2016 CISA ® Review Course
Hafiz Sheikh Adnan Ahmed – CISA, COBIT 5, ISO 27001 LA
[PECB Certified Trainer]
Quick Reference Review
• IS Auditor Roles and associated Responsibilities
• Assurance Assignment vs Consulting Assignment
• Internal Audit Environment vs External Context
• Minimum audit planning requirements for an IS audit assignment
• ISACA Standards and ISACA guidelines for IS auditing
• Audit risk vs Business risk
• Role of audit evidence
• Compliance testing vs Substantive testing
1.2 Management of the IS Audit Function
• Ensures that diverse audit tasks fulfill audit function objectives
• Preserve audit independence and competence
1.2.1 Organization of the IS Audit Function
• IS audit services can be provided externally or internally
• IS audit can be part of internal audit, function as independent group, or be integrated
with other management audits
• The role of the IS internal audit function should be established by an audit charter approved by
senior management
• Clearly state management responsibility
• Objectives and delegation of authority
• Scope and responsibilities of audit functions
1.2.2 IS Audit Resource Management
• IS auditors to maintain their competency and proficiency
1.2.3 Audit Planning
Annual Planning:
• Both short term and long term planning
Audit Universe
• Lists all the processes that may be considered for the audit
• Subject to risk assessment
• Analysis of short and long-term issues should occur at least annually
Individual Audit Assignments
• Each individual audit must be planned
• Must consider system implementation / deadlines; current and future
technologies
1.2.4 Effect of laws & Regulations on Audit Planning
• Regardless of the size and complexity of the business, every organization needs to
comply with laws and regulations
1.3 ISACA IS Audit & Assurance Standards
& Guidelines
1.3.2 ISACA IS Audit & Assurance Standards
Framework
General
• 1001 Audit Charter
• 1002 Organizational Independence
• 1003 Professional Independence
• 1004 Reasonable Expectation
• 1005 Due Professional Care
• 1006 Proficiency
• 1007 Assertions
• 1008 Criteria
Performance
• 1201 Engagement Planning
• 1202 Risk Assessment in Planning
• 1203 Performance and Supervision
• 1204 Materiality
• 1205 Evidence
• 1206 Using the Work of Other Experts
• 1207 Irregularity and Illegal Acts
Reporting
• 1401 Reporting
• 1402 Follow-up Activities
1.3.3 ISACA IS Audit and Assurance Guidelines
• The objective of the ISACA IS Audit and Assurance Guidelines is to provide further
information on how to comply with ISACA IS Audit and Assurance Standards.
• The IS auditor should:
• Consider them in determining how to implement the above standards
• Use professional judgment in applying them to specific audits
• Be able to justify any departure from them
1.3.4 ISACA IS Audit & Assurance
Tools & Techniques
• Provide information on how to meet the standards when performing IS auditing
work, but DO NOT set requirements
1.3.5 Relationship Among Standards, Guidelines,
& Tools & Techniques
• Standards defined by ISACA are TO BE followed by the IS auditor
• Guidelines provide assistance on how the auditor can implement standards in
various audit assignments
• Tools and techniques provide examples of steps the auditor may follow in specific
audit assignments
1.3.6 Information Technology Assurance Framework
(ITAF)
• A comprehensive & good-practice-setting model:
• Provides guidance on the design, conduct and reporting of IS audit and assurance
assignments
• Defines terms and concepts specific to IS assurance
• Establishes standards that address IS audit and assurance professionals' roles and
responsibilities, knowledge and skills, and diligence, conduct and reporting requirements
• Includes three categories of standards – General, Performance and Reporting – as well as
Guidelines, Tools and Techniques
1.4 Risk Analysis
• Part of audit planning, and helps identify risks and vulnerabilities so the IS auditor
can determine the controls needed to mitigate those risks
• IS auditors must be able to identify and differentiate risk types and the controls
used to mitigate risks
• Risk = Combination of probability of an event and its consequence
1.5 Internal Controls
• Composed of policies, procedures, practices and organizational structures which
are implemented to reduce risks
• Provide reasonable assurance to management that business objectives will be
achieved and that risk events will be prevented, detected and corrected
• Operate at all levels of the organization to mitigate its exposure to risk
1.5.1 IS Control Objectives
• Control objectives are statements of the desired result or purpose to be achieved by
implementing control activities
• Provide a complete set of high-level requirements to be considered by management for
effective control of each IT process
• IS control objectives are:
• Statements of the desired result or purpose to be achieved
• Met through controls, i.e. policies, procedures, practices and organizational structures
• Designed to provide reasonable assurance that business objectives will be achieved
1.5.2 COBIT 5
• A comprehensive framework that assists in achieving the objectives for the
Governance and Management of enterprise IT
• Helps enterprises create optimal value from IT by maintaining a balance between
realizing benefits and optimizing risk levels and resource use
• Governance:
• Governance ensures that stakeholder needs, conditions and options are evaluated to
determine balanced, agreed-on-enterprise objectives to be achieved; setting direction
through prioritization and decision making; and monitoring performance and
compliance against agreed-on direction and objectives
• Management:
• Management plans, builds, runs and monitors activities in alignment with the
direction set by the governance body to achieve the enterprise objectives
1.5.3 General Controls
• Controls include policies, procedures, and practices established by management to
provide reasonable assurance that specific objectives will be achieved
• Internal accounting controls
• Operational controls
• Administrative controls
• Physical and logical security controls
1.5.4 IS Controls
• General controls to be translated into IS-specific controls
• Access to IT resources, including data and programs
• Operations procedures
• Systems programming and technical support functions
• QA procedures
• Physical access controls
• BCP/DRP
• Database Administration
• Networks and communications
1.6 Performing an IS Audit
• Plan the audit engagement
• Build the audit plan
• Execute the plan
• Monitor project activity
1.6.1 Classification of Audits
• Compliance Audits
• Financial Audits
• Operational Audits
• Integrated Audits
• Administrative Audits
• IS Audits
• Specialized Audits
• Forensic Audits
1.6.2 Audit Programs
• A step-by-step set of audit procedures and instructions that should be performed
to complete an audit
• It is the audit strategy and plan of audit
• Based on scope and objective of each assignment
• IS auditors evaluate against information criteria: security (confidentiality, integrity,
availability), quality (effectiveness, efficiency), fiduciary (compliance, reliability), service
and capacity
1.6.3 Audit Methodology
• A set of documented audit procedures designed to achieve planned audit
objectives
• Components include:
• Statement of Scope
• Statement of audit objectives
• Statement of audit programs
• Set up and approved by audit management
1.6.4 Fraud Detection
• IS auditors should be aware of the possibility and means of perpetrating fraud
• Should have knowledge and experience of fraud and fraud indicators
• Evaluate and communicate to appropriate authorities
• In case of major fraud or a major high-risk finding, audit management MUST communicate it
to the audit committee
1.6.5 Risk-Based Auditing
• Effective risk-based auditing is driven by two processes:
• The risk assessment that drives the audit schedule
• The risk assessment that minimizes the audit risk during the execution of an
audit
• This approach is also used to develop and improve the continuous audit process
• It helps the IS auditor decide whether to perform compliance testing or substantive testing
1.6.6 Audit Risk and Materiality
Audit Risk:
• The risk that the information being audited contains a material error that goes undetected
during the course of the audit
• Composed of inherent risk, control risk and detection risk
• The IS auditor must have a sound understanding of these audit risks when planning an audit
1.6.7 Risk Assessment and Treatment
• Risk assessment identifies, quantifies and prioritizes risks against the criteria for risk
acceptance and the objectives relevant to the organization
1.6.8 Risk Assessment Techniques
• One technique is a scoring system based on priority
• Another is simple classification, e.g. High, Medium, Low
• A third is judgmental, based on business knowledge, executive management directives,
historical perspective, business goals etc.
• A combination of all of these is usually used
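The three techniques above are usually applied together, and the result is what drives the audit schedule (1.6.5) using the definition of risk from 1.4. The following is an added example, not part of the course material or an ISACA artefact: a small risk-scored audit universe in Python. The 1..5 scales, the High/Medium/Low thresholds, the control-reliance factors, the review cycle per rating and the entities in the universe are all assumptions made for the illustration.

```python
"""Risk-scored audit universe (added example).

Combines a numeric score (likelihood x impact, the 1.4 definition of risk as a
combination of probability and consequence), a High/Medium/Low classification and a
judgmental adjustment, then derives this year's audit schedule from the result.
Scales, thresholds and review cycles are assumptions for the example.
"""
from dataclasses import dataclass
from typing import List

SCALE = range(1, 6)  # assumed 1..5 scale for both likelihood and impact


@dataclass
class AuditEntity:
    name: str
    likelihood: int              # probability of an adverse event: 1 rare .. 5 almost certain
    impact: int                  # consequence if it occurs: 1 minor .. 5 severe
    control_factor: float = 1.0  # reliance on existing controls: 1.0 none .. 0.4 strong (assumed)
    adjustment: int = 0          # judgmental add-on, e.g. regulator interest or a recent incident
    years_since_audit: int = 0


def inherent_score(likelihood: int, impact: int) -> int:
    """Risk as the combination of probability and consequence: here their product (1..25)."""
    if likelihood not in SCALE or impact not in SCALE:
        raise ValueError("likelihood and impact must be on the 1..5 scale")
    return likelihood * impact


def residual_score(e: AuditEntity) -> int:
    """Inherent score reduced for controls, shifted by the judgmental adjustment and
    clamped back onto 1..25 so the classification thresholds still apply."""
    score = round(inherent_score(e.likelihood, e.impact) * e.control_factor) + e.adjustment
    return max(1, min(25, score))


def classify(score: int) -> str:
    """Simple classification layered on top of the score (thresholds assumed)."""
    if score >= 15:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"


# Assumed review cycle per rating: High every year, Medium every 2 years, Low every 3.
REVIEW_CYCLE_YEARS = {"High": 1, "Medium": 2, "Low": 3}


def build_schedule(universe: List[AuditEntity], capacity: int) -> List[str]:
    """The risk assessment that drives the audit schedule: rank the universe by residual
    score, keep the entities whose review cycle has elapsed, fit to audit capacity."""
    ranked = sorted(universe, key=residual_score, reverse=True)  # stable: ties keep input order
    due = [e for e in ranked
           if e.years_since_audit >= REVIEW_CYCLE_YEARS[classify(residual_score(e))]]
    return [e.name for e in due[:capacity]]


# Constructed audit universe for the example (not from the course material).
UNIVERSE = [
    AuditEntity("Payroll application", 3, 5, control_factor=0.6, adjustment=2, years_since_audit=2),
    AuditEntity("Customer portal (internet facing)", 4, 5, control_factor=0.8, years_since_audit=1),
    AuditEntity("Privileged access management", 4, 4, control_factor=0.5, adjustment=3, years_since_audit=3),
    AuditEntity("Backup and disaster recovery", 3, 4, control_factor=0.7, years_since_audit=1),
    AuditEntity("Internal wiki", 2, 2, years_since_audit=1),
]

if __name__ == "__main__":
    for e in sorted(UNIVERSE, key=residual_score, reverse=True):
        print(f"{e.name:36} residual={residual_score(e):2d} rating={classify(residual_score(e))}")
    print("This year's audits (capacity 2):", build_schedule(UNIVERSE, capacity=2))
```

Two entities with the same residual score (payroll and privileged access, both 11) stay in the order the universe lists them; that is where the judgmental input belongs in practice, since the score alone cannot break such ties. Entities not yet due are carried forward, which is why the annual re-assessment of the universe (1.2.3) matters: a changed likelihood or a new incident can move an entity into this year's schedule.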
1.6.9 Audit Objectives
• It refers to specific goals that must be accomplished by the audit
• Focus on substantiating that internal controls exist to minimize risks and they function as
expected
• A key element in planning an IS audit is to translate basic audit objective into specific IS
audit objectives
• Basic purpose of any IS audit is to identify “control objectives” and the related controls
that address that objective
• “Control objective” refers to how an internal control should function
1.6.10 Compliance vs. Substantive Testing
• The level of internal control determines the amount of substantive testing required: the
stronger the controls, the less substantive testing is needed
• If compliance tests show that internal controls are adequate, the substantive procedures
can be minimized
Compliance Testing:
• Tests an organization’s compliance with control procedures
• Determines whether controls are being applied in a manner that complies with management
policies and procedures
• Provides IS auditors with reasonable assurance that a particular control is operating as
expected
• Used to test the existence and effectiveness of a defined process
Substantive Testing:
• Evaluates the integrity of individual transactions, data or other information
• Substantiates the integrity of actual processing
• Normally used to test for monetary errors directly affecting financial statement balances
1.6.11 Evidence
• Any information used by the IS auditor to determine whether the entity or data
being audited follows the established criteria or objectives
• May include auditor’s observations, notes taken from the interviews, results of
independent confirmations, documentation, results of audit test procedures etc.
• The “quality” and “quantity” of evidence must be assessed by the IS auditor
• Referred to as “competent (quality)” and “sufficient (quantity)”
• Evidence is “competent” when it is both valid and relevant
• Techniques for gathering evidence:
• Reviewing IS organizational structures
• Reviewing IS policies and procedures
• Reviewing IS standards
• Reviewing IS documentation
• Interviewing appropriate personnel
• Observing processes and employee performance
• Walkthroughs
1.6.12 Interviewing & Observing personnel in
performance of their duties
• Assists IS auditors in identifying:
• Actual functions
• Actual processes/procedures
• Security awareness
• Reporting relationships
• Observation drawbacks
1.6.13 Sampling
• Used when time and cost preclude a total verification of all transactions or events
in a pre-defined population
• Two general approaches:
• Statistical Sampling
• Objective method of determining the sample size and selection criteria
• Uses the mathematical laws of probability to:
• Calculate the sampling size
• Select the sample items
• Evaluate the sample results and make the inference
• Quantitatively decides how closely the sample should represent the
population
• Represented as a percentage
• Non-statistical Sampling
• Uses auditor judgment to determine the method of sampling, the number of
items that will be examined from a population and which items to select
• Based on subjective judgment
• Two primary methods of sampling:
• Attribute sampling
• Generally applied in compliance tests
• Variable sampling
• Generally applied in substantive tests
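The pairing in 1.6.10 and 1.6.13 (attribute sampling for compliance tests, variable sampling for substantive tests) is easiest to see with numbers. The block below is an added example in Python, not course material or an ISACA tool: it derives an attribute sample size from the auditor's confidence level and tolerable deviation rate using the laws of probability mentioned above, selects the sample reproducibly, evaluates the deviations found, and then projects a population total from a variable sample. The population of change tickets, the seed values and the 95 %/5 % parameters are assumptions for the illustration.

```python
"""Attribute sampling for a compliance test and variable sampling for a substantive
test (added example). The population of change tickets is constructed; confidence
level and tolerable deviation rate are the auditor's inputs, not fixed ISACA values."""
import math
import random
from statistics import mean, stdev
from typing import Iterable, List, Tuple


def attribute_sample_size(confidence: float, tolerable_rate: float) -> int:
    """Sample size for attribute sampling with zero expected deviations: the smallest n
    for which a clean sample would occur with probability <= 1 - confidence if the
    true deviation rate were as high as tolerable_rate, i.e. (1 - rate)^n <= 1 - conf."""
    if not 0 < confidence < 1 or not 0 < tolerable_rate < 1:
        raise ValueError("confidence and tolerable_rate must lie strictly between 0 and 1")
    return math.ceil(math.log(1 - confidence) / math.log(1 - tolerable_rate))


def binomial_cdf(k: int, n: int, p: float) -> float:
    """P(X <= k) for X ~ Binomial(n, p); exact, no SciPy needed."""
    return sum(math.comb(n, i) * p ** i * (1 - p) ** (n - i) for i in range(k + 1))


def control_reliable(n: int, deviations: int, confidence: float, tolerable_rate: float) -> bool:
    """Compliance-test conclusion. The control is accepted only if observing this few
    deviations would be unlikely (probability <= 1 - confidence) were the true rate as
    high as the tolerable rate. Otherwise the auditor cannot rely on the control and
    must extend substantive testing."""
    return binomial_cdf(deviations, n, tolerable_rate) <= 1 - confidence


def select_sample(population_ids: Iterable[str], n: int, seed: int) -> List[str]:
    """Statistical selection: every item has the same chance of being chosen; the seed
    is recorded in the workpapers so a reviewer can reproduce the selection."""
    return sorted(random.Random(seed).sample(list(population_ids), n))


def mean_per_unit_estimate(sample_values: List[float], population_size: int,
                           z: float = 1.96) -> Tuple[float, float]:
    """Variable sampling for a substantive test: project the sample mean onto the
    population and give a +/- precision interval (z = 1.96 is roughly 95 %).
    Finite-population correction is omitted for brevity."""
    n = len(sample_values)
    estimate = mean(sample_values) * population_size
    precision = z * stdev(sample_values) / math.sqrt(n) * population_size
    return estimate, precision


# Constructed population: 500 change tickets; every 40th one lacks the required approval.
TICKETS = {f"CHG-{i:04d}": {"approved": i % 40 != 0, "cost": 150.0 + (i % 9) * 40}
           for i in range(1, 501)}


def compliance_test(confidence: float = 0.95, tolerable_rate: float = 0.05,
                    seed: int = 2016) -> Tuple[int, int, bool]:
    """Attribute sample over TICKETS: (sample size, deviations found, control reliable?)."""
    n = attribute_sample_size(confidence, tolerable_rate)
    sample = select_sample(TICKETS, n, seed)
    deviations = sum(not TICKETS[t]["approved"] for t in sample)
    return n, deviations, control_reliable(n, deviations, confidence, tolerable_rate)


if __name__ == "__main__":
    n, found, ok = compliance_test()
    print(f"attribute sample: n={n}, deviations={found}, control reliable={ok}")
    sample = select_sample(TICKETS, 60, seed=7)
    est, prec = mean_per_unit_estimate([TICKETS[t]["cost"] for t in sample], len(TICKETS))
    print(f"variable sample: projected total cost {est:,.0f} +/- {prec:,.0f}")
```

With 95 % confidence and a 5 % tolerable rate the formula gives 59 items, the figure found in standard zero-expected-deviation tables; a single deviation in those 59 is enough to reject reliance on the control, which is exactly the point at which the auditor switches from minimizing to extending substantive procedures.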
1.6.14 Using the services of other auditors & experts
• The following should be considered with regards to using the services of other
auditors and experts:
• Restrictions on outsourcing of audit/security services provided by laws and
regulations
• Audit charter
• Impact on overall and specific IS audit objectives
• Impact on IS audit risk and professional liability
• Independence and objectivity of other auditors and experts
• Professional competence
• Scope of work
• Supervisory and audit management controls
• Compliance with applicable laws, regulations and standards
1.6.15 Computer-Assisted Audit Techniques (CAAT)
• An important tool in gathering evidence from different auditing environments
• Enable IS auditors to gather information independently
• Include many types of tools and techniques such as:
• GAS (Generalized audit software)
• Utility software
• Debugging and scanning software
• Test data
• Application software tracing and mapping
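Generalized audit software is, in practice, a set of queries the auditor runs independently over an extract of the auditee's data. The following is an added example, not course material or a product feature, of what such a CAAT run looks like in Python over a constructed accounts-payable extract: duplicate payments, large payments with no recorded approver, self-approval (a segregation-of-duties breach) and out-of-hours entry. The CSV rows, the 5,000 approval threshold and the 07:00 to 19:59 business-hours window are assumptions for the illustration.

```python
"""Generalized-audit-software style tests over a constructed payment extract (added example)."""
import csv
import io
from collections import defaultdict
from datetime import datetime
from typing import Dict, List

# Constructed extract (not real data): one row per payment, as an AP system might export it.
PAYMENTS_CSV = """payment_id,vendor_id,amount,approved_by,entered_by,timestamp
P001,V100,1200.00,alice,bob,2016-03-01T10:15:00
P002,V100,1200.00,alice,bob,2016-03-01T10:16:00
P003,V220,9800.00,,carol,2016-03-02T09:00:00
P004,V220,15000.00,carol,carol,2016-03-02T23:40:00
P005,V305,450.00,dave,erin,2016-03-03T14:05:00
P006,V305,450.00,dave,erin,2016-03-10T14:05:00
"""

APPROVAL_THRESHOLD = 5000.00   # assumed policy: payments above this need a recorded approver
BUSINESS_HOURS = range(7, 20)  # assumed: entries expected between 07:00 and 19:59


def load_payments(text: str) -> List[dict]:
    """Parse the extract and type the fields the tests depend on."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["amount"] = float(r["amount"])
        r["timestamp"] = datetime.fromisoformat(r["timestamp"])
    return rows


def duplicate_payments(rows: List[dict]) -> List[List[str]]:
    """Same vendor and amount on the same calendar day: candidate duplicate payment."""
    buckets = defaultdict(list)
    for r in rows:
        buckets[(r["vendor_id"], r["amount"], r["timestamp"].date())].append(r["payment_id"])
    return [ids for ids in buckets.values() if len(ids) > 1]


def unapproved_large_payments(rows: List[dict]) -> List[str]:
    """Authorization control: large payments must carry an approver."""
    return [r["payment_id"] for r in rows
            if r["amount"] > APPROVAL_THRESHOLD and not r["approved_by"]]


def self_approved(rows: List[dict]) -> List[str]:
    """Segregation of duties: the person who entered a payment must not approve it."""
    return [r["payment_id"] for r in rows
            if r["approved_by"] and r["approved_by"] == r["entered_by"]]


def out_of_hours(rows: List[dict]) -> List[str]:
    """Entries outside business hours are not errors by themselves, but are flagged for follow-up."""
    return [r["payment_id"] for r in rows if r["timestamp"].hour not in BUSINESS_HOURS]


def run_caat(text: str) -> Dict[str, list]:
    """Run every test over the extract and return the exceptions per test for the workpapers."""
    rows = load_payments(text)
    return {
        "duplicates": duplicate_payments(rows),
        "unapproved_large": unapproved_large_payments(rows),
        "self_approved": self_approved(rows),
        "out_of_hours": out_of_hours(rows),
    }


if __name__ == "__main__":
    for test, exceptions in run_caat(PAYMENTS_CSV).items():
        print(f"{test:18} {exceptions}")
```

Each function returns the exception list rather than printing it, so the same run can feed the evidence file and be re-executed by a reviewer against the same extract. P005 and P006 share vendor and amount but fall on different days, so the duplicate test leaves them alone; a looser rule (same vendor and amount within a week) would catch them and is the kind of parameter the auditor tunes against the population being examined.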
1.6.16 Evaluation of Strengths & Weaknesses
• IS auditors should assess the strengths and weaknesses of the controls evaluated
• A control matrix is used to assess the level of control
• One strong control may compensate for a weak control in another area
• A control objective is achieved NORMALLY by multiple controls
1.6.17 Communicating Audit Results
• Exit Interviews
• Executive Summary
• Audit Report
• Visual Presentation
• Before communicating the results to the senior management, the IS auditor should
discuss the findings with the management/staff of the audited entity
• The IS auditor makes the final decision about what to include in or exclude from the audit report
• Usually a balanced report BUT must exercise independence
1.6.18 Management Implementation of
Recommendations
• A follow-up program determines whether findings have been addressed and corrective actions
implemented
• Management should develop a firm program for corrective actions
1.6.19 Audit Documentation
1.7 Control Self-Assessment (CSA)
• An assessment of controls made by the staff and management of the unit/units
involved
• A methodology used to review key business objectives, risks involved in achieving
the business objectives and internal controls designed to manage these business
risks
• Ranging from questionnaires to workshops
1.7.1 Objectives of CSA
• Primary objective is to leverage the internal audit function by shifting some of the
control monitoring responsibilities to the functional areas
• NOT intended to replace audit activities BUT to enhance them
1.7.2 Benefits of CSA
1.7.3 Disadvantages of CSA
1.7.4 Auditor role in CSA
• Auditors become internal control professionals and facilitators
• Lead and guide the auditees in assessing their environment by providing insight
about the objectives of controls based on risk assessment
1.7.5 Technology Drivers for CSA
• Combination of Hardware and Software to support CSA selection
1.7.6 Traditional vs. CSA Approach
1.8 The Evolving IS Audit Process
• This includes:
• Integrated auditing
• Continuous auditing
1.8.1 Integrated Auditing
• A process whereby appropriate audit disciplines are combined to
assess key internal controls over an operation, process, or entity
• Focuses on risk
• Aims to understand and identify risks arising from the entity & its
environment, including relevant internal controls
1.8.2 Continuous Auditing
• Continuous Auditing:
• A methodology that enables independent auditors to provide written assurance on a
subject matter using a series of auditors’ reports issued simultaneously with, or a
short period of time after, the occurrence of events underlying the subject matter
• Continuous Monitoring:
• Based on automated procedures to meet fiduciary responsibilities. E.g. real-time AV
or IDS
Self-Assessment Questions
1. Which of the following outlines the overall authority to perform an
IS audit?
a) The audit scope, with goals and objectives
b) A request from management to perform the audit
c) The approved audit charter
d) The approved audit schedule
2. While developing a risk-based audit program, on which of the
following would the IS auditor MOST likely focus?
a) Business processes
b) Critical IT applications
c) Operational controls
d) Business strategies
3. Which of the following is the MOST important reason why an audit
planning process should be reviewed at periodic intervals?
a) To plan for deployment of available audit resources
b) To consider changes to the risk environment
c) To provide inputs for documentation of the audit charter
d) To identify the applicable IS audit standards
4. The FIRST step in planning an audit is to:
a) Define audit deliverables
b) Finalize the audit scope and audit objectives
c) Gain an understanding of the business’ objectives
d) Develop the audit approach or audit strategy
Answers
1. (c) The approved audit charter
2. (a) Business Processes
3. (b) To consider changes to the risk environment
4. (c) Gain an understanding of the business’ objectives
CISA Training - Chapter 1 - 2016

GenAI Risks & Security Meetup 01052024.pdf
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 

CISA Training - Chapter 1 - 2016

2016 CISA ® Review Course
Hafiz Sheikh Adnan Ahmed – CISA, COBIT 5, ISO 27001 LA
[PECB Certified Trainer]

Quick Reference Review
• IS Auditor Roles and associated Responsibilities
• Assurance Assignment vs Consulting Assignment
• Internal Audit Environment vs External Context
• Minimum audit planning requirements for an IS audit assignment
• ISACA Standards and ISACA guidelines for IS auditing
• Audit risk vs Business risk
• Role of audit evidence
• Compliance testing vs Substantive testing

1.2 Management of the IS Audit Function
• Ensures that diverse audit tasks fulfill audit function objectives
• Preserves audit independence and competence

1.2.1 Organization of the IS Audit Function
• IS audit services can be provided externally or internally
• IS audit can be part of internal audit, function as an independent group, or be integrated with other management audits
• The role of the IS internal audit function should be established by an audit charter approved by senior management
• The audit charter should clearly state:
  • Management responsibility
  • Objectives and delegation of authority
  • Scope and responsibilities of the audit function

1.2.2 IS Audit Resource Management
• IS auditors are to maintain their competency and proficiency

1.2.3 Audit Planning
Annual Planning:
• Both short-term and long-term planning
Audit Universe:
• Lists all the processes that may be considered for audit
• Subject to risk assessment
• Analysis of short- and long-term issues should occur at least annually
Individual Audit Assignments:
• Each individual audit must be planned
• Must consider system implementation deadlines and current and future technologies

1.2.4 Effect of Laws & Regulations on Audit Planning
• Regardless of the size and complexity of the business, every organization needs to comply with laws and regulations

1.3 ISACA IS Audit & Assurance Standards & Guidelines

1.3.2 ISACA IS Audit & Assurance Standards Framework
General
• 1001 Audit Charter
• 1002 Organizational Independence
• 1003 Professional Independence
• 1004 Reasonable Expectation
• 1005 Due Professional Care
• 1006 Proficiency
• 1007 Assertions
• 1008 Criteria
Performance
• 1201 Engagement Planning
• 1202 Risk Assessment in Planning
• 1203 Performance and Supervision
• 1204 Materiality
• 1205 Evidence
• 1206 Using the Work of Other Experts
• 1207 Irregularity and Illegal Acts
Reporting
• 1401 Reporting
• 1402 Follow-up Activities

1.3.3 ISACA IS Audit and Assurance Guidelines
• The objective of the ISACA IS Audit and Assurance Guidelines is to provide further information on how to comply with the ISACA IS Audit and Assurance Standards
• The IS auditor should:
  • Consider them in determining how to implement the above standards
  • Use professional judgment in applying them to specific audits
  • Be able to justify any difference

1.3.4 ISACA IS Audit & Assurance Tools & Techniques
• Provide information on how to meet the standards when performing IS audit work, but DO NOT set requirements

1.3.5 Relationship Among Standards, Guidelines, & Tools & Techniques
• Standards defined by ISACA are TO BE followed by the IS auditor
• Guidelines provide assistance on how the auditor can implement standards in various audit assignments
• Tools and techniques provide examples of steps the auditor may follow in specific audit assignments

1.3.6 Information Technology Assurance Framework (ITAF)
• A comprehensive and good-practice-setting model that:
  • Provides guidance on the design, conduct and reporting of IS audit and assurance assignments
  • Defines terms and concepts specific to IS assurance
  • Establishes standards that address IS audit and assurance professionals' roles and responsibilities, knowledge and skills, and diligence, conduct and reporting requirements
  • Includes three categories of standards – General, Performance and Reporting – as well as Guidelines, Tools and Techniques
1.4 Risk Analysis
• Part of audit planning; helps identify risks and vulnerabilities so the IS auditor can determine the controls needed to mitigate those risks
• IS auditors must be able to identify and differentiate risk types and the controls used to mitigate risks
• Risk = combination of the probability of an event and its consequence

1.5 Internal Controls
• Composed of policies, procedures, practices and organizational structures which are implemented to reduce risks
• Provide reasonable assurance to management that business objectives will be achieved and risk events will be prevented, detected and corrected
• Operate at all levels of the organization to mitigate its exposure to risks

1.5.1 IS Control Objectives
• Control objectives are statements of the desired result or purpose to be achieved by implementing control activities
• Provide a complete set of high-level requirements to be considered by management for effective control of each IT process
• IS control objectives are:
  • Statements of the desired result or purpose to be achieved
  • Comprised of policies, procedures, practices and organizational structures
  • Designed to provide reasonable assurance that business objectives will be achieved

1.5.2 COBIT 5
• A comprehensive framework that assists in achieving the objectives for the governance and management of enterprise IT
• Helps enterprises create optimal value from IT by maintaining a balance between realizing benefits and optimizing risk levels and resource use
• Governance:
  • Governance ensures that stakeholder needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved; sets direction through prioritization and decision making; and monitors performance and compliance against the agreed-on direction and objectives
• Management:
  • Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives

1.5.3 General Controls
• Controls include policies, procedures and practices established by management to provide reasonable assurance that specific objectives will be achieved:
  • Internal accounting controls
  • Operational controls
  • Administrative controls
  • Physical and logical security controls

1.5.4 IS Controls
• General controls are to be translated into IS-specific controls covering:
  • Access to IT resources, including data and programs
  • Operations procedures
  • Systems programming and technical support functions
  • QA procedures
  • Physical access controls
  • BCP/DRP
  • Database administration
  • Networks and communications
1.6 Performing an IS Audit
• Plan the audit engagement
• Build the audit plan
• Execute the plan
• Monitor project activity

1.6.1 Classification of Audits
• Compliance audits
• Financial audits
• Operational audits
• Integrated audits
• Administrative audits
• IS audits
• Specialized audits
• Forensic audits

1.6.2 Audit Programs
• A step-by-step set of audit procedures and instructions that should be performed to complete an audit
• It is the audit strategy and plan of the audit
• Based on the scope and objective of each assignment
• IS auditors evaluate based on Security (C, I, A), Quality (E, E), Fiduciary (C, R), service and capacity

1.6.3 Audit Methodology
• A set of documented audit procedures designed to achieve planned audit objectives
• Components include:
  • Statement of scope
  • Statement of audit objectives
  • Statement of audit programs
• Set up and approved by audit management

1.6.4 Fraud Detection
• IS auditors should be aware of the possibility and means of perpetrating fraud
• Should have knowledge and experience of fraud and fraud indicators
• Evaluate and communicate to the appropriate authorities
• In case of major fraud or major high risk, audit management MUST communicate to the audit committee

1.6.5 Risk-Based Auditing
• Effective risk-based auditing is driven by two processes:
  • The risk assessment that drives the audit schedule
  • The risk assessment that minimizes the audit risk during the execution of an audit
• This approach is adapted to develop and improve the continuous audit process
• Assists the IS auditor in deciding whether to perform compliance testing or substantive testing

1.6.6 Audit Risk and Materiality
Audit Risk:
• The risk that information may contain a material error that may go undetected during the course of the audit
• The IS auditor should have a sound understanding of these audit risks when planning an audit

1.6.7 Risk Assessment and Treatment
• Risk assessment identifies, quantifies and prioritizes risks against criteria for risk acceptance and objectives relevant to the organization

1.6.8 Risk Assessment Techniques
• One technique is a scoring system based on priority
• Another is simple classification, i.e. High, Medium, Low
• Another technique is judgmental, based on business knowledge, executive management directives, historical perspectives, business goals, etc.
• A combination of all of these is usually used

1.6.9 Audit Objectives
• Refer to the specific goals that must be accomplished by the audit
• Focus on substantiating that internal controls exist to minimize risks and that they function as expected
• A key element in planning an IS audit is to translate the basic audit objective into specific IS audit objectives
• The basic purpose of any IS audit is to identify "control objectives" and the related controls that address each objective
• "Control objective" refers to how an internal control should function
1.6.10 Compliance vs. Substantive Testing
• Direct correlation between the level of internal controls and the amount of substantive testing required
• If compliance tests reveal the presence of adequate internal controls, the substantive procedures can be minimized
Compliance Testing:
• Tests an organization's compliance with control procedures
• Determines if the controls being applied comply with management policies and procedures
• Provides IS auditors with reasonable assurance that a particular control is operating as expected
• Used to test the existence and effectiveness of a defined process
Substantive Testing:
• Evaluates the integrity of individual transactions, data or other information
• Substantiates the integrity of actual processing
• Normally used to test for monetary errors directly affecting financial statement balances

1.6.11 Evidence
• Any information used by the IS auditor to determine whether the entity or data being audited follows the established criteria or objectives
• May include the auditor's observations, notes taken from interviews, results of independent confirmations, documentation, results of audit test procedures, etc.
• The "quality" and "quantity" of evidence must be assessed by the IS auditor
• Referred to as "competent (quality)" and "sufficient (quantity)"
• Evidence is "competent" when it is both valid and relevant
• Techniques for gathering evidence:
  • Reviewing IS organizational structures
  • Reviewing IS policies and procedures
  • Reviewing IS standards
  • Reviewing IS documentation
  • Interviewing appropriate personnel
  • Observing processes and employee performance
  • Walkthroughs

1.6.12 Interviewing & Observing Personnel in Performance of Their Duties
• Assists IS auditors in identifying:
  • Actual functions
  • Actual processes/procedures
  • Security awareness
  • Reporting relationships
• Observation drawbacks

1.6.13 Sampling
• Used when time and cost preclude a total verification of all transactions or events in a pre-defined population
• Two general approaches:
  • Statistical sampling
    • Objective method of determining the sample size and selection criteria
    • Uses the mathematical laws of probability to:
      • Calculate the sample size
      • Select the sample items
      • Evaluate the sample results and make the inference
    • Quantitatively decides how closely the sample should represent the population
    • Represented as a percentage
  • Non-statistical sampling
    • Uses auditor judgment to determine the method of sampling, the number of items that will be examined from a population, and which items to select
    • Based on subjective judgment
• Two primary methods of sampling:
  • Attribute sampling
    • Generally applied in compliance tests
  • Variable sampling
    • Generally applied in substantive tests
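Attribute sampling in a compliance test, and how its outcome feeds the compliance-vs-substantive decision of 1.6.10, as an added Python example that is not part of the deck or of any ISACA material. It sizes an attribute sample under a binomial model, computes the achieved upper deviation limit from the sample results, and concludes whether the control can be relied on (so substantive testing is reduced) or not (so it is extended). The 95% confidence, 5% tolerable and 1% expected deviation rates are conventional textbook parameters chosen here, the function names are the example's own, and the change-ticket records are constructed.

```python
"""Attribute sampling for an IS compliance test (added example, not from
the CISA deck). Binomial model; the confidence / tolerable / expected
deviation rates are conventional illustrative parameters; the sampled
change-ticket records are constructed."""
import math


def binomial_cdf(k: int, n: int, p: float) -> float:
    """P(X <= k) for X ~ Binomial(n, p): the chance of finding at most k
    deviations in n sampled items when the population deviation rate is p."""
    return sum(math.comb(n, i) * p ** i * (1 - p) ** (n - i)
               for i in range(k + 1))


def attribute_sample_size(confidence: float, tolerable_rate: float,
                          expected_rate: float, max_n: int = 10_000) -> int:
    """Smallest n such that, if the true deviation rate equalled the tolerable
    rate, seeing no more than the expected number of deviations
    (ceil(expected_rate * n)) would have probability <= 1 - confidence.
    Reproduces the commonly published attribute-sampling table values, e.g.
    59 items for 95% / 5% / 0% expected and 93 items for 95% / 5% / 1%."""
    if not 0 <= expected_rate < tolerable_rate < 1:
        raise ValueError("expected rate must be below the tolerable rate")
    for n in range(1, max_n + 1):
        k = math.ceil(expected_rate * n)
        if binomial_cdf(k, n, tolerable_rate) <= 1 - confidence:
            return n
    raise ValueError("no sample size found within max_n")


def upper_deviation_limit(n: int, deviations: int, confidence: float) -> float:
    """Achieved upper deviation limit: the smallest population deviation rate p
    for which P(X <= deviations) <= 1 - confidence, i.e. the highest rate the
    sample is still consistent with at that confidence. Found by bisection,
    since the binomial tail decreases monotonically in p."""
    if deviations >= n:
        return 1.0
    lo, hi = 0.0, 1.0
    for _ in range(60):
        mid = (lo + hi) / 2
        if binomial_cdf(deviations, n, mid) > 1 - confidence:
            lo = mid          # rate still plausible, the limit lies higher
        else:
            hi = mid
    return hi


def evaluate_compliance_test(sample: list, tolerable_rate: float,
                             confidence: float) -> dict:
    """Run the compliance test over the sampled control records and decide
    whether the control can be relied on (substantive testing reduced, per
    1.6.10) or whether substantive testing must be extended."""
    n = len(sample)
    deviations = sum(1 for rec in sample if not rec["approved_before_deploy"])
    udl = upper_deviation_limit(n, deviations, confidence)
    rely = udl <= tolerable_rate
    return {
        "sample_size": n,
        "deviations": deviations,
        "upper_deviation_limit": round(udl, 4),
        "rely_on_control": rely,
        "substantive_testing": "reduced" if rely else "extended",
    }


# Constructed sample of change tickets; the control attribute tested is
# "change was approved before deployment". One clean sample and one copy in
# which two tickets lack approval.
SAMPLE_SIZE = attribute_sample_size(0.95, 0.05, 0.0)   # 59 items

CLEAN_SAMPLE = [{"ticket": f"CHG-{i:04d}", "approved_before_deploy": True}
                for i in range(1, SAMPLE_SIZE + 1)]
FAILING_SAMPLE = [dict(rec, approved_before_deploy=rec["ticket"]
                       not in ("CHG-0007", "CHG-0023"))
                  for rec in CLEAN_SAMPLE]

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_SAMPLE),
                          ("two deviations", FAILING_SAMPLE)):
        print(label, evaluate_compliance_test(sample, 0.05, 0.95))
```

With zero deviations in 59 items the upper deviation limit lands just under the 5% tolerable rate, so the control is relied on; two deviations in the same sample push the limit above 10%, and the auditor extends substantive testing instead. Variable sampling for substantive tests would use a different estimator (mean-per-unit or difference estimation) and is not covered here.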
1.6.14 Using the Services of Other Auditors & Experts
• The following should be considered with regard to using the services of other auditors and experts:
  • Restrictions on outsourcing of audit/security services imposed by laws and regulations
  • Audit charter
  • Impact on overall and specific IS audit objectives
  • Impact on IS audit risk and professional liability
  • Independence and objectivity of other auditors and experts
  • Professional competence
  • Scope of work
  • Supervisory and audit management controls
  • Compliance with applicable laws, regulations and standards

1.6.15 Computer-Assisted Audit Techniques (CAATs)
• An important tool for gathering evidence from different auditing environments
• Enable IS auditors to gather information independently
• Include many types of tools and techniques such as:
  • GAS (generalized audit software)
  • Utility software
  • Debugging and scanning software
  • Test data
  • Application software tracing and mapping

1.6.16 Evaluation of Strengths & Weaknesses
• IS auditors should assess the strengths and weaknesses of the controls evaluated
• A control matrix is utilized in assessing the level of controls
• One strong control may compensate for a weak control in another area
• A control objective is NORMALLY achieved by multiple controls

1.6.17 Communicating Audit Results
• Exit interviews
• Executive summary
• Audit report
• Visual presentation
• Before communicating the results to senior management, the IS auditor should discuss the findings with the management/staff of the audited entity
• The IS auditor should make the final decision about what to include in or exclude from the audit report
• Usually a balanced report, BUT the auditor must exercise independence

1.6.18 Management Implementation of Recommendations
• A follow-up program to determine if findings and corrective actions have been implemented
• Management is to develop a firm program for corrective actions
1.7 Control Self-Assessment (CSA)
• An assessment of controls made by the staff and management of the unit(s) involved
• A methodology used to review key business objectives, the risks involved in achieving those objectives, and the internal controls designed to manage these business risks
• Ranges from questionnaires to workshops

1.7.1 Objectives of CSA
• The primary objective is to leverage the internal audit function by shifting some of the control monitoring responsibilities to the functional areas
• NOT intended to replace audit activities BUT to enhance them

1.7.4 Auditor Role in CSA
• Auditors become internal control professionals and facilitators
• Lead and guide the auditees in assessing their environment by providing insight about the objectives of controls based on risk assessment

1.7.5 Technology Drivers for CSA
• Combination of hardware and software to support CSA selection

1.8 The Evolving IS Audit Process
• This includes:
  • Integrated auditing
  • Continuous auditing

1.8.1 Integrated Auditing
• A process whereby appropriate audit disciplines are combined to assess key internal controls over an operation, process or entity
• Focuses on risk
• Aims to understand and identify risks arising from the entity and its environment, including relevant internal controls

1.8.2 Continuous Auditing
Continuous Auditing:
• A methodology that enables independent auditors to provide written assurance on a subject matter using a series of auditors' reports issued simultaneously with, or a short period of time after, the occurrence of the events underlying the subject matter
Continuous Monitoring:
• Based on automated procedures to meet fiduciary responsibilities, e.g. real-time AV or IDS

Self-Assessment Questions
1. Which of the following outlines the overall authority to perform an IS audit?
a) The audit scope, with goals and objectives
b) A request from management to perform the audit
c) The approved audit charter
d) The approved audit schedule

2. While developing a risk-based audit program, on which of the following would the IS auditor MOST likely focus?
a) Business processes
b) Critical IT applications
c) Operational controls
d) Business strategies

3. Which of the following is the MOST important reason why an audit planning process should be reviewed at periodic intervals?
a) To plan for deployment of available audit resources
b) To consider changes to the risk environment
c) To provide inputs for documentation of the audit charter
d) To identify the applicable IS audit standards

4. The FIRST step in planning an audit is to:
a) Define audit deliverables
b) Finalize the audit scope and audit objectives
c) Gain an understanding of the business' objectives
d) Develop the audit approach or audit strategy

Answers
1. (c) The approved audit charter
2. (a) Business Processes
3. (b) To consider changes to the risk environment
4. (c) Gain an understanding of the business' objectives