Unit 4

UNIT-4 – Information Security
Audit
Unit-4
Demand for IS audit, Auditor Role, Auditee Role,
Process of auditing information system, Preplanning
the audit, Audit process Perform audit, Hierarchy of
internal controls, gathering audit evidence,
conducting audit evidence, Reporting audit evidence,
Strategy planning for organizational control, Issues
register, Risk management tools, Distinct types of
risk tools, Planning Performance
Auditing
• Auditing is the accumulation and evaluation of
evidence about information to determine and report
on the degree of correspondence between the
information and established criteria.
• Auditing should be done by a competent,
independent person.
Information security audit
• An information security audit is an audit of the level
of information security in an organization. It is an independent
review and examination of system records, activities, and
related documents. These audits are intended to improve the
level of information security, avoid improper information
security designs, and optimize the efficiency of the security
safeguards and security processes.
IS AUDIT
• Security audits will help protect critical data, identify security loopholes,
create new security policies and track the effectiveness of security
strategies. Regular audits can help ensure employees stick to security
practices and can catch new vulnerabilities.
Demand for IS audit
• There is a demand for auditing in a free-market economy because the
agency relationship between an absentee owner and a manager produces a
natural conflict of interest due to the information asymmetry that exists
between the owner and manager.
Auditor Role
• An auditor's role in an information security audit is to assess
the security of an organization's computer systems and
networks, and to provide recommendations for
improvement. Their responsibilities include:
• Evaluating security controls: Reviewing and testing the

effectiveness of controls to prevent, detect, and correct
security breaches
• Assessing compliance: Ensuring that the organization

complies with application laws and regulations
Auditor Role contd..
• Assessing compliance: Ensuring that the organization complies with
application laws and regulations
• Analyzing systems: Reviewing system logs and observing control

activities
• Writing reports: Providing technical reports that analyze audit results, and
stakeholder reports that explain the process and recommendations
• Identifying weaknesses: Identifying potential conflicts in the system that

could cause glitches or difficulties
• Making recommendations: Providing suggestions for improvement to help

the system become compliant
Auditor Role contd..
• Staying up to date: Keeping current on open-source resources
and private intelligence resources
• Before conducting an audit, an auditor may meet with IT

management, review the IT organization chart, and research
the company's IT policies and procedures.
Auditee Role
• During an information security audit, the auditee's role is to:
• Cooperate: Allow the auditor to access all information and documentation
requested
• Provide accurate information: Ensure that all data provided is complete and
reliable
• Clarify doubts: Answer any questions or doubts the auditor may have
• Provide evidence: Support the implementation of internal control measures
• An information security audit is a detailed examination of an organization's

information systems. It assesses the effectiveness of security controls,
compliance with regulations, and adherence to internal policies
Audit Process
• Step 1: Preliminary audit assessment
• Step 2:Planning & preparation
• Step 3: Establishing audit objectives
• Step 4: Performing the review
• Step 5: Preparing the Audit Report
Step 1: Preliminary audit assessment
• The auditor is responsible for assessing the current technological
maturity level of a company during the first stage of the audit. This
stage is used to assess the current status of the company and helps
identify the required time, cost and scope of an audit. First, you
need to identify the minimum security requirements:
• Security policy and standards
• Organizational and Personal security
• Communication, Operation and Asset management
• Physical and environmental security
• Access control and Compliance
• IT systems development and maintenance
• IT security incident management
• Disaster recovery and business continuity management
• Risk management
Step2:Planning & preparation
• The auditor should plan a company's audit based on the

