2/8/2010

INFORMATION SYSTEMS AUDIT

PROCESS
Domain 1

Certified Information
Systems Auditor Course
2010
By Marjan Hussein
MBA, BCOMM,CPA(K),CISA, CIA, CCSA

Domain 1: IS Audit Process (Approximately

10% of exam 20 Questions)
Provide IS audit services in accordance with IS
audit standards, guidelines, and best practices
to assist the organization in ensuring that its
information technology and business systems
are protected and controlled.

TASKS
Develop and implement a risk-based IS audit
strategy for the organization in compliance with IS
audit standards, guidelines and best practices.
Plan specific audits to ensure that IT and business
systems are protected and controlled.
Conduct audits in accordance with IS audit
standards, guidelines and best practices to meet
planned audit objectives.
Communicate emerging issues, potential risks,
and audit results to key stakeholders.
Advise on the implementation of risk
management and control practices within the
organization while maintaining independence.

Knowledge Statements
Knowledge of ISACA IS Auditing Standards, Guidelines and
Procedures, and Code of Professional Ethics
Knowledge of IS auditing practices and techniques
Knowledge of techniques to gather information and
preserve evidence (e.g., observation, inquiry, interview,
CAATs, electronic media)
Knowledge of the evidence life cycle (e.g., the collection,
protection, chain of custody)
Knowledge of control objectives and controls related to IS
(e.g. COBIT)

2/8/2010

Knowledge Statements Cont

Knowledge of risk assessment in an audit context
Knowledge of audit planning and management
techniques
Knowledge of reporting and communication
techniques (e.g., facilitation, negotiation, conflict
resolution)
Knowledge of control self-assessment (CSA)
Knowledge of continuous audit techniques

Information Systems Audit Process

Individual audit assignments

Understanding of environment under review during planning is important

To perform the audit planning the auditor should:-

Gain an understanding of business mission, purpose, objectives,

processes and technology which include information and processing
requirements such as availability, integrity, confidentiality and business
technology.
Identify contents such as policies, standards and required guidelines,
procedures and org structure
Perform risk analysis to help in designing the audit plan
Conduct review of IC related to IT
Set audit scope and objectives

Develop the audit approach or audit strategy

Assign resources

Address engagement logistics

Information Systems Audit Process

Information Systems Audit Process

Management of the IS Audit Function

Individual audit assignments

Organization of the IS Audit Function

IS audit services can be provided internally or externally
Charter defines the IS audit function

Scope, authority and responsibility of IS audit function

Should be approved by highest level of management and Audit Committee

How to gain understanding of business

Touring key organizational facilities

Reading background materials

Reviewing long-term strategic plans (biz & IT)

IS Audit Resource Management

Interviewing key managers to understand business issues

Maintain competency through updates of existing skills and training on

new audit techniques and technological areas.

Identify special regulation applicable to IT

Detailed staff training plans for year and reviewed semi annually

Reviewing prior reports

Identify IT functions or related activities that have been outsourced

IS Audit Planning
Long and short term plans preparation

Analysis of both plans should be done at least annually

Each individual audit assignment must be adequately planned

2/8/2010

ISACA Code of Professional Ethics

Information Systems Audit Process

Laws and regulations effects on IS Audit Planning
Identify those government or other external requirements dealing
with:

The Information Systems Audit and Control

Association, Inc. (ISACA) sets forth this Code of
Professional Ethics to guide the professional and
personal conduct of members of the association and/or
its certification holders.

Electronic data, personal data, copyrights, e-commerce, esignatures etc

Computer system practices and controls

Manner in which computer program and stored data are used

Way data is processed and transmitted

Members and ISACA certification holders shall:

IS audits

1.

The organization or activities of information technology services

Information Systems Audit Process

Laws and regulations effects on IS Audit Planning
(cont..)
Document pertinent laws and regulations

Assess whether management of the organization and Information

Systems function have considered relevant external requirements in
making plans, policies, standards and procedures
Review internal IS dept documents that address adherence to
applicable laws in the industry
Determine adherence to established procedure

Establish if there are procedures in place to ensure contracts or

agreements with external IT services providers reflect any legal
requirements related to responsibilities.

Support the implementation of, and encourage

compliance with, appropriate standards, procedures
and controls for information systems.

ISACA Code of Professional Ethics (cont..)

2. Perform their duties with objectivity, due diligence and
professional care, in accordance with professional standards and
best practices.
3. Serve in the interest of stakeholders in a lawful and honest
manner, while maintaining high standards of conduct and
character, and not engage in acts discreditable to the profession.
4. Maintain the privacy and confidentiality of information obtained in
the course of their duties unless disclosure is required by legal
authority. Such information shall not be used for personal benefit
or released to inappropriate parties.

2/8/2010

ISACA IS Standards (cont..)

ISACA Code of Professional Ethics (cont..)

5.

Maintain competency in their respective fields and

agree to undertake only those activities, which they
can reasonably expect to complete with professional
competence.

6. Inform appropriate parties of the results of work

performed; revealing all significant facts known to
them.
7. Support the professional education of stakeholders in
enhancing their understanding of information systems
security and control.

ISACA IS Standards
The specialized nature of IS auditing and the skills and
knowledge necessary to perform such audits require globally
applicable standards that pertain specifically to IS auditing.
Objectives of ISACA standards are to inform: IS auditor of minimum level of acceptable performance
required to meet the professional responsibilities set out in
the code of professional ethics
Management and other interested parties of the
professional expectations concerning the work of audit
practitioners
Holders of CISA designation of requirements that failure to
comply with these standards may result in investigations by
the ISACA board for disciplinary actions.
Standards define mandatory requirements for IS auditing and
reporting.

