Introduction To Audit

What is Audit?

1. An audit is a process to assess and review an organization's internal policies, controls, and activities against a guideline, framework, or compliance requirement.

2. An audit can be used to assess the presence and effectiveness of IT controls and to ensure that those controls comply with stated policies.

3. Audits provide reasonable assurance that organizations are compliant with applicable regulations and other industry requirements.
Ethics in Auditing

1. Auditors agree to support the implementation of appropriate policies, standards, guidelines, and
procedures for information systems. They will also encourage compliance with this objective.

2. Auditors agree to perform their duties with objectivity, professional care, and due diligence in
accordance with professional standards implementing the use of best practices.

3. Auditors agree to serve the interests of stakeholders in an honest and lawful manner that reflects a
credible image upon their profession. The public expects and trusts auditors to conduct their work in an
ethical and honest manner.

4. Auditors promise to maintain privacy and confidentiality of information obtained during their audit
except for required disclosure to legal authorities. Information they obtain during the audit will not be
used for personal benefit.
5. Auditors agree to undertake only those activities in which they are professionally competent and will strive to improve their competency. Their effectiveness in auditing depends on how evidence is gathered, analyzed, and reported.

6. Auditors promise to disclose accurate results of all work and significant facts to the appropriate parties.

7. Auditors agree to support ongoing professional education to help stakeholders enhance their understanding of information systems security and control.

8. The failure of a CISA to comply with this code of professional ethics may result in an investigation with possible sanctions or disciplinary measures.
The IT audit's agenda may be summarized by the following questions:
▪ Integrity - Will the information provided by the system always be accurate, reliable, and timely?

▪ Confidentiality - Will the information in the systems be disclosed only to authorized users?

▪ Availability - Will the organization's computer systems be available for the business at all times when
required?
Classifying Basic Types of Audits

1. Internal Audits and Assessments
• This involves auditors within their own organization looking to discover evidence of what is occurring inside the organization (self-assessment).

2. External Audits
• In an external audit, a customer audits their vendor/supplier to verify the integrity of transactions, internal controls, compliance, or the entire relationship.
• A business audits its customer or supplier, or vice versa.
• The goal is to ensure the expected level of performance as mutually agreed upon in their contracts.

3. Independent Audits
• Independent audits are outside of the customer-supplier influence.
• Third-party independent auditors are relied on for licensing, certification, or product approval.
Types of Audits

1. Product audits check the attributes against the design specification (size, color, markings).

2. Process audits evaluate the process method to determine whether the activities or sequence of activities meet the published requirements.

3. System audits seek to evaluate the management of the system, including its configuration. The auditor is interested in the team members' activities, control environment, event monitoring, how customer needs are determined, who provides authorization, how changes are implemented, preventative maintenance, and so forth, including incident response capability.

4. Financial audits verify financial records, transactions, and account balances. This type of audit is used to check the integrity of financial records and accounting practices against well-known accounting standards.

5. Compliance audits verify implementation of and adherence to a standard or regulation. This could include ISO standards and all government regulations. A compliance audit usually includes tests for the presence of a working control.

6. Administrative audits verify that appropriate policies and procedures exist and have been implemented as intended. This type of audit usually tests for the presence of required documentation.

7. Surveillance audits verify that the auditee is continuing to follow the correct procedures. This type of audit is a routine checkup occurring between the certification and recertification audits.
What is Assessment?

1. An IT security assessment is a key activity that involves the management of risk, that is, an uncertainty that might lead to a loss.

2. "Assessment is an evaluation process against the security perimeters and controls in the organization with respect to the standard or compliance."
Assessment vs. Audit

1. Assessment is one part of an audit, because an audit provides assurance to the organization.

2. Audit findings might place blame on specific individuals or groups within an organization. Assessments, on the other hand, are non-attributive.

3. The consequences of failing an audit can create a sense of fear, whereas an assessment simply identifies gaps to improve security operations and achieve goals.
Importance and Requirement of Audit

1. An audit is required to protect an organization's IT assets, data, and reputation from cyber attackers, and to protect the organization from legal and compliance penalties.

2. An audit provides a report stating the observations and gaps in the security controls, design, application, or system, which can be patched or implemented to make the organization more robust against cyber attacks.

3. An audit can also provide the best budget solution for investing smartly in security after the assessment and the findings.
Differentiating Between Auditor and Auditee Roles

1. Auditor: The auditor is the competent person performing the audit.

2. Auditee: The organization and people being audited are collectively called the auditee.

3. Client: The client is the person or organization with the authority to request the audit.
Applying an Independence Test

1. When determining whether you are able to perform a fair audit, you should conduct an independence test.

2. Independent means that you are not related professionally, personally, or organizationally to the subject of the audit. You cannot be independent if the audit's outcome results in your financial gain or if you are involved in the auditee's decisions or the design of the subject being audited.
Understanding the Various Auditing Standards

The framework for the IS Auditing Standards provides multiple levels of guidance:

Standards
• Define mandatory requirements for IS auditing and reporting
• They inform:
- IS auditors of the minimum level of acceptable performance required to meet the professional responsibilities set out in the ISACA Code of Professional Ethics
- Management and other interested parties of the profession's expectations concerning the work of practitioners
- Holders of the Certified Information Systems Auditor™ (CISA®) designation of requirements

Guidelines
• Provide assistance on how to implement the standards

Procedures
• Provide examples for implementing the standards
Understanding the Various Auditing Standards

1. Committee of Sponsoring Organizations (COSO): an internal control framework that is the basis for standards used in global commerce. COSO is the parent for the standards used by governments around the world.

2. U.S. National Institute of Standards and Technology (NIST): provides a foundation of modern IS standards used worldwide. Combined with British Standards/ISO (BS/ISO), these provide a large body of useful guidance.

3. Information Systems Audit and Control Association (ISACA): its standards, guidelines, procedures and the Control Objectives for Information Technologies (COBIT) framework provide an IT-only view. The association uses portions of COSO standards blended with a handful of ISO IT standards.
ISACA IS Auditing Standards

▪ S1 Audit charter
▪ S2 Independence
▪ S3 Ethics and Standards
▪ S4 Competence
▪ S5 Planning
▪ S6 Performance of audit work
▪ S7 Reporting
▪ S8 Follow-up activities
▪ S9 Irregularities and illegal acts
▪ S10 IT Governance
▪ S11 Use of risk assessment in audit planning
▪ S12 Audit Materiality
▪ S13 Using the work of other Experts
▪ S14 Audit Evidence
▪ S15 IT Controls
▪ S16 Electronic Commerce
End

Any Questions?
Let's go to the next topic.