information found in the previous step. Planning an audit helps
the auditor obtain sufficient and appropriate evidence for
each company's specific circumstances. It helps predict audit
costs at a reasonable level, assign the proper manpower and
time line and avoid misunderstandings with clients.
• An auditor should be adequately educated about the company
and its critical business activities before conducting a data
center review. The objective of the data center is to align data
center activities with the goals of the business while
maintaining the security and integrity of critical information
and processes. To adequately determine whether the client's
goal is being achieved, the auditor should perform the
following before conducting the review:
Step2:Planning & preparation
contd..
• Meet with IT management to determine possible areas
of concern
• Review the current IT organization chart
• Review job descriptions of data center employees
• Research all operating systems, software applications,
and data center equipment operating within the data
center
• Review the company's IT policies and procedures
• Evaluate the company's IT budget and systems
planning documentation
• Review the data center's disaster recovery plan
Step 3: Establishing audit objectives
Auditors consider multiple factors that relate to data center procedures and
activities that potentially identify audit risks in the operating environment
and assess the controls in place that mitigate those risks.
Following is a list of objectives the auditor should review:
• Personnel procedures and responsibilities, including systems and
cross-functional training
• Change management processes are in place and followed by IT and
management personnel
• Appropriate backup procedures are in place to minimize downtime and
prevent the loss of important data
• The data center has adequate physical security controls to prevent
unauthorized access to the data center
• Adequate environmental controls are in place to ensure equipment is
protected from fire and flooding
Step 4: Performing the review
• The next step is collecting evidence to satisfy data center audit objectives.
This involves traveling to the data center location and observing processes
and within the data center. The following review procedures should be
conducted to satisfy the pre-determined audit objectives:
• Data centre personnel – All data center personnel should be authorized to
access the data center (key cards, login ID's, secure passwords, etc.).
Datacenter employees are adequately educated about data center equipment
and properly perform their jobs. Vendor service personnel are supervised
when doing work on data center equipment. The auditor should observe
and interview data center employees to satisfy their objectives.
contd…
• Equipment – The auditor should verify that all data center equipment is
working properly and effectively. Equipment utilization reports, equipment
inspection for damage and functionality, system downtime records and
equipment performance measurements all help the auditor determine the
state of data center equipment. Additionally, the auditor should interview
employees to determine if preventative maintenance policies are in place
and performed.
• Policies and Procedures – All data center policies and procedures should be
documented and located at the data center. Important documented
procedures include data center personnel job responsibilities, back up
policies, security policies, employee termination policies, system operating
procedures and an overview of operating systems.
contd…
• Physical security / environmental controls – The auditor should assess the
security of the client's data center. Physical security includes bodyguards,
locked cages, man traps, single entrances, bolted-down equipment, and
computer monitoring systems. Additionally, environmental controls should
be in place to ensure the security of data center equipment. These include
Air conditioning units, raised floors, humidifiers and an uninterruptible
power supply.
• Backup procedures – The auditor should verify that the client has backup
procedures in place in the case of system failure. Clients may maintain a
backup data center at a separate location that allows them to
instantaneously continue operations in the instance of system failure
Step 5: Preparing the Audit Report
• After the audit examination is completed, the audit findings and

suggestions for corrective actions can be communicated to responsible
stakeholders in a formal meeting. This ensures better understanding and
support of the audit recommendations. It also gives the audited
organization an opportunity to express its views on the issues raised.
• Writing a report after such a meeting and describing where agreements
have been reached on all audit issues can greatly enhance audit
effectiveness. Exit conferences also help finalize recommendations that are
practical and feasible.
Step 6: Issuing the review report
The data center review report should summarize the auditor's findings and be
similar in format to a standard review report. The review report should be
dated as of the completion of the auditor's inquiry and procedures. It should
state what the review entailed and explain that a review provides only
"limited assurance" to third parties.
• Typically, a data center review report consolidates the entirety of the audit.
It also offers recommendations surrounding proper implementation of
physical safeguards and advises the client on appropriate roles and
responsibilities of its personnel. Its contents may include:
• The auditors’ procedures and findings
• The auditors’ recommendations
• Objective, scope, and methodologies
• Overview/conclusions
• The report may optionally include rankings of the security vulnerabilities
identified throughout the performance of the audit and the urgency of the
tasks necessary to address them. Rankings like “high”, “low”, and
“medium” can be used to describe the imperativeness of the tasks
1.Preplanning the audit
• Planning Individual Audits
• The auditing process is based on a series of generally accepted auditing
procedures. An audit is simply a systematic review of historical data.
• It involves defining a realistic objective, capturing applicable evidence
(sampling plan), testing the evidence (verification), comparing test results
to audit criteria (evaluation), and generating a report of findings (audit
results).
• The person responsible for managing the audit program will appoint a team
leader for each specific audit.
• Audit Scope Think of the audit scope as boundaries described by
processes to be reviewed, within specific physical locations of the
organization.
• Keep it simple by describing location, units to measure, specific activities,
and a particular process with an applicable time period measured in days,
weeks, or months.
Preplanning the audit contd…
• Audit Criteria Identify a set of policies the client wants to be measured