S1 Audit charter
S2 Independence
S3 Professional Ethics and Standards
S4 Professional Competence
S5 Planning
S6 Performance of Audit Work
S7 Reporting
S8 Follow up activities
S9 Irregularities and Illegal Acts
S10 IT Governance
S11 Use of Risk Assessment in Audit Planning
S12 Audit Materiality
S13 Using the Work of Other Experts
S14 Audit Evidence
S15 IT Controls
S16 E-commerce

ISACA IS Auditing Guidelines

Objectives of the guidelines is to provide further
information on how to comply with the ISACA IS
Auditing Standards
The IS auditor should:
consider them in determining how to implement the
standards
Use professional judgment in applying them
Be able to justify any departure

For index on IS auditing Guidelines refer to the CISA

2010 manual (pg 37 - 40)

2/8/2010

ISACA IS Auditing Procedures

Provide examples of possible process an IS auditor might
follow in an audit engagement
In determining appropriateness of any specific procedure, IS
auditor should apply their own professional judgment to the
specific circumstances
The procedure documents provide information on how to
meet the standards when performing IS auditing work, but
do not set requirements
It is not mandatory for the IS auditor to follow these
procedures; however, following them will provide assurance
that the standards are being followed by the auditor.

Relationship Between Standards,

Guidelines & Procedures
IS Auditing Standards are to be followed by all IS
auditors
Guidelines provide assistance on how the IS auditor
can implement standards in various audit assignments
Procedures provide examples of steps the auditor may
follow in specific audit assignments so as to implement
the standards.
IS auditor should always use professional judgment in
using guidelines and procedures

Information Technology Assurance Framework

(ITAF)
It is a comprehensive and good-practice setting model
that:-

Provides guidance on design, conduct and reporting of IT

audit and assurance assignments
Defines terms and concepts specific to IT audit and assurance
Establish standards that address IT audit and assurance
professional roles and responsibilities, knowledge and skills,
and diligence, conduct and reporting requirements.

ITAF includes 3 categories of standards (General code of

ethics, Performance audit planning, supervision,
scoping etc and Reporting)
(Assigned Readings CISA 2010 manual pages 34 45)

RISK ANALYSIS
Risk
The potential that a given threat will exploit vulnerabilities of
an asset or group of assets to cause loss or damage to asset.
The impact or relative severity of the risk is proportional to the
business value of the loss/damage and to the estimated
frequency of the threat.
uncertainty that surrounds future events and outcomes
It is the expression of the likelihood and impact of an event
with potential to influence achievement of an organizations
objectives.
Risk is anything that could prevent achievement of
organizations objectives

Anything that could impact on the interest of stakeholders

2/8/2010

Risk Analysis (cont)

Risk Analysis (cont..)

Elements of Risk
Threat to, and vulnerabilities of, processes and/or assets (both
physical and information assets)
Impact on assets based on threats and vulnerabilities
Probabilities of threats (likelihood and frequency of occurrence)
Total Risk = Threats X Vulnerability X Asset Value
Example of threats are errors, malicious damage/attack, fraud, theft,
equipment failure, software failure
Example of vulnerabilities are, lack of user knowledge, poor choice of
passwords, use of untested technology, transmission over
unprotected communication

Risk Analysis (cont..)

Business risks are the likelihood of those threats that
may negatively impact the assets, processes or
objectives of a specific business.
The nature of risks may be financial, regulatory or
operational, and may arise as a result of interaction of
business with its environment, as a result of strategies,
systems and particular technology, processes,
procedures and information used by business.
The IS auditor is often focused towards high-risk issues
associated with confidentiality, availability or integrity of
sensitive and critical information, and the underlying
information systems and processes that generate, store
and manipulate such information

Risk assessment process is characterized as an iterative life

cycle:1. Identification of business objectives
2. Perform risk assessment to identify threats and determine
the probability of occurrence and the resulting impact and
additional safeguards that would mitigate this impact to
acceptable level
3. Identifying controls for mitigating the identified risks
(preventive, detective and corrective)
4. Assess countermeasures through cost benefit analysis
based on:

Cost compared to benefit of minimizing the risk

Management risk appetite
Preferred risk reduction method [terminate, minimize
occurrence probability, minimize impact, or transfer risk]

5. Monitoring performance levels of risks being managed

Summary of Risk Assessment Process

Identify Business Objectives
(BO)
Identify Information Asset
Supporting the BOs
Perform periodic Risk
Reevaluation
(BO/RA/RM/RT)

Perform Risk Assessment (RA)

[Threat Vulnerability
Probability Impact]

Perform Risk Mitigation (RM)

[Map risks with controls in
place]

Perform Risk Treatment (RT)

[Treat significant risks not

mitigated by existing controls]

2/8/2010

Risk Analysis (cont..)

Purpose of Risk Analysis
Assist the IS Auditor in identifying risks and
threats to an IT environment and Systems
selecting certain areas to examine
Helps the IS Auditor in his/her evaluation of
controls in audit planning
Helps in determining the audit objectives
Helps in supporting risk-based audit decision
making.

INTERNAL CONTROLS

Internal Control (cont..)

Accuracy and completeness of processing of transaction

Output
Reliability of process
Backup/recovery
Efficiency and economy of operations

Classifications of Controls
Preventative Controls
Detective Controls
Corrective Controls

Internal Control (cont..)

Policies, procedures, practices and organizational structures

designed to provide reasonable assurance that an organizations
objectives will be achieved, undesired risks prevented, or detected
and corrected.
INTERNAL CONTROL OBJECTIVES

Statements of desired results or purpose to be achieved by

implemented control procedures. Control is the means by which
control objectives are addressed.
Control Objectives include:

Safeguarding of information technology assets

Compliance to corporate policies or legal requirements

Authorization/input

2/8/2010

IS Control Objectives
IC objectives apply to all areas, whether manual or
automated.
IS control objectives include: Safeguarding assets. Information on automated systems is
secured from improper access and kept up to date
Assuring integrity of general operating system environments,
including network management and operations
Assuring integrity of sensitive and critical application system
environments, including accounting/financial and
management information through:
Authorization of inputs
Accuracy and completeness of processing of transaction

IS Control Objectives (cont..)

Developing business continuity and disaster recovery
plans
Developing an incidence response time
Change management

COBIT

IS Control Objectives (cont..)

