Certified Information
Systems Auditor Course
2010
By Marjan Hussein
MBA, BCOMM, CPA(K), CISA, CIA, CCSA
TASKS
Develop and implement a risk-based IS audit
strategy for the organization in compliance with IS
audit standards, guidelines and best practices.
Plan specific audits to ensure that IT and business
systems are protected and controlled.
Conduct audits in accordance with IS audit
standards, guidelines and best practices to meet
planned audit objectives.
Communicate emerging issues, potential risks,
and audit results to key stakeholders.
Advise on the implementation of risk
management and control practices within the
organization while maintaining independence.
Knowledge Statements
Knowledge of ISACA IS Auditing Standards, Guidelines and
Procedures, and Code of Professional Ethics
Knowledge of IS auditing practices and techniques
Knowledge of techniques to gather information and
preserve evidence (e.g., observation, inquiry, interview,
CAATs, electronic media)
Knowledge of the evidence life cycle (e.g., the collection,
protection, chain of custody)
Knowledge of control objectives and controls related to IS
(e.g. COBIT)
2/8/2010
IS Audit Planning
Preparation of long- and short-term audit plans
Detailed staff training plans for the year, reviewed semi-annually
ISACA IS Standards
The specialized nature of IS auditing and the skills and
knowledge necessary to perform such audits require globally
applicable standards that pertain specifically to IS auditing.
The objectives of the ISACA standards are to inform:
IS auditors of the minimum level of acceptable performance required to meet the professional responsibilities set out in the Code of Professional Ethics
Management and other interested parties of the professional expectations concerning the work of audit practitioners
Holders of the CISA designation of the requirements; failure to comply with these standards may result in investigation by the ISACA board and disciplinary action
Standards define mandatory requirements for IS auditing and reporting.
S1 Audit charter
S2 Independence
S3 Professional Ethics and Standards
S4 Professional Competence
S5 Planning
S6 Performance of Audit Work
S7 Reporting
S8 Follow up activities
S9 Irregularities and Illegal Acts
S10 IT Governance
S11 Use of Risk Assessment in Audit Planning
S12 Audit Materiality
S13 Using the Work of Other Experts
S14 Audit Evidence
S15 IT Controls
S16 E-commerce
RISK ANALYSIS
Risk
The potential that a given threat will exploit vulnerabilities of an asset or group of assets to cause loss or damage to the asset.
The impact or relative severity of the risk is proportional to the business value of the loss/damage and to the estimated frequency of the threat.
The uncertainty that surrounds future events and outcomes.
The expression of the likelihood and impact of an event with the potential to influence achievement of an organization's objectives.
Risk is anything that could prevent achievement of the organization's objectives.
INTERNAL CONTROLS
Classifications of Controls
Preventative Controls
Detective Controls
Corrective Controls
IS Control Objectives
Internal control objectives apply to all areas, whether manual or automated.
IS control objectives include:
Safeguarding assets: information on automated systems is secured from improper access and kept up to date
Assuring the integrity of general operating system environments, including network management and operations
Assuring the integrity of sensitive and critical application system environments, including accounting/financial and management information, through:
Authorization of inputs
Accuracy and completeness of transaction processing
COBIT
Supporting the COBIT IT processes are more than 200 detailed control objectives necessary for effective implementation.
COBIT uses the current major framework standards and regulations relating to IT as its primary references.
COBIT is directed to management and staff of information services, control departments, audit functions and, most importantly, the business process owners who use IT processes to assure the confidentiality, integrity and availability of sensitive and critical information.
IS Controls
Each general control procedure can be translated into an IS-specific control procedure.
IS control procedures include:
General Controls
Controls include the policies, procedures and practices established by management to provide reasonable assurance that specific objectives will be achieved.
They apply to all areas of the organization.
General Controls include:
Performing IS Audit
Auditing
A systematic process by which a competent, independent person objectively obtains and evaluates evidence regarding assertions about an economic entity or event, for the purpose of forming an opinion about, and reporting on, the degree to which the assertions conform to an identified set of standards.
IS Audit
Defined as any audit that encompasses review
and evaluation (wholly or partially) of
automated information processing systems,
related non-automated processes and the
interfaces between them
Classification of Audits
Financial audits - data (integrity and reliability)
Operational audits - controls
Integrated audits - data and controls
Administrative audits - operational efficiency
Information systems audits - IS
Specialized audits - reviewing services performed by third-party providers
Forensic audits - discovering, preserving, disclosing and following up on frauds and crimes
Financial audits:
Assess the correctness of financial statements
Often involve detailed substantive testing
Relate to information reliability and integrity
Administrative audits:
Assess operational efficiency
Operational audits:
Designed to evaluate internal controls, e.g. an IS audit of application controls or of logical security
Integrated audits:
Include both financial and operational audit work
Performed to assess overall objectives related to financial information, safeguarding of assets and efficiency
Include both compliance and substantive tests
Internal controls:
Safeguard assets
Maintain data and system integrity
Provide relevant and reliable information
Help achieve organizational goals effectively and efficiently
Internal controls provide reasonable assurance that operational and control objectives will be met.
Specialized audits
These are specialized reviews that examine areas
such as service performed by third parties and
forensic auditing
Statement on Auditing Standards (SAS) 70, titled Reports on the Processing of Transactions by Service Organizations, is a widely known standard developed by the AICPA.
SAS 70 defines the professional standards used by a service auditor to assess the internal controls of a service organization.
Forensic audits
These are audits specialized in discovering, disclosing and following up on frauds and crimes.
The purpose of these reviews is to develop and protect evidence for review by law enforcement and judicial authorities.
Computer forensic investigation includes analysis of electronic devices such as computers, phones, PDAs, disks, switches, routers, hubs and other electronic equipment.
Admissibility of evidence in court is very important; computer evidence must therefore be properly handled, with its integrity demonstrable and its chain of custody documented.
Forensic audit tools, such as data mapping for security and privacy, risk assessment and searching for intellectual property for data protection, are used for prevention, compliance and assurance.
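The evidence life cycle point made above (collection, protection, chain of custody) as an added example, not part of the original course material: the acquired evidence is hashed at collection, every custody transfer is recorded in a hash-chained log, and verification fails if either the evidence or any log entry is altered. The sample "disk image", custodian names and timestamps are constructed; the log format is an assumption, not any tool's real record layout.

```python
"""Evidence integrity and chain of custody for a forensic audit (added example)."""
import hashlib
import json


def fingerprint(data: bytes) -> str:
    """SHA-256 of the acquired evidence, recorded at the moment of collection."""
    return hashlib.sha256(data).hexdigest()


def add_custody_entry(log, custodian, action, evidence_hash, timestamp):
    """Append a custody entry that commits to the evidence hash and to the
    previous entry, so entries cannot be altered, reordered or dropped unnoticed."""
    previous = log[-1]["entry_hash"] if log else "0" * 64
    entry = {
        "custodian": custodian,
        "action": action,
        "timestamp": timestamp,
        "evidence_hash": evidence_hash,
        "previous_entry_hash": previous,
    }
    serialized = json.dumps(entry, sort_keys=True).encode()
    entry["entry_hash"] = hashlib.sha256(serialized).hexdigest()
    log.append(entry)
    return log


def verify_chain(log, evidence_data: bytes) -> bool:
    """True only if every entry links to its predecessor, every entry hash is
    intact, and the evidence still matches the hash recorded at collection."""
    expected_previous = "0" * 64
    current_hash = fingerprint(evidence_data)
    for entry in log:
        if entry["previous_entry_hash"] != expected_previous:
            return False                      # entry missing or reordered
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        recomputed = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        if recomputed != entry["entry_hash"]:
            return False                      # entry contents altered
        if entry["evidence_hash"] != current_hash:
            return False                      # evidence altered since collection
        expected_previous = entry["entry_hash"]
    return True


def altered_copy(log, index, field, value):
    """Deep copy of the log with one field changed; used to show that
    tampering with a past entry is detected."""
    copied = json.loads(json.dumps(log))
    copied[index][field] = value
    return copied


# Constructed sample: a tiny stand-in for a disk image and three custody events.
EVIDENCE = b"constructed sample disk image contents"
LOG = []
add_custody_entry(LOG, "examiner A", "acquired image", fingerprint(EVIDENCE), "2010-02-08T09:00Z")
add_custody_entry(LOG, "examiner A", "sealed in evidence bag", fingerprint(EVIDENCE), "2010-02-08T09:15Z")
add_custody_entry(LOG, "examiner B", "received for analysis", fingerprint(EVIDENCE), "2010-02-09T08:30Z")

if __name__ == "__main__":
    print("chain intact:", verify_chain(LOG, EVIDENCE))
    print("after evidence change:", verify_chain(LOG, EVIDENCE + b"!"))
    print("after log edit:", verify_chain(altered_copy(LOG, 1, "custodian", "examiner C"), EVIDENCE))
```

The hash chain only proves that the log is internally consistent; in practice each entry is also signed or countersigned by the custodian and the original image is kept write-protected, so that a forger cannot simply rebuild the whole chain.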
Audit Programs
The audit work program is the audit strategy and plan.
It identifies the scope, audit objectives and audit procedures needed to obtain sufficient, relevant and reliable evidence to draw and support audit conclusions and opinions.
IS auditors often evaluate IT functions and systems from different perspectives, such as:
Audit objectives
These are the specific goals of the audit.
Determining the audit objectives is a critical step in planning an IS audit.
They center on substantiating that internal controls exist to minimize business risk.
The basic purpose of any IS audit is to identify control objectives and the related controls that address each objective.
Management may issue a general objective; a key element in planning is translating it into specific IS audit objectives.
Obtain evidence
Evaluate the evidence: the strengths and weaknesses of the controls
Audit methodology
A set of documented audit procedures
designed to achieve planned audit
objectives.
Components include:
Scope
Audit objectives
Work programs
Audit program
Step-by-step set of audit procedures and
instructions that should be performed to
complete an audit
A guide for documenting various audit steps
performed
Guides on the types and extent of evidential
matters to be reviewed
Provides a trail of the process used
Provides accountability for performance
Audit phases
Fraud Detection
Management is primarily responsible for establishing, implementing and maintaining the framework and design of IT controls to meet the internal control objectives.
A well designed internal control system provides a good opportunity to deter fraud in the first instance and enables timely detection of fraud.
IS auditors should exercise due professional care in all aspects of their work and be alert to the possible opportunities that allow a fraud to materialize.
Risk-Based Auditing
Business risks include concerns about the probable effects of an uncertain event on achieving established organizational objectives.
By understanding the nature of the business, IS auditors can identify and categorize the types of risk, which then determines the risk approach taken in conducting the audit.
The risk-based approach assists an IS auditor in deciding whether to perform compliance or substantive testing.
It helps the auditor determine the nature and extent of testing.
In addition to risk, the auditor's decisions are also influenced by the internal controls and by knowledge of the business.
Business processes
Critical IT applications
Operational controls
Business strategies
Inherent risk
The risk that an error exists which could be material, assuming there are no related compensating controls
Can be described as the susceptibility to a material misstatement in the absence of related controls, e.g.
Detection risk
The risk that the IS auditor used an inadequate test procedure and concludes that material errors do not exist when in fact they do
Can be used to assess and evaluate an IS auditor's ability to test for, identify and correct material errors
Can be minimized by:
Proper statistical sampling procedures
A strong quality control process
Control risk
The risk that a material error exists which will not be prevented or detected on a timely basis by the system of internal controls
Risk Assessment
Audit risk = Inherent risk × Control risk × Detection risk
Inherent risk and control risk together make up the auditee's risk; detection risk is the auditor's risk.
Risk assessment methods
Scoring method: considers variables such as technical complexity, controls in place and financial loss
Judgmental method
Audit evidence
States that:
Comparisons
Simulations
Calculations
Reasoning (synthesis)
Examples:
Reliability - determinants
Independence of the provider of the evidence
Qualifications of the individual providing the information or evidence
Objectivity of the evidence
Timing of the evidence
Reliability - cont.
Independence of the provider of the evidence
Example: corroborative evidence from an independent third party can be more reliable than evidence from the organization being audited (e.g. circularization of debtors, bank confirmations)
Objectivity of the evidence
Objective evidence is much better than evidence requiring considerable judgment and interpretation
Examples:
Reviewing IS documentation standards
Understand the existing documentation in place
Minimum documentation may include:
Compliance testing
Tests of controls designed to obtain audit evidence on both the effectiveness of the controls and their operation during the audit period
Evidence gathering to determine the organization's compliance with control procedures
Used where there is a trail of documentary evidence, e.g. written authorization to implement a modified program
Broad objective: to provide reasonable assurance that a particular control on which the IS auditor plans to rely is operating as intended
Attribute sampling is the compliance test used to check for the presence or absence of an attribute.
Substantive testing
Tests that substantiate the integrity of actual processing, e.g. recomputing balances, tracing transactions or confirming account details; used to gather direct evidence of material errors, and relied on more heavily where compliance testing shows that controls cannot be relied upon.
Sampling
Population consists of the entire group of items
that need to be examined
Sample is a subset of population members
Used to infer characteristics about a population,
based on the results of examining characteristics
of a sample of the population
Sample must represent as closely as possible
the characteristics of the whole population
Why sampling
Examining the entire population would be ideal, but time and cost make it impractical.
Statistical sampling
Uses an objective method to determine:
Sample size
Selection criteria
Sample precision
Reliability or confidence level
Sampling risk
Both statistical and judgmental sampling require the IS auditor's judgment
The risk that the auditor will draw the wrong conclusion from the sample
Statistical sampling allows the IS auditor to quantify the probability of error (confidence coefficient)
Methods of sampling
Attribute sampling
Variable sampling
Attribute sampling
Selecting items with certain attributes or characteristics (e.g. all items over a certain size)
Also known as proportional sampling
Deals with the presence or absence of an attribute or characteristic
Generally used in compliance testing
Conclusions are expressed as rates of incidence
Variable sampling
Used to estimate the average or total value of a population based on a sample
Also known as:
- dollar estimation or
- mean estimation sampling or
- quantitative sampling
Difference estimation:
Confidence coefficient
Also referred to as the confidence level or reliability factor
The probability that the characteristics of the sample are a true representation of the population
95% is considered a high degree of comfort
If internal controls are strong, the confidence level may be lowered
The greater the confidence coefficient, the larger the sample
Level of risk
Precision
Set by the IS auditor
Represents the acceptable range between the sample and the population
For attribute sampling, stated as a percentage
For variable sampling, stated as a monetary amount or number
The higher the precision amount, the smaller the sample size and the higher the risk of error
The lower the precision amount, the greater the sample size
Others
Sample mean - the average value of the sample
Sample standard deviation - measures the spread or dispersion of sample values
Tolerable error rate - the maximum misstatement or number of errors that can exist without an account being materially misstated
Population standard deviation - measures the dispersion of the population's values; the greater the standard deviation, the larger the sample size; applied to variable sampling
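The audit risk model, confidence coefficient, precision and tolerable error rate above, worked through for an attribute (compliance) sample as an added example that is not part of the original course material. It assumes the multiplicative audit risk model stated under Risk Assessment and uses the exact binomial distribution in place of the printed attribute-sampling tables an auditor would normally consult; all risk levels and sample results are constructed.

```python
"""Attribute sampling for a compliance test, tied to the audit risk model (added example)."""
import math


def planned_detection_risk(audit_risk, inherent_risk, control_risk):
    """Solve the audit risk model for the detection risk the auditor may accept."""
    return audit_risk / (inherent_risk * control_risk)


def binomial_cdf(k, n, p):
    """P(X <= k) for X ~ Binomial(n, p): chance of seeing at most k deviations."""
    return sum(math.comb(n, i) * p ** i * (1 - p) ** (n - i) for i in range(k + 1))


def attribute_sample_size(confidence, tolerable_rate, expected_deviations=0):
    """Smallest sample size n such that, if the population deviation rate were
    as bad as the tolerable rate, observing at most `expected_deviations`
    would happen with probability no more than (1 - confidence)."""
    n = expected_deviations + 1
    while binomial_cdf(expected_deviations, n, tolerable_rate) > 1 - confidence:
        n += 1
    return n


def upper_deviation_limit(n, observed_deviations, confidence, tol=1e-7):
    """Achieved upper precision limit: the highest population deviation rate
    still consistent with the sample result at the stated confidence.
    The binomial CDF falls as p rises, so bisection finds the crossing point."""
    lo, hi = 0.0, 1.0
    while hi - lo > tol:
        mid = (lo + hi) / 2
        if binomial_cdf(observed_deviations, n, mid) > 1 - confidence:
            lo = mid   # this rate is still plausible; the limit is higher
        else:
            hi = mid   # this rate has been ruled out at this confidence
    return hi


def evaluate_sample(n, observed_deviations, confidence, tolerable_rate):
    """Compliance conclusion: rely on the control only if the achieved upper
    deviation limit does not exceed the tolerable error rate."""
    limit = upper_deviation_limit(n, observed_deviations, confidence)
    return {"upper_limit": limit, "rely_on_control": limit <= tolerable_rate}


def plan_and_evaluate(audit_risk, inherent_risk, control_risk,
                      tolerable_rate, observed_deviations):
    """Full cycle: audit risk model -> acceptable detection risk -> required
    confidence -> sample size -> conclusion on the deviations actually found."""
    dr = planned_detection_risk(audit_risk, inherent_risk, control_risk)
    confidence = 1 - dr
    n = attribute_sample_size(confidence, tolerable_rate)
    verdict = evaluate_sample(n, observed_deviations, confidence, tolerable_rate)
    return {"detection_risk": dr, "confidence": confidence, "sample_size": n, **verdict}


if __name__ == "__main__":
    # Constructed planning values: 5% overall audit risk, high inherent risk,
    # moderate control risk, 5% tolerable deviation rate.
    print(plan_and_evaluate(0.05, 0.8, 0.5, 0.05, observed_deviations=0))
    print(plan_and_evaluate(0.05, 0.8, 0.5, 0.05, observed_deviations=1))
```

With the constructed inputs the model allows 12.5% detection risk, i.e. 87.5% confidence, and a sample of 41 items sized for zero deviations; at 95% confidence the same test needs 59 items, and loosening the tolerable rate to 10% brings it down to 29. A single deviation in a sample sized for none pushes the achieved upper limit above the tolerable rate, so the control cannot be relied upon and substantive testing has to be extended, which is the decision the risk-based approach above is about.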
Circumstances that may lead to using the services of other auditors:
Scarcity of IS auditors and the need for IT security specialists
Highly specialized areas
IS auditor responsibilities:
CAATs examples
These include:
Mathematical computations
Stratifications
Statistical analysis
Sequence checks
Duplicate checks
Re-computations
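The CAAT tests listed above, run as an added example over a constructed invoice register; this is not code from the original course, and the data, field names, amount bands and tolerance are assumptions. It covers stratification, sequence checks, duplicate checks and re-computation, with the statistical side of CAATs left to the sampling example.

```python
"""Computer-assisted audit techniques over an invoice register (added example)."""
from collections import Counter, defaultdict

# Constructed sample invoice register (hypothetical data). It deliberately
# contains a gap in the sequence, a re-used invoice number, a possible
# double payment and an arithmetic error.
INVOICES = [
    {"no": 1001, "vendor": "ACME", "qty": 10, "unit_price": 12.50, "total": 125.00},
    {"no": 1002, "vendor": "ACME", "qty": 10, "unit_price": 12.50, "total": 125.00},
    {"no": 1003, "vendor": "BOLT", "qty": 3, "unit_price": 400.00, "total": 1200.00},
    {"no": 1005, "vendor": "BOLT", "qty": 2, "unit_price": 400.00, "total": 900.00},
    {"no": 1006, "vendor": "CRANE", "qty": 1, "unit_price": 15000.00, "total": 15000.00},
    {"no": 1006, "vendor": "CRANE", "qty": 1, "unit_price": 15000.00, "total": 15000.00},
]


def sequence_gaps(records):
    """Sequence check: invoice numbers missing from an otherwise continuous series."""
    present = {r["no"] for r in records}
    return [n for n in range(min(present), max(present) + 1) if n not in present]


def duplicate_numbers(records):
    """Duplicate check: invoice numbers that appear more than once."""
    counts = Counter(r["no"] for r in records)
    return sorted(n for n, c in counts.items() if c > 1)


def duplicate_payments(records):
    """Duplicate check: same vendor and amount under different invoice numbers,
    a classic indicator of a double payment."""
    groups = defaultdict(set)
    for r in records:
        groups[(r["vendor"], r["total"])].add(r["no"])
    return sorted((key, sorted(nos)) for key, nos in groups.items() if len(nos) > 1)


def recompute_totals(records, tolerance=0.005):
    """Re-computation: the stored total must equal qty x unit price."""
    return [r["no"] for r in records
            if abs(r["qty"] * r["unit_price"] - r["total"]) > tolerance]


def stratify(records, bands=(0, 500, 5000)):
    """Stratification: count and value of invoices per amount band (band = lower bound),
    which tells the auditor where the value, and so the risk, is concentrated."""
    result = {}
    for r in records:
        band = max(b for b in bands if r["total"] >= b)
        count, value = result.get(band, (0, 0.0))
        result[band] = (count + 1, value + r["total"])
    return result


def run_caats(records):
    """Run every test and return the exceptions for the working papers."""
    return {
        "sequence_gaps": sequence_gaps(records),
        "duplicate_numbers": duplicate_numbers(records),
        "duplicate_payments": duplicate_payments(records),
        "recomputation_exceptions": recompute_totals(records),
        "strata": stratify(records),
    }


if __name__ == "__main__":
    for name, finding in run_caats(INVOICES).items():
        print(f"{name}: {finding}")
```

Each exception list is a starting point for follow-up, not a finding in itself: the gap at 1004 may be a cancelled invoice, and the two ACME invoices may be legitimate repeat orders, so the auditor traces them to supporting documents before concluding.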
CAATs advantages
CAATs - things to do
Evaluating evidence
Involves judgments based on experience
Use the evidence gathered to assess compliance with control objectives
Assess the strengths and weaknesses of controls to determine whether they are effective in meeting the control objectives established in planning
A control matrix may be used to illustrate areas where controls may be weak or lacking
Always check for compensating controls before reporting a control weakness
A control objective may be met by a number of controls
Audit Documentation
Documentation should include, at a minimum, a
record of:
The planning and preparation of audit scope and
objectives
The information system environment
The audit program
The audit steps performed and audit evidence
gathered
Audit findings, conclusions and recommendations
Any report issued as a result of the audit work
Supervisory review
Integrated Auditing
A process whereby audit disciplines are combined to assess key internal controls over an operation, process or entity.
The integrated approach focuses on risk. Risk assessment aims to understand and identify risks arising from the entity and its environment.
IT audit helps to understand and identify risks in information management, IT infrastructure, IT governance and IT operations.
Other audits seek to understand the organizational environment, business risks and business controls.
IT systems provide a first line of preventive and detective controls, and the integrated audit depends on a sound assessment of their efficiency and effectiveness.
Continuous Auditing
A methodology that enables independent auditors to provide assurance on a subject matter using a series of auditor's reports issued simultaneously with, or a short period of time after, the occurrence of the events underlying the subject matter.
Has an edge over periodic auditing because it captures internal control problems as they occur, limiting their negative effects.
Implementation can reduce audit inefficiencies such as delays, planning time, inefficiency of the audit process itself and overheads due to work segmentation.
Disadvantages
Difficulty in implementation
High cost
Enabling technologies for continuous auditing include:
Transaction logging
Query tools
Statistics and data analysis (CAAT)
Database Management System (DBMS)
Data warehouses, data marts, data mining
Artificial intelligence (AI)
Embedded audit modules (EAM)
Neural network technology
Standards such as Extensible Business Reporting Language (XBRL)
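An embedded audit module of the kind listed above, as an added example that is not part of the original course and not any product's code: a hypothetical posting routine runs audit rules inside the application as each transaction posts, so exceptions are captured when they occur instead of being found in a later periodic review. The ledger, the rules, the limits and the transactions are all constructed.

```python
"""Embedded audit module (EAM) hooked into transaction posting (added example)."""
from dataclasses import dataclass, field


@dataclass
class Transaction:
    txn_id: str
    amount: float
    created_by: str
    approved_by: str
    account: str


@dataclass
class AuditModule:
    """Rules evaluated on every posting; hits go to a review file for the auditor."""
    single_approval_limit: float = 10_000.0          # hypothetical threshold
    watched_accounts: set = field(default_factory=set)
    exceptions: list = field(default_factory=list)   # the auditor's review file

    def inspect(self, txn: Transaction):
        """Return the reasons this transaction is an exception (empty if none)."""
        reasons = []
        if txn.created_by == txn.approved_by:
            reasons.append("segregation of duties: creator approved own transaction")
        if txn.amount > self.single_approval_limit:
            reasons.append(f"amount {txn.amount:.2f} exceeds single-approval limit")
        if txn.account in self.watched_accounts:
            reasons.append(f"posting to watched account {txn.account}")
        if reasons:
            self.exceptions.append({"txn_id": txn.txn_id, "reasons": reasons})
        return reasons


class Ledger:
    """Hypothetical application ledger with the EAM embedded in its post path."""

    def __init__(self, audit_module: AuditModule):
        self.posted = []
        self.audit = audit_module

    def post(self, txn: Transaction):
        """The EAM records exceptions but does not block: the application keeps
        running and the auditor reviews the file shortly after the event."""
        self.audit.inspect(txn)
        self.posted.append(txn)
        return txn.txn_id


def demo():
    """Post three constructed transactions and return the ledger and review file."""
    eam = AuditModule(watched_accounts={"SUSPENSE"})
    ledger = Ledger(eam)
    ledger.post(Transaction("T1", 250.0, "alice", "bob", "EXPENSE"))
    ledger.post(Transaction("T2", 12_000.0, "alice", "alice", "EXPENSE"))
    ledger.post(Transaction("T3", 40.0, "carol", "bob", "SUSPENSE"))
    return ledger, eam


if __name__ == "__main__":
    _, module = demo()
    for exception in module.exceptions:
        print(exception)
```

Because the module lives inside the application, changes to its rules follow the same change control as the application itself, and the review file must be protected from the users whose transactions it records; both are points the IS auditor checks before relying on an EAM.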