against. Then specify the procedures or requirements to compare against
the evidence collected.
• Audit Team It’s unusual for the audit to be done by only one person. In
ISO certification audits, the new standard is to include a surveillance
auditor as a witness for oversight during the engagement. Auditors conduct
the audit with support of technical experts as needed.
Types of Audit:
• Depending on the objectives, the audit can be performed by internal staff,
vendors, or external third parties.
• Here are some possibilities: Internal Audits (or First‐Party Audits) These
represent a self‐declaration of conformity. A moderate level of
independence may be demonstrated by the auditor having no responsibility
in the activity being audited.
• This would be someone with no operational responsibility auditing in a
different area unrelated to their own job. External Audits (or
Second‐Party Audits) Customers, vendors, or someone with interest in the
activity being audited will conduct the audit
• Independent External Audits (or Third‐Party Audits) This is the highest
level of trust because the auditors are not related to the organization being
audited. The conclusions for this audit can be used for licensing or industry
certification.
• Integrated Audit (or Combined Audit) This occurs when two or more
functions are being audited at the same time for the sake of efficiency. Joint
Audit In a joint audit, two or more auditor organizations cooperate to audit
a single auditee.
• There are 10 audit stages to be aware of when performing an
audit. CISAs need to be aware of their duties in each of these
stages:
■ Approving the audit charter or engagement letter
■ Preplanning the audit
■ Performing a risk assessment
■ Determining whether an audit is possible
■ Performing the actual audit
■ Gathering evidence
■ Performing audit tests Analyzing the results
■ Reporting the results
■ Conducting any follow-up activities
Overview of the audit process
• Preplanning Specific Audits The audit charter allows the delegation of an
audit to an external organization via an engagement letter.
• The engagement letter helps define the relationship to an independent
auditor for individual assignments.
• The letter records the understanding between the audit committee and the
independent auditors.
• The primary difference between an engagement letter and an audit charter
is that an engagement letter addresses the independence of the auditor.
Engagement letters should include the following:
• ■ All points outlined in the audit charter
• ■ Independence of the auditors (responsibility)
• ■ Evidence of an agreement to the terms and conditions (authority)
• ■ Agreed‐upon scope with completion dates (accountability)
Steps:
• Audit charter
• Preplanning 2
• Risk assessment
• Is audit possible?
• Gather evidence
• Audit tests
• Analyze results
• Report findings Perform audit
• Is audit possible?
• Conduct follow-up
• An excellent method for determining the scope is to start a

