ISACA: The recognized global leader in IT governance, control, security and assurance
2010 CISA Review Course (slide 1 of 135)

Chapter 1: The IS Audit Process

Course Agenda
- Learning objectives
- Discuss task and knowledge statements
- Discuss specific topics within the chapter
- Case studies
- Sample questions

Exam Relevance
Ensure that the CISA candidate has the knowledge necessary to provide information systems (IS) audit services in accordance with IS audit standards, guidelines and best practices, to ensure that an organization's information technology and business systems are protected and controlled.
The content area in this chapter will represent approximately 10% of the CISA examination (approximately 20 questions).

Percentage of total exam questions by chapter:
- Chapter 1: 10%
- Chapter 2: 15%
- Chapter 3: 16%
- Chapter 4: 14%
- Chapter 5: 31%
- Chapter 6: 14%

Chapter 1 Learning Objectives
- Develop and implement a risk-based IS audit strategy for the organization in compliance with IS audit standards, guidelines and best practices
- Plan specific audits to ensure IT and business systems are protected and controlled
- Conduct audits in accordance with IS audit standards, guidelines and best practices to meet planned audit objectives
- Communicate emerging issues, potential risks and audit results to key stakeholders
- Advise on the implementation of risk management and control practices within the organization, while maintaining independence

1.2.1 Organization of the IS Audit Function
- Audit charter (or engagement letter)
  - States management's responsibility and objectives for, and delegation of authority to, the IS audit function
  - Outlines the overall authority, scope and responsibilities of the audit function
- Approval of the audit charter
- Change in the audit charter

1.2.2 IS Audit Resource Management
- Limited number of IS auditors
- Maintenance of their technical competence
- Assignment of audit staff

1.2.3 Audit Planning
- Short-term planning
- Long-term planning
- Things to consider:
  - New control issues
  - Changing technologies
  - Changing business processes
  - Enhanced evaluation techniques
- Individual audit planning:
  - Understanding of the overall environment
  - Business practices and functions
  - Information systems and technology

Audit planning steps:
- Gain an understanding of the business's mission, objectives, purpose and processes
- Identify stated contents (policies, standards, guidelines, procedures and organization structure)
- Evaluate risk assessment and privacy impact analysis
- Perform a risk analysis
- Conduct an internal control review
- Set the audit scope and audit objectives
- Develop the audit approach or audit strategy
- Assign personnel resources to the audit and address engagement logistics

1.2.4 Effect of Laws and Regulations on IS Audit Planning
- Regulatory requirements:
  - Establishment
  - Organization
  - Responsibilities
  - Correlation to financial, operational and IT audit functions
- Steps to determine compliance with external requirements:
  - Identify external requirements
  - Document pertinent laws and regulations
  - Assess whether management and the IS function have considered the relevant external requirements
  - Review internal IS department documents that address adherence to applicable laws
  - Determine adherence to established procedures

1.3.1 ISACA Code of Professional Ethics
The Association's Code of Professional Ethics provides guidance for the professional and personal conduct of members of ISACA and/or holders of the CISA and CISM designations.

1.3.2 ISACA IS Auditing Standards Framework
Framework for the ISACA IS Auditing Standards:
- Standards
- Guidelines
- Procedures

Objectives of the ISACA IS Auditing Standards:
- Inform management and other interested parties of the profession's expectations concerning the work of audit practitioners
- Inform information systems auditors of the minimum level of acceptable performance required to meet the professional responsibilities set out in the ISACA Code of Professional Ethics

The standards:
- S1 Audit Charter
- S2 Independence
- S3 Professional Ethics and Standards
- S4 Competence
- S5 Planning
- S6 Performance of Audit Work
- S7 Reporting
- S8 Follow-up Activities
- S9 Irregularities and Illegal Acts
- S10 IT Governance
- S11 Use of Risk Assessment in Audit Planning
- S12 Audit Materiality
- S13 Using the Work of Other Experts
- S14 Audit Evidence
- S15 IT Controls
- S16 E-commerce

S1 Audit Charter
- Purpose, responsibility, authority and accountability
- Approval

S2 Independence
- Professional independence
- Organizational independence

S3 Professional Ethics and Standards
- Code of Professional Ethics
- Due professional care

S4 Competence
- Skills and knowledge
- Continuing professional education

S5 Planning
- Plan IS audit coverage
- Develop and document a risk-based audit approach
- Develop and document an audit plan
- Develop an audit program and procedures

S6 Performance of Audit Work
- Supervision
- Evidence
- Documentation

S7 Reporting
The audit report should:
- Identify the organization, the intended recipients and any restrictions on circulation
- State the scope, objectives, coverage and nature of the audit work performed
- State the findings, conclusions and recommendations, and any limitations
- Provide justification for the results reported
- Be signed, dated and distributed according to the audit charter

S8 Follow-up Activities
- Review previous conclusions and recommendations
- Review previous relevant findings
- Determine whether appropriate actions have been taken by management in a timely manner

S9 Irregularities and Illegal Acts
- Consider the risk of irregularities and illegal acts
- Maintain an attitude of professional skepticism
- Obtain an understanding of the organization and its environment
- Consider unusual or unexpected relationships
- Test the appropriateness of internal control
- Assess any misstatement
- Obtain written representations from management
- Have knowledge of any allegations of irregularities or illegal acts
- Communicate material irregularities or illegal acts
- Consider appropriate action in case of inability to continue performing the audit
- Document irregularity- or illegal-act-related communications, planning, results, evaluations and conclusions

S10 IT Governance
- Review and assess the IS function's alignment with the organization's mission, vision, values, objectives and strategies
- Review the IS function's statement about its performance and assess its achievement
- Review and assess the effectiveness of IS resource and performance management processes
- Review and assess compliance with legal, environmental, information quality, fiduciary and security requirements
- Use a risk-based approach to evaluate the IS function
- Review and assess the organization's control environment
- Review and assess the risks that may adversely affect the IS environment

S11 Use of Risk Assessment in Audit Planning
- Use a risk assessment technique in developing the overall IS audit plan
- Identify and assess relevant risks in planning individual reviews

S12 Audit Materiality
- The IS auditor should consider audit materiality and its relationship to audit risk
- The IS auditor should consider potential weakness or absence of controls when planning an audit
- The IS auditor should consider the cumulative effect of minor control deficiencies or weaknesses
- The IS audit report should disclose ineffective controls or the absence of controls

S13 Using the Work of Other Experts
- The IS auditor should consider using the work of other experts
- The IS auditor should be satisfied with the qualifications, competencies, etc., of other experts
- The IS auditor should assess, review and evaluate the work of other experts
- The IS auditor should determine whether the work of other experts is adequate and complete
- The IS auditor should apply additional test procedures to gain sufficient and appropriate audit evidence
- The IS auditor should provide an appropriate audit opinion

S14 Audit Evidence
- Includes the procedures performed by the auditor and the results of those procedures
- Includes source documents, records and corroborating information
- Includes findings and results of the audit work
- Demonstrates that the work was performed and complies with applicable laws, regulations and policies

S15 IT Controls
The IS auditor should evaluate and monitor IT controls that are an integral part of the internal control environment of the organization.

S16 E-commerce
The IS auditor should evaluate applicable controls and assess risk when reviewing e-commerce environments, to ensure that e-commerce transactions are properly controlled.

1.3.3 ISACA IS Auditing Guidelines
- G1 Using the Work of Other Auditors, effective 1 June 1998
- G2 Audit Evidence Requirement, effective 1 December 1998
- G3 Use of Computer Assisted Audit Techniques (CAATs), effective 1 December 1998
- G4 Outsourcing of IS Activities to Other Organizations, effective 1 September 1999
- G5 Audit Charter, effective 1 September 1999
- G6 Materiality Concepts for Auditing Information Systems, effective 1 September 1999
- G7 Due Professional Care, effective 1 September 1999
- G8 Audit Documentation, effective 1 September 1999
- G9 Audit Considerations for Irregularities, effective 1 March 2000
- G10 Audit Sampling, effective 1 March 2000
- G11 Effect of Pervasive IS Controls, effective 1 March 2000
- G12 Organizational Relationship and Independence, effective September 2000
- G13 Use of Risk Assessment in Audit Planning, effective 1 September 2000
- G14 Application Systems Review, effective 1 November 2001
- G15 Planning Revised, effective 1 March 2002
- G16 Effect of Third Parties on an Organization's IT Controls, effective 1 March 2002
- G17 Effect of Non-audit Role on the IS Auditor's Independence, effective 1 July 2002
- G18 IT Governance, effective 1 July 2002
- G19 Irregularities and Illegal Acts, effective 1 July 2002
- G20 Reporting, effective 1 January 2003
- G21 Enterprise Resource Planning (ERP) Systems Review, effective 1 August 2003
- G22 Business-to-consumer (B2C) E-commerce Review, effective 1 August 2003
- G23 System Development Life Cycle (SDLC) Review, effective 1 August 2003
- G24 Internet Banking, effective 1 August 2003
- G25 Review of Virtual Private Networks, effective 1 July 2004
- G26 Business Process Reengineering (BPR) Project Reviews, effective 1 July 2004
- G27 Mobile Computing, effective 1 September 2004
- G28 Computer Forensics, effective 1 September 2004
- G29 Post-implementation Review, effective 1 January 2005

- G30 Competence, effective 1 June 2005
- G31 Privacy, effective 1 June 2005
- G32 Business Continuity Plan (BCP) Review From IT Perspective, effective 1 September 2005
- G33 General Considerations on the Use of the Internet, effective 1 March 2006
- G34 Responsibility, Authority and Accountability, effective 1 March 2006
- G35 Follow-up Activities, effective 1 March 2006
- G36 Biometric Controls, effective 1 March 2007
- G37 Configuration Management, effective 1 November 2007
- G38 Access Control, effective 1 February 2008
- G39 IT Organizations, effective 1 May 2008

1.3.4 ISACA IS Auditing Procedures
- Procedures developed by the ISACA Standards Board provide examples of possible processes an IS auditor might follow in an audit engagement
- The IS auditor should apply their own professional judgment to the specific circumstances
- P1 IS Risk Assessment, effective 1 July 2002
- P2 Digital Signatures, effective 1 July 2002
- P3 Intrusion Detection, effective 1 August 2003
- P4 Viruses and Other Malicious Code, effective 1 August 2003
- P5 Control Risk Self-assessment, effective 1 August 2003
- P6 Firewalls, effective 1 August 2003
- P7 Irregularities and Illegal Acts, effective 1 November 2003
- P8 Security Assessment: Penetration Testing and Vulnerability Analysis, effective 1 September 2004
- P9 Evaluation of Management Controls Over Encryption Methodologies, effective 1 January 2005
- P10 Business Application Change Control, effective 1 October 2006
- P11 Electronic Funds Transfer (EFT), effective 1 May 2007

1.3.5 Relationship Among Standards, Guidelines and Procedures
- Standards: must be followed by IS auditors
- Guidelines: provide assistance on how to implement the standards
- Procedures: provide examples for implementing the standards

1.3.6 Information Technology Assurance Framework (ITAF)
- Section 2200 General Standards
- Section 2400 Performance Standards
- Section 2600 Reporting Standards
- Section 3000 IT Assurance Guidelines
- Section 3200 Enterprise Topics
- Section 3400 IT Management Process
- Section 3600 IT Audit and Assurance Guidelines
- Section 3800 IT Audit and Assurance Management

1.4 Risk Analysis
- What is risk?
- Elements of risk
- Risk and audit planning
- Risk management process:
  - Risk assessment
  - Risk mitigation
  - Risk reevaluation

1.5 Internal Controls
Policies, procedures, practices and organizational structures implemented to reduce risks.
Classification of internal controls:
- Preventive controls
- Detective controls
- Corrective controls

1.5.1 Internal Control Objectives
Internal control system:
- Internal accounting controls
- Operational controls
- Administrative controls

Internal control objectives:
- Safeguarding of IT assets
- Compliance with corporate policies or legal requirements
- Input authorization
- Accuracy and completeness of processing of data input/transactions
- Output
- Reliability of process
- Backup/recovery
- Efficiency and economy of operations
- Change management process for IT and related systems

1.5.2 IS Control Objectives
Internal control objectives apply to all areas, whether manual or automated. Therefore, conceptually, control objectives in an IS environment remain unchanged from those of a manual environment.
- Safeguarding assets
- Assuring the integrity of general operating system environments
- Assuring the integrity of sensitive and critical application system environments through:
  - Authorization of the input
  - Accuracy and completeness of processing of transactions
  - Reliability of overall information processing activities
  - Accuracy, completeness and security of the output
  - Database integrity
- Ensuring appropriate identification and authentication of users of IS resources
- Ensuring the efficiency and effectiveness of operations
- Complying with requirements, policies and procedures, and applicable laws
- Developing business continuity and disaster recovery plans
- Developing an incident response plan
- Implementing effective change management procedures

1.5.3 COBIT
- A framework with 34 high-level control objectives, grouped into four domains:
  - Planning and organization
  - Acquisition and implementation
  - Delivery and support
  - Monitoring and evaluation
- Draws on 36 major IT-related standards and regulations

1.5.4 General Controls
Apply to all areas of an organization and include policies and practices established by management to provide reasonable assurance that specific objectives will be achieved.
- Internal accounting controls, directed at accounting operations
- Operational controls, concerned with day-to-day operations
- Administrative controls, concerned with operational efficiency and adherence to management policies
- Organizational logical security policies and procedures
- Overall policies for the design and use of documents and records
- Procedures and features to ensure authorized access to assets
- Physical security policies for all data centers

1.5.5 IS Controls
- Strategy and direction
- General organization and management
- Access to IT resources, including data and programs
- Systems development methodologies and change control
- Operations procedures
- Systems programming and technical support functions
- Quality assurance procedures
- Physical access controls
- Business continuity/disaster recovery planning
- Networks and communications
- Database administration
- Protective and detective mechanisms against internal and external attacks

1.6 Performing an IS Audit
Definition of auditing: a systematic process by which a competent, independent person objectively obtains and evaluates evidence regarding assertions about an economic entity or event, for the purpose of forming an opinion about, and reporting on, the degree to which the assertion conforms to an identified set of standards.
Definition of IS auditing: any audit that encompasses review and evaluation (wholly or partly) of automated information processing systems, related non-automated processes and the interfaces between them.

1.6.1 Classification of Audits
- Financial audits
- Operational audits
- Integrated audits
- Administrative audits
- IS audits
- Specialized audits
- Forensic audits

1.6.2 Audit Programs
Based on the scope and objective of the particular assignment. The IS auditor's perspectives:
- Security (confidentiality, integrity and availability)
- Quality (effectiveness, efficiency)
- Fiduciary (compliance, reliability)
- Service and capacity

General audit procedures:
- Understanding of the audit area/subject
- Risk assessment and general audit plan
- Detailed audit planning
- Preliminary review of the audit area/subject
- Evaluating the audit area/subject
- Verifying and evaluating controls
- Compliance testing
- Substantive testing
- Reporting (communicating results)
- Follow-up

Procedures for testing and evaluating IS controls:
- Use of generalized audit software to survey the contents of data files
- Use of specialized software to assess the contents of operating system parameter files
- Flow-charting techniques for documenting automated applications and business processes
- Use of audit reports available in operating systems
- Documentation review
- Observation

1.6.3 Audit Methodology
A set of documented audit procedures designed to achieve planned audit objectives. Composed of:
- Statement of scope
- Statement of audit objectives
- Statement of audit programs
Set up and approved by audit management, and communicated to all audit staff.

Audit phases:
- Audit subject
- Audit objective
- Audit scope
- Pre-audit planning
- Audit procedures and steps for data gathering
- Procedures for evaluating the test or review results
- Procedures for communication with management
- Audit report preparation

What is documented in work papers (WPs)?
- Audit plans
- Audit programs
- Audit activities
- Audit tests
- Audit findings and incidents

Practice Question 1-1
Which of the following BEST describes the early stages of an IS audit?
A. Observing key organizational facilities
B. Assessing the IS environment
C. Understanding the business process and environment applicable to the review
D. Reviewing prior IS audit reports

1.6.4 Fraud Detection
- Management's responsibility
- Benefits of a well-designed internal control system:
  - Deterring fraud at the first instance
  - Detecting fraud in a timely manner
- Fraud detection and disclosure
- The auditor's role in fraud prevention and detection

1.6.5 Risk-based Auditing

Practice Question 1-2
In performing a risk-based audit, which risk assessment is completed initially by the IS auditor?
A. Detection risk assessment
B. Control risk assessment
C. Inherent risk assessment
D. Fraud risk assessment

Practice Question 1-3
While developing a risk-based audit program, on which of the following would the IS auditor MOST likely focus?
A. Business processes
B. Critical IT applications
C. Operational controls
D. Business strategies

1.6.6 Audit Risk and Materiality
Audit risk categories:
- Inherent risk
- Control risk
- Detection risk
- Overall audit risk (the combination of the three; commonly expressed as inherent risk x control risk x detection risk)

Practice Question 1-4
Which of the following types of audit risk assumes an absence of compensating controls in the area being reviewed?
A. Control risk
B. Detection risk
C. Inherent risk
D. Sampling risk

Practice Question 1-5
An IS auditor performing a review of an application's controls finds a weakness in system software that could materially impact the application. The IS auditor should:
A. disregard these control weaknesses, as a system software review is beyond the scope of this review.
B. conduct a detailed system software review and report the control weaknesses.
C. include in the report a statement that the audit was limited to a review of the application's controls.
D. review the system software controls as relevant and recommend a detailed system software review.

1.6.7 Risk Assessment and Treatment
Assessing security risks:
- Risk assessments should identify, quantify and prioritize risks against criteria for risk acceptance and objectives relevant to the organization
- Should be performed periodically to address changes in the environment and in security requirements, and whenever significant changes occur
Treating security risks:
- Each risk identified in a risk assessment needs to be treated
- Controls should be selected to ensure that risks are reduced to an acceptable level

1.6.8 Risk Assessment Techniques
- Enable management to effectively allocate limited audit resources
- Ensure that relevant information has been obtained from all levels of management
- Establish a basis for effectively managing the audit department
- Provide a summary of how the individual audit subject is related to the overall organization as well as to the business plan

1.6.9 Audit Objectives
Specific goals of the audit:
- Compliance with legal and regulatory requirements
- Confidentiality
- Integrity
- Reliability
- Availability

1.6.10 Compliance vs. Substantive Testing
- Compliance test: determines whether controls are in compliance with management policies and procedures
- Substantive test: tests the integrity of actual processing
- Correlation between the level of internal controls and the amount of substantive testing required
- Relationship between compliance and substantive tests

1.6.11 Evidence
It is a requirement that the auditor's conclusions be based on sufficient, competent evidence. Factors in weighing evidence:
- Independence of the provider of the evidence
- Qualification of the individual providing the information or evidence
- Objectivity of the evidence
- Timing of the evidence
Techniques for gathering evidence:
- Review IS organization structures
- Review IS policies and procedures
- Review IS standards
- Review IS documentation
- Interview appropriate personnel
- Observe processes and employee performance

1.6.12 Interviewing and Observing Personnel in Performance of Their Duties
- Actual functions
- Actual processes/procedures
- Security awareness
- Reporting relationships

1.6.13 Sampling
General approaches to audit sampling:
- Statistical sampling
- Non-statistical sampling

Sampling methods:
- Attribute sampling
  - Attribute sampling (fixed sample size)
  - Stop-or-go sampling
  - Discovery sampling
- Variable sampling
  - Stratified mean per unit
  - Unstratified mean per unit
  - Difference estimation

Statistical sampling terms:
- Confidence coefficient
- Level of risk
- Precision
- Expected error rate
- Sample mean
- Sample standard deviation
- Tolerable error rate
- Population standard deviation

Key steps in choosing a sample:
- Determine the objectives of the test
- Define the population to be sampled
- Determine the sampling method, such as attribute versus variable sampling
- Calculate the sample size
- Select the sample
- Evaluate the sample from an audit perspective
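The key steps above, worked through in code. This is an added example and is not part of the ISACA course material: it sizes an attribute sample and a discovery sample from a confidence coefficient, an expected (or critical) error rate and a precision, selects the sample reproducibly from a constructed population of purchase orders, and evaluates the result by comparing an exact-binomial upper error limit with the tolerable error rate. The population, the planted deviations, the seed and the mapping of the 0.95 confidence coefficient to the normal deviate 1.96 are assumptions made for the example.

```python
"""Attribute and discovery sampling over a constructed population.

Added example, not part of the ISACA course material. The population of
purchase-order IDs and the planted control deviations are constructed for
the example; the exact-binomial evaluation is a standard technique, not a
formula taken from the course.
"""
import math
import random

# Constructed population: 2,000 purchase orders, three of which were paid
# without the required approval (the control deviations we hope to detect).
POPULATION = [f"PO-{i:05d}" for i in range(1, 2001)]
UNAPPROVED = {"PO-00017", "PO-00940", "PO-01533"}

# Confidence coefficients (two-sided normal deviates) used for sample sizing.
Z_SCORES = {0.90: 1.645, 0.95: 1.96, 0.99: 2.576}


def attribute_sample_size(confidence, expected_error_rate, precision):
    """Attribute sampling: size needed to estimate the deviation rate within
    +/- `precision` at the given confidence, assuming `expected_error_rate`
    (normal approximation)."""
    z = Z_SCORES[confidence]
    p = expected_error_rate
    return math.ceil(z * z * p * (1 - p) / (precision * precision))


def discovery_sample_size(confidence, critical_error_rate):
    """Discovery sampling: smallest sample that contains at least one deviation
    with probability `confidence` if the true rate is `critical_error_rate`.
    Used when a single occurrence (e.g. one fraudulent payment) matters."""
    n = math.ceil(math.log(1 - confidence) / math.log(1 - critical_error_rate))
    while 1 - (1 - critical_error_rate) ** n < confidence:  # float guard
        n += 1
    return n


def binomial_cdf(k, n, p):
    """P(X <= k) for X ~ Binomial(n, p)."""
    return sum(math.comb(n, i) * p ** i * (1 - p) ** (n - i) for i in range(k + 1))


def upper_error_limit(errors, n, confidence, iterations=60):
    """One-sided upper bound on the population deviation rate given `errors`
    deviations in a sample of `n` (exact binomial bound, found by bisection).
    This is the figure the auditor compares with the tolerable error rate."""
    alpha = 1 - confidence
    lo, hi = 0.0, 1.0
    for _ in range(iterations):
        mid = (lo + hi) / 2
        if binomial_cdf(errors, n, mid) > alpha:
            lo = mid  # the true rate could still be higher than mid
        else:
            hi = mid
    return hi


def select_sample(population, n, seed):
    """Random selection. The seed is recorded in the work papers so a
    reviewer can reproduce exactly which items were tested."""
    return random.Random(seed).sample(population, n)


def evaluate_sample(sample, is_deviation, confidence, tolerable_error_rate):
    """Evaluate the sample from an audit perspective: the control can be
    relied upon only if the upper error limit stays within the tolerable rate."""
    errors = sum(1 for item in sample if is_deviation(item))
    uel = upper_error_limit(errors, len(sample), confidence)
    return {
        "sample_size": len(sample),
        "errors": errors,
        "observed_rate": errors / len(sample),
        "upper_error_limit": uel,
        "control_relied_upon": uel <= tolerable_error_rate,
    }


def run_attribute_test(seed=2010):
    """Walk the key steps: objective (approval control), population, method
    (attribute), sample size, selection, evaluation."""
    n = attribute_sample_size(0.95, expected_error_rate=0.02, precision=0.02)
    sample = select_sample(POPULATION, n, seed)
    return evaluate_sample(sample, lambda po: po in UNAPPROVED,
                           confidence=0.95, tolerable_error_rate=0.05)


if __name__ == "__main__":
    print("attribute sample size:", attribute_sample_size(0.95, 0.02, 0.02))
    print("discovery sample size:", discovery_sample_size(0.95, 0.01))
    print(run_attribute_test())
```

The evaluation step is where the judgment sits: one deviation in a sample of 100 gives an upper error limit of about 4.7%, so a 5% tolerable error rate is met, while two deviations push the limit past 6% and the control cannot be relied upon even though the observed rate is only 2%. The same upper_error_limit function serves stop-or-go sampling, where the auditor evaluates after each block of items and stops as soon as the limit is within tolerance.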

1.6.14 Using the Services of Other Auditors and Experts
Considerations when using the services of other auditors and experts:
- Restrictions on outsourcing of audit/security services imposed by laws and regulations
- Audit charter or contractual stipulations
- Impact on overall and specific IS audit objectives
- Impact on IS audit risk and professional liability
- Independence and objectivity of other auditors and experts
- Professional competence, qualifications and experience
- Scope of work proposed to be outsourced, and approach
- Supervisory and audit management controls
- Method and modalities of communication of the results of audit work
- Compliance with legal and regulatory stipulations
- Compliance with applicable professional standards

1.6.15 Computer-assisted Audit Techniques
CAATs enable IS auditors to gather information independently. CAATs include:
- Generalized audit software (GAS)
- Utility software
- Debugging and scanning software
- Test data
- Application software tracing and mapping
- Expert systems

Features of generalized audit software (GAS):
- Mathematical computations
- Stratification
- Statistical analysis
- Sequence checking
Functions supported by GAS:
- File access
- File reorganization
- Data selection
- Statistical functions
- Arithmetical functions

Practice Question 1-6
The PRIMARY use of generalized audit software (GAS) is to:
A. test controls embedded in programs.
B. test unauthorized access to data.
C. extract data of relevance to the audit.
D. reduce the need for transaction vouching.
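The GAS features and functions listed above (file access, data selection, stratification, sequence checking, arithmetical and statistical functions), run as a small script over a constructed cheque-payments extract. This is an added example, not code from the course or from any GAS product; the CSV layout and its column names, the amount strata and the approval limit are assumptions made for the example.

```python
"""GAS-style tests over a constructed cheque-payments extract.

Added example, not part of the ISACA course material. The CSV extract, its
column names (cheque_no, vendor, amount, approver), the amount strata and the
approval limit are all assumptions made for the example.
"""
import csv
import io
from collections import Counter
from statistics import mean

# Constructed extract: gaps at 1005 and 1008, a duplicated cheque 1004,
# three payments just under the approval limit and one well over it.
PAYMENTS_CSV = """cheque_no,vendor,amount,approver
1001,ACME Supplies,1250.00,jsmith
1002,ACME Supplies,980.50,jsmith
1003,Globex,14999.00,rlee
1004,Globex,14999.00,rlee
1006,Initech,320.00,jsmith
1007,ACME Supplies,52000.00,rlee
1004,Globex,14999.00,rlee
1009,Umbrella,75.25,mchan
"""

# Amount bands for stratification: [low, high) per stratum.
STRATA = [(0, 1000), (1000, 10000), (10000, 50000), (50000, float("inf"))]


def read_payments(csv_text):
    """File access: parse the extract and type the numeric fields."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    for r in rows:
        r["cheque_no"] = int(r["cheque_no"])
        r["amount"] = float(r["amount"])
    return rows


def sequence_check(rows):
    """Sequence checking on the cheque number: missing numbers may be
    destroyed or unrecorded cheques, duplicates may be double payments."""
    numbers = [r["cheque_no"] for r in rows]
    counts = Counter(numbers)
    present = set(numbers)
    return {
        "gaps": [n for n in range(min(numbers), max(numbers) + 1) if n not in present],
        "duplicates": sorted(n for n, c in counts.items() if c > 1),
    }


def stratify(rows):
    """Stratification with count, control total and mean per amount band."""
    result = {}
    for lo, hi in STRATA:
        amounts = [r["amount"] for r in rows if lo <= r["amount"] < hi]
        label = f"{lo:.0f}-{hi:.0f}" if hi != float("inf") else f"{lo:.0f}+"
        result[label] = {
            "count": len(amounts),
            "total": round(sum(amounts), 2),
            "mean": round(mean(amounts), 2) if amounts else 0.0,
        }
    return result


def select_exceptions(rows, approval_limit=15000.0, near_fraction=0.90):
    """Data selection: extract the records an auditor would vouch, i.e.
    payments at or above the approval limit, and payments just under it,
    which can indicate amounts split to stay within one approver's authority."""
    over = [r["cheque_no"] for r in rows if r["amount"] >= approval_limit]
    near = [r["cheque_no"] for r in rows
            if near_fraction * approval_limit <= r["amount"] < approval_limit]
    return {"over_limit": over, "near_limit": near}


def control_total(rows):
    """Arithmetical function: grand total to agree to the ledger control total."""
    return round(sum(r["amount"] for r in rows), 2)


if __name__ == "__main__":
    rows = read_payments(PAYMENTS_CSV)
    print(sequence_check(rows))
    print(stratify(rows))
    print(select_exceptions(rows))
    print(control_total(rows))
```

The value of the sequence check is not the arithmetic but what the auditor does with its output: each gap and each duplicate becomes an item to vouch to the physical cheque or the bank statement, and the near-limit extract becomes a list of payments to trace back to the originating invoices.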

Items to consider before utilizing CAATs:
- Ease of use for existing and future audit staff
- Training requirements
- Complexity of coding and maintenance
- Flexibility of uses
- Installation requirements
- Processing efficiencies
- Confidentiality of the data being processed

Documentation that should be retained:
- Online reports
- Commented program listings
- Flowcharts
- Sample reports
- Record and file layouts
- Field definitions
- Operating instructions
- Description of applicable source documents

CAATs as a continuous online audit approach:
- Improve audit efficiency
- IS auditors must:
  - develop audit techniques for use with advanced computerized systems
  - be involved in the creation of advanced systems
  - make greater use of automated tools

1.6.16 Evaluation of Audit Strengths and Weaknesses
- Assess evidence
- Evaluate the overall control structure
- Evaluate control procedures
- Assess control strengths and weaknesses
Judging materiality of findings:
- Materiality is a key issue
- Assessment requires judgment of the potential effect of the finding if corrective action is not taken

1.6.17 Communicating Audit Results
Exit interview:
- Correct facts
- Realistic recommendations
- Implementation dates for agreed recommendations
Presentation techniques:
- Executive summary
- Visual presentation
Audit report structure and contents:
- An introduction to the report
- Audit findings presented in separate sections
- The IS auditor's overall conclusion and opinion
- The IS auditor's reservations with respect to the audit
- Detailed audit findings and recommendations
- A variety of findings

1.6.18 Management Implementation of Recommendations
- Auditing is an ongoing process
- Timing of follow-up

1.6.19 Audit Documentation
Audit documentation includes:
- Planning and preparation of the audit scope and objectives
- Description of the scoped audit area
- Audit program
- Audit steps performed and evidence gathered
- Other experts used
- Audit findings, conclusions and recommendations

1.7 Control Self-Assessment
- A management technique
- A methodology
- In practice, a series of tools
- Can be implemented by various methods

Practice Question 1-7
Which of the following is MOST effective for implementing a control self-assessment (CSA) within business units?
A. Informal peer reviews
B. Facilitated workshops
C. Process flow narratives
D. Data flow diagrams

1.7.1 Objectives of CSA
- Leverage the internal audit function by shifting some control monitoring responsibilities to functional areas
- Enhancement of audit responsibilities, not a replacement
- Educate management about control design and monitoring
- Empowerment of workers to assess the control environment

1.7.2 Benefits of CSA
- Early detection of risks
- More effective and improved internal controls
- Increased employee awareness of organizational objectives
- Highly motivated employees
- Improved audit rating process
- Reduction in control cost
- Assurance provided to stakeholders and customers

1.7.3 Disadvantages of CSA
- Could be mistaken for a replacement of the audit function
- May be regarded as an additional workload
- Failure to act on improvement suggestions could damage employee morale
- Lack of motivation may limit effectiveness in the detection of weak controls

1.7.4 Auditor Role in CSA
- Internal control professionals
- Assessment facilitators

1.7.5 Technology Drivers for CSA
- Combination of hardware and software
- Use of an electronic meeting system
- Computer-supported decision aids
- Group decision making is an essential component

1.7.6 Traditional vs. CSA Approach
Traditional approach:
- Assigns duties/supervises staff
- Policy/rule driven
- Limited employee participation
- Narrow stakeholder focus
CSA approach:
- Empowered/accountable employees
- Continuous improvement/learning curve
- Extensive employee participation and training
- Broad stakeholder focus

1.8.1 Automated Work Papers
Contents:
- Risk analysis
- Audit programs
- Results
- Test evidence
- Conclusions
- Reports and other complementary information
Minimum controls:
- Access to work papers
- Audit trails
- Automated features to provide and record approvals
- Security and integrity controls
- Backup and restoration
- Encryption techniques
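Three of the minimum controls above (an audit trail, recorded approvals and integrity protection) implemented together, as an added example that is not part of the ISACA course material: each work-paper event is chained to the previous one under an HMAC, so editing, reordering or back-dating history is detectable, and an approval is itself a trail entry that the preparer of the work paper is not allowed to make. The key, the actor names and the work-paper IDs are constructed for the example; key storage and encryption of the work-paper contents are outside this snippet.

```python
"""Tamper-evident audit trail for automated work papers.

Added example, not part of the ISACA course material. It implements an audit
trail, recorded approvals and integrity protection as an HMAC-keyed hash chain
over work-paper events. The key, the actors and the work-paper IDs are
constructed for the example; encryption of the work-paper contents and key
storage (e.g. in a KMS or HSM) are outside this snippet.
"""
import hashlib
import hmac
import json

GENESIS = "0" * 64
PREPARER_ACTIONS = {"create", "update"}


class WorkpaperTrail:
    def __init__(self, key: bytes):
        self._key = key
        self.entries = []

    def _mac(self, body):
        # Canonical JSON so the MAC does not depend on dict ordering.
        payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        return hmac.new(self._key, payload, hashlib.sha256).hexdigest()

    def append(self, actor, action, workpaper, detail, ts):
        """Record who did what to which work paper. Each entry carries the MAC
        of the previous one, so editing or reordering history breaks the chain."""
        prev = self.entries[-1]["mac"] if self.entries else GENESIS
        body = {"seq": len(self.entries), "ts": ts, "actor": actor,
                "action": action, "workpaper": workpaper, "detail": detail,
                "prev": prev}
        entry = dict(body, mac=self._mac(body))
        self.entries.append(entry)
        return entry

    def approval_allowed(self, reviewer, workpaper):
        """Segregation of duties: whoever prepared a work paper may not approve it."""
        preparers = {e["actor"] for e in self.entries
                     if e["workpaper"] == workpaper and e["action"] in PREPARER_ACTIONS}
        return reviewer not in preparers

    def approve(self, reviewer, workpaper, ts):
        """Approvals are recorded as ordinary chained entries."""
        if not self.approval_allowed(reviewer, workpaper):
            raise PermissionError(f"{reviewer} prepared {workpaper} and cannot approve it")
        return self.append(reviewer, "approve", workpaper, "reviewed and approved", ts)

    def verify(self):
        """Recompute the chain. Returns (True, None), or (False, i) where i is
        the first entry whose sequence number, link or MAC does not check out."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "mac"}
            if (body.get("seq") != i or body.get("prev") != prev
                    or not hmac.compare_digest(self._mac(body), e["mac"])):
                return False, i
            prev = e["mac"]
        return True, None

    def head(self):
        """MAC of the latest entry. Record it outside the trail (for example in
        the approval notice or a write-once log): a hash chain alone cannot
        reveal that its newest entries were deleted."""
        return self.entries[-1]["mac"] if self.entries else GENESIS


def demo():
    """Build a short trail, verify it, then tamper with an entry after approval."""
    trail = WorkpaperTrail(key=b"example-key-keep-in-kms")  # constructed key
    trail.append("auditor1", "create", "WP-1.2", "scope and objectives", ts=1)
    trail.append("auditor1", "update", "WP-1.2", "attached evidence E-07", ts=2)
    trail.approve("manager1", "WP-1.2", ts=3)
    before = trail.verify()
    trail.entries[1]["detail"] = "attached evidence E-07 (amended after approval)"
    after = trail.verify()
    return before, after


if __name__ == "__main__":
    print(demo())  # ((True, None), (False, 1))
```

The caveat a reviewer should keep in mind is truncation: deleting the newest entries leaves a chain that still verifies, which is why head() exists and why its value belongs somewhere the trail's writers cannot alter. Access control over the key is the other half of the control; whoever holds it can rewrite history and re-MAC every entry.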

combined to assess key internal controls over an operation, process or entity. Focuses on risk to the organization (for an internal auditor) Focuses on the risk of providing an incorrect or misleading audit opinion (for an external auditor) 113 of 135 1.8.2 Integrated Auditing (continued) Process involves:

Identification of risks faced by organization and of relevant key controls Review and understanding of the design of key controls Testing that key controls are supported by the IT system

Testing that management controls operate effectively A combined report or opinion on control risks, design and weaknesses 114 of 135 1.8.3 Continuous Auditing

Distinctive character
- Short time lapse between the facts to be audited and the collection of evidence and audit reporting
Drivers
- Better monitoring of financial issues
- Allows real-time transactions to benefit from real-time monitoring
- Prevents financial fiascoes and audit scandals
- Uses software to determine proper financial controls

115 of 135
1.8.3 Continuous Auditing (continued)
Continuous auditing vs. continuous monitoring
Continuous monitoring
- Provided by IS management tools
- Based on automated procedures to meet fiduciary responsibilities
Continuous auditing
- Audit-driven
- Completed using automated audit procedures

116 of 135
1.8.3 Continuous Auditing (continued)
Application of continuous auditing due to:
- New information technology developments
- Increased processing capabilities
- Standards
- Artificial intelligence tools

117 of 135
1.8.3 Continuous Auditing (continued)
Prerequisites:
- A high degree of automation
- An automated and reliable information-producing process
- Alarm triggers to report control failures
- Implementation of automated audit tools
- Quickly informing IS auditors of anomalies/errors
- Timely issuance of automated audit reports
- Technically proficient IS auditors
- Availability of reliable sources of evidence
- Adherence to materiality guidelines
- Change of IS auditors' mindset
- Evaluation of cost factors

118 of 135
1.8.3 Continuous Auditing (continued)
IT techniques in a continuous auditing environment:
- Transaction logging
- Query tools
- Statistics and data analysis (CAAT)
- Database management systems (DBMS)
- Data warehouses, data marts and data mining
- Intelligent agents
- Embedded audit modules (EAM)
- Neural network technology
- Standards such as Extensible Business Reporting Language (XBRL)

119 of 135
1.8.3 Continuous Auditing (continued)
Advantages
- Instant capture of internal control problems
- Reduction of intrinsic audit inefficiencies
Disadvantages
- Difficulty in implementation
- High cost
- Elimination of auditors' personal judgment and evaluation

120 of 135
Practice Question 1-8

The FIRST step in planning an audit is to:
A. define audit deliverables.
B. finalize the audit scope and audit objectives.
C. gain an understanding of the business's objectives.
D. develop the audit approach or audit strategy.

121 of 135
Practice Question 1-9
The approach an IS auditor should use to plan IS audit coverage should be based on:
A. risk.
B. materiality.
C. professional skepticism.
D. detective control.

122 of 135
Practice Question 1-10
A company performs a daily backup of critical data and software files and stores the backup tapes at an offsite location. The backup tapes are used to restore the files in case of a disruption. This is a:
A. preventive control.
B. management control.
C. corrective control.
D. detective control.

123 of 135
1.9.1 Case Study A Scenario
The IS auditor has been asked to perform preliminary work that will assess the readiness of the organization for a review to measure compliance with new regulatory requirements. These requirements are designed to ensure that management is taking an active role in setting up and maintaining a well-controlled environment and, accordingly, will assess management's review and testing of the general IT control environment.

Areas to be assessed include logical and physical security, change management, production control and network management, IT governance, and end-user computing. The IS auditor has been given six months to perform this preliminary work, so sufficient time should be available. It should be noted that in previous years, repeated problems have been identified in the areas of logical security and change management, so these areas will most likely require some degree of remediation.

124 of 135
1.9.1 Case Study A Scenario (continued)
Logical security deficiencies noted included the sharing of administrator accounts and failure to enforce adequate controls over passwords. Change management deficiencies included improper segregation of incompatible duties and failure to document all changes. Additionally, the process for deploying operating system updates to servers was found to be only partially effective. In anticipation of the work to be performed by the IS auditor, the chief information officer (CIO) requested direct reports to develop narratives and process flows describing the major activities for which IT is responsible. These were completed, approved by the various process owners and the CIO, and then forwarded to the IS auditor for examination.

125 of 135
Case Study A Question
1. What should the IS auditor do FIRST?
A. Perform an IT risk assessment.
B. Perform a survey audit of logical access controls.
C. Revise the audit plan to focus on risk-based auditing.
D. Begin testing controls that the IS auditor feels are most critical.

126 of 135
Case Study A Question
2. When testing program change management, how should the sample be selected?
A. Change management documents should be selected at random and examined for appropriateness.
B. Changes to production code should be sampled and traced to appropriate authorizing documentation.
C. Change management documents should be selected based on system criticality and examined for appropriateness.
D. Changes to production code should be sampled and traced back to system-produced logs indicating the date and time of the change.

127 of 135
1.9.2 Case Study B Scenario
An IS auditor is planning to review the security of a financial application for a large company with several locations worldwide. The application system is made up of a web interface, a business logic layer and a database layer. The application is accessed locally through a LAN and remotely through the Internet via a VPN connection.

128 of 135
Case Study B Question
1. The MOST appropriate type of CAATs tool the auditor should use to test security configuration settings for the entire application system is:
A. generalized audit software.
B. test data.
C. utility software.
D. expert system.

129 of 135
Case Study B Question
2. Given that the application is accessed through the Internet, how should the auditor determine whether to perform a detailed review of the firewall rules and virtual private network (VPN) configuration settings?
A. Documented risk analysis
B. Availability of technical expertise
C. Approach used in previous audit
D. IS auditing guidelines and best practices

130 of 135
Case Study B Question
3. During the review, if the auditor detects that the transaction authorization control objective cannot be met due to a lack of clearly defined roles and privileges in the application, the auditor should FIRST:
A. review the authorization on a sample of transactions.
B. immediately report this finding to upper management.
C. request that auditee management review the appropriateness of access rights for all users.
D. use a generalized audit software to check the integrity of the database.

131 of 135
1.9.3 Case Study C Scenario
An IS auditor has been appointed to carry out IS audits in an entity for a period of 2 years. After accepting the appointment, the IS auditor noted that:
- The entity has an audit charter that details, among other things, the scope and responsibilities of the IS audit function and specifies the audit committee as the overseeing body for audit activity.
- The entity is planning a major increase in IT investment, mainly on account of implementation of a new ERP application, integrating business processes across units dispersed geographically. The ERP implementation is expected to become operational within the next 90 days.
- The servers supporting the business applications are hosted offsite by a third-party service provider.

132 of 135
1.9.3 Case Study C Scenario (continued)
- The entity has a new incumbent as chief information security officer (CISO), who reports to the chief financial officer (CFO).
- The entity is subject to regulatory compliance requirements that require its management to certify the effectiveness of the internal control system as it relates to financial reporting.
- The entity has been recording growth at double the industry average consistently over the last two years. However, the entity has seen increased employee turnover as well.

133 of 135
Case Study C Question
1. The FIRST priority of the IS auditor in year 1 should be to study the:
A. previous IS audit reports and plan the audit schedule.
B. audit charter and plan the audit schedule.
C. impact of the new incumbent as CISO.
D. impact of the implementation of a new ERP on the IT environment and plan the audit schedule.

134 of 135
Case Study C Question
2. How should the IS auditor evaluate backup and batch processing within computer operations?
A. Plan and carry out an independent review of computer operations.
B. Rely on the service auditor's report of the service provider.
C. Study the contract between the entity and the service provider.
D. Compare the service delivery report to the service level agreement.

135 of 135
Conclusion
Chapter 1 Quick Reference Review
Page 32 of CISA Review Manual 2010
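Sections 1.8.1 (minimum controls for automated work papers) and 1.8.3 (alarm triggers, embedded audit modules and materiality guidelines in continuous auditing) describe these techniques in the abstract. The Python program below is an added illustration written for this page; it is not part of the ISACA deck and is not an ISACA or CISA tool. It assumes a constructed transaction log, a hypothetical materiality threshold of 50,000 and hypothetical user names (eam, auditor1, mallory). An embedded-audit-module style function applies four alarm triggers to each transaction (self-approval, missing approval, amount at or above materiality, possible duplicate), and the alarms are recorded in work papers that implement three of the slide's minimum controls: access restricted to authorized writers, an audit trail of who did what, and a hash chain as the integrity control, with the reviewer's approval recorded as its own entry.

```python
"""Added example: continuous-auditing alarm triggers feeding tamper-evident
automated work papers. Constructed data; not from the ISACA deck."""
import hashlib
import json
from dataclasses import dataclass

# Constructed sample transaction log (hypothetical users, vendors, amounts).
SAMPLE_LOG = [
    {"id": "T001", "created_by": "alice", "approved_by": "bob",   "amount": 4200.0,  "vendor": "ACME"},
    {"id": "T002", "created_by": "carol", "approved_by": "carol", "amount": 900.0,   "vendor": "ACME"},
    {"id": "T003", "created_by": "alice", "approved_by": "bob",   "amount": 75000.0, "vendor": "Globex"},
    {"id": "T004", "created_by": "dave",  "approved_by": None,    "amount": 12500.0, "vendor": "Initech"},
    {"id": "T005", "created_by": "alice", "approved_by": "bob",   "amount": 4200.0,  "vendor": "ACME"},
]

MATERIALITY = 50000.0  # assumed materiality threshold for the alarm trigger


def run_alarm_triggers(log):
    """Embedded-audit-module style check: return (transaction id, rule) alarms."""
    alarms = []
    seen = {}  # (creator, vendor, amount) -> first transaction id, for duplicate detection
    for tx in log:
        if tx["approved_by"] is None:
            alarms.append((tx["id"], "unapproved transaction"))
        elif tx["approved_by"] == tx["created_by"]:
            alarms.append((tx["id"], "segregation of duties: creator approved own transaction"))
        if tx["amount"] >= MATERIALITY:
            alarms.append((tx["id"], "amount at or above materiality threshold"))
        key = (tx["created_by"], tx["vendor"], tx["amount"])
        if key in seen:
            alarms.append((tx["id"], f"possible duplicate of {seen[key]}"))
        else:
            seen[key] = tx["id"]
    return alarms


@dataclass
class WorkPaperEntry:
    seq: int
    actor: str
    action: str      # "record_alarm" or "approve": the audit trail
    detail: str
    prev_digest: str
    digest: str


class AutomatedWorkPapers:
    """Work papers with access control, an audit trail, recorded approvals
    and a SHA-256 hash chain as the integrity control."""

    GENESIS = "0" * 64

    def __init__(self, authorized_users):
        self.authorized = set(authorized_users)  # access to work papers
        self.entries = []

    @staticmethod
    def _digest(seq, actor, action, detail, prev):
        payload = json.dumps([seq, actor, action, detail, prev], separators=(",", ":"))
        return hashlib.sha256(payload.encode()).hexdigest()

    def _append(self, actor, action, detail):
        if actor not in self.authorized:
            raise PermissionError(f"{actor} may not write to the work papers")
        prev = self.entries[-1].digest if self.entries else self.GENESIS
        seq = len(self.entries) + 1
        self.entries.append(WorkPaperEntry(
            seq, actor, action, detail, prev, self._digest(seq, actor, action, detail, prev)))

    def record_alarms(self, actor, alarms):
        for tx_id, rule in alarms:
            self._append(actor, "record_alarm", f"{tx_id}: {rule}")

    def approve(self, reviewer, note="reviewed"):
        """Automated feature to provide and record an approval."""
        self._append(reviewer, "approve", note)

    def verify(self):
        """Recompute the chain; False if any entry was altered, removed or reordered."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries, start=1):
            if e.seq != i or e.prev_digest != prev:
                return False
            if self._digest(i, e.actor, e.action, e.detail, prev) != e.digest:
                return False
            prev = e.digest
        return True


def audit_cycle(log=SAMPLE_LOG):
    """One continuous-auditing cycle: trigger alarms, file them, record the review."""
    alarms = run_alarm_triggers(log)
    wp = AutomatedWorkPapers(authorized_users={"eam", "auditor1"})
    wp.record_alarms("eam", alarms)
    wp.approve("auditor1", "alarms reviewed; follow up on T002 and T004")
    return alarms, wp


if __name__ == "__main__":
    found, papers = audit_cycle()
    for tx_id, rule in found:
        print(tx_id, rule)
    print("work papers intact:", papers.verify())
```

The hash chain only makes alteration detectable, which is why the slide lists backup and restoration and encryption as separate controls; a real deployment would also store the chain head outside the writers' reach so that a complete rewrite of the file is caught.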
