CISA : Chapter #1 The Information Systems Audit Process

Upload: beverly-warner

Post on 22-Dec-2015


The Information Systems Audit Process

Definitions : Control

The policies, procedures, practices and organizational structures designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented or detected and corrected.

Definitions : IT Control Objective

A statement of the desired result or purpose to be achieved by implementing control procedures in a particular IT activity.

Definitions : IT Governance

A structure of relationships and processes to direct and control the enterprise in order to achieve the enterprise's goals by adding value while balancing risk versus return over IT and its processes.

Definitions : IT Framework

A successful organization is built on a solid framework of data and information. The Framework explains how IT processes deliver the information that the business needs to achieve its objectives. This delivery is controlled through 34 high-level control objectives, one for each IT process, contained in the four domains. The Framework identifies which of the seven information criteria (effectiveness, efficiency, confidentiality, integrity, availability, compliance and reliability), as well as which IT resources (people, applications, technology, facilities and data), are important for the IT processes to fully support the business objectives.

Definitions : Audit Mission

In the light of Management Objectives, a well-documented Audit Charter defining the overall Authority, Scope and Responsibility of the Audit function, approved by Top Management.

• Risk Assessment
• Familiarity with the Business Regulatory Environment

Risk Analysis : Risk Elements

Risk: The potential that a given threat will exploit vulnerabilities of an asset or group of assets to cause loss or damage to the assets. The impact or relative severity of the risk is proportional to the business value of the loss/damage and to the estimated frequency of the threat.

Risk elements: Threat, Impact, Frequency

Risk Analysis : Business Risk

Business risks are those threats that may impact the assets, processes or objectives of a specific business organization. The nature of these threats may be:

• Financial
• Regulatory
• Operational
• Or may arise as a result of the interaction of the business with its environment
• Or may arise as a result of the strategies, systems and particular technology, process, procedure and information system used by the business

Control Classification

Internal Control: Policies, procedures, practices and organizational structure put into place to reduce risks.

1. Preventive
2. Detective
3. Corrective

Control Classification (continued)

Internal Control Objectives

Internal control objectives are statements of the desired result or purpose to be achieved by implementing control procedures in a particular activity.

• Internal Accounting Controls
• Operational Controls
• Administrative Controls

Internal Control Objectives include :

1. Safeguard of information technology assets
2. Compliance to corporate policies or legal requirements
3. Authorization/Input
4. Accuracy and completeness of processing of transactions
5. Output
6. Reliability of process
7. Backup / Recovery
8. Efficiency and economy of operation

IS Control Objectives include :

1. Safeguard Assets
2. Integrity of general operations
3. Integrity of sensitive and critical application systems through:
   • Authorization
   • Accuracy
   • Reliability
   • Completeness and security of Output
   • Database Integrity
4. Efficiency & Effectiveness
5. Compliance
6. Continuity & Disaster Recovery Plan
7. Incident Response and Handling Plan

IS Systems Control Procedures include :

1. Strategy and Direction
2. General Organization and management
3. Access to data and programs
4. System development methodologies and change control
5. Data Processing operations
6. Systems programming and technical support functions
7. Data Processing and quality assurance procedures
8. Physical access controls
9. Business continuity/Disaster recovery planning
10. Networks and communications
11. Data Administration

Classification of Audits :

1. Financial Audit
2. Operational Audit
3. Integrated Audit
4. Administrative Audits
5. Information System Audits
6. Special Audit (3rd Party & Forensic – Frauds and crimes)

An Information System Audit :

“Any Audit that encompasses review and evaluation of automated information processing, related non-automated processes and the interfaces between them.”

Audit Procedures :

1. Understanding of the Audit area/subject
2. Risk Assessment
3. Detailed audit planning
4. Preliminary review of Audit area/subject
5. Evaluating Audit area/subject
6. Compliance Testing (often tests of controls)
7. Substantive testing
8. Reporting
9. Follow-up

Audit Risk :

Risk that the information/financial report may contain material error that may go undetected during the course of the Audit.

Categories of Audit Risk :

1. Inherent Risk
2. Control Risk
3. Detection Risk
4. Overall Audit Risk

Risk Assessment Techniques :

These techniques may be computerized or non-computerized, scoring and judgment based upon business knowledge, executive management directives, historical perspective, business goals and environmental factors.

Compliance Testing :

A compliance test determines if controls are being applied in a manner that complies with management policies and procedures.

Substantive Testing :

A substantive test substantiates the integrity of actual processing.

Risk Based Audit Approach

Evidence :

Evidence is any information used by the auditors to determine whether the entity or data being audited follows the established audit criteria or objectives.

Evidence should be sufficient, relevant and competent.

Reliability of Evidence :

• Independence of the provider
• Qualification of the provider
• Objectivity of the evidence
• Timing of the evidence

Evidence Gathering Techniques :

• Reviewing IS organization structures
• Reviewing IS Policies
• Reviewing IS Standards
• Reviewing IS documentation
• Interviewing appropriate personnel
• Observing processes and employee performance

Computer Assisted Audit Techniques :

Generalized Audit Software, Utility Software, test data, application software tracing and mapping, and expert systems.

These tools can be used for:

• Tests of details of transactions and balances
• Analytical review procedures
• Compliance tests of IS general controls
• Compliance tests of Application controls
• Penetration and OS vulnerabilities

CAATs Advantages :

• Reduced level of Audit Risk
• Greater independence from the auditee
• Broader and more consistent audit coverage
• Faster availability of information
• Improved exception identification
• Greater flexibility of run times
• Greater opportunity to quantify internal control weakness
• Enhanced sampling
• Cost saving over time

Evaluation of Strengths and Weaknesses of Audit :

• Judgment
• Control Matrix (ranking): columns are known types of errors, rows are known controls
• Compensating/Overlapping Controls
• Totality of Controls
• Supporting evidence
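The control matrix described above, worked through in code as an added example (not from the original deck): rows are known controls with their preventive/detective/corrective classification, columns are known error types, and each cell ranks how strongly the control addresses the error. From it the evaluation reads off the strongest control per error, whether compensating/overlapping controls exist, the totality of controls, and weaknesses. All control names, error types and rankings are constructed sample data.

```python
# Control matrix (ranking): rows = known controls, columns = known error
# types, cell = strength 0..3 (0 = control does not address that error).
# Added example with constructed sample data, not from the original slides.
from dataclasses import dataclass
from typing import Dict, List

@dataclass(frozen=True)
class Control:
    name: str
    kind: str                # preventive | detective | corrective
    ranking: Dict[str, int]  # error type -> strength 0..3

ERROR_TYPES = ["unauthorized input", "duplicate transaction",
               "calculation error", "lost output", "unrecorded transaction"]

CONTROLS = [  # constructed sample controls
    Control("Input authorization", "preventive",
            {"unauthorized input": 3, "duplicate transaction": 1}),
    Control("Sequence check", "preventive", {"duplicate transaction": 3}),
    Control("Batch total reconciliation", "detective",
            {"duplicate transaction": 2, "calculation error": 2, "lost output": 1}),
    Control("Exception report review", "detective",
            {"unauthorized input": 1, "calculation error": 1}),
    Control("Correction and re-run procedure", "corrective",
            {"calculation error": 1}),
]

def matrix(controls: List[Control], error_types: List[str]) -> List[List[int]]:
    """One row per control, one column per error type, cell = ranking."""
    return [[c.ranking.get(e, 0) for e in error_types] for c in controls]

def evaluate(controls: List[Control], error_types: List[str],
             threshold: int = 2) -> Dict[str, dict]:
    """Per error type: strongest control, compensation, totality, weakness."""
    out = {}
    for err in error_types:
        # Controls that address this error, strongest first.
        covering = sorted(((c.ranking.get(err, 0), c) for c in controls
                           if c.ranking.get(err, 0) > 0),
                          key=lambda sc: sc[0], reverse=True)
        totality = sum(s for s, _ in covering)  # "totality of controls"
        out[err] = {
            "strongest": covering[0][1].name if covering else None,
            "compensating": len(covering) > 1,  # overlapping controls present
            "has_preventive": any(c.kind == "preventive" for _, c in covering),
            "totality": totality,
            "weakness": totality < threshold,   # candidate control weakness
        }
    return out

def uncovered(controls: List[Control], error_types: List[str]) -> List[str]:
    """Error types no control addresses at all (a column of zeros)."""
    return [e for e, a in evaluate(controls, error_types).items()
            if a["totality"] == 0]
```

With the sample data, "calculation error" is covered only by detective and corrective controls (no preventive control), "lost output" falls below the weakness threshold, and "unrecorded transaction" has no control at all.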

Control Self-Assessment (CSA) :

• Control Self-Assessment can be defined as a “management technique that assures stakeholders, customers and other parties that the internal control system of the organization is reliable.”
• It also ensures that employees are aware of the risks to the business and that they conduct periodic, proactive reviews of controls.

Control Self-Assessment (CSA) :

Tools used in this context:

• Simple questionnaires
• Facilitated Workshops
• Management Meetings
• Client Workshops
• Worksheets
• Rating sheets

Objectives of CSA :

• Leverage the internal audit function by shifting some of the control monitoring responsibilities to the functional areas
• Auditees such as line managers are responsible for controls in their environment; the manager should also be responsible for monitoring the controls
• CSA programs also educate managers about control design and monitoring