discussion asking questions about six key areas.
• Management What are the business rules and objectives?
Has management formally adopted a standard to be
followed? Does management require their systems to be
certified? Does executive management provide accreditation
of the complete hardware/software system before it enters
production?
2. Audit process Perform audit
• An excellent method for determining the scope is
to start a discussion asking questions about six key
areas.
• Management What are the business rules and
objectives? Has management formally adopted a
standard to be followed? Does management
require their systems to be certified? Does
executive management provide accreditation of the
complete hardware/software system before it
enters production?
Audit process Perform audit
• Data What data is involved? Is this customer data, engineering data, fi
nancial data? Are there any regulations governing data restrictions,
acceptable or unacceptable use?
• Intended Usage in Their Workflow How is this data used? What is it for?
Possibly a manual operation? Is it part of a software application? Ask for
their workfl ow diagram.
• Technology Platform Is this data controlled in a computer program? In a
file cabinet? Transmitted wirelessly on cell phones? Will you have an
impressive multimedia presentation leveraging advantages of Apple Macs?
Is Oracle Financials the platform? Is the telephone service using Voice over
Internet Protocol (VoIP)? Does the user require their LCD display in a pair
of sunglasses? Is the goal to reduce end‐user support? Will you be
switching from Microsoft to Unix servers for cost savings in user
licensing?
Audit process Perform audit contd…
• Facilities Where does the work get done? Are the main systems located here or
somewhere else? How much space is required to accommodate the staff? Where are
the customers located? Where are the subcontractors located for the work that is
outsourced? How many facilities are involved? Do we need special security clearance
to gain access? Is normal HIPAA drug screen testing required for persons with
privileged access, including auditors? Normally HIPAA drug screening is required.
• People Involved Who are the people we will work with on the client side? Who are
the people on the auditee side? Using the skills matrix for reference, who is available
to be on the audit team? Do we have the appropriate technical experts available? Who
are the observers and auditors in training on this project? Do any of the participants
have a travel conflict or schedule restriction?
• The next audit objective is to plan the specific audit project necessary to address the
audit objectives. Analysis of your audit planning method should occur at least
annually to incorporate the constant stream of new developments in both the industry
and the auditing field.
Audit process Perform audit contd…
Understanding the Variety of Audits
• Each audit is actually an individual project linked to an ongoing audit
program. As the IS auditor, you may be asked to perform a variety of
audits, including the following:
• Product or Service Efficiency, effectiveness, controls, and life‐cycle costs
Processes Methods or results System Design or configuration General
Controls Preventive, detective, and corrective Organizational Plans Present
and future objectives To be successful, you should engage your team in a
fact‐finding mission.
• Always take into consideration which business requirements are unique to
the auditee or common to their industry.
• Each business has its own opportunities, challenges, and constraints.
3. Hierarchy of internal controls
• Every auditor should consider two fundamental issues concerning internal
control:
• Issue 1: Management is often exempt from controls. Management has the
responsibility of installing controls for the organization, yet some of the
executives are exempt from their own controls., where multiple executives
fraudulently altered records.
• One of the fundamental purposes of an audit is to determine whether
executives are providing an honest and truthful representation based in fact.
Hierarchy of internal controls contd..
• Issue 2: How controls are implemented determines the level of assurance.
Implementing strong controls contributes to the level of assurance, which
may be confirmed by the auditor.
• Strong assurance means it represents a 95 percent or greater degree of truth.
Unsatisfactory implementation of controls compromises the overall
objectives.
• No auditor can provide a satisfactory report if the controls are improperly
implemented or insufficient for their objective.
• ISACA based these standards on common auditing guidelines for fi nancial
audits as well as government guidelines for auditing in computer
environments.
• Information systems controls are composed of four high‐level controls:
general controls, pervasive IS controls, detailed IS controls, and
application controls. This clarification is required because portions of the
financial audit techniques may not be appropriate for some IS audits.
Computer environments can be rather complex and abstract. The controls
are summarized here:
• General Controls (Overall) This is the parent class of controls governing
all areas of the business. Examples of general controls include creating
accurate job descriptions and separating duties to prevent employees from
writing their own paychecks.
• We expect management to implement administrative controls to govern the
behavior of their entire enterprise. General controls also include defining an
organizational structure, establishing HR policies, monitoring workers and
the work environment, as well as budgeting, auditing, and reporting
• Pervasive Controls (Follows Technology) A pervasive order or pervasive
control defines the direction and behavior required for technology to
function properly. The concept of a pervasive control is to permeate the
area by using a greater depth of control integration over a wide area of infl
uence.
• Internal controls are used to regulate how the business operates in every
area of every department. The IS function uses pervasive controls in the
same manner as a manufacturing operation, bank, or government office.
Pervasive controls are a subset of general controls, with extra definition
focused on managing and monitoring a specific technology.
• For example, pervasive IS controls govern the operation of the information
systems no matter what, even if the topic is about using your BlackBerry,
iPhone, or laptop for business. Anyone using these electronic aids or other
IT aids will have duties to follow, including acceptable use, backups, data
sync, and security issues
• Pervasive IS controls are used across all internal departments and external
contractors. Proper implementation of pervasive IS controls improves the
reliability of the following:
• ■ Overall service delivery
• ■ Secure software development
• ■ System security plan as implemented on each device
• ■ Security administration and detection capability
• ■ Disaster recovery
• ■ Business revenue continuity
• Detailed Controls (Tasks) Specific procedures require additional detailed
controls to ensure that workers perform the job correctly. Detailed controls
refer to specific steps or tasks to be performed. I
• In the finance department, a specific set of controls is practiced when
creating a trial balance report.
• Detailed IS controls work in the same manner to specify how system
security parameters are set, how input data is verified before being accepted
into an application, or how to lock a user account after unsuccessful logon
attempts.
• Application Controls (Embedded in Programs) This is the
lowest subset in the control family. All activity should have
filtered through the general controls, and then the pervasive
controls and detailed controls, before it reaches the
application‐controls level.
• The higher‐level controls help protect the integrity of the
application and its data. Leaving an application exposed