Reliability of overall information processing activities
Accuracy, completeness and security of output
Database integrity

Ensuring the efficiency and effectiveness of

operations
Complying with the users requirements and with
organizational policies and procedures as well as
applicable laws and regulations

COBIT is a framework with set of 34 IT processes

grouped into 4 domains:

planning and organizing,

acquiring and implementation,
delivery and support and
monitoring and evaluation

By addressing these 34 IT processes,

organization can ensure that adequate
governance and control arrangements are
provided for their IT environment
COBIT can be used as a supplementary study
material in understanding control objectives and
principles.

2/8/2010

COBIT cont..
Supporting these IT processes are more than 200
detailed control objectives necessary for effective
implementation
COBIT uses, as primary reference current major
framework standards and regulations relating to
IT.
COBIT is directed to Management and staff of
Information services, control departments, audit
functions and most importantly, the business
process owners using IT processes to assure
confidentiality, integrity and availability of
sensitive and critical information

IS Controls
Each general control procedure can be translated into ISspecific control procedure.
IS control procedures include:

Strategy and direction

General organization and management
Access to data and programs
Systems development methodologies and change control
Data processing operations
Systems programming and technical support fns.
Data processing quality assurance procedures
Physical access controls
Business continuity and disaster recovery planning
Network and communications
Database administration

General Controls
Controls include policies, procedures and
practices established by management to
provide reasonable assurance that specific
objectives will be achieved.
They apply to all areas of the organization
General Controls include:

Performing IS Audit

Internal accounting controls - safeguarding of assets and

reliability of financial records

Operational controls - day to day activities

Administrative controls - operational efficiency in a

functional area and adherence to management policies. They

support operational controls concerned with operating
efficiency and policy adherence

2/8/2010

Auditing
A systematic process by which a
competent, independent person
objectively obtains and evaluates
evidence regarding assertions about an
economic entity or event for purpose of
forming an opinion about and reporting
on the degree to which the assertion
conforms to an identified set of
standards

IS Audit
Defined as any audit that encompasses review
and evaluation (wholly or partially) of
automated information processing systems,
related non-automated processes and the
interfaces between them

Classification of Audits
Financial audits data (integrity and
reliability)
Operational audit - controls
Integrated audits data and controls
Administrative audits - operational efficiency
Information systems audit IS
Specialized audits reviewing services
performed by third-party providers
Forensic audits discovering, preserving,
disclosing and following up on frauds and
crimes

Financial audits:
Assess correctness of financial
statements
Often involve detailed substantive testing
Relates to information reliability and
integrity

10

2/8/2010

Administrative Audits

Operational audit
Designed to evaluate internal controls e.g.
IS Audit of application controls, or logical
security

Audits oriented to assess issues related to

efficiency and effectiveness of operational
productivity within an organization.

Integrated audits
Includes both financial and operational
Performed to assess overall objectives
related to financial information, assets
safeguarding, efficiency
Include both compliance and substantive
tests

Information systems audit

Collect and evaluate evidence to determine
whether an information systems and related
resources

Safeguards assets,
Maintains data and system integrity,
Provide relevant and reliable information
Achieve organizational goals effectively and
efficiently
Internal controls provide reasonable assurance
that operational and control objectives will be met

11

2/8/2010

Specialized audits
These are specialized reviews that examine areas
such as service performed by third parties and
forensic auditing
Statement on Auditing Standards (SAS) 70, titled
Reports on Processing of Transactions by Service
Organizations is a widely known standard developed
by AICPA
SAS 70 defines the professional standards used by
service auditor to assess the internal control of
service organization

Forensic audits
These are audits specialized in discovering, disclosing and
following up on frauds and crimes
The purpose of these reviews is to develop and protect
evidence for review by law enforcement and judicial
authorities
Computer forensic investigation include analysis of electronic
devices, such as computers, phones, PDAs, disks, switches,
routers, hubs and other electronic equipment
Admissibility of evidence in court is very important and
therefore computer evidence must be properly handled.
Forensic audit tools such as data mapping for security and
privacy, risk assessment and search for intellectual property
for data protection are being used for prevention, compliance
and assurance.

Audit Programs
Audit work program is the audit strategy and plan
It identifies scope, audit objectives, and audit procedures
to obtain sufficient, relevant and reliable evidence to
draw and support audit conclusions and opinions
IS auditors often evaluate IT functions and systems from
different perspectives such as:

Security (confidentiality, integrity and availability)

Quality (effectiveness and efficiency)
Fiduciary (compliance, reliability)
Service
capacity

General Audit procedures

Steps in performing an audit and includes:-

Obtaining and recording an understanding of the audit

area
Detailed audit planning
Preliminary review of the audit area
Verifying and evaluating the appropriateness of
controls designed to meet control objectives
Testing (compliance and substantive)
Reporting
Follow up

12

2/8/2010

General Audit procedures (cont..)

The IS auditor must understand the procedures for
testing and evaluating IS controls. These include:-

The use of generalized audit software to survey the

contents of data files
The use of specialized software to assess the contents of
operating system database and application parameter
files (or detect deficiency in system parameters setting)
Flow charting techniques for documenting automated
applications and business processes
The use of audit logs/reports available in
operation/application systems
Documentation review
observation

Audit objectives
They refer to the specific goals of the audit
Determination of audits objectives is a critical
step in planning an IS audit
Center around substantiating that internal
controls exists to minimize business risk
The basic purpose of any IS audit is to
identify control objectives and the related
controls that address the objective
Management may issue a general objective
Key element in planning: translating to
specific IS audit objectives

Audit process steps

Plan assess risks, develop audit program: objectives,
procedures

Obtain evidence
Evaluate evidence strengths and weaknesses of
controls

Prepare and present report

Follow-up - corrective actions taken by management

Audit methodology
A set of documented audit procedures
designed to achieve planned audit
objectives.
Components include:
Scope
Audit objectives
Work programs

13

2/8/2010

Audit phases (cont..)

