3/30/16
mushfique98@gmail.com
Domain - 1
The Process of Auditing Information Systems (14%)
Exam Relevance
Ensure that the CISA candidate can provide audit services in accordance with IT audit standards to assist the organization in protecting and controlling information systems.
The content area in this chapter represents approximately 14% of the CISA examination (approximately 28 questions).
Tasks/Objectives
Audit Process Area, Tasks
5 Task Statements:
Knowledge Statements
Process Area Knowledge Statements
Ten Knowledge Statements (contd.):
1.1 Knowledge of ISACA IT Audit and Assurance Standards, Guidelines and Tools and Techniques, Code of Professional Ethics and other applicable standards
1.2 Knowledge of risk assessment concepts, tools and techniques in an audit context
1.3 Knowledge of control objectives and controls related to information systems
1.4 Knowledge of audit planning and audit project management techniques, including follow-up
1.5 Knowledge of fundamental business processes (e.g., purchasing, payroll, accounts payable, accounts receivable) including relevant IT
Audit planning
Short-term planning
Long-term planning
Things to consider:
New control issues
Changing technologies
Changing business processes
Enhanced evaluation techniques
Individual audit planning
Understanding of overall environment:
Business practices and functions
Information systems and technology
Regulatory requirements
Establishment
Organization
Responsibilities
Correlation to financial, operational and IT audit functions
As of 16 August 2010:
Standards (16)
Guidelines (41; G19 is cancelled)
Procedures (11) / Audit and Assurance Tools and Techniques
IS Auditing Standards: 16
1. Audit charter
2. Independence
3. Professional Ethics and Standards
4. Competence
5. Planning
6. Performance of audit work
7. Reporting
8. Follow-up activities
[Risk matrix figure not reproduced; its cells listed suggested action(s): Accept, Mitigate, Transfer; Mitigate; Accept; Accept, Mitigate, Transfer]
Preventive controls
Detective controls
Corrective controls
IS Control Procedures
Definition of Auditing
Purpose of an Audit
An audit is simply a review of past history. The IS auditor is expected to follow the defined audit process, establish audit criteria, gather meaningful evidence, and render an independent opinion about internal controls. The audit involves applying various techniques for collecting meaningful evidence, and then comparing the audit evidence against the reference standard.
Your key to success in auditing is to accurately report your findings, whether good, bad, or indifferent. A good auditor produces verifiable results: no one re-performing your work should arrive at a different set of findings. Your job is to report what the evidence indicates.
Classification of audits:
Internal audits and assessments: auditing your own organization to discover evidence of what is occurring inside it (self-assessment). These have restrictions on their scope, and the findings should not be shared outside the organization. The findings cannot be used for licensing.
External audits: your customer auditing you, or you auditing your supplier. The goal is to ensure the expected level of performance as mutually agreed upon in their contracts.
Independent audits: audits outside of the customer-supplier influence. Third-party independent audits are frequently relied on for licensing, certification, or product approval. A simple example is independent consumer reports.
Classification of audits:
Financial audits
Operational audits
Integrated audits
Administrative audits
Information systems audits
Specialized audits
Forensic audits
Audit Concept
IS audit: This process collects and evaluates evidence to determine whether the information system and related resources adequately safeguard assets, maintain data and system integrity, provide relevant and reliable information, achieve organizational goals effectively, consume resources efficiently, and have in effect internal controls that provide reasonable assurance that business, operational and control objectives will be met and that undesired events will be prevented, or detected and corrected, in a timely manner.
In short: any audit that encompasses review and evaluation (wholly or partly) of automated information processing systems, related non-automated processes and the interfaces between them.
Specialized audits: Within the category of IS audits, there are a number of specialized reviews that examine areas such as services performed by third parties and forensic auditing. Because businesses are becoming increasingly reliant on third-party service providers, it is important that internal control be evaluated in these environments.
Auditor's Responsibility
Comparing Audits to Assessments
Audit: An audit generates a report considered to represent a high assurance of truth. Audits are used in asset reporting engagements.
Assessment: An assessment is less formal and frequently more cooperative with the people or objects under scrutiny. Its purpose is to see what exists and to assess value based on its relevance. The assessment report is viewed as having lower value (moderate-to-low value) when compared to an audit.
The primary goal of an assessment is to help the user or staff work toward improving their score. However, the audit is the score that actually counts for regulatory compliance purposes.
Comparing Audits to Assessments (continued)
Auditor: The auditor is the competent person performing the audit.
Auditee: The organization and people being audited are collectively called the auditee.
Client: The client is the person or organization with the authority to request the audit. A client may be the audit committee, external customer, internal audit department, or regulatory group. If the client is internal to the auditee, that client assumes the auditee role.
Auditor's Independence
Independent means that you are not related professionally, personally, or organizationally to the subject of the audit. You cannot be independent if the audit's outcome results in your financial gain or if you are involved in the auditee's decisions or in the design of the subject being audited.
An Independence Test
Here is a simple self-assessment to help you determine your level of independence:
Are you free of any conflicts, circumstances, or attitudes toward the auditee that might affect the audit outcome?
Do you have a job conflict? Does the organizational structure require your position to work under the executive in charge of the area being audited?
Audit Programs
Audit Methodology
A set of documented audit procedures designed to achieve planned audit objectives.
Composed of:
Statement of scope
Statement of audit objectives
Statement of work programs
Set up and approved by audit management
Communicated to all audit staff
6. Develop audit tools and methodology to test and verify control
7. Develop procedures for evaluating the test or review results
8. Develop procedures for communication with management
Report
Audit plans
Audit programs
Audit activities
Audit tests
Audit findings and incidents
Work Papers
Do not have to be on paper
Must be:
Dated
Initialed
Page-numbered
Relevant
Complete
Clear
Self-contained and properly labeled
Filed and kept in custody
Fraud Detection
Management's responsibility
Benefits of a well-designed internal control system:
Deterring fraud in the first instance
Detecting fraud in a timely manner
Audit Risk
Inherent risk
Control risk
Detection risk
Sampling risks
Non-sampling risks
Inherent risk: Inherent risk is the risk that an error exists in the absence of any compensating controls, an error which could become significant when combined with other errors.
Control risk: Control risk is the risk that a material error exists that will not be prevented or detected in a timely manner by the system of internal controls.
Sampling risks: These are the risks that an auditor will falsely accept or erroneously reject an audit sample (evidence).
Non-sampling risks: These are the risks that an auditor will fail to detect a condition because of not applying the appropriate procedure or using procedures inconsistent with the audit objective (detection fault).
Business risks: These are risks that are inherent in the business or industry itself. They may be regulatory, contractual, or financial.
Operational risks: These are the risks that a process or procedure will not perform correctly.
Residual risks: These are the risks that remain after all mitigation efforts are performed.
Materiality
Audit Objectives
The specific goals of the audit
Compliance test: Determines whether controls are in compliance with management policies and procedures
Substantive test: Tests the integrity of actual processing
Bank confirmation
Accounts receivable confirmation
Inquire of management regarding the collectibility of customer accounts
Match customer orders to invoices billed
Match collected funds to invoices billed
Observe a physical inventory count
Confirm inventories not on-site
Match purchasing records to inventory on hand or sold
Confirm the calculations on an inventory valuation report
Observe fixed assets
Match purchase orders and supplier invoices to fixed asset records
Confirm accounts payable
Examine accounts payable supporting documents
Confirm debt
Analytical review of assets, liabilities, revenue, and expenses
Evidence
It is a requirement that the auditor's conclusions be based on sufficient, competent evidence.
Actual functions
Actual processes/procedures
Security awareness
Reporting relationships
Sampling (continued)
Methods of sampling used by auditors:
Attribute sampling: Attribute sampling, generally applied in
compliance testing situations, deals with the presence or
absence of the attribute and provides conclusions that are
expressed in rates of incidence.
Variable sampling: Variable sampling, generally applied in
substantive testing situations, deals with population
characteristics that vary, such as monetary values and weights
(or any other measurement), and provides conclusions related
to deviations from the norm.
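The distinction above (attribute sampling reporting a rate of incidence for a compliance test, variable sampling projecting a monetary characteristic for a substantive test), together with the sampling risk of falsely accepting or erroneously rejecting a sample described under Audit Risk, worked through in Python as an added example that is not part of the original slides. The ticket population, sample size, seed and tolerable deviation rate are constructed assumptions, not values from a statistical sampling table.

```python
"""Attribute vs. variable sampling, and the sampling risk of each.

Added illustration, not from the original slides. The population is a
constructed list of change tickets: 'approved' is the attribute a
compliance test looks for; 'amount' is the monetary variable a
substantive test measures. Sample size, seed and tolerable deviation
rate are assumptions chosen for the example.
"""
import random
from statistics import mean

# Constructed population of 200 tickets. Every 25th ticket lacks approval
# (8 deviations, a true rate of 4%); amounts follow a fixed pattern.
POPULATION = [
    {"id": i, "approved": i % 25 != 0, "amount": 100.0 + (i * 37) % 900}
    for i in range(200)
]


def select_sample(population, size, seed=7):
    """Random selection without replacement (the seed is an assumption)."""
    return random.Random(seed).sample(population, size)


def attribute_sampling(items, attribute):
    """Compliance test: count items missing the attribute and express the
    result as a rate of incidence. Returns (deviations, n, rate)."""
    deviations = sum(1 for item in items if not item[attribute])
    return deviations, len(items), deviations / len(items)


def variable_sampling(items, population_size, field):
    """Substantive test: mean-per-unit projection of the population total
    from the sampled values. Returns (sample_mean, projected_total)."""
    sample_mean = mean(item[field] for item in items)
    return sample_mean, sample_mean * population_size


def sampling_risk_outcome(sample_rate, true_rate, tolerable_rate):
    """Classify the compliance conclusion against the population truth.
    'incorrect acceptance': the sample says rely on the control, but the
    true deviation rate exceeds the tolerable rate (the costlier error).
    'incorrect rejection': the sample says do not rely, but the control
    is actually within tolerance."""
    sample_ok = sample_rate <= tolerable_rate
    truly_ok = true_rate <= tolerable_rate
    if sample_ok and not truly_ok:
        return "incorrect acceptance"
    if not sample_ok and truly_ok:
        return "incorrect rejection"
    return "correct"


if __name__ == "__main__":
    sample = select_sample(POPULATION, size=40)
    dev, n, rate = attribute_sampling(sample, "approved")
    _, _, true_rate = attribute_sampling(POPULATION, "approved")
    print(f"attribute sampling: {dev}/{n} unapproved, rate {rate:.1%} "
          f"(true population rate {true_rate:.1%})")
    print("conclusion:", sampling_risk_outcome(rate, true_rate, 0.05))
    sample_mean, projected = variable_sampling(sample, len(POPULATION), "amount")
    actual_total = sum(t["amount"] for t in POPULATION)
    print(f"variable sampling: mean {sample_mean:.2f}, projected total "
          f"{projected:,.0f} vs actual {actual_total:,.0f}")
```

Changing the seed shows how different samples from the same population can lead to different compliance conclusions, which is the sampling risk the slides name.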
Sampling (continued): Attribute sampling [slide figure not reproduced]
Sampling (continued): Variable sampling [slide figure not reproduced]
Evidence collection
Functional capabilities
Functions supported
Areas of concern
Documentation retention
Access to production data
Data manipulation
Assess evidence
Evaluate overall control structure
Evaluate control procedures
Assess control strengths and weaknesses
Audit Documentation
Implementation of CSA
Facilitated workshops
Hybrid approach
New Topics:
Risk analysis
Audit programs
Results
Test evidence
Conclusions
Reports and other complementary information
Integrated Auditing
Integrated auditing: a process whereby appropriate audit disciplines are combined to assess key internal controls over an operation, process or entity.
Focuses on risk to the organization (for an internal auditor)
Focuses on the risk of providing an incorrect or misleading audit opinion (for an external auditor)
Continuous Auditing
Continuous auditing: a methodology that enables independent auditors to provide written assurance on a subject matter using a series of auditor's reports issued simultaneously with, or a short period of time after, the occurrence of the events underlying the subject matter.
Continuous Monitoring
Management-driven
Based on automated procedures to meet fiduciary responsibilities
Continuous Auditing
Audit-driven
Done using automated audit procedures
Query tools
Statistics and data analysis (CAAT)
Database management systems (DBMS)
Data warehouses, data marts, data mining.
Artificial intelligence (AI)
Embedded audit modules (EAM)
Neural network technology
Standards such as Extensible Business Reporting Language (XBRL)
Continuous Auditing
Advantages:
Instant capture of internal control problems
Reduction of intrinsic audit inefficiencies
Disadvantages:
Difficulty in implementation
High cost
Elimination of the auditor's personal judgment and evaluation
Practice Question
Q: What does fiduciary responsibility mean?
A. To use information gained for personal interests without breaching confidentiality of the client.
B. To act for the benefit of another person and place the responsibilities to be fair and honest ahead of your own interest.
C. To follow the desires of the client and maintain total confidentiality even if illegal acts are discovered. The auditor shall never disclose information from an audit in order to protect the client.
D. None of the above.
Practice Questions (contd.)
Answer is B. Accountants, auditors, and lawyers act on behalf of their clients' best interests unless doing so places them in violation of the law. It is the highest standard of duty implied by law for a trustee and guardian.
Practice Question
Q: What are the different types of audits?
A. Forensic, accounting, verification, regulatory
B. Integrated, operational, compliance, administrative
C. Financial, SAS-74, compliance, administrative
D. Information systems, SAS-70, regulatory, procedural
Practice Questions (contd.)
Answer is B. All of the audit types are valid except procedural, SAS-74, verification, and regulatory. The valid audit types are financial, operational (SAS-70), integrated (SAS-94), compliance, administrative, forensic, and information systems. A forensic audit is used to discover information about a possible crime.
Practice Question
Q: How does the auditor derive a final opinion?
A. From evidence gathered and the auditor's observations
B. By representations and assurances of management
C. By testing the compliance of language used in organizational policies
D. Under advice of the audit committee
Practice Questions (contd.)
Answer is A. A final opinion is based on evidence gathered and testing. The purpose of an audit is to challenge the assertions of management. Evidence is gathered that will support or disprove claims.
Practice Question
Q: Which of the following BEST describes the early stages of an IS audit?
A. Observing key organizational facilities
B. Assessing the IS environment
C. Understanding the business process and environment applicable to the review
D. Reviewing prior IS audit reports
Answer
1-1 C: Understanding the business process and environment applicable to the review is most representative of what occurs early on in the course of an audit. The other choices relate to activities actually occurring within this process.
Answer
1-2 C: Inherent risks exist independently of an audit and can occur because of the nature of the business. To successfully conduct an audit, it is important to be aware of the related business processes. To perform the audit the IS auditor needs to understand the business process, and by understanding the business process, the IS auditor better understands the inherent risks.
Answer
1-3 A: A risk-based audit approach focuses on the understanding of the nature of the business and being able to identify and categorize risk. Business risks impact the long-term viability of a specific business. Thus, an IS auditor using a risk-based audit approach must be able to understand business processes.
Answer
1-4 C: The risk of an error existing that could be material or significant when combined with other errors encountered during the audit, there being no related compensating controls, is the inherent risk. Control risk is the risk that a material error exists that will not be prevented or detected in a timely manner by the system of internal controls. Detection risk is the risk of an IS auditor using an inadequate test procedure that concludes that material errors do not exist, when they do. Sampling risk is the risk that incorrect assumptions are made about the characteristics of a population from which a sample is taken.
Answer
1-5 D: The IS auditor is not expected to ignore control weaknesses just because they are outside the scope of a current review. Further, the conduct of a detailed systems software review may hamper the audit's schedule and the IS auditor may not be technically competent to do such a review at this time. If there are control weaknesses that have been discovered by the IS auditor, they should be disclosed. By issuing a disclaimer, this responsibility would be waived. Hence, the appropriate option would be to review the systems software as relevant to the review and recommend a detailed systems software review for which additional resources may be recommended.
Answer
1-6 C: Generalized audit software facilitates direct access to and interrogation of the data by the IS auditor. The most important advantage of using GAS is that it helps in identifying data of interest to the IS auditor. GAS does not involve testing of application software directly. Hence, GAS indirectly helps in testing controls embedded in programs by testing data. GAS cannot identify unauthorized access to data if this information is not stored in the audit log file. However, this information may not always be available. Hence, this is not one of the primary reasons for using GAS. Vouching involves verification of documents. GAS could help in selecting transactions for vouching. Using GAS does not reduce transaction vouching.
Answer
1-7 B: Facilitated workshops work well within business units. Process flow narratives and data flow diagrams would not be as effective since they would not necessarily identify and assess all control issues. Informal peer reviews similarly would be less effective for the same reason.
Answer
1-8 C: The first step in audit planning is to gain an understanding of the business's mission, objectives and purpose, which in turn identifies the relevant policies, standards, guidelines, procedures, and organization structure. All other choices are dependent upon having a thorough understanding of the business's objectives and purpose.
Answer
1-9 A: Standard S5, Planning, establishes standards and provides guidance on planning an audit. It requires a risk-based approach.
Practice Questions
Q: A company performs a daily backup of critical data and software files, and stores the backup tapes at an offsite location. The backup tapes are used to restore the files in case of a disruption. This is a:
A. preventive control.
B. management control.
C. corrective control.
D. detective control.
Answer
1-10 C: A corrective control helps to correct or minimize the impact of a problem. Backup tapes can be used for restoring the files in case of damage to files, thereby reducing the impact of a disruption. Preventive controls are those that prevent problems before they arise. Backup tapes cannot be used to prevent damage to files and hence cannot be classified as a preventive control. Management controls modify processing systems to minimize a repeat occurrence of the problem. Backup tapes do not modify processing systems and hence do not fit the definition of a management control. Detective controls help to detect and report problems as they occur. Backup tapes do not aid in detecting errors.
Question & Answer
THANK YOU
AND BEST OF LUCK