without the higher‐level controls makes as much sense as
leaving a child defenseless in the woods to fend for herself.
Just like children, the application needs to be sheltered and
protected from harm.
• Management is responsible for having applications tested
prior to production through a recognized test method.
4. Gathering audit evidence
• Every good auditor understands the necessity of collecting tangible and
reliable evidence. Although you may really like or admire the people who
are the subject of the audit, your final auditor’s report must be based on
credible factual
• Consider for a moment something not related to IS auditing: police
investigations or famous television courtroom dramas. Every good
detective story is based on careful observation and common sense. A
successful detective searches for clues in several places. Witnesses are
interviewed to collect their versions of the story.
• Homes and offices are tirelessly searched for the minutest shred of relevant
evidence. Detectives constantly ask whether the suspected individual had
the motive, opportunity, and means to carry out the crime. The trail of clues
is sorted in an attempt to determine which clues represent the greatest value
and best tell the story.
Gathering audit evidence contd..
• Material clues are the most sought after. From time to time, the clues are
reviewed, and the witnesses re‐interviewed.
• The detective orders a stakeout to monitor suspects. Ultimately, the
suspects and clues of evidence are brought together in one place for the
purpose of a technical reenactment. Under a watchful eye, the materially
relevant portions of the crime are re‐created in an attempt to unmask the
perpetrator.
• In the movies, the detective is fabulously successful, and the criminal is
brought to justice. Unfortunately, IS auditing is not so dramatic or thrilling
to watch.
• A CISA candidate needs to possess a thorough understanding of evidence,
because IS auditing is centered on properly collecting and reviewing
evidence. Let’s start with a short discussion on the characteristics of good
evidence. evidence that will support your statements.
1. Using Evidence to Prove a Point
2. Understanding Types of Evidence
3. Selecting Audit Samples
4. Recognizing Typical Evidence for IS Audits Using
Computer‐Assisted Audit Tools Understanding Electronic Discovery
5. Grading of Evidence
6. Timing of Evidence
7. Following the Evidence Life Cycle
1.Using Evidence to Prove a Point
• There are two primary types of evidence, according to legal
definition: Direct Evidence This proves existence of a fact without
inference or presumption. Inference is when you draw a logical and
reasonable proposition from another that is supposed to be true.
Direct evidence includes the unaltered testimony of an eyewitness
and written documents.
• Indirect Evidence Indirect evidence uses a hypothesis without
direct evidence to make a claim that consists of both inference and
presumption. Indirect evidence is based on a chain of
circumstances leading to a claim, with the intent to prove the
existence or nonexistence of certain facts. Indirect evidence is also
known as circumstantial evidence.
3.Selecting Audit Samples
• Audit samples are selected for the purpose of collecting representative
evidence to be subjected to either compliance testing or substantive testing
• You should consider a selection technique that will provide the most
relevant evidence supported by appropriate analytical procedures. You can
design two basic types of audit to fulfill your requirements:
• statistical and non statistical.
• Statistical Sampling Statistical sampling uses mathematical techniques that
result in an outcome that is mathematically quantifiable.
• Statistical samples are usually presented as a percentage. The purpose of
statistical sampling is to gain an objective representation.
• Samples are selected by an objective mathematical process. You should be
aware that if the client has strong internal controls, the sample sizes may be
smaller because the odds of fraud or failure will be lower.
• Examples of statistical sampling include the following:
• Random Sampling Samples are selected at random.
• Cell Sampling Random selection is performed at predefi ned intervals.
• Fixed Interval Sampling The sample existing at every n + interval
increment is selected for testing.
• Nonstatistical Sampling Nonstatistical sampling is based on your judgment
(also referred to as judgmental sampling).
• You determine the sample size, the method of generating the sample, and
the number of items to be analyzed.
• The results of judgmental sampling are unlikely to represent the actual
population.
• This is a subjective process usually based on elements of risk or
materiality. An example of nonstatistical sampling is haphazard sampling,
in which the samples are randomly drawn for testing.
• 3.Recognizing Typical Evidence for IS Audits
• You will attempt to gather audit evidence by using techniques similar to
those used by a detective. Some of the data you gather will be of high
value, and other data may be of low value. You will need to continually
assess the quality and quantity of evidence. You may discover evidence
through your own observations, by reviewing internal documentation, by
using CAAT, or by reviewing correspondence and minutes of meetings.
• Examples of the various types of audit evidence include the
following:
• ■ Documentary evidence, which can include a business
record of transactions, receipts, invoices, and logs
• ■ Data extraction, which uses automated tools to mine
details from data files
• ■ Auditee claims, which are representations made in oral or
written statements
• ■ Analysis of plans, policies, procedures, and flowcharts
• ■ Results of compliance and substantive audit tests
• ■ Auditor’s observations of auditee work or re‐performance
of the selected process
• Using Computer‐Assisted Audit Tools Computer‐assisted audit tools
(CAATs) are invaluable for compiling evidence during IS audits. The
auditor will find several advantages of using CAATs in the analytical audit
procedure.
• These tools are capable of executing a variety of automated compliance
tests and substantive tests that would be nearly impossible to perform
manually. These specialized tools may include multifunction audit utilities,
which can analyze logs, perform vulnerability tests, or verify specific
implementation of compliance in a system configuration compared to
intended controls.
• Understanding CAAT Techniques and Limitations CAAT includes the
following types of software tools and techniques:
• ■ Host evaluation tools to read the system configuration settings and
evaluate the host for known vulnerabilities
• ■ Network traffic and protocol analysis using a sniffer
• ■ Mapping and tracing tools that use a tracer‐bullet approach to follow
processes through a software application using test data
• ■ Testing the configuration of specific application software such as a SQL
database
• ■ Software license counting across the network
• ■ Testing for password compliance on user login accounts and special
scripts to check for insecurely stored unencrypted program to program
passwords Many CAATs have a built‐in report writer that can generate
more than one type of predefined report of findings on your behalf.
• Some of the concerns for or against using CAAT include the following:
■ Auditor’s level of computer knowledge and experience
■ Level of risk and complexity of the audit environment
■ Cost and time constraints
■ Specialized training requirements
■ Speed, efficiency, and accuracy over manual operations
■ Need for continuous online auditing
■ Security of the data extracted by CAAT
• Using CAAT for Continuous Online Audit The new audit tools offer the
advantage of providing continuous online auditing. You should be aware of
the six types of continuous online auditing techniques:
• Online event monitors include automated tools designed to read and