Audit program
Step-by-step set of audit procedures and
instructions that should be performed to
complete an audit
A guide for documenting various audit steps
performed
Guides on the types and extent of evidential
matters to be reviewed
Provides a trail of the process used
Provides accountability for performance

Practice Question

Audit phases

Audit subject - Identify the area to be audited

Audit objective - Identify purpose of audit
Audit scope
Pre-audit planning
Audit procedures and steps for data gathering
Procedures for evaluating the test or review
results (organization specific)
Procedures for communication with
management (organizational specific)
Audit report preparation:

1-1

Which of the following BEST describes the

early stages of an IS audit?
A. Observing key organizational facilities
B. Assessing the IS environment
C. Understanding the business process and
environment applicable to the review
D. Reviewing prior IS audit reports

14

2/8/2010

Fraud Detection
Management is primarily responsible for
establishing, implementing and maintaining a
framework and design of IT controls to meet the
internal control objectives.
A well designed ICS provides good opportunity for
deterring fraud at the first instance and a system
that enables timely detection of frauds
IS auditor should observe and exercise due
professional care in all aspects of their work and
be alert to the possible opportunities that allow a
fraud to materialize

Fraud Detection (cont)

Risk-Based Auditing
Business risks include concerns about probable effects of an
uncertain event on achieving established organization
objectives.
By understanding the nature of the business, IS auditors can
identify and categorize the types of risks that will better
determine the risk approach in conducting the audit.
Risk based approach is used to assist an IS auditor in making
the decision to perform either compliance or substantive
testing.
Helps the auditor in determining the nature and extent of
testing.
In addition to risk the auditors are also influenced by the
Internal Controls as well as the knowledge of the business.

Risk-Based Audit Approach

IS auditor should be aware and diligent as regards the

possibility and means of perpetrating frauds especially by
exploiting the vulnerabilities and overriding controls in ITenabled environment
IS auditor should have knowledge of fraud and fraud
indicators, and during performance of audit work, be alert to
the possibility of frauds and errors
When IS auditor comes across any instances of fraud or
indicators of fraud, he/she may, after careful evaluation,
communicate the need for a detailed investigation to
appropriate authorities
In case of auditor identifying a major fraud or where the risk
associated with the detection is high, audit management
should also consider communicating to the audit committee,
in a timely manner.

15

2/8/2010

Practice Question
1-2

In performing a risk-based audit, which risk

assessment is completed initially by the IS
auditor?
A.
B.
C.
D.

Detection risk assessment

Control risk assessment
Inherent risk assessment
Fraud risk assessment

Practice Question
1-3

While developing a risk-based audit

program, on which of the following would the
IS auditor MOST likely focus?
A.
B.
C.
D.

Business processes
Critical IT applications
Operational controls
Business strategies

Audit risk and Materiality

Risk that information may contain a
material error that may go undetected
during the course of the audit
Risk within the audit process itself
The risk of giving an incorrect audit opinion
Sometimes used to describe the level of risk
that the IS Auditor is prepared to accept

Audit risk - cont

Can be categorized as:
Inherent risk
Control risk
Detection risk
Overall audit risk

16

2/8/2010

Inherent risk
Risk that an error exist which could be
material assuming there are no related
compensating controls
Can be categorized as susceptibility of a
material misstatement in the absence of
related controls e.g.

Complex calculations are more likely to be

misstated than simple ones
Cash is more likely to be stolen than inventory

Detection risk
The risk that the ISA used an inadequate test
procedure and concludes that material errors do
not exist, when in fact, they do
Can be used to assess and evaluate and ISAs
ability to test, identify and correct material errors
Can be minimized by:
Proper statistical sampling procedures
A strong quality control process

Exist independent of an audit

Can occur because of the nature of a
business

Control risk
Risk that a material error exists which will
not be prevented or detected on a timely
basis by the system of internal controls

Overall audit risk

Combination of individual categories of
audit risk assessed for each specific
control objective
Objective of audit approach is to limit
overall audit risk

17

2/8/2010

Practice Question

Materiality and audit risk

Materiality is an expression of relative significance or
importance of a particular matter in the context of the
organization as a whole
Word material is associated with any of the components of
risk - it refers to an error that should be considered
significant by any party concerned
While a given system may not detect a minor error, a
combination of these may end up being material
Requires sound judgment from the auditor
Essential when planning areas to be audited and the specific
tests to be performed
Materiality considered in terms of the total potential impact
to the organization.

Practice Question
1-4

Which of the following types of audit risk

assumes an absence of compensating
controls in the area being reviewed?
A.
B.
C.
D.

Control risk
Detection risk
Inherent risk
Sampling risk

1-5

An IS auditor performing a review of an applications

controls finds a weakness in system software that
could materially impact the application. The IS
auditor should:
A.
B.
C.
D.

disregard these control weaknesses, as a system

software review is beyond the scope of this review.
conduct a detailed system software review and report
the control weaknesses.
include in the report a statement that the audit was
limited to a review of the applications controls.
review the system software controls as relevant and
recommend a detailed system software review.

Audit risk assessment

Used to identify and evaluate risk and their
potential effect
Used to determine high risk areas that should
be audited
Planning guideline - An assessment risk
should be made:
To provide reasonable assurance that material
items will be adequately covered during the audit
work
This assessment should identify areas with
relatively high risk of existence of material
problems

18

2/8/2010

Risk Assessment

Audit risk assessment - cont

Assess client strategic business risk

Risk assessment and other audit

techniques should be considered in
deciding:

The nature, extent and timing of audit

procedures
Areas or business functions to be audited
The amount of time and resources to be
allocated an audit

Assess the risk of material misstatement due to error, fraud or other

irregularities

Audit risk
=

Factors affecting inherent risk

Factors affecting control risk

Inherent risk ?

Control risk ?

