2005 CISA

REVIEW COURSE
Chapter 1
The IS Audit Process
Presented By: Shiva Goundar & Blesson Samuel
1

February 2, 2015

!@

What is CISA?
The CISA program is designed to assess and certify
individuals in the IS audit, control and security
profession who demonstrate exceptional skill and
judgment.
Requirements:
Successfully complete the CISA Examination
Adhere to the Information Systems Audit and Control Associations
Code of Professional Ethics
Submit evidence of a minimum of five (5) years of professional IS
auditing, control or security work experience.

February 2, 20
15

!@

About the CISA Examination

Test Date: Saturday, June 11th, 2005
Consists of 200 multiple choice questions taken over a
four hour period
Exam questions cover 7 domains
Proportion of questions associated with each domain will vary as a
percentage according to the overall significance of the domain
within the examination

Passing grade is a weighted score of 75

(Range = 25 to 99),
3

February 2, 20
15

!@

CISA Exam Domains

Process-based Area:
The IS Audit Process (10% of examination)

Content Areas:

Management, Planning and Organization of IS

Technical Infrastructure and Operational Practices
Protection of Information Assets
Disaster Recovery and Business Continuity
Business Application System Development, Acquisition,
Implementation and Maintenance
Business Process Evaluation and Risk Management

February 2, 20
15

!@

Chapter 1 The IS Audit Process

February 2, 20
15

!@

What is the IS Audit Process?

The process of conducting IS audits in
accordance with generally accepted IS audit
standards and guidelines to ensure that the
organizations information technology and
business systems are adequately controlled,
monitored and assessed.

February 2, 20
15

!@

Tasks of the IS Audit Process

Develop and/or implement risk-based audit strategy and objectives
Plan specific audits to ensure IS audit strategy & objectives are
achieved
Obtain sufficient, relevant, reliable useful evidence
Analyze information to identify conditions and reach conclusions
Review work performed to verify objectives have been achieved
Communicate audit results to key managers and stakeholders
Facilitate and monitor the implementation of risk management and
control practices within organization

February 2, 20
15

!@

Audit Charter
Document clearly stating managements
overall responsibility and objectives for the
audit function (including IS audit)
Defines authorities, scope and responsibilities
of audit function
Should be approved by highest level of
management and audit committee
8

February 2, 20
15

!@

IS Audit Resource Management

IS Auditors are limited and technology is constantly
changing
Need to update existing skills and obtain training for
new audit techniques and technologies
Skills and knowledge should be taken into considering
when planning audits
Necessary resources should be provided for
specialized audits (software, network intrusion tests,
penetration testing)
9

February 2, 20
15

!@

Audit Planning Steps

Gain understanding of the business mission,
objectives, and purpose
Identify policies, standards, procedures, organizational
structure, etc.
Evaluate managements risk assessment and privacy
impact analysis
Perform risk analysis / Conduct internal control review
Set scope and objectives / Develop approach/strategy
Assign resources/address logistics
10

February 2, 20
15

!@

Understanding the Business

Tour key organizational facilities
Read background materials (industry
publications, annual reports, etc.)
Review long-term strategic plan
Interview key managers to understand
business issues
Review prior reports
11

February 2, 20
15

!@

Effect of Laws & Regulation

Each organization will need to comply with a
number of governmental and external
requirements, regardless of size or industry
Two areas of concern that impact audit
scope/objective:
Legal requirements placed on audit (IS audit)
Legal requirements placed on auditee and/or their
systems, data management, reporting, etc.
12

February 2, 20
15

!@

Steps to Determine Level of IT

Compliance to External Requirements
Identify governmental and other external
requirements for:

13

Electronic data, copyrights, e-commerce, etc.

Computer system practices and controls
Manner of storing computers, programs, and data
Organization or activities of information services

February 2, 20
15

!@

Steps to Determine Level of IT

Compliance to External Requirements
Document pertinent laws and regulations
Assess whether management have considered
requirements in making plans and setting
policies/standards/procedures
Review internal IS department/ function/activity
documents that address adherence
Determine adherence to these procedures
14

February 2, 20
15

!@

ISACA Code of Professional Ethics

Support the implementation of, and encourage compliance with, appropriate standards, procedures and
controls for information systems.
Perform their duties with objectivity, due diligence and professional care, in accordance with professional
standards and best practices.
Serve in the interest of stakeholders in a lawful and honest manner, while maintaining high standards of
conduct and character, and not engage in acts discreditable to the profession.
Maintain the privacy and confidentiality of information obtained in the course of their duties unless disclosure
is required by legal authority. Such information shall not be used for personal benefit or released to
inappropriate parties.
Maintain competency in their respective fields and agree to undertake only those activities, which they can
reasonably expect to complete with professional competence.
Inform appropriate parties of the results of work performed; revealing all significant facts known to them.
Support the professional education of stakeholders in enhancing their understanding of information systems
security and control.