correlate system logs or transaction logs on your behalf. This type of event
monitoring tool will usually generate automated reports with alarms for
particular events. A few examples include software that reads event logs,
intrusion detection systems, virus scanners, and software that detects confi
guration changes, such as the commercial product Tripwire. (Low
complexity.)
• Embedded Program Audit Hooks
• Software developers can write embedded application hooks into their
program to generate red‐flag alerts to auditors, ideally before the problem
gets out of hand. This method will fl ag selected transactions to be
examined. (Low complexity.)
• Continuous and Intermittent Simulation (CIS) Audit
• In continuous and intermittent simulation, the application software always
tests for transactions that meet certain criteria. When the criteria are met,
the software runs an audit of the transaction (intermittent test). Then the
computer waits until the next transaction meeting those criteria occurs. This
provides for a continuous audit as selected transactions occur. (Medium
complexity.)
• Snapshot Audit
• This technique uses a series of sequential data captures that are referred to
as snapshots. The snapshots are taken in a logical sequence that a
transaction will follow. The snapshots produce an audit trail, which you can
then review. (Medium complexity.)
• Embedded Audit Module (EAM) This integrated audit testing module
allows you to create a set of dummy transactions that will be processed
along with live, genuinetransactions. You then compare the output data
against your own calculations. This allows substantive integrity testing
without disrupting the normal processing schedule. EAM is also known as
integrated test facility. (High complexity.)
• System Control Audit Review File with Embedded Audit
Modules(SCARF/EAM) The theory is straightforward. A system‐level
audit program is installed on the system to selectively monitor the
embedded audit modules inside the application software. Few systems of
this nature are in use. The idea is popular with auditors; however, a
programmer must write the modules. (High complexity.)
4.Grading of Evidence
All evidence is graded according to four criteria. This grading aids you in
assessing the evidence value.
• It is important to obtain the best possible evidence. The four characteristics
are as follows: Material Relevance Evidence with material relevance
influences the decision because of a logical relationship with the issues.
Materially relevant evidence indicates a fact that will help determine that a
particular action was more or less probable. T
• he purpose of material evidence is to ascertain whether the same conclusion
would have been reached without considering that item of evidence.
Evidence is irrelevant if it is not related to the issue and has no logical
tendency to prove the issue under investigation
• Evidence Objectivity
• Evidence objectivity refers to its ability to be accepted and understood with
very little judgment required. The more judgment required, the less
objective the evidence. As you increase the amount of judgment necessary
to support your claims, the evidence quickly becomes subjective or
circumstantial, which is the opposite of objective. Objective evidence is in
a state of unbiased reality during examination, without influence by another
source
• Competency of the Evidence Provider Evidence supplied by a person with
direct involvement is preferred. The source of this person’s knowledge will
affect the evidence value and accuracy. A secondhand story still holds
value by providing information that may lead to the evidence you are
seeking.
• Evidence Objectivity
• Evidence objectivity refers to its ability to be accepted and understood with
very little judgment required. The more judgment required, the less
objective the evidence. As you increase the amount of judgment necessary
to support your claims, the evidence quickly becomes subjective or
circumstantial, which is the opposite of objective. Objective evidence is in
a state of unbiased reality during examination, without influence by another
source
• Competency of the Evidence Provider Evidence supplied by a person with
direct involvement is preferred. The source of this person’s knowledge will
affect the evidence value and accuracy. A secondhand story still holds
value by providing information that may lead to the evidence you are
seeking.
• Evidence Independence
• Evidence independence is similar to auditor independence, meaning the
provider should not have any gain or loss by providing the evidence.
Evidence supplied by a person with a bias is often questionable.
6.Timing of Evidence
• An additional factor to consider in regard to evidence is timing. Evidence
timing indicates whether evidence is received when it is requested or
several hours or days later.
• In electronic systems, the timing has a secondary meaning: Electronic
evidence may be available only during a limited window of time before it is
overwritten or the software changes to a new version
7.Following the Evidence Life Cycle

