize a repeat occurrence of the
problem. Backup tapes do not modify processing systems and hence
do not fit the definition of a management control. Detective controls
help to detect and report problems as they occur. Backup tapes do
not aid in detecting errors.




THANK YOU
Wishing you all the best
