Process of Auditing Information Systems: CISA Tutorial
1.1 Process of Auditing Information Systems
Hello and welcome to the first domain of the Certified Information Systems Auditor (CISA) course offered by Simplilearn. This domain covers the information systems auditing process. Let us look at the objectives of this domain in the next screen.

Objectives
By the end of this domain, you should be able to:
• list the knowledge statements related to this domain;
• understand how an IS audit function should be managed;
• detail the ISACA IS Audit and Assurance Standards and Guidelines;
• explain risk analysis, internal controls and control assessment;
• demonstrate how an IS audit should be performed; and
• expound on the IS audit process.
In the following screen, we will understand CISA task and knowledge statements.

Introduction
Task statements describe what a CISA candidate is expected to know how to perform. Knowledge statements describe what a CISA candidate must understand well in order to perform those tasks. A task can map to more than one knowledge statement. Let us start with the first topic in this domain in the following screen.
1.2 Knowledge Statement 1.1
In this topic, we will learn about the concepts under the first knowledge statement, or KS 1.1. We will begin with ISACA IS audit best practice resources in the next screen.

ISACA IS Audit Best Practice Resources
The credibility of an audit is based on the use of commonly accepted standards. ISACA is the global pioneer of IS audit and assurance guidelines, standards, tools and techniques, and the Professional Code of Ethics. ISACA standards provide a universal benchmark for IS audit. The following screen lists the main areas to be covered under this knowledge statement.

Main Areas of Coverage
The main areas to be covered are:
• ISACA Code of Professional Ethics
• ISACA IS Audit and Assurance Standards Framework
• ISACA IS Audit and Assurance Guidelines
• ISACA IS Audit and Assurance Tools and Techniques
• Relationship among Standards, Guidelines, and Tools and Techniques
Note that the CISA exam only tests the understanding and application of the Standards and Guidelines, not the candidate's ability to memorize definitions. In the next screen we will learn how to manage an IS audit function.

Management of an IS Audit Function
The IS audit function should be organized in a manner that allows the IS audit objectives to be attained while maintaining independence and competence. It should also add value to the efficient management of IT and the attainment of the enterprise's objectives. IS audit services can be provided internally, through an IS audit department or function, or externally through firms that provide professional IS audit or assurance services. Some of the best-known firms are the Big 4 (PwC, KPMG, Ernst & Young and Deloitte), although many others offer professional services in different countries. The management of an IS audit function should always ensure that an audit plan is in place with adequate resources, both manpower and IT resources.
Let us learn about ISACA's Code of Professional Ethics in the next screen.

ISACA Code of Professional Ethics
ISACA has set forth a code governing the professional conduct and ethics of all certified IS auditors and members of the association. Members and certification holders are required to:
• Support and encourage compliance with appropriate standards, procedures and controls for information systems.
• Perform their duties with professional care and due diligence, in accordance with professional standards and best practices.
• Serve the interests of stakeholders in an honest and legal manner, while maintaining high standards of conduct and character, and not engage in acts discreditable to the profession.
• Maintain the confidentiality and privacy of information obtained in the course of their duties, unless disclosure is required by legal authority. Such information should not be used for personal benefit, nor released to inappropriate parties.
We shall continue with ISACA's Code of Professional Ethics in the next screen.

ISACA Code of Professional Ethics (contd.)
• Maintain competency within their respective fields of expertise and undertake only activities which they can reasonably expect to complete with professional competence.
• Inform interested parties of the results of work performed, revealing all significant facts known to them.
• Support the professional education of stakeholders in enhancing their understanding of information systems security and control.
Failure to comply with the Code of Professional Ethics can result in a review of the member's and/or certification holder's conduct and, possibly, disciplinary action. In the next screen you will learn ISACA's common definitions, which you will encounter while studying for the CISA exam.
ISACA Definitions
Standards: Define the mandatory requirements for IS audit, assurance and reporting.
Guidelines: Provide guidance in applying the IS audit and assurance standards. The auditor relies on professional judgment in their application.
Tools and Techniques: Provide examples of processes an IS auditor might follow in an audit engagement.
Let us now look at ISACA's IT Audit and Assurance Standards Framework in the next screen.

ISACA IT Audit and Assurance Standards Framework
The objectives of the IS audit and assurance standards are to inform IS auditors of the minimum level of performance needed to meet the professional responsibilities set out in the Code of Professional Ethics, and to inform management of the profession's expectations concerning the work of audit practitioners. Holders of the CISA certification should understand that failure to meet these standards may result in a review of the holder's conduct by the ISACA Board of Directors, which may ultimately result in disciplinary action. Let us now look at ISACA's IS Audit and Assurance Guidelines in the next screen.

ISACA IS Audit and Assurance Guidelines
The ISACA IS Audit and Assurance Guidelines provide further information on how to comply with the ISACA IT Audit and Assurance Standards. IS auditors should use professional judgment in applying them and be able to justify any departure. There are 42 categories of guidelines. Some examples of guidelines important to a CISA candidate are listed on the screen. For a complete list of ISACA IS Audit and Assurance Guidelines, please visit the ISACA website. We shall look at ISACA's IS Audit and Assurance Tools and Techniques in the next slide.

ISACA IS Audit and Assurance Tools and Techniques
The ISACA IS Audit and Assurance Tools and Techniques provide further examples of possible processes an IS auditor may follow in an audit engagement.
Tools and techniques are currently categorized into:
• Reference series (books)
• Audit/assurance programs
• White papers
• Journal articles
It is not mandatory for the IS auditor to follow these tools and techniques; however, following them provides assurance that the standards are being met. For a complete list of ISACA IS Audit and Assurance Tools and Techniques, please visit the ISACA website. Let us understand the Information Technology Assurance Framework in the following screen.

Information Technology Assurance Framework
ITAF™ is a good-practice-setting model developed by ISACA's IT Governance Institute (ITGI®). It provides direction on the design, conduct and reporting of IT audit and assurance assignments; describes concepts and terms specific to IT assurance; and establishes standards addressing IT audit and assurance roles and responsibilities, knowledge and skills, and conduct and reporting requirements. Note that the CISA exam does not test the candidate's knowledge of ITAF. You will now attempt a question to test your knowledge of what we have covered so far.
1.4 Knowledge Statement 1.2
In this topic, we will learn about the concepts under the second knowledge statement, or KS 1.2. Let us start with risk assessment and analysis in the following screen.

Risk Assessment and Risk Analysis
A good grasp of risk assessment concepts, tools and techniques in an audit context is necessary to carry out risk assessments. The overall audit plan should focus on the business risks related to the use of IT. The area under audit represents the audit scope. The auditor is expected to use risk analysis techniques to establish the critical areas to focus on within the audit scope. Because audit resources are limited, the auditor should focus on high-risk areas when drawing up the audit plan. The following screen lists the main areas to be covered under this knowledge statement.

Main Areas of Coverage
The main areas to be covered here are risk analysis, audit methodology, risk-based auditing, audit risk and materiality, risk assessment and treatment, and risk assessment techniques. In the next screen, we will learn about risk analysis and why it is important to an IS auditor.

Risk Analysis
Risk analysis is part of auditing and helps recognize risks and vulnerabilities so that the IS auditor can determine the controls needed to mitigate those risks. Risk is defined as the combination of the probability of an event occurring and its consequence. IT risk is the business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise. We shall continue to learn more about risk analysis in the next screen.

Risk Analysis (contd.)
From the IS audit perspective, risk analysis serves more than one purpose:
• It assists the IS auditor in identifying risks and threats to an IT environment and IS system.
• It helps the IS auditor evaluate controls during audit planning.
• It assists the IS auditor in determining audit objectives.
• It supports risk-based audit decision making.
Let us learn about the risk-based audit approach in the next screen.

Risk-Based Audit Approach
In a risk-based audit approach, the areas to be audited are determined by their perceived level of risk. Residual risk represents management's risk appetite, that is, the risk that the organization's management is willing to accept. Normally, controls are implemented to reduce risk to an acceptable level. Audit risk is the risk that information or a report contains a material error and that the error goes undetected when carrying out the audit. Let us learn about the various types of risk in the next screen.

Inherent, Control, Detection and Overall Audit Risk
Inherent risk is the probability that an error exists which could be material, assuming there are no related compensating controls. Inherent risk exists independently of an audit and can arise from the nature of the business. Control risk is the probability that a material error exists which will not be prevented or detected on a timely basis by the system of internal controls. Detection risk is the probability that the Information Systems Auditor (ISA) has used inadequate checks and concludes that material errors are absent when in fact they are present. Overall audit risk is the combination of the individual audit risk categories for each control objective. The objective of the audit approach is to limit overall audit risk. We shall learn about risk assessment and treatment in the next screen.

Risk Assessment and Treatment
Risk assessment involves identifying, quantifying and prioritizing risks against the criteria for risk acceptance and the objectives relevant to the organization.
Risk assessments should be performed periodically, to address changes in the environment, security requirements and the risk situation, and whenever significant changes occur. Risk treatment involves the following:
• Risk mitigation – applying appropriate controls to reduce the risks.
• Risk acceptance – knowingly and objectively not taking action, provided the risk clearly satisfies the organization's policy and criteria for risk acceptance.
• Risk avoidance – not allowing the actions that would cause the risks to occur.
• Risk transfer/sharing – transferring the associated risks to other parties, e.g. insurers or suppliers.
Let us learn about risk assessment methods in the next screen.

Risk Assessment Techniques
Different methods can be employed to perform risk assessments, and an assessment may combine several of them. These methods may develop and change over time. Examples include the scoring system method and the judgmental method. All methods rely on subjective judgment at some point in the process, so the auditor should evaluate the appropriateness of any chosen risk methodology. You will now attempt a question to test what you have learned so far.
1.6 Knowledge Statement 1.3
In this topic, we will learn about the concepts under the third knowledge statement, or KS 1.3. Let us discuss control objectives and IS controls in the following screen.

Control Objectives and IS Controls
IS auditing involves assessing IS-related controls and understanding their control objectives. It also involves identifying the key controls that help achieve a well-controlled environment. COBIT provides a control framework that the IS auditor can use to benchmark IS audit control objectives. The following screen lists the main areas to be covered under this knowledge statement.

Main Areas of Coverage
The main areas covered here are:
• Audit Planning
• IS Control Objectives
• COBIT 5
• IS Controls
Although COBIT (pronounced "Co-bit") is an excellent resource for CISA exam preparation, COBIT definitions and references will not be tested in the CISA exam. We will learn about internal controls in the next screen.

Internal Controls
Internal control is a process in which an organization's structure, work and authority flows, people and management information systems are designed to help the organization accomplish its specific business objectives while minimizing risk. Internal control is composed of policies, procedures, practices and organizational structures implemented to reduce risks to the organization. Controls can be manual or automated. Let us discuss internal controls further in the following screen.

Internal Controls (contd.)
Controls address two things: what should be achieved and what should be avoided. Internal control procedures are categorized into general control procedures and information systems control procedures. Controls can be further classified into preventive, detective and corrective. Let us look at the classification of internal controls in the next screen.

Classification of Internal Controls
Internal controls can be classified into:
Preventive controls – These prevent, predict or detect problems before they occur.
Examples are locking an office to prevent unauthorized access or theft, and authentication mechanisms such as RSA tokens to avoid man-in-the-middle (MitM) attacks.
Corrective controls – These minimize the impact of a threat and identify the cause of the problem. An example is backup, which ensures recovery by restoring data from magnetic tapes, virtual tape libraries or whatever other backup technology is in use.
Detective controls – These detect and report the occurrence of errors, omissions and attacks as they occur. Examples are logical and physical access logging, such as application audit trails, database security logging and server room access door logging that records who went in and when.
We shall look at information systems control objectives in the next screen.

IS Control Objectives
IS control objectives provide a complete set of high-level requirements to be considered by management for the effective control of each IT process. These objectives are:
• Statements of the desired result or purpose to be achieved by implementing controls around information systems processes
• Comprised of policies, procedures, practices and organizational structures
• Designed to provide adequate assurance that business objectives will be achieved and undesired events will be prevented, or detected and corrected
The following screen lists examples of IS control objectives.

IS Control Objectives – Examples
Examples of IS control objectives are: ensuring the integrity of the system, such as operating system integrity; ensuring the integrity of sensitive and critical application systems; safeguarding assets; ensuring the effectiveness and efficiency of operations; ensuring an appropriate authentication process for users; ensuring the effectiveness of the objective; and ensuring availability of service through business continuity planning (BCP) and a disaster recovery plan (DRP). Let us understand how the COBIT framework can be useful to an IS auditor in the next screen.
COBIT 5
Control Objectives for Information and Related Technology (COBIT 5) is a good-practice framework that supports IT governance and management in ensuring that IT is aligned with the business so as to maximize benefits. COBIT 5 is generic and useful for enterprises of all sizes, whether commercial, not-for-profit or public sector. COBIT 5 is based on five principles: meeting stakeholder needs; covering the enterprise end-to-end; applying a single integrated framework; enabling a holistic approach; and separating governance from management. The exam does not require specifying or defining COBIT processes or domains; however, an understanding of what frameworks are and their value to the organization is needed, and the key principles of such frameworks are important to know. Let us look at information systems controls in the next screen.

IS Controls
Each general control can be translated into an IS-specific control. A well-designed information system should have controls built in for all its sensitive or critical functions. The IS control procedures include:
• Strategy and direction of the IT function
• General organization and management of the IT function
• Access to IT resources, including data and programs
• System development methodologies and change control
• Operations procedures
• System programming and technical support functions
• Quality assurance (QA) procedures
• Physical access controls
• Business continuity planning (BCP)/disaster recovery planning (DRP)
• Networks and communications
• Database administration
• Protective and detective mechanisms against internal and external attacks
We shall look at classifying audits in the next screen.

Classification of Audits
The IS auditor should understand the various types of audit that can be performed, internally or externally, and the audit procedures associated with each:
Financial audit focuses on the correctness, reliability and integrity of financial statements.
Operational audit is designed to evaluate the internal control structure in a given process or area.
Integrated audit combines financial and operational audit steps.
Administrative audit is oriented to assessing issues related to the efficiency of operational productivity within an organization.
Information systems audit collects and evaluates evidence to determine whether the information systems and related resources adequately safeguard assets.
Specialized audit is specific to a given area.
Forensic audit specializes in discovering, disclosing and following up on frauds and crimes.
The following screen gives some examples of audit types.

Classification of Audits – Examples
Specialized audit example: The SAS 70 standard for evaluating service organizations can be applied to outsourcing organizations. This audit would give confidence in the services offered by a firm.
Forensic audit example: A crime orchestrated using computer equipment would require analysis of the equipment, such as the PC, operating system and application logs, network switch, firewall, etc.
You will now attempt a question to test your knowledge of what you have learned so far.
1.8 Knowledge Statement 1.4
In this topic, we will learn about the concepts under knowledge statement 1.4. Let us discuss audit planning and audit project management in the following screen.

Audit Planning, Project Management Techniques and Follow-up
Adequate audit planning is key to achieving the audit objectives within the time and budget constraints for a given audit scope. The IS auditor has to plan in advance for the efficient and effective use of audit resources, applying audit project planning and management techniques. The following screen lists the main areas to be covered under this knowledge statement.

Main Areas of Coverage
The main areas to be covered under this knowledge statement are:
• IS Audit Resource Management
• Audit Planning
• Effect of Laws and Regulations on IS Audit Planning
• Audit Programs
• Audit Objectives
• Audit Methodology
Let us look at what an audit program is in the next screen.

Audit Program
An audit work program represents the audit strategy and plan. It contains the audit scope, the audit objectives and the audit procedures (appropriate for gathering evidence to support the audit conclusions and opinions). The audit work program is essentially a guide for documenting the audit steps performed and the types and extent of evidential matter reviewed. It also provides a trail of the process used and accountability for performance. The IS audit process steps are as follows:
• Plan – assess risks and develop the audit program, objectives and procedures or guidelines.
• Obtain and evaluate evidence on the strengths and weaknesses of controls.
• Prepare and present the report, first as a draft and then as a final report.
• Follow up on the findings of the report; this involves appropriate corrective actions taken by management.
Let us look at audit procedures in the next screen.
Audit Procedures
General audit procedures are the basic steps in the performance of an audit and usually include:
• Obtaining and recording an understanding of the audit area/subject
• Risk assessment and general audit plan/schedule
• Detailed audit planning
• Preliminary review of the audit area/subject
• Evaluating the audit area/subject
• Compliance testing (tests of controls and their consistent application)
• Substantive testing (confirming the accuracy of information)
• Reporting
• Follow-up
The IS auditor must understand the procedures for testing and evaluating IS controls. These procedures could include:
• The use of generalized audit software to survey the contents of data files (including system logs)
• The use of specialized software to assess the contents of operating system, database and application parameter files (or detect deficiencies in system parameter settings)
• Flowcharting techniques for documenting automated applications and business processes
• The use of audit logs/reports available in operating/application systems
• Documentation review
• Inquiry and observation
• Walkthroughs
• Performance of controls
Let us understand audit methodology in the next screen.

Audit Methodology
An audit methodology is a set of documented audit procedures designed to achieve the planned audit objectives. It is an approach for performing the audit in a consistent and recurring manner so as to achieve the planned audit objectives. Its components are a statement of scope, a statement of audit objectives and a statement of audit programs. Let us look at the phases of the audit methodology in the following screen.

Audit Methodology Phases
The audit methodology phases are as follows:
• Identify audit subject – identify which areas are to be audited.
• Identify audit objective – define why the audit is occurring.
• Set audit scope – identify which specific functions or systems are to be examined.
• Conduct pre-audit planning – identify the resources needed for the audit.
• Gather data – identify interviewees, identify the processes to be tested, etc.
• Evaluation – identify the procedures for evaluating the test or review results.
• Communicate with management – document and communicate the results to management.
• Prepare audit report – this is the culmination of the audit process.
You will now attempt a question to test what you have learned so far.
1.10 Knowledge Statement 1.5
In this topic, we will learn about the concepts under knowledge statement 1.5. We will begin with fundamental business processes in the following screen.

Fundamental Business Processes
Identifying an enterprise's key risks requires an understanding of the organization and its environment, its control objectives, the type and nature of the transactions the entity engages in and with whom, the flow of those transactions, and how they are captured in information systems. Let us look at some examples of transactions in the next screen.

Fundamental Business Processes – Transaction Examples
• A bank may have various transactions such as mobile banking, ATM transactions, and over-the-counter transactions (e.g. deposits, withdrawals).
• A chain store may have point-of-sale (PoS) transactions carrying credit card information or cash, and extranet transactions with suppliers (Electronic Data Interchange), etc.
The following screen lists the main areas to be covered under this knowledge statement.

Main Areas of Coverage
The main areas to be covered include risk analysis, IS control objectives, IS controls and COBIT 5. These have already been covered in other sections. You will now attempt a question to test what you have learned so far.
1.12 Knowledge Statement 1.6
In this topic, we will learn about the concepts under knowledge statement 1.6. We will look at the applicable laws and regulations in an audit plan in the next screen.

Applicable Laws and Regulations for IS Audit
KS 1.6 deals with the applicable laws and regulations that affect the scope, evidence collection and preservation, and frequency of audits. Fraud investigations and legal proceedings require that the integrity of the evidence be maintained throughout its life cycle (the chain of custody for forensic evidence). Legal requirements include laws, regulations and/or contractual agreements placed on the audit (or IS audit) or the auditee. Management and audit personnel in an organization should be aware of the external requirements for computer system practices and controls, and for how data is processed, transmitted and stored. The need to comply with different laws raises legal requirements that affect the audit objectives and audit scope. The following screen lists the main areas to be covered.

Main Areas of Coverage
The main areas to be covered are evidence, audit documentation and continuous auditing.

Effect of Laws and Regulations on IS Audit Planning
The steps to check compliance with external requirements are:
• Identify the external requirements
• Document the applicable laws and regulations
• Assess whether the external requirements have been considered by management and the IS function in plans, standards, policies and business applications
• Review internal IS department/function documents that address adherence to the applicable laws
• Determine whether existing procedures address the requirements
• Determine whether procedures exist that extend responsibility for the requirements to third-party vendors (e.g. IT service providers)
The CISA candidate will not be asked about any specific laws or regulations, but may be questioned about how one would audit for compliance with laws and regulations. The examination only tests knowledge of accepted global practices.
You will now attempt a question to test what you have learned so far.
1.13 Knowledge Statement 1.7
In this topic, we will learn about the concepts under knowledge statement 1.7: evidence and evidence collection for IS auditing. We will begin with evidence collection techniques in the next screen.

Evidence Collection Techniques
Audit findings must be supported by objective evidence, so the IS auditor must know the techniques for gathering and preserving evidence. Information can be gathered through inquiry, observation, interviews, and analysis using Computer Assisted Audit Techniques (CAATs) such as ACL and IDEA, among others. Electronic media may be used to retain the audit evidence supporting the audit findings, and retention policies should meet the requirements for such evidence. The following screen lists the main areas to be covered under this knowledge statement.

Main Areas of Coverage
The main areas to be covered are:
• Computer Assisted Audit Techniques
• Evidence
• Interviewing and Observing Personnel in the Performance of their Duties
• Continuous Auditing
• Audit Documentation
Let us learn all about evidence in the next screen.

Evidence
Evidence is what the Information Systems Auditor (ISA) gathers in the course of performing an IS audit in order to meet the audit objectives by supporting the audit findings. Evidence must relate directly to the objectives of the review. Evidence gathering is key to the audit process and is mandatory under standard S6, Performance of Audit Work. The evidence should be appropriately organized and documented to support the findings and conclusion(s). Let us look at the determinants of the reliability of evidence in the following screen.
Reliability of Evidence
The determinants of the reliability of evidence include:
• Independence of the provider of the evidence
• Qualifications of the individual providing the information/evidence
• Objectivity of the evidence
• Timing of the evidence
Given an audit scenario in the exam, the CISA candidate should be able to determine which evidence-gathering technique would be best. We shall learn about evidence characteristics in the next screen.

Evidence Characteristics and Types
The confidence level placed in evidence is based on its value. Audit evidence is considered to be:
• Sufficient – if it is complete, adequate and convincing, and would lead another ISA to form the same conclusions
• Useful – if it assists ISAs in meeting their audit objectives
• Reliable – if, in the auditor's opinion, it is valid, factual, objective and supportable
• Relevant – if it pertains to the audit objectives and has a logical relationship to the findings and conclusions it is used to support
Let us look at the types of audit evidence in the following screen.

Types of Audit Evidence
Types of audit evidence include:
• Observed processes and the existence of physical items
• Documentary evidence recorded on paper or other media
• Analysis (including comparisons, simulations, calculations and reasoning)
• Representations
Let us learn how an auditor can gather evidence in the next screen.
Techniques for Gathering Evidence
The following are techniques for gathering evidence:
• Reviewing IS organizational structures
• Reviewing IS documentation
• Reviewing IS standards
• Reviewing IS policies and procedures
• Interviewing appropriate personnel
• Observing processes and employee performance
• Reperformance
• Walkthroughs

Audit Documentation
Audit documentation should, at a minimum, include a record of:
• Planning and preparation of the audit scope and objectives
• Description of and/or walkthroughs on the scoped audit area
• The audit program
• Audit steps performed and audit evidence gathered
• Use of the services of other auditors or experts
• Audit findings, conclusions and recommendations
• Audit documentation identification and dates
You will now attempt a question to test what you have learned so far.
1.15 Knowledge Statement 1.8
In this topic, we will learn about the concepts under the next knowledge statement, KS 1.8. We will begin with sampling methodologies in the next couple of screens.

Sampling Methodologies
Compliance testing gathers evidence in order to test the enterprise's compliance with control procedures. Substantive testing gathers evidence to evaluate the integrity of individual transactions, data or other information. The presence of adequate internal controls (established through compliance testing) minimizes the number of substantive tests that have to be done.

Sampling Methodologies (contd.)
Conversely, weaknesses in internal controls increase the need for, and number of, substantive tests. Sampling is done when it is not practical, given the time and cost needed, to test or verify all transactions (the population, i.e. all the items in the area being examined). The main areas of coverage are compliance testing versus substantive testing, and sampling. Let us look at sampling in the next screen.

Sampling
A sample is a subset of the population. It is used to infer the characteristics of the population from the results of examining the characteristics of the sample. The population consists of the entire group of items that need to be examined, and the sample must represent the characteristics of the whole population as closely as possible. The IS auditor is not expected to be a sampling expert but should know the general sampling principles and how to design a sample that can be relied upon (regulatory requirements on organizations). We shall look at approaches to sampling in the next screen.

General Approaches to Sampling
Statistical sampling uses an objective method; non-statistical (or judgmental) sampling uses subjective judgment. Statistical sampling uses an objective method to determine the sample size, selection criteria, sample precision and reliability (confidence level).
This sampling can infer population characteristics from the sample, and is the preferred method. Non-statistical or judgmental sampling uses subjective judgment to determine the method of sampling, sample size and sample selection. It cannot be used to infer population characteristics from the sample and is not the preferred method of sampling. Sampling risk is the probability that the auditor will draw the wrong conclusions from the sample. Both statistical and non-statistical methods require auditor judgment. We shall understand attribute and variable sampling in the next screen.
Attribute and Variable Sampling
Sampling methods are of two types: attribute sampling and variable sampling. Attribute sampling is also known as proportional sampling. It deals with the presence or absence of an attribute and is generally used in compliance testing. Conclusions are expressed in rates of incidence.
Attribute sampling: Types
• Attribute sampling, also called fixed sample size attribute sampling or frequency estimation
• Stop-or-go sampling
• Discovery sampling
Variable sampling is used to estimate the dollar value or some other unit of measure, like weight. It is also known as dollar estimation, mean estimation sampling or quantitative sampling. It is mostly applied in substantive testing. The method provides conclusions related to deviations from the norm. Types of variable sampling include:
• Stratified mean per unit
• Unstratified mean per unit
• Difference estimation
Let us learn about computer assisted audit techniques in the next screen.
Computer Assisted Audit Techniques (CAATs)
Computer Assisted Audit Techniques (CAATs) are automated tools and techniques used by an auditor for gathering and analyzing data from computer systems to meet a predetermined audit objective. This approach emphasizes the reliability of the records produced and maintained in the system. The source of the information provides reassurance on the findings generated.
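To make the attribute sampling screens above concrete, here is an added worked example (not part of the Simplilearn tutorial or any ISACA material) of statistical attribute sampling applied to a compliance test. The population is a constructed set of user access review records, where a record with no manager approval is a deviation. The sample size rule is the standard discovery sampling formula (smallest n such that at least one deviation would appear with the chosen confidence if the true rate equalled the tolerable rate), and the conclusion is expressed as a rate of incidence with a one-sided Clopper-Pearson upper bound; both methods are my choice for the illustration, not something the tutorial prescribes. Record layout, the `missing_approval` predicate and the seed are assumptions.

```python
"""Attribute (compliance) sampling over a constructed population of
access-review records. Added illustration, not CISA course material."""
import math
import random


def discovery_sample_size(tolerable_rate, confidence=0.95):
    """Smallest n such that, if the true deviation rate were tolerable_rate,
    at least one deviation appears in the sample with probability >= confidence."""
    if not 0.0 < tolerable_rate < 1.0 or not 0.0 < confidence < 1.0:
        raise ValueError("rates must be strictly between 0 and 1")
    return math.ceil(math.log(1.0 - confidence) / math.log(1.0 - tolerable_rate))


def binomial_cdf(k, n, p):
    """P(X <= k) for X ~ Binomial(n, p), computed exactly with math.comb."""
    return sum(math.comb(n, i) * p ** i * (1.0 - p) ** (n - i) for i in range(k + 1))


def upper_deviation_bound(deviations, sample_size, confidence=0.95):
    """One-sided Clopper-Pearson upper bound on the population deviation rate:
    the smallest p at which observing <= deviations in sample_size items has
    probability no greater than 1 - confidence (found by bisection)."""
    alpha = 1.0 - confidence
    lo, hi = 0.0, 1.0
    for _ in range(60):
        mid = (lo + hi) / 2.0
        if binomial_cdf(deviations, sample_size, mid) > alpha:
            lo = mid  # this rate is still plausible, so the bound lies higher
        else:
            hi = mid
    return hi


def evaluate_compliance(population, is_deviation, tolerable_rate,
                        confidence=0.95, seed=12345):
    """Statistical attribute sampling: objective sample size, reproducible
    random selection, and a rate-of-incidence conclusion."""
    n = min(discovery_sample_size(tolerable_rate, confidence), len(population))
    sample = random.Random(seed).sample(population, n)
    found = sum(1 for record in sample if is_deviation(record))
    bound = upper_deviation_bound(found, n, confidence)
    return {
        "sample_size": n,
        "deviations": found,
        "observed_rate": found / n,
        "upper_bound_rate": bound,
        # Controls are relied upon only if the bound stays within tolerance.
        "controls_reliable": bound <= tolerable_rate,
    }


def build_population(size, deviation_indexes):
    """Constructed sample input (assumed layout): access-review records in
    which an empty 'approved_by' field is the deviation being tested."""
    return [
        {"user": f"u{i:05d}",
         "approved_by": "" if i in deviation_indexes else "manager"}
        for i in range(size)
    ]


def missing_approval(record):
    """Hypothetical compliance attribute: review lacks a manager approval."""
    return record["approved_by"] == ""


if __name__ == "__main__":
    clean = build_population(5000, set())
    print(evaluate_compliance(clean, missing_approval, tolerable_rate=0.01))
    weak = build_population(5000, set(range(0, 5000, 20)))  # 5 % deviation rate
    print(evaluate_compliance(weak, missing_approval, tolerable_rate=0.01))
```

With a 1 % tolerable deviation rate at 95 % confidence the objective sample size is 299; zero deviations in that sample bound the population rate just under 1 %, while a single deviation already pushes the bound above tolerance, which is exactly why the tutorial says weaknesses found in compliance testing increase the substantive work that follows.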
The CAATs process involves understanding the client, obtaining effective evidence, data analysis and reporting. CAATs are necessitated by differences in hardware and software environments, data structures, record formats and processing functions.
Examples of CAATs
• Generalized audit software, e.g. IDEA, ACL
• Utility software, e.g. DBMS report writers
• Debugging and scanning software
• Test data
• Expert systems
• SQL commands
• Third-party access control software
• Application software tracing and mapping
• Options and reports built into a system
Let us continue with computer assisted audit techniques in the next screen.
Computer Assisted Audit Techniques (CAATs) (contd.)
Generalized Audit Software (GAS) refers to standard software that has the capability to directly read and access data from various database platforms, flat-file systems and ASCII formats. GAS provides IS auditors an independent means to gain access to data for analysis. The following functions are commonly supported by GAS:
• File access—Enables the reading of different record formats and file structures
• File reorganization—Enables indexing, sorting, merging and linking with another file
• Data selection—Enables global filtration conditions and selection criteria
• Statistical functions—Enables sampling, stratification and frequency analysis
• Arithmetical functions—Enables arithmetic operators and functions
Let us learn what the IS auditor has to consider before opting for CAATs in the following screen.
Computer Assisted Audit Techniques (CAATs) (contd.)
An IS auditor should weigh the costs and benefits of CAATs before going through the effort, time and expense of purchasing or developing them.
Issues to consider include:
• Ease of use, both for existing and future audit staff
• Training requirements
• Complexity of coding and maintenance
• Flexibility of uses
• Installation requirements
• Processing efficiencies
• Effort to obtain source data into the CAAT
• Integrity of imported data, by safeguarding authenticity
• Recording the time stamp of data downloaded at a critical point, for credibility of the review
• Reliability of software
• Confidentiality of data being processed
You will now attempt a question to test what you have learned so far.
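The GAS functions listed above (file access, data selection, statistical and arithmetical functions) and the duplicate and gap checks the exam pointers mention are easier to picture with a small runnable example. The following is an added illustration written for this page; it is not code from IDEA, ACL or any other product. It works on a constructed transaction extract embedded inline (the column names, the sequence-number field and the "unapproved and at least 5000" selection rule are assumptions for the example), and each function maps to one of the GAS capabilities named in the tutorial.

```python
"""Generalized-audit-software style checks over a constructed transaction
extract. Added illustration; not the code of IDEA, ACL or any product."""
import csv
import io
from collections import Counter

# Constructed sample extract (not real data). 'seq' should be contiguous,
# 'txn_id' should be unique, 'approved' is the control attribute.
SAMPLE_EXTRACT = """seq,txn_id,user,amount,approved
1001,T-0001,alice,120.00,Y
1002,T-0002,bob,4800.00,Y
1003,T-0003,alice,75.50,N
1004,T-0002,bob,4800.00,Y
1006,T-0005,carol,15000.00,Y
1007,T-0006,bob,9999.99,N
1010,T-0007,dave,12.00,Y
"""


def load_extract(text):
    """File access: read a flat-file extract into typed records."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["seq"] = int(row["seq"])
        row["amount"] = float(row["amount"])
        rows.append(row)
    return rows


def find_duplicates(rows, key="txn_id"):
    """Duplicate test: key values that appear more than once."""
    counts = Counter(r[key] for r in rows)
    return sorted(k for k, c in counts.items() if c > 1)


def find_sequence_gaps(rows, field="seq"):
    """Gap test: numbers missing from a field that should be contiguous."""
    present = set(r[field] for r in rows)
    return [n for n in range(min(present), max(present) + 1) if n not in present]


def select(rows, predicate):
    """Data selection: apply a global filter condition to every record."""
    return [r for r in rows if predicate(r)]


def stratify(rows, bands):
    """Statistical function: count records per amount band; bands are
    ascending upper limits, with a final open-ended band above the last."""
    labels = [f"<= {b}" for b in bands] + [f"> {bands[-1]}"]
    counts = {label: 0 for label in labels}
    for r in rows:
        for b, label in zip(bands, labels):
            if r["amount"] <= b:
                counts[label] += 1
                break
        else:
            counts[labels[-1]] += 1
    return counts


def frequency(rows, field):
    """Statistical function: frequency analysis of one field."""
    return dict(Counter(r[field] for r in rows))


def control_total(rows):
    """Arithmetical function: sum of amounts, rounded to cents, for
    reconciliation against the system's own control total."""
    return round(sum(r["amount"] for r in rows), 2)


def run_checks(text):
    """Run the audit tests over an extract and return the exceptions found."""
    rows = load_extract(text)
    # Assumed selection rule for the example: unapproved items of 5000 or more.
    large_unapproved = select(rows, lambda r: r["approved"] == "N" and r["amount"] >= 5000)
    return {
        "duplicates": find_duplicates(rows),
        "gaps": find_sequence_gaps(rows),
        "large_unapproved": [r["txn_id"] for r in large_unapproved],
        "strata": stratify(rows, (1000, 10000)),
        "by_user": frequency(rows, "user"),
        "control_total": control_total(rows),
    }


if __name__ == "__main__":
    for name, result in run_checks(SAMPLE_EXTRACT).items():
        print(f"{name}: {result}")
```

Because the auditor reads the extract directly rather than through the application's own reports, a mismatch between `control_total` and the figure the system prints, or the duplicate id and sequence gaps this extract contains, is evidence obtained independently of the records under review, which is the point the tutorial makes about GAS giving the auditor an independent means of access.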
1.17 Knowledge Statement 1.9
In this topic, we will learn about the concepts under the next knowledge statement, KS 1.9. We will begin with reporting and communicating techniques in the following screens.
Reporting and Communication Techniques
Communication needs to be effective and clear in order to improve the quality of the audit and maximize results. When an argument over the accuracy of the findings ensues between the auditor and the auditee during the presentation of the final IS audit findings report, it works against the audit process and quickly dilutes its value. Let us continue to look at reporting and communication techniques in the following screen.
Reporting and Communicating Techniques (contd.)
Audit findings reported to stakeholders need to have appropriate buy-in from the auditees for the audit process to be successful and value adding. Communication and negotiation skills are required throughout the audit activity, as they determine the effectiveness of the audit reporting process. The main areas covered include communicating audit results and the Information Technology Assurance Framework (ITAF). Let us learn how an auditor can communicate their findings in the following two screens.
Communication of Audit Results
During exit interviews the IS auditor should ensure that the facts presented in the report are accurate, that recommendations are realistic and cost-effective, and that implementation dates for the recommendations are agreed on. Presentation techniques include:
• Executive summary - An easy to read, concise report that presents a summary of the entire report.
• Visual presentation - May include slides or computer graphics.
Let us continue to look at communication of audit results in the following screen.
Communication of Audit Results (contd.)
Before communicating the results of an audit to senior management, the IS auditor should discuss the findings with the management staff of the audited entity.
This is to ensure an agreement is reached for both the findings and the corrective action to be taken. Let us check our knowledge by answering the question in the next slide.
1.22 Summary and Conclusion
This domain outlines the framework for performing IS auditing, specifically including the mandatory requirements regarding the IS auditor's mission and activity, as well as best practices to achieve a favorable IS auditing outcome.
Conclusion
This concludes the domain on the process of auditing information systems. The next domain will focus on governance and management of IT.
1.21 Domain One Exam Quick Pointers
1. The old-fashioned role of an information systems auditor in a control self-assessment is that of an enabler.
2. Using statistical sampling for inventory items is an illustration of a substantive test.
3. The objective of an auditor in a control self-assessment (CSA) is to ensure enhancement.
4. Without adequate authentication and identification on access control, it will be impossible to place accountability for any actions carried out.
5. Information systems auditors are likely to perform compliance tests when the initial evaluation of controls indicates that the control risk is within acceptable limits.
6. It is important to identify areas of high risk when planning for an audit.
7. Previous audit reports should be considered of lesser value to an information systems auditor, when attempting to gain an understanding of the organization's IT process, than evidence directly collected.
8. Audit trails are used to establish responsibility and accountability for transactions.
9. Identification of high risk areas should be the first point of concern when implementing continuous auditing or continuous monitoring systems.
10. A risk-based approach to audit planning should ensure that audit resources are allocated to high risk areas.
11. Inherent risk is linked to authorized program exits such as trap doors.
12. Once an information systems auditor has noted the threats and their impact, the auditor should review the controls that can mitigate them.
13. One of the features of generalized audit software is to check for duplicates, gaps and so on.
14. Statistical sampling helps reduce detection risk.
15. If successful attacks on the network are not reported, the information systems auditor should be concerned.
16. Detection risk arises when the auditor's tests are inadequate and conclude that material errors do not exist when they actually do.
17. The auditor can use an integrated test facility to independently verify computed data.
1.19 Knowledge Statement 1.10
In this topic, we will learn about the concepts under the next knowledge statement, KS 1.10.
Audit Assurance Systems and Frameworks
Auditing standards are the minimum parameters an IS auditor should take into account when performing an audit. These standards assist the IS auditor to understand the impact of the IS environment on traditional auditing practices and techniques, to ensure the audit objective is achieved. Control Self Assessment (CSA) is a process in which an IS auditor can act in the role of facilitator to business process owners, to help them define and assess appropriate controls (taking into consideration the risk appetite of the organization). Process owners are best placed to define appropriate controls, due to their process knowledge. IS auditors help these process owners understand the need for controls based on business risk. The following screen lists the main areas to be covered under this knowledge statement.
Main Areas of Coverage
The areas covered here include:
• Audit programs
• Audit methodology
• Audit objectives
• Evaluation of audit strengths and weaknesses
• Control Self Assessment (CSA)
• Objectives, advantages and disadvantages of CSA
• Auditor's role in CSA
• Using services of other auditors and experts
• Traditional vs CSA approach
We shall look at Control Self Assessment in the next screen.
Control Self Assessment (CSA)
Control Self Assessment is a methodology used to review key business objectives, the risks involved in achieving the business objectives, and the internal controls designed to manage these business risks, in a formal, documented, collaborative process. CSA is a management technique that assures stakeholders, customers and other parties that the internal control system of the organization is reliable. It ensures employees are aware of business risk and that they conduct periodic, proactive reviews of controls.
CSA involves a series of tools on a continuum of sophistication, ranging from simple questionnaires to facilitated workshops. Let us look at the objectives of CSA in the following screen.
Objectives of a CSA
The objectives of a CSA are to:
• Leverage the internal audit function by shifting some of the control monitoring responsibilities to the functional areas
• Ensure line managers are in charge of monitoring controls
• Educate management on control design and monitoring
COBIT provides guidance on the development of a CSA. Let us look at the benefits of Control Self Assessment in the next screen.
Benefits of a CSA
Some of the benefits of CSA include:
• Early detection of risk
• More effective and improved internal controls
• Creation of cohesive teams through employee involvement
• A sense of ownership of controls in employees and process owners
• Improved audit rating process
• Reduction in control cost
• Increased communication between operations and top management
• Highly motivated employees
• Assurance provided to stakeholders and customers
Let us look at the disadvantages of a CSA and the role of an auditor in CSA in the following screen.
CSA Disadvantages and Role of Auditor
CSA potentially has several disadvantages, which include:
• It could be mistaken as a replacement for the audit function
• It may be taken as additional workload (e.g. writing reports to management)
• Failure to act on improvement suggestions could damage employee morale
• Lack of motivation may limit effectiveness in the detection of weak controls
Auditor's role in CSA
When an audit department establishes a CSA program, auditors become internal control professionals and assessment facilitators (the management staff, not the auditors, are the ones participating in the CSA process). We shall look at the traditional audit approach versus the Control Self Assessment approach in the next screen.
Traditional Vs CSA Approach
The traditional approach can be summarized as any approach in which the primary responsibility for analyzing and reporting on internal control and risk is assigned to auditors and, to a lesser extent, controller departments and outside consultants. The table on the slide lists the other differences between traditional and CSA approaches. You will now attempt a question to test your knowledge of this domain.