• The evidence will pass through seven life‐cycle phases that are necessary
in every audit.
• Every IS auditor must remain aware of the legal demands that are always
present with regard to evidence handling. Failure to maintain a proper chain
of custody may disqualify the evidence.
• Evidence handling is just as important for SOX compliance as it would be
for suspected criminal activity. Evidence handling is crucial for compliance
to most industry regulations.
• Identification You must identify items that may be objective evidence
lending support to the purpose of the audit. Thoroughly document the
characteristics of the evidence location or surroundings before proceeding
to the collection stage.
• All evidence should be labeled, dated, and notated with a short description
about its purpose or discovery. From this point forward, you should log the
evidence movements into a tracking record. Your client will not be happy if
evidence is misplaced.
• Initial Preservation Storage
• A major problem with evidence is the challenge of preserving it in its
original state. The preservation and storage process is a vital component in
the chain of custody. The custodian of the evidence must be able to prove
that the evidence has been protected and no alteration has occurred. The
slightest change will transform the evidence without changing its identity.
Electronic evidence requires special handling procedures to overcome
future claims that the evidence has been altered (evidence tampering).
• Analysis In this phase, the evidence samples are examined by observation,

scientifi c test, and qualitative and quantitative measurement. The entire
process and results should be well documented. Individual tests may need
to be rerun if errors are discovered with the test procedure, sample, or
personnel executing the test.
• Postanalysis Preservation Storage
• After testing, the evidence and samples must be returned to preservation
and secure storage. The evidence will continue to stay in storage except
during presentation or retesting. Be aware that proper handling is
paramount for success in legal proceedings. Evidence used in legal trials
may be retrieved and returned multiple times for use in court presentations
prior to fi nal release for return to the owner. The US legal process allows
for trials in at least three separate courts as the case progresses through to fi
nal appeal.
• Presentation
• The evidence and findings are to be presented in support of the auditor’s
report. A variety of details may be included or omitted depending on the
nature of the report. Reports of system performance offer little detail when
compared to reports of criminal activity.
• Return to Owner
• The evidence is returned to the owner after the audit test results are
successfully evaluated, or after legal proceedings are officially concluded
by order of the final court.
• It is important to notice the distinction. In noncriminal activity, the
evidence is promptly returned when the audit is concluded.
• Evidence may be held in preservation storage for several years if situations
of suspected criminal activity exist.
Conducting Audit Evidence
1.Compliance Testing
2. Substantive Testing
3.Tolerable Error Rate
4.Recording Test Results
1. Compliance Testing
• Compliance testing tests for the presence or absence of something.
Compliance testing includes verifying that policies and procedures have
been put in place, and checking that user access rights, program change
control procedures, and system audit logs have been activated.
• An example of a compliance test is comparing the list of persons with
physical access to the datacenter against the HR list of current employees.
Compliance testing is based on one of Attribute Sampling Generally
popular in compliance testing, the objective of attribute sampling is to
determine whether an attribute is present or absent in the subject sample.
the following types of audit samples:
• The result is specified by the rate of occurrence—for example, the presence
of 1 in 100 units would be 1 percent.
• Stop‐and‐Go Sampling
• Used when few errors are expected, stop‐and‐go allows the test to occur
without excessive effort in sampling and provides the opportunity to stop
testing at the earliest possible opportunity. It is a simple form of testing to
reinforce any claim that errors are unlikely in the sample population
• Discovery Sampling This 100 percent sampling is used to detect fraud or
when the likelihood of evidence existing is low. Forensics is an excellent
example of discovery sampling. This is an attempt to discover evidence.
• Precision or Expected Error Rate The precision rate indicates the
acceptable margin of error between audit samples and the total quantity of
the subject population.
• This is usually expressed as a percentage, such as 5 percent. To obtain a
low error rate, it is necessary to use a large sample in testing. Auditors are
justified in using a smaller sample size when the total population is
expected to be error‐free.
• A larger sample is required when errors are expected to be present in the
population. The larger sample can yield a higher average.
• When you expect errors, examine more data to determine whether the
actual errors are within a tolerable error rate (maximum errors you would
accept). You can determine error levels by reviewing the findings of a prior
audit and by considering changes in the organization’s procedures.
• Use the risk‐based audit strategy to determine whether your samples and
tests are telling the truth about the auditee
2.Substantive Testing
Substantive testing seeks to verify the content and integrity of evidence.
Substantive tests may include complex calculations to verify account
balances, perform physical inventory counts, or execute sample
transactions to verify the accuracy of supporting documentation.
Substantive tests use audit samples selected by dollar value or to project
(forecast or estimate) a total for groups with related characteristics.
Substantive testing is based on one of the following types of audit samples:
• Variable Sampling
• Used to designate dollar values or weights (effectiveness) of an entire
subject population by prorating from a smaller sample. Consider the
challenge of counting large volumes of currency by its weight.
• Variable sampling could be used to count currency by multiplying the
physical weight of one unit by the total weight of the combined sample and
then multiplying by the face value printed on the bill or coin.
• A demonstration is a single $50 bill weighing 1.0 gram, with the entire
sample of $50 bills weighing 61 grams altogether. The combined sample
weight would indicate a total quantity of 61 bills for an estimated dollar