(Auditee risk)

Detection
risk

(Auditor risk)

Audit risk assessment - cont

Risk assessment methods

Using risk assessment to determine areas to be

audited:
Enables management to effectively allocate
limited resources
Ensures audit activities are directed to high
risk areas
Establishes a basis for effectively managing
the audit department
Provides a summary of how the individual
audit subject is related to the overall

Different methods employed to perform risk

assessments e.g.scoring system, Judgmental
A combination of methods may be used
May develop and change over time to best
serve the needs of the organization
All rely on subjective judgment at some point
in the process
Evaluate appropriateness of any chosen risk
methodology

19

2/8/2010

Scoring method
Considers variables such as:

Audit evidence

Variables may or may not be weighted

The information ISA gathers in the course of

performing an IS audit to meet audit objectives
Must directly relate to the objectives of the
review
Gathering of evidential matter is key to the audit
process
Mandatory under Standard for Evidence
Evidence should be appropriately organized and
documented to support findings and conclusion

Judgmental method

IS Audit Standard 14 Audit

Evidence

technical complexity,
controls in place,
financial loss.

Decision based on:

executive management directives,
historical perspectives,
business goals and
environmental factors

States that:

.The ISA should obtain sufficient and

appropriate audit evidence to draw
reasonable conclusions on which to base the
audit results.
The audit findings and conclusions are to be
supported by appropriate analysis and
interpretation of this evidence.

20

2/8/2010

Audit evidence - cont

Audit evidence - cont

Sufficient it is complete, adequate,

convincing and would lead another ISA to
form the same conclusions
Reliable if in the auditors opinion, it is valid,
factual, objective and supportable
Relevant if it pertains to the audit objectives
and has a logical relationship to the findings
and conclusions it is used to support

Observed processes and existence of

physical items e.g.
Inventory of media at an offside
storage location
Computer room security in operation
Cash count

Audit evidence - types

Observed processes and existence of
physical items
Documentary evidence recorded on
paper or other media
Representations
Analysis

Audit evidence - cont

Documentary evidence recorded on
paper or other media, can include:
Results of data extractions
Records of transactions
Program listings
Invoices
Activity and control logs
System development documentation

21

2/8/2010

Audit evidence - cont

Representations include:

written and oral statements,

written procedures and policies,
system flowcharts

Audit evidence - cont

Analysis includes:

Comparisons
Simulations
Calculations
reasoning (synthesis)

Examples:

Benchmarking of IS performance against other

organizations or past performance
Comparison of error rates between applications,
transactions and users

Audit evidence and planning

When planning IS audit work, ISA
should take into account:
Audit evidence to be gathered
Its use in meeting objectives
Its reliability (source & method)

Reliability - determinants
Independence of provider of evidence
Qualifications of the individual providing
the information or evidence
Objectivity of the evidence
Timing of evidence

22

2/8/2010

Reliability - cont
Independence of provider of evidence
Example:
Corroborative evidence from an
independent third party can be more
reliable than evidence from organization
being audited (e.g. Circularization of
debtors, bank confirmation)

Quality and quantity of Evidence

Quality (competence) when it is both
valid and relevant
Quantity - refers to sufficiency of audit
evidence

Reliability - cont

Techniques for gathering evidence

Objectivity of evidence:
Objective evidence is much better than that
requiring considerable judgment and
interpretation
Examples:

Reviewing Information Systems

organizational structures
Reviewing IS policies and procedures
Interviewing appropriate personnel
Observing processes and employee
performance

Physical evidence is more reliable than representations

of an individual - ISAs cash count is direct, objective
evidence.
However, an ISAs analysis of the efficiency of an
application, based upon discussion with certain
personnel, may not be objective audit evidence.

23

2/8/2010

Reviewing IS organizational structures

Separation/segregation of duties is a key
general control.
Review structures to determine the level
of controls they provide ISAs knowledge of
general organizational controls is very important

Reviewing Information Systems

Standards
IS auditor should understand the existing
standards in place within the organization

Be aware of differences particularly in

organization with cooperative distributed processing or

end-user computing

Reviewing IS Policies & Procedures

Review whether appropriate policies and procedures
are in place and whether personnel understand the
implemented policies and procedures
Verify that management assumes responsibility for
formulating, developing, documenting promulgating and
controlling policies covering general aims and directives
Look for minimum level of documentation
Review documentation and determine if it follows
organizations documentation standards
Recognize differences in documentation e.g. for
computer Aided Software Engineering (CASE),
prototyping, database specifications, file layout, selfdocumented program listings, documents will not be
required or will be in automated form rather than on
paper

Reviewing IS documentation
standards
Understand the existing documentation in
place
Minimum documentation may include:

Systems development initiation documents (e.g. feasibility

study)
Functional requirements and design specifications
Test plans and reports
Program and operations documents
Program change logs and histories
User manuals
Operations manuals
Security related documents (e.g. security plans, risk
assessments)
QA reports

24

2/8/2010

Interviewing appropriate personnel

Organize interview in advance

Follow a fixed outline
Documented by interview notes
Interview checklist or form is a good
approach
Never be accusatory rather interviews be
discovery

Observing processes and

employee performance
A key audit technique for many types of
reviews
IS auditor should be unobtrusive while
making observations
Document everything in sufficient detail
to be able to present it as audit evidence
at a later date

Interviewing & observing personnel in

the performance of their duties
Actual functions allows auditor an opportunity to witness how
policies and procedures are internalized

Actual processes / procedures allow ISA to gain evidence

of compliance and observe deviations if any

Security awareness assist verify an individuals understanding

and practice of preventive and detective security measures to safeguard

the companys assets

Reporting relationships to ensure assigned responsibilities

and adequate segregation of duties are being practiced

Compliance testing
Tests of control designed to obtain audit evidence on
both the effectiveness of the controls and their
operation during the audit period
Evidence gathering to determine organizations
compliance with control procedures
Used where there is a trail of documentary evidence
e.g. written authorization to implement a modified
program
Broad objective: to provide reasonable assurance that a
particular control on which the ISA plans to rely, is
operating as perceived/intended
Attribute sampling compliance test used to check
presence or absence of an attribute.

25

2/8/2010

Substantive testing

Relationship between compliance

and substantive testing (cont..)

