Domain 1: IS Audit Process

Policy: An executive mandate identifying a topic that carries particular risks to avoid or prevent. Policies are high-level documents signed by a person of significant authority with the power to compel cooperation.

Guidelines: Intended to provide advice on how organizational objectives might be attained in the absence of a standard.

Procedures: Cookbook recipes providing a workflow of the specific tasks necessary to achieve minimum compliance with a standard. Details are written in step-by-step format from the very beginning to the end.

ISACA Code of Professional Ethics:

- Auditors agree to support the implementation of appropriate policies, standards, guidelines, and procedures for information systems, and to encourage compliance with them.
- Auditors agree to perform their duties with objectivity, professional care, and due diligence, in accordance with professional standards and best practices.
- Auditors agree to serve the interests of stakeholders in an honest and lawful manner that reflects a credible image on their profession. The public expects and trusts auditors to conduct their work in an ethical and honest manner.
- Auditors promise to maintain the privacy and confidentiality of information obtained during their audit, except where disclosure is required by legal authorities. Information obtained during the audit will not be used for personal benefit.
- Auditors agree to undertake only those activities in which they are professionally competent, and will strive to improve their competency. Their effectiveness in auditing depends on how evidence is gathered, analyzed, and reported.
- Auditors promise to disclose accurate results of all work and significant facts to the appropriate parties.
- Auditors agree to support ongoing professional education to help stakeholders enhance their understanding of information systems security and control.

Failure of a CISA to comply with this code of professional ethics may result in an investigation with possible sanctions or disciplinary measures.

3 basic types of audit

- Internal audits and assessments
- External audits
- Independent audits (third party, outside of the customer-supplier influence)

In all cases, auditors are called on to audit products, processes, and systems.
Standards

Auditing standards

There are two basic categories of audit testing: an audit either verifies that an item required for compliance exists (compliance test) or examines the substance and integrity of a claim (substantive test).
Audit standards:

- American Institute of Certified Public Accountants (AICPA) and International Federation of Accountants (IFAC)
- Financial Accounting Standards Board (FASB), which sets US GAAP; the Statements on Auditing Standards (SAS) are issued by the AICPA's Auditing Standards Board
- International Financial Reporting Standards (IFRS), which have replaced local Generally Accepted Accounting Principles (GAAP) in many jurisdictions
- COSO (Committee of Sponsoring Organizations of the Treadway Commission), the internal control framework
- U.S. Public Company Accounting Oversight Board (PCAOB), overseen by the Securities and Exchange Commission; it is the standards body for Sarbanes-Oxley audits
- OECD, providing guidelines for participating countries to promote standardization in multinational business and world trade
- ISO
- FISMA
- ISACA and the IT Governance Institute (ITGI)
- Basel Accords (banking supervision standards)

ISACA IS Audit Standards

They are organized using a format numbered from S1 to S16:

S1  Audit Charter
S2  Independence
S3  Professional Ethics and Standards of Conduct
S4  Professional Competence
S5  Planning
S6  Performance of Audit Work
S7  Audit Reporting
S8  Follow-up Activities
S9  Irregularities and Illegal Acts
S10 IT Governance
S11 Use of Risk Analysis in Audit Planning
S12 Audit Materiality
S13 Using the Work of Other Experts
S14 Audit Evidence
S15 IT Controls
S16 E-commerce Controls

Note: ISACA has since withdrawn the S-numbered standards and replaced them with the ITAF standards (1000-series numbering); check the current edition before citing a standard number in a report.


In most cases, the archive of the integrated audit may need to be kept for seven
years. Each type of audit may have a longer or shorter retention period,
depending on the regulations identified during audit planning.

The evidence rule


A good auditor gathers sufficient, appropriate evidence to support the auditor's opinion.

Chapter 2: Managing IT governance


Corporate governance is often defined by ISACA as the ethical behavior of corporate executives toward shareholders and stakeholders to maximize the return on a financial investment.

Three high-level management objectives to be verified by the auditor are as follows:

- A strategic alignment between IT and the enterprise objectives (formal strategy)
- A process of monitoring assurance practices for executive management
- Intervention as required to stop, modify, or fix failures as they occur (corrective action)

The IT steering committee or IT strategy committee is used to convey the current business requirements from business executives to IT executives. It should have a formal charter designating the participation of each member. This charter grants responsibility and authority in a manner similar to an audit charter.

The representation necessary on the steering committee:

- Marketing
- Manufacturing / software development
- Sales
- Finance
- Legal
- Quality control
- Research and development
- Program and project management office
- Business continuity
- Information technology
- Human resources
- Labor management
- Administration

The balanced scorecard


The balanced scorecard is a strategic methodology designed for senior
executives.

IT subset of balanced scorecard


The IT balanced scorecard should be a subset of the organization's overall balanced scorecard. As a CISA, you need to understand how the balanced scorecard can be applied specifically to information technology. ISACA describes the scorecard using three layers that incorporate the more common four perspectives (customer, business process, financial, and growth and learning). The three layers for IT scoring according to ISACA are as follows:

- Mission (opportunities for future needs)
- Strategy (common statements include: attain the IT control objectives)
- Metrics (develop and implement meaningful IT metrics based on critical success factors and key performance indicators)

Decoding the IT strategy

The auditor should remain aware that a shadow organization (IT activity run outside the sanctioned IT function) represents a genuine control failure. This lack of integration is an ongoing concern in the areas of cost control, duplication of effort, and political differences in both direction and objectives.

PMO vs. doing it all yourself

Here is a short list of the policies required to address issues faced by IT governance:

- Intellectual property: the IS auditor should understand how the organization is attempting to protect its intellectual property.
- Data integrity: the goal is to ensure that data is accurate and safely stored.
- Backup and restoration: what are the plans and procedures for data backup and restoration? The number one issue in IT is loss of data due to faulty backups.
- Security management: without security controls, ensuring data integrity is impossible. Internal controls prevent unauthorized modifications.
- Mandatory versus discretionary controls: the organization needs to clearly identify its management directives for the implementation of controls.
  o Mandatory control: the strongest type of control. The implementation may be administrative or technical. It is designed to force compliance without exception.
  o Discretionary control: the weakest type of control. In a discretionary control, the user or a delegated person of authority determines what is acceptable.
- Monitoring: should provide the metrics necessary to compare alignment to business objectives.
- Incident response: a response by skilled individuals is required to deal with technical problems or the failure of internal controls.

Audit Program objectives and scope


Every audit will contain a list of objectives. High-level objectives may come from executive mandate, regulations, or industry standards. The auditor should expect audit program objectives to vary according to department, task, subject matter, or a particular step in the process workflow. Larger organizations have more audit objectives; smaller organizations usually have fewer, because management has better control and fewer communication problems in a smaller organization.

The table below demonstrates a simplified view of some audit program objectives that a company would encounter:

The following audit planning issues should be considered regardless of the size of the organization:

- Number of geographic locations
- Diversity of products
- Activities outsourced to third parties (subcontractors)
- Needs for certification, accreditation, or registration
- Concerns raised by interested parties
- Complexity of regulations or contracts to be audited
- Type, scope, and number of activities to be audited
- Participation required by external subcontractors
- Audit frequency
- Follow-up on recommendations from previous audits
- Cost, resource, and time requirements
- Discontinuation of low-profit activities, layoffs, failing products

Planning individual audits

- Audit scope
- Audit criteria
- Audit team

The audit charter outlines the responsibility, authority, and accountability of the auditor:

- Responsibility: provides the scope, with goals and objectives
- Authority: grants the right to perform an audit and the right to obtain access relevant to the audit
- Accountability: defines mutually agreed-upon actions between the audit committee and the auditor, complete with reporting requirements

Role of the audit committee

Each organization should have an audit committee composed of business executives. Each audit committee member is required to be financially literate, with the ability to read and understand financial statements.

The purpose of the audit committee is to provide advice to the executive accounting officer concerning internal control strategies, priorities, and assurances.

The audit committee manages planned audit activities and the results of both internal and external audits. The committee is authorized to engage outside experts for independent assurance.

Understanding the variety of audits

Risk assessment:

- Inherent risk: the natural or built-in risk that always exists, before any controls are applied.
- Detection risk: the risk that the auditor will not detect what is being sought. It would be terrible to report no negative results when material conditions (faults) actually exist. Detection risk includes sampling and nonsampling risk.
  o Sampling risk: the risk that the auditor will falsely accept or erroneously reject an audit sample (evidence) because the sample is not representative of the population.
  o Nonsampling risk: the risk that the auditor will fail to detect a condition because of not applying the appropriate procedure, or using procedures inconsistent with the audit objective (detection fault).
- Control risk: the risk that the organization's internal controls fail to prevent or detect an error, so that errors are introduced or are not corrected in a timely manner.
- Business risk: risks inherent in the business or industry itself (regulatory, contractual, financial).
- Technological risk: the inherent risks of using automated technology.
- Operational risk: the risk that a process or procedure will not perform correctly.
- Residual risk: the risk that remains after all mitigation efforts are performed.
- Audit risk: the combination of inherent, detection, control, and residual risk; in practice, the risk that the auditor issues an incorrect opinion. These are the same risks facing normal business operations.

Risk assessment activities

Using data collection techniques:

- Staff observation
- Document review
- Interviews
- Workshops
- Computer-assisted audit tools (CAAT)
- Surveys

Understanding the hierarchy of internal controls

- General controls: the parent class of controls governing all areas of the business (job descriptions, separation of duties).
- Pervasive IS controls: the direction and behavior required for technology to function properly.
- Detailed IS controls: specific steps or tasks to be performed (how security parameters are set, how to lock a user account).
- Application controls (embedded in programs): the lowest subset in the control family. All activity should have filtered through the general controls, then the pervasive controls and detailed controls, before it reaches the application-controls level.

Types of evidence:

- Direct evidence: proves the existence of a fact without inference or presumption. (Inference is drawing a logical and reasonable proposition from another proposition that is supposed to be true.) Direct evidence includes the unaltered testimony of an eyewitness and written documents.
- Indirect evidence: uses a hypothesis, without direct evidence, to make a claim that consists of both inference and presumption. Indirect evidence is also known as circumstantial evidence.

Selecting audit samples

Audit samples are selected for the purpose of collecting representative evidence to be subjected to either compliance testing or substantive testing. Two basic types of audit samples can be designed by the auditor: statistical and nonstatistical.

- Random sampling: samples are selected at random, so every item in the population has an equal chance of selection.
- Cell sampling: the population is divided into predefined intervals (cells) and a random selection is made within each interval.
- Fixed interval sampling: the item at every nth position (a fixed interval increment) is selected for testing. Beware of a population with a periodic pattern that coincides with the interval: the fixed interval will then either always or never land on it.
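The three selection methods above, worked as an added example (not code from the page): a Python implementation over a constructed population of 120 change tickets, with a constructed periodic defect that shows why fixed-interval selection carries extra sampling risk. The ticket identifiers, the 12-of-120 sample size and the exception pattern are assumptions.

```python
import random

# Constructed population (not from the page): 120 change tickets from one quarter.
POPULATION = [f"CHG-{i:04d}" for i in range(1, 121)]


def random_sample(population, n, seed=None):
    """Random sampling: every item has an equal chance of selection."""
    rng = random.Random(seed)
    return sorted(rng.sample(population, n))


def fixed_interval_sample(population, n, start=0):
    """Fixed-interval (systematic) sampling: pick every k-th item beginning at
    index `start`, where k = population size // n."""
    k = len(population) // n
    if k < 1:
        raise ValueError("sample size exceeds population size")
    if not 0 <= start < k:
        raise ValueError("start must lie within the first interval")
    return [population[i] for i in range(start, len(population), k)][:n]


def cell_sample(population, n, seed=None):
    """Cell sampling: split the population into n equal cells (intervals) and
    draw one item at random from inside each cell."""
    rng = random.Random(seed)
    size = len(population)
    cells = [population[i * size // n:(i + 1) * size // n] for i in range(n)]
    return [rng.choice(cell) for cell in cells if cell]


def occurrence_rate(sample, exceptions):
    """Fraction of sampled items that are exceptions (the attribute under test)."""
    return sum(1 for item in sample if item in exceptions) / len(sample)


# Constructed exception pattern (assumption): a batch job mis-files every tenth
# ticket, so the defect recurs with period 10, the same interval a 12-of-120
# fixed-interval sample uses.
EXCEPTIONS = {POPULATION[i] for i in range(len(POPULATION)) if i % 10 == 5}


if __name__ == "__main__":
    print("random:        ", random_sample(POPULATION, 12, seed=7))
    print("fixed interval:", fixed_interval_sample(POPULATION, 12))
    print("cell:          ", cell_sample(POPULATION, 12, seed=7))
    # The periodic defect is either always or never hit by fixed-interval selection.
    for start in (0, 5):
        rate = occurrence_rate(fixed_interval_sample(POPULATION, 12, start), EXCEPTIONS)
        print(f"fixed interval, start={start}: observed exception rate {rate:.0%}")
    cell_rate = occurrence_rate(cell_sample(POPULATION, 12, seed=7), EXCEPTIONS)
    print(f"cell sampling: observed exception rate {cell_rate:.0%}")
```

The true exception rate in this population is 10%. A fixed-interval sample starting at index 0 reports 0% and one starting at index 5 reports 100%; cell and random selection land somewhere near the truth. Randomizing the starting point, or preferring cell sampling when the population may be ordered, is the usual mitigation.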
Using computer-assisted audit tools

These tools are capable of executing a variety of automated compliance tests and substantive tests that would be nearly impossible to perform manually. They include multifunction audit utilities that can analyze logs, perform vulnerability tests, or verify that a system configuration implements the intended controls.

CAAT includes the following types of software tools and techniques:

- Host evaluation tools that read the system configuration settings and evaluate the host for known vulnerabilities
- Network traffic and protocol analysis using a sniffer
- Mapping and tracing tools that use a tracer-bullet approach to follow processes through a software application using test data
- Testing the configuration of specific application software, such as an SQL database
- Software license counting across the network
- Testing for password compliance on user login accounts

Using CAAT for continuous online audit

Six types of continuous online auditing techniques:

- Online event monitors: automated tools designed to read and correlate system logs or transaction logs on behalf of the auditor.
- Embedded program audit hooks: a software developer can write audit hooks into the application to generate a red-flag alert to the auditor, hopefully before the problem gets out of hand.
- Continuous and intermittent simulation (CIS): the application software continuously tests every transaction against certain criteria. When the criteria are met, the software runs an audit of that transaction (the intermittent test), then waits until the next transaction meeting the criteria occurs.
- Snapshot audit: uses a series of sequential data captures, referred to as snapshots, taken at the logical points a transaction passes through. The snapshots produce an audit trail that is reviewed by the auditor.
- Integrated test facility (ITF): this integrated audit testing module allows the auditor to create a set of dummy transactions that are processed along with live, genuine transactions; the results are compared with the expected results and the dummy entries are removed afterwards so they do not pollute live data.
- System Control Audit Review File with Embedded Audit Modules (SCARF/EAM): the theory is straightforward. A system-level audit program is installed to selectively collect the data produced by embedded audit modules inside the application software.
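The embedded audit hook, CIS and SCARF/EAM techniques above, as one added example (not code from the page): a Python application-side audit module that tests every transaction against the auditor's criteria and writes only the matching ones to an in-memory SCARF while live posting continues. The transactions, the three criteria and the threshold are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime


@dataclass
class Transaction:
    txn_id: str
    user: str
    approver: str
    amount: float
    timestamp: datetime


@dataclass
class EmbeddedAuditModule:
    """Embedded audit module: runs inside the application on every transaction
    (continuous test) and records only the ones meeting the auditor's criteria
    (intermittent audit) in a SCARF, modeled here as an in-memory list."""
    threshold: float
    business_hours: tuple = (8, 18)      # assumed local business hours, 08:00-18:00
    scarf: list = field(default_factory=list)

    def criteria(self, txn):
        """Auditor-defined red flags (assumptions for this example)."""
        reasons = []
        if txn.amount >= self.threshold:
            reasons.append("amount at or above threshold")
        if txn.user == txn.approver:
            reasons.append("self-approved")
        start, end = self.business_hours
        if not start <= txn.timestamp.hour < end:
            reasons.append("outside business hours")
        return reasons

    def hook(self, txn):
        """The audit hook the developer calls from the posting path."""
        reasons = self.criteria(txn)
        if reasons:
            self.scarf.append({"txn_id": txn.txn_id, "reasons": reasons})
        return reasons


def post_transactions(transactions, eam):
    """Live processing: the hook runs inline, but posting is never blocked by it."""
    posted = []
    for txn in transactions:
        eam.hook(txn)
        posted.append(txn.txn_id)
    return posted


# Constructed transactions (not from the page).
SAMPLE = [
    Transaction("T1", "alice", "bob", 900.0, datetime(2024, 3, 4, 10, 15)),
    Transaction("T2", "carol", "carol", 1500.0, datetime(2024, 3, 4, 2, 30)),
    Transaction("T3", "dave", "erin", 25000.0, datetime(2024, 3, 4, 14, 0)),
    Transaction("T4", "frank", "grace", 300.0, datetime(2024, 3, 4, 9, 45)),
]


def run_demo(threshold=10000.0):
    """Process the constructed batch and return (posted ids, SCARF contents)."""
    eam = EmbeddedAuditModule(threshold=threshold)
    posted = post_transactions(SAMPLE, eam)
    return posted, eam.scarf


if __name__ == "__main__":
    posted, scarf = run_demo()
    print("posted:", posted)
    for entry in scarf:
        print("SCARF:", entry["txn_id"], "->", ", ".join(entry["reasons"]))
```

In a real deployment the SCARF is a write-only file or table that the application cannot read back or delete, and the auditor, not the developer, owns the criteria; otherwise the hook can be tuned to stay quiet about exactly the transactions worth seeing.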

Grading of evidence

Four criteria:

- Material relevance
- Evidence objectivity
- Competency of the evidence provider
- Evidence independence

Timing of evidence is also important.

Following the evidence lifecycle

Conducting audit evidence testing

The basic test methods used will be either compliance testing or substantive testing.

Compliance testing tests for the presence or absence of something. It includes verifying that policies and procedures have been put in place, and checking that user access rights, program change control procedures, and system audit logs have been activated. (Example: compare the list of persons with physical access to the data center against the HR list of current employees.)

Compliance testing is based on one of the following types of audit samples:

- Attribute sampling: determines whether an attribute is present or absent in the subject sample. The result is specified by the rate of occurrence; for example, the presence of 1 in 100 units would be 1%.
- Stop-and-go sampling: used when few errors are expected. Stop-and-go allows the test to occur without excessive effort in sampling and provides the opportunity to stop testing at the earliest possible opportunity.
- Discovery sampling: used to detect fraud or when the likelihood of the evidence existing is low; the sample is sized to find at least one occurrence and may extend to 100 percent of the population. Forensics is an excellent example of discovery sampling.
- Precision, or expected error rate: the precision rate indicates the acceptable margin of error between the audit sample and the total quantity of the subject population.
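The data-center example above, worked as an added example (not code from the page): a Python compliance test that compares a constructed badge-holder list against a constructed HR roster, reports the attribute-sampling rate of occurrence, checks it against an assumed expected error rate and precision, and runs a simplified stop-and-go pass in blocks. Employee IDs, badge IDs, the tolerances and the block sizes are assumptions.

```python
# Constructed data (not from the page): the data-center badge system's holder
# list as (badge id, person id), and HR's roster of active employees.
BADGE_HOLDERS = [
    ("B001", "E100"), ("B002", "E101"), ("B003", "E102"), ("B004", "E103"),
    ("B005", "E104"), ("B006", "E105"), ("B007", "E106"), ("B008", "E107"),
    ("B009", "E108"), ("B010", "E109"),
]
# Assumed story: E104 left the company and E109 was a contractor whose
# engagement ended; neither badge was revoked.
HR_ACTIVE = {"E100", "E101", "E102", "E103", "E105", "E106", "E107", "E108"}


def access_exceptions(badge_holders, hr_active):
    """Compliance test: badge holders who are not on HR's active roster.
    Each one is a deviation from the attribute 'only current staff hold badges'."""
    return [(badge, person) for badge, person in badge_holders if person not in hr_active]


def attribute_rate(items, is_deviation):
    """Attribute sampling: rate of occurrence of the attribute among tested items."""
    return sum(1 for item in items if is_deviation(item)) / len(items)


def within_precision(observed_rate, expected_rate, precision):
    """Precision / expected error rate: True while the observed rate stays inside
    the margin the auditor accepted when sizing the sample."""
    return observed_rate <= expected_rate + precision


def stop_and_go(items, is_deviation, block_size):
    """Simplified stop-and-go sampling: test in blocks and stop at the end of the
    first block after which no deviation has been seen at all.
    Returns (number of items tested, deviations found)."""
    deviations = []
    tested = 0
    for i in range(0, len(items), block_size):
        block = items[i:i + block_size]
        tested += len(block)
        deviations.extend(item for item in block if is_deviation(item))
        if not deviations:
            break
    return tested, deviations


def badge_deviation(entry):
    return entry[1] not in HR_ACTIVE


if __name__ == "__main__":
    print("exceptions:", access_exceptions(BADGE_HOLDERS, HR_ACTIVE))
    rate = attribute_rate(BADGE_HOLDERS, badge_deviation)
    print(f"rate of occurrence: {rate:.0%}")
    print("within 5% expected +/- 5% precision?", within_precision(rate, 0.05, 0.05))
    # Sampling risk in action: a small first block that happens to be clean stops the test early.
    print("stop-and-go, block 4:", stop_and_go(BADGE_HOLDERS, badge_deviation, 4))
    print("stop-and-go, block 5:", stop_and_go(BADGE_HOLDERS, badge_deviation, 5))
```

The full-population test finds a 20% rate, well outside the assumed tolerance. The stop-and-go pass with a block of 4 tests only the first four badges, sees no deviation, and stops: that is the sampling risk of a false accept, which is why stop-and-go is reserved for populations where few errors are genuinely expected and the minimum block is sized accordingly.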

Substantive testing

Substantive testing seeks to verify the content and integrity of evidence. Substantive tests may include complex calculations to verify account balances, physical inventory counts, or executing sample transactions to verify the accuracy of supporting documentation.

This test is based on one of the following types of audit samples:

- Variable sampling: used to estimate the dollar value or weight (effectiveness) of an entire subject population by prorating from a smaller sample.
- Unstratified mean estimation: used to project an estimated total for the whole subject population from the sample mean.
- Stratified mean estimation: used to calculate an average by group, similar to demographics, whereby the entire population is divided (stratified) into smaller groups based on similar characteristics and each group is projected separately.
- Difference estimation: used to determine the difference between audited and unaudited (book) values and project that difference over the population.
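The three substantive estimators above, as an added example (not code from the page): Python functions for unstratified mean estimation, stratified mean estimation and difference estimation, plus the materiality comparison the auditor makes with the projected figure. The inventory figures and the materiality threshold are constructed.

```python
from statistics import mean


def unstratified_mean_estimate(sample_values, population_size):
    """Project a total for the whole population from the sample mean."""
    return mean(sample_values) * population_size


def stratified_mean_estimate(strata):
    """strata: list of (population size of the stratum, audited values sampled from it).
    Each stratum is projected separately and the projections are added."""
    return sum(mean(values) * size for size, values in strata)


def difference_estimate(book_total, population_size, sample_pairs):
    """sample_pairs: (book value, audited value) for each sampled item.
    Project the mean audit difference over the population and adjust the book total."""
    mean_diff = mean(audited - book for book, audited in sample_pairs)
    return book_total + mean_diff * population_size


def is_material(projected, recorded, materiality):
    """Substantive conclusion: the projected misstatement exceeds materiality."""
    return abs(projected - recorded) > materiality


if __name__ == "__main__":
    # Constructed inventory (not from the page): 500 stock lines with a book
    # total of 250,000; five lines were physically counted and repriced.
    counted = [(600.0, 580.0), (480.0, 480.0), (520.0, 470.0), (450.0, 450.0), (400.0, 400.0)]
    projected = difference_estimate(250_000.0, 500, counted)
    print(f"difference estimate: {projected:,.0f}")
    print("material at 5,000?", is_material(projected, 250_000.0, 5_000.0))

    # Two strata: 20 high-value lines and 480 low-value lines, sampled separately.
    strata = [(20, [4_000.0, 4_400.0]), (480, [350.0, 300.0, 325.0])]
    print(f"stratified estimate: {stratified_mean_estimate(strata):,.0f}")
    print(f"unstratified estimate from the same values: "
          f"{unstratified_mean_estimate([4_000.0, 4_400.0, 350.0, 300.0, 325.0], 500):,.0f}")
```

The last two lines show why stratification matters: mixing the two high-value items into one unstratified mean inflates the projection far above the stratified figure, because the sample over-represents the high-value stratum relative to its share of the population.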

Each finding of evidence can be classified into one of these common reporting statements, presented in order from most desirable to least desirable:

- Noteworthy achievement
- Conformity
- Opportunity for improvement
- Concern
- Nonconformity

Examples of illegal activities:

- Fraud
- Theft
- Suppression
- Racketeering
- Regulatory violations

Networking technology basics

IS Network infrastructure

Information systems lifecycle

ISO 9126: Software quality

ISO/IEC 9126 is related to ISO 9001 but is specific to software products: it defines a model for evaluating software products and measuring specific quality characteristics. (It has since been superseded by ISO/IEC 25010, which keeps the same approach with an extended set of characteristics.)

The six quality characteristics are as follows:

- Functionality of the software processes
- Usability (ease of use)
- Reliability, with consistent performance
- Efficiency of resource use
- Portability between environments
- Maintainability with regard to making modifications