15

February 2, 20
15

!@

IS Audit Standards
Audit Charter
Independence
Professional Ethics and Standards
Competence / Planning
Performance of Audit Work
Reporting / Follow-up Activities
16

February 2, 20
15

!@

IS Audit Guidelines & Procedures

Guidelines Provide information on how to
comply with IS Audit Standards:
Procedures Provide examples of steps an IS
auditor may follow to implement standards
(Guidelines and Procedures available at www.isaca.org/standards)

17

February 2, 20
15

!@

Elements of Risk in Information

Security
Threats to, and vulnerabilities of, processes
and/or assets
Impact on assets based on threats &
vulnerabilities
Probability of threats (Combination of likelihood
and frequency of occurrence.

18

February 2, 20
15

!@

Purposes of Risk Analysis

Identify risks and threats that would need to be
addressed by management. Assists IS auditors
in their own risk assessment
Assists auditor in determining audit objectives
Supports risk-based audit decision
(See Chapter 7 for detailed information)

19

February 2, 20
15

!@

Risk Mitigation
After risks are determined, controls should be
identified to mitigate risks
Countermeasures should be assessed using
cost-benefit analysis:
Cost of control compared to benefit of minimizing risk
Managements appetite for risk
Preferred risk reduction methods (terminate risk, reduce
probability, minimize impact, insurance)
20

February 2, 20
15

!@

Monitoring Risk Management

Identify changes to environment that would
require risk re-assessment, and related
changes to control environment:
Risk assessment
Risk mitigation
Risk evaluation

21

February 2, 20
15

!@

Internal Controls
Policies, procedures, practices, and
organizational structures put into place to
reduce risks
Provide reasonable assurance that business
objectives are met, and undesired risks are
prevented or detected and corrected
Controls address what should be achieved,
and what should be avoided
22

February 2, 20
15

!@

Control Classifications
Class
Preventative

Function
Detect problems before they arise
Monitor operation and inputs
Attempt to predict problems before they occur & make
adjustments
Prevent an error, omission or malicious act

Detective

Detect occurrence of an error, omission, or malicious act

Corrective

Minimize impact of threat

Remedy problems from detective controls
Identify cause of problem / Correct errors arising from problem
Modify processes to minimize future occurrence

23

February 2, 20
15

!@

IS Control Objectives
Safeguarding assets
Assuring integrity of general operating system environments,
network management, and operations
Assuring integrity of sensitive critical and sensitive application
system environments
Assuring efficiency and effectiveness of operations
Complying with user requirements & organizational P&P
Developing BCP and DRP
Developing incident response and handling plans

24

February 2, 20
15

!@

General Control Procedures

Internal Accounting Controls Focused on
accounting operations.
Operational Controls Focused on day-to-day
operations, functions, and activities
Administrative controls Support operational
controls associated with operating efficiency
and adherence to organizational policies
25

February 2, 20
15

!@

IS Control Procedures
Strategy & Direction / General Organization & Management
Access to Data and Programs
Systems Development and Change Control
Data Processing Operations / Data Processing QA
Systems Programming and Technical Support
Physical Access Controls
BCP/DRP
Networks & Communication
Database Administration

26

February 2, 20
15

!@

Performing an IS Audit
Definition of auditing
Systematic process by which a competent, independent
person objectively obtains and evaluates evidence
regarding assertions about an economic entity or event
for the purpose of forming an opinion about and
reporting on the degree to which the assertion conforms
to an identified set of standards.

27

February 2, 20
15

!@

Performing an IS Audit
Classification of audits:

28

Financial audits
Operational audits
Integrated audits
Administrative audits
Information systems audits
Specialized audits
e.g. SAS70
Forensic audits
February 2, 20
15

!@

Performing an IS Audit
General audit procedures

29

Understanding of the audit area/subject

Risk assessment and general audit plan
Detailed audit planning
Preliminary review of audit area/subject
Evaluating audit area/subject
Compliance testing
Substantive testing
Reporting(communicating results)
Follow-up

February 2, 20
15

!@

Performing an IS Audit
Audit methodology/strategy
Statement of scope
Statement of audit objectives
Statement of work program