Tests of detailed activities and transactions, or analytical

review tests, designed to obtain audit evidence on the
completeness, accuracy or existence of those activities
or transactions during the audit period
Evidence gathering that evaluate the integrity of
individual transactions, data and other information
Provides evidence of the validity and propriety of the
balances in the financial statements and the
transactions that support these balances
Minimized if compliance testing reveal presence of
adequate controls
Conversely if compliance testing reveals weaknesses in
controls that raise doubts about the completeness,
accuracy or validity of accounts, substantive testing can
alleviate those doubts (variable sampling used)

Relationship between compliance and

substantive testing
Review system to identify controls
Test compliance to get reasonable assurance
that the controls are functioning
Evaluate controls to determine reliance, nature
and extent of substantive tests
Use substantive tests to validate data:
Test of balances and transactions
Analytical review procedures

Sampling
Population consists of the entire group of items
that need to be examined
Sample is a subset of population members
Used to infer characteristics about a population,
based on the results of examining characteristics
of a sample of the population
Sample must represent as closely as possible
the characteristics of the whole population

26

2/8/2010

Why sampling
Ideal to examine the entire
population
Considerations:
Time
Cost

Statistical sampling
Uses objective method to determine:
Sample size
Selection criteria
Sample precision
Reliability or confidence level

NB: to be a statistical sample, each item in the

population should have an equal opportunity of being
selected

Can infer population characteristics from sample

Preferred method

General Sampling approaches

Statistical sampling

uses objective method

Non-statistical (or Judgmental sampling)

uses subjective judgment

Non-statistical or judgmental sampling

uses subjective judgment to determine:
Method of sampling
Sample size
Sample selection which items to select

May not infer population characteristics

from sample
not preferred method

27

2/8/2010

Sampling risk
Both statistical and judgmental sampling
require ISA judgment
Risk that the auditor will draw the wrong
conclusion from the sample
Statistical sampling allows ISA to quantify
probability of error (confidence
coefficient)

Methods of sampling
Attribute sampling
Variable sampling

Attribute sampling
Selecting items with certain attributes or
characteristics (all items over a certain
size)
Also known as proportional sampling
Deals with presence or absence of an
attribute or characteristic
Generally used in compliance testing
Conclusions expressed in rates of
incidence

Attribute sampling: types

Attribute sampling or fixed sample size attribute
sampling or frequency estimation used to
estimate rate of occurrence of specific quality in
a population (how many?)
Stop-or-go sampling audit tests stopped at the
earliest possible moment (relatively few errors)
Discovery sampling when expected
occurrence is extremely low. Used to seek out
fraud, circumvention of regulations and other
irregularities

28

2/8/2010

Variable sampling
Used to estimate the average or total value of
population based on a sample
Also known as
- dollar estimation or
- mean estimation sampling or
- quantitative sampling

Used to estimate the dollar value or some other unit of

measure such as weight, height etc.
Generally applied in substantive testing
Provides conclusions related to deviations from norm
Example is review of balances for material transactions

Variable sampling: Types

Stratified mean per unit

Population divided into groups and samples drawn

from them
Produces a smaller sample size

Un-stratified mean per unit:

Sample mean is calculated and projected as an

estimated total

Difference estimation:

Used to estimate total difference between audited

values and book values (un-audited values) based
on sample

Statistical sampling terms

Confidence coefficient (also referred to as confidence
level or reliability factor)
Level of risk: one minus confidence coefficient
Precision- acceptable range difference between the
sample and actual population (set by auditor)
Expected error rate - EER Sample size
Sample mean average size of the sample
Sample standard deviation
Tolerable error rate max no of errors that can exist
without an account being materially misstated
Population standard deviation

Confidence coefficient
Also referred to as confidence level or
reliability factor
The probability that the characteristics of the
sample are a true representation of the
population
95% considered a high degree of comfort
If internal controls are strong, confidence
level may be lowered
The greater the confidence coefficient, the
larger the sample

29

2/8/2010

Level of risk

One minus confidence coefficient

E.g. if confidence coefficient is 95%
level of risk is 5%

Precision
Set by the ISA
Represents acceptable range between sample
and population
For attribute sampling stated as a percentage
For variable sampling stated as a monetary
amount or number
The higher the precision amount, the smaller
the sample size, the higher the risk of error
The lower the precision amount, the greater
the sample size

Expected error rate

An estimate of errors that may exist
Expressed as a percentage
The greater the expected error rate, the
greater the sample size
Applied to attribute sampling

Others
Sample mean average size of the sample
Sample standard deviation measures spread
or dispersion of sample values
Tolerable error rate - Maximum misstatement
or number of errors that can exist without an
account being materially misstated
Population standard deviation measures
relationship to standard deviation
The greater the standard deviation, the larger the
sample size
Applied to variable sampling

30

2/8/2010

Using the Services of other Auditors and

Experts

Circumstances that may lead to using services of other auditors: Scarcity of IS auditors and the need for IT security specialists
Highly specialized areas

Outsourcing of IS assurance and security services is increasingly

becoming a common practice
Possible areas of outsourcing include Networking, ATM, Wireless,
System Integration etc.
Considerations before using services of other auditors and experts:

Any restriction by law and regulations

Audit charter or contractual stipulations
Impact on overall and specific IS audit objectives
Impact on IS audit risk and professional liability
Independence and objectivity of other auditors/experts
Professional competence, qualifications and experience
Scope of the work to be outsourced and the approach
Supervisory and audit management control
Methods and modalities of communication of audit results etc.

Using the Services of other Auditors and

Experts (cont..)

Other special considerations would include:-

Testimonials/references and background checks

Access to systems, premises and records
Confidentiality restrictions to protect customer related information
Use of CAATs and other tools
Standards and methodologies for performance of work and
documentation
Nondisclosure agreements

IS auditor responsibilities:-

Clearly communicating the audit objectives, scope and

methodology through a formal engagement letter
Put in place monitoring process for regular review of the third
party work
Assess usefulness and appropriateness of reports and impacts of
their significant findings on the overall audit objectives.

