
INTRODUCTION

Md. Mushfiqur Rahman, CISA, ITIL-F


CEH, MCP, MCTS, MCITP, MCSA, MCSE, SCSA, CCNA, OCP 9i/10g/11g

3/30/16

mushfique98@gmail.com

Domain - 1
The Process of Auditing Information Systems (14%)


Exam Relevance
Ensure that the CISA candidate
Provide audit services in accordance with IT audit standards to assist the organization in protecting and controlling information systems.
The content area in this chapter will represent approximately 14% of the CISA examination (approximately 28 questions).


Task & Knowledge Statements


Task and knowledge statements represent the basis from which exam items are written.
Tasks: Tasks are the learning objectives that IS auditors/CISA candidates are expected to know to perform their job duties. There are 5 task statements.
Knowledge statements: In order to perform all of the tasks, the IS auditor/CISA candidate should have a firm grasp of all the knowledge statements contained within the CISA Review Manual, Chapter 1. There are 10 knowledge statements.

Tasks/ Objectives
Audit Process Area, Tasks
5 Task Statements:

1.1 Develop and implement a risk-based IT audit strategy in compliance with IT audit standards to ensure that key areas are included.
1.2 Plan specific audits to determine whether information systems are protected, controlled and provide value to the organization.
1.3 Conduct audits in accordance with IS audit standards, guidelines and best practices to meet planned audit objectives.
1.4 Communicate emerging issues, potential risks, and audit results to key stakeholders.
1.5 Advise on the implementation of risk management and control practices within the organization, while maintaining independence.

Knowledge Statements
Process Area Knowledge Statements
Ten Knowledge Statements (contd.):
1.1 Knowledge of ISACA IT Audit and Assurance Standards, Guidelines and Tools and Techniques, Code of Professional Ethics and other applicable standards
1.2 Knowledge of risk assessment concepts, tools and techniques in an audit context
1.3 Knowledge of control objectives and controls related to information systems
1.4 Knowledge of audit planning and audit project management techniques, including follow-up
1.5 Knowledge of fundamental business processes (e.g., purchasing, payroll, accounts payable, accounts receivable) including relevant IT

Process Area Knowledge Statements

10 Knowledge Statements
1.6 Knowledge of applicable laws and regulations which affect the scope, evidence collection and preservation, and frequency of audits
1.7 Knowledge of evidence collection techniques (e.g., observation, inquiry, inspection, interview, data analysis) used to gather, protect and preserve audit evidence
1.8 Knowledge of different sampling methodologies
1.9 Knowledge of reporting and communication techniques (e.g., facilitation, negotiation, conflict resolution, audit report structure)
1.10 Knowledge of audit quality assurance systems and frameworks

1.2 Management of IS Audit Function

The audit function should be managed and led in a manner that ensures that the diverse tasks performed and achieved by the audit team will fulfill audit function objectives, while preserving audit independence and competence. Furthermore, managing the audit function should ensure value-added contributions to senior management regarding the efficient management of IT and achievement of business objectives.

1.2.1 Organization of IS Audit Function

Audit charter (or engagement letter)
Stating management's responsibility and objectives for, and delegation of authority to, the IS audit function
Outlining the overall authority, scope and responsibilities of the audit function
Approval of the audit charter
Change in the audit charter

1.2.3 Audit Planning (continued)

Audit planning
Short-term planning
Long-term planning
Things to consider
New control issues
Changing technologies
Changing business processes
Enhanced evaluation techniques
Individual audit planning
Understanding of overall environment
Business practices and functions
Information systems and technology

Audit Planning Steps


Gain an understanding of the business's mission, objectives, purpose and processes.
Identify stated contents (policies, standards, guidelines, procedures, and organization structure).
Evaluate risk assessment and privacy impact analysis.
Perform a risk analysis.
Conduct an internal control review.
Set the audit scope and audit objectives.
Develop the audit approach or audit strategy.
Assign personnel resources to audit and address engagement logistics.

1.2.4 Effect of Laws and Regulations (continued)

Regulatory requirements
Establishment
Organization
Responsibilities
Correlation to financial, operational and IT audit functions

1.2.4 Effect of Laws and Regulations


Steps to determine compliance with external requirements:
Identify external requirements
Document pertinent laws and regulations
Assess whether management and the IS function have considered the relevant external requirements
Review internal IS department documents that address adherence to applicable laws
Determine adherence to established procedures

1.3 ISACA IT Audit and Assurance Standards and Guidelines

As of 16 August 2010
Standards (16)
Guidelines 41 (G19 is cancelled)
Procedures (11) / Audit and Assurance Tools & Techniques

Policy, Standards, Guidelines & Procedure


Definition: Standards, Guidelines & Procedure


Standards define mandatory requirements for IT audit and assurance.
Guidelines provide guidance in applying IT Audit and Assurance Standards. The objective of the IT Audit and Assurance Guidelines is to provide further information on how to comply with the IT Audit and Assurance Standards.
Procedures / Tools and Techniques provide examples of procedures an IT audit and assurance professional might follow. The objective of the IT Audit and Assurance Tools and Techniques is to provide further information on how to comply with the IT Audit and Assurance Standards.

1.3.2 ISACA IT Audit and Assurance Standards Framework

IS Auditing Standards: 16
1. Audit charter
2. Independence
3. Professional Ethics and Standards
4. Competence
5. Planning
6. Performance of audit work
7. Reporting
8. Follow-up activities
9. Irregularities and illegal acts
10. IT governance
11. Use of risk assessment in audit planning
12. Audit Materiality
13. Using the Work of Other Experts
14. Audit Evidence
15. IT Controls
16. E-commerce

1.3.3 ISACA IT Audit and Assurance Guidelines (continued)


IS Auditing Guidelines: 41 (42 - 1 = 41, G19 is cancelled)
G1 Using the Work of Other Auditors
G2 Audit Evidence Requirement
G3 Use of Computer Assisted Audit Techniques (CAATs)
G4 Outsourcing of IS Activities to Other Organizations
G5 Audit Charter
G6 Materiality Concepts for Auditing Information Systems 1 September
G7 Due Professional Care
G8 Audit Documentation
G9 Audit Considerations for Irregularities and Illegal Acts
G10 Audit Sampling
G11 Effect of Pervasive IS Controls
G12 Organizational Relationship and Independence
G13 Use of Risk Assessment in Audit Planning
G14 Application Systems Review
G15 Audit Planning Revised

1.3.3 ISACA IT Audit and Assurance Guidelines (continued)

G16 Effect of Third Parties on an Organization's IT Controls
G17 Effect of Non-audit Role on the IT Audit and Assurance Professional's Independence
G18 IT Governance
G19 Irregularities and Illegal Acts 1 July 2002. Withdrawn 1 September 2008
G20 Reporting
G21 Enterprise Resource Planning (ERP) Systems Review
G22 Business-to-consumer (B2C) E-commerce Review
G23 System Development Life Cycle (SDLC) Reviews
G24 Internet Banking
G25 Review of Virtual Private Networks
G26 Business Process Reengineering (BPR) Project Reviews
G27 Mobile Computing
G28 Computer Forensics
G29 Post-implementation Review
G30 Competence

1.3.3 ISACA IT Audit and Assurance Guidelines

G31 Privacy
G32 Business Continuity Plan (BCP) Review From IT Perspective
G33 General Considerations on the Use of the Internet
G34 Responsibility, Authority and Accountability
G35 Follow-up Activities
G36 Biometric Controls
G37 Configuration Management Process
G38 Access Controls
G39 IT Organization
G40 Review of Security Management Practices
G41 Return on Security Investment (ROSI)
G42 Continuous Assurance

1.3.4 ISACA IT Audit and Assurance Tools and Techniques

IT Audit and Assurance Tools and Techniques: 11

P1 IS Risk Assessment
P2 Digital Signatures
P3 Intrusion Detection
P4 Viruses and other Malicious Code
P5 Control Risk Self-assessment
P6 Firewalls
P7 Irregularities and Illegal Acts
P8 Security Assessment - Penetration Testing and Vulnerability Analysis
P9 Evaluation of Management Controls Over Encryption Methodologies
P10 Business Application Change Control
P11 Electronic Funds Transfer (EFT)

IT Risk Assessment Quadrants


[Figure: 2x2 risk matrix. Vertical axis: Sensitivity Assessment Training. Horizontal axis: Vulnerability Assessment Rating.]

Quadrant I (High Risk). Suggested Action(s): Mitigate
Quadrant II (Medium Risk). Suggested Action(s): Accept, Mitigate, Transfer
Quadrant III (Medium Risk). Suggested Action(s): Accept, Mitigate, Transfer
Quadrant IV (Low Risk). Suggested Action(s): Accept

ISACA IS Auditing Standards and Guidelines

ISACA Auditing Procedures


Procedures developed by the ISACA Standards Board provide examples.
The IS auditor should apply their own professional judgment to the specific circumstances.

1.5 Internal Control (continued)

Internal Controls: Policies, procedures, practices and organizational structures implemented to reduce risks

Internal Control (continued)

Components of Internal Control System


Internal accounting controls
Operational controls
Administrative controls


Internal Control (continued)


Internal Control Objectives
Safeguarding of information technology assets
Compliance to corporate policies or legal requirements
Authorization/input
Accuracy and completeness of processing of transactions
Output
Reliability of process
Backup/recovery
Efficiency and economy of operations

Internal Control (continued)

Classification of Internal Controls

Preventive controls
Detective controls
Corrective controls


Internal Control (continued)

IS Control Objectives: Control objectives in an information systems environment remain unchanged from those of a manual environment. However, control features may be different. The internal control objectives thus need to be addressed in a manner specific to IS-related processes.

Internal Control (continued)


IS Control Objectives (contd)
Safeguarding assets
Assuring the integrity of general operating system environments
Assuring the integrity of sensitive and critical application system environments through:
Authorization of the input
Accuracy and completeness of processing of transactions
Reliability of overall information processing activities
Accuracy, completeness and security of the output
Database integrity

Internal Control (continued)


IS Control Objectives (contd)
Ensuring the efficiency and effectiveness of operations
Complying with requirements, policies and procedures, and applicable laws
Developing business continuity and disaster recovery plans
Developing an incident response plan

Internal Control (continued)


IS Control Objectives (contd)
COBIT: COBIT supports IT governance and management by providing a framework to ensure that IT is aligned with the business, IT enables the business and maximizes benefits, IT resources are used responsibly, and IT risks are managed appropriately.
A framework with 34 high-level control objectives
Planning and organization
Acquisition and implementation
Delivery and support
Monitoring and evaluation
Use of 36 major IT-related standards and regulations

Internal Control (continued)

General Control Procedures (continued)

Apply to all areas of an organization and include policies and practices established by management to provide reasonable assurance that specific objectives will be achieved.

Internal Control (continued)

General Control Procedures (continued)

Internal accounting controls directed at accounting operations
Operational controls concerned with the day-to-day operations
Administrative controls concerned with operational efficiency and adherence to management policies
Organizational logical security policies and procedures
Overall policies for the design and use of documents and records
Procedures and features to ensure authorized access to assets
Physical security policies for all data centers

Internal Control (continued)

IS Control Procedures

Strategy and direction
General organization and management
Access to data and programs
Systems development methodologies and change control
Data processing operations
Systems programming and technical support functions
Data processing quality assurance procedures
Physical access controls
Business continuity/disaster recovery planning
Networks and communications
Database administration

Definition of Auditing

Systematic process by which a competent, independent person objectively obtains and evaluates evidence regarding assertions about an economic entity or event for the purpose of forming an opinion about and reporting on the degree to which the assertion conforms to an identified set of standards.

Purpose of an Audit
An audit is simply a review of past history. The IS auditor is
expected to follow the defined audit process, establish audit
criteria, gather meaningful evidence, and render an independent
opinion about internal controls. The audit involves applying various
techniques for collecting meaningful evidence, and then
performing a comparison of the audit evidence against the
standard for reference.
Your key to success in auditing is to accurately report your
findings, whether good or bad or indifferent. A good auditor will
produce verifiable results. No one should ever come in behind you
with a different outcome of findings. Your job is to report what
the evidence indicates.


Classification of audits:
Internal audits and assessments: This involves auditing your own organization to discover evidence of what is occurring inside the organization (self-assessment). These have restrictions on their scope, and the findings should not be shared outside the organization. The findings cannot be used for licensing.
External audits: External audits involve your customer auditing you, or you auditing your supplier. The business audits its customer or supplier, or vice versa. The goal is to ensure the expected level of performance as mutually agreed upon in their contracts.
Independent audits: Independent audits are outside of the customer-supplier influence. Third-party independent audits are frequently relied on for licensing, certification, or product approval. A simple example is independent consumer reports.

Classification of audits:

Financial audits
Operational audits
Integrated audits
Administrative audits
Information systems audits
Specialized audits
Forensic audits


Audit Concept (continued...)


The IS auditor should understand the various types of audits that can be performed, internally or externally, and the audit procedures associated with each:
Financial audits: The purpose of a financial audit is to assess the correctness of an organization's financial statements. A financial audit will often involve detailed, substantive testing. This kind of audit relates to information integrity and reliability.
Operational audits: An operational audit is designed to evaluate the internal control structure in a given process or area. IS audits of application controls or logical security systems are examples of operational audits.
Integrated audits: An integrated audit combines financial and operational audit steps. It is also performed to assess the overall objectives within an organization, related to financial information and assets' safeguarding, efficiency and compliance. An integrated audit can be performed by external or internal auditors and would include compliance tests of internal controls and substantive audit steps.
Administrative audits: These are oriented to assess issues related to the efficiency of operational productivity within an organization.

Audit Concept
IS audits: This process collects and evaluates evidence to determine whether the information system and related resources adequately safeguard assets, maintain data and system integrity, provide relevant and reliable information, achieve organizational goals effectively, consume resources efficiently, and have in effect internal controls that provide reasonable assurance that business, operational and control objectives will be met and that undesired events will be prevented, or detected and corrected, in a timely manner.
In short: Any audit that encompasses review and evaluation (wholly or partly) of automated information processing systems, related non-automated processes and the interfaces between them.
Specialized audits: Within the category of IS audits, there are a number of specialized reviews that examine areas such as services performed by third parties and forensic auditing. Because businesses are becoming increasingly reliant on third-party service providers, it is important that internal control be evaluated in these environments.

Audit Concept

Forensic audits: Traditionally, forensic auditing has been defined as an audit specialized in discovering, disclosing and following up on frauds and crimes. The primary purpose of such a review is the development of evidence for review by law enforcement and judicial authorities. In recent years, the forensic professional has been called upon to participate in investigations related to corporate fraud and cybercrime. In cases where computer resources may have been misused, further investigation is necessary to gather evidence for possible criminal activity that can then be reported to appropriate authorities. A computer forensic investigation includes the analysis of electronic devices, such as computers, phones, personal digital assistants (PDAs), disks, switches, routers, hubs and other electronic equipment.

Auditor's Responsibility

As an auditor, you are expected to fulfill a fiduciary relationship. A fiduciary relationship is simply one in which you are acting for the benefit of another person and placing the responsibilities to be fair and honest ahead of your own interest. An auditor must never put the auditee's interests ahead of the truth. People inside and outside of the auditee organization will depend on your reports to make decisions.
The auditor is depended on to advise about the internal status of an organization. Audits are different from inspections or assessments because the individual performing the audit must be both objective and impartial. This is a tremendous responsibility.

Comparing Audits to Assessments
Audit: An audit generates a report considered to represent a high assurance of truth. Audits are used in asset reporting engagements.
Assessment: An assessment is less formal and frequently more cooperative with the people/objects under scrutiny. Its purpose is to see what exists and to assess value based on its relevance.
The assessment report is viewed to have lower value (moderate-to-low value) when compared to an audit.
The primary goal of an assessment is to help the user/staff work toward improving their score. However, the audit is the score that actually counts for regulatory compliance purposes.

Comparing Audits to Assessments
Auditor: The auditor is the competent person performing the audit.
Auditee: The organization and people being audited are collectively called the auditee.
Client: The client is the person or organization with the authority to request the audit. A client may be the audit committee, external customer, internal audit department, or regulatory group. If the client is internal to the auditee, that client assumes the auditee role.

Auditor's Independence
Independent means that you are not related professionally, personally, or organizationally to the subject of the audit. You cannot be independent if the audit's outcome results in your financial gain or if you are involved in the auditee's decisions or design of the subject being audited.
An Independence Test
Here is a simple self-assessment to help you determine your level of independence:

Are you auditing something you helped to develop?

Are you free of any conflicts, circumstances, or attitudes toward the auditee that might affect the audit outcome?

Is your personal life free of any relationships, off-duty behavior, or financial gain that could be perceived as affecting your judgment?

Do you have any organizational relationships with the auditee, including business deals, financial obligations, or pending legal actions?

Do you have a job conflict? Does the organizational structure require your position to work under the executive in charge of the area being audited?

Did you receive any gifts of value or special favors?

Audit Programs

Based on the scope and the objective of the particular assignment
IS auditor's perspectives
Security (confidentiality, integrity and availability)
Quality (effectiveness, efficiency)
Fiduciary (compliance, reliability)
Service and Capacity

General audit procedures

Understanding of the audit area/subject
Risk assessment and general audit plan
Detailed audit planning
Preliminary review of audit area/subject
Evaluating audit area/subject
Compliance testing
Substantive testing
Reporting (communicating results)
Follow-up

Procedures for testing & evaluating IS controls

Use of generalized audit software to survey the contents of data files
Use of specialized software to assess the contents of operating system parameter files
Flowcharting techniques for documenting automated applications and business process
Use of audit reports available in operation systems
Documentation review
Observation

Audit Methodology
A set of documented audit procedures designed
to achieve planned audit objectives
Composed of

Statement of scope
Statement of audit objectives
Statement of work programs
Set up and approved by the audit management
Communicated to all audit staff


Typical audit phases


1. Audit subject
Identify the area to be audited
2. Audit objective
Identify the purpose of the audit
3. Audit scope
Identify the specific systems, function or
unit of the organization

Typical audit phases (Contd)


4. Pre-audit planning
Identify technical skills and resources needed
Identify the sources of information for test or
review
Identify locations or facilities to be audited


Typical audit phases (Contd)


5. Audit procedures and steps for data
gathering
Identify and select the audit approach
Identify a list of individuals to interview
Identify and obtain departmental policies,
standards and guidelines
Develop audit tools and methodology


Typical audit phases (Contd)

6. Procedures for evaluating test/review result
7. Procedures for communication
8. Audit report preparation
Identify follow-up review procedures
Identify procedures to evaluate/test operational efficiency and effectiveness
Identify procedures to test controls
Review and evaluate the soundness of documents, policies and procedures.

Typical Audit Phases Summary


Identify
the area to be audited
the purpose of the audit
the specific systems, function or unit of the organization to be included in the review
technical skills and resources needed
the sources of information for tests or review such as functional flowcharts, policies, standards, procedures and prior audit work papers
locations or facilities to be audited
select the audit approach to verify and test the controls
list of individuals to interview
obtain departmental policies, standards and guidelines for review

Develop
audit tools and methodology to test and verify control
procedures for evaluating the test or review results
procedures for communication with management

Report
follow-up review procedures
procedures to evaluate/test operational efficiency and effectiveness
procedures to test controls

Review and evaluate the soundness of documents, policies and procedures

WorkPapers (WPs) (Contd)


What is documented in WPs?

Audit plans
Audit programs
Audit activities
Audit tests
Audit findings and incidents

WorkPapers
Do not have to be on paper
Must be
Dated
Initialed
Page-numbered
Relevant
Complete
Clear
Self-contained and properly labeled
Filed and kept in custody

Fraud Detection
Management's responsibility
Benefits of a well-designed internal control system
Deterring frauds at the first instance
Detecting frauds in a timely manner
Fraud detection and disclosure
Auditor's role in fraud prevention and detection

Audit Risk

Audit risk is the risk that the information/financial report may contain material error that may go undetected during the audit.
A risk-based audit approach is used to assess risk and assist with an IS auditor's decision to perform either compliance or substantive testing.

Audit Risks: Types

Inherent risk
Control risk
Detection risk

Sampling risks
Nonsampling risks

Overall audit risk


Business risks
Technological risks
Operational risks
Residual risks
Audit risks


Audit Risks: Types

Inherent risk: Inherent risk is the risk that an error exists in the absence of any compensating controls, an error which could become significant when combined.

Control risk: Control risk is the risk that a material error exists that will not be prevented or detected in a timely manner by the system of internal controls.

Detection risk: Detection risk is the risk that the use of improper testing procedures may not detect all material errors.

Sampling risks: These are the risks that an auditor will falsely accept or erroneously reject an audit sample (evidence).
Non-sampling risks: These are the risks that an auditor will fail to detect a condition because of not applying the appropriate procedure or using procedures inconsistent with the audit objective (detection fault).

Audit Risks: Types

Business risks: These are risks that are inherent in the business or industry itself. They may be regulatory, contractual, or financial.

Technological risks: These are inherent risks of using automated technology. Systems do fail.

Operational risks: These are the risks that a process or procedure will not perform correctly.

Residual risks: These are the risks that remain after all mitigation efforts are performed.

Overall audit risk: The combination of detection, control and inherent risks for a given audit assignment.

Risk-based Approach Overview

Gather Information and Plan
Obtain Understanding of Internal Control
Perform Compliance Tests
Perform Substantive Tests
Conclude the Audit

Materiality

An auditing concept regarding the importance of an item of information with regard to its impact or effect on the functioning of the entity being audited

Risk Assessment Techniques

Enables management to effectively allocate limited audit resources
Ensures that relevant information has been obtained
Establishes a basis for effectively managing the audit department
Provides a summary of how the individual audit subject is related to the overall organization and to business plans

Audit Objectives
The specific goals of the audit

Compliance with legal & regulatory requirements
Confidentiality
Integrity
Reliability
Availability

Compliance vs. Substantive Testing

Compliance test
Determines whether controls are in compliance with
management policies and procedures

Substantive test
Tests the integrity of actual processing

A procedure used during accounting audits to check for errors in balance sheets and other financial documentation. A substantive test might involve checking a random sample of transactions for errors, comparing account balances to find discrepancies, or analysis and review of procedures used to execute and record transactions.
Auditors gather evidence about these assertions by undertaking substantive procedures, which may include:

Compliance vs. Substantive Testing

physically examining inventory on balance date as evidence that inventory shown in the accounting records actually exists (validity assertion); AND
making inquiries of management about the collectibility of customers' accounts as evidence that trade debtors is accurate as to its valuation.

Thus, substantive procedures are performed by an auditor to detect whether there are any material misstatements in accounting transactions.

Compliance vs. Substantive Testing

Examples of substantive procedures are:

Bank confirmation
Accounts receivable confirmation
Inquire of management regarding the collectibility of customer accounts
Match customer orders to invoices billed
Match collected funds to invoices billed
Observe a physical inventory count
Confirm inventories not on-site
Match purchasing records to inventory on hand or sold
Confirm the calculations on an inventory valuation report
Observe fixed assets
Match purchase orders and supplier invoices to fixed asset records
Confirm accounts payable
Examine accounts payable supporting documents
Confirm debt
Analytical analysis of assets, liabilities, revenue, and expenses


Evidence
It is a requirement that the auditor's conclusions must be based on sufficient, competent evidence.

Independence of the provider of the evidence
Qualification of the individual providing the information or evidence
Objectivity of the evidence
Timing of evidence

Techniques for gathering evidence:

Review IS organization structures
Review IS policies and procedures
Review IS standards
Review IS documentation
Interview appropriate personnel
Observe processes and employee performance

Interviewing and Observing Personnel

Actual functions
Actual processes/procedures
Security awareness
Reporting relationships


Sampling (continued)

General approaches to audit sampling:

Statistical sampling: An objective method of determining the sample size and selection criteria. This assessment will be represented as a percentage. The results of a valid statistical sample are mathematically quantifiable. (The probability of error must be objectively quantified: the confidence coefficient.)
Nonstatistical sampling: Uses auditor judgment to determine the method of sampling, the number of items that will be examined from a population (sample size) and which items to select (sample selection). These decisions are based on subjective judgment as to which items/transactions are the most material and most risky.


Sampling (continued)
Methods of sampling used by auditors:
Attribute sampling: Attribute sampling, generally applied in
compliance testing situations, deals with the presence or
absence of the attribute and provides conclusions that are
expressed in rates of incidence.
Variable sampling: Variable sampling, generally applied in
substantive testing situations, deals with population
characteristics that vary, such as monetary values and weights
(or any other measurement), and provides conclusions related
to deviations from the norm.


Sampling (continued)

Attribute Sampling

Stop-or-go sampling: A sampling model that helps prevent excessive sampling of an attribute by allowing an audit test to be stopped at the earliest possible moment. Stop-or-go sampling is used when the IS auditor believes that relatively few errors will be found in a population.
Discovery sampling: A sampling model that can be used when the expected occurrence rate is extremely low. Discovery sampling is most often used when the objective of the audit is to seek out (discover) fraud, circumvention of regulations or other irregularities.


Sampling (continued)

Variable sampling

Stratified mean per unit: A statistical model in which the population is divided into groups and samples are drawn from the various groups. Stratified mean sampling is used to produce a smaller overall sample size relative to un-stratified mean per unit. Examples of such groups are teenagers from the ages of 13 to 19, people from the ages of 20 to 29, people from the ages of 30 to 39, and those who are male or female, smokers or nonsmokers, and so on.
Un-stratified mean per unit: A statistical model in which a sample mean is calculated and projected as an estimated total.
Difference estimation: A statistical model used to estimate the total difference between audited values and book (unaudited) values based on differences obtained from sample observations.

Statistical sampling terms: (contd.)


Confidence coefficient
Level of risk
Precision
Expected error rate
Sample mean
Sample standard deviation
Tolerable error rate
Population standard deviation

Statistical sampling terms: (contd.)

Confidence coefficient (also referred to as confidence level or reliability factor): A percentage expression (90 percent, 95 percent, 99 percent, etc.) of the probability that the characteristics of the sample are a true representation of the population.
Level of risk: Equal to one minus the confidence coefficient. For example, if
the confidence coefficient is 95 percent, the level of risk is five percent (100
percent minus 95 percent).
Precision: Set by the IS auditor, it represents the acceptable range difference
between the sample and the actual population. For attribute sampling, this
figure is stated as a percentage. For variable sampling, this figure is stated as a
monetary amount or a number.
Expected error rate: An estimate stated as a percent of the errors that may
exist. The greater the expected error rate, the greater the sample size.


Statistical sampling terms:


Sample mean: The sum of all sample values, divided by the size of the sample. The sample mean measures the average value of the sample.
Sample standard deviation: Computes the variance of the sample values from the mean of the sample. Sample standard deviation measures the spread or dispersion of the sample values.
Tolerable error rate: Describes the maximum misstatement or number of errors that can exist without an account being materially misstated. Tolerable rate is used for the planned upper limit of the precision range for compliance testing.
Population standard deviation: A mathematical concept that measures the relationship to the normal distribution. The greater the standard deviation, the larger the sample size.
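
An added worked example (not part of the original slides), in Python with constructed figures, of the variable-sampling models and sampling terms defined above: un-stratified and stratified mean per unit, difference estimation, level of risk and monetary precision. The precision formula assumes a normal approximation with no finite-population correction; all amounts and function names are assumptions.

```python
from math import sqrt
from statistics import NormalDist, stdev

# Constructed engagement figures (assumptions, not taken from the slides).
POPULATION_SIZE = 1000      # invoices in the ledger
BOOK_TOTAL = 510_000.0      # unaudited (book) total of the ledger
CONFIDENCE = 0.95           # confidence coefficient chosen by the auditor

# (book value, audited value) for each sampled invoice.
SAMPLE = [(500, 500), (480, 480), (520, 500), (510, 510), (490, 490),
          (530, 530), (470, 450), (505, 505), (495, 495), (500, 500)]

# Stratified sample: stratum -> (items in stratum, audited values sampled).
STRATA = {
    "high value": (100, [4000, 4200, 3800]),
    "low value": (900, [100, 120, 80, 100]),
}


def mean(values):
    return sum(values) / len(values)


def level_of_risk(confidence):
    """Level of risk is one minus the confidence coefficient."""
    return 1.0 - confidence


def unstratified_mpu(sample, population_size):
    """Project the sample mean of audited values as an estimated total."""
    return mean([audited for _, audited in sample]) * population_size


def stratified_mpu(strata):
    """Project each stratum's sample mean over that stratum, then add up."""
    return sum(size * mean(values) for size, values in strata.values())


def difference_estimate(sample, population_size, book_total):
    """Project the mean (audited - book) difference over the population.

    Returns (projected total difference, book total adjusted by it).
    """
    diffs = [audited - book for book, audited in sample]
    projected = mean(diffs) * population_size
    return projected, book_total + projected


def precision(sample, population_size, confidence):
    """Monetary precision of the mean-per-unit total: N * z * s / sqrt(n)."""
    audited = [a for _, a in sample]
    z = NormalDist().inv_cdf(1 - level_of_risk(confidence) / 2)
    return population_size * z * stdev(audited) / sqrt(len(audited))


def summary():
    projected, adjusted = difference_estimate(SAMPLE, POPULATION_SIZE, BOOK_TOTAL)
    return {
        "level of risk": level_of_risk(CONFIDENCE),
        "un-stratified MPU total": unstratified_mpu(SAMPLE, POPULATION_SIZE),
        "stratified MPU total": stratified_mpu(STRATA),
        "projected difference": projected,
        "book total adjusted by difference": adjusted,
        "precision (+/-)": precision(SAMPLE, POPULATION_SIZE, CONFIDENCE),
    }


if __name__ == "__main__":
    for name, value in summary().items():
        print(f"{name:36s} {value:>12,.2f}")
```

With these figures the mean-per-unit projection and the difference estimate disagree because the sampled items' average book value (500) is below the population's (510); difference estimation anchors on the known book total, while mean per unit ignores it.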


Key steps in choosing a sample


Determine the objectives of the test
Define the population to be sampled
Determine the sampling method, such as attribute versus variable sampling
Calculate the sample size
Select the sample
Evaluate the sample from an audit perspective


Computer-Assisted Audit Techniques (contd.)

CAATs enable IS auditors to gather information independently
CAATs include:

Generalized audit software (GAS)
Utility software
Test data
Application software for continuous online audits
Audit expert systems

Computer-Assisted Audit Techniques (contd.)

Need for CAATs

Evidence collection
Functional capabilities

Functions supported
Areas of concern


Computer-Assisted Audit Techniques (contd.)

Examples of CAATs used to collect evidence
CAATs as a continuous online approach


Computer-Assisted Audit Techniques (contd.)

Development of CAATs

Documentation retention
Access to production data
Data manipulation


Evaluation of Strengths and Weaknesses

Assess evidence
Evaluate overall control structure
Evaluate control procedures
Assess control strengths and weaknesses


Judging Materiality of Findings

Materiality is a key issue
Assessment requires judgment of the potential effect of the finding if corrective action is not taken


Communicating Audit Results


Exit interview
Correct facts
Realistic recommendations
Implementation dates for agreed recommendations
Presentation techniques
Executive summary
Visual presentation


Audit report structure and contents

An introduction to the report
The IS auditor's overall conclusion and opinion
The IS auditor's reservations with respect to the audit
Detailed audit findings and recommendations
A variety of findings
Limitations to audit
Statement on the IS audit guidelines followed


Management Implementation of Recommendations

Auditing is an ongoing process
Timing of follow-up


Audit Documentation

Contents of audit documentation


Custody of audit documentation
Support of findings and conclusions


Control Self-Assessment (CSA), Contd.

The primary objective is to leverage the internal audit function by shifting some of the control monitoring responsibilities to the functional areas.
A management technique
A methodology
In practice, a series of tools

Control Self-Assessment (CSA), Contd.

Implementation of CSA
Facilitated workshops
Hybrid approach


Control Self Assessment


Benefits of CSA
Early Detection of Risk
More Effective and improved internal controls
Highly motivated employees
Improved audit rating process
Assurance to top management and stakeholders
Disadvantages of CSA
It may be regarded as an additional workload
Failure to act on improvement suggestions could damage employee morale


Control Self Assessment


IS Auditor's Role in CSAs: When CSA is in place, auditors become internal control professionals and assessment facilitators.
Technology Drivers for CSA Program: Some of the technology drivers include a combination of hardware and software to support CSA selection, and the use of an electronic meeting system and computer-supported decision aids to facilitate group decision making.
Traditional vs. CSA Approach: The traditional approach can be summarized as any approach in which the primary responsibility for analyzing and reporting on internal control and risk is assigned to auditors, and to a lesser extent, controller departments and outside consultants. The CSA approach emphasizes management and accountability over developing and monitoring internal controls of an organization's sensitive and critical business processes.

Emerging Changes in IS Audit Process

New Topics:

Automated Work Papers


Integrated Auditing
Continuous Auditing

Automated Work Papers (Contd)

Risk analysis
Audit programs
Results
Test evidences
Conclusions
Reports and other complementary information

Automated Work Papers


Controls over automated work papers:

Access to work papers


Audit trails
Approvals of audit phases
Security and integrity controls
Backup and restoration
Encryption for confidentiality

Integrated Auditing
Integrated auditing: A process whereby appropriate audit disciplines are combined to assess key internal controls over an operation, process or entity
Focuses on risk to the organization (for an internal auditor)
Focuses on the risk of providing an incorrect or misleading audit opinion (for an external auditor)


Integrated Auditing: Typical process

Identification of relevant key controls
Review and understanding of the design of key controls
Testing that key controls are supported by the IT system
Testing that management controls operate effectively
A combined report or opinion on control risks, design and weaknesses


Continuous Auditing
Continuous Auditing: A methodology that enables independent auditors to provide written assurance on a subject matter using a series of auditors' reports issued simultaneously with, or a short period of time after, the occurrence of events underlying the subject matter


Continuous Auditing vs. Continuous Monitoring

Continuous Monitoring
Management-driven
Based on automated procedures to meet fiduciary responsibilities
Continuous Auditing
Audit-driven
Done using automated audit procedures


Continuous Auditing: Enablers for the Application of Continuous Auditing

New information technology


Increased processing capabilities
Standards
Artificial intelligence tools


IT Techniques in a Continuous Auditing Environment


Transaction logging

Query tools
Statistics and data analysis (CAAT)
Database management systems (DBMS)
Data warehouses, data marts, data mining.
Artificial intelligence (AI)
Embedded audit modules (EAM)
Neural network technology
Standards such as Extensible Business Reporting Language


Continuous Auditing Prerequisites

A high degree of automation
An automated and reliable information-producing process
Alarm triggers to report control failures
Implementation of automated audit tools
Quickly informing IS auditors of anomalies/errors
Timely issuance of automated audit reports
Technically proficient IS auditors
Availability of reliable sources of evidence
Adherence to materiality guidelines
Change of IS auditors' mindset
Evaluation of cost factors

Continuous Auditing
Advantages
Instant capture of internal control problems
Reduction of intrinsic audit inefficiencies

Disadvantages
Difficulty in implementation
High cost
Elimination of auditors' personal judgment and evaluation

Practice Questions (contd.)
Q. What does fiduciary responsibility mean?
A. To use information gained for personal interests without
breaching confidentiality of the client.
B. To act for the benefit of another person and place the
responsibilities to be fair and honest ahead of your own interest.
C. To follow the desires of the client and maintain total
confidentiality even if illegal acts are discovered. The auditor shall
never disclose information from an audit in order to protect the
client.
D. None of the above.

Practice Questions (contd.)
Answer is B. Accountants, auditors, and lawyers act on behalf of their clients' best interests unless doing so places them in violation of the law. It is the highest standard of duty implied by law for a trustee and guardian.


Practice Question
Q: What are the different types of audits?
A. Forensic, accounting, verification, regulatory
B. Integrated, operational, compliance,
administrative
C. Financial, SAS-74, compliance, administrative
D. Information systems, SAS-70, regulatory,
procedural

Practice Questions (contd.)
Answer is B. All of the audit types are valid
except procedural, SAS-74, verification, and
regulatory. The valid audit types are financial,
operational (SAS-70), integrated (SAS-94),
compliance, administrative, forensic, and
information systems. A forensic audit is used to
discover information about a possible crime.

Practice Questions (contd.)
Q: How does the auditor derive a final
opinion?
A. From evidence gathered and the auditor's observations
B. By representations and assurances of
management
C. By testing the compliance of language used in
organizational policies
D. Under advice of the audit committee
Practice Questions (contd.)
Answer is A. A final opinion is based on
evidence gathered and testing. The purpose of an
audit is to challenge the assertions of
management. Evidence is gathered that will
support or disprove claims.

Practice Questions (contd.)
Q: Which of the following BEST describes the
early stages of an IS audit?
A. Observing key organizational facilities
B. Assessing the IS environment
C. Understanding the business process and
environment applicable to the review
D. Reviewing prior IS audit reports


Answer
1-1 C: Understanding the business process and
environment applicable to the review is most
representative of what occurs early on in the
course of an audit. The other choices relate to
activities actually occurring within this process.


Practice Questions (contd.)


Q: In performing a risk-based audit, which risk assessment is completed initially by the IS auditor?
A. Detection risk assessment
B. Control risk assessment
C. Inherent risk assessment
D. Fraud risk assessment


Answer
1-2 C: Inherent risks exist independently of an audit and
can occur because of the nature of the business. To
successfully conduct an audit, it is important to be aware of
the related business processes. To perform the audit the IS
auditor needs to understand the business process, and by
understanding the business process, the IS auditor better
understands the inherent risks.


Practice Questions (contd.)


Q: While developing a risk-based audit program, on which of the following would the IS auditor MOST likely focus?
A. Business processes
B. Critical IT applications
C. Operational controls
D. Business strategies


Answer
1-3 A: A risk-based audit approach focuses on the understanding of the nature of the business and being able to identify and categorize risk. Business risks impact the long-term viability of a specific business. Thus, an IS auditor using a risk-based audit approach must be able to understand business processes.


Practice Questions (contd.)


Q: Which of the following types of audit risk
assumes an absence of compensating controls
in the area being reviewed?
A. Control risk
B. Detection risk
C. Inherent risk
D. Sampling risk


Answer
1-4 C: The risk of an error existing that could be material or
significant when combined with other errors encountered during
the audit, there being no related compensating controls, is the
inherent risk. Control risk is the risk that a material error exists
that will not be prevented or detected in a timely manner by the
system of internal controls. Detection risk is the risk of an IS
auditor using an inadequate test procedure that concludes that
material errors do not exist, when they do. Sampling risk is the
risk that incorrect assumptions are made about the characteristics
of a population from which a sample is taken.


Practice Questions (contd.)


Q: An IS auditor performing a review of an application's controls finds a
weakness in system software that could materially impact the application. The
IS auditor should:

A. disregard these control weaknesses since a system software review is beyond the scope of this review.
B. conduct a detailed system software review and report the control
weaknesses.
C. include in the report a statement that the audit was limited to a review of
the application's controls.
D. review the system software controls as relevant and recommend a detailed
system software review.


Answer
1-5 D: The IS auditor is not expected to ignore control weaknesses
just because they are outside the scope of a current review.
Further, the conduct of a detailed systems software review may
hamper the audit's schedule and the IS auditor may not be
technically competent to do such a review at this time. If there are
control weaknesses that have been discovered by the IS auditor,
they should be disclosed. By issuing a disclaimer, this responsibility
would be waived. Hence, the appropriate option would be to review
the systems software as relevant to the review and recommend a
detailed systems software review for which additional resources
may be recommended.


Practice Questions (contd.)


Q: The PRIMARY use of generalized audit
software (GAS) is to:
A. test controls embedded in programs.
B. test unauthorized access to data.
C. extract data of relevance to the audit.
D. reduce the need for transaction vouching.


Answer
1-6 C: Generalized audit software facilitates direct access to and
interrogation of the data by the IS auditor. The most important advantage
of using GAS is that it helps in identifying data of interest to the IS auditor.
GAS does not involve testing of application software directly. Hence, GAS
indirectly helps in testing controls embedded in programs by testing data.
GAS cannot identify unauthorized access to data if this information is not
stored in the audit log file. However, this information may not always be
available. Hence, this is not one of the primary reasons for using GAS.
Vouching involves verification of documents. GAS could help in selecting
transactions for vouching. Using GAS does not reduce transaction vouching.


Practice Questions (contd.)

Q: Which of the following is MOST effective for implementing a control self-assessment (CSA) within business units?
A. Informal peer reviews
B. Facilitated workshops
C. Process flow narratives
D. Data flow diagrams


Answer
1-7 B: Facilitated workshops work well within
business units. Process flow narratives and data
flow diagrams would not be as effective since they
would not necessarily identify and assess all
control issues. Informal peer reviews similarly
would be less effective for the same reason.


Practice Questions (contd.)


Q: The FIRST step in planning an audit is to:
A. define audit deliverables.
B. finalize the audit scope and audit objectives.
C. gain an understanding of the business objectives.
D. develop the audit approach or audit strategy.


Answer
1-8 C: The first step in audit planning is to gain an understanding of the business's mission, objectives and purpose, which in turn identifies the relevant policies, standards, guidelines, procedures, and organization structure. All other choices are dependent upon having a thorough understanding of the business's objectives and purpose.


Practice Questions (contd.)


Q: The approach an IS auditor should
use to plan IS audit coverage should
be based on:
A. risk.
B. materiality.
C. professional skepticism.
D. sufficiency of audit evidence.


Answer
1-9 A: Standard S5, Planning, establishes standards and provides guidance on planning an audit. It requires a risk-based approach.


Practice Questions
Q: A company performs a daily backup of critical data
and software files, and stores the backup tapes at an
offsite location. The backup tapes are used to restore
the files in case of a disruption. This is a:
A. preventive control.
B. management control.
C. corrective control.
D. detective control.


Answer
1-10 C: A corrective control helps to correct or minimize the impact of
a problem. Backup tapes can be used for restoring the files in case of
damage of files, thereby reducing the impact of a disruption.
Preventive controls are those that prevent problems before they arise.
Backup tapes cannot be used to prevent damage to files and hence
cannot be classified as a preventive control. Management controls
modify processing systems to minimize a repeat occurrence of the
problem. Backup tapes do not modify processing systems and hence
do not fit the definition of a management control. Detective controls
help to detect and report problems as they occur. Backup tapes do not
aid in detecting errors.


Question & Answer

THIS IS A COMFORTABLE POINT TO SAY.

THANK YOU
AND BEST OF LUCK
