module-1 (the process of auditing information systems-t)
TRANSCRIPT
-
8/12/2019 Module-1 (the Process of Auditing Information Systems-T)
1/61
Mohammad Tohidur Rahman Bhuiyan, CGEIT, CISA, A+, MCSD, ISMS, CSCF

The Process of Auditing Information Systems
Out of 05 domains, it covers 14%.
Introduction
Course Agenda
Learning Objectives
Discuss Task and Knowledge Statements
Discuss specific topics within the chapter
Case studies (individual practice following the CRM)
Sample questions (individual practice following the CRM)

Exam Relevance
Ensure that the CISA candidate can provide audit services in accordance with IT audit standards to assist the organization in protecting and controlling information systems.
The content area in this chapter will represent approximately 14% of the CISA examination (approximately 28 questions).
(CRM Pages: XX)
Up to 2010 / From 2011
Task & Knowledge Statements
Task and knowledge statements represent the basis from which exam items are written.
Tasks: Tasks are the learning objectives that IS auditors/CISA candidates are expected to know to perform their job duties.
Knowledge statements: In order to perform all of the tasks, the IS auditor/CISA candidate should have a firm grasp of all the knowledge statements contained within the CISA Review Manual Chapter 1.

Tasks / Objectives
Process Area Tasks
Five Tasks:
1.1 Develop and implement a risk-based IT audit strategy in compliance with IT audit standards to ensure that key areas are included.
1.2 Plan specific audits to determine whether information systems are protected, controlled and provide value to the organization.
1.3 Conduct audits in accordance with IS audit standards, guidelines and best practices to meet planned audit objectives.
1.4 Communicate emerging issues, potential risks, and audit results to key stakeholders.
1.5 Advise on the implementation of risk management and control practices within the organization, while maintaining independence.
Knowledge Statements
Process Area Knowledge Statements
Ten Knowledge Statements:
1.1 Knowledge of ISACA IT Audit and Assurance Standards, Guidelines and Tools and Techniques, Code of Professional Ethics and other applicable standards
1.2 Knowledge of risk assessment concepts, tools and techniques in an audit context
1.3 Knowledge of control objectives and controls related to information systems
1.4 Knowledge of audit planning and audit project management techniques, including follow-up
1.5 Knowledge of fundamental business processes (e.g., purchasing, payroll, accounts payable, accounts receivable) including relevant IT

Process Area Knowledge Statements (contd.)
1.6 Knowledge of applicable laws and regulations which affect the scope, evidence collection and preservation, and frequency of audits
1.7 Knowledge of evidence collection techniques (e.g., observation, inquiry, inspection, interview, data analysis) used to gather, protect and preserve audit evidence
1.8 Knowledge of different sampling methodologies
1.9 Knowledge of reporting and communication techniques (e.g., facilitation, negotiation, conflict resolution, audit report structure)
1.10 Knowledge of audit quality assurance systems and frameworks
Organization of IS Audit Function
Audit charter (or engagement letter)
  Stating management's responsibility and objectives for, and delegation of authority to, the IS audit function
  Outlining the overall authority, scope and responsibilities of the audit function
Approval of the audit charter
Change in the audit charter

Audit Planning
Audit planning
  Short-term planning
  Long-term planning
Things to consider
  New control issues
  Changing technologies
  Changing business processes
  Enhanced evaluation techniques
Individual audit planning
  Understanding of overall environment
  Business practices and functions
  Information systems and technology
Audit Planning
Audit Planning Steps
1. Gain an understanding of the business's mission, objectives, purpose and processes.
2. Identify stated contents (policies, standards, guidelines, procedures, and organization structure).
3. Evaluate risk assessment and privacy impact analysis.
4. Perform a risk analysis.
5. Conduct an internal control review.
6. Set the audit scope and audit objectives.
7. Develop the audit approach or audit strategy.
8. Assign personnel resources to the audit and address engagement logistics.

Effect of Laws and Regulations
Regulatory requirements
  Establishment
  Organization
  Responsibilities
  Correlation to financial, operational and IT audit functions
Effect of Laws and Regulations (continued)
Steps to determine compliance with external requirements:
Identify external requirements
Document pertinent laws and regulations
Assess whether management and the IS function have considered the relevant external requirements
Review internal IS department documents that address adherence to applicable laws
Determine adherence to established procedures

ISACA IS Auditing Standards and Guidelines
Framework for the ISACA IS Auditing Standards as of 1 March 2010
Standards (16)
Guidelines 41 (G19 is cancelled)
Procedures (11)
Definition: Standards, Guidelines & Procedures
Standards define mandatory requirements for IT audit and assurance.
Guidelines provide guidance in applying IT Audit and Assurance Standards. The objective of the IT Audit and Assurance Guidelines is to provide further information on how to comply with the IT Audit and Assurance Standards.
Procedures / Tools and Techniques provide examples of procedures an IT audit and assurance professional might follow. The objective of the IT Audit and Assurance Tools and Techniques is to provide further information on how to comply with the IT Audit and Assurance Standards.

ISACA IS Auditing Standards and Guidelines
IS Auditing Standards: 16
1. Audit charter
2. Independence
3. Professional Ethics and Standards
4. Competence
5. Planning
6. Performance of audit work
7. Reporting
8. Follow-up activities
9. Irregularities and illegal acts
10. IT governance
11. Use of risk assessment in audit planning
12. Audit Materiality
13. Using the Work of Other Experts
14. Audit Evidence
15. IT Controls
16. E-commerce
ISACA IS Auditing Standards and Guidelines (continued)
IS Auditing Guidelines: 41 (42 - 1 = 41, G19 is cancelled)
G1 Using the Work of Other Auditors
G2 Audit Evidence Requirement
G3 Use of Computer Assisted Audit Techniques (CAATs)
G4 Outsourcing of IS Activities to Other Organizations
G5 Audit Charter
G6 Materiality Concepts for Auditing Information Systems
G7 Due Professional Care
G8 Audit Documentation
G9 Audit Considerations for Irregularities and Illegal Acts
G10 Audit Sampling
G11 Effect of Pervasive IS Controls
G12 Organizational Relationship and Independence
G13 Use of Risk Assessment in Audit Planning
G14 Application Systems Review
G15 Audit Planning Revised

ISACA IS Auditing Standards and Guidelines (continued)
G16 Effect of Third Parties on an Organization's IT Controls
G17 Effect of Non-audit Role on the IT Audit and Assurance Professional's Independence
G18 IT Governance
G19 Irregularities and Illegal Acts (1 July 2002; withdrawn 1 September 2008)
G20 Reporting
G21 Enterprise Resource Planning (ERP) Systems Review
G22 Business-to-consumer (B2C) E-commerce Review
G23 System Development Life Cycle (SDLC) Reviews
G24 Internet Banking
G25 Review of Virtual Private Networks
G26 Business Process Reengineering (BPR) Project Reviews
G27 Mobile Computing
G28 Computer Forensics
G29 Post-implementation Review
G30 Competence
ISACA IS Auditing Standards and Guidelines (continued)
G31 Privacy
G32 Business Continuity Plan (BCP) Review From IT Perspective
G33 General Considerations on the Use of the Internet
G34 Responsibility, Authority and Accountability
G35 Follow-up Activities
G36 Biometric Controls
G37 Configuration Management Process
G38 Access Controls
G39 IT Organization
G40 Review of Security Management Practices
G41 Return on Security Investment (ROSI)
G42 Continuous Assurance
IT Risk Assessment Quadrants
(Figure: Example Risk Level Assignment. Sensitivity Rating (0% to 100%) is plotted against Vulnerability Assessment Rating (0% to 100%), each axis split at 50%, giving four quadrants.)
Quadrant I (High Risk). Suggested Action(s): Mitigate
Quadrant II (Medium Risk). Suggested Action(s): Accept, Mitigate, Transfer
Quadrant III (Medium Risk). Suggested Action(s): Accept, Mitigate, Transfer
Quadrant IV (Low Risk). Suggested Action(s): Accept
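The quadrant model above applied to an audit universe, as an added example in Python (not code from the slide deck): each system's two ratings are mapped to a quadrant and the inventory is ordered for a risk-based audit plan. The 50% split, the placement of Quadrants II and III on the axes, and the system inventory are assumptions, since the slide gives only the labels and suggested actions.

```python
"""IT risk assessment quadrants applied to an audit universe.

Added example, not code from the slide deck: implements the quadrant model
(Sensitivity Rating vs. Vulnerability Assessment Rating, both 0-100%) and
uses it to order a constructed inventory of systems for a risk-based plan.

Assumptions not stated on the slide: ratings of 50% or more count as "high"
on either axis; Quadrant II is high sensitivity / low vulnerability and
Quadrant III is low sensitivity / high vulnerability.
"""
from dataclasses import dataclass

THRESHOLD = 50.0  # assumption: both axes are split at 50%

# quadrant -> (risk level, suggested actions), as listed on the slide
QUADRANTS = {
    "I":   ("High Risk",   ("Mitigate",)),
    "II":  ("Medium Risk", ("Accept", "Mitigate", "Transfer")),
    "III": ("Medium Risk", ("Accept", "Mitigate", "Transfer")),
    "IV":  ("Low Risk",    ("Accept",)),
}
# audit priority: high first, both medium quadrants treated equally, low last
PRIORITY = {"I": 0, "II": 1, "III": 1, "IV": 2}


@dataclass(frozen=True)
class SystemRating:
    name: str
    sensitivity: float    # Sensitivity Rating, percent
    vulnerability: float  # Vulnerability Assessment Rating, percent


def assign_quadrant(sensitivity, vulnerability):
    """Map one (sensitivity, vulnerability) pair to a quadrant label."""
    for value in (sensitivity, vulnerability):
        if not 0.0 <= value <= 100.0:
            raise ValueError(f"rating {value!r} must be a percentage in 0..100")
    high_sens = sensitivity >= THRESHOLD
    high_vuln = vulnerability >= THRESHOLD
    if high_sens and high_vuln:
        return "I"
    if high_sens:
        return "II"   # assumption: sensitive data, few exposed weaknesses
    if high_vuln:
        return "III"  # assumption: many weaknesses, low-sensitivity data
    return "IV"


def risk_score(sensitivity, vulnerability):
    """Product of the two ratings (0..1); only used to break ties inside a quadrant."""
    return (sensitivity / 100.0) * (vulnerability / 100.0)


def prioritise(systems):
    """Return (name, quadrant, risk level, suggested actions) tuples, highest
    audit priority first: Quadrant I, then II and III, then IV."""
    def key(s):
        q = assign_quadrant(s.sensitivity, s.vulnerability)
        return (PRIORITY[q], -risk_score(s.sensitivity, s.vulnerability), s.name)

    ranked = []
    for s in sorted(systems, key=key):
        q = assign_quadrant(s.sensitivity, s.vulnerability)
        level, actions = QUADRANTS[q]
        ranked.append((s.name, q, level, actions))
    return ranked


# constructed audit universe with illustrative ratings
AUDIT_UNIVERSE = [
    SystemRating("payroll", 90, 70),
    SystemRating("public-website", 20, 80),
    SystemRating("hr-records", 85, 30),
    SystemRating("intranet-wiki", 30, 25),
    SystemRating("core-banking", 95, 55),
]

if __name__ == "__main__":
    for name, q, level, actions in prioritise(AUDIT_UNIVERSE):
        print(f"{name:15} Quadrant {q:3} {level:12} -> {', '.join(actions)}")
```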
ISACA IS Auditing Standards and Guidelines
ISACA Auditing Procedures
Procedures developed by the ISACA Standards Board provide examples.
The IS auditor should apply their own professional judgment to the specific circumstances.
(Index of Procedures)
Internal Control
Internal Controls
Policies, procedures, practices and organizational structures implemented to reduce risks

Internal Control (continued)
Components of Internal Control System
Internal accounting controls
Operational controls
Administrative controls
Internal Control (continued)
Internal Control Objectives
Safeguarding of information technology assets
Compliance to corporate policies or legal requirements
Authorization/input
Accuracy and completeness of processing of transactions
Output
Reliability of process
Backup/recovery
Efficiency and economy of operations

Internal Control (continued)
Classification of Internal Controls
Preventive controls
Detective controls
Corrective controls
Internal Control (continued)
IS Control Objectives
Control objectives in an information systems environment remain unchanged from those of a manual environment. However, control features may be different. The internal control objectives thus need to be addressed in a manner specific to IS-related processes.

Internal Control (continued)
IS Control Objectives (contd.)
Safeguarding assets
Assuring the integrity of general operating system environments
Assuring the integrity of sensitive and critical application system environments through:
  Authorization of the input
  Accuracy and completeness of processing of transactions
  Reliability of overall information processing activities
  Accuracy, completeness and security of the output
  Database integrity
Internal Control (continued)
IS Control Objectives (contd.)
Ensuring the efficiency and effectiveness of operations
Complying with requirements, policies and procedures, and applicable laws
Developing business continuity and disaster recovery plans
Developing an incident response plan

Internal Control (continued)
IS Control Objectives (contd.)
COBIT
A framework with 34 high-level control objectives:
  Planning and organization
  Acquisition and implementation
  Delivery and support
  Monitoring and evaluation
Use of 36 major IT-related standards and regulations
Internal Control (continued)
General Control Procedures
Apply to all areas of an organization and include policies and practices established by management to provide reasonable assurance that specific objectives will be achieved.

Internal Control (continued)
General Control Procedures (continued)
Internal accounting controls directed at accounting operations
Operational controls concerned with the day-to-day operations
Administrative controls concerned with operational efficiency and adherence to management policies
Organizational logical security policies and procedures
Overall policies for the design and use of documents and records
Procedures and features to ensure authorized access to assets
Physical security policies for all data centers
Internal Control (continued)
IS Control Procedures
Strategy and direction
General organization and management
Access to data and programs
Systems development methodologies and change control
Data processing operations
Systems programming and technical support functions
Data processing quality assurance procedures
Physical access controls
Business continuity/disaster recovery planning
Networks and communications
Database administration
Definition of Auditing
Systematic process by which a competent, independent person objectively obtains and evaluates evidence regarding assertions about an economic entity or event for the purpose of forming an opinion about and reporting on the degree to which the assertion conforms to an identified set of standards.

Definition of IS Auditing
Any audit that encompasses review and evaluation (wholly or partly) of automated information processing systems, related non-automated processes and the interfaces between them.
Classification of audits:
Financial audits
Operational audits
Integrated audits
Administrative audits
Information systems audits
Specialized audits
Forensic audits

Audit Programs
Based on the scope and the objective of the particular assignment
IS auditor's perspectives:
  Security (confidentiality, integrity and availability)
  Quality (effectiveness, efficiency)
  Fiduciary (compliance, reliability)
  Service and Capacity
General audit procedures
Understanding of the audit area/subject
Risk assessment and general audit plan
Detailed audit planning
Preliminary review of audit area/subject
Evaluating audit area/subject
Compliance testing
Substantive testing
Reporting (communicating results)
Follow-up

Procedures for testing & evaluating IS controls
Use of generalized audit software to survey the contents of data files
Use of specialized software to assess the contents of operating system parameter files
Flowcharting techniques for documenting automated applications and business processes
Use of audit reports available in operating systems
Documentation review
Observation
Audit Methodology
A set of documented audit procedures designed to achieve planned audit objectives
Composed of:
  Statement of scope
  Statement of audit objectives
  Statement of work programs
Set up and approved by the audit management
Communicated to all audit staff

Typical audit phases
1. Audit subject
  Identify the area to be audited
2. Audit objective
  Identify the purpose of the audit
3. Audit scope
  Identify the specific systems, function or unit of the organization
Typical audit phases (contd.)
4. Pre-audit planning
  Identify technical skills and resources needed
  Identify the sources of information for test or review
  Identify locations or facilities to be audited

Typical audit phases (contd.)
5. Audit procedures and steps for data gathering
  Identify and select the audit approach
  Identify a list of individuals to interview
  Identify and obtain departmental policies, standards and guidelines
  Develop audit tools and methodology
Typical audit phases (contd.)
6. Procedures for evaluating test/review results
7. Procedures for communication
8. Audit report preparation
  Identify follow-up review procedures
  Identify procedures to evaluate/test operational efficiency and effectiveness
  Identify procedures to test controls
  Review and evaluate the soundness of documents, policies and procedures

Typical Audit Phases Summary
Identify:
  the area to be audited
  the purpose of the audit
  the specific systems, function or unit of the organization to be included in the review
  technical skills and resources needed
  the sources of information for tests or review, such as functional flowcharts, policies, standards, procedures and prior audit work papers
  locations or facilities to be audited
Select the audit approach to verify and test the controls
Identify the list of individuals to interview
Obtain departmental policies, standards and guidelines for review
Develop:
  audit tools and methodology to test and verify controls
  procedures for evaluating the test or review results
  procedures for communication with management
Identify:
  follow-up review procedures
  procedures to evaluate/test operational efficiency and effectiveness
  procedures to test controls
Review and evaluate the soundness of documents, policies and procedures
Work Papers (WPs)
What are documented in WPs?
Audit plans
Audit programs
Audit activities
Audit tests
Audit findings and incidents

Work Papers (contd.)
Do not have to be on paper
Must be:
  Dated
  Initialized
  Page numbered
  Relevant
  Complete
  Clear
  Self-contained and properly labeled
  Filed and kept in custody
Fraud Detection
Management's responsibility
Benefits of a well-designed internal control system:
  Deterring frauds at the first instance
  Detecting frauds in a timely manner
Fraud detection and disclosure
Auditor's role in fraud prevention and detection

Audit Risk
Audit risk is the risk that the information/financial report may contain material error that may go undetected during the audit.
A risk-based audit approach is used to assess risk and assist with an IS auditor's decision to perform either compliance or substantive testing.
Audit Risks
Inherent risk
Control risk
Detection risk
Overall audit risk

Risk-based Approach Overview
Gather Information and Plan
Obtain Understanding of Internal Control
Perform Compliance Tests
Perform Substantive Tests
Conclude the Audit
Materiality
An auditing concept regarding the importance of an item of information with regard to its impact or effect on the functioning of the entity being audited

Risk Assessment Techniques
Enables management to effectively allocate limited audit resources
Ensures that relevant information has been obtained
Establishes a basis for effectively managing the audit department
Provides a summary of how the individual audit subject is related to the overall organization and to business plans
Audit Objectives
The specific goals of the audit:
Compliance with legal & regulatory requirements
Confidentiality
Integrity
Reliability
Availability

Compliance vs. Substantive Testing
Compliance test: determines whether controls are in compliance with management policies and procedures
Substantive test: tests the integrity of actual processing
Correlation between the level of internal controls and the substantive testing required
Relationship between compliance and substantive tests
Evidence
It is a requirement that the auditor's conclusions must be based on sufficient, competent evidence.
Independence of the provider of the evidence
Qualification of the individual providing the information or evidence
Objectivity of the evidence
Timing of evidence

Techniques for gathering evidence:
Review IS organization structures
Review IS policies and procedures
Review IS standards
Review IS documentation
Interview appropriate personnel
Observe processes and employee performance
Interviewing and Observing Personnel
Actual functions
Actual processes/procedures
Security awareness
Reporting relationships

Sampling
General approaches to audit sampling:
  Statistical sampling
  Nonstatistical sampling
Methods of sampling used by auditors:
  Attribute sampling
  Variable sampling
Sampling (continued)
Attribute sampling
  Stop-or-go sampling
  Discovery sampling
Variable sampling
  Stratified mean per unit
  Unstratified mean per unit
  Difference estimation

Sampling (continued)
Statistical sampling terms:
Confidence coefficient
Level of risk
Precision
Expected error rate
Sample mean
Sample standard deviation
Tolerable error rate
Population standard deviation
Key steps in choosing a sample
Determine the objectives of the test
Define the population to be sampled
Determine the sampling method, such as attribute versus variable sampling
Calculate the sample size
Select the sample
Evaluate the sample from an audit perspective
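The six steps above carried through end to end in Python, as an added example (not code from the slide deck), using the attribute and variable sampling methods and the compliance vs. substantive distinction from the earlier slides: attribute sampling for a compliance test of change-ticket approvals, and unstratified mean-per-unit variable sampling for a substantive test of an invoice total. The sample-size formula (the zero-expected-error, discovery form of attribute sampling), the 95% confidence and 5% tolerable error rate, and both populations are assumptions constructed for illustration.

```python
"""Audit sampling as an added worked example (not code from the slide deck).

Attribute sampling supports a compliance test ("was each change ticket
approved before implementation?"); unstratified mean-per-unit variable
sampling supports a substantive test ("is the recorded total of invoice
amounts materially correct?").  Both populations below are constructed.
The sample-size formula is the zero-expected-error (discovery) form of
attribute sampling, an assumption since the slides give no formula.
"""
import math
import random
import statistics


# ----- attribute sampling: compliance test -----

def attribute_sample_size(confidence, tolerable_error_rate):
    """Smallest n such that, if the true deviation rate equalled the tolerable
    rate, the sample would contain at least one deviation with probability
    >= confidence:  n = ln(1 - confidence) / ln(1 - tolerable_error_rate)."""
    if not (0 < confidence < 1 and 0 < tolerable_error_rate < 1):
        raise ValueError("confidence and tolerable error rate must lie in (0, 1)")
    return math.ceil(math.log(1 - confidence) / math.log(1 - tolerable_error_rate))


def select_sample(population, n, seed):
    """Random selection without replacement; the seed is recorded in the work
    papers so the selection can be reproduced at follow-up."""
    return random.Random(seed).sample(population, n)


def evaluate_attribute_sample(sample, is_deviation):
    """Return (deviation count, sample deviation rate, rely_on_control).
    With an expected error rate of zero, any deviation means the control
    cannot be relied upon at the planned confidence: extend testing or fall
    back to substantive procedures."""
    deviations = sum(1 for item in sample if is_deviation(item))
    return deviations, deviations / len(sample), deviations == 0


# ----- variable sampling: substantive test (unstratified mean-per-unit) -----

def mean_per_unit_estimate(sample_values, population_size, confidence_coefficient):
    """Estimated population total = N * sample mean; precision (half-width of
    the interval) = z * N * sample standard deviation / sqrt(n)."""
    n = len(sample_values)
    if n < 2:
        raise ValueError("need at least two sampled values for a standard deviation")
    estimate = population_size * statistics.fmean(sample_values)
    precision = (confidence_coefficient * population_size
                 * statistics.stdev(sample_values) / math.sqrt(n))
    return estimate, precision


def recorded_total_accepted(recorded_total, estimate, precision):
    """The book value passes the substantive test if it lies inside the
    estimate's precision interval; otherwise the difference is a finding."""
    return abs(recorded_total - estimate) <= precision


# ----- the key steps from the slide, run on constructed data -----

def run_example(seed=2019):
    # 1. objective: confirm change tickets are approved (compliance test)
    # 2. population: 400 constructed tickets, every 50th one unapproved
    tickets = [{"id": i, "approved": i % 50 != 0} for i in range(1, 401)]
    # 3. method: attribute sampling; 4. size at 95% confidence, 5% tolerable
    n = attribute_sample_size(0.95, 0.05)
    # 5. select the sample; 6. evaluate it from an audit perspective
    sample = select_sample(tickets, n, seed)
    deviations, rate, rely = evaluate_attribute_sample(sample, lambda t: not t["approved"])

    # substantive test on a constructed ledger of 1,000 invoice amounts
    invoices = [80.0 + (i * 37) % 41 for i in range(1000)]
    recorded_total = sum(invoices)
    amounts = select_sample(invoices, 60, seed)
    estimate, precision = mean_per_unit_estimate(amounts, len(invoices), 1.96)
    accepted = recorded_total_accepted(recorded_total, estimate, precision)
    return {"attribute_n": n, "deviations": deviations, "deviation_rate": rate,
            "rely_on_control": rely, "recorded_total": recorded_total,
            "estimate": estimate, "precision": precision,
            "book_value_accepted": accepted}


if __name__ == "__main__":
    for key, value in run_example().items():
        print(f"{key}: {value}")
```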
Computer Assisted Audit Techniques (contd.)
CAATs enable IS auditors to gather information independently
CAATs include:
  Generalized audit software (GAS)
  Utility software
  Test data
  Application software for continuous online audits
  Audit expert systems
Computer Assisted Audit Techniques (contd.)
Need for CAATs
Evidence collection
Functional capabilities
Functions supported
Areas of concern

Computer Assisted Audit Techniques (contd.)
Examples of CAATs used to collect evidence
CAATs as a continuous online approach
Computer Assisted Audit Techniques (contd.)
Advantages of CAATs
Cost/benefits of CAATs

Computer Assisted Audit Techniques (contd.)
Development of CAATs
Documentation retention
Access to production data
Data manipulation
Evaluation of Strengths and Weaknesses
Assess evidence
Evaluate overall control structure
Evaluate control procedures
Assess control strengths and weaknesses

Judging Materiality of Findings
Materiality is a key issue
Assessment requires judgment of the potential effect of the finding if corrective action is not taken
Communicating Audit Results
Exit interview
  Correct facts
  Realistic recommendations
  Implementation dates for agreed recommendations
Presentation techniques
  Executive summary
  Visual presentation

Audit report structure and contents
An introduction to the report
The IS auditor's overall conclusion and opinion
The IS auditor's reservations with respect to the audit
Detailed audit findings and recommendations
A variety of findings
Limitations to audit
Statement on the IS audit guidelines followed
Management Actions to Implement Recommendations
Auditing is an ongoing process
Timing of follow-up

Audit Documentation
Contents of audit documentation
Custody of audit documentation
Support of findings and conclusions
Constraints on the Conduct of the Audit
Availability of audit staff
Auditee constraints
Project Management Techniques
  Develop a detailed plan
  Report project activity against the plan
  Adjust the plan
  Take corrective action

Control Self-Assessment (CSA)
A management technique
A methodology
In practice, a series of tools
Control Self-Assessment (contd.)
IS Auditor's Role in CSAs
Technology Drivers for CSA Program
Traditional vs. CSA Approach
Emerging Changes in IS Audit Process
New Topics:
Automated Work Papers
Integrated Auditing
Continuous Auditing

Automated Work Papers
Automated Work Papers (contd.)
Risk analysis
Audit programs
Results
Test evidences
Conclusions
Reports and other complementary information

Automated Work Papers (contd.)
Controls over automated work papers:
Access to work papers
Audit trails
Approvals of audit phases
Security and integrity controls
Backup and restoration
Encryption for confidentiality
Integrated Auditing

Integrated Auditing
Process whereby appropriate audit disciplines are combined to assess key internal controls over an operation, process or entity
Focuses on risk to the organization (for an internal auditor)
Focuses on the risk of providing an incorrect or misleading audit opinion (for an external auditor)
Integrated Auditing
Typical process:
Identification of relevant key controls
Review and understanding of the design of key controls
Testing that key controls are supported by the IT system
Testing that management controls operate effectively
A combined report or opinion on control risks, design and weaknesses

Continuous Auditing
Continuous Auditing
Continuous Auditing: A methodology that enables independent auditors to provide written assurance on a subject matter using a series of auditors' reports issued simultaneously with, or a short period of time after, the occurrence of events underlying the subject matter

Continuous Auditing (continued)
Distinctive character
  Short time lapse between the facts to be audited and the collection of evidence and audit reporting
Drivers
  Better monitoring of financial issues
  Allowing real-time transactions to benefit from real-time monitoring
  Preventing financial fiascoes and audit scandals
  Using software to determine proper financial controls
Continuous Auditing vs. Continuous Monitoring
Continuous Monitoring
  Management driven
  Based on automated procedures to meet fiduciary responsibilities
Continuous Auditing
  Audit driven
  Done using automated audit procedures

Continuous Auditing (continued)
Enablers for the Application of Continuous Auditing
New information technology developments
Increased processing capabilities
Standards
Artificial intelligence tools
IT Techniques in a Continuous Auditing Environment
Transaction logging
Query tools
Statistics and data analysis (CAAT)
Database management systems (DBMS)
Data warehouses, data marts, data mining
Artificial intelligence (AI)
Embedded audit modules (EAM)
Neural network technology
Standards such as Extensible Business Reporting Language (XBRL)
Continuous Auditing Prerequisites
A high degree of automation
An automated and reliable information-producing process
Alarm triggers to report control failures
Implementation of automated audit tools
Quickly informing IS auditors of anomalies/errors
Timely issuance of automated audit reports
Technically proficient IS auditors
Availability of reliable sources of evidence
Adherence to materiality guidelines
Change of IS auditors' mindset
Evaluation of cost factors
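An added illustration (not from the slides) of what the embedded audit module and alarm-trigger prerequisites above look like in practice: a small check that scans a transaction log and raises an alarm for every control failure so the IS auditor is informed shortly after the event. The log format, the approval threshold and the business-hours rule are assumptions for the example.

```python
# Added illustration (not from the slides) of an embedded-audit-module style
# check: scan a transaction log and raise alarms on control failures, as a
# continuous auditing trigger would. Log format and thresholds are assumptions.
import csv
import io
from datetime import datetime

# Constructed sample log; assumed columns: id,timestamp,initiator,approver,amount
SAMPLE_LOG = """\
id,timestamp,initiator,approver,amount
1001,2019-08-12T09:15:00,alice,bob,4200.00
1002,2019-08-12T10:02:00,carol,carol,15000.00
1003,2019-08-12T23:40:00,dave,erin,800.00
1004,2019-08-12T11:30:00,alice,,27000.00
"""
APPROVAL_THRESHOLD = 10000.00  # assumed control: above this, an approver is required
BUSINESS_HOURS = range(8, 19)  # assumed control: postings allowed 08:00-18:59 only


def parse_log(text):
    """Parse the CSV log into dicts with typed amount and timestamp fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["amount"] = float(row["amount"])
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
        rows.append(row)
    return rows


def check_transaction(tx):
    """Apply each control rule to one transaction; return the failed rules."""
    failures = []
    if tx["amount"] > APPROVAL_THRESHOLD and not tx["approver"]:
        failures.append("missing_approval")
    if tx["approver"] and tx["approver"] == tx["initiator"]:
        failures.append("segregation_of_duties")  # same person initiated and approved
    if tx["timestamp"].hour not in BUSINESS_HOURS:
        failures.append("outside_business_hours")
    return failures


def run_continuous_audit(text):
    """Return (transaction id, failed rule) alarms for the auditor's exception report."""
    return [(tx["id"], rule) for tx in parse_log(text) for rule in check_transaction(tx)]


if __name__ == "__main__":
    for tx_id, rule in run_continuous_audit(SAMPLE_LOG):
        print(f"ALARM transaction {tx_id}: control failure {rule}")
```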
Continuous Auditing: Advantages and Disadvantages
Advantages
Instant capture of internal control problems
Reduction of intrinsic audit inefficiencies
Disadvantages
Difficulty in implementation
High cost
Elimination of auditors' personal judgment and evaluation
Practice Question
Practice Questions (contd.)
11. Which of the following BEST describes the early stages of an IS audit?
A. Observing key organizational facilities
B. Assessing the IS environment
C. Understanding the business process and environment applicable to the review
D. Reviewing prior IS audit reports
Answer
11C: Understanding the business process and environment applicable to the review is most representative of what occurs early on in the course of an audit. The other choices relate to activities actually occurring within this process.
Practice Questions (contd.)
12. In performing a risk-based audit, which risk assessment is completed initially by the IS auditor?
A. Detection risk assessment
B. Control risk assessment
C. Inherent risk assessment
D. Fraud risk assessment
Answer
12C: Inherent risks exist independently of an audit and can occur because of the nature of the business. To successfully conduct an audit, it is important to be aware of the related business processes. To perform the audit the IS auditor needs to understand the business process, and by understanding the business process, the IS auditor better understands the inherent risks.
Practice Questions (contd.)
13. While developing a risk-based audit program, on which of the following would the IS auditor MOST likely focus?
A. Business processes
B. Critical IT applications
C. Operational controls
D. Business strategies
Answer
13A: A risk-based audit approach focuses on the understanding of the nature of the business and being able to identify and categorize risk. Business risks impact the long-term viability of a specific business. Thus, an IS auditor using a risk-based audit approach must be able to understand business processes.
Practice Questions (contd.)
14. Which of the following types of audit risk assumes an absence of compensating controls in the area being reviewed?
A. Control risk
B. Detection risk
C. Inherent risk
D. Sampling risk
Answer
14C: The risk of an error existing that could be material or significant when combined with other errors encountered during the audit, there being no related compensating controls, is the inherent risk. Control risk is the risk that a material error exists that will not be prevented or detected in a timely manner by the system of internal controls. Detection risk is the risk of an IS auditor using an inadequate test procedure that concludes that material errors do not exist, when they do. Sampling risk is the risk that incorrect assumptions are made about the characteristics of a population from which a sample is taken.
Practice Questions (contd.)
15. An IS auditor performing a review of an application's controls finds a weakness in system software that could materially impact the application. The IS auditor should:
A. disregard these control weaknesses since a system software review is beyond the scope of this review.
B. conduct a detailed system software review and report the control weaknesses.
C. include in the report a statement that the audit was limited to a review of the application's controls.
D. review the system software controls as relevant and recommend a detailed system software review.
Answer
15D: The IS auditor is not expected to ignore control weaknesses just because they are outside the scope of a current review. Further, the conduct of a detailed systems software review may hamper the audit's schedule and the IS auditor may not be technically competent to do such a review at this time. If there are control weaknesses that have been discovered by the IS auditor, they should be disclosed. By issuing a disclaimer, this responsibility would be waived. Hence, the appropriate option would be to review the systems software as relevant to the review and recommend a detailed systems software review for which additional resources may be recommended.
Practice Questions (contd.)
16. The PRIMARY use of generalized audit software (GAS) is to:
A. test controls embedded in programs.
B. test unauthorized access to data.
C. extract data of relevance to the audit.
D. reduce the need for transaction vouching.
Answer
16C: Generalized audit software facilitates direct access to and interrogation of the data by the IS auditor. The most important advantage of using GAS is that it helps in identifying data of interest to the IS auditor. GAS does not involve testing of application software directly. Hence, GAS indirectly helps in testing controls embedded in programs by testing data. GAS cannot identify unauthorized access to data if this information is not stored in the audit log file. However, this information may not always be available. Hence, this is not one of the primary reasons for using GAS. Vouching involves verification of documents. GAS could help in selecting transactions for vouching. Using GAS does not reduce transaction vouching.
Practice Questions (contd.)
18. The FIRST step in planning an audit is to:
A. define audit deliverables.
B. finalize the audit scope and audit objectives.
C. gain an understanding of the business' objectives.
D. develop the audit approach or audit strategy.
Answer
18C: The first step in audit planning is to gain an understanding of the business's mission, objectives and purpose, which in turn identifies the relevant policies, standards, guidelines, procedures, and organization structure. All other choices are dependent upon having a thorough understanding of the business's objectives and purpose.
Practice Questions (contd.)
19. The approach an IS auditor should use to plan IS audit coverage should be based on:
A. risk.
B. materiality.
C. professional skepticism.
D. sufficiency of audit evidence.
Answer
19A: Standard S5, Planning, establishes standards and provides guidance on planning an audit. It requires a risk-based approach.
Practice Questions
110. A company performs a daily backup of critical data and software files, and stores the backup tapes at an offsite location. The backup tapes are used to restore the files in case of a disruption. This is a:
A. preventive control.
B. management control.
C. corrective control.
D. detective control.
Answer
110C: A corrective control helps to correct or minimize the impact of a problem. Backup tapes can be used for restoring the files in case of damage of files, thereby reducing the impact of a disruption. Preventive controls are those that prevent problems before they arise. Backup tapes cannot be used to prevent damage to files and hence cannot be classified as a preventive control. Management controls modify processing systems to minimize a repeat occurrence of the problem. Backup tapes do not modify processing systems and hence do not fit the definition of a management control. Detective controls help to detect and report problems as they occur. Backup tapes do not aid in detecting errors.