Tuesday, March 2, 2010

Chapter 1. The Information Systems (IS) Audit Process

- An IS auditor is responsible for assessing the strength and effectiveness of controls that are designed to protect information systems, and for ensuring that audit engagements are planned, designed, and reviewed based on the assessed level of risk that irregular and illegal acts might occur.

- Determining whether information systems safeguard assets and maintaining data integrity are the primary objectives of an IS audit function.

- IS Auditing Standards are brief mandatory requirements for certification holders’ reports on the audit and its findings. IS Auditing Guidelines and Procedures give detailed guidance on how to follow those standards.

- The IS Auditing Guidelines provide a framework an IS auditor normally follows, with the understanding that in some situations the auditor will not follow that guidance. In this case, it is the IS auditor’s responsibility to justify the way in which the work is done.

- Standards: Define mandatory requirements for IS auditing and reporting. Standards inform IS auditors of the minimum level of acceptable performance required to meet the professional responsibilities set out in the ISACA Code of Professional Ethics for IS auditors.

- Guidelines: Provide guidance in applying IS Auditing Standards. The IS auditor should consider them in determining how to achieve implementation of the standards. The objective of the IS Auditing Guidelines is to provide further information on how to comply with the IS Auditing Standards.

- Procedures: Provide examples of procedures an IS auditor might follow in an audit engagement. The procedure documents provide information on how to meet the standards when performing IS auditing work, but they do not set requirements.

- The eight standards categories are identified by the first three digits of a document number. IS Auditing Standards begin with 0; Standards for IS Control Professionals begin with 5. The standard number is the second group of three digits in the document number. The third group of three digits is the number of the guideline. Procedures are listed separately and numbered consecutively by issue date.

- For example, document 060.020.040 is a guideline. It provides guidance in the sixth standard category, Performance of Audit Work. The guidance applies to the second standard in that category, Evidence. It is the fourth guideline listed under Evidence. Procedures are numbered consecutively as they are issued, beginning with 1.

- The primary purpose of an audit charter is to describe the authority and responsibilities of the audit department.

- Auditors are not qualified to determine whether an irregular, illegal, or erroneous act has occurred. If during the course of the audit the auditor suspects that such acts have occurred, the auditor must report this to one or more of the following parties:
➤ The IS auditor’s immediate supervisor and possibly the corporate governance bodies, such as the board of directors or audit committee
➤ Appropriate personnel within the organization, such as a manager who is at least one level above those who are suspected to have engaged in such acts
➤ Corporate governance bodies, if top management is suspected
➤ Legal counsel or other appropriate external experts

- The control self-assessment (CSA) is a formal, documented, collaborative process in which management or work teams are directly involved in judging and monitoring the effectiveness of controls. The CSA does not replace an audit; its main objective is to enhance audit responsibility. A primary benefit for an organization that employs CSA techniques is that it can identify high-risk areas that might need a detailed review later.

- The CSA is generally accompanied by workshops in which the IS auditor leads and guides the clients in assessing their environment. This enables auditors to serve as assessment facilitators and shifts some of the control-monitoring responsibilities to the functional areas.

- The traditional role of an IS auditor in a control self-assessment (CSA) should be that of a facilitator.

- A benefit of the risk-based approach to audit planning is that auditing resources are allocated to the areas of highest concern (risk).

- Business risk—The risk that a business will not achieve its stated business goals or objectives. Business risk can be affected by both internal and external factors.

- Security risk—The risk that unauthorized access to data will adversely affect the integrity of that data. Poor data integrity can lead to poor decision making and contribute to business risk.

- Continuity risk—The risk associated with system availability and the organization’s ability to recover from backups.

- Audit risk—The risk that the information in financial reports might contain material errors, or that the IS auditor might not detect an error that has occurred.

- Inherent risk—The risk that a material error could occur, assuming that there are no related internal controls to prevent or detect the error. Inherent risk is the susceptibility of an area or process to an error that could be material. An example is when an authorized program has exits (trap doors), because they provide flexibility for inserting code to modify or add functionality.

- Control risk—The risk that a material error exists that would not be prevented or detected on a timely basis by the system of internal controls.

- Detection risk—Detection risk results when an IS auditor uses an inadequate test procedure and concludes that material errors do not exist, when, in fact, they do.

- The following steps help define your responsibilities as an auditor:
1. Plan the IT audit engagement based on an assessed level of risk that irregular and illegal acts might occur, and that such acts could be material to the subject matter of the IS auditor’s report.
2. Design audit procedures that consider the assessed risk level for irregular and illegal acts.
3. Review the results of the audit procedures for indications of irregular and illegal acts.
4. Assume that acts are not isolated.
5. Determine how the act slipped through the internal control system.
6. Broaden audit procedures to consider the possibility of more acts of this nature.
7. Conduct additional audit procedures.
8. Evaluate the results of the expanded audit procedures.
9. Consult with legal counsel and possibly corporate governance bodies to estimate the potential impact of the irregular and illegal acts, taken as a whole, on the subject matter of the engagement, audit report, and organization.
10. Report all facts and circumstances of the irregular and illegal acts (whether suspected or confirmed) if the acts have a material effect on the subject matter of the engagement or organization.
11. Distribute the report to the appropriate internal parties, such as managers who are at least one level above those who are suspected or confirmed to have committed the acts, or corporate governance.

- Because of the critical dependency of business on its information systems, the governance structure must ensure that the IT organizational strategy is aligned with the business strategy. The implementation of the IT strategy will help ensure that IT processes contain the necessary controls to reduce risk to the organization and its business objectives.

- The organization should have an IT steering committee to ensure that the IS department’s strategy directly aligns with the organization’s corporate mission and objectives, and that IT resources are used efficiently.

- The committee is responsible for ensuring that the organization’s leadership (board of directors and senior management) is informed in a timely manner via the minutes and additional reporting.

- The lack of a formally chartered IT steering committee could be an indication that the IT department is not correctly aligned with the organization’s strategy. In the absence of an IT steering committee, the auditor might find that projects do not support the mission of the organization.

- Per ISACA, segregation of duties avoids the possibility that a single person could be responsible for diverse and critical functions in such a way that errors or misappropriations could occur and not be detected in a timely manner in the normal course of business processes.

- In keeping with proper segregation of duties, managers must ensure that application programmers use a code library (test-only) while creating and updating code, and that they do not have access to production programs. The test-only programs should be reviewed and put into production by a separate group.

- Systems programmers generally need access to the entire system, so management should use compensating controls such as access and change logs to monitor them and to ensure that they use only the system libraries for which they are responsible. A compensating control reduces the risk associated with a control that is not adequate on its own.

- Systems analysts are involved during the initial phase of the systems development life cycle and ensure that the needs of users are incorporated into the system or application requirements and high-level design documents.

- The DBA generally has access to all of the organization’s data, both test and production. Although it is not practical to prohibit access to the data, management should implement compensating controls to monitor DBA activities. These controls can include using access logs, logging structural changes to databases, and applying detective controls over the use of database tools.

- A common example of improper segregation of duties is allowing a single person within operations or the help desk to be responsible for ordering hardware/software, receiving it, and managing asset or inventory control. This structure could allow a single person to order and receive IT equipment without adding it to the asset-control system and, therefore, creates the opportunity for theft of equipment.

- The primary purpose of audit trails is to establish accountability and responsibility for processed transactions.

➤ Information systems audit—This process collects and evaluates evidence to determine whether information systems and related resources adequately safeguard assets, maintain data and system integrity, provide relevant and reliable information, achieve organizational goals effectively, consume resources efficiently, and have in effect internal controls that provide reasonable assurance that business, operational, and control objectives will be met.

- The audit life cycle should include the following steps:
1. Plan
2. Assess risk
3. Prepare and plan an audit program
4. Conduct a preliminary review of the audit area/subject
5. Evaluate the audit area/subject
6. Gather evidence
7. Conduct compliance testing
8. Conduct substantive testing
9. Form conclusions
10. Deliver audit opinion (communicate results)
11. Follow up

- Per ISACA, proper planning is the necessary first step in performing effective audits. The IS auditor’s first task should be to gather background information, such as business sector, applied benchmarks, specific trends, and regulatory and legal requirements. This enables the auditor to better understand what to audit. After gathering initial information, the auditor should identify the audit subject and audit objectives, define the scope, establish the information systems and functions involved, and identify the needed resources.

- In preparation for the audit, the auditor should either use an existing audit methodology or create one. The audit methodology is a set of documented audit procedures to ensure that the auditor achieves the planned audit objectives.

- The methodology should be documented and approved by the audit management and should be communicated to the audit staff.

- A risk-based audit approach helps management effectively utilize limited auditing resources by identifying areas of high risk in the organization. This method helps prioritize audits, and information gathered from risk analysis facilitates more effective corporate governance by ensuring that audit activities are directed to high business risk areas, maximizing the effectiveness of audit activities.

- An attestation audit can include reports on descriptions of systems of internal controls and compliance with statutory, contractual, or regulatory requirements. These types of auditing engagements require that the auditor clearly understand the business functions, have a high degree of technical proficiency, and be able to conduct security and integrity tests to verify that the systems meet the standards.

- Other types of attestation audits include compliance audits. In these audits, the auditor verifies that the organization’s business practices have sufficient controls to meet contractual or regulatory standards. Regulatory standards might include HIPAA, Sarbanes-Oxley, GLBA, or others

- Findings and recommendations do not produce an opinion; they provide a summary of the work performed in connection with the engagement. These consulting or advisory types of engagements can include review of the following:
➤ System implementations
➤ Enterprise resource planning
➤ System security reviews
➤ Database application reviews
➤ Internal audit services

- The CISA Exam might not ask specifically about audit types (SAS 70 and SAS 94), but it is important to understand the difference between audit types.

- Attribute sampling deals with the rate of occurrence or frequency of items that have a certain attribute. The attribute either is there or is not. When the IS auditor uses attribute sampling, the results are expressed as a sample frequency or error rate. An example is reviewing system logs in which one event, such as a daily backup, is not logged 1 day in 100; this represents a 1% sample error rate. There might be 1,000 logs to review, so the IS auditor chooses a sample (100 logs) from the total population (1,000 logs).

- Variable sampling deals with variations in some unit of measure. As an example, system logs should have time stamps for the start and end of backups on a given day. Those times might vary, depending on the type of backup or the amount of data backed up.

- The sampling confidence coefficient is a percentage expression of the probability that the characteristics of the sample are considered a true representation of the population.

- If the strength of controls is not known, the auditor must choose a larger sample size to provide a greater confidence coefficient. The confidence coefficient is expressed as a percentage; a 95% confidence coefficient is considered a high degree of confidence. Sampling risk is the risk that the sample is not representative of the population (for example, because incorrect assumptions were made about the population the sample was drawn from). It is calculated using this formula:
Sampling risk = 1 – Confidence coefficient
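As an added worked example (not from the original page), the following Python script runs the attribute and variable sampling described above over constructed backup log lines: 100 consecutive days in which one day's backup was never logged. It computes the error rate over the full population and over a 10-day systematic sample, the mean backup duration (the variable-sampling measure), and the sampling risk for a 95% confidence coefficient. The log format, the systematic sampling method and the 95% figure are assumptions of the example.

```python
"""Attribute and variable sampling of backup log records (added example).

The log lines are constructed for illustration: 100 consecutive days, one
backup per day, and one day whose backup was never logged.
"""
import re
from datetime import date, datetime, timedelta
from typing import Dict, List, Sequence

LOG_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2}) backup (start|end)$")
FIRST_DAY = date(2010, 1, 1)
POPULATION_DAYS = 100


def build_constructed_log(days: int = POPULATION_DAYS, missing_day: int = 37) -> List[str]:
    """Constructed log: a start and an end line per day; day `missing_day` is absent."""
    lines: List[str] = []
    for i in range(days):
        if i == missing_day:
            continue  # the exception the attribute test should catch
        day = FIRST_DAY + timedelta(days=i)
        start = datetime(day.year, day.month, day.day, 22, 0, 5)
        end = start + timedelta(minutes=60 + 5 * (i % 7))  # duration varies by day
        lines.append(f"{day.isoformat()} {start:%H:%M:%S} backup start")
        lines.append(f"{day.isoformat()} {end:%H:%M:%S} backup end")
    return lines


def parse_backup_log(lines: Sequence[str]) -> Dict[date, Dict[str, datetime]]:
    """Map each date to its {'start': ts, 'end': ts} events; malformed lines are ignored."""
    events: Dict[date, Dict[str, datetime]] = {}
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(f"{m.group(1)} {m.group(2)}", "%Y-%m-%d %H:%M:%S")
        events.setdefault(ts.date(), {})[m.group(3)] = ts
    return events


def population(first: date = FIRST_DAY, days: int = POPULATION_DAYS) -> List[date]:
    """The full population: every day on which the control should have run."""
    return [first + timedelta(days=i) for i in range(days)]


def systematic_sample(pop: Sequence[date], size: int) -> List[date]:
    """Every k-th day starting at the first one (k = population size / sample size)."""
    step = max(1, len(pop) // size)
    return list(pop[::step])[:size]


def _complete(events: Dict[date, Dict[str, datetime]], day: date) -> bool:
    """True when both a start and an end record exist for the day."""
    return {"start", "end"}.issubset(events.get(day, {}))


def attribute_error_rate(sample: Sequence[date], events) -> float:
    """Attribute sampling: share of sampled days with no complete backup record."""
    if not sample:
        raise ValueError("empty sample")
    exceptions = sum(1 for d in sample if not _complete(events, d))
    return exceptions / len(sample)


def variable_mean_duration_minutes(sample: Sequence[date], events) -> float:
    """Variable sampling: mean backup duration over sampled days that have a record."""
    durations = [(events[d]["end"] - events[d]["start"]).total_seconds() / 60
                 for d in sample if _complete(events, d)]
    if not durations:
        raise ValueError("no complete records in sample")
    return sum(durations) / len(durations)


def sampling_risk(confidence_coefficient: float) -> float:
    """Sampling risk = 1 - confidence coefficient (0.95 -> 0.05)."""
    if not 0.0 < confidence_coefficient <= 1.0:
        raise ValueError("confidence coefficient must be in (0, 1]")
    return 1.0 - confidence_coefficient


if __name__ == "__main__":
    events = parse_backup_log(build_constructed_log())
    pop = population()
    print("full-population error rate:", attribute_error_rate(pop, events))
    sample = systematic_sample(pop, 10)
    print("10-day systematic sample error rate:", attribute_error_rate(sample, events))
    print("10-day sample mean duration (min):", variable_mean_duration_minutes(sample, events))
    print("sampling risk at 95% confidence:", sampling_risk(0.95))
```

The 10-day systematic sample happens to miss the one unlogged day entirely and reports a 0% error rate, while a different 10-day sample that contains it reports 10%; that gap between sample and population is exactly what the sampling risk figure expresses, and why an auditor who does not know the strength of the control takes a larger sample.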

- Substantive testing substantiates the integrity of actual processing, sometimes called transaction integrity. This type of testing provides appropriate assurance of detecting material errors. Attribute sampling measures frequencies or percentages (how often an exception occurs), not values, so it is generally applied in compliance testing; variable sampling estimates quantities such as amounts or averages, so it is the approach generally applied in substantive testing.

- Compliance testing tests controls in the environment, to ensure that they are being applied in a manner that complies with the organization’s policies and procedures.

- A distinction that can be made between compliance testing and substantive testing is that compliance testing tests controls, whereas substantive testing tests details.

- IS auditors are most likely to perform compliance tests of internal controls if, after their initial evaluation of the controls, they conclude that control risks are within the acceptable limits.

- Another example of compliance testing involves obtaining a list of current users with access to the network or applications and verifying that those listed are current employees.
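The user-access compliance test just described, combined with the segregation-of-duties checks from the earlier section (programmers with access to production programs; one person ordering and receiving equipment), as an added example in Python. The code is not from the original page; the HR roster, account list, entitlement names and toxic-combination rules are constructed for illustration and would be replaced by exports from the organization's HR and access-control systems.

```python
"""User access review: orphan accounts and segregation-of-duties conflicts.

Added example; the roster, accounts and entitlement names are constructed
for illustration and are not from the original page.
"""
from typing import Dict, List, Optional, Set, Tuple

# Constructed HR roster: employee id -> (name, employment status)
HR_ROSTER: Dict[str, Tuple[str, str]] = {
    "e100": ("Alice", "active"),
    "e101": ("Bob", "terminated"),
    "e102": ("Carol", "active"),
    "e103": ("Dave", "active"),
}

# Constructed list of accounts as exported from the access-control system.
# "owner" is the employee id the account is assigned to (None if unassigned).
ACCOUNTS: List[dict] = [
    {"account": "alice", "owner": "e100",
     "entitlements": {"write_test_library"}},
    {"account": "bob", "owner": "e101",
     "entitlements": {"write_test_library", "write_production_programs"}},
    {"account": "carol", "owner": "e102",
     "entitlements": {"order_equipment", "receive_equipment"}},
    {"account": "dave", "owner": "e103",
     "entitlements": {"write_test_library", "write_production_programs"}},
    {"account": "svc_backup", "owner": None,
     "entitlements": {"read_all_data"}},
    {"account": "eve", "owner": "e999",
     "entitlements": {"asset_control"}},
]

# Toxic combinations: holding every entitlement in a set is a SoD conflict.
# The two rules mirror the conflicts described in the text (a programmer who
# can also change production programs; one person who both orders and
# receives equipment and so can bypass asset control).
TOXIC_COMBINATIONS: List[Tuple[Set[str], str]] = [
    ({"write_test_library", "write_production_programs"},
     "application programmer can move code into production"),
    ({"order_equipment", "receive_equipment"},
     "one person can order and receive equipment (asset-control bypass)"),
]


def orphan_accounts(accounts: List[dict],
                    roster: Dict[str, Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Compliance test: every account must map to a current (active) employee.

    Returns (account, reason) for each account that fails the test.
    """
    findings: List[Tuple[str, str]] = []
    for acct in accounts:
        owner: Optional[str] = acct["owner"]
        if owner is None:
            findings.append((acct["account"], "no assigned owner"))
        elif owner not in roster:
            findings.append((acct["account"], f"owner {owner} not in HR roster"))
        elif roster[owner][1] != "active":
            findings.append((acct["account"], f"owner {owner} is {roster[owner][1]}"))
    return findings


def sod_conflicts(accounts: List[dict]) -> List[Tuple[str, str]]:
    """Flag accounts whose entitlements contain a toxic combination."""
    findings: List[Tuple[str, str]] = []
    for acct in accounts:
        for combo, label in TOXIC_COMBINATIONS:
            if combo.issubset(acct["entitlements"]):
                findings.append((acct["account"], label))
    return findings


def access_review(accounts: List[dict],
                  roster: Dict[str, Tuple[str, str]]) -> Dict[str, List[Tuple[str, str]]]:
    """Run both tests and return the findings grouped by test name."""
    return {
        "orphan_accounts": orphan_accounts(accounts, roster),
        "sod_conflicts": sod_conflicts(accounts),
    }


if __name__ == "__main__":
    for test, findings in access_review(ACCOUNTS, HR_ROSTER).items():
        print(f"{test}: {len(findings)} finding(s)")
        for account, reason in findings:
            print(f"  {account}: {reason}")
```

On the constructed data the review flags three orphan accounts (a terminated employee, an unowned service account, and an owner id absent from HR) and three SoD conflicts; each finding carries the reason so that it can be taken to auditee management and agreed before the report is written.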

- As a part of the report conclusions, the auditor must draft a management letter; any material misstatements in the financial statements should be reported to management immediately. Management then evaluates responses to the findings, states corrective actions to be taken, and determines the timing for implementing these anticipated corrective actions.

- Gathering background information pertinent to the new audit is the first task an IS auditor should complete when performing an audit in an unfamiliar area. The information obtained is collectively known as evidence.

- Earlier audit reports are considered of lesser value to an IS auditor attempting to gain an understanding of an organization’s IT process than evidence collected directly.

- The reliability of evidence is based on the following criteria:
➤ Independence of the provider of the evidence—Evidence gained from outside the organization being audited is generally more reliable than evidence gained internally.
➤ Qualification of the individual providing the information/evidence—Regardless of whether the individual providing the evidence is inside or outside the organization, the qualification of the individual determines the reliability of the evidence.
➤ Objectivity of the evidence—Tests performed against account balances or a specific security control are more objective than interviews with personnel about account balances or about the effectiveness or relevance of the security control.
➤ Timing of evidence—Some evidence might not be available because internal procedures properly eliminate it, or because it changes at a fairly high rate.

- The purpose and scope of the audit determine the extent to which data will be collected during an IS audit.

- The systems development life cycle (SDLC) defines how the organization acquires, develops, changes, and implements IT infrastructure and applications. This documentation addresses how the IS organization functions and can include the following:

➤ Phase 1: Feasibility study—The feasibility study enables management to identify and quantify the cost savings of a new system, and estimate the payback schedule for costs incurred in implementing the system.
➤ Phase 2: Requirements definition—The requirements definition maps the major requirements to the solution. It involves management and end users to make sure the new system will support the business needs.
➤ Phase 3: System design—The requirements gathered in Phase 2 assist in establishing a baseline of system and subsystem specifications that describe the parts of the system, how they interact, and how the system will be implemented using the chosen hardware, software, and network facilities.
➤ Phase 4: Development—In the system-development phase, the programming and testing take place. The testing verifies and validates what has been developed.
➤ Phase 5: Implementation—This phase puts the new system into operation. It includes final user acceptance testing and can include certification and accreditation processes.

- IS auditors who are actively involved in the design and implementation of an application system risk having their independence impaired (weakened).

- The combination of organizational structure, policies and procedures, and best practices that are implemented to reduce risk is called internal controls. Internal controls are used by the organization to provide a reasonable assurance that the business objectives will be met and risk will be prevented, detected, or corrected.
Control procedures can be manual or automated and generally fall into three categories:
➤ Internal accounting controls—Primarily used in accounting operations. They apply to safeguarding the assets and reliability of financial data and records.
➤ Operational controls—Used in day-to-day operations to ensure that the operation is meeting business objectives.
➤ Administrative controls—Used to ensure compliance with management policy.

- The IS auditor is ultimately responsible to senior management and to the audit committee of the board of directors. Before communicating the results to senior management, the IS auditor should discuss the findings with the management staff of the audited entity to gain agreement on the findings and to develop a course of corrective action.

- As an example, if an auditor discovers that the organization’s computers contain unauthorized software, the auditor should report the use of the unauthorized software to auditee management and highlight the need to prevent recurrence.

- An exit interview should be conducted at the conclusion of the audit. This provides the auditor with an opportunity to discuss the scope and the findings and recommendations of the audit. The exit interview also assures the auditor that the facts presented in the report are correct and that the recommendations are realistic (cost-effective), and establishes the implementation dates for corrective action.

- Responsibility, authority, and accountability of the IS audit function must be documented and approved by the highest level of management.

- Risk can be defined as the possibility of something adverse happening. Risk management is the process of assessing risk, taking steps to reduce risk to an acceptable level (mitigation), and maintaining that acceptable level of risk.

- Risk management encompasses three processes: risk assessment, risk mitigation, and risk transference.

- Threats can generally be classified as natural, environmental, or manmade; they have the potential to cause such harm to the asset as destruction, disclosure, modification, or disruption.

- The result of a threat exercising a vulnerability is called an impact; this can result in a loss to the organization’s resources. The impact might be quantitative (direct loss of money, opportunity, disruption) or qualitative (breach of legislation, damage to reputation, endangerment of staff, breach of confidence) and represents either a direct or an indirect loss to the organization.

- Senior management must support risk analysis in the organization for it to be successful. Risk analysis is the process of identifying risk in the organization, quantifying the impact of potential threats, and providing cost/benefit justification for the implementation of controls.

- Risk analysis can use either a quantitative approach, which attempts to assign real numbers to the cost of threats and the amount of damage, or a qualitative approach, which uses a ranking method to analyze the seriousness of the threat against the sensitivity of the asset.
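An added worked example (not from the original page) of both approaches in Python. The quantitative part assumes the conventional single-loss-expectancy model (SLE = asset value × exposure factor, ALE = SLE × annual rate of occurrence), which the page does not spell out, and uses a control's reduction in ALE against its annual cost as the cost/benefit justification; the qualitative part ranks threat likelihood against asset sensitivity on a 3×3 matrix. The threat, asset value, control cost and matrix thresholds are constructed for illustration.

```python
"""Quantitative and qualitative risk analysis (added example).

The quantitative part uses the conventional SLE / ARO / ALE model. That model
is an assumption of this example, not something stated on the page; the
threat, asset value, control cost and ranking thresholds are constructed.
"""
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Threat:
    name: str
    asset_value: float      # value of the asset at risk, in currency units
    exposure_factor: float  # fraction of asset value lost per occurrence (0..1)
    annual_rate: float      # expected occurrences per year (ARO)

    def __post_init__(self) -> None:
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure_factor must be in [0, 1]")
        if self.annual_rate < 0 or self.asset_value < 0:
            raise ValueError("annual_rate and asset_value must be non-negative")


def single_loss_expectancy(t: Threat) -> float:
    """SLE: loss expected from a single occurrence of the threat."""
    return t.asset_value * t.exposure_factor


def annualized_loss_expectancy(t: Threat) -> float:
    """ALE: expected loss per year = SLE x ARO."""
    return single_loss_expectancy(t) * t.annual_rate


def with_control(t: Threat, exposure_factor: Optional[float] = None,
                 annual_rate: Optional[float] = None) -> Threat:
    """The residual threat once a control lowers the exposure factor and/or ARO."""
    return replace(
        t,
        exposure_factor=t.exposure_factor if exposure_factor is None else exposure_factor,
        annual_rate=t.annual_rate if annual_rate is None else annual_rate,
    )


def control_net_benefit(before: Threat, after: Threat, annual_control_cost: float) -> float:
    """Cost/benefit of a control: reduction in ALE minus the control's annual cost."""
    return (annualized_loss_expectancy(before)
            - annualized_loss_expectancy(after)
            - annual_control_cost)


def control_is_justified(before: Threat, after: Threat, annual_control_cost: float) -> bool:
    """A control is cost-justified when it saves more ALE than it costs to run."""
    return control_net_benefit(before, after, annual_control_cost) > 0


LEVELS = {"low": 1, "medium": 2, "high": 3}


def qualitative_rank(threat_likelihood: str, asset_sensitivity: str) -> str:
    """Rank a threat by its likelihood against the asset's sensitivity (3x3 matrix).

    The thresholds (score 6-9 high, 3-5 medium, 1-2 low) are an assumption.
    """
    score = LEVELS[threat_likelihood] * LEVELS[asset_sensitivity]
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


if __name__ == "__main__":
    # Constructed scenario: ransomware on a file server whose data is valued at 500,000.
    ransomware = Threat("ransomware on file server", asset_value=500_000.0,
                        exposure_factor=0.4, annual_rate=0.5)
    # Proposed control: offline backups at 20,000 per year, expected to cut the
    # exposure factor to 0.1 (data is recoverable) without changing the ARO.
    residual = with_control(ransomware, exposure_factor=0.1)
    print("SLE:", single_loss_expectancy(ransomware))
    print("ALE before control:", annualized_loss_expectancy(ransomware))
    print("ALE after control:", annualized_loss_expectancy(residual))
    print("net benefit of control:", control_net_benefit(ransomware, residual, 20_000.0))
    print("justified:", control_is_justified(ransomware, residual, 20_000.0))
    print("qualitative rank (high likelihood, medium sensitivity):",
          qualitative_rank("high", "medium"))
```

With the constructed figures the ALE drops from 100,000 to 25,000 and the 20,000-a-year control shows a net benefit of 55,000, which is the cost/benefit justification senior management would be asked to sign off on; the same control at 80,000 a year would not be justified by this threat alone.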

- While preparing the audit report, the IS auditor should record the observations and the risk arising from the collective weaknesses.

======================================
CISA REVIEW MANUAL 2010
======================================

Introduction

- The Information Systems Audit and Control Association (ISACA) developed the Certified Information Systems Auditor (CISA) program in 1978.

- Assessing the capability of information systems to support business goals while maintaining information confidentiality, integrity, and reliability is exactly what a Certified Information Systems Auditor (CISA) does well.
