
Domain 1: IS Audit Process

Policy: An executive mandate to identify a topic containing particular risks to
avoid or prevent. Policies are high-level documents signed by a person of
significant authority with the power to force cooperation.

Guidelines: These are intended to provide advice pertaining to how
organizational objectives might be obtained in the absence of a standard.

Procedures: These are "cookbook" recipes providing a workflow of specific tasks
necessary to achieve minimum compliance with a standard. Details are written in
step-by-step format from the very beginning to the end.

ISACA Code of Professional Ethics; 8 points:

- Auditors agree to support the implementation of appropriate policies,
standards, guidelines, and procedures for information systems. They will
also encourage compliance with this objective.
- Auditors agree to perform their duties with objectivity, professional care,
and due diligence in accordance with professional standards implementing
the use of best practices.
- Auditors agree to serve the interests of stakeholders in an honest and
lawful manner that reflects a credible image upon their profession. The
public expects and trusts auditors to conduct their work in an ethical and
honest manner.
- Auditors promise to maintain privacy and confidentiality of information
obtained during their audit except for required disclosure to legal
authorities. Information they obtain during the audit will not be used for
personal benefit.
- Auditors agree to undertake only those activities in which they are
professionally competent and will strive to improve their competency. Their
effectiveness in auditing depends on how evidence is gathered, analyzed,
and reported.
- Auditors promise to disclose accurate results of all work and significant
facts to the appropriate parties.
- Auditors agree to support ongoing professional education to help
stakeholders enhance their understanding of information systems security
and control.
- The failure of a CISA to comply with this code of professional ethics may
result in an investigation with possible sanctions or disciplinary measures.

3 basic types of audit

- Internal audits and assessments
- External audits
- Independent audits (third party, outside of the customer-supplier influence)

In all cases, auditors are called to audit products, processes, and systems.

Standards

Auditing standards

There are two basic categories of audit testing: audits either verify that an
item necessary for compliance exists (compliance test) or check inside for the
substance and integrity of a claim (substantive test).

Audit standards:

- American Institute of Certified Public Accountants (AICPA) and International
Federation of Accountants (IFAC)
- Financial Accounting Standards Board (FASB) with Statements on Auditing
Standards (SAS)
- International Financial Reporting Standards (IFRS), which replaced the
Generally Accepted Accounting Principles (GAAP)
- COSO
- U.S. Public Company Accounting Oversight Board (PCAOB) of the Securities and
Exchange Commission; it is the standards body for Sarbanes-Oxley
- OECD, providing guidelines for participating countries to promote
standardization in multinational business for world trade
- ISO
- FISMA
- ISACA and IT Governance Institute (ITGI)
- Basel Accord Standard

ISACA IS Audit Standards

They are organized using a format numbered from 1 to 16:

S1 Audit Charter
S2 Independence
S3 Professional Ethics and Standards of Conduct
S4 Professional Competence
S5 Planning
S6 Performance of Audit Work
S7 Audit Reporting
S8 Follow-up Activities
S9 Irregularities and Illegal Acts
S10 IT Governance
S11 Use of Risk Analysis in Audit Planning
S12 Audit Materiality
S13 Using the Work of Other People
S14 Proper Audit Evidence
S15 Effective IT Controls
S16 Electronic Commerce Controls

Retaining audit documentation

In most cases, the archive of the integrated audit may need to be kept for seven
years. Each type of audit may have a longer or shorter retention period,
depending on the regulations identified during audit planning.

The evidence rule

A good auditor will use sufficient evidence to formulate the auditor's opinion.

Chapter 2: Managing IT governance

Corporate governance is often defined by ISACA as "Ethical behavior of corporate
executives toward shareholders and stakeholders to maximize the return of a
financial investment".

Three high-level management objectives to be verified by the auditor are as
follows:

- A strategic alignment between IT and the enterprise objectives (formal
strategy)
- A process of monitoring assurance practices for executive management
- An intervention as required to stop, modify, or fix failures as they occur
(corrective action)

The IT steering committee or IT strategy committee is used to convey the current
business requirements from business executives to IT executives. It should have
a formal charter designating the participation of each member. This charter
grants responsibility and authority in a concept similar to an audit charter.

The representation necessary on the steering committee:

- Marketing
- Manufacturing / software development
- Sales
- Finance
- Legal
- Quality control
- Research and development
- Program and project management office
- Business continuity
- Information technology
- Human resources
- Labor management
- Administration

The balanced scorecard

The balanced scorecard is a strategic methodology designed for senior
executives.

IT subset of balanced scorecard

The IT balanced scorecard should be a subset of the organization's overall
balanced scorecard. As a CISA, you need to understand how the balanced
scorecard can be applied specifically to information technology. ISACA describes
the scorecard by using three layers that incorporate the more common four
perspectives (customer, business process, financial, and growth and learning).

The three layers for IT scoring according to ISACA are as follows:

- Mission (opportunities for future needs)
- Strategy (common platitudes include the following: attain IT control
objectives)
- Metrics (develop and implement meaningful IT metrics based on critical
success factors and key performance indicators)

Decoding the IT strategy

The auditor should remain aware that a shadow organization represents a
genuine control failure. This lack of integration represents an ongoing concern
in the areas of cost control, duplication of effort, or a political difference
in both direction and objectives.

PMO vs doing it all yourself

Here is a short list of the policies required to address issues faced by IT
governance:

Intellectual property: The IS auditor should understand how the organization is
attempting to protect its intellectual property.

Data integrity: The goal is to ensure that data is accurate and safely stored.

Backup and restoration: What are the plans and procedures for data backup and
restoration? The number one issue in IT is loss of data due to faulty backup.

Security management: Without security controls, ensuring data integrity is
impossible. Internal controls prevent unauthorized modifications.

Mandatory versus discretionary controls: The organization needs to clearly
identify its management directives for implementation of controls.

Mandatory control: The strongest type of control. The implementation may be
administrative or technical. It is designed to force compliance without
exception.

Discretionary control: The weakest type of control is discretionary. In a
discretionary control, the user or a delegated person of authority determines
what is acceptable.

Monitoring: It should provide valuable metrics necessary to compare alignment to
business objectives.

Incident response: Skilled individuals are required to respond to technical
problems or the failure of internal controls.

Audit program objectives and scope

Every audit will contain a list of objectives. High-level objectives may come
from executive mandate, regulations, or industry standards. The auditor should
expect audit program objectives to vary according to department, task, the
subject matter, or a particular step in their process workflow. Larger
organizations have more audit objectives, and smaller organizations usually have
fewer because management has better control with fewer communication problems
in a smaller organization.

The table below demonstrates a simplified view of some audit program objectives
that a company would encounter:

The following audit planning issues should be considered regardless of the size
of the organization:

- Number of geographic locations
- Diversity of products
- Activities outsourced to third parties (subcontract)
- Needs for certification, accreditation, or registration
- Concerns raised by interested parties
- Complexity of regulations or contracts to be audited
- Type, scope, and number of activities to be audited
- Participation required by external subcontractors
- Audit frequency
- Follow-up on recommendations in previous audits
- Cost, resource, and time requirements
- Discontinuation of low-profit activities, layoffs, failing products

Planning individual audits

- Audit scope
- Audit criteria
- Audit team

The audit charter outlines the responsibility, authority, and accountability of
the auditor.

- Responsibility: Provides scope with goals and objectives
- Authority: Grants the right to perform an audit and the right to obtain
access relevant to the audit
- Accountability: Defines mutually agreed-upon actions between the audit
committee and the auditor, complete with reporting requirements

Role of the audit committee

Each organization should have an audit committee composed of business
executives. Each audit committee member is required to be financially literate,
with the ability to read and understand financial statements.

The purpose of the audit committee is to provide advice to the executive
accounting officer concerning internal control strategies, priorities, and
assurances.

The audit committee manages planned audit activities and the results of both
internal and external audits. The committee is authorized to engage outside
experts for independent assurance.

Understanding the variety of audits

Risk assessment:

- Inherent risk: These are natural or built-in risks that always exist.
- Detection risks: These are the risks that an auditor will not be able to
detect what is being sought. It would be terrible to report no negative results
when material conditions (faults) actually exist. Detection risks include
sampling and nonsampling risks.
  - Sampling risks: These are the risks that an auditor will falsely accept or
erroneously reject an audit sample (evidence).
  - Nonsampling risks: These are the risks that an auditor will fail to detect
a condition because of not applying the appropriate procedure or using
procedures inconsistent with the audit objective (detection fault).
- Control risks: These are the risks that an auditor loses control, errors
could be introduced, or errors may not be corrected in a timely manner.
- Business risks: These are risks that are inherent in the business or
industry itself (regulatory, contractual, financial).
- Technological risks: These are the inherent risks of using automated
technology.
- Operational risks: These are the risks that a process or procedure will not
perform correctly.
- Residual risks: These are the risks that remain after all mitigation efforts
are performed.
- Audit risks: The combination of inherent, detection, control, and residual
risks. These are the same risks facing normal business operations.

Risk assessment activities

Using data collection techniques:

- Staff observation
- Document review
- Interviews
- Workshops
- Computer-assisted audit tools (CAAT)
- Surveys

Understanding the hierarchy of internal controls

General controls: Parent class of controls governing all areas of the business
(job descriptions, separating duties, ...).

Pervasive IS controls: The direction and behavior required for technology to
function properly.

Detailed IS controls: Specific steps or tasks to be performed (how security
parameters are set, how to lock a user account, ...).

Application controls (embedded in programs): Lowest subset in the control
family. All activity should have filtered through the general controls, then
the pervasive controls and detailed controls, before it reaches the
application-controls level.

Types of evidence:

- Direct evidence: This proves existence of a fact without inference or
presumption. Inference is when you draw a logical and reasonable proposition
from another that is supposed to be true. Direct evidence includes the
unaltered testimony of an eyewitness and written documents.
- Indirect evidence: Uses a hypothesis without direct evidence to make a claim
that consists of both inference and presumption. Indirect evidence is also
known as circumstantial evidence.

Selecting audit sampling

Audit samples are selected for the purpose of collecting representative evidence
to be subjected to either compliance testing or substantive testing. Two basic
types of audit samples can be designed by the auditor: statistical and
nonstatistical.

Random sampling: Samples are selected at random.

Cell sampling: Random selection is performed at predefined intervals.

Fixed interval sampling: The sample existing at every nth interval increment is
selected for testing.
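The three selection methods above, written out in Python as an added example; this is not code from the notes or from ISACA. The population of transaction IDs is constructed here, and the seed parameter is an assumption so that the random draws can be reproduced in the working papers:

```python
import random

# Constructed population: 40 transaction IDs standing in for the journal
# entries or access-log records an auditor would draw a sample from.
POPULATION = [f"TXN-{n:04d}" for n in range(1, 41)]


def random_sample(population, size, seed=None):
    """Random sampling: every item has the same chance of being selected.
    A fixed seed (assumed parameter) makes the draw reproducible."""
    rng = random.Random(seed)
    return rng.sample(population, size)


def fixed_interval_sample(population, interval, start=0):
    """Fixed interval sampling: take the item at every nth position after a
    chosen starting offset (start=0 picks the first item, then every nth)."""
    if interval < 1:
        raise ValueError("interval must be at least 1")
    return population[start::interval]


def cell_sample(population, interval, seed=None):
    """Cell sampling: divide the population into consecutive cells of
    `interval` items and select one item at random from each cell, so the
    interval is predefined but the position inside it is random."""
    rng = random.Random(seed)
    picks = []
    for lo in range(0, len(population), interval):
        cell = population[lo:lo + interval]
        picks.append(rng.choice(cell))
    return picks


if __name__ == "__main__":
    print("random        :", random_sample(POPULATION, 5, seed=42))
    print("fixed interval:", fixed_interval_sample(POPULATION, 10))
    print("cell          :", cell_sample(POPULATION, 10, seed=42))
```

Fixed-interval sampling is the easiest to reproduce but is predictable, which matters when the population itself was prepared by the auditee; cell sampling keeps the coverage of fixed intervals while making the exact items selected unpredictable.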

Using Computer-Assisted Audit Tools

These tools are capable of executing a variety of automated compliance tests
and substantive tests that would be nearly impossible to perform manually. They
include multifunction audit utilities, which can analyze logs, perform
vulnerability tests, or verify implementation of compliance in a system
configuration compared to intended controls.

CAAT includes the following types of software tools and techniques:

- Host evaluation tools to read the system configuration settings and evaluate
the host for known vulnerabilities
- Network traffic and protocol analysis using a sniffer
- Mapping and tracing tools that use a tracer-bullet approach to follow
processes through a software application using test data
- Testing the configuration of specific application software such as an SQL
database
- Software license counting across the network
- Testing for password compliance on user login accounts

Using CAAT for continuous online audit

Six types of continuous online auditing techniques:

- Online event monitors: These include automated tools designed to read and
correlate system logs or transaction logs on behalf of the auditor.
- Embedded program audit hooks: A software developer can write embedded
application hooks into their program to generate a red-flag alert to an
auditor, hopefully before the problem gets out of hand.
- Continuous and intermittent simulation (CIS) audit: In continuous and
intermittent simulation, the application software always tests for transactions
that meet certain criteria. When the criteria are met, the software runs an
audit of the transaction (intermittent test). Then the computer waits until the
next transaction meeting the criteria occurs.
- Snapshot audit: This technique uses a series of sequential data captures that
are referred to as snapshots. The snapshots are taken in the logical sequence
that a transaction will follow. The snapshots produce an audit trail, which is
reviewed by the auditor.
- Embedded audit module (EAM): This integrated audit testing module allows the
auditor to create a set of dummy transactions that will be processed along with
live, genuine transactions.
- System Control Audit Review File with Embedded Audit Modules (SCARF/EAM): The
theory is straightforward. A system-level audit program is installed on the
system to selectively monitor the embedded audit modules inside the application
software.
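An added Python example, not taken from the notes, showing the online event monitor and CIS ideas together: the monitor reads a transaction log, tests every transaction against a criterion, and only for those that meet it correlates the record with a separate approval log and raises the kind of red flag an embedded audit hook would. The log line formats, the review threshold, and both logs are constructed assumptions for the example:

```python
import re

# Constructed transaction log lines (sample data, not from any real system).
TRANSACTION_LOG = """\
2024-03-01T09:12:03 TXN id=1001 user=alice amount=450.00
2024-03-01T09:15:47 TXN id=1002 user=bob amount=12000.00
2024-03-01T09:20:10 TXN id=1003 user=carol amount=10500.00
2024-03-01T09:31:55 TXN id=1004 user=bob amount=15000.00
"""

# Constructed approval log from a separate authorization system.
APPROVAL_LOG = """\
2024-03-01T09:14:30 APPROVAL txn=1002 approver=dave
2024-03-01T09:30:02 APPROVAL txn=1004 approver=bob
"""

# Assumed line formats for the two constructed logs.
TXN_RE = re.compile(
    r"^(?P<ts>\S+) TXN id=(?P<id>\d+) user=(?P<user>\w+) "
    r"amount=(?P<amount>\d+(?:\.\d+)?)$"
)
APPROVAL_RE = re.compile(
    r"^(?P<ts>\S+) APPROVAL txn=(?P<id>\d+) approver=(?P<approver>\w+)$"
)

# Assumed audit criterion: transactions at or above this amount are audited.
REVIEW_THRESHOLD = 10000.00


def parse_transactions(text):
    """Event monitor, step 1: read the transaction log into records."""
    records = []
    for line in text.splitlines():
        m = TXN_RE.match(line)
        if m:  # lines that do not parse are skipped here; a real monitor
            records.append({"id": m["id"], "user": m["user"],   # would count them
                            "amount": float(m["amount"]), "ts": m["ts"]})
    return records


def parse_approvals(text):
    """Event monitor, step 2: index the approval log by transaction id."""
    approvals = {}
    for line in text.splitlines():
        m = APPROVAL_RE.match(line)
        if m:
            approvals[m["id"]] = m["approver"]
    return approvals


def continuous_audit(transactions, approvals, threshold=REVIEW_THRESHOLD):
    """CIS-style audit: only transactions meeting the criterion are examined.
    Each one is correlated with the approval log; missing approval or
    approval by the initiating user is returned as a red flag."""
    findings = []
    for txn in transactions:
        if txn["amount"] < threshold:
            continue  # criterion not met: wait for the next transaction
        approver = approvals.get(txn["id"])
        if approver is None:
            findings.append((txn["id"], "no approval recorded"))
        elif approver == txn["user"]:
            findings.append((txn["id"], "approved by the initiating user"))
    return findings


if __name__ == "__main__":
    flags = continuous_audit(parse_transactions(TRANSACTION_LOG),
                             parse_approvals(APPROVAL_LOG))
    for txn_id, reason in flags:
        print(f"RED FLAG txn={txn_id}: {reason}")
```

Two design points carry over to a real monitor: the criterion lives in one place so the auditor can show what was and was not examined, and the correlation uses a second, independently produced log, which is what makes the finding evidence rather than a restatement of the application's own record.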

Grading of evidence

Four criteria:

- Material relevance
- Evidence objectivity
- Competency of evidence provider
- Evidence independence

Timing of evidence is also important.

Following the evidence lifecycle

Conducting Audit Evidence Testing

The basic test methods used will be either compliance testing or substantive
testing.

Compliance testing

Compliance testing checks for the presence or absence of something. It includes
verifying that policies and procedures have been put in place, and checking that
user access rights, program change control procedures, and system audit logs
have been activated. (Example: compare the list of persons with physical access
to the data center against the HR list of current employees.)

Compliance testing is based on one of the following types of audit samples:

Attribute sampling: Determine whether an attribute is present or absent in the
subject sample. The result is specified by the rate of occurrence; for example,
the presence of 1 in 100 units would be 1%.

Stop-and-go sampling: Used when few errors are expected. Stop-and-go allows the
test to occur without excessive effort in sampling and provides the opportunity
to stop testing at the earliest possible opportunity.

Discovery sampling: This 100 percent sampling is used to detect fraud or when
the likelihood of evidence existing is low. Forensics is an excellent example
of discovery sampling.

Precision, or expected error rate: The precision rate indicates the acceptable
margin of error between audit samples and the total quantity of the subject
population.
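The data-center example from the compliance testing section and the attribute-sampling rate of occurrence from the table above, carried out in Python as one added example (not code from the notes). The HR roster and the badge-system export are constructed sample data; the `status` values and the field names are assumptions:

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Employee:
    emp_id: str
    name: str
    status: str  # assumed values: "active" or "terminated"


# Constructed HR roster (sample data, not from any real organization).
HR_ROSTER = [
    Employee("E100", "Alice", "active"),
    Employee("E101", "Bob", "active"),
    Employee("E102", "Carol", "terminated"),
    Employee("E103", "Dave", "active"),
]

# Constructed badge-system export: employee IDs holding data-center access.
DATA_CENTER_ACCESS = ["E100", "E102", "E104", "E103"]


def compliance_test(access_ids, roster):
    """Compliance test: every ID with physical access must map to a current
    (active) employee on the HR list. Returns the exceptions grouped by
    cause so each can be followed up separately."""
    by_id = {e.emp_id: e for e in roster}
    exceptions = {"unknown_id": [], "terminated": []}
    for emp_id in access_ids:
        emp = by_id.get(emp_id)
        if emp is None:
            exceptions["unknown_id"].append(emp_id)   # no HR record at all
        elif emp.status != "active":
            exceptions["terminated"].append(emp_id)   # access not revoked
    return exceptions


def occurrence_rate(exceptions, access_ids):
    """Attribute sampling result: exceptions as a fraction of items tested
    (1 exception in 100 units would give 0.01, i.e. 1%)."""
    if not access_ids:
        return 0.0
    count = sum(len(ids) for ids in exceptions.values())
    return count / len(access_ids)


if __name__ == "__main__":
    result = compliance_test(DATA_CENTER_ACCESS, HR_ROSTER)
    print("exceptions:", result)
    print(f"rate of occurrence: {occurrence_rate(result, DATA_CENTER_ACCESS):.0%}")
```

The test is a pure presence/absence check: it says nothing about whether the remaining access is appropriate for the person's role, which would be a substantive question.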

Substantive testing

Substantive testing seeks to verify the content and integrity of evidence.
Substantive tests may include complex calculations to verify account balances,
perform physical inventory counts, or execute sample transactions to verify the
accuracy of supporting documentation.

This test is based on one of the following types of audit samples:

Variable sampling: Used to designate dollar value or weights (effectiveness) of
an entire subject population by prorating from a smaller sample.

Unstratified mean estimation: Used in an attempt to project an estimated total
for the whole subject population.

Stratified mean estimation: Used to calculate an average by group, similar to
demographics, whereby the entire population is divided (stratified) into
smaller groups based on similar characteristics.

Difference estimation: Used to determine the difference between audited and
unaudited claims of value.
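The three estimation methods above, worked through in Python as an added example that is not from the notes. The sample of (book value, audited value) pairs, the population size, and the population book total are constructed assumptions; the stratum sizes in the stratified case are likewise assumed:

```python
# Constructed substantive-test sample: (book value, audited value) pairs for
# five inventory items drawn from a constructed population.
SAMPLE_PAIRS = [
    (100.0, 100.0),
    (200.0, 190.0),
    (300.0, 300.0),
    (400.0, 380.0),
    (500.0, 500.0),
]
POPULATION_SIZE = 1000            # assumed number of items in the population
POPULATION_BOOK_TOTAL = 250000.0  # assumed total of the unaudited book values


def mean(values):
    if not values:
        raise ValueError("cannot average an empty sample")
    return sum(values) / len(values)


def unstratified_mean_estimate(audited_values, population_size):
    """Project a total for the whole population from the sample average,
    treating the population as one undivided group."""
    return population_size * mean(audited_values)


def stratified_mean_estimate(strata):
    """strata: list of (stratum population size, audited values sampled from
    that stratum). Each stratum is projected from its own average and the
    stratum totals are added, so a few high-value items do not distort the
    estimate for the many low-value ones."""
    return sum(size * mean(values) for size, values in strata)


def difference_estimate(pairs, population_size, population_book_total):
    """Project the average audited-minus-book difference across the
    population and adjust the book total by it."""
    diffs = [audited - book for book, audited in pairs]
    return population_book_total + population_size * mean(diffs)


if __name__ == "__main__":
    audited = [a for _, a in SAMPLE_PAIRS]
    # Assumed stratification: 800 low-value items, 200 high-value items.
    strata = [(800, audited[:3]), (200, audited[3:])]
    print("unstratified:", unstratified_mean_estimate(audited, POPULATION_SIZE))
    print("stratified  :", round(stratified_mean_estimate(strata), 2))
    print("difference  :", difference_estimate(SAMPLE_PAIRS, POPULATION_SIZE,
                                               POPULATION_BOOK_TOTAL))
```

With these numbers the three methods give different projected totals from the same five items, which is the practical point: the auditor states which method was used and why the population was (or was not) stratified before comparing the projection with the book value.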

Each finding of evidence can be classified into one of these common reporting
statements, presented in order from most desirable to least desirable:

- Noteworthy achievement
- Conformity
- Opportunity for improvement
- Concern
- Nonconformity

Examples of illegal activities:

- Fraud
- Theft
- Suppression
- Racketeering
- Regulatory violations

Networking technology basics

IS network infrastructure

Information systems lifecycle

ISO 9126: Software quality

It is a variation of ISO 9001. This standard also defines requirements for
evaluating software products and measuring specific quality aspects.

The six quality attributes are as follows:

- Functionality of the software processes
- Ease of use
- Reliability with consistent performance
- Efficiency of resources
- Portability between environments
- Maintainability with regard to making modifications
