Chapter 1: The Process of Auditing Information Systems

Certified Information Systems Auditor
An ISACA Certification

Section One: Overview
1.3 ISACA IS Audit and Assurance Standards and Guidelines ........ 31
This chapter on the process of auditing information systems encompasses the entire practice of IS auditing, including the procedures and a thorough methodology that allows an IS auditor to perform an audit on any given IT area in a professional manner.

OBJECTIVES

The objective of this domain is to ensure that the CISA candidate has the knowledge necessary to provide audit services in accordance with IS audit standards to assist the organization with protecting and controlling information systems.

This area represents 14 percent of the CISA exam (approximately 28 questions).

TASK AND KNOWLEDGE STATEMENTS

TASKS

There are five tasks within the domain covering the process of auditing information systems:

T1.1 Develop and implement a risk-based IT audit strategy in compliance with IT audit standards to ensure that key areas are included.
T1.2 Plan specific audits to determine whether information systems are protected, controlled and provide value to the organization.
T1.3 Conduct audits in accordance with IT audit standards to achieve planned audit objectives.
T1.4 Report audit findings and make recommendations to key stakeholders to communicate results and effect change when necessary.
T1.5 Conduct follow-ups or prepare status reports to ensure that appropriate actions have been taken by management in a timely manner.

KNOWLEDGE STATEMENTS

There are 10 knowledge statements within the domain covering the process of auditing information systems:

KS1.1 Knowledge of ISACA IT Audit and Assurance Standards, Guidelines, and Tools and Techniques; Code of Professional Ethics; and other applicable standards
KS1.2 Knowledge of risk assessment concepts, tools and techniques in an audit context
KS1.3 Knowledge of control objectives and controls related to information systems
KS1.4 Knowledge of audit planning and audit project management techniques, including follow-up
KS1.5 Knowledge of fundamental business processes (e.g., purchasing, payroll, accounts payable, accounts receivable) including relevant IT
KS1.6 Knowledge of applicable laws and regulations that affect the scope, evidence collection and preservation, and frequency of audits
KS1.7 Knowledge of evidence collection techniques (e.g., observation, inquiry, inspection, interview, data analysis) used to gather, protect and preserve audit evidence
KS1.8 Knowledge of different sampling methodologies
KS1.9 Knowledge of reporting and communication techniques (e.g., facilitation, negotiation, conflict resolution, audit report structure)
KS1.10 Knowledge of audit quality assurance systems and frameworks

Relationship of Task to Knowledge Statements

The task statements are what the CISA candidate is expected to know how to perform. The knowledge statements delineate each of the areas in which the CISA candidate must have a good understanding in order to perform the tasks. The task and knowledge statements are mapped in exhibit 1.1 insofar as it is possible to do so. Note that although there is often overlap, each task statement will generally map to several knowledge statements.

The sections identified in KS1.1-KS1.10 are described in greater detail in section two of this chapter.
KS1.1 Knowledge of ISACA IT Audit and Assurance Standards, Guidelines, and Tools and Techniques; Code of Professional Ethics; and other applicable standards

KS1.2 Knowledge of risk assessment concepts, tools and techniques in an audit context

The overall audit plan of the organization should be based on business risk related to the use of IT, and the IS auditor is expected to be aware of the need to focus on this risk. In addition, an audit must focus on the most critical elements of the function under review. For this reason, the IS auditor should be aware of, and be able to put into practice, the risk analysis techniques needed to identify and prioritize business risks within the audit scope. This approach allows the IS auditor to create an audit plan that applies finite audit resources to where they are most needed. Although business risk is the most important driver of the audit program, the IS auditor must also take steps to minimize associated elements such as sampling risk, detection risk, materiality of findings, etc., since these may impact the adequacy of the review.

Key concepts and the manual sections that cover them:
• Impact of risk assessment on auditing: 1.4 Risk Analysis; 1.6.3 Audit Methodology; 1.6.5 Risk-based Auditing; 1.6.6 Audit Risk and Materiality; 1.6.8 Risk Assessment Techniques
• Understanding risk analysis concepts within an auditing context: 1.4 Risk Analysis
• Applying risk analysis techniques during audit planning: 1.6.5 Risk-based Auditing; 1.6.6 Audit Risk and Materiality; 1.6.7 Risk Assessment and Treatment; 1.6.8 Risk Assessment Techniques
To achieve audit objectives within a precise scope and budget, the audit should be adequately planned. The performance of an IS audit does not differ substantially from a project. Accordingly, audit planning requires a similar level of preplanning to ensure an appropriate and efficient use of audit resources. Auditors need to understand project planning and management techniques to properly manage the audit and avoid an inefficient utilization of resources. The CISA exam will not include questions that are written for a project manager who is not an IS auditor.

Key concepts and the manual sections that cover them:
• 1.2.2 IS Audit Resource Management; 1.2.3 Audit Planning; 1.2.4 Effect of Laws and Regulations on IS Audit Planning
• Impact of IS environment on IS auditing practices and techniques: 1.6.2 Audit Programs; 1.6.3 Audit Methodology; 1.6.9 Audit Objectives; 2.11 Auditing IT Governance Structure and Implementation; 2.13 Auditing Business Continuity; 3.13 Auditing Application Controls; 3.14 Auditing Systems Development, Acquisition and Maintenance; 4.6 Auditing Infrastructure and Operations; 5.5 Auditing Information Security Management Framework; 5.6 Auditing Network Infrastructure Security
KS1.6 Knowledge of applicable laws and regulations that affect the scope, evidence collection and preservation, and frequency of audits

IS auditing is a branch of the broader field of auditing. Auditing standards refer to minimum parameters that should be taken into account when performing an audit. However, there may be guidelines and additional audit procedures that an auditor may wish to add in order to develop an opinion on the proper functioning of controls. Most of the basic auditing practices and techniques are equally relevant in an IS audit. The IS auditor should understand the impact of the IS environment on traditional auditing practices and techniques to ensure that the basic objective of the audit exercise is achieved. The practices and techniques to be used in a specific IS audit should be determined during the audit planning stage and incorporated into an audit program. ISACA does not define, or require knowledge of, any specific audit methodology, but expects the IS auditor to be aware of the general principles involved in planning and conducting an effective audit program.

Key concepts and the manual sections that cover them:
• Impact of IS environment on IS auditing practices and techniques: 1.6.2 Audit Programs; 1.6.3 Audit Methodology; 1.6.9 Audit Objectives; 2.11 Auditing IT Governance Structure and Implementation; 2.13 Auditing Business Continuity; 3.13 Auditing Application Controls; 3.14 Auditing Systems Development, Acquisition and Maintenance; 4.6 Auditing Infrastructure and Operations; 5.5 Auditing Information Security Management Framework; 5.6 Auditing Network Infrastructure Security
• Points of relevance while using services of other auditors and experts: 1.6.14 Using the Services of Other Auditors and Experts

Control self-assessment (CSA) is a process in which an IS auditor can act in the role of facilitator to the business process owners to help them define and assess appropriate controls. The process owners and the personnel who run the processes use their knowledge and understanding of the business function to evaluate the performance of controls against the established control objectives, while taking into account the risk appetite of the enterprise.

Process owners are in an ideal position to define the appropriate controls since they have a greater knowledge of the process objectives. The IS auditor helps the process owners understand the need for controls, based on risks to the business processes. Results must be interpreted with a certain level of skepticism because process owners are not always objective when assessing their own activities.

Key concepts and the manual sections that cover them:
• 1.7 Control Self-assessment; 1.7.1 Objectives of CSA; 1.7.2 Benefits of CSA; 1.7.3 Disadvantages of CSA; 1.7.4 Auditor Role in CSA
• Relevance of different technology drivers for CSA in the current business environment: 1.7.5 Technology Drivers for CSA; 1.7.6 Traditional vs. CSA Approach
• Relevance of different approaches of CSA in a given context
1-3 A  A risk-based audit approach focuses on the understanding of the nature of the business and being able to identify and categorize risk. Business risks impact the long-term viability of a specific business. Thus, an IS auditor using a risk-based audit approach must be able to understand business processes.

1-4 C  The risk level or exposure without taking into account the actions that management has taken or might take is inherent risk. Control risk is the risk that a material error exists that will not be prevented or detected in a timely manner by the system of internal controls. Detection risk is the risk that a material misstatement with a management assertion will not be detected by the auditor's substantive tests. It consists of two components, sampling risk and nonsampling risk. Sampling risk is the risk that incorrect assumptions are made about the characteristics of a population from which a sample is taken. Nonsampling risk is the detection risk not related to sampling; it can be due to a variety of reasons, including, but not limited to, human error.

1-5 D  The IS auditor is not expected to ignore control weaknesses just because they are outside the scope of a current review. Further, the conduct of a detailed systems software review may hamper the audit's schedule and the IS auditor may not be technically competent to do such a review at this time. If there are control weaknesses that have been discovered by the IS auditor, they should be disclosed. By issuing a disclaimer, this responsibility would be waived. Hence, the appropriate option would be to review the systems software as relevant to the review and recommend a detailed systems software review for which additional resources may be recommended.

1-8 C  The first step in audit planning is to gain an understanding of the business's mission, objectives and purpose, which in turn identifies the relevant policies, standards, guidelines, procedures, and organization structure. All other choices are dependent upon having a thorough understanding of the business's objectives and purpose.

1-9 A  Standard S5, Planning, establishes standards and provides guidance on planning an audit. It requires a risk-based approach.

1-10 C  A corrective control helps to correct or minimize the impact of a problem. Backup tapes can be used for restoring the files in case of damage of files, thereby reducing the impact of a disruption. Preventive controls are those that avert problems before they arise. Backup tapes cannot be used to prevent damage to files and hence cannot be classified as a preventive control. Management controls modify processing systems to minimize a repeat occurrence of the problem. Backup tapes do not modify processing systems and hence do not fit the definition of a management control. Detective controls help to detect and report problems as they occur. Backup tapes do not aid in detecting errors.
CISA Review Manual 2014, ISACA. All Rights Reserved. Page 28.
Chapter 1: The Process of Auditing Information Systems. Section Two: Content
1.2 MANAGEMENT OF THE IS AUDIT FUNCTION

The audit function should be managed and led in a manner that ensures that the diverse tasks performed and achieved by the audit team will fulfill audit function objectives, while preserving audit independence and competence. Furthermore, managing the audit function should ensure value added contributions to senior management regarding the efficient management of IT and achievement of business objectives.

1.2.1 ORGANIZATION OF THE IS AUDIT FUNCTION

IS audit services can be provided externally or internally.

The role of the IS internal audit function should be established by an audit charter approved by senior management. IS audit can be a part of internal audit, function as an independent group, or

Preferably, a detailed staff training plan should be drawn for the year based on the organization's direction in terms of technology and related risk that needs to be addressed. This should be reviewed periodically to ensure that the training efforts and results are aligned to the direction that the audit organization is taking. Additionally, IS audit management should also provide the necessary IT resources to properly perform IS audits of a highly specialized nature (e.g., tools, methodology, work programs).

1.2.3 AUDIT PLANNING

Annual Planning

Audit planning consists of both short- and long-term planning. Short-term planning takes into account audit issues that will be covered during the year, whereas long-term planning relates to audit plans that will take into account risk-related issues regarding changes in the organization's IT strategic direction that will affect the organization's IT environment.
1.2.4 EFFECT OF LAWS AND REGULATIONS ON IS AUDIT PLANNING

Each organization, regardless of its size or the industry within which it operates, will need to comply with a number of governmental and external requirements related to computer system practices and controls and to the manner in which computers, programs and data are stored and used. Additionally, business regulations can impact the way data are processed, transmitted and stored (stock exchange, central banks, etc.).

Special attention should be given to these issues in industries that are closely regulated. The banking industry worldwide has severe penalties for banks and their officers should a bank be unable to provide an adequate level of service due to security or other breaches. Inadequate security in a bank's online portal can result in loss of customer funds. In several countries Internet service providers (ISPs) are subject to laws regarding confidentiality and service availability.

Because of growing dependency on information systems and related technology, several countries are making efforts to add legal regulations concerning IS audit. The content of these legal regulations pertains to:
• Establishment of regulatory requirements
• Responsibilities assigned to corresponding entities
• Financial, operational and IT audit functions

Management personnel as well as audit management, at all levels, should be aware of the external requirements relevant to the goals and plans of the organization, and to the responsibilities and activities of the information services department/function/activity.

There are two major areas of concern: legal requirements (laws, regulatory and contractual agreements) placed on audit or IS audit, and legal requirements placed on the auditee and its systems, data management, reporting, etc. These areas would impact audit scope and audit objectives. The latter is important to internal and external auditors. Legal issues also impact the organizations' business operations in terms of compliance with ergonomic regulations, the US Health Insurance Portability and Accountability Act (HIPAA), protection of personal Data Directives and Electronic Commerce within the European Community, fraud prevention within banking organizations, etc.

A similar example of a regulatory requirement is the Basel Accords (I, II and III). The Basel Accords regulate the minimum capital for financial organizations based on the level of risk they face. The Basel Committee on Banking Supervision recommends conditions and capital requirements that should be fulfilled to manage risk exposure. These conditions will ideally result in an improvement in:
• Credit risk
• Operational risk
• Market risk

The following are steps an IS auditor would perform to determine an organization's level of compliance with external requirements:
• Identify those government or other relevant external requirements dealing with:
  - Electronic data, personal data, copyrights, e-commerce, e-signatures, etc.
  - Computer system practices and controls
  - The manner in which computers, programs and data are stored
  - The organization or the activities of information technology services
  - IS audits
• Document applicable laws and regulations.
• Assess whether the management of the organization and the IS function have considered the relevant external requirements in making plans and in setting policies, standards and procedures, as well as business application features.
• Review internal IS department/function/activity documents that address adherence to laws applicable to the industry.
• Determine adherence to established procedures that address these requirements.
• Determine if there are procedures in place to ensure contracts or agreements with external IT services providers reflect any legal requirements related to responsibilities.

It is expected that the organization would have a legal compliance function on which the IS control practitioner could rely.
1.3.2 ISACA IS AUDIT AND ASSURANCE STANDARDS FRAMEWORK

The specialized nature of IS auditing and the skills and knowledge necessary to perform such audits require globally applicable standards that pertain specifically to IS auditing. One of the most important functions of ISACA is providing information (common body of knowledge) to support knowledge requirements. (See standard S4 Professional Competence.)

One of ISACA's goals is to advance standards to meet this need. The development and dissemination of the IS audit and assurance standards is a cornerstone of the association's professional contribution to the audit community. The IS auditor needs to be aware that there may be additional standards, or even legal requirements, placed on the auditor.

The objectives of the ISACA IS audit and assurance standards are to inform:
• IS auditors of the minimum level of acceptable performance required to meet the professional responsibilities set out in the Code of Professional Ethics for IS auditors.
• Management and other interested parties of the profession's expectations concerning the work of audit practitioners.

Auditing Standards

The IS audit and assurance standards applicable to IS auditing are:

General
• 1001 Audit Charter:
  - 1001.1 The IS audit and assurance function shall document the audit function appropriately in an audit charter, indicating purpose, responsibility, authority and accountability.
  - 1001.2 The IS audit and assurance function shall have the audit charter agreed upon and approved at an appropriate level within the enterprise.
• 1002 Organisational Independence:
  - 1002.1 The IS audit and assurance function shall be independent of the area or activity being reviewed to permit objective completion of the audit and assurance engagement.
• 1003 Professional Independence:
  - 1003.1 The IS audit and assurance professional shall be independent and objective in both attitude and appearance in all matters related to audit and assurance engagements.
• 1004 Reasonable Expectation:
  - 1004.1 The IS audit and assurance professional shall have reasonable expectation that the engagement can be completed in accordance with these IS audit and assurance standards and, where required, other appropriate professional or industry standards or applicable regulations and result in a professional opinion or conclusion.
  - 1004.2 The IS audit and assurance professional shall have reasonable expectation that the scope of the engagement enables conclusion on the subject matter and addresses any restrictions.
  - 1004.3 The IS audit and assurance professional shall have reasonable expectation that management understands its obligations and responsibilities with respect to the provision of appropriate, relevant and timely information required to perform the engagement.
• 1005 Due Professional Care:
  - 1005.1 The IS audit and assurance professional shall exercise due professional care, including observance of applicable professional audit standards, in planning, performing and reporting on the results of engagements.
• 1006 Proficiency:
  - 1006.1 The IS audit and assurance professional, collectively with others assisting with the assignment, shall possess adequate skills and proficiency in conducting IS audit and assurance engagements and be professionally competent to perform the work required.
  - 1006.2 The IS audit and assurance professional, collectively with others assisting with the assignment, shall possess adequate knowledge of the subject matter.
  - 1006.3 The IS audit and assurance professional shall maintain professional competence through appropriate continuing professional education and training.
• 1007 Assertions:
  - 1007.1 The IS audit and assurance professional shall review the assertions against which the subject matter will be assessed to determine that such assertions are capable of being audited and that the assertions are sufficient, valid and relevant.
• 1008 Criteria:
  - 1008.1 The IS audit and assurance professional shall select criteria, against which the subject matter will be assessed, that are objective, complete, relevant, measureable, understandable, widely recognised, authoritative and understood by, or available to, all readers and users of the IS audit or assurance report.
  - 1008.2 The IS audit and assurance professional shall consider the source of the criteria and focus on those issued by relevant authoritative bodies before accepting lesser-known criteria.

Performance
• 1201 Engagement Planning:
  - 1201.1 The IS audit and assurance professional shall plan each IS audit and assurance engagement to address:
    • Objective(s), scope, timeline and deliverables
    • Compliance with applicable laws and professional auditing standards
    • Use of a risk-based approach, where appropriate
    • Engagement-specific issues
    • Documentation and reporting requirements
  - 1201.2 The IS audit and assurance professional shall develop and document an IS audit or assurance engagement project plan, describing the:
    • Engagement nature, objectives, timeline and resource requirements
    • Timing and extent of audit procedures to complete
• 1202 Risk Assessment in Planning:
  - 1202.1 The IS audit and assurance function shall use an appropriate risk assessment approach and supporting methodology to develop the overall IS audit plan and determine priorities for the effective allocation of IS audit resources.
  - 1202.2 The IS audit and assurance professional shall identify and assess risk relevant to the area under review, when planning individual engagements.
  - 1202.3 The IS audit and assurance professional shall consider subject matter risk, audit risk and related exposure to the enterprise.
• 1203 Performance and Supervision:
  - 1203.1 The IS audit and assurance professional shall conduct the work in accordance with the approved IS audit plan to cover identified risk and within the agreed-on schedule.
  - 1203.2 The IS audit and assurance professional shall provide supervision to IS audit staff for whom they have supervisory responsibility, to accomplish audit objectives and meet applicable professional audit standards.
  - 1203.3 The IS audit and assurance professional shall accept only tasks that are within their knowledge and skills or for which they have reasonable expectation of either acquiring the skills during the engagement or achieving the task under supervision.
  - 1203.4 The IS audit and assurance professional shall obtain sufficient and appropriate evidence to achieve the audit objectives. The audit findings and conclusions shall be supported by appropriate analysis and interpretation of this evidence.
  - 1203.5 The IS audit and assurance professional shall document the audit process, describing the audit work and the audit evidence that supports findings and conclusions.
  - 1203.6 The IS audit and assurance professional shall identify and conclude on findings.
• 1204 Materiality:
  - 1204.1 The IS audit and assurance professional shall consider potential weaknesses or absences of controls while planning an engagement, and whether such weaknesses or absences of controls could result in a significant deficiency or a material weakness.
  - 1204.2 The IS audit and assurance professional shall consider materiality and its relationship to audit risk while determining the nature, timing and extent of audit procedures.
  - 1204.3 The IS audit and assurance professional shall consider the cumulative effect of minor control deficiencies or weaknesses and whether the absence of controls translates into a significant deficiency or a material weakness.
  - 1204.4 The IS audit and assurance professional shall disclose the following in the report:
    • Absence of controls or ineffective controls
    • Significance of the control deficiency
    • Probability of these weaknesses resulting in a significant deficiency or material weakness
  - 1206.7 The IS audit and assurance professional shall provide an appropriate audit opinion or conclusion and include any scope limitation where required evidence is not obtained through additional test procedures.
• 1207 Irregularity and Illegal Acts:
  - 1207.1 The IS audit and assurance professional shall consider the risk of irregularities and illegal acts during the engagement.
  - 1207.2 The IS audit and assurance professional shall maintain an attitude of professional scepticism during the engagement.
  - 1207.3 The IS audit and assurance professional shall document and communicate any material irregularities or illegal act to the appropriate party in a timely manner.

Reporting
• 1401 Reporting:
  - 1401.1 The IS audit and assurance professional shall provide a report to communicate the results upon completion of the engagement, including:
    • Identification of the enterprise, the intended recipients and any restrictions on content and circulation
    • The scope, engagement objectives, period of coverage and the nature, timing and extent of the work performed

www.isaca.org/standards.

Index of IS Audit and Assurance Guidelines
• G1 Using the Work of Other Auditors, effective 1 March 2008
  - This guideline sets out how the IS auditor should consider using the work of other experts in the audit when there are constraints that could impair the audit work to be performed or potential gains in the quality of the audit.
  - Very often, certain expertise or knowledge is required by the technical nature of the tasks to be performed, scarce audit resources and limited knowledge of specific areas of audit. An 'expert' could be an IS auditor from the external accounting firm, a management consultant, an IT expert or expert in the area of the audit who has been appointed by top management or by the IS audit team.
• G2 Audit Evidence Requirement, effective 1 May 2008
  - Guidelines to the IS auditor about how to obtain sufficient and appropriate audit evidence and draw reasonable conclusions on which to base the audit results.
  - This guideline provides guidance in applying IS auditing standards. The IS auditor should consider it in determining how to achieve implementation of the above standard, use professional judgment in its application and be prepared to justify any departure.

  - The total population of management and monitoring controls is broad, and some of these controls may not be relevant to the specific audit objective. To assess the audit risk and determine the appropriate audit approach, the IS auditor needs a structured method of determining:
    • Those management and monitoring controls that are relevant to the audit scope and objectives
    • Those management and monitoring controls that should be tested
  - The effect of the relevant management and monitoring controls on the audit opinion
• G12 Organizational Relationship and Independence, effective 1 August 2008
  - The purpose of this guideline is to expand on the meaning of 'independence' as used in standard S2 and to address the IS auditor's attitude and independence in IS auditing.
  - This guideline provides guidance in applying IS audit and assurance standards. The IS auditor should consider it in determining how to achieve implementation of the above standards, use professional judgment in its application and be prepared to justify any departure.
• G13 Use of Risk Assessment in Audit Planning, effective 1 August 2008
  - The level of audit work required to meet a specific audit objective is a subjective decision made by the IS auditor. The risk of reaching an incorrect conclusion based on the audit findings (audit risk) is one aspect of this decision. The other is the risk of errors occurring in the area being audited (error risk). Recommended practices for risk assessment in carrying out financial audits are well documented in auditing standards for financial auditors, but guidance is required on how to apply such techniques to IS audits.
  - This guideline provides guidance in applying IS audit and assurance standards. The IS auditor should consider it in determining how to achieve implementation of standards S5 and S6, use professional judgment in its application, and be prepared to justify any departure.
• G14 Application Systems Review, withdrawn 14 January 2013. See Generic Application Audit/Assurance Program
• G15 Audit Planning, effective 1 May 2010
  - The purpose of this guideline is to define the components of the planning process as stated in standard S5 of the IS Audit and Assurance Standards.
  - This guideline also provides for planning in the audit process to meet the objectives set by COBIT.

• G19 Irregularities and Illegal Acts, withdrawn 1 September 2008
• G20 Reporting, effective 16 September 2010
  - This guideline sets out how the IS auditor should comply with ISACA IS audit and assurance standards and COBIT when reporting on an organization's information system controls and related control objectives.
• G21 Enterprise Resource Planning (ERP) Systems Review, withdrawn 14 January 2013. See Security, Audit and Control Features SAP ERP, 3rd Edition, Audit Programs and ICQs.
• G22 Business-to-consumer (B2C) E-commerce Review, withdrawn 14 January 2013. See E-commerce and PKI Audit/Assurance Program
• G23 System Development Life Cycle (SDLC) Reviews, withdrawn 14 January 2013. See Systems Development and Project Management Audit/Assurance Program
• G24 Internet Banking, withdrawn 14 January 2013
• G25 Review of Virtual Private Networks, withdrawn 14 January 2013. See VPN Security Audit/Assurance Program
• G26 Business Process Reengineering (BPR) Project Reviews, withdrawn 14 January 2013
• G27 Mobile Computing, withdrawn 14 January 2013. See Mobile Computing Security Audit/Assurance Program
• G28 Computer Forensics, withdrawn 14 January 2013
• G29 Postimplementation Review, withdrawn 14 January 2013. See Systems Development and Project Management Audit/Assurance Program
• G30 Competence, effective 1 June 2005
  - This guideline provides guidance in applying IS Auditing Standard S4 Professional Competence. The IS auditor should consider this guideline in determining how to achieve implementation of the above standards, use professional judgment in its application and be prepared to justify any departure.
• G31 Privacy, withdrawn 14 January 2013. See Personally Identifiable Information (PII) Audit/Assurance Program
• G32 Business Continuity Plan Review From IT Perspective, withdrawn 14 January 2013. See Business Continuity Management Audit/Assurance Program
• G33 General Considerations on the Use of the Internet, withdrawn 14 January 2013. See E-commerce and PKI Audit/Assurance Program
• G34 Responsibility, Authority and Accountability, effective 1 March 2006
38
CISA Review Manual 2014
ISACA. All Rights Reserved.
 - The work must be conducted with due care and appropriate consideration for management and auditee issues and concerns, including timing and timeliness.
 - IS audit performance must address the objectives and mandate of the audit.
• Representations—The IS audit and assurance professional will receive representations during the course of conducting the IS audit—some written and others oral. As part of the audit process, these representations should be documented and retained in the work-paper file. In addition, for attestation engagements, representations from the auditee should be obtained in writing to reduce possible misunderstandings. Matters that may appear in a representation letter include:
 - A statement by the auditee acknowledging responsibility for the subject matter and, when applicable, the assertions
 - A statement by the auditee acknowledging responsibility for the criteria, and where applicable, the assertions
 - A statement by the auditee acknowledging responsibility for determining that the criteria are appropriate for the purposes
 - A list of specific assertions about the subject matter based on the criteria selected
 - A statement that all known matters contradicting the assertions have been disclosed to the IS audit and assurance professional
 - A statement that all communications from regulators affecting the subject matter or the assertions have been disclosed to the IS audit and assurance professional
 - A statement that the IS audit and assurance professional has been provided access to all relevant information and records, files, etc., pertaining to the subject matter
 - A statement on any significant events that have occurred subsequent to the date of the audit report and prior to release of that report
 - Other matters that the IS audit and assurance professional may deem relevant or appropriate

Frequently, a summary of all representations made during the assignment is prepared and signed prior to finalization of the audit or assurance work.

While the same degree of rigor is not essential in non-audit assurance engagements, the assurance professional should obtain representations from management on key issues.

Current ISACA IS audit and assurance standards include the following performance standards:
• 1201 Engagement Planning
• 1202 Risk Assessment in Planning
• 1203 Performance and Supervision
• 1204 Materiality
• 1205 Evidence
• 1206 Using the Work of Other Experts
• 1207 Irregularity and Illegal Acts

Section 1400—Reporting Standards
The report produced by the IS audit and assurance professional will vary, depending on the type of assignment performed. Considerations include the level of assurance, whether the assurance professional was acting in an audit capacity, whether the assurance professional is providing a direct report on the subject matter or is reporting on assertions regarding the subject matter, and whether the report is based on work performed at the review level or the examination level.

Reporting standards address (1) types of reports, (2) the means of communication, and (3) information to be communicated.

At minimum, the IS audit and assurance professional's report and/or associated attachments should:
• Identify to whom the report is directed
• Identify the nature and objectives of the IS assurance assignment
• Identify the entity or portion thereof covered by the IS assurance report
• Identify the subject matter or assertions on which the IS audit and assurance professional is reporting
• Provide a description of the nature of the scope of the work, including a brief statement on matters that are not within the scope of the assignment as well as those that are, to remove any doubt about the scope
• State the time frame or period covered by the report
• State the period during which the IS assurance was performed
• Provide a reference to the applicable professional standards governing the IS assurance assignment and against which the IS assurance work was conducted
• Identify management assertions, if any
• Describe the responsibilities of management and the IS audit and assurance professional
• Identify the criteria against which the subject matter was evaluated
• State a conclusion on the level of assurance being provided (Depending on the type of assignment, this could range from an audit report to a review report where no assurance is provided.)
• State any reservations that the IS audit and assurance professional may have (These may include scope, timing, and inability to obtain sufficient information or conduct appropriate tests, and are particularly important in audit assignments.)
• State any restrictions on the distribution or use of the report
• State the date of the report
• State where the report was issued
• State who issued the report (name or organization of the IS auditor)
• Include the IS audit and assurance professional's signature on the written report

In addition, depending on the nature of the IS audit or assurance assignment, other information should be provided such as specific government directives, corporate policies or other information germane to the reader's understanding of the IS assurance assignment.

Current ISACA IS audit and assurance standards include the following reporting standards:
• 1401 Reporting
• 1402 Follow-up Activities

Section 3000—IS Assurance Guidelines
Section 3000 addresses guidelines in the following areas:

Section   Guideline Area
3200      Enterprise Topics
3400      IS Management Processes
3600      IS Audit and Assurance Processes
3800      IS Audit and Assurance Management
Chapter 1—The Process of Auditing Information Systems, Section Two: Content
"The potential that a given threat will exploit vulnerabilities of an asset (G.3) or group of assets and thereby cause harm to the organization." (ISO/IEC PDTR 13335-1)

This definition is used commonly by the IT industry since it puts risk into an organizational context by using the concepts of assets and loss of value—terms that are easily understood by business managers.

ISACA's Risk IT framework defines IT risk as follows:

IT risk is business risk—specifically, the business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise. It consists of IT-related events that could potentially impact the business. It includes both uncertain frequency and magnitude, and it creates challenges in meeting strategic goals and objectives and uncertainty in the pursuit of opportunities.

The Risk IT framework recognizes that management of business risk is an essential component of the responsible administration of any enterprise. Almost every business decision requires the executive or manager to balance risk and reward.

The pervasive use of IT can provide significant benefits to an enterprise, but it also involves risk. Due to IT's importance to the overall business, IT risk should be treated like other key business risks, such as market risk, credit risk and other operational risks, all of which fall under the highest "umbrella" risk category: failure to achieve strategic objectives. While these other risks have long been incorporated into corporate decision-making processes, too many executives tend to relegate IT risk to technical specialists outside the boardroom.

Next, during the risk mitigation phase, controls are identified for mitigating identified risks. These controls are risk-mitigating countermeasures that should prevent or reduce the likelihood of a risk event occurring, detect the occurrence of a risk event, minimize the impact, or transfer the risk to another organization.

The assessment of countermeasures should be performed through a cost-benefit analysis where controls to mitigate risks are selected to reduce risks to a level acceptable to management. This analysis process may be based on any of the following:
• The cost of the control compared to the benefit of minimizing the risk
• Management's appetite for risk (i.e., the level of residual risk that management is prepared to accept)
• Preferred risk-reduction methods (e.g., terminate the risk, minimize probability of occurrence, minimize impact, transfer the risk via insurance)

The final phase relates to monitoring performance levels of the risks being managed when identifying any significant changes in the environment that would trigger a risk reassessment, warranting changes to its control environment. It encompasses the three processes—risk assessment, risk mitigation and risk reevaluation—in determining whether risks are being mitigated to a level acceptable to management. It should be noted that, to be effective, risk assessment should be an ongoing process in an organization that endeavors to continually identify and evaluate risks as they arise and evolve. See exhibit 1.4 for the summary of the risk assessment process.
it represents that a service organization has been through an in-depth audit of their control activities, which generally include controls over information technology and related processes. SSAE 16-type reviews provide guidance to enable an independent auditor (service auditor) to issue an opinion on a service organization's description of controls through a service auditor's report, which then can be relied on by the IS auditor of the entity that utilizes the services of the service organization.
• Forensic audits—Forensic auditing has been defined as auditing specialized in discovering, disclosing and following up on frauds and crimes. The primary purpose of such a review is the development of evidence for review by law enforcement and judicial authorities. In recent years, the forensic professional has been called on to participate in investigations related to corporate fraud and cybercrime. In cases where computer resources may have been misused, further investigation is necessary to gather evidence for possible criminal activity that can then be reported to appropriate authorities. A computer forensic investigation includes the analysis of electronic devices such as computers, smartphones, disks, switches, routers, hubs and other electronic equipment. An IS auditor possessing the necessary skills can assist the information security manager in performing forensic investigations and conduct the audit of the systems to ensure compliance with the evidence collection procedures for forensic investigation. Electronic evidence is vulnerable to changes; therefore, it is necessary to handle electronic evidence with utmost care and controls should ensure that no manipulation can occur. Chain of custody for electronic evidence should be established to meet legal requirements.

• A risk assessment and general audit plan and schedule
• Detailed audit planning that would include the necessary audit steps and a breakdown of the work planned across an anticipated timeline
• Preliminary review of the audit area/subject
• Evaluating the audit area/subject
• Verifying and evaluating the appropriateness of controls designed to meet control objectives
• Compliance testing (tests of the implementation of controls, and their consistent application)
• Substantive testing (confirming the accuracy of information)
• Reporting (communicating results)
• Follow-up in cases where there is an internal audit function

The IS auditor must understand the procedures for testing and evaluating IS controls. These procedures could include:
• The use of generalized audit software to survey the contents of data files (including system logs)
• The use of specialized software to assess the contents of operating system database and application parameter files (or detect deficiencies in system parameter settings)
• Flow-charting techniques for documenting automated applications and business processes
• The use of audit logs/reports available in operation/application systems
• Documentation review
• Inquiry and observation
• Walkthroughs
• Reperformance of controls
Specifically, this means that an internal control weakness or set of combined internal control weaknesses leaves the organization highly susceptible to the occurrence of a threat (e.g., financial loss, business interruption, loss of customer trust, economic sanction, etc.). The IS auditor should be concerned with assessing the materiality of the items in question through a risk-based audit approach to evaluating internal controls.

The IS auditor should have a good understanding of these audit risks when planning an audit. An audit sample may not detect every potential error in a population. However, by using proper statistical sampling procedures or a strong quality control process, the probability of detection risk can be reduced to an acceptable level. Similarly, when evaluating internal controls, the IS auditor should realize that a given system may not detect a minor error. However, that specific error, combined with others, could become material to the overall system.

The concept of materiality requires sound judgment from the IS auditor. The IS auditor may detect a small error that could be considered significant at an operational level, but may not be viewed as significant to upper management. Materiality considerations combined with an understanding of audit risk are essential concepts for planning the areas to be audited and the specific test to be performed in a given audit.

1.6.7 RISK ASSESSMENT AND TREATMENT
To develop a more complete understanding of audit risk, the IS auditor should also understand how the organization being audited approaches risk assessment and treatment.

Assessing Security Risks
Risk assessments should identify, quantify and prioritize risks against criteria for risk acceptance and objectives relevant to the organization. The results should guide and determine the appropriate management action, priorities for managing information security risks, and priorities for implementing controls selected to protect against these risks.

Risk assessments should also be performed periodically to address changes in the environment, security requirements and in the risk situation (e.g., in the assets, threats, vulnerabilities, impacts), and when significant changes occur. These risk assessments should be undertaken in a methodical manner capable of producing comparable and reproducible results.

The scope of a risk assessment can be either the whole organization, parts of the organization, an individual information system, specific system components, or services where this is practicable, realistic and helpful.

Treating Risks
Before considering the treatment of a risk, the organization should decide the criteria for determining whether risks can be accepted. Risks may be accepted if, for example, it is assessed that the risk is low or that the cost of treatment is not cost-effective for the organization. Such decisions should be recorded.

Each of the risks identified in the risk assessment needs to be treated. Possible risk response options include:
• Risk mitigation—Applying appropriate controls to reduce the risks
• Risk acceptance—Knowingly and objectively not taking action, providing the risk clearly satisfies the organization's policy and criteria for risk acceptance
• Risk avoidance—Avoiding risks by not allowing actions that would cause the risks to occur
• Risk transfer/sharing—Transferring the associated risks to other parties, e.g., insurers or suppliers

For those risks where the risk treatment decision has been to apply appropriate controls, controls should be selected to ensure that risks are reduced to an acceptable level, taking into account:
• Requirements and constraints of national and international legislation and regulations
• Organizational objectives
• Operational requirements and constraints
• Cost effectiveness (the need to balance the investment in implementation and operation of controls against the harm likely to result from security failures)

Controls can be selected from professional or industry standards or new controls can be designed to meet the specific needs of the organization. It is necessary to recognize that some controls may not be applicable to every information system or environment, and might not be practical for all organizations.

Information security controls should be considered at the systems and projects requirements specification and design stage. Failure to do so can result in additional costs and less effective solutions, and, in a worst case scenario, the inability to achieve adequate security.

No set of controls can achieve complete security. Additional management action should be implemented to monitor, evaluate, and improve the efficiency and effectiveness of security controls to support the organization's aims.

1.6.8 RISK ASSESSMENT TECHNIQUES
When determining which functional areas should be audited, the IS auditor could face a large variety of audit subjects. Each of these subjects may represent different types of risk. The IS auditor should evaluate these various risk candidates to determine the high-risk areas that should be audited.

There are many risk assessment methodologies, computerized and noncomputerized, from which the IS auditor may choose. These range from simple classifications of high, medium and low, based on the IS auditor's judgment, to complex scientific calculations that provide a numeric risk rating.
Use two types of substantive tests to evaluate the validity of the data.

The quality and quantity of evidence must be assessed by the IS auditor. These two characteristics are referred to by the International Federation of Accountants (IFAC) as competent (quality) and sufficient (quantity). Evidence is competent when it is both valid and relevant. Audit judgment is used to determine when sufficiency is achieved in the same manner that is used to determine the competency of evidence.

An understanding of the rules of evidence is important for IS auditors since they may encounter a variety of evidence types.

Gathering of evidence is a key step in the audit process. The IS auditor should be aware of the various forms of audit evidence and how evidence can be gathered and reviewed. The IS auditor should understand ISACA IT Assurance Standards S6 and S14, and should obtain evidence of a nature and sufficiency to support audit findings.

The following are techniques for gathering evidence:
• Reviewing IS organizational structures—An organizational structure that provides an adequate separation or segregation of duties is a key general control in an IS environment. The IS auditor should understand general organizational controls and be able to evaluate these controls in the organization under audit. Where there is a strong emphasis on cooperative distributed processing or on end-user computing, IS functions may be organized somewhat differently than the classic IS organization, which consists of separate systems and operations functions. The IS auditor should be able to review these organizational structures and assess the level of control they provide.
• Reviewing IS policies and procedures—An IS auditor should review whether appropriate policies and procedures are in place, determine whether personnel understand the implemented policies and procedures, and ensure that policies and procedures are being followed. The IS auditor should verify that management assumes full responsibility for formulating, developing, documenting, promulgating and controlling policies covering general aims and directives. Periodic reviews of policies and procedures for appropriateness should be carried out.
• Reviewing IS standards—The IS auditor should first understand the existing standards in place within the organization.
• Reviewing IS documentation—A first step in reviewing the documentation for an information system is to understand the existing documentation in place within the organization. This documentation could be held in hard copy form or stored electronically (e.g., document images stored on the internal corporate network). If the latter is the case, controls to preserve the document integrity should be evaluated by the IS auditor. The IS auditor should look for a minimum level of IS documentation. Documentation may include:
 - Systems development initiating documents (e.g., feasibility study)
 - Documentation provided by external application suppliers
 - Service level agreements (SLAs) with external IT providers
 - Functional requirements and design specifications
 - Test plans and reports
 - Program and operations documents
 - Program change logs and histories
 - User manuals
 - Operations manuals
 - Security-related documents (e.g., security plans, risk assessments)
 - BCPs
 - QA reports
 - Reports on security metrics
• Interviewing appropriate personnel—Interviewing techniques are an important skill for the IS auditor. Interviews should be organized in advance with objectives clearly communicated, follow a fixed outline and be documented by interview notes. An interview form or checklist prepared by an IS auditor is a good approach. The IS auditor should always remember that the purpose of such an interview is to gather audit evidence. Procedures to gather audit evidence include: inquiry, observation, inspection, confirmation, performance and monitoring. Personnel interviews are discovery in nature and should never be accusatory; the interviewer should help people feel comfortable, encouraging them to share information, ideas, concerns and knowledge. The IS auditor should verify the accuracy of the notes with the interviewee whether or not these notes would be necessary to support conclusions.
• Observing processes and employee performance—The observation of processes is a key audit technique for many types of review. The IS auditor should be unobtrusive while making observations and should document everything in sufficient detail to be able to present it, if required, as audit evidence at a later date. In some situations, the release of the audit report may not be timely enough to use this observation as evidence. This may necessitate the issuance of an interim report to management of the area being audited. The IS auditor may also wish to consider whether documentary evidence would be useful as evidence (e.g., photograph of a server room with doors fully opened).
• Reperformance—The reperformance process is a key audit technique that generally provides better evidence than the other techniques and is therefore used when a combination of inquiry, observation and examination of evidence does not provide sufficient assurance that a control is operating effectively.
• Walkthroughs—The walkthrough is an audit technique to confirm the understanding of controls.

All of these techniques for gathering evidence are part of an audit, but an audit is not considered only review work. An audit includes examination, which incorporates by necessity the testing of controls and audit evidence, and therefore includes the results of audit tests.

IS auditors should recognize that with systems development techniques such as computer-aided software engineering (CASE) or prototyping, traditional systems documentation will not be required or will be in an automated form rather than on paper. However, the IS auditor should look for documentation standards and practices within the IS organization.

The IS auditor should be able to review documentation for a given system and determine whether it follows the organization's documentation standards. In addition, the IS auditor should
Variable sampling—also known as dollar estimation or mean estimation sampling—is a technique used to estimate the monetary value or some other unit of measure (such as weight) of a population from a sample portion. An example of variable sampling is a review of an organization's balance sheet for material transactions and an application review of the program that produced the balance sheet.

Variable sampling refers to a number of different types of quantitative sampling models:
1. Stratified mean per unit—A statistical model in which the population is divided into groups and samples are drawn from the various groups. Stratified mean sampling is used to produce a smaller overall sample size relative to unstratified mean per unit.
2. Unstratified mean per unit—A statistical model in which a sample mean is calculated and projected as an estimated total.
3. Difference estimation—A statistical model used to estimate the total difference between audited values and book (unaudited) values based on differences obtained from sample observations.

To perform attribute or variable sampling, the following statistical sampling terms need to be understood:
• Confidence coefficient (also referred to as confidence level or reliability factor)—A percentage expression (90 percent, 95 percent, 99 percent, etc.) of the probability that the characteristics of the sample are a true representation of the population. Generally, a 95 percent confidence coefficient is considered a high degree of comfort. If the IS auditor knows internal controls are strong, the confidence coefficient may be lowered. The greater the confidence coefficient, the larger the sample size.
• Level of risk—Equal to one minus the confidence coefficient. For example, if the confidence coefficient is 95 percent, the level of risk is five percent (100 percent minus 95 percent).
• Precision—Set by the IS auditor, it represents the acceptable range difference between the sample and the actual population. For attribute sampling, this figure is stated as a percentage. For variable sampling, this figure is stated as a monetary amount or a number. The higher the precision amount, the smaller the sample size and the greater the risk of fairly large total error amounts going undetected. The smaller the precision amount, the greater the sample size. A very low precision level may lead to an unnecessarily large sample size.
• Expected error rate—An estimate stated as a percent of the errors that may exist. The greater the expected error rate, the greater the sample size. This figure is applied to attribute sampling formulas but not to variable sampling formulas.
• Sample mean—The sum of all sample values, divided by the size of the sample. The sample mean measures the average value of the sample.
• Sample standard deviation—Computes the variance of the sample values from the mean of the sample. Sample standard deviation measures the spread or dispersion of the sample values.
• Tolerable error rate—Describes the maximum misstatement or number of errors that can exist without an account being materially misstated. Tolerable rate is used for the planned upper limit of the precision range for compliance testing. The term is expressed as a percentage. Precision range and precision have the same meaning when used in substantive testing.
• Population standard deviation—A mathematical concept that measures the relationship to the normal distribution. The greater the standard deviation, the larger the sample size. This figure is applied to variable sampling formulas but not to attribute sampling formulas.

Key steps in the construction and selection of a sample for an audit test include:
• Determining the objectives of the test
• Defining the population to be sampled
• Determining the sampling method, such as attribute vs. variable sampling
• Calculating the sample size
• Selecting the sample
• Evaluating the sample from an audit perspective

It is important to know that tools exist to analyze all of the statistical data, not just those available through computer-assisted audit techniques.

Note: The IS auditor [...] of sampling techniques and [...] them [...]

1.6.14 USING THE SERVICES OF OTHER AUDITORS AND EXPERTS
Due to the scarcity of IS auditors and the need for IT security specialists and other subject matter experts to conduct audits of highly specialized areas, the audit department or auditors entrusted with providing assurance may require the services of other auditors or experts. Outsourcing of IS assurance and security services is increasingly becoming a common practice. External experts could include experts in specific technologies such as networking, automated teller machine (ATM), wireless, systems integration and digital forensics, or subject matter experts such as specialists in a particular industry or area of specialization such as banking, securities trading, insurance, legal experts, etc.

When a part or all of IS audit services are proposed to be outsourced to another audit or external service provider, the following should be considered with regard to using the services of other auditors and experts:
• Restrictions on outsourcing of audit/security services provided by laws and regulations
• Audit charter or contractual stipulations
• Impact on overall and specific IS audit objectives
• Impact on IS audit risk and professional liability
• Independence and objectivity of other auditors and experts
• Professional competence, qualifications and experience
• Scope of work proposed to be outsourced and approach
• Supervisory and audit management controls
• Method and modalities of communication of results of audit work
• Compliance with legal and regulatory stipulations
• Compliance with applicable professional standards
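Returning to the variable sampling models and sampling terms defined earlier in this section, the following Python is an added example (not code from the CISA Review Manual or ISACA) that computes level of risk, sample mean, sample standard deviation, and the unstratified mean-per-unit, stratified mean-per-unit and difference-estimation projections over a constructed invoice population; the stratum boundaries, population sizes, book total and sample values are all assumed.

```python
"""Variable sampling estimators for an IS audit test.

Added example (not from the CISA Review Manual or ISACA). The invoice
population, book total, stratum sizes and sample values below are constructed.
"""
from statistics import stdev
from typing import Dict, List, Sequence, Tuple

Record = Tuple[str, float]        # (record id, book value)
SamplePair = Tuple[float, float]  # (book value, audited value)


def level_of_risk(confidence_coefficient: float) -> float:
    """Level of risk = 1 - confidence coefficient (0.95 -> 0.05)."""
    return round(1.0 - confidence_coefficient, 6)


def sample_mean(values: Sequence[float]) -> float:
    """Sum of all sample values divided by the size of the sample."""
    return sum(values) / len(values)


def sample_standard_deviation(values: Sequence[float]) -> float:
    """Spread of the sample values around the sample mean (n - 1 denominator)."""
    return stdev(values)


def unstratified_mean_per_unit(sample_values: Sequence[float],
                               population_size: int) -> float:
    """Project the sample mean over the whole population as an estimated total."""
    return sample_mean(sample_values) * population_size


def stratify(population: Sequence[Record],
             boundaries: Sequence[float]) -> Dict[int, List[Record]]:
    """Divide the population into value strata (the GAS stratification function).

    boundaries=[1000, 5000] puts values below 1000 in stratum 0, values from
    1000 up to (but excluding) 5000 in stratum 1, and the rest in stratum 2.
    """
    strata: Dict[int, List[Record]] = {i: [] for i in range(len(boundaries) + 1)}
    for record in population:
        index = sum(1 for b in boundaries if record[1] >= b)
        strata[index].append(record)
    return strata


def stratified_mean_per_unit(strata: Sequence[Tuple[int, Sequence[float]]]) -> float:
    """Project each stratum's sample mean over that stratum's size, then sum.

    strata: (number of population items in the stratum, audited sample values).
    """
    return sum(size * sample_mean(values) for size, values in strata)


def difference_estimation(sample: Sequence[SamplePair], population_size: int,
                          book_total: float) -> Tuple[float, float]:
    """Estimate the total (audited - book) difference and the audited total.

    Returns (estimated total difference, estimated audited population total).
    """
    differences = [audited - book for book, audited in sample]
    total_difference = sample_mean(differences) * population_size
    return total_difference, book_total + total_difference


if __name__ == "__main__":
    # Constructed population: 1,000 invoices with a book total of 1,850,000.
    POPULATION_SIZE = 1000
    BOOK_TOTAL = 1_850_000.0
    # Constructed sample of five invoices: (book value, audited value).
    sample = [(1200, 1200), (800, 750), (4500, 4500), (300, 320), (2200, 2100)]
    audited = [a for _, a in sample]

    print("level of risk at 95% confidence:", level_of_risk(0.95))
    print("sample mean:", sample_mean(audited))
    print("sample standard deviation:", round(sample_standard_deviation(audited), 2))
    print("unstratified mean per unit:", unstratified_mean_per_unit(audited, POPULATION_SIZE))
    total_diff, audited_total = difference_estimation(sample, POPULATION_SIZE, BOOK_TOTAL)
    print("difference estimation:", total_diff, "->", audited_total)

    # Stratified mean per unit with constructed stratum sizes (700 / 280 / 20)
    # and audited sample values drawn from each stratum.
    strata = [(700, [750, 320]), (280, [1200, 2100, 4500]), (20, [15000, 21000])]
    print("stratified mean per unit:", stratified_mean_per_unit(strata))
    print("strata:", stratify([("inv-1", 500), ("inv-2", 1200), ("inv-3", 7000)],
                              [1000, 5000]))
```

The three projections differ because each uses a different part of the sample information (audited values alone, audited values per stratum, or book-to-audited differences), which is why the text ties model choice to the expected dispersion of the population.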
assignment, the following may also require [...]:
• [...] checks
• Confidentiality [...] to protect customer-related information
• Other tools to be used by the external [...]
• Standards and methodologies for performance of work and documentation
• Nondisclosure agreements

The IS auditor or entity outsourcing the services should monitor the relationship to ensure the objectivity and independence throughout the duration of the arrangement.

It is important to understand that often, even though a part of or the whole of the audit work may be delegated to an external service provider, the related professional liability is not necessarily delegated. Therefore, it is the responsibility of the IS auditor or entity employing the services of external service providers to:
• Clearly communicate the audit objectives, scope and methodology through a formal engagement letter.
• Put in place a monitoring process for regular review of the work of the external service provider with regard to planning, supervision, review and documentation. For example, review of the work papers of other IS auditors or experts to confirm the work was appropriately planned, supervised, documented and reviewed, and to consider the appropriateness and sufficiency of the audit evidence provided; or review of the reports of other IS auditors or experts to confirm the scope specified in the audit charter, terms of reference or letter of engagement has been met, that any significant assumptions used by other IS auditors or experts have been identified, and the findings and conclusions reported have been agreed on by management.
• Assess the usefulness and appropriateness of reports of such external providers, and assess the impact of significant findings on the overall audit objectives.

CAATs also enable IS auditors to gather information independently [...] reliance on findings generated.

CAATs include many types of tools and techniques such as generalized audit software (GAS), utility software, debugging and scanning software, test data, application software tracing and mapping, and expert systems.

GAS refers to standard software that has the capability to directly read and access data from various database platforms, flat-file systems and ASCII formats. GAS provides IS auditors an independent means to gain access to data for analysis and the ability to use high-level, problem-solving software to invoke functions to be performed on data files. Features include mathematical computations, stratification, statistical analysis, sequence checking, duplicate checking and recomputations. The following functions are commonly supported by GAS:
• File access—Enables the reading of different record formats and file structures
• File reorganization—Enables indexing, sorting, merging and linking with another file
• Data selection—Enables global filtration conditions and selection criteria
• Statistical functions—Enables sampling, stratification and frequency analysis
• Arithmetical functions—Enables arithmetic operators and functions

The effective and efficient use of software requires an understanding of its capabilities and limitations.

Utility software is a subset of software—such as report generators of the database management system—that provides evidence to auditors about system control effectiveness.

Test data involve the auditors using a sample set of data to assess whether logic errors
exist in a program and whether the program
*""r" i,, objectives.
The review of an application system will provide
information about
mternal controls built in the system. The
audit_expert system will
give direction and valuable information
levjs of auOitors
to ail
1.6. 15 C0MPUTER-ASS|STED AUDTT while carrying out the audit because the qu".y_Uur"J
TECHNTQUES ryrtem is built
on the knowledge base of the senjor
During ttre course of an audit, the IS auditor auditors; m;agers.
is to obtain sufficien!
relevant and useful widence to effectively
achievethe audit These toolsand techniques can be used
objectives. The audit findings ana conctusions,t.rfO in performing various
U" supported audit procedures:
by appropriate analysis and interpretatron
oitrr" *ioence. Tbday,s . Tests crfthe details
oftransactions and balances
info. 11tion-grocessing
environments p"* rig.n.ant challenge . Analytical review procedures
to the IS auditor to collect sufficien! relevant.iJ*"n
" . Compliance tests
f evidence of IS general controls
since the evidence may onJy exist ln etecnonic . Compliance tests
fo.m. of IS application controls
are important tools for the IS auditor in gathering
'Y.*.t and operating system (OS) vulnerability assessments
9lATr . Penetration testing
information from these environments. When sysiems . Application
have security testing and source code security
different hardware and software environments] scans
dutu r*"*"r,
record-formats or processing functions, it is almost
impossible for The IS auditor should have a thorough understanding
the auditors to collect certain evidence without
a software tool to
ofCAAIs,
and know where and when to apply ihem. pt"a""
collect and analyze the records. i"ru. to C:,
ISACA Guideline on Computer Assisted Audit
Techniques.
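As an added illustration of the GAS functions listed above (this is example code written for this edit, not software from the CISA Review Manual or from any GAS product), the following Python script runs data selection, sequence checking, duplicate checking and stratification over a small, constructed accounts-payable extract. The record layout and field names are assumptions made for the example. The analysis runs against an in-memory copy of the extract and never writes back to the source, matching the read-only handling of production data that the manual recommends for CAATs.

```python
"""
Added example (not from the CISA Review Manual): GAS-style functions run over
a constructed payment extract. Demonstrates data selection (global filtration),
sequence checking, duplicate checking and stratification.
"""
from collections import Counter, defaultdict
import copy
import csv
import io

# Constructed sample of a payment file: sequence number, vendor, amount,
# approver. Sequence gaps and repeated payments are planted deliberately.
SAMPLE_CSV = """seq,vendor,amount,approver
1001,ACME Ltd,4200.00,jsmith
1002,Blue Sky Co,150.00,jsmith
1003,ACME Ltd,4200.00,jsmith
1005,Northwind,9800.00,mlee
1006,Blue Sky Co,150.00,kchan
1007,ACME Ltd,4200.00,jsmith
1009,Northwind,12500.00,mlee
1010,Globex,75.50,kchan
"""

def load_copy(text):
    """Parse the extract into an in-memory list. All analysis works on this
    copy; the source extract is never modified (read-only principle)."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["seq"] = int(r["seq"])
        r["amount"] = float(r["amount"])
    return copy.deepcopy(rows)

def select(rows, predicate):
    """Data selection: a global filtration condition applied to every record."""
    return [r for r in rows if predicate(r)]

def sequence_gaps(rows, key="seq"):
    """Sequence checking: numbers missing from the run between the lowest
    and highest value present. Returns the sorted list of missing numbers."""
    seqs = sorted(r[key] for r in rows)
    present = set(seqs)
    return [n for n in range(seqs[0], seqs[-1] + 1) if n not in present]

def duplicates(rows, fields):
    """Duplicate checking: groups of records sharing the same values in
    `fields`. Returns {field-values: [seq numbers]} for groups larger than one."""
    groups = defaultdict(list)
    for r in rows:
        groups[tuple(r[f] for f in fields)].append(r["seq"])
    return {k: v for k, v in groups.items() if len(v) > 1}

def stratify(rows, bands):
    """Stratification: record count and total value per amount band.
    `bands` is [(label, upper_bound)] in ascending order; the last bound may
    be float('inf'). Returns {label: (count, total)}."""
    counts, totals = Counter(), Counter()
    for r in rows:
        for label, upper in bands:
            if r["amount"] <= upper:
                counts[label] += 1
                totals[label] += r["amount"]
                break
    return {label: (counts[label], round(totals[label], 2)) for label, _ in bands}

BANDS = [("<= 1,000", 1000.0), ("1,000-10,000", 10000.0), ("> 10,000", float("inf"))]

def run_analysis(text=SAMPLE_CSV):
    """Run the four checks and return their results in one dict."""
    rows = load_copy(text)
    large_single_approver = select(
        rows, lambda r: r["amount"] > 5000 and r["approver"] == "mlee")
    return {
        "gaps": sequence_gaps(rows),
        "dups": duplicates(rows, ["vendor", "amount", "approver"]),
        "strata": stratify(rows, BANDS),
        "large_by_one_approver": [r["seq"] for r in large_single_approver],
    }

if __name__ == "__main__":
    for name, result in run_analysis().items():
        print(name, result)
```

Each function returns its result rather than printing it, so the same checks can be re-run and their output retained in the working papers alongside the extract's time stamp.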
An IS auditor should weigh the costs and benefits of CAATs before going through the effort, time and expense of purchasing or developing them. Issues to consider include:
• Ease of use, both for existing and future audit staff
• Training requirements
• Complexity of coding and maintenance
• Flexibility of uses
• Installation requirements
• Processing efficiencies (especially with a PC CAAT)
• Effort required to bring the source data into the CAATs for analysis
• Ensuring the integrity of imported data by safeguarding its authenticity
• Recording the time stamp of data downloaded at critical processing points to sustain the credibility of the review
• Obtaining permission to install the software on the auditee servers
• Reliability of the software
• Confidentiality of the data being processed

When developing CAATs, the following are examples of documentation to be retained:
• Online reports detailing high-risk issues for review
• Commented program listings
• Flowcharts
• Sample reports
• Record and file layouts
• Field definitions
• Operating instructions
• Description of applicable source documents

CAATs documentation should be referenced to the audit program, and clearly identify the audit procedures and objectives being served. When requesting access to production data for use with CAATs, the IS auditor should request read-only access. Any data manipulation by the IS auditor should be applied to copies of production files in a controlled environment to ensure that production data are not exposed to unauthorized updating. Most of the CAATs provide for downloading production data from production systems to a standalone platform and then conducting analysis from the standalone platform, thereby insulating the production systems from any adverse impact.

judgment and experience. The IS auditor should assess the strengths and weaknesses of the controls evaluated and then determine if they are effective in meeting the control objectives established as part of the audit planning process.

A control matrix is often utilized in assessing the proper level of controls. Known types of errors that can occur in the area under review are placed on the top axis and known controls to detect or correct errors are placed on the side axis. Then, using a ranking method, the matrix is filled with the appropriate measurements. When completed, the matrix will illustrate areas where controls are weak or lacking.

In some instances, one strong control may compensate for a weak control in another area. For example, if the IS auditor finds weaknesses in a system's transaction error report, the IS auditor may find that a detailed manual balancing process over all transactions compensates for the weaknesses in the error report. The IS auditor should be aware of compensating controls in areas where controls have been identified as weak.

While a compensating control situation occurs when one stronger control supports a weaker one, overlapping controls are two strong controls. For example, if a data center employs a card key system to control physical access and a guard inside the door requires employees to show their card key or badge, an overlapping control exists. Either control might be adequate to restrict access, but the two complement each other.

Normally, a control objective will not be achieved by considering one control adequate. Rather, the IS auditor will perform a variety of testing procedures and evaluate how these relate to one another. Generally a group of controls, when aggregated together, may act as compensating controls, and thereby minimize the risk. An IS auditor should always review for compensating controls prior to reporting a control weakness.

The IS auditor may not find each control procedure to be in place but should evaluate the comprehensiveness of controls by considering the strengths and weaknesses of control procedures.
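The control matrix and the compensating and overlapping control reasoning described above, as an added worked example in Python (written for this edit, not taken from the CISA Review Manual). The error types, controls and rankings are constructed, and the ranking scale (0 = no coverage, 1 = weak, 2 = strong) is an assumption made for the example.

```python
"""
Added example (not from the CISA Review Manual): a control matrix with error
types on the top axis and controls on the side axis. Each cell holds a rank
of how well the control detects or corrects that error type. Error types,
controls and rankings are constructed for the example.
"""

# Ranking scale used to fill the matrix (an assumption for the example).
NONE, WEAK, STRONG = 0, 1, 2

# Top axis: known types of errors that can occur in the area under review.
ERRORS = [
    "duplicate payment",
    "unbalanced batch",
    "unauthorized change",
    "unauthorized physical access",
]

# Side axis: known controls, each mapped to the error types it addresses.
# An error type not listed for a control is ranked NONE.
MATRIX = {
    "system transaction error report": {"duplicate payment": WEAK, "unbalanced batch": WEAK},
    "manual balancing of all transactions": {"duplicate payment": STRONG, "unbalanced batch": STRONG},
    "change ticket approval": {"unauthorized change": WEAK},
    "card-key door system": {"unauthorized physical access": STRONG},
    "guard checks badge at door": {"unauthorized physical access": STRONG},
}

def rank(control, error):
    return MATRIX[control].get(error, NONE)

def coverage(error):
    """Best rank any single control achieves for this error type."""
    return max(rank(c, error) for c in MATRIX)

def weak_or_lacking():
    """Error types for which no control is ranked STRONG: the areas the
    completed matrix shows as weak or lacking."""
    return [e for e in ERRORS if coverage(e) < STRONG]

def compensating_controls(weak_control, error):
    """Controls ranked STRONG for an error type that `weak_control` covers
    only weakly (the manual balancing example in the text)."""
    if rank(weak_control, error) != WEAK:
        return []
    return [c for c in MATRIX if c != weak_control and rank(c, error) == STRONG]

def overlapping_controls(error):
    """Two or more STRONG controls for the same error type (the card key
    plus guard example). Returns [] when fewer than two are strong."""
    strong = [c for c in MATRIX if rank(c, error) == STRONG]
    return strong if len(strong) >= 2 else []

def assess():
    """Review every weak cell for compensating controls before reporting it
    as a weakness, as the text advises."""
    findings = []
    for control in MATRIX:
        for error in ERRORS:
            if rank(control, error) == WEAK:
                comp = compensating_controls(control, error)
                findings.append({
                    "control": control,
                    "error": error,
                    "compensated_by": comp,
                    "report_as_weakness": not comp,
                })
    return findings

def render():
    """Plain-text view of the matrix for the working papers."""
    width = max(len(c) for c in MATRIX)
    lines = [" " * width + " | " + " | ".join(ERRORS)]
    for control in MATRIX:
        cells = " | ".join(str(rank(control, e)).rjust(len(e)) for e in ERRORS)
        lines.append(control.ljust(width) + " | " + cells)
    return "\n".join(lines)

if __name__ == "__main__":
    print(render())
    print("weak or lacking:", weak_or_lacking())
    for finding in assess():
        print(finding)
```

In this constructed matrix the weak error report is compensated by manual balancing and so is not reported, the two physical-access controls overlap, and only the weakly covered "unauthorized change" error type remains a reportable weakness.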
problems in this area, the IS auditor may decide that the failure to initial transmittal documents is not material enough to bring to the attention of upper management. The IS auditor might decide to discuss this only with local operations management. However, there may be other control problems that will cause the IS auditor to conclude that this is a material error because it may lead to a larger control problem in other areas. The IS auditor should always judge which findings are material to various levels of management and report them accordingly.

1.6.17 COMMUNICATING AUDIT RESULTS

The exit interview, conducted at the end of the audit, provides the IS auditor with the opportunity to discuss findings and recommendations with management. During the exit interview, the IS auditor should:
• Ensure that the facts presented in the report are correct
• Ensure that the recommendations are realistic and cost-effective, and if not, seek alternatives through negotiation with auditee management
• Recommend implementation dates for agreed-on recommendations

The IS auditor will frequently be asked to present the results of audit work to various levels of management. The IS auditor should have a thorough understanding of the presentation techniques necessary to communicate these results.

Presentation techniques could include the following:
• Executive summary—An easy-to-read, concise report that presents findings to management in an understandable manner. Findings and recommendations should be communicated from a business perspective. Detailed attachments can be more technical in nature since operations management will require the detail to correct the reported situations.
• Visual presentation—May include slides or computer graphics.

IS auditors should be aware that ultimately they are responsible to senior management and the audit committee of the board of directors. IS auditors should feel free to communicate issues or concerns to such management. An attempt to deny access by levels lower than senior management would limit the independence of the audit function.

Before communicating the results of an audit to senior management, the IS auditor should discuss the findings with the management staff of the audited entity. The goal of such a discussion would be to gain agreement on the findings and develop a course of corrective action. In cases where there is disagreement, the IS auditor should elaborate on the significance of the findings, risks and effects of not correcting the control weakness. Sometimes the auditee's management may request assistance from the IS auditor in implementing the recommended control enhancements. The IS auditor should communicate the difference between the IS auditor's role and that of a consultant, and give careful consideration to how assisting the auditee may adversely affect the IS auditor's independence.

Once agreement has been reached with the auditee, IS audit management should brief senior management of the audited organization. A summary of audit activities will be presented periodically to the audit committee. Audit committees typically are composed of individuals who do not work directly for the organization, and thus provide the auditors with an independent route to report sensitive findings.

Audit Report Structure and Contents

Audit reports are the end product of the IS audit work. They are used by the IS auditor to report findings and recommendations to management. The exact format of an audit report will vary by organization; however, the skilled IS auditor should understand the basic components of an audit report and how it communicates audit findings to management.

Note: The CISA candidate should be familiar with ISACA S7 Reporting and S8 Follow-up Activities.

There is no specific format for an IS audit report; the organization's audit policies and procedures will dictate the general format. Audit reports will usually have the following structure and content:
• An introduction to the report, including a statement of audit objectives, limitations to the audit and scope, the period of audit coverage, and a general statement on the nature and extent of audit procedures conducted and processes examined during the audit, followed by a statement on the IS audit methodology and guidelines
• A good practice is to include audit findings in separate sections. These findings can be grouped in sections by materiality and/or intended recipient.
• The IS auditor's overall conclusion and opinion on the adequacy of controls and procedures examined during the audit, and the actual potential risks identified as a consequence of detected deficiencies
• The IS auditor's reservations or qualifications with respect to the audit—This may state that the controls or procedures examined were found to be adequate or inadequate. The balance of the audit report should support that conclusion and the overall evidence gathered during the audit should provide an even greater level of support for the audit conclusions.
• Detailed audit findings and recommendations—The IS auditor would decide whether to include specific findings in an audit report. This should be based on the materiality of the findings and the intended recipient of the audit report. An audit report directed to the audit committee of the board of directors, for example, may not include findings that are important only to local management but have little control significance to the overall organization. The decision of what to include in various levels of audit reports depends on the guidance provided by upper management.
• A variety of findings, some of which may be quite material while others are minor in nature. The auditor may choose to present minor findings to management in an alternate format such as by memorandum.

The IS auditor, however, should make the final decision about what to include or exclude from the audit report. Generally, the IS auditor should be concerned with providing a balanced report, describing not only negative issues in terms of findings but positive constructive comments regarding improving processes and controls or effective controls already in place. Overall, the IS auditor should exercise independence in the reporting process.

ISACA IS auditing standard S7 and the ISACA IS Auditing Guideline on Reporting (G20) state that the report should include all significant audit findings. When a finding requires explanation, the IS auditor should describe the finding, its cause and risk. When appropriate, the IS auditor should provide the explanation in a separate document and make reference to it in the report. For example, this approach may be appropriate for highly confidential matters. The IS auditor should also identify the organizational, professional and governmental criteria applied, such as COBIT. The report should be issued in a timely manner to encourage prompt corrective action. When appropriate, the IS auditor should promptly communicate significant findings to the appropriate persons prior to the issuance of the report. Prior communication of significant findings should not alter the intent or content of the report.

Documents should include audit information that is required by laws and regulations, contractual stipulations and professional standards. Audit documentation is the necessary evidence supporting the conclusions reached, and hence should be clear, complete, easily retrievable and sufficiently comprehensible.

Audit documentation is generally the property of the auditing entity and should be accessible only to authorized personnel under specific or general permission. Where access to audit documentation is requested by external parties, the auditor should obtain appropriate prior approval of senior management and legal counsel.

The IS auditor/IS audit department should also develop policies regarding custody, retention requirements and release of audit documentation.
CISA Review Manual 2014
ISACA. All Rights Reserved.
Audit documentation should support the finding and conclusions/opinion. Time of evidence sometimes will be crucial to supporting audit findings and conclusions. The IS auditor should take enough care to ensure that the evidence gathered and documented will be able to support audit findings and conclusions. An IS auditor should be able to prepare adequate working papers, narratives, questionnaires and understandable system flowcharts.

IS auditors are a scarce and expensive resource. Any technology capable of increasing the audit productivity is welcome. Automating work papers affects productivity directly and indirectly (granting access to other auditors, reusing documents or parts of them in recurring audits, etc.).

The quest for integrating work papers in the auditor's e-environment has resulted in all major audit and project management packages, CAATs and expert systems offering a complete array of automated documentation and import-export features.

ISACA IS audit and assurance standards and guidelines set forth many specifications about work papers, including how to use those of other auditors (previous or contractors); the need to document the audit plan, program and evidence; or the use of CAATs or sampling (G1 Using the Work of Other Auditors, G2 Audit Evidence Requirement, G3 Use of Computer-assisted Audit Techniques (CAATs) and G8 Audit Documentation).

1.7 CONTROL SELF-ASSESSMENT

Control self-assessment (CSA) is an assessment of controls made by the staff and management of the unit or units involved. It is a management technique that assures stakeholders, customers and other parties that the internal control system of the organization is reliable. It also ensures that employees are aware of the risks to the business and they conduct periodic, proactive reviews of controls. It is a methodology used to review key business objectives, risks involved in achieving the business objectives and internal controls designed to manage these business risks in a formal, documented collaborative process.

In practice, CSA is a series of tools on a continuum of sophistication ranging from simple questionnaires to facilitated workshops, designed to gather information about the organization by asking those with a day-to-day working knowledge of an area as well as their managers. The basic tools used during a CSA project are the same whether the project is technical, financial or operational. These tools include management meetings, client workshops, worksheets, rating sheets and the CSA project approach. Like the continuum of tools used to gather information, there are diverse approaches to the levels below management that are queried; some organizations even include outsiders (such as clients or trading partners) when making CSA assessments.

The CSA program can be implemented by various methods. For small business units within organizations, it can be implemented by facilitated workshops where functional management and control professionals such as auditors can come together and deliberate how best to evolve a control structure for the business unit.

In a workshop, the role of a facilitator is to support the decision-making process. The facilitator creates a supportive environment to help participants explore their own experiences and those of others, identify control strengths and weaknesses, and share their knowledge, ideas and concerns. If appropriate, a facilitator may also offer his/her own expertise in addition to facilitating the exchange of ideas and experience. A facilitator does not have to be an expert in a certain process or subject matter; however, the facilitator should have basic skills such as:
• Active listening skills and the ability to ask good questions, including questions that probe the topics and move the discussions forward.
• Good verbal communication skills, including the ability to pose questions in a nonthreatening manner and the ability to summarize material.
• The ability to manage the dynamics of the group, including managing various personalities so that a few members do not dominate the discussions and managing processes so that goals are met.
• The ability to resolve conflicts.
• The ability to manage time and keep the proceedings on schedule.

In the organizations with offices located at geographically dispersed locations, it may not be practical to organize facilitated workshops. In this case, a hybrid approach is needed. A questionnaire based on the control structure can be used. Operational managers can periodically complete the questionnaire, which can be analyzed and evaluated for effectiveness of the controls. However, a hybrid approach will be effective only if the analysis and readjustment of the questionnaire is performed using a life cycle approach, as shown in exhibit 1.10.

1.7.1 OBJECTIVES OF CSA

There are several objectives associated with adopting a CSA program. The primary objective is to leverage the internal audit function by shifting some of the control monitoring responsibilities to the functional areas. It is not intended to replace audit's responsibilities, but to enhance them. Auditees such as line managers are responsible for controls in their environment; the managers also should be responsible for monitoring the controls. CSA programs also must educate management about control design and monitoring, particularly concentration on areas of high risk. These programs are not just policies requiring clients to comply with control standards. Instead, they offer a variety of support ranging from written suggestions outlining acceptable control environments to in-depth workshops. When workshops are included in the program, an additional objective—the empowerment of workers to assess or even design the control environment—may be included in the program.

When employing a CSA program, measures of success for each phase (planning, implementation and monitoring) should be developed to determine the value derived from CSA and its future use. One critical success factor (CSF) is to conduct a meeting with the business unit representatives (including appropriate and relevant staff and management) to identify the business unit's primary objective—to determine the reliability of the internal control system. In addition, actions that increase the likelihood of achieving the primary objective should be identified.
1.7.5 TECHNOLOGY DRIVERS FOR CSA

The development of techniques for empowerment, information gathering and decision making is a necessary part of a CSA program implementation. Some of the technology drivers include the combination of hardware and software to support CSA selection, and the use of an electronic meeting system and computer-supported decision aids to facilitate group decision making. Group decision making is an essential component of a workshop-based CSA where employee empowerment is a goal. In case of a questionnaire approach, the same principle applies for the analysis and readjustment of the questionnaire.

1.7.6 TRADITIONAL VS. CSA APPROACH

The traditional approach can be summarized as any approach in which the primary responsibility for analyzing and reporting on internal control and risk is assigned to auditors, and to a lesser extent, controller departments and outside consultants. This approach has created and reinforced the notion that auditors and consultants, not management and work teams, are responsible for assessing and reporting on internal control. The CSA approach, on the other hand, emphasizes management and accountability over developing and monitoring internal controls of an organization's sensitive and critical business processes.

A summary of attributes or focus that distinguishes each from the other is described in exhibit 1.11.

topical areas such as information management, IT infrastructure, IT governance and IT operations. Other audit specialists will seek to understand the organizational environment, business risks and business controls. A key element of the integrated approach is discussion of the risks arising among the whole audit team, with consideration of impact and likelihood.

Detailed audit work then focuses on the relevant controls in place to manage these risks. IT systems frequently provide a first line of preventive and detective controls, and the integrated audit approach depends on a sound assessment of their efficiency and effectiveness.

The integrated audit process typically involves:
• Identification of risks faced by the organization for the area being audited
• Identification of relevant key controls
• Review and understanding of the design of key controls
• Testing that key controls are supported by the IT system
• Testing that management controls operate effectively
• A combined report or opinion on control risks, design and weaknesses

The integrated audit demands a focus on business risk and a drive for creative control solutions. It is a team effort of auditors with different skill sets. Using this approach permits a single audit of an entity with one comprehensive report. An additional benefit is that this approach assists in staff development and retention by providing greater variety and the ability to see how all of the elements (functional and IT) mesh together to form the complete picture. See exhibit 1.12 for an integrated auditing approach.
• Implementation of highly automated audit tools that require the IS auditor to be involved in setting up the parameters
• Quickly informing IS auditors of the results of automated procedures, particularly when the process has identified anomalies or errors
• Quick and timely issuance of automated audit reports
• Technically proficient IS auditors
• Availability of reliable sources of evidence
• Adherence to materiality guidelines
• A change of mindset required for IS auditors to embrace continuous reporting
• Evaluation of cost factors

Simpler continuous auditing and monitoring tools are already built into many enterprise resource planning (ERP) packages and most operating system and network security packages. These environments, if appropriately configured and populated with rules, parameters and formulas, output exception lists on request while operating against actual data. Therefore, they represent an instance of continuous auditing. The difficult but significant added value to using these features is to postulate a definition of what would be a "dangerous" or exception condition. For instance, whether a set of granted IS access permissions is to be deemed risk-free will depend on having well-defined rules of segregation of duties. On the other hand, it may be much harder to decide if a given sequence of steps, taken to modify and maintain a database record, points to a potential risk.

IT techniques that are used to operate in a continuous auditing environment must work at all data levels—single input, transaction and databases—and include:
• Transaction logging
• Query tools
• Statistics and data analysis (CAAT)
• Database management system (DBMS)
• Data warehouses, data marts, and data mining
• Intelligent agents
• Embedded audit modules (EAM)
• Neural network technology
• Standards such as Extensible Business Reporting Language (XBRL)

Intelligent software agents may be used to automate the evaluation processes and allow for flexibility and dynamic analysis capabilities. The configuration and application of intelligent agents (sometimes referred to as bots) allows for continuous monitoring of systems settings and the delivery of alert messages when certain thresholds are exceeded or when certain conditions are met.

Full continuous auditing processes have to be carefully built into applications and work in layers. The auditing tools must operate in parallel to normal processing—capturing real-time data, extracting standardized profiles or descriptors, and passing the result to the auditing layers.

reduce possible or intrinsic audit inefficiencies such as delays, planning time, inefficiencies of the audit process, overhead due to work segmentation, multiple quality or supervisory reviews, or discussions concerning the validity of findings.

Full top management support, dedication and extensive experience and technical knowledge are all necessary to accomplish continuous auditing, while minimizing the impact on the underlying audited business processes. The auditing tools and settings may also need continual adjustment and updating.

Besides difficulty and cost, continuous auditing has an inherent disadvantage in that internal control experts and auditors might be resistant to trust an automated tool in lieu of their personal judgment and evaluation. Also, mechanisms have to be put in place to eliminate false negatives and false positives in the reports generated by such audits so that the report generated continues to inspire stakeholders' confidence in the accuracy of the report.

The implementation of continuous auditing involves many factors; however, the task is not impossible. There is an increasing desire to provide auditing over information in a real-time environment (or as close to real time as possible).

1.9 CASE STUDIES

The following case studies are included as a learning tool to reinforce the concepts introduced in this chapter. Exam candidates should note that the CISA exam does not currently use this format for testing.

1.9.1 CASE STUDY A

The IS auditor has been asked to perform preliminary work that will assess the readiness of the organization for a review to measure compliance with new regulatory requirements. These requirements are designed to ensure that management is taking an active role in setting up and maintaining a well-controlled environment, and accordingly will assess management's review and testing of the general IT control environment. Areas to be assessed include logical and physical security, change management, production control and management, IT governance, and end-user computing. The IS auditor has been given six months to perform this preliminary work so sufficient time should be available. It should be noted that in previous years, repeated problems have been identified in the areas of logical security and change management so these areas will most likely require some degree of remediation. Logical security deficiencies noted included the sharing of administrator accounts and failure to enforce adequate controls over passwords. Change management deficiencies included improper segregation of incompatible duties and failure to document all changes. Additionally, the process for deploying operating system updates to servers was found to be only partially effective. In anticipation of the work to be performed by the IS auditor, the chief information officer (CIO) requested direct reports to develop narratives and process flows describing the major activities for which IT is responsible.
See answers and explanations to the case study questions at the end of the chapter.

A. Documented risk analysis
B. Availability of technical expertise
C. Approach used in previous audit
D. IS auditing guidelines and best practices

See answers and explanations to the case study questions at the end of the chapter.
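Returning to the continuous auditing section above: an added example, written for this edit and not taken from the CISA Review Manual or from any ERP or security product, of the rule-driven exception list such tools produce once they are populated with rules, parameters and formulas. It applies a segregation-of-duties rule set to a constructed access-grant extract, applies a threshold parameter of the intelligent-agent kind to a constructed login log, and suppresses exceptions that have already been reviewed and accepted, which is one way to keep known items from recurring as false positives. Entitlement names, users, timestamps and thresholds are all assumptions made for the example.

```python
"""
Added example (not from the CISA Review Manual): a rule-driven exception
list of the kind a continuous auditing or monitoring tool produces once it
is populated with rules, parameters and formulas. All rules, users,
entitlements and log events below are constructed for the example.
"""
from collections import defaultdict

# Rule 1: segregation of duties. Each pair is two entitlements that one
# user must not hold together (constructed rule set).
SOD_CONFLICTS = [
    ("create_vendor", "approve_payment"),
    ("develop_code", "deploy_to_production"),
    ("enter_journal", "approve_journal"),
]

# Constructed access-grant extract: user -> set of granted entitlements.
GRANTED = {
    "alice": {"create_vendor", "enter_journal"},
    "bob":   {"create_vendor", "approve_payment"},
    "carol": {"develop_code", "deploy_to_production", "approve_journal"},
    "dave":  {"develop_code", "deploy_to_production"},
}

# Exceptions already reviewed and accepted with a documented compensating
# control. Suppressing them keeps known items from recurring as false
# positives in every report (constructed entry).
ACCEPTED_EXCEPTIONS = {
    ("dave", ("develop_code", "deploy_to_production")),
}

def sod_exceptions(granted=GRANTED, conflicts=SOD_CONFLICTS):
    """Return [(user, (right_a, right_b))] for each conflicting pair a user holds."""
    out = []
    for user, rights in sorted(granted.items()):
        for a, b in conflicts:
            if a in rights and b in rights:
                out.append((user, (a, b)))
    return out

# Rule 2: a threshold parameter. Constructed login log entries are
# (timestamp in seconds, user, outcome).
EVENTS = [
    (0, "bob", "fail"), (30, "bob", "fail"), (45, "bob", "fail"),
    (60, "bob", "fail"), (400, "bob", "fail"),
    (20, "alice", "fail"), (500, "alice", "success"),
]

def threshold_alerts(events=EVENTS, limit=3, window=300):
    """Alert the first time a user accumulates `limit` failed logins within
    `window` seconds (sliding window). Returns [(user, timestamp)]."""
    recent = defaultdict(list)
    alerts, alerted = [], set()
    for ts, user, outcome in sorted(events):
        if outcome != "fail":
            continue
        # Keep only failures still inside the window, then add this one.
        recent[user] = [t for t in recent[user] if ts - t <= window] + [ts]
        if len(recent[user]) >= limit and user not in alerted:
            alerts.append((user, ts))
            alerted.add(user)
    return alerts

def exception_report(granted=GRANTED, events=EVENTS):
    """The exception list an auditor would review: open SoD conflicts
    (accepted ones suppressed) plus threshold alerts."""
    open_sod = [x for x in sod_exceptions(granted) if x not in ACCEPTED_EXCEPTIONS]
    return {"sod": open_sod, "threshold": threshold_alerts(events)}

if __name__ == "__main__":
    for kind, items in exception_report().items():
        print(kind)
        for item in items:
            print("  ", item)
```

The two rules illustrate the distinction the text draws: the SoD rule is easy to state once the conflicting pairs are agreed, whereas deciding which sequences of record changes are risky would need a far richer rule set than a threshold.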
1.10 ANSWERS TO CASE STUDY QUESTIONS

ANSWERS TO CASE STUDY A QUESTIONS

A1. A  An IT risk assessment should be performed first to ascertain which areas present the greatest risks and what controls mitigate those risks. Although narratives and process flows have been created, the organization has not yet assessed which controls are critical. All other choices would be undertaken after performing the IT risk assessment.

A2.  When testing a control, it is advisable to trace from the item being controlled to the relevant control documentation. When a sample is chosen from a set of control documents, there is no way to ensure that every change was accompanied by appropriate control documentation. Accordingly, changes to production code provide the most appropriate basis for selecting a sample. These sampled changes should then be traced to appropriate authorizing documentation. In contrast, selecting from the population of change management documents will not reveal any changes that bypassed the normal approval and documentation process. Similarly, comparing production code changes to system-produced logs will not provide evidence of proper approval of changes prior to their being migrated to production.

B2. A  In order to decide if the audit scope should include specific infrastructure components (in this case, the firewall rules and VPN configuration settings), the auditor should perform and document a risk analysis in order to determine which sections present the greatest risk and include these sections in the audit scope. The risk analysis may consider factors such as previous revisions to the system, related security incidents within the company or other companies of the same sectors, resources available to do the review and others. Availability of technical expertise and the approach used in previous audits may be taken into consideration; however, these should be of secondary importance. IS auditing guidelines and best practices provide a guide to the auditor on how to comply with IS audit standards, but by themselves they would not be sufficient to make this decision.

B3. A  The auditor should first review the authorization on a sample of transactions in order to determine and be able to report the impact and materiality of this issue. Whether the auditor would immediately report the issue or wait until the end of the audit to report this finding will depend on the impact and materiality of the issue, which would require reviewing a sample of transactions. The use of GAS to check the integrity of the database would not help the auditor assess the impact of this issue.