Typical audit phases

30

February 2, 20
15

!@

Performing an IS Audit
Audit risk and materiality
A risk-based audit approach is used to assess risk and assist with
an IS auditors decision to perform either compliance or substantive
testing

31

February 2, 20
15

!@

Performing an IS Audit
Risk-based approach
Emphasis on knowledge of the business and technology
Focuses on assessing the effectiveness of a combination
of controls
Linkage between risk assessment and testing focusing on
control objectives.
Focuses on the business from a management perspective

32

February 2, 20
15

!@

Performing an IS Audit
Types of risk
Inherent risk
Control risk
Detection risk
Overall audit risk

33

February 2, 20
15

!@

Performing an IS Audit
Risk Assessment Techniques

34

Enables management to effectively allocate limited audit

resources
Ensures that relevant information has been obtained
Establishes a basis for effectively managing the audit
department
Provides a summary of how the individual audit subject is
related to the overall organization and to business plans

February 2, 20
15

!@

Performing an IS Audit

35

Control objectives vs. audit objectives

Relationship between substantive and

compliance tests

Correlation between the level of internal

controls and substantive testing required

February 2, 20
15

!@

Performing an IS Audit
Evidence It is a requirement that the
auditors conclusions must be based on
sufficient, competent evidence.

36

Independence of the provider of the evidence

Qualification of the individual providing the
information or evidence
Objectivity of the evidence
Timing of evidence

February 2, 20
15

!@

Performing an IS Audit
Techniques for gathering evidence:

37

Review IS organization structures

Review IS policies, procedures and standards
Review IS documentation
Interview appropriate personnel
Observe processes and employee performance.

February 2, 20
15

!@

Performing an IS Audit
Sampling
General approaches to audit sampling:
Statistical sampling
Non-statistical sampling

Methods of sampling used by auditors:

Attribute sampling
Variable sampling

38

February 2, 20
15

!@

Performing an IS Audit
Sampling (Continued)
Attribute sampling
Sample-size attribute sampling
Stop-or-go sampling
Discovery sampling

Variable sampling
Stratified mean per unit
Unstratified mean per unit
Difference estimation

39

February 2, 20
15

!@

Performing an IS Audit
Statistical sampling terms:

Confident coefficient
Level of risk
Precision
Expected error rate
Sample mean
Sample standard deviation
Tolerable error rate
Population standard deviation

Key steps in choosing a sample

40

February 2, 20
15

!@

Performing an IS Audit
Computer-assisted audit techniques
CAATs are a significant tool for IS auditors to gather

information independently

CAATs include:
Generalized audit software (ACL, IDEA, etc.)

41

Utility software
Test data
Application software for continuous online audits
Audit expert systems

February 2, 20
15

!@

Performing an IS Audit
Computer-assisted audit techniques
Need for CAATs
Evidence collection

Functional capabilities
Functions supported
Areas of concern

42

February 2, 20
15

!@

Performing an IS Audit
Computer-assisted audit techniques
Examples of CAATs used to collect evidence
Continuous online audit approach

43

February 2, 20
15

!@

Performing an IS Audit
Computer-assisted audit techniques
Development of CAATs
Documentation retention
Access to production data
Data manipulation

44

February 2, 20
15

!@

Performing an IS Audit
Evaluation of strengths and
weaknesses

45

Assess evidence
Evaluate overall control structure
Evaluate control procedures
Assess control strengths and weaknesses

February 2, 20
15

!@

Performing an IS Audit
Judging Materiality of Findings
Materiality is a key issue
Assessment requires judgment of the potential effect
of the finding if corrective action is not taken

46

February 2, 20
15

!@

Performing an IS Audit
Communicating audit results

Audit report structure and contents

Exit interview

Presentation techniques

47

Executive summary

Visual presentation

Oral presentation
February 2, 20
15

!@

Performing an IS Audit
Management actions to implement
recommendations
Auditing is an ongoing process
Timing of follow-up

Audit Documentation

48

February 2, 20
15

!@

Performing an IS Audit
Audit resource management

49

IS auditors are a limited resource

Appropriate skills and knowledge
Constraints on the conduct of the audit
Project management techniques

February 2, 20
15

!@

Control Self-Assessment
Methodology to review key business
objectives, associated risks, and controls to
manage those risks
Performed by management and/or work teams
IS auditors serve as control experts and
facilitators

50

February 2, 20
15

!@

Control Self-Assessment Tools

Management meetings
Client workshops
Worksheets
Rating Sheets
Questionnaires
CSA Project Approach
51