Computer Aided Audit Techniques

(CAATs)

Any computer based tool for automating audit

procedures
Provides a means to:

gain access and to analyze data for a predetermined period

report on audit findings with emphasis on reliability of
records produced and maintained in the system

CAATs Examples
These include:

Generalized audit software e.g. ACL, IDEA

Utility software e.g. DBMS report writers
SQL commands
Third party Access Control Software
Application Systems
Options and reports build into system
Spreadsheets??

31

2/8/2010

Need for CAATs

Evidence exists in electronic form

Differences in HW, SW environments, data
structures, record formats, processing
functions, etc
What else???

Functional capabilities of CAATs

File access reading different file structures and

record formats
File reorganization indexing, sorting, merging,
linking
Data selection filtration conditions, selection
criteria
Statistical functions sampling, stratifications,
frequency analysis
Arithmetic functions - arithmetic operators and
functions

Generalized audit software

Provides an independent means to gain access to

data for analysis
Effective and efficient use require understanding of
its capabilities and limitations
Reads and accesses data from various DB
platforms, flat file formats, ASCII formats
Features include:

Mathematical computations
Stratifications
Statistical analysis
Sequence checks
Duplicate checks
Re-computations

CAATs advantages

Reduced level of audit risk

Enhances independence from auditee
Broader and more consistent audit coverage
Faster availability of information
Improved exception identification
Greater flexibility of run times
Greater opportunity to quantify IC weaknesses
Enhanced sampling
Cost savings over time

32

2/8/2010

CAATs: Things to consider

Cost benefit analysis

Ease of use
Training requirements
Complexity of coding and maintenance
Flexibility of uses
Installation requirements
Processing efficiencies
Effort required to obtain source data into
CAAT

CAATs areas of concern

CAATs things to do

CAATs development documentation

Integrity, reliability and security of CAAT

Integrity of IS and security environment
Confidentiality and security of data

Request read only access to production

data
Keep data confidential

Commented program listings

Flowcharts
Sample reports
Record and file layouts
Field definitions
Operating instructions

33

2/8/2010

Practice Question
1-6

The PRIMARY use of generalized audit

software (GAS) is to:
A.
B.
C.
D.

test controls embedded in programs.

test unauthorized access to data.
extract data of relevance to the audit.
reduce the need for transaction vouching.

Evaluating evidence
Involve judgments based on experience
Use evidence gathered to assess compliance
with control objectives
Assess strengths and weaknesses in controls
to determine if these are effective in meeting
control objectives established in planning
Control matrix may be used to illustrate areas
where controls may be weak or lacking
Always check for compensating controls
before reporting a control weakness
A control objective may be met by a number of
controls

Judging materiality of findings

Key: judging what is significant to
different levels of management
Requires judgment of potential effect of
finding if corrective action is not taken
ISA decides what to discuss with auditee
and what to report

Communicating Audit Results

ISAs are ultimately responsible to Senior Mgt and to
the Audit Committee of the Board of Directors
Before communicating the results of an audit to
Senior Mgt the ISA should discuss the findings with
Mgt staff responsible for area audited
Presentation technique could include executive
summary and visual presentation

34

2/8/2010

Audit Report Structure and Contents

Introduction including statement of audit objectives and
scope and general statement on the nature and extent of
audit procedures used during the audit
ISAs overall conclusion and opinion on the adequacy of
controls and procedures examined during the audit
ISAs reservations or qualifications with respect to the audit
Detailed audit findings and recommendation
Limitation to audit
Statement of IS guidelines followed

Management Actions to Implement

Recommendations
ISA will not be effective if audits are performed, reports
issued, but no follow-up in done to determine if
management has taken appropriate corrective actions
ISA should have a follow-up program to determine if
agreed corrective actions have been implemented
The timing of the follow-up will depend on criticality of the
findings and would be subject to ISAs judgment
The results of the follow-up should be communicated to
appropriate levels of management

Audit Documentation
Documentation should include, at a minimum, a
record of:
The planning and preparation of audit scope and
objectives
The information system environment
The audit program
The audit steps performed and audit evidence
gathered
Audit findings, conclusions and recommendations
Any report issued as a result of the audit work
Supervisory review

Control Self-Assessment (CSA)

A management technique that assures stakeholders,
customers and other parties that the internal control system
of the business is reliable
It ensures that employees are aware of the risks to the
business and they conduct periodic reviews of controls
Methodology used to review key business objectives, risks
involved in achieving the business objectives and internal
controls designed to manage these business risks in a formal,
documented and collaborative process.
In CSA mgt and working teams are directly involved in
judging and monitoring the effectiveness of existing controls

35

2/8/2010

Control Self-Assessment (CSA)

CSA program can be implemented using various ways ranging
from use of questionnaires to facilitated workshops
Primary objective is to leverage the Internal Audit function by
shifting some of the control monitoring responsibilities to the
functional areas.
A critical success factor (CSF) in CSA is to conduct a meeting
with the business units representatives, including appropriate
and relevant staff and management to identify the business
units primary objectives, which is to determine the purpose of
the business unit and supporting objectives
COBIT management guidelines provides generic sets of CSFs,
KPIs, and KGIs for each process used in designing and
monitoring CSA program

Control Self-Assessment (CSA)

Control Self-Assessment (CSA)

Benefits of CSA

Early detection of risks

More effective and improved internal controls
Creation of cohesive teams through employee involvement
Increased employee awareness of organizational objectives and
knowledge of risk and internal controls
Increased communication between operational and top management
Highly motivated employees
Improved audit rating processes
Reduction in control cost
Assurance provided to stakeholders and customers
Necessary assurance given to top management about adequacy of
internal controls, as required by the various regulatory agencies and laws
e.g. Sarbanes-Oxley Act

Control Self-Assessment (CSA)

Disadvantages of CSA
It could be mistaken as an audit function
replacement
It is regarded as an additional workload (e.g. one
more report to be submitted to management)
Failure to act on improvement suggestions could
damage employee morale.
Lack of motivation may limit effectiveness in the
detection of weak controls