value of $3,050. This is a common technique for forecasting quantity and
value of inventory based on particular characteristics.
• Unstratified Mean Estimation Used in an attempt to project an estimated
total for the whole subject population.
• Stratified Mean Estimation Used to calculate an average by group, similar
to demographics, whereby the entire population is divided (stratifi ed) into
smaller groups based on similar characteristics. Examples are teenagers
from the ages of 13 to 19, people from the ages of 20 to 29, people from the
ages of 30 to 39, and those who are male or female, smokers or
nonsmokers, and so on.
• Difference Estimation Used to determine the difference between audited
and unaudited claims of value
4.Tolerable Error Rate
A tolerable error rate is used to indicate the maximum number of errors that
can exist without declaring a material misstatement.
■ For compliance tests, a tolerable error rate is the maximum deviation from a
procedure that as the auditor you are willing to accept. Hint: If you want to
remain an auditor, it had better be a very small deviation.
■ In substantive testing, auditors use their judgment concerning material
relevance and conclude whether the audit objective has been achieved.
The test procedure and results should indicate a truthful pass or fail. A
smart auditor will always lean toward the conservative side for safety in
their measurement. Regardless of the audit sample and test method used,
auditors are presumed to have a high degree of confidence when the audit
coefficient is 95 percent or higher.
The audit coefficient represents your level of confidence about the audit
results. It is also referred to as a reliability factor.
5. Recording Test Results
Each finding of evidence can be classified into one of these common
reporting statements, presented in order of most desirable to least desirable:
Noteworthy Achievement
The auditee has demonstrated that some aspect in the process or system is
being done very well.
The auditee’s efforts are very effective, and the auditor wants to bring
recognition where credit is due. The auditee has exceeded the requirements.
Conformity
The testing of evidence proves that the auditee is accomplishing their stated
objectives. Minimum requirements have been met
Opportunity
for Improvement A specific item found is not in violation but should be
targeted as an opportunity for improvement. For example, if the level of
work integration is low, fixing this issue could reduce waste or the amount
of manual effort required
• Concern The evidence and auditor’s observations indicate the possibility
for future problems that need to be understood by management. Examples
include overreliance, inefficiency, cascading problems, and the likelihood
of failure.
• Nonconformity Testing indicates that a violation exists that needs to be
corrected. The violation found may be of minor or major significance.
Nonconformities include system defects or missing control capabilities.
Reporting audit evidence
• Reporting is the process by which the auditor conveys to management their
findings, including the following:
■ Audit scope
■ Audit objectives
■ Methods and criteria us
■ Nature of findings
■ Extent of work performed
■ Applicable dates of coverage
In addition, your final report should state any restrictions, reservations, or
qualifications (concerns) that you have in relation to the audit. You may
provide a final opinion or no opinion based on these potential limitations. If
you offer an opinion, it may be qualified or unqualified:
A qualified opinion means there are restrictions on the nature or the content
of the findings.
An unqualified opinion has no restrictions on its use because the findings
have no reservations.
• Statement on Auditing Standards (SAS), the Committee of Sponsoring
Organizations of the Treadway Commission (COSO) internal controls
framework, and the IT Governance Institute (ISACA‐ITGI) publish several
points of information that should be included in the fi nal report. Consult
their publications for specifi c details. In summary, the recommendations
include the following:
■ A title that includes the word independent (for an external audit)
■ The applicable date of the report
■ Identification of the parties and subject matter
■ An executive summary
■ Any visual representations, charts, graphs, or diagrams
■ A statement of the standards followed during the audit
■
A statement of the procedures performed, and whether they were agreed to by
the specified parties
■ Any necessary disclaimers
■ A statement of additional procedures, if performed
■ A statement of restrictions on the use of the report
■ A statement of any auditor concerns, reservations, or qualifications to the
audit
■ Detailed findings and your opinion
■ Your signature and contact information Your signature attests that the audit
report and stated findings are true and correct. Attestation is the act of
providing your assurance via a signature that the contents of a document
are authentic and genuine.
• After producing the final report, you will need to meet with the auditee and
management to review the findings.
• The primary purpose of this meeting is not to change your findings but to
obtain acceptance and agreement by the auditee.
• This is the final quality‐control check before issuing your final report. You
want to ensure that the facts are correctly presented in your report. A final
copy of this report and of your working notes will need to be placed into
the audit archive for document retention

Unit 4

Uploaded by

Copyright:

Available Formats

Unit 4

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Unit 4

Uploaded by

Copyright:

Available Formats

UNIT-4 – Information Security

• Evaluating security controls: Reviewing and testing the

• Assessing compliance: Ensuring that the organization

• Analyzing systems: Reviewing system logs and observing control

• Identifying weaknesses: Identifying potential conflicts in the system that

• Making recommendations: Providing suggestions for improvement to help

• Before conducting an audit, an auditor may meet with IT

• An information security audit is a detailed examination of an organization's

• The auditor should plan a company's audit based on the

• After the audit examination is completed, the audit findings and

• Audit Criteria Identify a set of policies the client wants to be measured

• An excellent method for determining the scope is to start a

• Online event monitors include automated tools designed to read and

7.Following the Evidence Life Cycle

• Analysis In this phase, the evidence samples are examined by observation,

You might also like