February 2, 20
15

!@

CSA Project Approach

Primary objective is leverage & enhance
internal audit by shifting responsibility of
monitoring controls to functional areas
Must educate management control design and
monitoring
Should determine measure of success for each
phase to determine value of CSA and its future
use
52

February 2, 20
15

!@

Traditional vs. CSA Approach

Traditional Historical

CSA

Assigns duties/ supervises staff

Empowered/accountable
employees

Policy/rule driven

Continuous improvement/ learning

curve

Limited employee participation

Extensive employee participation

and training

Narrow stakeholder focus

Broad stakeholder focus

Auditors and other specialists

Staff at all levels, in all functions,

are primary control analysts

Reporters

Reporters

53

February 2, 20
15

!@

IT Governance
Corporate Governance Ethical corporate behavior
by directors or others charged with governance in the
creation and presentation of wealth for all
stakeholders
IT Governance Structure of relationships and
processes to direct and control enterprise to achieve
its goals by adding value while balancing risk vs.
return over IT and its processes
(See Chapter 7 for detailed information)

54

February 2, 20
15

!@

Chapter 1: Glossary
Administrative controls
Attribute sampling
Audit risk
Compliance testing
CAATs
Control risk
Embedded audit modules
Materiality

55

February 2, 20
15

!@

Chapter 1: Recap

Group discussion

Questions

56

February 2, 20
15

!@

Chapter 1: questions
1.

An IS auditor, performing a review of an applications controls,

discovers a weakness in system software, which could
materially impact the application. The IS auditor should:
A.
B.
C.
D.

57

disregard these control weaknesses as a system software review is beyond the

scope of this review.
conduct a detailed system software review and report the control weaknesses.
include in the report a statement that the audit was limited to a review of the
applications controls.
review the system software controls as relevant and recommend a detailed
system software review.

February 2, 20
15

!@

Chapter 1: Questions
2. The reason for having controls in an IS environment:
A.
B.
C.
D.

58

remains unchanged from a manual environment, but the implemented control

features may be different.
changes from a manual environment, therefore the implemented control
features may be different.
changes from a manual environment, but the implemented control features will
be the same.
remains unchanged from a manual environment and the implemented control
features will also be the same

February 2, 20
15

!@

Chapter 1: Questions
3.

Which of the following types of risks assumes an absence of

compensating controls in the area being reviewed?
A.
B.
C.
D.

59

Control risk
Detection risk
Inherent risk
Sampling risk

February 2, 20
15

!@

Chapter 1: Questions
4.

An IS auditor is conducting substantive audit tests of a

new accounts receivable module. The IS auditor has a
tight schedule and limited computer expertise. Which
would be the BEST audit technique to use in this situation?
A. Test data
B. Parallel simulation
C. Integrated test facility
D. Embedded audit module

60

February 2, 20
15

!@

Chapter 1: Questions
5.

The PRIMARY purpose of compliance tests is to verify

whether:

A. controls are implemented as prescribed.

B. documentation is accurate and current.
C. access to users is provided as specified.
D. data validation procedures are provided

61

February 2, 20
15

!@

Chapter 1: Questions
6.

Which of the following BEST describes the early stages of

an IS audit?
A. Observing key organizational facilities.
B. Assessing the IS environment.
C. Understanding business process and environment applicable
to the review.
D. Reviewing prior IS audit reports.

62

February 2, 20
15

!@

Chapter 1: Questions
7.

63

The document used by the top management of

organizations to delegate authority to the IS audit
function is the:
A.

long-term audit plan.

B.

audit charter.

C.

audit planning methodology.

D.

steering committee minutes

February 2, 20
15

!@

Chapter 1: Questions
8.

Before reporting results of an audit to senior management,

an IS auditor should:
A. Confirm the findings with auditees.
B. Prepare an executive summary and send it to auditee management.
C. Define recommendations and present the findings to the audit
committee.
D. Obtain agreement from the auditee on findings and actions to be
taken.

64

February 2, 20
15

!@

Chapter 1: Questions
9.

While developing a risk-based audit program, which of the

following would the IS auditor MOST likely focus on?
A.
B.
C.
D.

65

Business processes
Critical IT applications
Corporate objectives
Business strategies

February 2, 20
15

!@

Chapter 1: Questions
10. Which of the following is a substantive audit test?
A. Verifying that a management check has been performed regularly
B. Observing that user IDs and passwords are required to sign on
the computer
C. Reviewing reports listing short shipments of goods received
D. Reviewing an aged trial balance of accounts receivable

66

February 2, 20
15

!@