is audit process chapt 1_isaca hc_2010


Upload: ndungu-evans

Post on 02-Nov-2015


  • 2/8/2010

    Certified Information Systems Auditor Course 2010

    By Marjan Hussein

    MBA, BCOMM, CPA(K), CISA, CIA, CCSA

    INFORMATION SYSTEMS AUDIT PROCESS

    Domain 1

    Domain 1: IS Audit Process (Approximately 10% of exam 20 Questions)

    Provide IS audit services in accordance with IS audit standards, guidelines, and best practices to assist the organization in ensuring that its information technology and business systems are protected and controlled.

    TASKS

    Develop and implement a risk-based IS audit strategy for the organization in compliance with IS audit standards, guidelines and best practices.

    Plan specific audits to ensure that IT and business systems are protected and controlled.

    Conduct audits in accordance with IS audit standards, guidelines and best practices to meet planned audit objectives.

    Communicate emerging issues, potential risks, and audit results to key stakeholders.

    Advise on the implementation of risk management and control practices within the organization while maintaining independence.

    Knowledge Statements

    Knowledge of ISACA IS Auditing Standards, Guidelines and Procedures, and Code of Professional Ethics

    Knowledge of IS auditing practices and techniques

    Knowledge of techniques to gather information and preserve evidence (e.g., observation, inquiry, interview, CAATs, electronic media)

    Knowledge of the evidence life cycle (e.g., the collection, protection, chain of custody)

    Knowledge of control objectives and controls related to IS (e.g. COBIT)


    Knowledge Statements (cont..)

    Knowledge of risk assessment in an audit context

    Knowledge of audit planning and management techniques

    Knowledge of reporting and communication techniques (e.g., facilitation, negotiation, conflict resolution)

    Knowledge of control self-assessment (CSA)

    Knowledge of continuous audit techniques

    Information Systems Audit Process

    Management of the IS Audit Function

    Organization of the IS Audit Function

      IS audit services can be provided internally or externally

      Charter defines the IS audit function

      Scope, authority and responsibility of the IS audit function

      Should be approved by the highest level of management and the Audit Committee

    IS Audit Resource Management

      Maintain competency through updates of existing skills and training on new audit techniques and technological areas.

      Detailed staff training plans for the year, reviewed semi-annually

    IS Audit Planning

      Preparation of long and short term plans

      Analysis of both plans should be done at least annually

      Each individual audit assignment must be adequately planned

    Information Systems Audit Process

    Individual audit assignments

    Understanding of the environment under review during planning is important

    To perform the audit planning the auditor should:-

      Gain an understanding of the business mission, purpose, objectives, processes and technology, which includes information and processing requirements such as availability, integrity, confidentiality and business technology.

      Identify content such as policies, standards and required guidelines, procedures and org structure

      Perform risk analysis to help in designing the audit plan

      Conduct review of IC related to IT

      Set audit scope and objectives

      Develop the audit approach or audit strategy

      Assign resources

      Address engagement logistics

    Information Systems Audit Process

    Individual audit assignments

    How to gain understanding of the business

    Touring key organizational facilities

    Reading background materials

    Reviewing long-term strategic plans (biz & IT)

    Interviewing key managers to understand business issues

    Reviewing prior reports

    Identify special regulation applicable to IT

    Identify IT functions or related activities that have been outsourced


    Information Systems Audit Process

    Laws and regulations effects on IS Audit Planning

    Identify those government or other external requirements dealing with:

    Electronic data, personal data, copyrights, e-commerce, e-signatures etc

    Computer system practices and controls

    Manner in which computer programs and stored data are used

    Way data is processed and transmitted

    The organization or activities of information technology services

    IS audits

    Information Systems Audit Process

    Laws and regulations effects on IS Audit Planning (cont..)

    Document pertinent laws and regulations

    Assess whether management of the organization and the Information Systems function have considered relevant external requirements in making plans, policies, standards and procedures

    Review internal IS dept documents that address adherence to applicable laws in the industry

    Determine adherence to established procedures

    Establish if there are procedures in place to ensure contracts or agreements with external IT services providers reflect any legal requirements related to responsibilities.

    ISACA Code of Professional Ethics

    The Information Systems Audit and Control Association, Inc. (ISACA) sets forth this Code of Professional Ethics to guide the professional and personal conduct of members of the association and/or its certification holders.

    Members and ISACA certification holders shall:

    1. Support the implementation of, and encourage compliance with, appropriate standards, procedures and controls for information systems.

    ISACA Code of Professional Ethics (cont..)

    2. Perform their duties with objectivity, due diligence and professional care, in accordance with professional standards and best practices.

    3. Serve in the interest of stakeholders in a lawful and honest manner, while maintaining high standards of conduct and character, and not engage in acts discreditable to the profession.

    4. Maintain the privacy and confidentiality of information obtained in the course of their duties unless disclosure is required by legal authority. Such information shall not be used for personal benefit or released to inappropriate parties.

  • 2/8/2010

    4

    ISACA Code of Professional Ethics (cont..)

    5. Maintain competency in their respective fields and agree to undertake only those activities, which they can reasonably expect to complete with professional competence.

    6. Inform appropriate parties of the results of work performed; revealing all significant facts known to them.

    7. Support the professional education of stakeholders in enhancing their understanding of information systems security and control.

    ISACA IS Standards

    The specialized nature of IS auditing and the skills and knowledge necessary to perform such audits require globally applicable standards that pertain specifically to IS auditing.

    Objectives of ISACA standards are to inform:-

    The IS auditor of the minimum level of acceptable performance required to meet the professional responsibilities set out in the code of professional ethics

    Management and other interested parties of the professional expectations concerning the work of audit practitioners

    Holders of the CISA designation of requirements; failure to comply with these standards may result in investigations by the ISACA board for disciplinary actions.

    Standards define mandatory requirements for IS auditing and reporting.

    ISACA IS Standards (cont..)

    S1 Audit charter

    S2 Independence

    S3 Professional Ethics and Standards

    S4 Professional Competence

    S5 Planning

    S6 Performance of Audit Work

    S7 Reporting

    S8 Follow up activities

    S9 Irregularities and Illegal Acts

    S10 IT Governance

    S11 Use of Risk Assessment in Audit Planning

    S12 Audit Materiality

    S13 Using the Work of Other Experts

    S14 Audit Evidence

    S15 IT Controls

    S16 E-commerce

    ISACA IS Auditing Guidelines

    The objective of the guidelines is to provide further information on how to comply with the ISACA IS Auditing Standards

    The IS auditor should:

    Consider them in determining how to implement the standards

    Use professional judgment in applying them

    Be able to justify any departure

    For an index of IS auditing Guidelines refer to the CISA 2010 manual (pg 37 - 40)


    ISACA IS Auditing Procedures

    Provide examples of possible processes an IS auditor might follow in an audit engagement

    In determining appropriateness of any specific procedure, IS auditor should apply their own professional judgment to the specific circumstances

    The procedure documents provide information on how to meet the standards when performing IS auditing work, but do not set requirements

    It is not mandatory for the IS auditor to follow these procedures; however, following them will provide assurance that the standards are being followed by the auditor.

    Relationship Between Standards, Guidelines & Procedures

    IS Auditing Standards are to be followed by all IS auditors

    Guidelines provide assistance on how the IS auditor can implement standards in various audit assignments

    Procedures provide examples of steps the auditor may follow in specific audit assignments so as to implement the standards.

    IS auditor should always use professional judgment in using guidelines and procedures

    Information Technology Assurance Framework (ITAF)

    It is a comprehensive and good-practice-setting model that:-

    Provides guidance on design, conduct and reporting of IT audit and assurance assignments

    Defines terms and concepts specific to IT audit and assurance

    Establishes standards that address IT audit and assurance professional roles and responsibilities, knowledge and skills, and diligence, conduct and reporting requirements.

    ITAF includes 3 categories of standards: General (code of ethics), Performance (audit planning, supervision, scoping etc) and Reporting

    (Assigned Readings: CISA 2010 manual pages 34 - 45)

    RISK ANALYSIS

    Risk

    The potential that a given threat will exploit vulnerabilities of an asset or group of assets to cause loss or damage to the asset. The impact or relative severity of the risk is proportional to the business value of the loss/damage and to the estimated frequency of the threat.

    The uncertainty that surrounds future events and outcomes

    It is the expression of the likelihood and impact of an event with the potential to influence achievement of an organization's objectives.

    Risk is anything that could prevent achievement of the organization's objectives

    Anything that could impact on the interest of stakeholders


    Risk Analysis (cont..)

    Elements of Risk

    Threats to, and vulnerabilities of, processes and/or assets (both physical and information assets)

    Impact on assets based on threats and vulnerabilities

    Probabilities of threats (likelihood and frequency of occurrence)

    Total Risk = Threats X Vulnerability X Asset Value

    Examples of threats are errors, malicious damage/attack, fraud, theft, equipment failure, software failure

    Examples of vulnerabilities are lack of user knowledge, poor choice of passwords, use of untested technology, transmission over unprotected communication

    Risk Analysis (cont..)

    Business risks are the likelihood of those threats that may negatively impact the assets, processes or objectives of a specific business.

    The nature of risks may be financial, regulatory or operational, and may arise as a result of interaction of business with its environment, as a result of strategies, systems and particular technology, processes, procedures and information used by business.

    The IS auditor is often focused towards high-risk issues associated with confidentiality, availability or integrity of sensitive and critical information, and the underlying information systems and processes that generate, store and manipulate such information

    Risk Analysis (cont..)

    Risk assessment process is characterized as an iterative life cycle:-

    1. Identification of business objectives

    2. Perform risk assessment to identify threats and determine the probability of occurrence and the resulting impact, and additional safeguards that would mitigate this impact to an acceptable level

    3. Identifying controls for mitigating the identified risks (preventive, detective and corrective)

    4. Assess countermeasures through cost benefit analysis based on:-

      Cost compared to benefit of minimizing the risk

      Management risk appetite

      Preferred risk reduction method [terminate, minimize occurrence probability, minimize impact, or transfer risk]

    5. Monitoring performance levels of risks being managed

    Perform periodic Risk Reevaluation

    Summary of Risk Assessment Process (BO/RA/RM/RT)

    Identify Business Objectives (BO)

    Identify Information Assets Supporting the BOs

    Perform Risk Assessment (RA) [Threat, Vulnerability, Probability, Impact]

    Perform Risk Mitigation (RM) [Map risks with controls in place]

    Perform Risk Treatment (RT) [Treat significant risks not mitigated by existing controls]


    Risk Analysis (cont..)

    Purpose of Risk Analysis

    Assists the IS Auditor in identifying risks and threats to an IT environment and systems, and in selecting certain areas to examine

    Helps the IS Auditor in his/her evaluation of controls in audit planning

    Helps in determining the audit objectives

    Helps in supporting risk-based audit decision making.

    INTERNAL CONTROLS

    Policies, procedures, practices and organizational structures designed to provide reasonable assurance that an organization's objectives will be achieved, and undesired risks prevented, or detected and corrected.

    INTERNAL CONTROL OBJECTIVES

    Statements of desired results or purpose to be achieved by implemented control procedures. Control is the means by which control objectives are addressed.

    Control Objectives include:

    Safeguarding of information technology assets

    Compliance to corporate policies or legal requirements

    Authorization/input

    Internal Control (cont..)

    Accuracy and completeness of processing of transaction

    Output

    Reliability of process

    Backup/recovery

    Efficiency and economy of operations

    Internal Control (cont..)

    Classifications of Controls

    Preventative Controls

    Detective Controls

    Corrective Controls


    IS Control Objectives

    IC objectives apply to all areas, whether manual or automated.

    IS control objectives include:-

    Safeguarding assets. Information on automated systems is secured from improper access and kept up to date

    Assuring integrity of general operating system environments, including network management and operations

    Assuring integrity of sensitive and critical application system environments, including accounting/financial and management information, through:

      Authorization of inputs

      Accuracy and completeness of processing of transactions

    IS Control Objectives (cont..)

    Reliability of overall information processing activities

    Accuracy, completeness and security of output

    Database integrity

    Ensuring the efficiency and effectiveness of operations

    Complying with the users requirements and with organizational policies and procedures as well as applicable laws and regulations

    IS Control Objectives (cont..)

    Developing business continuity and disaster recovery plans

    Developing an incident response time

    Change management

    COBIT

    COBIT is a framework with a set of 34 IT processes grouped into 4 domains: planning and organizing, acquiring and implementing, delivery and support, and monitoring and evaluation

    By addressing these 34 IT processes, an organization can ensure that adequate governance and control arrangements are provided for its IT environment

    COBIT can be used as a supplementary study material in understanding control objectives and principles.


    COBIT (cont..)

    Supporting these IT processes are more than 200 detailed control objectives necessary for effective implementation

    COBIT uses, as its primary reference, current major frameworks, standards and regulations relating to IT.

    COBIT is directed to Management and staff of Information services, control departments, audit functions and most importantly, the business process owners using IT processes to assure confidentiality, integrity and availability of sensitive and critical information

    General Controls

    Controls include policies, procedures and practices established by management to provide reasonable assurance that specific objectives will be achieved.

    They apply to all areas of the organization

    General Controls include:

    Internal accounting controls - safeguarding of assets and reliability of financial records

    Operational controls - day to day activities

    Administrative controls - operational efficiency in a functional area and adherence to management policies. They support operational controls concerned with operating efficiency and policy adherence

    IS Controls

    Each general control procedure can be translated into IS-specific control procedure.

    IS control procedures include:

    Strategy and direction

    General organization and management

    Access to data and programs

    Systems development methodologies and change control

    Data processing operations

    Systems programming and technical support functions

    Data processing quality assurance procedures

    Physical access controls

    Business continuity and disaster recovery planning

    Network and communications

    Database administration

    Performing IS Audit


    Auditing

    A systematic process by which a competent, independent person objectively obtains and evaluates evidence regarding assertions about an economic entity or event, for the purpose of forming an opinion about and reporting on the degree to which the assertion conforms to an identified set of standards

    IS Audit

    Defined as any audit that encompasses review and evaluation (wholly or partially) of automated information processing systems, related non-automated processes and the interfaces between them

    Classification of Audits

    Financial audits - data (integrity and reliability)

    Operational audit - controls

    Integrated audits - data and controls

    Administrative audits - operational efficiency

    Information systems audit - IS

    Specialized audits - reviewing services performed by third-party providers

    Forensic audits - discovering, preserving, disclosing and following up on frauds and crimes

    Financial audits:

    Assess correctness of financial statements

    Often involve detailed substantive testing

    Relates to information reliability and integrity


    Operational audit

    Designed to evaluate internal controls e.g. IS audit of application controls, or logical security

    Integrated audits

    Includes both financial and operational

    Performed to assess overall objectives related to financial information, assets safeguarding, efficiency

    Include both compliance and substantive tests

    Administrative Audits

    Audits oriented to assess issues related to efficiency and effectiveness of operational productivity within an organization.

    Information systems audit

    Collect and evaluate evidence to determine whether an information system and related resources:

    Safeguard assets

    Maintain data and system integrity

    Provide relevant and reliable information

    Achieve organizational goals effectively and efficiently

    Internal controls provide reasonable assurance that operational and control objectives will be met


    Specialized audits

    These are specialized reviews that examine areas such as service performed by third parties and forensic auditing

    Statement on Auditing Standards (SAS) 70, titled Reports on Processing of Transactions by Service Organizations is a widely known standard developed by AICPA

    SAS 70 defines the professional standards used by service auditor to assess the internal control of service organization

    Forensic audits

    These are audits specialized in discovering, disclosing and following up on frauds and crimes

    The purpose of these reviews is to develop and protect evidence for review by law enforcement and judicial authorities

    Computer forensic investigations include analysis of electronic devices, such as computers, phones, PDAs, disks, switches, routers, hubs and other electronic equipment

    Admissibility of evidence in court is very important and therefore computer evidence must be properly handled.

    Forensic audit tools such as data mapping for security and privacy, risk assessment and search for intellectual property for data protection are being used for prevention, compliance and assurance.

    Audit Programs

    Audit work program is the audit strategy and plan

    It identifies scope, audit objectives, and audit procedures to obtain sufficient, relevant and reliable evidence to draw and support audit conclusions and opinions

    IS auditors often evaluate IT functions and systems from different perspectives such as:

    Security (confidentiality, integrity and availability)

    Quality (effectiveness and efficiency)

    Fiduciary (compliance, reliability)

    Service capacity

    General Audit procedures

    Steps in performing an audit include:-

    Obtaining and recording an understanding of the audit area

    Detailed audit planning

    Preliminary review of the audit area

    Verifying and evaluating the appropriateness of controls designed to meet control objectives

    Testing (compliance and substantive)

    Reporting

    Follow up


    General Audit procedures (cont..)

    The IS auditor must understand the procedures for testing and evaluating IS controls. These include:-

    The use of generalized audit software to survey the contents of data files

    The use of specialized software to assess the contents of operating system, database and application parameter files (or detect deficiencies in system parameter settings)

    Flow charting techniques for documenting automated applications and business processes

    The use of audit logs/reports available in operation/application systems

    Documentation review

    Observation

    Audit objectives

    They refer to the specific goals of the audit

    Determination of audit objectives is a critical step in planning an IS audit

    Center around substantiating that internal controls exist to minimize business risk

    The basic purpose of any IS audit is to identify control objectives and the related controls that address the objective

    Management may issue a general objective

    Key element in planning: translating it to specific IS audit objectives

    Audit process steps

    Plan - assess risks, develop audit program: objectives, procedures

    Obtain evidence

    Evaluate evidence - strengths and weaknesses of controls

    Prepare and present report

    Follow-up - corrective actions taken by management

    Audit methodology

    A set of documented audit procedures designed to achieve planned audit objectives.

    Components include:

    Scope

    Audit objectives

    Work programs


    Audit program

    Step-by-step set of audit procedures and instructions that should be performed to complete an audit

    A guide for documenting various audit steps performed

    Guides on the types and extent of evidential matters to be reviewed

    Provides a trail of the process used

    Provides accountability for performance

    Audit phases

    Audit subject - Identify the area to be audited

    Audit objective - Identify purpose of audit

    Audit scope

    Pre-audit planning

    Audit procedures and steps for data gathering

    Procedures for evaluating the test or review results (organization specific)

    Procedures for communication with management (organization specific)

    Audit report preparation

    Audit phases (cont..)

    Practice Question

    1-1 Which of the following BEST describes the early stages of an IS audit?

    A. Observing key organizational facilities

    B. Assessing the IS environment

    C. Understanding the business process and environment applicable to the review

    D. Reviewing prior IS audit reports


    Fraud Detection

    Management is primarily responsible for establishing, implementing and maintaining a framework and design of IT controls to meet the internal control objectives.

    A well designed ICS provides good opportunity for deterring fraud at the first instance and a system that enables timely detection of frauds

    IS auditor should observe and exercise due professional care in all aspects of their work and be alert to the possible opportunities that allow a fraud to materialize

    Fraud Detection (cont)

    IS auditor should be aware and diligent as regards the possibility and means of perpetrating frauds especially by exploiting the vulnerabilities and overriding controls in IT-enabled environment

    IS auditor should have knowledge of fraud and fraud indicators, and during performance of audit work, be alert to the possibility of frauds and errors

    When IS auditor comes across any instances of fraud or indicators of fraud, he/she may, after careful evaluation, communicate the need for a detailed investigation to appropriate authorities

    In case of the auditor identifying a major fraud, or where the risk associated with the detection is high, audit management should also consider communicating to the audit committee in a timely manner.

    Risk-Based Auditing

    Business risks include concerns about probable effects of an uncertain event on achieving established organization objectives.

    By understanding the nature of the business, IS auditors can identify and categorize the types of risks that will better determine the risk approach in conducting the audit.

    Risk based approach is used to assist an IS auditor in making the decision to perform either compliance or substantive testing.

    Helps the auditor in determining the nature and extent of testing.

    In addition to risk the auditors are also influenced by the Internal Controls as well as the knowledge of the business.

    Risk-Based Audit Approach


    Practice Question

    1-2 In performing a risk-based audit, which risk assessment is completed initially by the IS auditor?

    A. Detection risk assessment

    B. Control risk assessment

    C. Inherent risk assessment

    D. Fraud risk assessment

    Practice Question

    1-3 While developing a risk-based audit program, on which of the following would the IS auditor MOST likely focus?

    A. Business processes

    B. Critical IT applications

    C. Operational controls

    D. Business strategies

    Audit risk and Materiality

    Risk that information may contain a material error that may go undetected during the course of the audit

    Risk within the audit process itself

    The risk of giving an incorrect audit opinion

    Sometimes used to describe the level of risk that the IS Auditor is prepared to accept

    Audit risk (cont..)

    Can be categorized as:

    Inherent risk

    Control risk

    Detection risk

    Overall audit risk


    Inherent risk

    Risk that an error exists which could be material assuming there are no related compensating controls

    Can be categorized as susceptibility to a material misstatement in the absence of related controls, e.g.

      Complex calculations are more likely to be misstated than simple ones

      Cash is more likely to be stolen than inventory

    Exists independent of an audit

    Can occur because of the nature of a business

    Control risk

    Risk that a material error exists which will not be prevented or detected on a timely basis by the system of internal controls

    Detection risk

    The risk that the ISA used an inadequate test procedure and concludes that material errors do not exist, when in fact they do

    Can be used to assess and evaluate an ISA's ability to test, identify and correct material errors

    Can be minimized by:

      Proper statistical sampling procedures

      A strong quality control process

    Overall audit risk

    Combination of individual categories of audit risk assessed for each specific control objective

    Objective of audit approach is to limit overall audit risk


    Materiality and audit risk

    Materiality is an expression of the relative significance or importance of a particular matter in the context of the organization as a whole

    The word material is associated with any of the components of risk - it refers to an error that should be considered significant by any party concerned

    While a given system may not detect a minor error, a combination of these may end up being material

    Requires sound judgment from the auditor

    Essential when planning areas to be audited and the specific tests to be performed

    Materiality is considered in terms of the total potential impact to the organization.

    Practice Question

    1-4 Which of the following types of audit risk assumes an absence of compensating controls in the area being reviewed?

    A. Control risk

    B. Detection risk

    C. Inherent risk

    D. Sampling risk

    Practice Question

    1-5 An IS auditor performing a review of an application's controls finds a weakness in system software that could materially impact the application. The IS auditor should:

    A. disregard these control weaknesses, as a system software review is beyond the scope of this review.

    B. conduct a detailed system software review and report the control weaknesses.

    C. include in the report a statement that the audit was limited to a review of the application's controls.

    D. review the system software controls as relevant and recommend a detailed system software review.

    Audit risk assessment

    Used to identify and evaluate risks and their potential effect

    Used to determine high risk areas that should be audited

    Planning guideline - A risk assessment should be made to provide reasonable assurance that material items will be adequately covered during the audit work

    This assessment should identify areas with relatively high risk of existence of material problems


    Audit risk assessment (cont..)

    Risk assessment and other audit techniques should be considered in deciding:

    The nature, extent and timing of audit procedures

    Areas or business functions to be audited

    The amount of time and resources to be allocated to an audit

    Audit risk assessment - cont

    Using risk assessment to determine areas to be audited:

    Enables management to effectively allocate limited resources

    Ensures audit activities are directed to high risk areas

    Establishes a basis for effectively managing the audit department

    Provides a summary of how the individual audit subject is related to the overall

    Risk Assessment

    Assess client strategic business risk

    Assess the risk of material misstatement due to error, fraud or other irregularities

    Factors affecting inherent risk Factors affecting control risk

    Audit risk =

    Inherent risk ? Control risk ? Detection risk

    (Auditee risk) (Auditor risk)

    Risk assessment methods Different methods employed to perform risk

    assessments e.g.scoring system, Judgmental A combination of methods may be used May develop and change over time to best

    serve the needs of the organization All rely on subjective judgment at some point

    in the process Evaluate appropriateness of any chosen risk

    methodology

Scoring method
Considers variables such as: technical complexity, controls in place, financial loss
Variables may or may not be weighted

Judgmental method
Decision based on: executive management directives, historical perspectives, business goals and environmental factors

Audit evidence
The information the ISA gathers in the course of performing an IS audit to meet the audit objectives
Must directly relate to the objectives of the review
Gathering evidential matter is key to the audit process
Mandatory under the Standard for Evidence
Evidence should be appropriately organized and documented to support findings and conclusions

IS Audit Standard 14 Audit Evidence
States that: "The ISA should obtain sufficient and appropriate audit evidence to draw reasonable conclusions on which to base the audit results. The audit findings and conclusions are to be supported by appropriate analysis and interpretation of this evidence."

Audit evidence - cont
Sufficient: it is complete, adequate, convincing and would lead another ISA to form the same conclusions
Reliable: if, in the auditor's opinion, it is valid, factual, objective and supportable
Relevant: if it pertains to the audit objectives and has a logical relationship to the findings and conclusions it is used to support

Audit evidence - types
Observed processes and existence of physical items
Documentary evidence recorded on paper or other media
Representations
Analysis

Audit evidence - cont
Observed processes and existence of physical items, e.g.:
Inventory of media at an offsite storage location
Computer room security in operation
Cash count

Audit evidence - cont
Documentary evidence recorded on paper or other media can include:
Results of data extractions
Records of transactions
Program listings
Invoices
Activity and control logs
System development documentation

Audit evidence - cont
Representations include: written and oral statements, written procedures and policies, system flowcharts

Audit evidence - cont
Analysis includes:
Comparisons
Simulations
Calculations
Reasoning (synthesis)
Examples:
Benchmarking of IS performance against other organizations or past performance
Comparison of error rates between applications, transactions and users

Audit evidence and planning
When planning IS audit work, the ISA should take into account:
The audit evidence to be gathered
Its use in meeting the objectives
Its reliability (source and method)

Reliability - determinants
Independence of the provider of the evidence
Qualifications of the individual providing the information or evidence
Objectivity of the evidence
Timing of the evidence

Reliability - cont
Independence of the provider of the evidence
Example: corroborative evidence from an independent third party can be more reliable than evidence from the organization being audited (e.g. circularization of debtors, bank confirmation)

Reliability - cont
Objectivity of the evidence: objective evidence is much better than evidence requiring considerable judgment and interpretation
Examples: physical evidence is more reliable than the representations of an individual; the ISA's cash count is direct, objective evidence.
However, an ISA's analysis of the efficiency of an application, based upon discussion with certain personnel, may not be objective audit evidence.

Quality and quantity of Evidence
Quality (competence): evidence is competent when it is both valid and relevant
Quantity: refers to the sufficiency of the audit evidence

Techniques for gathering evidence
Reviewing Information Systems organizational structures
Reviewing IS policies and procedures
Interviewing appropriate personnel
Observing processes and employee performance

Reviewing IS organizational structures
Separation/segregation of duties is a key general control.
Review structures to determine the level of control they provide
The ISA's knowledge of general organizational controls is very important
Be aware of differences, particularly in organizations with cooperative distributed processing or end-user computing

Reviewing IS Policies & Procedures
Review whether appropriate policies and procedures are in place and whether personnel understand the implemented policies and procedures
Verify that management assumes responsibility for formulating, developing, documenting, promulgating and controlling policies covering general aims and directives
Look for a minimum level of documentation
Review the documentation and determine if it follows the organization's documentation standards
Recognize differences in documentation: e.g. for Computer Aided Software Engineering (CASE), prototyping, database specifications, file layouts and self-documented program listings, documents will not be required or will be in automated form rather than on paper

Reviewing Information Systems Standards
The IS auditor should understand the existing standards in place within the organization

Reviewing IS documentation standards
Understand the existing documentation in place
Minimum documentation may include:
Systems development initiation documents (e.g. feasibility study)
Functional requirements and design specifications
Test plans and reports
Program and operations documents
Program change logs and histories
User manuals
Operations manuals
Security related documents (e.g. security plans, risk assessments)
QA reports

Interviewing appropriate personnel
Organize the interview in advance
Follow a fixed outline
Document it with interview notes
An interview checklist or form is a good approach
Never be accusatory; rather, interviews should be discovery

Observing processes and employee performance
A key audit technique for many types of reviews
The IS auditor should be unobtrusive while making observations
Document everything in sufficient detail to be able to present it as audit evidence at a later date

Interviewing & observing personnel in the performance of their duties
Actual functions: allows the auditor an opportunity to witness how policies and procedures are internalized
Actual processes / procedures: allow the ISA to gain evidence of compliance and observe deviations, if any
Security awareness: assists in verifying an individual's understanding and practice of the preventive and detective security measures that safeguard the company's assets
Reporting relationships: to ensure that assigned responsibilities and adequate segregation of duties are being practiced

Compliance testing
Tests of controls designed to obtain audit evidence on both the effectiveness of the controls and their operation during the audit period
Evidence gathering to determine the organization's compliance with control procedures
Used where there is a trail of documentary evidence, e.g. written authorization to implement a modified program
Broad objective: to provide reasonable assurance that a particular control on which the ISA plans to rely is operating as perceived/intended
Attribute sampling: a compliance test used to check the presence or absence of an attribute.

Substantive testing
Tests of detailed activities and transactions, or analytical review tests, designed to obtain audit evidence on the completeness, accuracy or existence of those activities or transactions during the audit period
Evidence gathering that evaluates the integrity of individual transactions, data and other information
Provides evidence of the validity and propriety of the balances in the financial statements and of the transactions that support these balances
Minimized if compliance testing reveals the presence of adequate controls
Conversely, if compliance testing reveals weaknesses in controls that raise doubts about the completeness, accuracy or validity of accounts, substantive testing can alleviate those doubts (variable sampling is used)

Relationship between compliance and substantive testing
Review the system to identify controls
Test compliance to get reasonable assurance that the controls are functioning
Evaluate the controls to determine reliance and the nature and extent of substantive tests
Use substantive tests to validate data:
Tests of balances and transactions
Analytical review procedures

Relationship between compliance and substantive testing (cont..)

Sampling
The population consists of the entire group of items that need to be examined
A sample is a subset of the population members
Used to infer characteristics about a population, based on the results of examining the characteristics of a sample of the population
The sample must represent as closely as possible the characteristics of the whole population

Why sampling
It would be ideal to examine the entire population
Considerations: time, cost

General Sampling approaches
Statistical sampling uses an objective method
Non-statistical (or judgmental) sampling uses subjective judgment

Statistical sampling
Uses an objective method to determine:
Sample size
Selection criteria
Sample precision
Reliability or confidence level
NB: to be a statistical sample, each item in the population should have an equal opportunity of being selected
Population characteristics can be inferred from the sample
Preferred method

Non-statistical or judgmental sampling
Uses subjective judgment to determine:
Method of sampling
Sample size
Sample selection (which items to select)
Population characteristics may not be inferred from the sample
Not the preferred method

Sampling risk
Both statistical and judgmental sampling require ISA judgment
The risk that the auditor will draw the wrong conclusion from the sample
Statistical sampling allows the ISA to quantify the probability of error (confidence coefficient)

Methods of sampling
Attribute sampling
Variable sampling

Attribute sampling
Selecting items with certain attributes or characteristics (e.g. all items over a certain size)
Also known as proportional sampling
Deals with the presence or absence of an attribute or characteristic
Generally used in compliance testing
Conclusions are expressed in rates of incidence

Attribute sampling: types
Attribute sampling (or fixed sample size attribute sampling, or frequency estimation): used to estimate the rate of occurrence of a specific quality in a population (how many?)
Stop-or-go sampling: audit tests are stopped at the earliest possible moment (used where relatively few errors are expected)
Discovery sampling: used when the expected occurrence is extremely low; used to seek out fraud, circumvention of regulations and other irregularities

Variable sampling
Used to estimate the average or total value of a population based on a sample
Also known as dollar estimation, mean estimation sampling or quantitative sampling
Used to estimate the dollar value or some other unit of measure such as weight, height etc.
Generally applied in substantive testing
Provides conclusions related to deviations from the norm
Example: review of balances for material transactions

Variable sampling: Types
Stratified mean per unit: the population is divided into groups and samples are drawn from them; produces a smaller sample size
Un-stratified mean per unit: the sample mean is calculated and projected as an estimated total
Difference estimation: used to estimate the total difference between audited values and book values (un-audited values) based on a sample

Statistical sampling terms
Confidence coefficient (also referred to as confidence level or reliability factor)
Level of risk: one minus the confidence coefficient
Precision: the acceptable range of difference between the sample and the actual population (set by the auditor)
Expected error rate (EER)
Sample size
Sample mean: the average size of the sample
Sample standard deviation
Tolerable error rate: the maximum number of errors that can exist without an account being materially misstated
Population standard deviation

Confidence coefficient
Also referred to as confidence level or reliability factor
The probability that the characteristics of the sample are a true representation of the population
95% is considered a high degree of comfort
If internal controls are strong, the confidence level may be lowered
The greater the confidence coefficient, the larger the sample

Level of risk
One minus the confidence coefficient; e.g. if the confidence coefficient is 95%, the level of risk is 5%

Precision
Set by the ISA
Represents the acceptable range between the sample and the population
For attribute sampling, stated as a percentage
For variable sampling, stated as a monetary amount or a number
The higher the precision amount, the smaller the sample size and the higher the risk of error
The lower the precision amount, the greater the sample size

Expected error rate
An estimate of the errors that may exist
Expressed as a percentage
The greater the expected error rate, the greater the sample size
Applied to attribute sampling

Others
Sample mean: the average size of the sample
Sample standard deviation: measures the spread or dispersion of the sample values
Tolerable error rate: the maximum misstatement or number of errors that can exist without an account being materially misstated
Population standard deviation: a mathematical concept that measures the relationship to the normal distribution; the greater the standard deviation, the larger the sample size
Applied to variable sampling
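The sampling terms above worked through in Python, as an added example that is not part of the course material. The attribute sample size uses the normal-approximation formula n = z² × EER × (1 − EER) / precision² instead of the binomial sampling tables auditors normally consult, so its numbers are illustrative of the relationships on the slides (higher confidence, higher expected error rate or tighter precision all enlarge the sample) rather than table-exact; the population, sample values and strata are constructed.

```python
"""Statistical sampling helpers for attribute and variable sampling.

Added example for this section, not course material. Sample-size figures come
from the normal-approximation formula, a simplification of the binomial
sampling tables; the population, sample values and strata are constructed."""
import math
import random
from statistics import NormalDist, mean


def level_of_risk(confidence: float) -> float:
    """Level of risk = 1 - confidence coefficient (0.95 -> 0.05)."""
    return round(1.0 - confidence, 4)


def attribute_sample_size(confidence: float, expected_error_rate: float,
                          precision: float) -> int:
    """Sample size for attribute (compliance) sampling.

    confidence:          confidence coefficient, e.g. 0.95
    expected_error_rate: EER as a fraction, e.g. 0.02
    precision:           acceptable range as a fraction, e.g. 0.03 (+/- 3 points)
    Higher confidence, higher EER (up to 0.5) or tighter precision -> larger n.
    """
    if not (0 < confidence < 1 and 0 < expected_error_rate <= 0.5 and 0 < precision < 1):
        raise ValueError("arguments must be fractions in the documented ranges")
    z = NormalDist().inv_cdf(1 - (1 - confidence) / 2)   # two-sided z for the confidence level
    p = expected_error_rate
    return math.ceil(z * z * p * (1 - p) / (precision * precision))


def select_sample(population_ids, size: int, seed: int) -> list:
    """Random selection giving every item an equal chance (a statistical sample).

    The seed is recorded in the work papers so the selection can be reproduced.
    """
    return sorted(random.Random(seed).sample(list(population_ids), size))


def mean_per_unit_estimate(sample_values, population_size: int):
    """Un-stratified mean per unit: project the sample mean over the population."""
    return mean(sample_values) * population_size


def stratified_estimate(strata: dict):
    """Stratified mean per unit; strata = {name: (population_size, sample_values)}.

    Each stratum is projected with its own mean, so a few large items do not
    inflate the estimate for the many small ones.
    """
    return sum(mean(values) * size for size, values in strata.values())


def difference_estimate(sample_pairs, population_size: int):
    """Difference estimation: total (audited - book) projected over the population.

    sample_pairs = [(book_value, audited_value), ...]
    """
    diffs = [audited - book for book, audited in sample_pairs]
    return mean(diffs) * population_size


if __name__ == "__main__":
    print("n at 95% / EER 2% / precision 3%:", attribute_sample_size(0.95, 0.02, 0.03))
    print("first 10 of a seeded sample:", select_sample(range(1, 1001), 84, seed=7)[:10])
    # Constructed sample of (book, audited) values from a population of 1000
    pairs = [(100, 100), (200, 190), (150, 150), (250, 240)]
    print("mean-per-unit total:", mean_per_unit_estimate([a for _, a in pairs], 1000))
    print("projected difference:", difference_estimate(pairs, 1000))
```

The three variable-sampling estimators deliberately take the same kind of input so the relationship on the slides is visible: stratifying the same audited values changes the projected total because each stratum is weighted by its own population size.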

Using the Services of other Auditors and Experts
Circumstances that may lead to using the services of other auditors:
Scarcity of IS auditors and the need for IT security specialists
Highly specialized areas
Outsourcing of IS assurance and security services is increasingly becoming a common practice
Possible areas of outsourcing include networking, ATM, wireless, system integration etc.
Considerations before using the services of other auditors and experts:
Any restrictions by law and regulations
Audit charter or contractual stipulations
Impact on overall and specific IS audit objectives
Impact on IS audit risk and professional liability
Independence and objectivity of the other auditors/experts
Professional competence, qualifications and experience
Scope of the work to be outsourced and the approach
Supervisory and audit management control
Methods and modalities of communication of audit results etc.

Using the Services of other Auditors and Experts (cont..)
Other special considerations would include:
Testimonials/references and background checks
Access to systems, premises and records
Confidentiality restrictions to protect customer related information
Use of CAATs and other tools
Standards and methodologies for the performance of work and documentation
Nondisclosure agreements
IS auditor responsibilities:
Clearly communicating the audit objectives, scope and methodology through a formal engagement letter
Putting in place a monitoring process for regular review of the third party's work
Assessing the usefulness and appropriateness of reports and the impact of their significant findings on the overall audit objectives.

Computer Aided Audit Techniques (CAATs)
Any computer based tool for automating audit procedures
Provides a means to:
Gain access to and analyze data for a predetermined period
Report on audit findings with emphasis on the reliability of the records produced and maintained in the system

CAATs Examples
These include:
Generalized audit software, e.g. ACL, IDEA
Utility software, e.g. DBMS report writers
SQL commands
Third party access control software
Application system options and reports built into the system
Spreadsheets??

Need for CAATs
Evidence exists in electronic form
Differences in HW and SW environments, data structures, record formats, processing functions, etc.
What else???

Functional capabilities of CAATs
File access: reading different file structures and record formats
File reorganization: indexing, sorting, merging, linking
Data selection: filtration conditions, selection criteria
Statistical functions: sampling, stratification, frequency analysis
Arithmetic functions: arithmetic operators and functions

Generalized audit software
Provides an independent means to gain access to data for analysis
Effective and efficient use requires an understanding of its capabilities and limitations
Reads and accesses data from various DB platforms, flat file formats, ASCII formats
Features include:
Mathematical computations
Stratification
Statistical analysis
Sequence checks
Duplicate checks
Re-computations

CAATs advantages
Reduced level of audit risk
Enhanced independence from the auditee
Broader and more consistent audit coverage
Faster availability of information
Improved exception identification
Greater flexibility of run times
Greater opportunity to quantify IC weaknesses
Enhanced sampling
Cost savings over time
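An added example (not course material, and not an ACL or IDEA script) of the generalized audit software features listed above, run over a small constructed invoice extract: sequence check, duplicate check, re-computation and stratification. The CSV layout, vendors and amounts are constructed; the checks work on a copy of the data, which is the read-only access to production data that the CAAT slides call for.

```python
"""Generalized-audit-software style checks over an invoice extract.

Added example, not course material and not ACL/IDEA code. The records are
constructed; the checks mirror the GAS features on the slide: sequence check,
duplicate check, re-computation and stratification."""
import csv
import io
from collections import Counter, defaultdict
from decimal import Decimal

# Constructed sample extract, as a GAS tool would read it from a flat file.
# Planted issues: missing invoice 1004, invoice 1006 recorded twice with a
# wrong extension (4 x 20.00 != 85.00), and two ACME invoices that look alike.
SAMPLE_CSV = """invoice_no,vendor,date,qty,unit_price,amount
1001,ACME,2010-02-01,10,5.00,50.00
1002,ACME,2010-02-01,10,5.00,50.00
1003,Globex,2010-02-02,3,20.00,60.00
1005,Initech,2010-02-03,2,9.99,19.98
1006,Globex,2010-02-03,4,20.00,85.00
1006,Globex,2010-02-03,4,20.00,85.00
1007,Initech,2010-02-04,100,120.00,12000.00
"""


def load_extract(text: str) -> list:
    """File access: parse the flat file, keeping money as Decimal, not float."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "invoice_no": int(r["invoice_no"]), "vendor": r["vendor"], "date": r["date"],
            "qty": int(r["qty"]), "unit_price": Decimal(r["unit_price"]),
            "amount": Decimal(r["amount"]),
        })
    return rows


def sequence_check(rows: list) -> dict:
    """Gaps and repeats in a numeric series that should be complete and unique."""
    numbers = sorted(r["invoice_no"] for r in rows)
    present = set(numbers)
    gaps = [n for n in range(numbers[0], numbers[-1] + 1) if n not in present]
    duplicates = sorted(n for n, count in Counter(numbers).items() if count > 1)
    return {"gaps": gaps, "duplicates": duplicates}


def duplicate_check(rows: list, key=("vendor", "date", "amount")) -> dict:
    """Possible duplicate payments: identical vendor/date/amount, any invoice number."""
    groups = defaultdict(list)
    for r in rows:
        groups[tuple(r[k] for k in key)].append(r["invoice_no"])
    return {k: v for k, v in groups.items() if len(v) > 1}


def recompute(rows: list) -> list:
    """Re-computation: qty x unit_price must equal the recorded amount."""
    return [r["invoice_no"] for r in rows if r["qty"] * r["unit_price"] != r["amount"]]


def stratify(rows: list, bands=(Decimal("100"), Decimal("1000"))) -> dict:
    """Stratification: count and total per amount band (lower bound inclusive)."""
    edges = [Decimal("-Infinity"), *bands, Decimal("Infinity")]
    labels = ([f"< {bands[0]}"]
              + [f"{lo} - {hi}" for lo, hi in zip(bands, bands[1:])]
              + [f">= {bands[-1]}"])
    result = {label: [0, Decimal("0")] for label in labels}
    for r in rows:
        for label, lo, hi in zip(labels, edges, edges[1:]):
            if lo <= r["amount"] < hi:
                result[label][0] += 1
                result[label][1] += r["amount"]
                break
    return {label: (count, total) for label, (count, total) in result.items()}


if __name__ == "__main__":
    rows = load_extract(SAMPLE_CSV)
    print("sequence:", sequence_check(rows))
    print("duplicates:", duplicate_check(rows))
    print("recomputation exceptions:", recompute(rows))
    for band, (count, total) in stratify(rows).items():
        print(f"{band:>12}: {count} invoices, {total}")
```

Each function returns its exceptions rather than printing them so the results can be filed as documentary evidence (results of data extractions) and re-run identically later, which is what makes the work reviewable.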

CAATs: Things to consider
Cost benefit analysis
Ease of use
Training requirements
Complexity of coding and maintenance
Flexibility of uses
Installation requirements
Processing efficiencies
Effort required to get the source data into the CAAT

CAATs areas of concern
Integrity, reliability and security of the CAAT
Integrity of the IS and security environment
Confidentiality and security of data

CAATs things to do
Request read-only access to production data
Keep data confidential

CAATs development documentation
Commented program listings
Flowcharts
Sample reports
Record and file layouts
Field definitions
Operating instructions

Practice Question
1-6 The PRIMARY use of generalized audit software (GAS) is to:
A. test controls embedded in programs.
B. test unauthorized access to data.
C. extract data of relevance to the audit.
D. reduce the need for transaction vouching.

Evaluating evidence
Involves judgments based on experience
Use the evidence gathered to assess compliance with the control objectives
Assess strengths and weaknesses in controls to determine if these are effective in meeting the control objectives established in planning
A control matrix may be used to illustrate areas where controls may be weak or lacking
Always check for compensating controls before reporting a control weakness
A control objective may be met by a number of controls
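The control matrix idea above, as an added example that is not part of the course material. Control objectives, the controls mapped to each and the compliance-test outcomes are constructed; a control flagged as compensating is one that mitigates the objective even though it is not the primary designed control, so an objective is reported as a weakness only when neither kind of control is operating.

```python
"""Control matrix evaluation for the "evaluating evidence" step.

Added example, not course material. Objectives, controls and test results are
constructed; a compensating control is one that mitigates the objective
although it is not the primary designed control."""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Control:
    name: str
    effective: bool            # outcome of compliance testing
    compensating: bool = False


@dataclass
class ControlObjective:
    ref: str
    description: str
    controls: List[Control] = field(default_factory=list)


MET = "met"
MET_BY_COMPENSATING = "met by compensating control"
WEAKNESS = "weakness"


def evaluate_objective(obj: ControlObjective) -> str:
    """An objective may be met by any of several controls; report a weakness
    only when neither a primary nor a compensating control is effective."""
    effective = [c for c in obj.controls if c.effective]
    if any(not c.compensating for c in effective):
        return MET
    if effective:
        return MET_BY_COMPENSATING
    return WEAKNESS


def control_matrix(objectives: List[ControlObjective]) -> Dict[str, str]:
    """Objective reference -> status: the summary column of the matrix."""
    return {obj.ref: evaluate_objective(obj) for obj in objectives}


def weaknesses_to_report(objectives: List[ControlObjective]) -> List[str]:
    """Only these reach the report; the rest are documented as relied upon."""
    return [ref for ref, status in control_matrix(objectives).items() if status == WEAKNESS]


def render_matrix(objectives: List[ControlObjective]) -> str:
    """Text rendering of the matrix (* marks a compensating control, Y/N = effective)."""
    lines = [f"{'Objective':<10}{'Controls':<48}Status"]
    for obj in objectives:
        cells = ", ".join(
            f"{c.name}{'*' if c.compensating else ''}({'Y' if c.effective else 'N'})"
            for c in obj.controls) or "(none)"
        lines.append(f"{obj.ref:<10}{cells:<48}{evaluate_objective(obj)}")
    return "\n".join(lines)


# Constructed objectives and test results for an application review.
SAMPLE_OBJECTIVES = [
    ControlObjective("CO-1", "Only authorized users access the application", [
        Control("unique user IDs and passwords", effective=True)]),
    ControlObjective("CO-2", "Program changes are authorized before migration", [
        Control("change ticket approval", effective=False),
        Control("post-implementation review by operations", effective=True, compensating=True)]),
    ControlObjective("CO-3", "Batch totals reconcile input to output", [
        Control("automated batch total check", effective=False)]),
    ControlObjective("CO-4", "Terminated users are removed promptly", []),
]

if __name__ == "__main__":
    print(render_matrix(SAMPLE_OBJECTIVES))
    print("report as weaknesses:", weaknesses_to_report(SAMPLE_OBJECTIVES))
```

CO-2 is the case the slide warns about: the primary control failed its compliance test, but reporting it as a weakness without noting the compensating review would misstate the risk to management.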

Judging materiality of findings
Key: judging what is significant to different levels of management
Requires judgment of the potential effect of the finding if corrective action is not taken
The ISA decides what to discuss with the auditee and what to report

Communicating Audit Results
ISAs are ultimately responsible to senior management and to the Audit Committee of the Board of Directors
Before communicating the results of an audit to senior management, the ISA should discuss the findings with the management staff responsible for the area audited
Presentation techniques could include an executive summary and visual presentation

Audit Report Structure and Contents
Introduction, including a statement of audit objectives and scope and a general statement on the nature and extent of the audit procedures used during the audit
The ISA's overall conclusion and opinion on the adequacy of the controls and procedures examined during the audit
The ISA's reservations or qualifications with respect to the audit
Detailed audit findings and recommendations
Limitations of the audit
Statement of the IS guidelines followed

Management Actions to Implement Recommendations
The ISA will not be effective if audits are performed and reports issued, but no follow-up is done to determine if management has taken appropriate corrective actions
The ISA should have a follow-up program to determine if agreed corrective actions have been implemented
The timing of the follow-up will depend on the criticality of the findings and is subject to the ISA's judgment
The results of the follow-up should be communicated to the appropriate levels of management

Audit Documentation
Documentation should include, at a minimum, a record of:
The planning and preparation of the audit scope and objectives
The information system environment
The audit program
The audit steps performed and the audit evidence gathered
Audit findings, conclusions and recommendations
Any report issued as a result of the audit work
Supervisory review

Control Self-Assessment (CSA)
A management technique that assures stakeholders, customers and other parties that the internal control system of the business is reliable
It ensures that employees are aware of the risks to the business and that they conduct periodic reviews of controls
A methodology used to review key business objectives, the risks involved in achieving the business objectives and the internal controls designed to manage these business risks, in a formal, documented and collaborative process.
In CSA, management and working teams are directly involved in judging and monitoring the effectiveness of existing controls

Control Self-Assessment (CSA)
A CSA program can be implemented in various ways, ranging from the use of questionnaires to facilitated workshops
The primary objective is to leverage the internal audit function by shifting some of the control monitoring responsibilities to the functional areas.
A critical success factor (CSF) in CSA is to conduct a meeting with the business unit's representatives, including appropriate and relevant staff and management, to identify the business unit's primary objectives, i.e. to determine the purpose of the business unit and its supporting objectives
COBIT management guidelines provide generic sets of CSFs, KPIs and KGIs for each process, used in designing and monitoring a CSA program

Control Self-Assessment (CSA)

Control Self-Assessment (CSA)
Benefits of CSA
Early detection of risks
More effective and improved internal controls
Creation of cohesive teams through employee involvement
Increased employee awareness of organizational objectives and knowledge of risk and internal controls
Increased communication between operational and top management
Highly motivated employees
Improved audit rating processes
Reduction in control cost
Assurance provided to stakeholders and customers
Necessary assurance given to top management about the adequacy of internal controls, as required by the various regulatory agencies and laws, e.g. the Sarbanes-Oxley Act

Control Self-Assessment (CSA)
Disadvantages of CSA
It could be mistaken as a replacement for the audit function
It is regarded as an additional workload (e.g. one more report to be submitted to management)
Failure to act on improvement suggestions could damage employee morale.
Lack of motivation may limit effectiveness in the detection of weak controls

Auditors' Role in CSA
Auditors become internal control professionals and assessment facilitators
The auditors' role is enhanced when the audit department embarks on a CSA program
The auditors' value becomes more evident when management takes responsibility and ownership for the internal control systems under their authority, through process improvements in their control structures and active monitoring

Technology Drivers for CSA Program
A combination of hardware and software to support CSA selection
Use of electronic meeting systems and computer-supported decision aids to facilitate group decision making
In the case of the questionnaire approach, the same principle applies for the analysis and readjustment of the questionnaire

Traditional VS CSA Approach
In the traditional approach, the primary responsibility for analyzing and reporting on internal control and risk was assigned to auditors and, to a lesser extent, controller departments and outside consultants
This approach created and reinforced the notion that auditors and consultants, not management and work teams, are responsible for assessing and reporting on IC
The CSA approach emphasizes management and accountability over developing and monitoring the IC of an organization's sensitive and critical business processes

EMERGING CHANGES IN THE IS AUDIT PROCESS
Areas that address changes in the IS audit process in order to keep pace with innovations and technology include: automated work papers, integrated auditing and continuous auditing

Automated Work Papers
Specialized applications are used to automate audit working papers (e.g. risk analysis, audit programs, results, test evidence, conclusions, reports and other complementary information)
Although auditors often use office automation packages such as word processors or spreadsheets, standard audit work paper packages are being implemented in audit departments and are proving useful and appropriate in helping to facilitate audit work
When automating work papers, rules regarding the integrity, confidentiality and availability of audit records should be applied that are equivalent to those required for hard copy.

Automated Work Papers
Minimum controls include, but are not limited to:
Access to work papers
Audit trails
Automated features to provide and record approval
Security and integrity controls regarding the OS, DB and communication channels
Backup and restore procedures
Encryption techniques to provide confidentiality

Integrated Auditing
A process whereby audit disciplines are combined to assess key internal controls over an operation, process or entity.
The integrated approach focuses on risk. Risk assessment aims to understand and identify the risks arising from the entity and its environment
IT audit helps understand and identify risks in information management, IT infrastructure, IT governance and IT operations
Other audits seek to understand the organizational environment, business risks and business controls
IT systems provide a first line of preventive and detective controls, and an integrated audit depends on a sound assessment of their efficiency and effectiveness

Practice Question
1-7 Which of the following is MOST effective for implementing a control self-assessment (CSA) within business units?
A. Informal peer reviews
B. Facilitated workshops
C. Process flow narratives
D. Data flow diagrams

Integrated Auditing cont
The integrated audit process involves:
Identification of the relevant key controls
Reviewing and obtaining an understanding of the design of the key controls
Testing that the key controls are supported by the IT system
Testing that management controls operate effectively
A combined report or opinion on control risks, design and weaknesses

Continuous Auditing
A methodology that enables independent auditors to provide assurance on a subject matter using a series of auditors' reports issued simultaneously with, or a short period of time after, the occurrence of the events underlying the subject matter
Has an edge over periodic auditing because it captures internal control problems as they occur, thus preventing negative effects
Implementation can reduce audit inefficiencies such as delays, planning time, inefficiency of the audit process itself, overheads due to work segmentation etc.

Continuous Auditing cont
Drivers of continuous auditing include: better monitoring of financial issues within a company, ensuring that real-time transactions also benefit from real-time monitoring, prevention of financial and audit scandals (e.g. Enron and WorldCom), and the use of software to determine that financial controls are proper
Embedded audit modules allow an auditor to trap predefined types of events, or to directly inspect abnormal transactions
Continuous auditing often incorporates new information technology developments, the increased processing capabilities of current hardware and software, standards and artificial intelligence tools

Continuous Auditing cont..
For continuous auditing to succeed there must be:
A high degree of automation
An automated and highly reliable process for producing information about the subject matter soon after the occurrence of the events underlying the subject matter
Alarm triggers to report control failures in a timely manner
Implementation of highly automated audit tools that require the IS auditor to be involved in setting up the parameters
Quickly informing the IS auditor of the results of automated audit procedures, particularly when the process has identified anomalies or errors

Continuous Auditing cont..
For continuous auditing to succeed there must be (cont..):
Quick and timely issuance of automated audit reports
Technically proficient IS auditors
Availability of reliable sources of audit evidence
Adherence to materiality guidelines
Evaluation of cost factors
A change of mind-set, required for IS auditors to embrace continuous reporting

Continuous Auditing cont
IT techniques used in continuous auditing must work at all data levels (transactions and databases) and include:
Transaction logging
Query tools
Statistics and data analysis (CAAT)
Database Management System (DBMS)
Data warehouses, data marts, data mining
Artificial intelligence (AI)
Embedded audit modules (EAM)
Neural network technology
Standards such as Extensible Business Reporting Language (XBRL)
Advantages:
Instant capture of internal control problems
Reduction of intrinsic audit inefficiencies
Disadvantages:
Difficulty in implementation
High cost
Elimination of the auditor's personal judgment and evaluation
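An added example (not part of the course material) of the embedded audit module and alarm trigger described on the continuous auditing slides: the application's processing loop calls the module for every transaction, the module traps the predefined event types the IS auditor has parameterized, writes them to an audit log and raises an alarm for control failures. The thresholds, business hours, watch-list, user names and transactions are all constructed.

```python
"""Embedded audit module (EAM) sketch for continuous auditing.

Added example, not course material. The application calls the EAM for every
transaction it processes; the module traps the predefined event types the IS
auditor has parameterized, records them in an audit log and raises an alarm
trigger for control failures. Thresholds, users and transactions are
constructed."""
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Transaction:
    txn_id: str
    user: str               # initiator
    amount: float
    approver: Optional[str]  # second person who approved, if any
    timestamp: datetime


@dataclass
class AuditParameters:
    """Parameters set up by the IS auditor, not by the auditee (constructed values)."""
    approval_threshold: float = 10_000.0          # at/above this a second person must approve
    business_hours: Tuple[int, int] = (8, 18)     # start hour inclusive, end hour exclusive
    watchlist: frozenset = frozenset()            # users whose activity is always trapped


class EmbeddedAuditModule:
    """Passive hook: it never alters the transaction, it only records and alerts."""

    def __init__(self, params: AuditParameters):
        self.params = params
        self.audit_log: List[Tuple[str, str]] = []   # (txn_id, event type)
        self.alarms: List[str] = []                  # txn_ids with control failures

    def inspect(self, txn: Transaction) -> List[str]:
        """Trap predefined event types for one transaction; returns the events raised."""
        p = self.params
        events = []
        # Segregation of duties: large amounts need an approver other than the initiator
        if txn.amount >= p.approval_threshold and txn.approver in (None, txn.user):
            events.append("APPROVAL_CONTROL_FAILURE")
        start, end = p.business_hours
        if not start <= txn.timestamp.hour < end:
            events.append("OUTSIDE_BUSINESS_HOURS")
        if txn.user in p.watchlist:
            events.append("WATCHLIST_USER")
        for event in events:
            self.audit_log.append((txn.txn_id, event))
        if "APPROVAL_CONTROL_FAILURE" in events:
            self.alarms.append(txn.txn_id)   # alarm trigger: report the failure as it occurs
        return events


def process_transactions(txns, eam: EmbeddedAuditModule) -> int:
    """Stand-in for the application's posting loop; returns the count processed."""
    processed = 0
    for txn in txns:
        eam.inspect(txn)      # the trap runs inline with the transaction
        processed += 1        # application posting would happen here
    return processed


# Constructed transactions exercising each trap.
SAMPLE_TXNS = [
    Transaction("T1", "alice", 500.0, None, datetime(2010, 2, 8, 10, 0)),
    Transaction("T2", "alice", 25_000.0, None, datetime(2010, 2, 8, 11, 0)),
    Transaction("T3", "alice", 15_000.0, "alice", datetime(2010, 2, 8, 22, 0)),
    Transaction("T4", "contractor", 200.0, None, datetime(2010, 2, 8, 9, 0)),
    Transaction("T5", "alice", 12_000.0, "bob", datetime(2010, 2, 8, 9, 0)),
]

if __name__ == "__main__":
    eam = EmbeddedAuditModule(AuditParameters(watchlist=frozenset({"contractor"})))
    process_transactions(SAMPLE_TXNS, eam)
    print("audit log:", eam.audit_log)
    print("alarms:", eam.alarms)
```

The separation between `AuditParameters` and the module is the point the slides make about the IS auditor setting up the parameters: the auditee runs the application, but the auditor owns what gets trapped, and the log and alarms are the reliable, timely evidence source continuous auditing depends on.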

Continuous Auditing cont

Practice Question
1-8 The FIRST step in planning an audit is to:
A. define audit deliverables.
B. finalize the audit scope and audit objectives.
C. gain an understanding of the business's objectives.
D. develop the audit approach or audit strategy.

Practice Question
1-9 The approach an IS auditor should use to plan IS audit coverage should be based on:
A. risk.
B. materiality.
C. professional skepticism.
D. detective control.

Practice Question
1-10 A company performs a daily backup of critical data and software files and stores the backup tapes at an offsite location. The backup tapes are used to restore the files in case of a disruption. This is a:
A. preventive control.
B. management control.
C. corrective control.
D. detective control.