
Be okay with what will come and you would be able to handle it.

Certified Information Systems Auditor (CISA)

The Process of Auditing Information Systems

IS audit encompasses the entire practice of IS auditing, including the procedures and a thorough methodology that allow an IS auditor to audit any given IT area in a professional manner.

Objective
The objective of this area is to ensure that a CISA candidate has the knowledge necessary to provide information systems audit services in accordance with IS audit standards, guidelines and best practices.

Tasks
1. Develop and implement a risk-based IS audit strategy for the organization in compliance with IS audit standards, guidelines and best practices.
2. Plan specific audits to ensure that IT and business systems are protected and controlled.
3. Conduct audits in accordance with IS audit standards, guidelines and best practices to meet planned audit objectives.
4. Communicate emerging issues, potential risks and audit results to key stakeholders.
5. Advise on the implementation of risk management and control practices within the organization while maintaining independence.

The audit function should be managed and led in a manner that ensures that the tasks performed by the audit team fulfil the audit function's objectives while preserving audit independence and competence. Both internal and external auditors should be independent and report to the audit committee, if one exists, or to the highest management level, such as the board of directors.

Audit Charter / Engagement letter

The role of the IS internal audit function should be documented in an audit charter. The charter should clearly state management's responsibility and objectives for, and delegation of authority to, the IS audit function. It should outline the overall authority, scope and responsibility of the audit function. The highest level of management should approve the charter, and the charter should only be changed if the change can be and is thoroughly justified. ISACA's IS auditing standards require that the responsibility, authority and accountability of the IS audit function are appropriately documented in an audit charter or engagement letter. Engagement letters are more focused on a particular audit exercise that is to be initiated in an organization with a specific objective in mind. For external IS audit firms, the scope and objective of these services should be documented in a formal contract or statement of work between the contracting organization and the service provider.

Steps to plan an IS audit
1. Gain an understanding of the business mission, objectives, purpose and processes.
2. Identify stated contents such as policies, standards and regulatory guidelines.
3. Perform a risk analysis to help in designing the audit plan.
4. Conduct a review of internal controls related to IT.
5. Set the audit scope and audit objectives.
6. Develop the audit approach or audit strategy.
7. Assign personnel resources to the audit.
8. Address engagement logistics.

Ways to gain an understanding of the business
- Reading background material, e.g. industry publications, annual reports and independent financial analysis reports.
- Reviewing long-term business and IT issues.
- Interviewing key managers to understand business issues.
- Reviewing prior audit documentation and reports.

Effects of laws and regulations on IS audit planning
Each organization needs to comply with a number of governmental and external requirements related to computer system practices and controls, and to the manner in which computer programs and data are stored and used. Special attention should be given to these issues in those industries that have historically been closely regulated. IS auditors should review management policy to ascertain whether it takes into account the requirements of applicable laws and regulations, including data flow requirements.

Steps to determine an organization's level of compliance with external requirements
1. Identify the relevant governmental or other external requirements.
2. Document pertinent laws and regulations.
3. Assess whether the management of the organization and the IS function have considered the relevant external requirements in making plans and in setting policies, standards and procedures.
4. Review internal IS function documents that address adherence to laws applicable to the industry.
5. Determine adherence to established procedures that address these requirements.

RISK

WHAT IS RISK?

The potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organization.

RISK ANALYSIS
Risk analysis is part of audit planning and helps identify risks and vulnerabilities so that the auditor can determine the controls needed to mitigate those risks. Understanding the relationship between risk and control is important for IS audit and control professionals. IS auditors must be able to identify and differentiate risk types and the controls used to mitigate these risks. IS auditors must have knowledge of common business risks, related technology risks and related controls. They must also be able to evaluate the risk assessment and management techniques used by business managers, and be able to assess the risk in order to focus and plan audit work. The IS audit is often focused on high-risk issues associated with the confidentiality, availability and integrity of sensitive and critical information.

The risk assessment process begins with identifying business objectives, information assets and the underlying systems or resources that generate, store, use or manipulate the assets critical to achieving these objectives. Controls are then identified for mitigating the identified risks; controls are risk-mitigating countermeasures that prevent or reduce the likelihood of a risk event occurring. Finally, the performance levels of the risks being managed are monitored to identify any significant changes in the environment that would trigger a risk reassessment. Risk analysis comprises three processes:
- Risk assessment
- Risk mitigation
- Risk re-evaluation

Advantages of risk analysis
1. It assists the auditor in identifying risks and threats to an IT environment that would need to be addressed by management and by system-specific internal controls.
2. It helps the auditor in the evaluation of controls during audit planning.
3. It assists the auditor in determining audit objectives.
4. It supports risk-based audit decision making.

Controls

Internal controls
Policies, procedures, practices and organizational structures implemented to reduce risk are referred to as internal controls. Elements of control that should be considered when evaluating control strength are classified as preventive, detective or corrective in nature. Controls may be manual or automated.

Control Type | Implementation Method | Some Examples

Preventive (stops)
  Administrative: Hiring procedures, background checks, segregation of duties, training, change control process, acceptable use policy (AUP), organizational charts, job descriptions, written procedures, business contracts, laws and regulations, risk management, project management, service-level agreements (SLAs), system documentation
  Technical: Data backups, virus scanners, designated redundant system for high availability, ready for failover (HA standby), encryption, access control lists (ACLs), system certification process
  Physical: Access control, locked doors, fences, property tags, security guards, live monitoring of CCTV, human-readable labels, warning signs

Detective (finds)
  Administrative: Auditing, system logs, mandatory vacation periods, exception reporting, run-to-run totals, check numbers, control self-assessment (CSA), risk assessment, oral testimony
  Technical: Intrusion detection system (IDS), high availability systems detecting or signalling a failover condition (HA failure detection), automated log readers (CAATs), checksums, verifying digital signatures, biometrics for identification (one-to-many search), CCTV used for logging, network scanners, computer forensics, diagnostic utilities
  Physical: Physical inventory count, alarm systems (burglar, smoke, water, temperature, fire), tamper seals, fingerprints, receipts and invoices

Corrective (fixes)
  Administrative: Termination procedures (friendly/unfriendly), business continuity and disaster recovery plans, outsourcing, implementing recommendations of prior audits, lessons learned, property and casualty insurance
  Technical: Data restoration from backup, high availability system failover to the redundant system (HA failover occurs), redundant network routing, file repair utilities
  Physical: Hot, warm and cold sites for disaster recovery, fire-control sprinklers, heating and air conditioning, humidity control

Types of internal control include:
- Internal accounting controls: controls directed at accounting operations to ensure the safeguarding of assets and the reliability of financial records.
- Operational controls: controls directed at day-to-day operations to ensure that the operation is meeting the business objectives.
- Administrative controls: controls concerned with operational efficiency in a functional area and adherence to management policies, including operational controls.

Internal control objectives
These are statements of the desired results or purpose to be achieved by implementing control activities, e.g.:
- Safeguarding of IT assets
- Compliance with corporate policies and legal requirements
- Authorization and authentication
- Confidentiality
- Accuracy and completeness of data
- Reliability of processes
- Availability of IT services
- Efficiency and economy of operations
- Change management process for IT and related systems

IS CONTROLS
A well-designed information system should have controls built in for all its sensitive and critical functions. IS control domains include:
- Strategy and direction
- Controls on computer operations
- Operation procedures
- Business continuity and disaster recovery planning
- Networks and communication
- Protective and detective mechanisms against internal and external attacks
- Access to IT resources, including data and programs:
  - Physical access controls
  - Logical access controls
  - Network, application and database administration
- System development methodology and change controls:
  - System programming and technical support function
  - System migration processes

Performing an IS audit

Auditing can be defined as a systematic process by which a qualified, competent, independent team or person objectively obtains and evaluates evidence regarding assertions about a process, for the purpose of forming an opinion about and reporting on the degree to which the assertion is implemented. IS auditing can be defined as any audit that encompasses the review and evaluation of an automated information processing system, related non-automated processes and the interfaces between them.

Steps to perform an IS audit
Plan for the audit: For effective use of IS audit resources, audit organizations must assess the overall risk for the general and application areas and related services being audited, and develop an audit program that consists of objectives and audit procedures to satisfy the audit objectives.

Gather evidence: Evaluate the strengths and weaknesses of controls based on the evidence gathered through audit tasks, and prepare an audit report that presents those issues in an objective manner to management. Audit managers must ensure the availability of adequate audit resources and a schedule for performing the audit and, in the case of internal IS audit, for follow-up reviews on the status of corrective actions taken by management.

The audit process includes:
- Defining the audit scope
- Formulating audit objectives
- Identifying audit criteria
- Performing audit procedures
- Reviewing and evaluating evidence
- Forming audit conclusions and opinions
- Reporting to management after discussion with key process owners

Classification of Audits
- Financial audits: assess the correctness of an organization's financial statements.
- Operational audits: designed to evaluate the internal control structures in a given audit process or area.
- Integrated audits: combine financial and operational audits.
- Administrative audits: oriented to assess issues related to the efficiency of operational productivity within an organization.
- Forensic audits: auditing specialized in discovering, disclosing and following up on frauds and crimes.
- IS audits: the process of collecting and evaluating evidence to determine whether the information system and related resources adequately safeguard assets.

Procedures for understanding, evaluating and validating IT controls
- The use of generalized audit software to survey the contents of data files, e.g. system logs.
- Use of specialized software to assess the contents of operating system, database and application parameter files.
- Flowcharting techniques for documenting automated applications and business processes.
- Observation
- Enquiry
- Examination and review of documents
- Re-performance

The IS auditor would need to follow, at a minimum, a sequential program of:
1. Understanding the entity under audit
2. Evaluating the control structure
3. Validating the controls

Fraud Detection
Management is primarily responsible for establishing, implementing and maintaining a framework and design of IT controls to meet the internal control objectives. A well-designed internal control system provides good opportunities for deterring and/or timely detection of fraud. Internal controls may fail where such controls are circumvented by the exploitation of vulnerabilities, through management perpetuating weaknesses in controls, or through collusion between people. Control failures arise from:
- Design weaknesses
- Operating efficiency

Legislation and regulations relating to corporate governance place significant responsibility on management, auditors and the audit committee regarding the detection and disclosure of any frauds, whether material or not. IS auditors should be aware of the possibility and means of perpetrating fraud, especially by exploiting vulnerabilities and overriding controls in the IT-enabled environment.

Risk-Based Audit

By understanding the nature of the business, IS auditors can identify the types of risk that will better determine the risk model or approach for conducting the audit. The risk model can be as simple as creating weights for the risks associated with the business.

Simple risk-based approach
1. Gather information and plan
2. Obtain an understanding of internal control
3. Perform compliance tests (walk-through)
4. Perform substantive tests
5. Conclude the audit

Part of documenting risk data is for the auditor to identify potential risk response strategies that can be used in the audit with each identified risk. The four risk responses are as follows:
- Accept: Take your chances. Ignoring a risk is the same as accepting it. The auditor should be concerned about the acceptance of high-risk situations.
- Mitigate (reduce): Do something to lower the odds of getting hurt. Most internal controls are designed to mitigate risk.
- Transfer: Let someone else take the chance of loss by using a subcontractor or insurance. You can transfer the risk but not the liability for failure. Blind transfer of risk would be a genuine concern. This applies to outsourcing agreements and is the reason for a right-to-audit clause in the contract.
- Avoid: Reject the situation; change the situation to avoid taking the risk.

Inherent risks: These are natural or built-in risks that always exist, e.g. driving your automobile holds the inherent risk of an automobile accident or a flat tire. Theft is an inherent risk for items of high value.

Business risks: These are risks that are inherent in the business or industry itself. They may be regulatory, contractual or financial.

Technological risks: These are inherent risks of using automated technology. Systems do fail.

Detection risks: These are the risks that an auditor will not be able to detect what they are looking to find. It would be terrible to report no negative results when material conditions (faults) actually exist. Detection risks include sampling and non-sampling risks:
- Sampling risks: the risks that an auditor will falsely accept or erroneously reject an audit sample (evidence).
- Non-sampling risks: the risks that an auditor will fail to detect a condition because of not applying the appropriate procedure or using procedures inconsistent with the audit objective (detection fault).

Control risk: The risk that a material error exists that will not be prevented or detected in a timely manner by the internal control system.

Audit risks: These are the combination of inherent, detection, control and residual risks.
Audit risk = Inherent risk + Detection risk + Control risk

Operational risks: These are the risks that a process or procedure will not perform correctly.

Residual risks: These are the risks that remain after all mitigation efforts are performed.

Evidence

Evidence is any information used by an IS auditor to determine whether the entity or data being audited follows the established criteria or objectives, and that supports the audit conclusion.

Types of Evidence
There are two primary types of evidence, according to the legal definition:
- Direct evidence: This proves the existence of a fact without inference or presumption. Inference is when you draw a logical and reasonable proposition from another that is supposed to be true. Direct evidence includes the unaltered testimony of an eyewitness and written documents.
- Indirect evidence: Indirect evidence uses a hypothesis without direct evidence to make a claim that consists of both inference and presumption. It is based on a chain of circumstances leading to a claim, with the intent to prove the existence or nonexistence of certain facts. Indirect evidence is also known as circumstantial evidence.

Grading evidence All evidence is graded according to criteria using four characteristics of evidence. This grading aids the auditor in assessing the evidence value. It is important to obtain the best possible evidence. The four characteristics are as follows:

1. Timing of Evidence Evidence timing indicates whether evidence is received when it is requested, or several hours or days late. In electronic systems, the timing has a secondary meaning; electronic evidence may be available only during a limited window of time before it is overwritten or the software changes to a new version.

2. Evidence objectivity Evidence objectivity refers to its ability to be accepted and understood with very little judgment required. The more judgment required, the less objective the evidence. As you increase the amount of judgment necessary to support your claims, the evidence quickly becomes subjective or circumstantial, which is the opposite of objective. Objective evidence is in a state of unbiased reality during examination without influence by another source. Objective evidence can be obtained through qualitative/quantitative measurement, and from records or statements of fact pertaining to the subject of the investigation. Objective evidence can be verified by observation, measurement, or testing.

3. Competency of the evidence provider Evidence supplied by a person with direct involvement is preferred. The source of their knowledge will affect the evidence value and accuracy. A secondhand story still holds value by providing information that may lead to the evidence the auditor is seeking. An expert is legally defined as a person who possesses special skill or knowledge in a science or profession because of special study or experience with the subject. An expert possesses a particular skill in forming accurate opinions about a subject; in contrast, a common person would be incapable of deducing an accurate conclusion about the same subject.

4. Evidence independence Evidence independence is similar to auditor independence, meaning the provider should not have any gain or loss from providing the evidence. Evidence supplied by a person with a bias is often questionable. The auditor should ask whether the evidence provider is part of the auditee's organization. The qualifications of the evidence provider should always be considered. A person with a high degree of detailed understanding is vastly more qualified than an individual of limited knowledge. Evidence and data gathered from a novice may have a low value when compared to data gathered by an expert. A person who is knowledgeable and independent of the audit subject would be considered the best source of evidence.

Sampling

SAMPLING
Statistical Sampling
Statistical sampling uses mathematical techniques that result in an outcome that is mathematically quantifiable. Statistical samples are usually presented as a percentage. The purpose of statistical sampling is to gain an objective representation; samples are selected by an objective mathematical process. Examples of statistical sampling include the following:
- Random sampling: Samples are selected at random.
- Fixed interval sampling: The sample existing at every nth interval increment is selected for testing.

Nonstatistical Sampling
Nonstatistical sampling is based on the auditor's judgment (also referred to as judgmental sampling). The auditor determines the sample size, the method of generating the sample, and the number of items to be analyzed. This is a subjective process usually based on elements of risk or materiality. An example of nonstatistical sampling is haphazard sampling, in which the samples are randomly drawn for testing.
After the samples are selected, the next step is to perform compliance tests or substantive testing.

Identifying Audit Testing As stated earlier, the basic test methods used will be either compliance testing or substantive testing. Appropriate audit samples will have to be generated for the test. Compliance testing tests for the presence or existence of something. Compliance testing includes verifying that policies and procedures have been put in place, and that user access rights, program change control procedures, and system audit logs have been activated. An example of a compliance test is comparing the list of persons with physical access to the data center against the HR list of current employees.

Compliance testing is based on one of the following types of audit samples:
- Attribute sampling: The objective is to determine whether an attribute is present or absent in the subject sample. The result is specified by the rate of occurrence.
- Stop-and-go sampling: Used when few errors are expected. Stop-and-go allows the test to occur without excessive effort in sampling and provides the opportunity to stop testing at the earliest possible opportunity. It is a simple form of testing to reinforce any claim that errors are unlikely in the sample population.
- Discovery sampling: Used to detect fraud or when the likelihood of evidence existing is low. This is an attempt to discover evidence.

Substantive testing seeks to verify the content and integrity of evidence. Substantive tests include verifying account balances, performing physical inventory counts, and executing detailed scans to detect effectiveness of a specific system configuration. Substantive testing uses audit samples selected by dollar value or to project a total for groups with related characteristics.

Substantive testing is based on one of the following types of audit samples:
- Variable sampling: Used to designate dollar values or weights (effectiveness) of an entire subject population by prorating from a smaller sample. Consider the challenge of counting large volumes of currency by its weight. Variable sampling could be used to count currency by dividing the total weight of the combined sample by the physical weight of one unit, and then multiplying by the face value printed on the bill or coin. A demonstration would be a single $50 bill weighing 0.8 grams, with the entire sample of $50 bills weighing 48 grams altogether. The combined sample weight would indicate a total quantity of 60 bills for an estimated dollar value of $3,000. This is a common technique for forecasting the quantity and value of inventory based on particular characteristics.
- Unstratified mean estimation: Used in an attempt to project an estimated total for the subject population.
- Stratified mean estimation: Used to calculate an average by group, similar to demographics, whereby the entire population is divided (stratified) into smaller groups based on similar characteristics. Examples are teenagers from the ages of 13 to 19, people from the ages of 20 to 29, people from the ages of 30 to 39, and those who are male or female, smokers or nonsmokers, and so on.
- Difference estimation: Used to determine the difference between audited and unaudited claims of value.

SAMPLING TERMS
Tolerable error rate: The maximum number of errors that can exist without declaring a material misstatement. Regardless of the audit sample and test method used, the auditor is presumed to have a high degree of confidence when the audit coefficient is 95 percent or higher. The audit coefficient represents your level of confidence about the audit results. It is also referred to as a reliability factor.

Precision, or expected error rate: The precision rate indicates the acceptable margin of error between audit samples and the total quantity of the subject population. This is usually expressed as a percentage, such as 5 percent. To obtain a very low error rate, it is necessary to use a very large sample in testing. The larger sample can yield a higher average.
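The sampling techniques described in this section (random and fixed-interval selection, attribute sampling judged against a tolerable error rate, stop-and-go sampling, and the variable-sampling currency estimate), worked through as an added Python example that is not part of the original study notes. The population of user login accounts, its password-compliance flag and its 4 percent non-compliance rate are constructed for illustration; the example also shows a caveat the notes do not state, namely that a fixed interval which lines up with a periodic pattern in the population produces a biased sample.

```python
"""Worked audit-sampling helpers for a compliance test on user accounts."""
import random

# Constructed population (not real data): 200 login accounts, every 25th one
# fails the password policy, i.e. 8 exceptions, a 4 percent population rate.
ACCOUNTS = [
    {"user": f"user{i:03d}", "password_compliant": (i % 25 != 0)}
    for i in range(1, 201)
]


def random_sample(population, size, seed=42):
    """Statistical sampling: objective random selection (seeded so it repeats)."""
    return random.Random(seed).sample(population, size)


def fixed_interval_sample(population, interval, start=0):
    """Statistical sampling: pick the item at every nth interval.

    Caveat: if the population has a periodic pattern with the same period as
    the interval, the sample sees only one phase of that pattern (see test).
    """
    return population[start::interval]


def attribute_rate(sample, attribute):
    """Attribute sampling: rate of occurrence of an attribute in the sample."""
    hits = sum(1 for item in sample if item[attribute])
    return hits / len(sample)


def compliance_conclusion(sample, attribute, tolerable_error_rate):
    """Compare the observed exception rate with the tolerable error rate."""
    exception_rate = 1.0 - attribute_rate(sample, attribute)
    return {
        "sample_size": len(sample),
        "exception_rate": round(exception_rate, 4),
        "within_tolerance": exception_rate <= tolerable_error_rate,
    }


def stop_and_go(population, attribute, max_exceptions, batch_size):
    """Stop-and-go sampling: test in small batches and stop as early as possible.

    Stops as soon as the exceptions exceed max_exceptions (the claim that
    errors are unlikely is rejected) or when the population is exhausted
    (the claim is supported).
    """
    tested = exceptions = 0
    for start in range(0, len(population), batch_size):
        batch = population[start:start + batch_size]
        tested += len(batch)
        exceptions += sum(1 for item in batch if not item[attribute])
        if exceptions > max_exceptions:
            return {"tested": tested, "exceptions": exceptions, "supported": False}
    return {"tested": tested, "exceptions": exceptions, "supported": True}


def variable_sampling_estimate(unit_weight, sample_weight, unit_value):
    """Variable sampling: project quantity and value of currency from weight."""
    quantity = round(sample_weight / unit_weight)
    return quantity, quantity * unit_value


if __name__ == "__main__":
    print(compliance_conclusion(random_sample(ACCOUNTS, 30), "password_compliant", 0.05))
    print(compliance_conclusion(fixed_interval_sample(ACCOUNTS, 25, 24), "password_compliant", 0.05))
    print(stop_and_go(ACCOUNTS, "password_compliant", max_exceptions=1, batch_size=20))
    print(variable_sampling_estimate(0.8, 48, 50))
```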

Computer Assisted Audit Tools

Using Computer Assisted Audit Tools Computer assisted audit tools (CAAT) are invaluable for compiling evidence during IS audits. The auditor will find several advantages of using CAATs in their analytical audit procedure. CAAT tools are capable of executing a variety of automated compliance tests and substantive tests that would be nearly impossible to perform manually. These specialized tools may include multifunction audit utilities, which can analyze logs, perform vulnerability tests, or verify specific implementation of compliance in a system configuration compared to intended controls.

CAAT includes the following types of software tools and techniques:
- Network traffic and protocol analysis
- Testing the configuration of specific application software, such as an SQL database
- Testing for password compliance on user login accounts
Many CAAT tools have a built-in report writer that can generate more than one type of predefined report of findings on your behalf. A significant amount of time may be required to become a competent CAAT operator.

Some of the concerns for or against using CAAT include:
- The auditor's level of computer knowledge and experience
- Level of risk and complexity of the audit environment
- Cost and time constraints
- Specialized training requirements
- Speed, efficiency and accuracy over manual operations
- Security of the data extracted by CAAT

Control Self-Assessments

Traditional Audit Compared to Control Self-Assessments A discussion of the audit process would not be complete without mentioning the benefits of using control self-assessments. The auditee can work to improve their audit score between audits by using these self-assessment techniques.
To employ the formal skills of a professional auditor is considered a traditional audit. In a traditional audit, the auditor manages the audit through the entire audit process and renders a final opinion. A control self-assessment (CSA) is executed by the auditee. The auditee uses the CSA to benchmark progress with the intention of improving their score. This CSA process can generate benefits by empowering the staff to take ownership and accountability. With a CSA, the auditor becomes a facilitator who helps guide the client's effort toward self-improvement. A great deal of pride can be created by the accomplishment of CSA tasks and by learning the detail necessary to succeed in a traditional audit. A CSA is not going to fulfil the independence requirement, so a traditional audit will still be required. A CSA will help your client understand the specific actions

THANK YOU