36

2/8/2010

Auditors Role in CSA

Auditors become Internal Control professionals and
assessment facilitators
Auditors role enhanced when Audit Dept embark on
CSA program
Auditors value becomes more evident when mgt
takes responsibility and ownership for internal
control systems under their authority through
process improvements in their control structures and
active monitoring

Technology Drivers for CSA Program

Combination of hardware and software to
support CSA selection
Use of electronic meeting system and
computer-supported decision aids to facilitate
group decision making
In case of questionnaire approach, the same
principle applies for the analysis and
readjustment of the questionnaire

Traditional VS CSA Approach

In traditional approach the primary responsibility for
analyzing and reporting on internal control and risk was
assigned to auditors and, to a lesser extent, controller
departments and outside consultants
This approach created and reinforced the notion that
auditors and consultants, not management and work teams,
are responsible for assessing and reporting on IC
The CSA approach emphasizes management and
accountability over developing and monitoring IC of an
organizations sensitive and critical business processes

EMERGING CHANGES IN THE IS AUDIT

PROCESS
Areas that address changes in IS audit process
in order to keep pace with innovations and
technology include:
Automated work papers,
Integrated auditing, and
Continuous auditing

37

2/8/2010

Automated Work Papers

Specialized applications are used in automating audit working
papers (e.g. risk analysis, audit programs, results, test
evidences, conclusions reports and other complimentary
information)
Although auditors often use office automation packages such
as word processors or spreadsheets, standard audit work
paper packages are being implemented in audit departments
and are proving useful and appropriate to help facilitate audit
work
When automating work papers rules regarding integrity,
confidentiality and availability of audit records should be
applied that are equivalent to those required for hard copy.

Integrated Auditing
A process whereby audit disciplines are combined to assess
key internal controls over an operation, process or entity.
Integrated approach focuses on risk. Risk assessment aims to
understand and identify risks arising from the entity and its
environment
IT audit help understand and identify risks in information
management, IT infrastructure, IT Governance and IT
operations
Other audits seek to understand organizational environment,
business risks and business controls
IT systems provide a first line of preventive and detective
controls, and integrated audit depends on a sound
assessment of their efficiency and effectiveness

Practice Question

Automated Work Papers

Minimum controls include but not limited to:

Access to work papers

Audit trails
Automated features to provide and record approval
Security and integrity controls regarding the OS, DB and
communication channels
Backup and restore procedures
Encryption techniques to provide confidentiality

1-7

Which of the following is MOST effective for

implementing a control self-assessment
(CSA) within business units?
A.
B.
C.
D.

Informal peer reviews

Facilitated workshops
Process flow narratives
Data flow diagrams

38

2/8/2010

Integrated Auditing cont

Integrated audit process
involves:

Identification of relevant key

controls
Reviewing and obtaining an
understanding of the design
of key controls
Testing that key controls are
supported by the IT system
Testing that management
controls operate effectively
A combined report or
opinion on control risks,
design and weaknesses

Continuous Auditing
A methodology that enables independent auditors to provide
assurance on a subject matter using a series of auditors
reports issued simultaneously with, or a short period of time
after, the occurrence of events underlying the subject matter
Has edge over periodic auditing because it captures internal
control problems as they occur, thus preventing negative
effects
Implementation can reduce audit inefficiencies, such as
delays, planning time, inefficiency of audit process itself,
overheads due to work segmentation etc.

Continuous Auditing cont

Drivers of continuous auditing include; better monitoring of
financial issues within a company, ensuring that real-time
transactions also benefit from real-time monitoring,
prevention of financial and audit scandals, e.g. Enron and
WorldCom, and use of software to determine that financial
controls are proper
Embedded audit modules allow an auditor to trap predefined
types of events, or directly inspect abnormal transactions
Continuous auditing often incorporate new information
technology development, increased processing capabilities of
current hardware and software, standards and artificial
intelligence tools

Continuous Auditing cont..

For continuous auditing to succeed there must be:
A high degree of automation
An automated and highly reliable process in producing
information about subject matter soon after occurrence
of events underlying the subject matter
Alarm triggers to report timely control failures
Implementation of highly automated audit tools that
require the IS auditor to be involved in setting up
parameters
Quickly informing IS auditor of the results of automated
audit procedures, particularly when the process has
identified anomalies or errors

39

2/8/2010

Continuous Auditing cont..

For continuous auditing to succeed there must be (cont..):
Quick and timely issuance of automated audit reports
Technically proficient IS auditors
Availability of reliable sources of audit evidence
Adherence of materiality guidelines
Evaluation of cost factors
Change of mind-set required for IS auditors to embrace
continuous reporting

Continuous Auditing cont

Advantages

Instant capture of internal control problems

Reduction of intrinsic audit inefficiencies

Disadvantages

Difficulty in implementation
High cost

Elimination of auditors personal judgment and

evaluation

Practice Question

Continuous Auditing cont

IT techniques used in continuous auditing must work at all
data levels, transaction and databases and include:

Transaction logging
Query tools
Statistics and data analysis (CAAT)
Database Management System (DBMS)
Data warehouses, data marts, data mining
Artificial intelligence (AI)
Embedded audit modules (EAM)
Neural network technology
Standards such as Extensible Business Reporting Language (XBRL)

1-8

The FIRST step in planning an audit is to:

A.
B.
C.
D.

define audit deliverables.

finalize the audit scope and audit objectives
gain an understanding of the businesss
objectives.
develop the audit approach or audit strategy.

40

2/8/2010

Practice Question
1-9

The approach an IS auditor should use to

plan IS audit coverage should be based on:
A. risk.
B. materiality.
C. professional skepticism.
D. detective control.

Practice Question
1-10

A company performs a daily backup of critical data

and software files and stores the backup tapes at an
offsite location. The backup tapes are used to
restore the files in case of a disruption. This is a:
A. preventive control.
B. management control.
C. corrective control.
D. detective control.

41