Chapter 1 CISA

Table of Contents
About This Manual
  Overview
  Format of This Manual
  Evaluation of This Manual
  About the CISA Review Questions, Answers and Explanations Manual
  CISA Online Review Course

About This Manual

OVERVIEW

The CISA Review Manual 26th Edition is intended to assist candidates in preparing for the CISA exam. The manual is one source of preparation for the exam and should not be thought of as the only source or be viewed as a comprehensive collection of all the information and experience that is required to pass the exam. No single publication offers such coverage and detail.

As candidates read through the manual and encounter a topic that is new to them or one in which they feel their knowledge and experience are limited, additional references should be sought. The exam is a combination of questions testing candidates' technical and practical knowledge, and their ability to apply that knowledge (based on experience) in given situations.

The CISA Review Manual 26th Edition provides coverage of the knowledge and activities related to the various functions associated with the content areas as detailed in the CISA job practice and described in the ISACA Exam Candidate Information Guide (www.isaca.org/examguide).

Note: Each chapter defines the tasks that CISA candidates are expected to know how to do and includes a series of knowledge statements required to perform those tasks. These constitute the current practices for the IS auditor. The detailed CISA job practice can be viewed at www.isaca.org/cisajobpractice. The exam is based on these task and knowledge statements.

The manual has been developed and organized to assist candidates in their study. CISA candidates should evaluate their strengths, based on knowledge and experience, in each of these areas.

FORMAT OF THIS MANUAL

Each of the five chapters of the CISA Review Manual 26th Edition is divided into two sections for focused study.

Section one of each chapter includes:
• A definition of the domain
• Objectives for the domain as a practice area
• A listing of the task and knowledge statements for the domain
• A map of the relationship of each task to the knowledge statements for the domain
• A reference guide for the knowledge statements for the domain, including the relevant concepts and explanations
• References to specific content in section two for each knowledge statement
• Self-assessment questions and answers with explanations
• Suggested resources for further study

Section two of each chapter includes:
• Reference material and content that support the knowledge statements
• Definitions of terms most commonly found on the exam

Material included is pertinent for CISA candidates' knowledge and/or understanding when preparing for the CISA certification exam.

The structure of the content includes numbering to identify the chapter where a topic is located and the headings of the subsequent levels of topics addressed in the chapter (i.e., 2.8.3 Risk Analysis Methods is a subtopic of Risk Management in chapter 2). Relevant content in a subtopic is bolded for specific attention.

Understanding the material in this manual is one measurement of a candidate's knowledge, strengths and weaknesses, and an indication of areas where additional or focused study is needed. However, written material is not a substitute for experience. CISA exam questions will test the candidate's practical application of this knowledge.
Case studies at the end of each chapter present situations within the profession and in specific areas of study. The scenarios involve topics addressed in the chapters and include practice questions which assist in understanding how a question could be presented on the CISA exam. The self-assessment questions in the first section of each chapter also serve this purpose and should not be used independently as a source of knowledge. Self-assessment questions should not be considered a measurement of one's ability to answer questions correctly on the CISA exam for that area. The questions are intended to familiarize candidates with question structure and general content, and may or may not be similar to questions that will appear on the actual exam. The reference material included in the first section of each chapter lists publications used in the creation of this manual.

At the end of the publication the candidate will find a glossary. The glossary includes both terms that are discussed in the text and terms that apply to the different areas but may not have been specifically discussed. The glossary can be another tool to identify areas in which candidates may need to seek additional references.

Although every effort is made to address the majority of information that candidates are expected to know, not all examination questions are necessarily covered in the manual, and candidates will need to rely on professional experience to provide the best answer.

Throughout the manual, the word "association" refers to ISACA. Also, please note that the manual has been written using standard American English.

Note: The CISA Review Manual 26th Edition is a living document. As technology advances, the manual will be updated to reflect such advances. Further updates to this document before the date of the exam may be viewed at www.isaca.org/studyaidupdates.

EVALUATION OF THIS MANUAL

ISACA continuously monitors the swift and profound professional, technological and environmental advances affecting the IS audit, assurance, control and security professions. Recognizing these rapid advances, the CISA Review Manual is updated periodically.

To assist ISACA in keeping abreast of these advances, please take a moment to evaluate the CISA Review Manual 26th Edition. Such feedback is valuable to fully serve the profession and future CISA exam registrants.

To complete the evaluation on the web site, please go to www.isaca.org/studyaidsevaluation.

Thank you for your support and assistance.

ABOUT THE CISA REVIEW QUESTIONS, ANSWERS AND EXPLANATIONS MANUAL

Candidates may also wish to enhance their study and preparation for the exam by using the CISA Review Questions, Answers & Explanations Manual 11th Edition or the CISA Review Questions, Answers & Explanations Database - 12 Month Subscription.

The CISA Review Questions, Answers & Explanations Manual 11th Edition consists of 1,000 multiple-choice study questions, answers and explanations arranged in the areas of the current CISA job practice. Many of these items appeared in previous editions of the CISA Review Questions, Answers & Explanations Manual, but have been rewritten to correspond with current practices and/or be more representative of actual CISA exam items.

Another study aid that is available is the CISA Review Questions, Answers & Explanations Database - 12 Month Subscription. It consists of the 1,000 questions, answers and explanations included in the CISA Review Questions, Answers & Explanations Manual 11th Edition. With this product, CISA candidates can identify strengths and weaknesses by taking random sample exams of varying lengths and breaking the results down by domain. Sample exams also can be chosen by domain, allowing for concentrated study, one domain at a time, and other sorting features such as the omission of previously correctly answered questions are available.

Questions in these products are representative of the types of questions that have appeared on the exam and include an explanation of the correct and incorrect answers. Questions are sorted by the CISA domains and as a sample test.

These products are ideal for use in conjunction with the CISA Review Manual 26th Edition. These manuals can be used as study sources throughout the study process or as part of a final review to determine where a candidate may need additional study. Again, it should be noted that these questions and suggested answers are provided as examples; they are not actual questions from the exam and may differ in content from those that actually appear on the exam.

Note: When using the CISA review materials to prepare for the exam, please note that they cover a broad spectrum of information systems audit, control and security issues. Do not assume that reading these manuals and answering review questions will fully prepare you for the exam. Since actual exam questions often relate to practical experiences, candidates should refer to their own experiences and other reference sources, and draw on the experiences of colleagues and others who have earned the CISA designation.

CISA ONLINE REVIEW COURSE

The CISA Online Review Course is a web-based, self-paced study tool. There are no hard copy materials (books, study manuals, etc.) provided with the course. While it is significantly different in terms of how the information is delivered, the course is based on content from the CISA Review Manual 26th Edition and on additional content provided by subject matter experts. The course includes practice questions as well as interactive activities and exercises, and an online glossary to reinforce content comprehension.

To better evaluate whether this is an appropriate study tool for you, please view the course demonstration at http://democertification.partners.com/demos/index.htm.
To register for the course, please go to www.isaca.org/elearningcampus.

Chapter 1: The Process of Auditing Information Systems

Section One: Overview
  Definition
  Objectives
  Task and Knowledge Statements
    Tasks
    Knowledge Statements
  Suggested Resources for Further Study
  Self-assessment Questions
  Answers to Self-assessment Questions

Section Two: Content
  1.1 Quick Reference
  1.2 Management of the IS Audit Function
    1.2.1 Organization of the IS Audit Function
    1.2.2 IS Audit Resource Management
    1.2.3 Audit Planning
      Annual Planning
      Individual Audit Assignments
    1.2.4 Effect of Laws and Regulations on IS Audit Planning
  1.3 ISACA IS Audit and Assurance Standards and Guidelines
    1.3.1 ISACA Code of Professional Ethics
    1.3.2 ISACA IS Audit and Assurance Standards
      General
      Performance
      Reporting
    1.3.3 ISACA IS Audit and Assurance Guidelines
      General
      Performance
      Reporting
    1.3.4 ISACA IS Audit and Assurance Tools and Techniques
    1.3.5 Relationship Among Standards, Guidelines, and Tools and Techniques
    1.3.6 ITAF
  1.4 IS Controls
    1.4.1 Risk Analysis
    1.4.2 Internal Controls
    1.4.3 IS Control Objectives
    1.4.4 COBIT 5
    1.4.5 General Controls
    1.4.6 IS Specific Controls
  1.5 Performing an IS Audit
    1.5.1 Audit Objectives
    1.5.2 Types of Audits
    1.5.3 Audit Methodology
    1.5.4 Risk-based Auditing
    1.5.5 Audit Risk and Materiality
    1.5.6 Risk Assessment and Treatment
      Assessing Risk
      Treating Risk
    1.5.7 IS Audit Risk Assessment Techniques
    1.5.8 Audit Programs
    1.5.9 Fraud Detection
    1.5.10 Compliance Versus Substantive Testing
    1.5.11 Evidence
    1.5.12 Interviewing and Observing Personnel in Performance of Their Duties
    1.5.13 Sampling
    1.5.14 Using the Services of Other Auditors and Experts
    1.5.15 Computer-assisted Audit Techniques
      CAATs as a Continuous Online Audit Approach
    1.5.16 Evaluation of the Control Environment
      Judging the Materiality of Findings
  1.6 Communicating Audit Results
    1.6.1 Audit Report Structure and Contents
    1.6.2 Audit Documentation
    1.6.3 Closing Findings
  1.7 Control Self-assessment
    1.7.1 Objectives of CSA
    1.7.2 Benefits of CSA
    1.7.3 Disadvantages of CSA
    1.7.4 Auditor Role in CSA
    1.7.5 Technology Drivers for CSA
    1.7.6 Traditional Versus CSA Approach
  1.8 The Evolving IS Audit Process
    1.8.1 Integrated Auditing
    1.8.2 Continuous Auditing
  1.9 Case Studies
    1.9.1 Case Study A
    1.9.2 Case Study B
    1.9.3 Case Study C
  1.10 Answers to Case Study Questions
    Answers to Case Study A Questions
    Answers to Case Study B Questions
    Answers to Case Study C Questions

Chapter 1: The Process of Auditing Information Systems

Section One: Overview

DEFINITION

This chapter is on the process of auditing information systems (IS) and encompasses the entire practice of IS auditing, including procedures and a thorough methodology that allows an IS auditor to perform an audit on any given IT area in a professional manner.
OBJECTIVES

The objective of this domain is to ensure that the CISA candidate has the knowledge necessary to provide audit services in accordance with IS audit standards to assist the organization with protecting and controlling information systems.

This area represents 21 percent of the CISA exam (approximately 32 questions).

TASK AND KNOWLEDGE STATEMENTS

TASKS

There are five tasks within the domain covering the process of auditing information systems:

T1.1 Execute a risk-based IS audit strategy in compliance with IS audit standards to ensure that key risk areas are audited.
T1.2 Plan specific audits to determine whether information systems are protected, controlled and provide value to the organization.
T1.3 Conduct audits in accordance with IS audit standards to achieve planned audit objectives.
T1.4 Communicate audit results and make recommendations to key stakeholders through meetings and audit reports to promote change when necessary.
T1.5 Conduct audit follow-ups to determine whether appropriate actions have been taken by management in a timely manner.

KNOWLEDGE STATEMENTS

The CISA candidate must have a good understanding of each of the topics or areas delineated by the knowledge statements.
These statements are the basis for the exam.

There are 11 knowledge statements within the domain covering the process of auditing information systems:

K1.1 Knowledge of ISACA IS Audit and Assurance Standards, Guidelines, and Tools and Techniques, Code of Professional Ethics and other applicable standards
K1.2 Knowledge of risk assessment concepts and tools and techniques in planning, examination, reporting and follow-up
K1.3 Knowledge of fundamental business processes (e.g., purchasing, payroll, accounts payable, accounts receivable) and the role of IS in these processes
K1.4 Knowledge of control principles related to controls in information systems
K1.5 Knowledge of risk-based audit planning and audit project management techniques, including follow-up
K1.6 Knowledge of applicable laws and regulations which affect the scope, evidence collection and preservation, and frequency of audits
K1.7 Knowledge of evidence collection techniques (e.g., observation, inquiry, inspection, interview, data analysis, forensic investigation techniques, computer-assisted audit techniques [CAATs]) used to gather, protect and preserve audit evidence
K1.8 Knowledge of different sampling methodologies and other substantive/data analytical procedures
K1.9 Knowledge of reporting and communication techniques (e.g., facilitation, negotiation, conflict resolution, management summary, result verification)
K1.10 Knowledge of audit quality assurance (QA) systems and frameworks
K1.11 Knowledge of various types of audits (e.g., internal, external, financial) and methods for assessing and placing reliance on the work of other auditors or control entities

Relationship of Task to Knowledge Statements

The task statements are what the CISA candidate is expected to know how to perform. The knowledge statements delineate each of the areas in which the CISA candidate must have a good understanding in order to perform the tasks.

Answers to Self-assessment Questions

The approved audit charter outlines the auditor's responsibility, authority and accountability.

Inherent risk exists independently of an audit and can occur because of the nature of the business. To successfully combat fraud, it is important to be aware of the specific business process. To perform the audit, the IS auditor needs to understand the business process, and by understanding the business process the IS auditor better understands the inherent risk.

A risk-based audit approach focuses on the understanding of the nature of the business and being able to identify and categorize risk. Business risk impacts the long-term viability of a specific business. Thus, an IS auditor using a risk-based audit approach must be able to understand business processes.

Control risk is the risk that an error exists that will not be prevented or detected on a timely basis by the system of internal controls. Detection risk is the risk that an error will not be detected by the auditor; it consists of two components, sampling and nonsampling risk. Inherent risk is the risk level or exposure without taking into account the actions that management has taken or might take (e.g., implementing controls). Sampling risk is the risk that incorrect assumptions are made about the characteristics of a population from which a sample is taken. Nonsampling risk is the detection risk not related to sampling; it can be due to a variety of reasons, including, but not limited to, human error.

Short- and long-term issues that drive audit planning can be heavily impacted by changes to the risk environment, technologies and business processes of the enterprise. The audit charter reflects the mandate of top management to the audit function and resides at a static level; applicable IS audit standards, guidelines and procedures are likewise not driven by short- and long-term issues.

Defining audit deliverables is dependent upon having a thorough understanding of the business objectives and purpose. Finalizing the audit scope and audit objectives is dependent upon having a thorough understanding of the business objectives and purpose. The first step in audit planning is to gain an understanding of the business's mission, objectives and purpose, which, in turn, identifies the relevant policies, standards, guidelines, procedures and organization structure. Developing the audit approach or strategy is dependent upon having a thorough understanding of the business objectives and purpose.

ISACA IS Audit and Assurance Standard 1202, Risk Assessment in Planning, establishes standards and provides guidance on planning an audit. It requires a risk-based approach. Materiality is addressed within ISACA IS Audit and Assurance Standard 1204: "IS audit and assurance professionals shall consider potential weaknesses or absences of controls while planning an engagement, and whether such weaknesses or absences of controls could result in a significant deficiency or a material weakness." Professional skepticism is addressed within ISACA IS Audit and Assurance Standard 1207.2: "IS audit and assurance professionals shall maintain an attitude of professional skepticism during the engagement." Sufficiency of audit evidence is addressed within ISACA IS Audit and Assurance Standard 1205.2: "IS audit and assurance professionals shall evaluate the sufficiency of evidence obtained to support conclusions and achieve engagement objectives."

Preventive controls are those that avert problems before they arise. Backup tapes cannot be used to prevent damage to files and, therefore, cannot be classified as a preventive control. Management controls modify processing systems to minimize a repeat occurrence of the problem. Backup tapes do not modify processing systems and, therefore, do not fit the definition of management controls. A corrective control helps correct or minimize the impact of a problem. Backup tapes can be used for restoring the files in case of damage to files, thereby reducing the impact of a disruption. Detective controls help to detect and report problems as they occur. Backup tapes do not aid in detecting errors.

Section Two: Content

1.1 QUICK REFERENCE

Chapter 1 outlines the need for performing IS audits, specifically including those management requirements regarding the IS auditor's mission and activity, as well as good practices to achieve them. CISA candidates should have a sound understanding of the following items, not only within the context of the present chapter but also to correctly address questions related to other domains. It is essential for candidates to be able to identify which elements may present the greatest risk and which controls are most effective at mitigating this risk.

Key topics in this chapter include:
• IS auditor roles and associated responsibilities, including the required audit competence, and the difference between IS auditing tasks within an assurance assignment and those within a consulting assignment
• The need for audit independence and level of authority within the auditee's IT environment
• Minimum audit planning requirements and IS audit needs in the specific case of an IT audit, including the required level of compliance with ISACA IS Audit and Assurance Standards and the need for ISACA IS Audit and Assurance Guidelines
• Audit working papers and the concept of internal control with its related control objectives; preventive, detective and corrective controls
• Understanding and application of the concepts of audit risk versus business risk
• The key role of requirement-compliant audit evidence when supporting the credibility of audit results and reporting
• The relevance of correct and accessible audit work papers and evidence, and the difference between compliance testing and substantive testing
• The appropriate use of knowledge when considering integrated auditing, and the need for IS auditors to be familiar with diverse standards and methods
• Understanding evidence collection, sampling and criteria in audit tests and their importance when conducting an IS audit
• Audit reporting and communication techniques

1.2 MANAGEMENT OF THE IS AUDIT FUNCTION

The audit function should be managed and led in a manner that ensures that the diverse tasks performed and achieved by the audit team will fulfill audit function objectives, while preserving audit independence and competence.
Furthermore, managing the audit function should ensure value-added contributions to senior management regarding the efficient management of IT and achievement of business objectives.

Note: Information systems (IS) are defined as the combination of strategic, managerial and operational activities involved in gathering, processing, storing, distributing and using information and its related technologies. Information systems are distinct from information technology (IT) in that an information system has an IT component that interacts with the process components. IT is defined as the hardware, software, communication and other facilities used to input, store, process, transmit and output data in whatever form. Therefore, the terms "IS" and "IT" will be used according to these definitions throughout the manual.

1.2.1 ORGANIZATION OF THE IS AUDIT FUNCTION

IS audit is the formal examination, interview and/or testing of information systems to determine whether:
• Information systems are in compliance with applicable laws, regulations, contracts and/or industry guidelines
• IS data and information have appropriate levels of confidentiality, integrity and availability
• IS operations are being accomplished efficiently and effectiveness targets are being met

An organization can use both externally and internally provided IS audit services. The fundamental elements of IS audit are listed in section 1.3, ISACA IS Audit and Assurance Standards and Guidelines.

The role of the IS internal audit function should be established by an audit charter approved by the board of directors and the audit committee (or senior management if these entities do not exist). IS audit can be a part of internal audit, function as an independent group, or be integrated within a financial and operational audit to provide IT-related control assurance to the financial or management auditors. Therefore, the audit charter may include IS audit as an audit support function. The charter should clearly state management's responsibility and objectives for, and delegation of authority to, the IS audit function.
This document should outline the overall authority, scope and responsibilities of the audit function. The highest level of management and the audit committee, if one exists, should approve this charter. Once established, this charter should be changed only if the change can be and is thoroughly justified.

ISACA IS Audit and Assurance Standards require that the responsibility, authority and accountability of the IS audit function are appropriately documented in an audit charter or engagement letter (1001 Audit Charter). An audit charter is an overarching document that covers the entire scope of audit activities in an entity, while an engagement letter is more focused on a particular audit exercise that is sought to be initiated in an organization with a specific objective in mind.

If IS audit services are provided by an external firm, the scope and objectives of these services should be documented in a formal contract or statement of work between the contracting organization and the service provider. In either case, the internal audit function should be independent and report to an audit committee, if one exists, or to the highest management level such as the board of directors.

1.2.2 IS AUDIT RESOURCE MANAGEMENT

IS technology is constantly changing. Therefore, it is important that IS auditors maintain their competency through updates of existing skills and obtain training directed toward new audit techniques and technological areas. ISACA IS Audit and Assurance Standards require that the IS auditor be technically competent (1006 Proficiency), having the skills and knowledge necessary to perform the auditor's work. Further, the IS auditor is to maintain technical competence through appropriate continuing professional education. Skills and knowledge should be taken into consideration when planning audits and assigning staff to specific audit assignments.

Preferably, a detailed staff training plan should be drawn up for the year based on the organization's direction in terms of technology and related risk that needs to be addressed. This should be reviewed periodically to ensure that the training efforts and results are aligned to the direction that the audit organization is taking. Additionally, IS audit management should also provide the necessary IT resources to properly perform IS audits of a highly specialized nature (e.g., tools, methodology, work programs).

1.2.3 AUDIT PLANNING

Annual Planning

Audit planning includes both short- and long-term planning. Short-term planning takes into account audit issues that will be covered during the year, whereas long-term planning relates to audit plans that will take into account risk-related issues regarding changes in the organization's IT strategic direction that will affect the organization's IT environment.

All of the relevant processes that represent the blueprint of the entity's business should be included in the audit universe. The audit universe ideally lists all of the processes that may be considered for audit. Each of these processes may be subjected to a qualitative or quantitative risk assessment by evaluating the risk in respect to defined, relevant risk factors. The risk factors are those factors that influence the frequency and/or business impact of risk scenarios. For example, for an entity engaged in retail business, reputation can be a critical risk factor. The evaluation of risk should ideally be based on inputs from the business process owners. Evaluation of the risk factors should be based on objective criteria, although subjectivity cannot be completely avoided.
For example, in respect to the reputation factor, the criteria based on which inputs can be solicited from the business may be rated as:
• High: A process issue may result in damage to the reputation of the entity that will take more than six months to recover.
• Medium: A process issue may result in damage to the reputation of the entity that will take less than six months but more than three months to recover.
• Low: A process issue may result in damage to the reputation of the entity that will take less than three months to recover.

In this example, the defined time frame represents the objective aspect of the criteria, and the subjective aspect of the criteria can be found in the business process owners' determination of the time frame, i.e., whether it is more than six months or less than three months. After the risk is evaluated for each relevant factor, an overall criterion may be defined to determine the overall risk of each of the processes.

The audit plan can then be constructed to include all of the processes that are rated "high," which would represent the ideal annual audit plan. However, in practice, when the resources required to execute the ideal plan are agreed on, often the available resources are not sufficient to execute the entire ideal plan. This analysis will help the audit function to demonstrate to top management the gap in resourcing and give top management a good idea of the amount of risk that management is accepting if it does not add to or augment the existing audit resources.

Analysis of short- and long-term issues should occur at least annually. This is necessary to take into account new control issues; changes in the risk environment, technologies and business processes; and enhanced evaluation techniques. The results of this analysis for planning future audit activities should be reviewed by senior audit management and approved by the audit committee, if available, or alternatively by the board of directors, and communicated to relevant levels of management.
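The planning procedure described above (rate each process in the audit universe against defined risk factors, derive an overall rating, build the ideal plan from the "high" processes, then show management the resourcing gap and the risk it is accepting) is straightforward to make mechanical. The following is an added example, not code from the manual or from ISACA; the audit universe, the effort figures in auditor-days, the High/Medium/Low scores, the rule that the worst factor rating drives the overall rating, and the priority order used to fill a constrained plan are all assumptions chosen for illustration. Only the reputation criterion (more than six months, three to six months, less than three months) is taken from the text.

```python
"""Risk-based annual audit plan over an audit universe (illustrative).

Assumptions not taken from the manual: factor ratings are scored
high=3, medium=2, low=1; a process's overall rating is its worst
factor rating; effort is measured in auditor-days; when resources are
short, processes are filled into the plan in descending order of the
sum of their factor scores and anything that does not fit is deferred.
"""
from dataclasses import dataclass, field

HIGH, MEDIUM, LOW = "high", "medium", "low"
SCORE = {HIGH: 3, MEDIUM: 2, LOW: 1}
LABEL = {score: label for label, score in SCORE.items()}


def rate_reputation(months_to_recover: float) -> str:
    """Objective criterion from the manual's reputation example.

    The months-to-recover estimate itself is the subjective input
    supplied by the business process owner.
    """
    if months_to_recover > 6:
        return HIGH
    if months_to_recover > 3:
        return MEDIUM
    return LOW


@dataclass
class AuditableProcess:
    name: str
    effort_days: int                    # assumed auditor-days to audit it
    factor_ratings: dict = field(default_factory=dict)  # factor -> rating

    def overall_rating(self) -> str:
        # Assumed overall criterion: the worst factor rating wins.
        return LABEL[max(SCORE[r] for r in self.factor_ratings.values())]

    def priority(self) -> int:
        # Assumed tie-breaker among 'high' processes: sum of factor scores.
        return sum(SCORE[r] for r in self.factor_ratings.values())


def build_annual_plan(universe, available_days: int) -> dict:
    """Ideal plan = every 'high' process; report the resourcing gap and
    which high-risk processes are left unaudited (risk accepted)."""
    ideal = sorted((p for p in universe if p.overall_rating() == HIGH),
                   key=lambda p: (-p.priority(), p.effort_days, p.name))
    required = sum(p.effort_days for p in ideal)
    scheduled, deferred, budget = [], [], available_days
    for p in ideal:  # greedy fill in priority order
        if p.effort_days <= budget:
            scheduled.append(p.name)
            budget -= p.effort_days
        else:
            deferred.append(p.name)
    return {
        "ideal_plan": [p.name for p in ideal],
        "required_days": required,
        "available_days": available_days,
        "resource_gap_days": max(0, required - available_days),
        "scheduled": scheduled,
        "risk_accepted": deferred,
    }


def sample_universe():
    """Constructed sample data, as business process owners might rate it."""
    return [
        AuditableProcess("online payments", 30,
                         {"reputation": rate_reputation(9), "financial": HIGH, "regulatory": HIGH}),
        AuditableProcess("payroll", 15,
                         {"reputation": rate_reputation(2), "financial": HIGH, "regulatory": MEDIUM}),
        AuditableProcess("customer data platform", 25,
                         {"reputation": rate_reputation(7), "financial": MEDIUM, "regulatory": HIGH}),
        AuditableProcess("internal wiki", 5,
                         {"reputation": rate_reputation(1), "financial": LOW, "regulatory": LOW}),
        AuditableProcess("supplier onboarding", 10,
                         {"reputation": rate_reputation(4), "financial": MEDIUM, "regulatory": MEDIUM}),
    ]


if __name__ == "__main__":
    for key, value in build_annual_plan(sample_universe(), available_days=50).items():
        print(f"{key}: {value}")
```

With 50 auditor-days available against 70 required, the output shows a 20-day gap and names the high-risk process that will go unaudited; that list is what the text says management should see when it decides whether to augment audit resources.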
The annual planning should be updated if any key aspects of the risk environment have changed (e.g., acquisitions, new regulatory issues, market conditions).

Individual Audit Assignments

In addition to overall annual planning, each individual audit assignment must be adequately planned. The IS auditor should understand that other considerations, such as the results of periodic risk assessments, changes in the application of technology, and evolving privacy issues and regulatory requirements, may impact the overall approach to the audit. The IS auditor should also take into consideration system implementation/upgrade deadlines, current and future technologies, requirements from business process owners, and IS resource limitations.

When planning an audit, the IS auditor must have an understanding of the overall environment under review. This should include a general understanding of the various business practices and functions relating to the audit subject, as well as the types of information systems and technology supporting the activity. For example, the IS auditor should be familiar with the regulatory environment in which the business operates.

To perform audit planning, the IS auditor should perform the steps indicated in figure 1.2.

Figure 1.2: Steps to Perform Audit Planning
• Gain an understanding of the business's mission, objectives, purpose and processes, which include information and processing requirements such as availability, integrity, security and business technology and information confidentiality.
• Understand changes in the business environment of the auditee.
• Review prior work papers.
• Identify stated contents such as policies, standards and required guidelines, procedures and organization structure.
• Perform a risk analysis to help in designing the audit plan.
• Set the audit scope and audit objectives.
• Develop the audit approach or audit strategy.
• Address engagement logistics.

ISACA IS Audit and Assurance Standards require the IS auditor to plan the IS audit work to address the audit objectives and comply with applicable professional auditing standards (1201 Engagement Planning).
The TS auditor should devclop an audit plan tha takes into consideration the objectives ofthe suite relevant tothe audit area and its technology infrastructure. Where appropriate, the IS audit should also consider the area under review and its ‘lationship tothe orzanization (sratezically. financially and/or operationally) and oblain information on the stategc pan. including the 1S strategic plan. The TS suitor should have an understanding ofthe suites information technology architecture and technological direction to design plan appropriate forthe present and, where appropriate, fture technology ofthe auitee Steps an IS auditor could take to gan an understanding of the business include: + Reading background material inluding industry publications snaual reports and independent financial analysis reports + Reviewing prior audit reports or IT-related reports (rom extemal or internal audits, or specific reviews such a regulatory reviews) + Reviewing business and IT long-term strategic plans + Interviewing key managers to understand business issues + Identifying specific regulations applicable to TT «+ Idennving IT functions or related activities that have heen outsourced + Touring key organization facilities Another basic component of planning isthe matching of available audit resources to the tasks as defined inthe aut plan. The IS auditor wo prepares the pla should consider the requirements ofthe adit project, staffing resources and other constants. This matching exerese should consider the needs of individual audit projects aswell ase overall needs of the audit department 1.2.4 EFFECT OF LAWS AND REGULATIONS ON IS AUDIT PLANNING Each organization, regardless ofits size or the industry within which t operates, will ned to comply with a number of governmental and external requirements ‘elated fo compute system practices and controls and tothe mane in wich computers, programs and data are stored and used. Additionally. 
business regulations can impact the way data are processed, transmitted and stored (stock exchange, central banks, etc.). Special attention should be given to these issues in industries that are closely regulated. The banking industry worldwide has severe penalties for banks and their officers should a bank be unable to provide an adequate level of service due to security breaches. Inadequate security in a bank's online portal can result in loss of customer funds. In several countries, Internet service providers (ISPs) are subject to laws regarding confidentiality and service availability.

Because of a growing dependency on information systems and related technology, several countries are making efforts to add legal regulations concerning IS audit. The content of these legal regulations pertains to:
+ Establishment of regulatory requirements
+ Responsibilities assigned to corresponding entities
+ Financial, operational and IT audit functions

Management personnel, as well as audit management, at all levels, should be aware of the external requirements relevant to the goals and plans of the organization, and to the responsibilities and activities of the information services department/function/activity.

There are two major areas of concern: legal requirements (laws, regulatory and contractual agreements) placed on audit or IS audit, and legal requirements placed on the auditee and its systems, data management, reporting, etc. These areas impact the audit scope and audit objectives. The latter is important to internal and external auditors. Legal issues also impact the organization's business operations in terms of compliance with ergonomic regulations, the US Health Insurance Portability and Accountability Act (HIPAA), Protection of Personal Data Directives and Electronic Commerce within the European Community, fraud prevention within banking organizations, etc.

An example of strong control practices is the US Sarbanes-Oxley Act of 2002, which requires evaluating an organization's internal control.
Sarbanes-Oxley provides for new corporate governance rules, regulations and standards for specified public companies including US Securities and Exchange Commission (SEC) registrants. The SEC has mandated the use of a recognized internal control framework. Sarbanes-Oxley requires organizations to select and implement a suitable internal control framework. Similarly, Japan enacted the Tokyo Stock Exchange Principles. In March 2004, the Listed Company Corporate Governance Committee, established by the Tokyo Stock Exchange in December 2002, published Principles of Corporate Governance for Listed Companies. The Internal Control-Integrated Framework from the Committee of Sponsoring Organizations of the Treadway Commission (COSO) has become the most commonly adopted framework by public companies seeking to comply. Because the US Sarbanes-Oxley Act has as its objective increasing the level of control of business processes and the information systems supporting them, IS auditors must consider the impact of Sarbanes-Oxley as part of audit planning.

A similar example of regulatory impact is the Basel Accords (Basel I, Basel II and Basel III). The Basel Accords regulate the minimum amount of capital for financial organizations based on the level of risk they face.
The Basel Committee on Banking Supervision recommends conditions and capital requirements that should be fulfilled to manage risk exposure. These conditions will ideally result in an improvement in:
+ Credit risk
+ Operational risk
+ Market risk

The following are steps an IS auditor would perform to determine an organization's level of compliance with external requirements:
+ Identify those government or other relevant external requirements dealing with:
  – Electronic data, personal data, copyrights, e-commerce, signatures, etc.
  – Computer system practices and controls
  – The manner in which computers, programs and data are stored
  – The organization or the activities of information technology services
  – IS audits
+ Document applicable laws and regulations.
+ Assess whether the management of the organization and the IT function have considered the relevant external requirements in making plans and in setting policies, standards and procedures, as well as business application features.
+ Review internal IT department/function/activity documents that address adherence to laws applicable to the industry.
+ Determine adherence to established procedures that address these requirements.
+ Determine if there are procedures in place to ensure contracts or agreements with external IT services providers reflect any legal requirements related to responsibilities.

It is expected that the organization would have a legal compliance function on which the IS control practitioner could rely.

Note: A CISA candidate will not be asked about any specific laws or regulations but may be questioned about how one would audit for compliance with laws and regulations. The examination will only test knowledge of accepted global practices.

1.3 ISACA IS AUDIT AND ASSURANCE STANDARDS AND GUIDELINES

1.3.1 ISACA CODE OF PROFESSIONAL ETHICS

ISACA sets forth this Code of Professional Ethics to guide the professional and personal conduct of members of the association and/or its certification holders.
Members and ISACA certification holders shall:
1. Support the implementation of, and encourage compliance with, appropriate standards and procedures for the effective governance and management of enterprise information systems and technology, including: audit, control, security and risk management.
2. Perform their duties with objectivity, due diligence and professional care, in accordance with professional standards.
3. Serve in the interest of stakeholders in a lawful manner, while maintaining high standards of conduct and character, and not discrediting their profession or the Association.
4. Maintain the privacy and confidentiality of information obtained in the course of their activities unless disclosure is required by legal authority. Such information shall not be used for personal benefit or released to inappropriate parties.
5. Maintain competency in their respective fields and agree to undertake only those activities they can reasonably expect to complete with the necessary skills, knowledge and competence.
6. Inform appropriate parties of the results of work performed, including the disclosure of all significant facts known to them that, if not disclosed, may distort the reporting of the results.
7. Support the professional education of stakeholders in enhancing their understanding of the governance and management of enterprise information systems and technology, including: audit, control, security and risk management.

Failure to comply with this Code of Professional Ethics can result in an investigation into a member's or certification holder's conduct and, ultimately, in disciplinary measures.

Note: A CISA candidate is not expected to have memorized the ISACA IS Audit and Assurance Standards, Guidelines, and Tools and Techniques and the ISACA Code of Professional Ethics (www.isaca.org/certification/code-of-professional-ethics) word for word. Rather, the candidates will be tested on their understanding of the standard, guideline or code, its objectives and how it applies in a given situation.
1.3.2 ISACA IS AUDIT AND ASSURANCE STANDARDS

The specialized nature of IS auditing and the skills and knowledge necessary to perform such audits require globally applicable standards that pertain specifically to IS auditing. One of the most important functions of ISACA is providing information (common body of knowledge) to support knowledge requirements. (See standard 1006 Proficiency.)

One of ISACA's goals is to advance standards to meet this need. The development and dissemination of the ISACA IS Audit and Assurance Standards is a cornerstone of the association's professional contribution to the audit community. The IS auditor needs to be aware that there may be additional standards, or even legal requirements, placed on the auditor.

Standards contain statements of mandatory requirements for IS audit and assurance. They inform:
+ IS audit and assurance professionals of the minimum level of acceptable performance required to meet the professional responsibilities set out in the ISACA Code of Professional Ethics
+ Management and other interested parties of the profession's expectations concerning the work of practitioners
+ Holders of the Certified Information Systems Auditor (CISA) designation of their requirements. Failure to comply with these standards may result in an investigation into the CISA holder's conduct by the ISACA Board of Directors or appropriate ISACA group and, ultimately, in disciplinary action.

The framework for the ISACA IS Audit and Assurance Standards provides for multiple levels of documents:
+ Standards define mandatory requirements for IS audit and assurance and reporting.
+ Guidelines provide guidance in applying IS Audit and Assurance Standards. The IS auditor should consider them in determining how to achieve implementation of the above standards, use professional judgment in their application and be prepared to justify any departure from the standards.
+ Tools and techniques provide examples of processes an IS auditor might follow in an audit engagement.
The tools and techniques documents provide information on how to meet the standards when completing IS auditing work, but do not set requirements.

Note: The complete text of the ISACA IS Audit and Assurance Standards, Guidelines, and Tools and Techniques is available at www.isaca.org/standards.

There are three categories of standards and guidelines—general, performance and reporting:
+ General—The guiding principles under which the IS assurance profession operates. They apply to the conduct of all assignments, and deal with the IS audit and assurance professional's ethics, independence, objectivity and due care as well as knowledge, competency and skill.
+ Performance—Deal with the conduct of the assignment, such as planning and supervision, scoping, risk and materiality, resource mobilization, supervision and assignment management, audit and assurance evidence, and the exercising of professional judgment and due care.
+ Reporting—Address the types of reports, means of communication and the information communicated.

General
+ 1001 Audit Charter
  – 1001.1 The IS audit and assurance function shall document the audit function appropriately in an audit charter, indicating purpose, responsibility, authority and accountability.
  – 1001.2 The IS audit and assurance function shall have the audit charter agreed upon and approved at an appropriate level within the enterprise.
+ 1002 Organisational Independence
  – 1002.1 The IS audit and assurance function shall be independent of the area or activity being reviewed to permit objective completion of the audit and assurance engagement.
+ 1003 Professional Independence
  – 1003.1 IS audit and assurance professionals shall be independent and objective in both attitude and appearance in all matters related to audit and assurance engagements.
+ 1004 Reasonable Expectation
  – 1004.1 IS audit and assurance professionals shall have reasonable expectation that the engagement can be completed in accordance with the IS audit and assurance standards and, where required, other appropriate professional or industry standards or applicable regulations and result in a professional opinion or conclusion.
  – 1004.2 IS audit and assurance professionals shall have reasonable expectation that the scope of the engagement enables conclusion on the subject matter and addresses any restrictions.
  – 1004.3 IS audit and assurance professionals shall have reasonable expectation that management will agree to the provision of appropriate, relevant and timely information required to perform the engagement.
+ 1005 Due Professional Care
  – 1005.1 IS audit and assurance professionals shall exercise due professional care, including observance of applicable professional audit standards, in planning, performing and reporting on the results of engagements.
+ 1006 Proficiency
  – 1006.1 IS audit and assurance professionals, collectively with others assisting with the assignment, shall possess adequate skills and proficiency in conducting IS audit and assurance engagements and be professionally competent to perform the work required.
  – 1006.2 IS audit and assurance professionals, collectively with others assisting with the assignment, shall possess adequate knowledge of the subject matter.
  – 1006.3 IS audit and assurance professionals shall maintain professional competence through appropriate continuing professional education and training.
+ 1007 Assertions
  – 1007.1 IS audit and assurance professionals shall review the assertions against which the subject matter will be assessed to determine that such assertions are capable of being audited and that the assertions are sufficient,
valid and relevant.
+ 1008 Criteria
  – 1008.1 IS audit and assurance professionals shall select criteria, against which the subject matter will be assessed, that are objective, complete, relevant, measurable, understandable, widely recognised, authoritative and understood by, or available to, all readers and users of the report.
  – 1008.2 IS audit and assurance professionals shall consider the source of the criteria and focus on those issued by relevant authoritative bodies before accepting lesser-known criteria.

Performance
+ 1201 Engagement Planning
  – 1201.1 IS audit and assurance professionals shall plan each IS audit and assurance engagement to address:
    • Objective(s), scope, timeline and deliverables
    • Compliance with applicable laws and professional auditing standards
    • Use of a risk-based approach, where appropriate
    • Engagement-specific issues
    • Documentation and reporting requirements
  – 1201.2 IS audit and assurance professionals shall develop and document an IS audit or assurance engagement project plan, describing the:
    • Engagement nature, objectives, timeline and resource requirements
    • Timing and extent of audit procedures to complete the engagement
+ 1202 Risk Assessment in Planning
  – 1202.1 The IS audit and assurance function shall use an appropriate risk assessment approach and supporting methodology to develop the overall IS audit plan and determine priorities for the effective allocation of IS audit resources.
  – 1202.2 IS audit and assurance professionals shall identify and assess risk relevant to the area under review, when planning individual engagements.
  – 1202.3 IS audit and assurance professionals shall consider subject matter risk, audit risk and related exposure to the enterprise.
+ 1203 Performance and Supervision
  – 1203.1 IS audit and assurance professionals shall conduct the work in accordance with the approved IS audit plan to cover identified risk and within the agreed-on schedule.
  – 1203.2 IS audit and assurance professionals shall provide supervision to IS audit staff for whom they have supervisory responsibility, so as to accomplish audit objectives and meet applicable professional audit standards.
  – 1203.3 IS audit and assurance professionals shall accept only tasks that are within their knowledge and skills or for which they have a reasonable expectation of either acquiring the skills during the engagement or achieving the task under supervision.
  – 1203.4 IS audit and assurance professionals shall obtain sufficient and appropriate evidence to achieve the audit objectives. The audit findings and conclusions shall be supported by appropriate analysis and interpretation of this evidence.
  – 1203.5 IS audit and assurance professionals shall document the audit process, describing the audit work and the audit evidence that supports findings and conclusions.
  – 1203.6 IS audit and assurance professionals shall identify and conclude on findings.
+ 1204 Materiality
  – 1204.1 IS audit and assurance professionals shall consider potential weaknesses or absences of controls while planning an engagement, and whether such weaknesses or absences of controls could result in a significant deficiency or a material weakness.
  – 1204.2 IS audit and assurance professionals shall consider audit materiality and its relationship to audit risk while determining the nature, timing and extent of audit procedures.
  – 1204.3 IS audit and assurance professionals shall consider the cumulative effect of minor control deficiencies or weaknesses and whether the absence of controls translates into a significant deficiency or a material weakness.
  – 1204.4 IS audit and assurance professionals shall disclose the following in the report:
    • Absence of controls or ineffective controls
    • Significance of the control deficiency
    • Probability of these weaknesses resulting in a significant deficiency or material weakness
+ 1205 Evidence
  – 1205.1 IS audit and assurance professionals shall obtain sufficient and appropriate evidence to draw reasonable conclusions on which to base the engagement results.
  – 1205.2 IS audit and assurance professionals shall evaluate the sufficiency of evidence obtained to support conclusions and achieve engagement objectives.
+ 1206 Using the Work of Other Experts
  – 1206.1 IS audit and assurance professionals shall consider using the work of other experts for the engagement, where appropriate.
  – 1206.2 IS audit and assurance professionals shall assess and approve the adequacy of the other experts' professional qualifications, competencies, relevant experience, resources, independence and quality-control processes prior to the engagement.
  – 1206.3 IS audit and assurance professionals shall assess, review and evaluate the work of other experts as part of the engagement, and document the conclusion on the extent of use and reliance on their work.
  – 1206.4 IS audit and assurance professionals shall determine whether the work of other experts, who are not part of the engagement team, is adequate and complete to conclude on the current engagement objectives, and clearly document the conclusion.
  – 1206.5 IS audit and assurance professionals shall determine whether the work of other experts will be relied upon and incorporated directly or referred to separately in the report.
  – 1206.6 IS audit and assurance professionals shall apply additional test procedures to gain sufficient and appropriate evidence in circumstances where the work of other experts does not provide sufficient and appropriate evidence.
  – 1206.7 IS audit and assurance professionals shall provide an appropriate audit opinion or conclusion, and include any scope limitation where required evidence is not obtained through additional test procedures.
+ 1207 Irregularity and Illegal Acts
  – 1207.1 IS audit and assurance professionals shall consider the risk of irregularities and illegal acts during the engagement.
  – 1207.2 IS audit and assurance professionals shall maintain an attitude of professional scepticism during the engagement.
  – 1207.3 IS audit and assurance professionals shall document and communicate any material irregularities or illegal act to the appropriate party in a timely manner.

Reporting
+ 1401 Reporting
  – 1401.1 IS audit and assurance professionals shall provide a report to communicate the results upon completion of the engagement, including:
    • Identification of the enterprise, the intended recipients and any restrictions on content and circulation
    • The scope, engagement objectives, period of coverage and the nature, timing and extent of the work performed
    • The findings, conclusions and recommendations
    • Any qualifications or limitations in scope that the IS audit and assurance professional has with respect to the engagement
    • Signature, date and distribution according to the terms of the audit charter or engagement letter
  – 1401.2 IS audit and assurance professionals shall ensure that findings in the audit report are supported by sufficient and appropriate evidence.
+ 1402 Follow-up Activities
  – 1402.1 IS audit and assurance professionals shall monitor relevant information to conclude whether management has planned/taken appropriate, timely action to address reported audit findings and recommendations.

Note: The CISA exam does not test whether a candidate knows the specific number of an IS auditing standard. The CISA exam tests how standards are applied within the audit process.

1.3.3 ISACA IS AUDIT AND ASSURANCE GUIDELINES

The objective of the ISACA IS Audit and Assurance Guidelines is to provide guidance and additional information on how to comply with the ISACA IS Audit and Assurance Standards. The IS audit and assurance professional should:
+ Consider them in determining how to implement the above standards.
+ Use professional judgment in applying them to specific audits.
+ Be able to justify any departure from the standards.

Note: The CISA candidate is not expected to know the specific number of an IS Audit and Assurance Guideline. The CISA exam tests how guidelines are applied within the audit process.
The IS auditor should review the IS Audit and Assurance Guidelines thoroughly to identify the subject matter that is likely needed in the job. The IS Audit and Assurance Guidelines are living documents. The most current documents may be viewed at www.isaca.org/guidelines.

The following are the Purpose sections (section 1) of the guidelines.

General
+ 2001 Audit Charter
  – 1.1.1 The purpose of this guideline is to assist IS audit and assurance professionals in preparing an audit charter. The audit charter defines the purpose, responsibility, authority and accountability of the IS audit and assurance function.
  – 1.1.2 IS audit and assurance professionals should consider this guideline when determining how to implement the standard, use professional judgement in its application, be prepared to justify any departure and seek additional guidance if considered necessary.
+ 2002 Organisational Independence
  – 1.1.1 The purpose of this guideline is to address the independence of the IS audit and assurance function in the enterprise. Three important aspects are considered:
    • The position of the IS audit and assurance function within the enterprise
    • The level to which the IS audit and assurance function reports to within the enterprise
    • The performance of non-audit services within the enterprise by IS audit and assurance management and IS audit and assurance professionals
  – 1.1.2 This guideline provides guidance on assessing organisational independence and details the relationship between organisational independence and the audit charter and audit plan.
  – 1.1.3 IS audit and assurance professionals should consider this guideline when determining how to implement the standard, use professional judgement in its application, be prepared to justify any departure and seek additional guidance if considered necessary.
+ 2003 Professional Independence
  – 1.1.1 The purpose of this guideline is to provide a framework that enables the IS audit and assurance professional to:
    • Establish when independence may be, or may appear to be,
      impaired
    • Consider potential alternative approaches to the audit process when independence is, or may appear to be, impaired
    • Reduce or eliminate the impact on independence of IS audit and assurance professionals performing non-audit roles, functions and services
    • Determine disclosure requirements when required independence may be, or may appear to be, impaired
  – 1.1.2 IS audit and assurance professionals should consider this guideline when determining how to implement the standard, use professional judgement in its application, be prepared to justify any departure and seek additional guidance if considered necessary.
+ 2004 Reasonable Expectation
  – 1.1.1 The purpose of this guideline is to assist the IS audit and assurance professionals in implementing the principle of reasonable expectation in the execution of audit engagements. The main features over which the professionals should have reasonable expectation are that:
    • The audit engagement can be completed in accordance with these standards, other applicable standards or regulations, and result in a professional opinion or conclusion.
    • The scope of the audit engagement permits an opinion or conclusion to be expressed on the subject matter.
    • Management will provide them with appropriate, relevant and timely information required to perform the audit engagement.
  – 1.1.2 This guideline further assists the IS audit and assurance professionals in addressing scope limitations and provides guidance on accepting a change in
  – 1.1.3 IS audit and assurance professionals should consider this guideline when determining how to implement the standard, use professional judgement in its application, be prepared to justify any departure and seek additional guidance if considered necessary.
+ 2005 Due Professional Care
  – 1.1.1 The purpose of this guideline is to clarify the term "due professional care" as it applies to performing an audit engagement with integrity and care in compliance with the ISACA Code of Professional Ethics.
  – 1.1.2 This guideline explains how IS audit and assurance professionals should apply due professional care in planning, performing and reporting on an audit engagement.
  – 1.1.3 IS audit and assurance professionals should consider this guideline when determining how to implement the standard, use professional judgement in its application, be prepared to justify any departure and seek additional guidance if considered necessary.
+ 2006 Proficiency
  – 1.1.1 This guideline provides guidance to the IS audit and assurance professionals to acquire the necessary skills and knowledge and maintain the professional competences while carrying out audit engagements.
  – 1.1.2 IS audit and assurance professionals should consider this guideline when determining how to implement the standard, use professional judgement in its application, be prepared to justify any departure and seek additional guidance if considered necessary.
+ 2007 Assertions
  – 1.1.1 The purpose of this guideline is to detail the different assertions, guide IS audit and assurance professionals in assuring that the criteria against which the subject matter is to be assessed support the assertions, and provide guidance on formulating a conclusion and drafting a report on the assertions.
  – 1.1.2 IS audit and assurance professionals should consider this guideline when determining how to implement the standard, use professional judgement in its application, be prepared to justify any departure and seek additional guidance if considered necessary.
+ 2008 Criteria
  – 1.1.1 The purpose of this guideline is to assist IS audit and assurance professionals in selecting criteria, against which the subject matter will be assessed, that are suitable, acceptable and come from a relevant source.
  – 1.1.2 IS audit and assurance professionals should consider this guideline when determining how to implement the standard, use professional judgement in its application, be prepared to justify any departure and seek additional guidance if considered necessary.

Performance
+ 2201 Engagement Planning
  – 1.1.1 This guideline provides guidance to the IS audit and assurance professionals. Adequate planning helps to ensure that appropriate attention is devoted to important areas of the audit, potential problems are identified and resolved on a timely basis, and the audit engagement is properly organised, managed and performed in an effective and efficient manner.
  – 1.1.2 IS audit and assurance professionals should consider this guideline when determining how to implement the standard, use professional judgement in its application, be prepared to justify any departure and seek additional guidance if considered necessary.
+ 2202 Risk Assessment in Planning
  – 1.1.1 The level of audit work required to meet the audit objective is a subjective decision made by IS audit and assurance professionals. The purpose of this guideline is to reduce the risk of reaching an incorrect conclusion based on the audit findings and to reduce the existence of errors occurring in the area being audited.
  – 1.1.2 The guideline provides guidance in applying a risk assessment approach to develop an:
    • IS audit plan that covers all annual audit engagements
    • Audit engagement project plan that focuses on one specific audit engagement
  – 1.1.3 The guideline provides the details of the different types of risk the IS audit and assurance professionals encounter.
  – 1.1.4 IS audit and assurance professionals should consider this guideline when determining how to implement the standard, use professional judgement in its application, be prepared to justify any departure and seek additional guidance if considered necessary.
+ 2203 Performance and Supervision
  – 1.1.1 This guideline provides guidance to IS audit and assurance professionals in performing the audit engagement and supervising IS audit team members. It covers:
    • Performing an audit engagement
    • Roles and responsibilities, required knowledge and skills for performing audit engagements
    • Key aspects of supervision
    • Gathering evidence
    • Documenting work performed
    • Formulating findings and conclusions
  – 1.1.2 IS audit and assurance professionals should consider this guideline when determining how to implement the standard, use professional judgement in its application, be prepared to justify any departure and seek additional guidance if considered necessary.
+ 2204 Materiality
  – 1.1.1 The purpose of this guideline is to clearly define the concept "materiality" for the IS audit and assurance professionals and make a clear distinction with the materiality concept used by financial audit and assurance professionals.
  – 1.1.2 The guideline assists the IS audit and assurance professionals in assessing materiality of the subject matter and considering materiality in relationship to controls and reportable issues.
  – 1.1.3 IS audit and assurance professionals should consider this guideline when determining how to implement the standard, use professional judgement in its application, be prepared to justify any departure and seek additional guidance if considered necessary.
+ 2205 Evidence
  – 1.1.1 The purpose of this guideline is to provide guidance to IS audit and assurance professionals in obtaining sufficient and appropriate evidence, evaluating the received evidence and preparing appropriate audit documentation.
  – 1.1.2 IS audit and assurance professionals should consider this guideline when determining how to implement the standard, use professional judgement in its application, be prepared to justify any departure and
      seek additional guidance if considered necessary.
+ 2206 Using the Work of Other Experts
  – 1.1.1 This guideline provides guidance to IS audit and assurance professionals when considering the use of work of other experts. The guideline assists in assessing the adequacy of the experts, reviewing and evaluating the work of other experts, assessing the need for performing additional test procedures and expressing an opinion for the audit engagement while taking into account the work performed by other experts.
  – 1.1.2 IS audit and assurance professionals should consider this guideline when determining how to implement the standard, use professional judgement in its application, be prepared to justify any departure and seek additional guidance if considered necessary.
+ 2207 Irregularity and Illegal Acts
  – 1.1.1 The purpose of this guideline is to provide IS audit and assurance professionals with guidance on how to deal with irregularities and illegal acts.
  – 1.1.2 The guideline details the responsibilities of both management and IS audit and assurance professionals with regard to irregularities and illegal acts. It furthermore provides guidance on how to deal with irregularities and illegal acts during the planning and performance of the audit work. Finally, the guideline suggests good practices for internal and external reporting on irregularities and illegal acts.
  – 1.1.3 IS audit and assurance professionals should consider this guideline when determining how to implement the standards, use professional judgement in its application, be prepared to justify any departure and seek additional guidance if considered necessary.
+ 2208 Sampling
  – 1.1.1 The purpose of this guideline is to provide guidance to IS audit and assurance professionals to design and select an audit sample and evaluate sample results. Appropriate sampling and evaluation will help in achieving the requirements of sufficient and appropriate evidence.
  – 1.1.2 IS audit and assurance professionals should consider this guideline when determining how to implement related standards, use professional judgement in its application, be prepared to justify any departure and seek additional guidance if considered necessary.
Reporting
+ 2401 Reporting
  – 1.1.1 This guideline provides guidance for IS audit and assurance professionals on the different types of IS audit engagements and related reports.
  – 1.1.2 The guideline details all aspects that should be included in an audit engagement report and provides IS audit and assurance professionals with considerations to make when drafting and finalising an audit engagement report.
  – 1.1.3 IS audit and assurance professionals should consider this guideline when determining how to implement the standard, use professional judgement in its application, be prepared to justify any departure and seek additional guidance if considered necessary.
+ 2402 Follow-up Activities
  – 1.1.1 The purpose of this guideline is to provide guidance to IS audit and assurance professionals in monitoring if management has taken appropriate and timely action on reported recommendations and audit findings.
  – 1.1.2 IS audit and assurance professionals should consider this guideline when determining how to implement the standard, use professional judgement in its application, be prepared to justify any departure and seek additional guidance if considered necessary.

Note: The CISA candidate should be familiar with IS Audit and Assurance Guideline 2001 Audit Charter. Also important is 2207 Irregularities and Illegal Acts in relation to the standard 1207 Irregularities and Illegal Acts, for the purpose of reporting irregularities such as fraud. In addition, the IS auditor should be familiar with the IS Audit and Assurance Guideline 2003 Professional Independence and the related standard 1003 Professional Independence. Knowledge of 2402 Follow-up Activities should be further identified by the IS auditor in the IS Audit and Assurance Guidelines.

1.3.4 ISACA IS AUDIT AND ASSURANCE TOOLS AND TECHNIQUES

Tools and techniques developed by ISACA provide examples of possible processes an IS auditor may follow in an audit engagement. In determining the appropriateness of any specific tool
and technique, IS auditors should apply their own professional judgment to the specific circumstances. The tools and techniques documents provide information on how to meet the standards when performing IS auditing work, but do not set requirements.

Tools and techniques are currently categorized into:
• White papers, www.isaca.org/whitepapers (complimentary PDF files)
• Audit/Assurance programs, www.isaca.org/auditprograms (complimentary Microsoft Word files for ISACA members)
• COBIT 5 family of products, www.isaca.org/cobit
• Technical and Risk Management Reference series (available in the ISACA Bookstore)
• ISACA Journal IT Audit Basics column, www.isaca.org/Knowledge-Center/ITAF-IS-Assurance-Audit/IT-Audit-Basics/Pages/IT-Audit-Basics-Articles.aspx (complimentary access)

It is not mandatory for the IS auditor to follow these tools and techniques; however, following these procedures will provide assurance that the standards are being followed by the auditor.

Note: The ISACA IS Audit and Assurance Tools and Techniques are living documents. The most current documents may be viewed at www.isaca.org/standards.

1.3.5 RELATIONSHIP AMONG STANDARDS, GUIDELINES, AND TOOLS AND TECHNIQUES

Standards defined by ISACA are to be followed by the IS auditor. Guidelines provide assistance on how the auditor can implement standards in various audit assignments. Tools and techniques are not intended to provide exhaustive guidance to the auditor when performing an audit. Tools and techniques provide examples of steps the auditor may follow in specific audit assignments to implement the standards; however, the IS auditor should use professional judgment when using guidelines and tools and techniques.
There may be situations in which the legal/regulatory requirements are more stringent than the requirements contained in ISACA IS Audit and Assurance Standards. In such cases, the IS auditor should ensure compliance with the more stringent legal/regulatory requirements. For example, section 2.3.2 of Guideline 2002 supporting Standard 1002 Organisational Independence states: "Activities that are routine and administrative or involve matters that are insignificant generally are deemed not to be management responsibilities and, therefore, would not impair independence. Non-audit services that would also not impair independence or objectivity if adequate safeguards are implemented include providing routine advice on information technology risk and controls." However, in some countries, regulatory enactments strictly prohibit auditors from accepting audit assignments from banks from which they have availed credit facilities. In such cases, IS auditors should give precedence to the applicable regulatory requirement and not accept the assignment, even though accepting the assignment would be in compliance with the requirement of Guideline 2002. As stated throughout the IS Audit and Assurance Guidelines, IS audit and assurance professionals should consider all guidelines when determining how to implement related standards, use professional judgment in their application, be prepared to justify any departure and seek additional guidance if considered necessary.
1.3.6 ITAF™

ITAF is a comprehensive and good-practice-setting reference model that:
• Establishes standards that address IS audit and assurance professional roles and responsibilities, knowledge and skills, and diligence, conduct and reporting requirements
• Defines terms and concepts specific to IS assurance
• Provides guidance and tools and techniques on the planning, design, conduct and reporting of IS audit and assurance assignments

ITAF is focused on ISACA material and provides a single source through which IS audit and assurance professionals can seek guidance, research policies and procedures, obtain audit and assurance programs and develop effective reports. ITAF 3rd Edition (www.isaca.org/itaf) incorporates guidelines effective 1 September 2014. As new guidelines are developed and issued, they will be indexed within the framework.

1.4 IS CONTROLS

In order for information systems to fully realize the benefits, risk and resource optimization goals, risk that could prevent or inhibit obtaining these goals needs to be addressed. Organizations design, develop, implement and monitor information systems through policies, procedures, practices and organizational structures to address these types of risk. The internal control life cycle is dynamic in nature and designed to provide reasonable assurance that business goals and objectives will be achieved and undesired events will be prevented or detected and corrected.

1.4.1 RISK ANALYSIS

Risk analysis is part of audit planning and helps identify risk and vulnerabilities so the IS auditor can determine the controls needed to mitigate risk.

In evaluating IT-related business processes applied by an organization, understanding the relationship between risk and control is important for IS audit and control professionals. IS auditors must be able to identify and differentiate risk types and the controls used to mitigate the risk. They must have knowledge of common business risk, related technology risk and relevant controls. They must also be able to evaluate the risk assessment and management techniques used by business managers,
and to make assessments of risk to help focus and plan audit work. In addition to an understanding of business risk and control, IS auditors must understand that risk exists within the audit process.

Risk is the combination of the probability of an event and its consequence (International Organization for Standardization [ISO] 31000:2009 Risk management - Principles and guidelines; ISO Guide 73:2009 Risk management - Vocabulary). Business risk may negatively impact the assets, processes or objectives of a specific business or organization. The IS auditor is often focused on high-risk issues associated with the confidentiality, integrity or availability of sensitive and critical information and the underlying information systems and processes that generate, store and manipulate such information. In reviewing these types of IT-related business risk, IS auditors will often assess the effectiveness of the risk management process an organization uses.

In analyzing the business risk arising from the use of IT, it is important for the IS auditor to have a clear understanding of:
• Industry and/or internationally accepted risk management processes
• The purpose and nature of business, the environment in which the business operates and related business risk
• The dependence on technology to process and deliver business information
• The business risk of using IT and how it impacts the achievement of the business goals and objectives
• A good overview of the business processes and the impact of IT and related risk on the business process objectives

ISACA's Risk IT Framework is based on a set of guiding principles and features business processes and management guidelines that conform to these principles. It is dedicated to helping enterprises manage IT-related risk. The collective experience of a global team of practitioners and experts and existing and emerging practices and methodologies for effective IT risk management have been consulted in the development of the Risk IT framework.
There are many definitions of risk, reflecting that risk means different things to different people. Perhaps one of the most holistic definitions of risk applicable throughout the information security business world is derived from NIST Special Publication 800-30 Revision 1, Guide for Conducting Risk Assessments:

Adverse impact(s) that could occur...to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations...due to the potential for unauthorized access, use, disclosure, disruption, modification or destruction of information and/or information systems.

This definition is used commonly by the IT industry because it puts risk into an organizational context by using the concepts of assets and loss of value, terms that are easily understood by business managers.

The risk assessment process is characterized as an iterative life cycle that begins with identifying business objectives, information assets, and the underlying systems or information resources that generate, store, use or manipulate the assets (hardware, software, databases, networks, facilities, people, etc.) critical to achieving these objectives. Because IT risk is dynamic, it is strategic for management to recognize the need for and establish a dynamic IT risk management process that supports the business risk management process. The greatest degree of risk management effort may then be directed toward those considered most sensitive or critical to the organization. After sensitive and/or critical information assets are identified, a risk assessment is performed to identify vulnerabilities and threats, and determine the probability of occurrence and the resulting impact and additional safeguards that would mitigate this impact to a level acceptable to management.

Next, during the risk mitigation phase, controls are identified for mitigating identified risk.
These controls are risk-mitigating countermeasures that should prevent or reduce the likelihood of a risk event occurring, detect the occurrence of a risk event, minimize the impact, or transfer the risk to another organization. The assessment of countermeasures should be performed through a cost-benefit analysis where controls to mitigate risk are selected to reduce risk to a level acceptable to management. This analysis process may be based on any of the following:
• The cost of the control compared to the benefit of minimizing the risk
• Management's appetite for risk (the level of residual risk that management is prepared to accept)
• Preferred risk-reduction methods (e.g., terminate the risk, minimize probability of occurrence, minimize impact, transfer the risk via insurance)

The final phase relates to monitoring performance levels of the risk being managed when identifying any significant changes in the environment that would trigger a risk reassessment, warranting changes to its control environment. It encompasses three processes, risk assessment, risk mitigation and risk reevaluation, in determining whether risk is being mitigated to a level acceptable to management. It should be noted that, to be effective, risk assessment should be an ongoing process in an organization that endeavors to continually identify and evaluate risk as it arises and evolves. See figure 1.3 for the summary of the risk management process.
[Figure 1.3: Risk Management Process. Identify Business Objectives (BO) → Identify Information Assets Supporting the BOs → Perform Risk Assessment (RA) (Threat → Vulnerability → Probability → Impact) → Perform Risk Mitigation (RM) (map risks with controls in place) → Perform Risk Treatment (RT) (significant risks not mitigated by existing controls) → Perform Periodic Risk Reevaluation (BO/RA/RM/RT)]

From the IS auditor's perspective, risk analysis serves more than one purpose:
• It assists the IS auditor in identifying risk and threats to an IT environment and IS system—risk and threats that would need to be addressed by management—and in identifying system-specific internal controls. Depending on the level of risk, this assists the IS auditor in selecting certain areas to examine.
• It helps the IS auditor in his/her evaluation of controls in audit planning.
• It assists the IS auditor in determining audit objectives.
• It supports risk-based audit decision making.

Figure 1.4 depicts the specific processes used by the IS auditor to realize the above listed objectives.

[Figure 1.4: Risk Assessment Process. Prepare for Assessment; Conduct Assessment (Identify Threat Sources and Events; Identify Vulnerabilities and Predisposing Conditions); Communicate Results; Maintain Assessment. Source: National Institute of Standards and Technology (NIST), NIST Special Publication 800-30 Revision 1, Guide for Conducting Risk Assessments, USA, 2012. Reprinted courtesy of the National Institute of Standards and Technology, U.S. Department of Commerce. Not copyrightable in the United States.]

1.4.2 INTERNAL CONTROLS

Internal controls are normally composed of policies, procedures, practices and organizational structures that are implemented to reduce risk to the organization. Internal controls are developed to provide reasonable assurance to management that the organization's business objectives will be achieved and risk events will be prevented, or detected and corrected. Internal control activities and supporting processes are either manual or driven by automated computer information resources. Internal controls operate at all levels within an organization to mitigate its exposures to risk that potentially could prevent it from achieving its business objectives.
The board of directors and senior management are responsible for establishing the appropriate culture to facilitate an effective and efficient internal control system, and for continuously monitoring the effectiveness of the internal control system, although each individual within an organization must take part in this process.

There are two key aspects that controls should address: (1) what should be achieved and (2) what should be avoided. Internal controls address business/operational objectives and should also address undesired events through prevention, detection and correction.

Elements of controls that should be considered when evaluating control strength are classified as preventive, detective or corrective in nature. Figure 1.5 displays control classifications, functions and uses.

Figure 1.5: Control Classifications

Class: Preventive
Function:
• Detect problems before they arise.
• Monitor both operation and inputs.
• Attempt to predict potential problems before they occur and make adjustments.
• Prevent an error, omission or malicious act from occurring.
Examples:
• Employ only qualified personnel.
• Segregate duties (deterrent factor).
• Control access to physical facilities.
• Use well-designed documents (prevent errors).
• Establish suitable procedures for authorization of transactions.
• Complete programmed edit checks.
• Use access control software that allows only authorized personnel to access sensitive files.
• Use encryption software to prevent unauthorized disclosure of data.

Class: Detective
Function:
• Use controls that detect and report the occurrence of an error, omission or malicious act.
Examples:
• Hash totals
• Check points in production jobs
• Echo controls in telecommunications
• Error messages over tape labels
• Duplicate checking of calculations
• Periodic performance reporting with variances
• Internal audit functions
• Review of activity logs to detect unauthorized access attempts
• Secure code reviews
• Software quality assurance

Class: Corrective
Function:
• Minimize the impact of a threat.
• Remedy problems discovered by detective controls.
• Identify the cause of a problem.
• Correct errors arising from a problem.
• Modify the processing system(s) to minimize future occurrences of the problem.
Examples:
• Contingency/continuity of operations planning
• Disaster recovery planning
• Incident response planning
• Backup procedures
• Rerun procedures

Note: A CISA candidate should know the differences between preventive, detective and corrective controls.

Control objectives are statements of the desired result or purpose to be achieved by implementing control activities (procedures). For example, control objectives may relate to the following concepts:
• Effectiveness
• Efficiency
• Confidentiality
• Integrity
• Availability
• Compliance
• Reliability

Control objectives apply to all controls, whether they are manual, automated or a combination (e.g., review of system logs). Control objectives in an IS environment do not differ from those in a manual environment; however, the way these controls are implemented may be different. Thus, control objectives need to be addressed relevant to specific IS-related processes.

1.4.3 IS CONTROL OBJECTIVES

IS control objectives provide a complete set of high-level requirements to be considered by management for effective control of each IT process. IS control objectives are:
• Statements of the desired result or purpose to be achieved by implementing controls around information systems processes
• Comprised of policies,
procedures, practices and organizational structures
• Designed to provide reasonable assurance that business objectives will be achieved and undesired events will be prevented or detected and corrected

Enterprise management needs to make choices relative to these control objectives by:
• Selecting those that are applicable
• Deciding on those that will be implemented
• Choosing how to implement them (frequency, span, automation, etc.)
• Accepting the risk of not implementing those that may apply

Specific IS control objectives may include:
• Safeguarding assets: information on automated systems is secure from improper access and current
• Ensuring system development life cycle (SDLC) processes are established, in place and operating effectively to provide reasonable assurance that business, financial and/or industrial software systems and applications are developed in a repeatable and reliable manner to assure business objectives are met. (See chapter 3, Information Systems Acquisition, Development and Implementation, for more information.)
• Ensuring integrity of general operating system (OS) environments, including network management and operations
• Ensuring integrity of sensitive and critical application system environments, including accounting/financial and management information (information objectives) and customer data, through:
 – Authorization of the input. Each transaction is authorized and entered only once.
 – Validation of the input. Each input is validated and will not cause negative impact to the processing of transactions.
 – Accuracy and completeness of processing of transactions. All transactions are recorded accurately and entered into the system for the proper period.
 – Reliability of overall information processing activities
 – Accuracy, completeness and security of the output
 – Database confidentiality, integrity and availability
• Ensuring appropriate identification and authentication of users of IS resources (end users as well as infrastructure support)
• Ensuring the efficiency and effectiveness of operations (operational objectives)
• Complying with the users' requirements, organizational policies and procedures, and applicable laws and regulations (compliance objectives)
• Ensuring availability of IT services by developing efficient business continuity plans (BCPs) and disaster recovery plans (DRPs)
• Enhancing protection of data and systems by developing an incident response plan
• Ensuring integrity and reliability of systems by implementing effective change management procedures
• Ensuring that outsourced IS processes and services have clearly defined service level agreements (SLAs) and contract terms and conditions to ensure the organization's assets are properly protected and meet business goals and objectives

1.4.4 COBIT 5

COBIT 5, developed by ISACA, provides a comprehensive framework that assists enterprises in achieving their objectives for the governance and management of enterprise IT (GEIT). Simply stated, it helps enterprises create optimal value from IT by maintaining a balance between realizing benefits and optimizing risk levels and resource use. COBIT 5 enables IT to be governed and managed in a holistic manner for the entire enterprise, taking in the full end-to-end business and IT functional areas of responsibility, considering the IT-related interests of internal and external stakeholders.
COBIT 5 is generic and useful for enterprises of all sizes, whether commercial, not-for-profit or in the public sector.

COBIT 5 is based on five key principles for governance and management of enterprise IT (shown in figure 1.6):
• Principle 1: Meeting Stakeholder Needs—Enterprises exist to create value for their stakeholders by maintaining a balance between the realization of benefits and the optimization of risk and use of resources. COBIT 5 provides all of the required processes and other enablers to support business value creation through the use of IT. Because every enterprise has different objectives, an enterprise can customize COBIT 5 to suit its own context through the goals cascade, translating high-level enterprise goals into manageable, specific, IT-related goals and mapping these to specific processes and practices.
• Principle 2: Covering the Enterprise End-to-End—COBIT 5 integrates governance of enterprise IT into enterprise governance:
 – It covers all functions and processes within the enterprise; COBIT 5 does not focus only on the "IT function" but treats information and related technologies as assets that need to be dealt with just like any other asset by everyone in the enterprise.
 – It considers all IT-related governance and management enablers to be enterprisewide and end-to-end (i.e., inclusive of everything and everyone—internal and external—that is relevant to governance and management of enterprise information and related IT).
• Principle 3: Applying a Single, Integrated Framework—There are many IT-related standards and good practices, each providing guidance on a subset of IT activities. COBIT 5 aligns with other relevant standards and frameworks at a high level, and thus can serve as the overarching framework for governance and management of enterprise IT.
• Principle 4: Enabling a Holistic Approach—Efficient and effective governance and management of enterprise IT requires a holistic approach, taking into account several interacting components. COBIT 5 defines a set of enablers to support the implementation of a comprehensive governance and management system for enterprise IT. Enablers are broadly defined as anything that can help to achieve the objectives of the enterprise. The COBIT 5 framework defines seven categories of enablers:
 – Principles, Policies and Frameworks
 – Processes
 – Organizational Structures
 – Culture, Ethics and Behavior
 – Information
 – Services, Infrastructure and Applications
 – People, Skills and Competencies
• Principle 5: Separating Governance from Management—The COBIT 5 framework makes a clear distinction between governance and management. These two disciplines encompass different types of activities, require different organizational structures and serve different purposes. COBIT 5's view on this key distinction between governance and management is:
 – Governance: Governance ensures that stakeholder needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved; setting direction through prioritization and decision making; and monitoring performance and compliance against agreed-on direction and objectives. In most enterprises, overall governance is the responsibility of the board of directors under the leadership of the chairperson. Specific governance responsibilities may be delegated to special organizational structures at an appropriate level, particularly in larger, complex enterprises.
 – Management: Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives.
In most enterprises, management is the responsibility of the executive management under the leadership of the chief executive officer (CEO).

Together, these five principles enable the enterprise to build an effective governance and management framework that optimizes information and technology investment and use for the benefit of stakeholders.

Note: A CISA candidate will not be asked to specifically identify the COBIT processes, the COBIT domains or the set of IT processes defined in each. However, candidates should know what frameworks are, what they do and why they are used by enterprises. Knowledge of the existence, structure and key principles of major standards and frameworks related to IT governance, assurance and security will also be advantageous. COBIT can be used as a supplemental study material in understanding control objectives and principles as detailed in this review material.

1.4.5 GENERAL CONTROLS

Controls include policies, procedures and practices (tasks and activities) established by management to provide reasonable assurance that specific objectives will be achieved. General controls apply to all areas of the organization including IT infrastructure and support services.
General controls include:
• Internal accounting controls that are primarily directed at accounting operations—controls that concern the safeguarding of assets and reliability of financial records
• Operational controls that concern day-to-day operations, functions and activities, and ensure that the operation is meeting the business objectives
• Administrative controls that concern operational efficiency in a functional area and adherence to management policies (administrative controls support the operational controls specifically concerned with these areas)
• Organizational security policies and procedures to ensure proper usage of assets
• Overall policies for the design and use of adequate documents and records (manual/automated) to help ensure proper recording of transactions—transactional audit trail
• Procedures and practices to ensure adequate safeguards over access to and use of assets and facilities
• Physical and logical security policies for all facilities, data centers and IT resources (servers and telecom infrastructure)

1.4.6 IS-SPECIFIC CONTROLS

Each general control can be translated into an IS-specific control. A well-designed information system should have controls built in for all its sensitive or critical functions. For example, the general procedure to ensure that adequate safeguards over access to assets and facilities exist can be translated into an IS-related set of control procedures, covering access safeguards over computer programs, data and computer equipment. The IS auditor should understand the basic control objectives that exist for all functions.
IS control procedures include:
• Strategy and direction of the IT function
• General organization and management of the IT function
• Access to IT resources, including data and programs
• Systems development methodologies and change control
• Operations procedures
• Systems programming and technical support functions
• Quality assurance (QA) procedures
• Physical access controls
• Business continuity (BCP)/disaster recovery planning (DRP)
• Networks and communications
• Database administration
• Protection and detective mechanisms against internal and external attacks

The IS auditor should understand concepts regarding IS controls and how to apply them in planning an audit.

Note: The IS controls listed in this section should be considered by the CISA candidate within the related job practice area (i.e., Protection of Information Assets).

1.5 PERFORMING AN IS AUDIT

Several steps are required to perform an audit. Adequate planning is a necessary first step in performing effective IS audits. To efficiently use IS audit resources, audit organizations must assess the overall risk for the general and application areas and related services being audited, and then develop an audit program that consists of objectives and audit procedures to satisfy the audit objectives. The audit process requires the IS auditor to gather evidence, evaluate the strengths and weaknesses of controls based on the evidence gathered through audit tests, and prepare an audit report that presents those issues (areas of control weaknesses with recommendations for remediation) in an objective manner to management.

Audit management must ensure the availability of adequate audit resources and a schedule for performing the audits and, in the case of internal IS audit, for follow-up reviews on the status of corrective actions taken by management. The process of auditing includes defining the audit scope, formulating audit objectives, identifying audit criteria, performing audit procedures, reviewing and evaluating evidence, forming audit conclusions and opinions, and reporting to management after discussion with key process owners.

Project management techniques for managing and administering audit projects, whether automated or manual, include the following basic steps:
• Plan the audit engagement—Plan the audit considering project-specific risk.
• Build the audit plan—Chart out the necessary audit tasks across a timeline, optimizing resource use. Make realistic estimates of the time requirements for each task with proper consideration given to the availability of the auditee.
• Execute the plan—Execute audit tasks against the plan.
• Monitor project activity—IS auditors report their actual progress against planned audit steps to ensure challenges are managed proactively and the scope is completed within time and budget.

1.5.1 AUDIT OBJECTIVES

Audit objectives refer to the specific goals that must be accomplished by the audit. In contrast, a control objective refers to how an internal control should function. An audit generally incorporates several audit objectives.

Audit objectives often focus on substantiating that internal controls exist to minimize business risk and that they function as expected. These audit objectives include assuring compliance with legal and regulatory requirements as well as the confidentiality, integrity, reliability and availability of information and IT resources. Audit management may give the IS auditor a general control objective to review and evaluate when performing an audit.

A key element in planning an IS audit is to translate basic and wide-ranging audit objectives into specific IS audit objectives. For example, in a financial/operational audit, a control objective could be to ensure that transactions are properly posted to the general ledger accounts.
However, in the IS audit, the objective could be extended to ensure that editing features are in place to detect errors in the coding of transactions that may impact the account posting.

The IS auditor must have an understanding of how general audit objectives can be translated into specific IS control objectives. Determining an audit's objectives is a critical step in planning an IS audit.

One of the basic purposes of any IS audit is to identify control objectives and the related controls that address the objective. For example, the IS auditor's initial review of an information system should identify key controls. The IS auditor should then decide whether to test these controls for compliance. The IS auditor should identify both key general and application controls after developing an understanding and documenting the business processes and the applications/functions that support these processes and general support systems. Based on that understanding, the IS auditor should identify the key control points. Alternatively, an IS auditor may assist in assessing the integrity of financial reporting data, referred to as substantive testing, through computer-assisted audit techniques (CAATs).

1.5.2 TYPES OF AUDITS

The IS auditor should understand the various types of audits that can be performed, internally or externally, and the audit procedures associated with each:
• Compliance audits—Compliance audits include specific tests of controls to demonstrate adherence to specific regulatory or industry standards. These audits often overlap traditional audits but may focus on particular systems or data. Examples include Payment Card Industry Data Security Standard (PCI DSS) audits for companies that process credit card data and Health Insurance Portability and Accountability Act (HIPAA) audits for companies that handle health care data.
• Financial audits—The purpose of a financial audit is to assess the accuracy of financial reporting. A financial audit will often involve detailed, substantive testing, although increasingly, auditors are placing more emphasis on a risk- and control-based audit approach. This kind of audit relates to financial information integrity and reliability.
• Operational audits—An operational audit is designed to evaluate the internal control structure in a given process or area. IS audits of application controls or logical security systems are some examples of operational audits.
• Integrated audits—An integrated audit combines financial and operational audit steps. An integrated audit is also performed to assess the overall objectives within an organization, related to financial information and assets' safeguarding, efficiency and compliance. An integrated audit can be performed by external or internal auditors and would include compliance tests of internal controls and substantive audit steps.
• Administrative audits—These are oriented to assess issues related to the efficiency of operational productivity within an organization.
• IS audits—This process collects and evaluates evidence to determine whether the information systems and related resources adequately safeguard assets, maintain data and system integrity and availability, provide relevant and reliable information, achieve organizational goals effectively, consume resources efficiently and have, in effect, internal controls that provide reasonable assurance that business, operational and control objectives will be met and that undesired events will be prevented, or detected and corrected, in a timely manner.
• Specialized audits—Within the category of IS audits, a number of specialized reviews examine areas such as services performed by third parties. Because businesses are becoming increasingly reliant on third-party service providers, it is important that internal controls be evaluated in these environments.
The Statement on Standards for Attestation Engagements 16 (SSAE 16), titled "Reporting on Controls at a Service Organization," is a widely known auditing standard developed by the American Institute of Certified Public Accountants (AICPA). This standard replaced the previous standard, Statement on Auditing Standards 70 (SAS 70), titled "Reports on the Processing of Transactions by Service Organizations." This standard defines the professional standards used by a service auditor to assess the internal controls of a service organization. This type of audit has become increasingly relevant due to the current trend of outsourcing of financial and business processes to third-party service providers, which, in some cases, may operate in different jurisdictions or even different countries. It should be noted that a Type 2 SSAE 16 review is a more thorough variation of a regular SSAE 16 review, which is often required in connection with regulatory reviews. Many other countries have their own equivalent of this standard. An SSAE 16-type audit is important because it represents that a service organization has been through an in-depth audit of their control activities, which generally include controls over information technology and related processes. SSAE 16-type reviews provide guidance to enable an independent auditor (service auditor) to issue an opinion on a service organization's description of controls through a service auditor's report, which then can be relied on by the IS auditor of the entity that utilizes the services of the service organization.
• Forensic audits—Forensic auditing has been defined as auditing specialized in discovering, disclosing and following up on fraud and crimes. The primary purpose of such a review is the development of evidence for review by law enforcement and judicial authorities. Forensic professionals have been called on to participate in investigations related to corporate fraud and cybercrime. In cases where computer resources may have been misused,
a further investigation is necessary to gather evidence for possible criminal activity that can then be reported to appropriate authorities. A computer forensic investigation includes the analysis of electronic devices such as computers, smartphones, disks, switches, routers, hubs and other electronic equipment. An IS auditor possessing the necessary skills can assist the information security manager in performing forensic investigations and conduct the audit of the systems to ensure compliance with the evidence collection procedures for forensic investigation. Electronic evidence is vulnerable to changes; therefore, it is necessary to handle electronic evidence with utmost care, and controls should ensure that no manipulation can occur. Chain of custody for electronic evidence should be established to meet legal requirements. Improperly handled computer evidence is subject to being ruled inadmissible by judicial authorities. The most important consideration for a forensic auditor is to make a bitstream image of the target drive and examine that image without altering date stamps or other information attributable to the examined files. Further, forensic audit tools and techniques such as data mapping for security and privacy risk assessment, and the search for intellectual property for data protection, are also being used for prevention, compliance and assurance.

1.5.3 AUDIT METHODOLOGY

An audit methodology is a set of documented audit procedures designed to achieve planned audit objectives. Its components are a statement of scope, audit objectives and audit programs. The audit methodology should be set up and approved by audit management to achieve consistency in the audit approach. This methodology should be formalized and communicated to all audit staff.

Figure 1.7 lists the phases of a typical audit. An early and critical product of the audit process should be an audit program that is the guide for performing and documenting all of the audit steps and the extent and types of evidential matter reviewed.
Although an audit program does not necessarily follow a specific set of steps, the IS auditor typically would follow, as a minimum course of action, sequential program steps to gain an understanding of the entity under audit, evaluate the control structure and test the controls.

Figure 1.7 (Audit Phase: Description)

Audit subject: Identify the area to be audited.

Audit objective: Identify the purpose of the audit. For example, an objective might be to determine whether program source code changes occur in a well-defined and controlled environment.

Audit scope: Identify the specific systems, function or unit of the organization to be included in the review. For example, in the previous example (program changes), the scope statement might limit the review to a single application system or to a limited period of time.

Preaudit planning:
• Identify the sources of information for test or review such as functional flow charts, policies, standards, procedures and prior audit work papers.
• Develop a communication plan at the beginning of each engagement that describes who to communicate to, when, how often and for what purposes.

Audit procedures and steps for data gathering:
• Identify and select the audit approach to verify and test the controls.
• Identify a list of individuals to interview.
• Identify and obtain departmental policies, standards and guidelines for review.
• Develop audit tools and methodology to test and verify controls.

Procedures for evaluating the test or review results:
• Identify methods (including tools) to perform the evaluation.
• Identify criteria for evaluating the test (similar to a test script for the auditor to use in conducting the evaluation).
• Identify means and resources to confirm the evaluation was accurate (and repeatable, if applicable).

Procedures for communication with management:
• Determine frequency of communication.
• Prepare documentation for final report.

Audit report preparation:
• Disclose follow-up review procedures.
• Disclose procedures to evaluate/test operational efficiency and effectiveness.
• Review and evaluate the soundness of documents, policies and procedures.

Each audit department should design and approve an audit methodology as well as the minimum steps to be observed in any audit assignment. All audit plans, programs, activities, tests, findings and incidents should be properly documented in work papers. The format and media of work papers can vary depending on specific needs of the department.
IS auditors should particularly consider how to maintain the integrity and protection of audit test evidence in order to preserve its value as substantiation in support of audit results.

Work papers can be considered the bridge or interface between the audit objectives and the final report. Work papers should provide a seamless transition, with traceability and support for the work performed, from objectives to report and from report to objectives. In this context, the audit report can be viewed as a particular work paper.

1.5.4 RISK-BASED AUDITING

Effective risk-based auditing is driven by two processes:
1. The risk assessment that drives the audit schedule (see section 1.5.6 Risk Assessment and Treatment)
2. The risk assessment that minimizes the audit risk during the execution of an audit (see section 1.5.5 Audit Risk and Materiality)

A risk-based audit approach is usually adapted to develop and improve the continuous audit process. This approach is used to assess risk and to assist an IS auditor in making the decision to perform either compliance testing or substantive testing. It is important to stress that the risk-based audit approach efficiently assists the auditor in determining the nature and extent of testing. Within this concept, inherent risk, control risk or detection risk should not be of major concern despite some weaknesses.

In a risk-based audit approach, IS auditors are not just relying on risk; they also are relying on internal and operational controls as well as knowledge of the company or the business. This type of risk assessment decision can help relate the cost-benefit analysis of the control to the known risk, allowing practical choices.
Business risk includes concerns about the probable effects of an uncertain event on achieving established business objectives. The nature of business risk may be financial, regulatory or operational and may also include risk derived from specific technology. For example, an airline company is subject to extensive safety regulations and economic changes, both of which impact the continuing operations of the company. In this context, the availability of IT service and reliability are critical.

By understanding the nature of the business, IS auditors can identify and categorize the types of risk that will better determine the risk model or approach in conducting the audit. The risk model assessment can be as simple as creating weights for the types of risk associated with the business and identifying the risk in an equation. On the other hand, risk assessment can be a scheme where risk has been given elaborate weights based on the nature of the business or the significance of the risk. A simplistic overview of a risk-based audit approach can be seen in figure 1.8.

1.5.5 AUDIT RISK AND MATERIALITY

Audit risk can be defined as the risk that information may contain a material error that may go undetected during the course of the audit. The IS auditor should also take into account, if applicable, other factors relevant to the organization: customer data privacy, availability of provided services, as well as corporate and public image, as in the case of public organizations or foundations.

Audit risk is influenced by:
• Inherent risk—As it relates to audit risk, it is the risk level or exposure of the process/entity to be audited without taking into account the controls that management has implemented. Inherent risk exists independent of an audit and can occur because of the nature of the business.
• Control risk—The risk that a material error exists that would not be prevented or detected on a timely basis by the system of internal controls.
For example, the control risk associated with manual reviews of computer logs can be high because activities requiring investigation are often easily missed due to the volume of logged information. The control risk associated with computerized data validation procedures is ordinarily low if the processes are consistently applied.
• Detection risk—The risk that material errors or misstatements that have occurred will not be detected by the IS auditor.
• Overall audit risk—The probability that information or financial reports may contain material errors and that the auditor may not detect an error that has occurred. An objective in formulating the audit approach is to limit the audit risk in the area under scrutiny so the overall audit risk is at a sufficiently low level at the completion of the examination.

Note: Audit risk should not be confused with statistical sampling risk, which is the risk that incorrect assumptions are made about the characteristics of a population from which a sample is selected.

Specifically, this means that an internal control weakness or set of combined internal control weaknesses leaves the organization highly susceptible to the occurrence of a threat (e.g., financial loss, business interruption, loss of customer trust, economic sanction, etc.). The IS auditor should be concerned with assessing the materiality of the items in question through a risk-based audit approach to evaluating internal controls.

The IS auditor should have a good understanding of audit risk when planning an audit. An audit sample may not detect every potential error in a population. However, by using proper statistical sampling procedures or a strong quality control process, the probability of detection risk can be reduced to an acceptable level.

Similarly, when evaluating internal controls, the IS auditor should realize that a given system may not detect a minor error. However, that specific error, combined with others, could become material to the overall system.

The concept of materiality requires sound judgment from the IS auditor.
The IS auditor may detect a small error that could be considered significant at an operational level, but may not be viewed as significant to upper management. Materiality considerations combined with an understanding of audit risk are essential concepts for planning the areas to be audited and the specific tests to be performed in a given audit.

1.5.6 RISK ASSESSMENT AND TREATMENT

Assessing Risk

To develop a more complete understanding of audit risk, the IS auditor should also understand how the organization being audited approaches risk assessment and treatment.

Risk assessments should identify, quantify and prioritize risk against criteria for risk acceptance and objectives relevant to the organization. The results should guide and determine the appropriate management action, priorities for managing information security risk and priorities for implementing controls selected to protect against risk. Risk assessments should also be performed periodically to address changes in the environment, security requirements and in the risk situation (e.g., in the assets, threats, vulnerabilities, impacts) and when significant changes occur. These risk assessments should be undertaken in a methodical manner capable of producing comparable and reproducible results.

The scope of a risk assessment can be either the entire organization, parts of the organization, an individual information system, specific system components or services where this is practicable, realistic and helpful.

Treating Risk

Before considering the treatment of risk, the organization should decide the criteria for determining whether risk can be managed within the risk appetite. Risk may be accepted if, for example, it is assessed that the risk is low or that the cost of treatment is not cost-effective for the organization. Such decisions should be recorded.

Risk identified in the risk assessment needs to be treated.
Possible risk response options include:
• Risk mitigation—Applying appropriate controls to reduce the risk
• Risk acceptance—Knowingly and objectively not taking action, providing the risk clearly satisfies the organization's policy and criteria for risk acceptance
• Risk avoidance—Avoiding risk by not allowing actions that would cause the risk to occur
• Risk transfer/sharing—Transferring the associated risk to other parties (insurers or suppliers)

For risk where the risk treatment decision has been to apply appropriate controls, controls should be selected to ensure that risk is reduced to an acceptable level, taking into account:
• Requirements and constraints of national and international legislation and regulations
• Organizational objectives
• Operational requirements and constraints
• Cost-effectiveness (the need to balance the investment in implementation and operation of controls against the harm likely to result from security failures)

Controls can be selected from professional or industry standards, or new controls can be designed to meet the specific needs of the organization. It is necessary to recognize that some controls may not be applicable to every information system or environment and might not be practical for all organizations.

Information security controls should be considered at the systems and project requirements specification and design stage. Failure to do so can result in additional costs and less effective solutions and, in a worst case scenario, the inability to achieve adequate security.

No set of controls can achieve complete security. Additional management action should be implemented to monitor, evaluate and improve the efficiency and effectiveness of security controls to support the organization's aims.

1.5.7 IS AUDIT RISK ASSESSMENT TECHNIQUES

When determining which functional areas should be audited, the IS auditor could face a large variety of audit subjects. Each of these subjects may represent different types of risk.
The IS auditor should evaluate these various risk candidates to determine the high-risk areas that should be audited.

There are many risk assessment methodologies, computerized and noncomputerized, from which the IS auditor may choose. These range from simple classifications based on the IS auditor's judgment of high, medium and low to complex scientific calculations that provide a numeric risk rating.

One such risk assessment approach is a scoring system that is useful in prioritizing audits based on an evaluation of risk factors. The system considers variables such as technical complexity, level of control procedures in place and level of financial loss. These variables may or may not be weighted. The risk values are then compared to each other, and audits are scheduled accordingly. Another form of risk assessment is judgmental, where an independent decision is made based on business knowledge, executive management directives, historical perspectives, business goals and environmental factors. A combination of techniques may be used as well. Risk assessment methods may change and develop over time to best serve the needs of the organization. The IS auditor should consider the level of complexity and detail appropriate for the organization being audited.

Using risk assessment to determine areas to be audited:
• Enables management to effectively allocate limited audit resources
• Ensures that relevant information has been obtained from all levels of management, including boards of directors, IS auditors and functional area management. Generally, this information assists management in effectively discharging its responsibilities and ensures that the audit activities are directed to high-risk areas, which will add value for management.
• Establishes a basis for effectively managing the audit department
• Provides a summary of how the individual audit subjects relate to the overall organization as well as to the business plans

1.5.8 AUDIT PROGRAMS

An audit program is a step-by-step set of audit procedures and instructions that should be performed to complete an audit. Audit programs for financial, operational, integrated, administrative and IS audits are based on the scope and objective of the particular assignment. IS auditors often evaluate IT functions and systems from different perspectives such as security (confidentiality, integrity and availability), quality (effectiveness, efficiency), fiduciary (compliance, reliability), service and capacity. The audit work program is the audit strategy and plan; it identifies scope, audit objectives and audit procedures to obtain sufficient, relevant and reliable evidence to draw and support audit conclusions and opinions.

General audit procedures are the basic steps in the performance of an audit and usually include:
• Obtaining and recording an understanding of the audit area/subject
• A risk assessment and general audit plan and schedule
• Detailed audit planning that would include the necessary audit steps and a breakdown of the work planned across an anticipated time line
• Preliminary review of the audit area/subject
• Evaluating the audit area/subject
• Verifying and evaluating the appropriateness of controls designed to meet control objectives
• Substantive testing (confirming the accuracy of information)
• Reporting (communicating results)
• Follow-up in cases where there is an internal audit function

The IS auditor must understand the procedures for testing and evaluating IS controls.
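The scoring system of section 1.5.7, which feeds the "risk assessment and general audit plan and schedule" step listed above, as an added example that is not part of the manual: each audit subject is rated on technical complexity, level of control procedures in place and level of financial loss, the ratings are weighted, and the scores are compared to rank the subjects on the audit schedule. The rating scale, the weights, the high/medium/low thresholds and the sample audit subjects are constructed assumptions.

```python
"""Weighted risk scoring to prioritize an audit universe.

Added example; not from the CISA Review Manual. It implements the scoring
system of section 1.5.7: each audit subject is rated on technical complexity,
level of control procedures in place and level of potential financial loss,
the factors are weighted, and the resulting scores are compared to rank the
subjects on the audit schedule. The rating scale, the weights, the risk bands
and the sample audit subjects are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Every factor is rated 1 (low) to 5 (high).
SCALE_MIN, SCALE_MAX = 1, 5

# Assumed weights; they sum to 1.0 so a weighted score stays on the 1..5 scale.
DEFAULT_WEIGHTS: Dict[str, float] = {
    "technical_complexity": 0.30,
    "control_level": 0.30,
    "financial_loss": 0.40,
}

# Assumed thresholds for the high/medium/low classification the manual mentions.
HIGH_THRESHOLD = 3.5
MEDIUM_THRESHOLD = 2.5


@dataclass(frozen=True)
class AuditSubject:
    name: str
    technical_complexity: int  # 1 = simple system, 5 = highly complex
    control_level: int         # 1 = weak control procedures, 5 = strong
    financial_loss: int        # 1 = negligible potential loss, 5 = severe


def _rating(value: int, factor: str) -> int:
    """Reject ratings outside the scale instead of silently skewing the score."""
    if not SCALE_MIN <= value <= SCALE_MAX:
        raise ValueError(f"{factor} rating {value} is outside {SCALE_MIN}..{SCALE_MAX}")
    return value


def risk_score(subject: AuditSubject, weights: Dict[str, float] = DEFAULT_WEIGHTS) -> float:
    """Weighted risk score on the 1..5 scale; a higher score is audited sooner."""
    if abs(sum(weights.values()) - 1.0) > 1e-9:
        raise ValueError("weights must sum to 1.0")
    complexity = _rating(subject.technical_complexity, "technical_complexity")
    # Strong controls lower risk, so the control rating is inverted:
    # control_level 5 (strong) becomes control risk 1, and 1 becomes 5.
    control_risk = SCALE_MAX + SCALE_MIN - _rating(subject.control_level, "control_level")
    loss = _rating(subject.financial_loss, "financial_loss")
    score = (weights["technical_complexity"] * complexity
             + weights["control_level"] * control_risk
             + weights["financial_loss"] * loss)
    return round(score, 2)


def risk_band(score: float) -> str:
    """Map a numeric score to the simple high/medium/low classification."""
    if score >= HIGH_THRESHOLD:
        return "high"
    if score >= MEDIUM_THRESHOLD:
        return "medium"
    return "low"


def schedule_audits(subjects: List[AuditSubject],
                    weights: Dict[str, float] = DEFAULT_WEIGHTS) -> List[Tuple[str, float, str]]:
    """Return (name, score, band) for every subject, highest risk first.

    Ties are broken by name so the schedule is reproducible, which matters
    when the ranking is filed in the audit work papers.
    """
    scored = [(s.name, risk_score(s, weights)) for s in subjects]
    scored.sort(key=lambda item: (-item[1], item[0]))
    return [(name, score, risk_band(score)) for name, score in scored]


# Constructed audit universe for the demonstration.
SAMPLE_SUBJECTS = [
    AuditSubject("Payroll application", technical_complexity=3, control_level=4, financial_loss=4),
    AuditSubject("Customer portal", technical_complexity=4, control_level=2, financial_loss=5),
    AuditSubject("Internal wiki", technical_complexity=1, control_level=3, financial_loss=1),
    AuditSubject("Treasury payments", technical_complexity=3, control_level=5, financial_loss=5),
]

if __name__ == "__main__":
    for name, score, band in schedule_audits(SAMPLE_SUBJECTS):
        print(f"{score:4.2f}  {band:<6}  {name}")
```

Note how the treasury system, despite the highest potential loss, ranks below the customer portal once its strong controls are credited; that is the cost-benefit relationship section 1.5.4 describes.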
The procedures for testing and evaluating IS controls could include:
• The use of generalized audit software to survey the contents of data files (including system logs)
• The use of specialized software to assess the contents of OS, database and application parameter files (or detect deficiencies in system parameter settings)
• Flow-charting techniques for documenting automated applications and business processes
• The use of audit logs/reports available in operation/application systems
• Documentation review
• Inquiry and observation
• Walkthroughs
• Reperformance of controls

The IS auditor should have a sufficient understanding of these procedures to allow for the planning of appropriate audit tests.

Note: For audit program examples, visit isaca.org/auditprograms

1.5.9 FRAUD DETECTION

The use of information technology for business has immensely benefited enterprises in terms of significantly increased quality of delivery of information. However, the widespread use of information technology and the Internet leads to risk that enables the perpetration of errors and fraud.

Management is primarily responsible for establishing, implementing and maintaining a framework and design of IT controls to meet the control objectives. A well-designed internal control system provides good opportunities for deterrence and/or timely detection of fraud. Internal controls may fail where such controls are circumvented by exploiting vulnerabilities or through management-perpetrated weakness in controls or collusion among people.

Legislation and regulations relating to corporate governance cast significant responsibilities on management, auditors and the audit committee regarding detection and disclosure of any fraud, whether material or not.

IS auditors should observe and exercise due professional care (1005 Due Professional Care) in all aspects of their work. IS auditors entrusted with assurance functions should ensure reasonable care while performing their work and be alert to the possible opportunities that allow fraud to materialize.
The presence of internal controls does not altogether eliminate fraud. IS auditors should be aware of the possibility and means of perpetrating fraud, especially by exploiting the vulnerabilities and overriding controls in the IT-enabled environment. IS auditors should have knowledge of fraud and fraud indicators, and be alert to the possibility of fraud and errors while performing an audit.

During the course of regular assurance work, the IS auditor may come across instances or indicators of fraud. After careful evaluation, the IS auditor may communicate the need for a detailed investigation to appropriate authorities. In the case of the auditor identifying a major fraud or if the risk associated with the detection is high, audit management should also consider communicating in a timely manner to the audit committee.

Regarding fraud prevention, the IS auditor should be aware of potential legal requirements concerning the implementation of specific fraud detection procedures and reporting fraud to appropriate authorities.

1.5.10 COMPLIANCE VERSUS SUBSTANTIVE TESTING

Compliance testing is evidence gathering for the purpose of testing an organization's compliance with control procedures. This differs from substantive testing in which evidence is gathered to evaluate the integrity of individual transactions, data or other information.

A compliance test determines whether controls are being applied in a manner that complies with management policies and procedures. For example, if the IS auditor is concerned about whether production program library controls are working properly, the IS auditor might select a sample of programs to determine whether the source and object versions are the same. The broad objective of any compliance test is to provide IS auditors with reasonable assurance that the particular control on which the IS auditor plans to rely is operating as the IS auditor perceived in the preliminary evaluation.
It is important that the IS auditor understands the specific objective of a compliance test and of the control being tested. Compliance tests can be used to test the existence and effectiveness of a defined process, which may include a trail of documentary and/or automated evidence, for example, to provide assurance that only authorized modifications are made to production programs.

A substantive test substantiates the integrity of actual processing. It provides evidence of the validity and integrity of the balances in the financial statements and the transactions that support these balances. IS auditors could use substantive tests to test for monetary errors directly affecting financial statement balances or other relevant data of the organization. Additionally, an IS auditor might develop a substantive test to determine whether the tape library inventory records are stated correctly. To perform this test, the IS auditor might take a thorough inventory or might use a statistical sample, which will allow the IS auditor to develop a conclusion regarding the accuracy of the entire inventory.

There is a direct correlation between the level of internal controls and the amount of substantive testing required. If the results of testing controls (compliance tests) reveal the presence of adequate internal controls, then the IS auditor is justified in minimizing the substantive procedures. Conversely, if the control testing reveals weaknesses in controls that may raise doubt about the completeness, accuracy or validity of the accounts, substantive testing can alleviate those doubts.

Examples of compliance testing of controls where sampling could be considered include user access rights, program change control procedures, documentation procedures, program documentation, follow-up of exceptions, review of logs and software license audits. Examples of substantive tests where sampling could be considered include performance of a complex calculation (e.g.,
interest) on a sample of accounts or a sample of transactions to vouch for supporting documentation.

The IS auditor could also decide during the preliminary assessment of the controls to include some substantive testing if the results of this preliminary evaluation indicate that implemented controls are not reliable or do not exist.

Figure 1.9 shows the relationship between compliance and substantive tests and describes the two categories of substantive tests.

Note: The IS auditor should be knowledgeable on when to perform compliance tests or substantive tests.

1.5.11 EVIDENCE

Evidence is any information used by the IS auditor to determine whether the entity or data being audited follows the established criteria or objectives and supports audit conclusions. It is a requirement that the auditor's conclusions be based on sufficient, relevant and competent evidence. When planning the IS audit, the IS auditor should take into account the type of audit evidence to be gathered, its use as audit evidence to meet audit objectives and its varying levels of reliability. Audit evidence may include:
• The IS auditor's observations (presented to management)
• Notes taken from interviews
• Results of independent confirmations obtained by the IS auditor from different stakeholders
• Material extracted from correspondence and internal documentation or contracts with external partners
• The results of audit test procedures

While all evidence will assist the IS auditor in developing audit conclusions, some types of evidence are more reliable than others. The rules of evidence and sufficiency as well as the competency of evidence must be taken into account as required by audit standards.

Determinants for evaluating the reliability of audit evidence include:
• Independence of the provider of the evidence—Evidence obtained from outside sources is more reliable than from within the organization. This is why confirmation letters are used for verification of accounts receivable balances.
Additionally, signed contracts or agreements with external parties could be considered reliable if the original documents are made available for review.
• Qualifications of the individual providing the information/evidence—Whether the providers of the information/evidence are inside or outside of the organization, the IS auditor should always consider the qualifications and functional responsibilities of the persons providing the information. This can also be true of the IS auditor. If an IS auditor does not have a good understanding of the technical area under review, the information gathered from testing that area may not be reliable, especially if the IS auditor does not fully understand the test.
• Objectivity of the evidence—Objective evidence is more reliable than evidence that requires considerable judgment or interpretation. An IS auditor's review of media inventory is direct, objective evidence. An IS auditor's analysis of the efficiency of an application, based on discussions with certain personnel, may not be objective audit evidence.
• Timing of the evidence—The IS auditor should consider the time during which information exists or is available in determining the nature, timing and extent of compliance testing and, if applicable, substantive testing. For example, audit evidence processed by dynamic systems, such as spreadsheets, may not be retrievable after a specified period of time if changes to the files are not controlled or the files are not backed up.

The IS auditor gathers a variety of evidence during the audit. Some evidence may be relevant to the objectives of the audit, while other evidence may be considered peripheral. The IS auditor should focus on the overall objectives of the review and not the nature of the evidence gathered.

The quality and quantity of evidence must be assessed by the IS auditor. These two characteristics are referred to by the International Federation of Accountants (IFAC) as competent (quality) and sufficient (quantity). Evidence is competent when it is both valid and relevant.
Audit judgment is used to determine when sufficiency is achieved in the same manner that is used to determine the competency of evidence.

An understanding of the rules of evidence is important for IS auditors because they may encounter a variety of evidence types. Gathering of evidence is a key step in the audit process. The IS auditor should be aware of the various forms of audit evidence and how evidence can be gathered and reviewed. The IS auditor should understand ISACA IS Audit and Assurance Standard 1205 Evidence and should obtain evidence of a nature and sufficiency to support audit findings.

Note: A CISA candidate, given an audit scenario, should be able to determine which type of evidence gathering technique would be best.

The following are techniques for gathering evidence:
• Reviewing IS organization structures—An organizational structure that provides an adequate separation or segregation of duties is a key general control in an IS environment. The IS auditor should understand general organizational controls and be able to evaluate these controls in the organization under audit. Where there is a strong emphasis on cooperative distributed processing or on end-user computing, IT functions may be organized somewhat differently than the classic IS organization, which consists of separate systems and operations functions. The IS auditor should be able to review these organizational structures and assess the level of control they provide.
• Reviewing IS policies and procedures—An IS auditor should review whether appropriate policies and procedures are in place, determine whether personnel understand the implemented policies and procedures, and ensure that policies and procedures are being followed. The IS auditor should verify that management assumes full responsibility for formulating, developing, documenting, promulgating and controlling policies covering general aims and
1.7.1 OBJECTIVES OF CSA

There are several objectives associated with adopting a CSA program. The primary objective is to leverage the internal control monitoring responsibilities to the functional areas. It is not intended to replace audit's responsibilities but to enhance them. Auditees, such as line managers, are responsible for controls in their environment; the managers also should be responsible for monitoring the controls. CSA programs also must educate management about control design and monitoring, particularly concentrating on areas of high risk. These programs are not just policies requiring clients to comply with control standards. Instead, they offer a variety of support ranging from written suggestions outlining acceptable control environments to in-depth workshops. When workshops are included in the program, an additional objective—the empowerment of workers to assess or even design the control environment—may be included in the program.

When employing a CSA program, measures of success for each phase (planning, implementation and monitoring) should be developed to determine the value derived from CSA and its future use. One critical success factor (CSF) is to conduct a meeting with the business unit representatives (including appropriate and relevant staff and management) to identify the business unit's primary objective—to determine the reliability of the internal control system. In addition, actions that increase the likelihood of achieving the primary objective should be identified.

A generic set of goals and metrics for each process, which can be used in designing and monitoring the CSA program, has been provided in COBIT. COBIT is a governance and control framework that provides guidance in the development of the control assessment method. One could develop a CSA method by identifying the tasks and processes that are relevant to the business environment and then defining the controls for relevant activities.
A CSA questionnaire can be developed using the statements in the relevant control objectives of the identified IT processes. Various components of the COBIT framework—such as the input/output matrix, RACI chart, goals, metrics and maturity model—can be converted into the form of a CSA questionnaire to assess each of the areas as required.

1.7.2 BENEFITS OF CSA

Some of the benefits of a CSA include the following:
• Early detection of risk
• More effective and improved internal controls
• Creation of cohesive teams through employee involvement
• Developing a sense of ownership of the controls in the employees and process owners and reducing their resistance to control improvement initiatives
• Increased employee awareness of organizational objectives, and knowledge of risk and internal controls
• Increased communication between operational and top management
• Highly motivated employees
• Improved audit rating process
• Reduction in control cost
• Assurance provided to stakeholders and customers
• Necessary assurance given to top management about the adequacy of internal controls as required by the various regulatory agencies and laws such as the US Sarbanes-Oxley Act

1.7.3 DISADVANTAGES OF CSA

CSA contains several disadvantages, including:
• It could be mistaken as an audit function replacement
• It may be regarded as an additional workload (e.g., one more report to be submitted to management)
• Failure to act on improvement suggestions could damage employee morale
• Lack of motivation may limit effectiveness in the detection of weak controls

1.7.4 AUDITOR ROLE IN CSA

The auditor's role in CSAs should be considered enhanced when audit departments establish a CSA program. When these programs are established, auditors become internal control professionals and assessment facilitators. Their value in this role is evident when management takes responsibility and ownership for internal control systems under their authority through process improvements in their control structures, including an active monitoring component.
For an auditor to be effective in this facilitative and innovative role, the auditor must understand the business process being assessed. This can be attained via traditional audit tools such as a preliminary survey or walk-through. Also, the auditors must remember that they are the facilitators and the management client is the participant in the CSA process. For example, during a CSA workshop, instead of the auditor performing detailed audit procedures, the auditor will lead and guide the auditees in assessing their environment by providing insight about the objectives of controls based on risk assessment. The managers, with a focus on improving the productivity of the process, might suggest replacement of preventive controls. In this case, the auditor is better positioned to explain the risk associated with such changes.

1.7.5 TECHNOLOGY DRIVERS FOR CSA

The development of techniques for empowerment, information gathering and decision making is a necessary part of a CSA program implementation. Some of the technology drivers include the combination of hardware and software to support CSA selection, and the use of an electronic meeting system and computer-supported decision aid to facilitate group decision making. Group decision making is an essential component of a workshop-based CSA where employee empowerment is a goal. In case of a questionnaire approach, the same principle applies for the analysis and readjustment of the questionnaire.

1.7.6 TRADITIONAL VERSUS CSA APPROACH

The traditional approach can be summarized as any approach in which the primary responsibility for analyzing and reporting on internal control and risk is assigned to auditors, and to a lesser extent, controller departments and outside consultants. This approach has created and reinforced the notion that auditors and consultants, not management and work teams, are responsible for assessing and reporting on internal control.
The CSA approach, on the other hand, emphasizes management and accountability over developing and monitoring internal controls of an organization's sensitive and critical business processes. A summary of attributes or focus that distinguishes each from the other is described in figure 1.12.

Figure 1.12—Attributes of the Traditional and CSA Approaches (table not recoverable from this scan; legible CSA-side entries include "Empowered, accountable employees", "Participant-driven" and "Continuous improvement/learning curve")

1.8 THE EVOLVING IS AUDIT PROCESS

The IS audit process must continually change to keep pace with innovations in technology. Topics to address these evolving changes include areas such as integrated auditing and continuous auditing.

1.8.1 INTEGRATED AUDITING

Dependence of business processes on information technology has necessitated that traditional financial and operational auditors develop an understanding of IT control structures and IS auditors develop an understanding of the business control structures. Integrated auditing can be defined as the process whereby appropriate audit disciplines are combined to assess key internal controls over an operation, process or entity.

The integrated approach focuses on risk. A risk assessment aims to understand and identify risk arising from the entity and its environment, including relevant internal controls. At this stage, the role of IT audit is typically to understand and identify risk under topical areas such as information management, IT infrastructure, IT governance and IT operations. Other audit specialists will seek to understand the organizational environment, business risk and business controls. A key element of the integrated approach is discussion of the risk arising among the whole audit team, with consideration of impact and likelihood. Detailed audit work then focuses on the relevant controls in place to manage this risk.
IT systems frequently provide a first line of preventive and detective controls, and the integrated audit approach depends on a sound assessment of their efficiency and effectiveness.

The integrated audit process typically involves:
• Identification of risk faced by the organization for the area being audited
• Identification of relevant key controls
• Review and understanding of the design of key controls
• Testing that key controls are supported by the IT system
• Testing that management controls operate effectively
• A combined report or opinion on control risk, design and weaknesses

The integrated audit demands a focus on business risk and a drive for creative control solutions. It is a team effort of auditors with different skill sets. Using this approach permits a single audit of an entity with one comprehensive report. An additional benefit is that this approach assists in staff development and retention by providing greater variety and the ability to see how all of the elements (functional and IT) mesh together to form the complete picture. See figure 1.13 for an integrated auditing approach.

Figure 1.13—Integrated Auditing Approach (diagram not recoverable from this scan; it shows the overlap of the Financial, Operational and IT audit disciplines)

The integrated audit concept has also radically changed the manner in which audits are looked on by the different stakeholders. Employees or process owners better understand the objectives of an audit because they are able to see the linkage between controls and audit procedures. Top management better understands the linkage between increased control effectiveness and corresponding improvements in the allocation and utilization of IT resources.
Shareholders are able to better understand the linkage between the push for a greater degree of corporate governance and its impact on the generation of financial statements that can be relied on. All these developments have led to greater impetus for the growing popularity of integrated audits.

Note: This topic on integrated auditing, though important, is not specifically tested in the CISA exam.

1.8.2 CONTINUOUS AUDITING

The focus on increased effectiveness and efficiency of assurance, internal auditing and control has spurred the development of new studies and examination of new ideas concerning continuous auditing as opposed to more traditional periodic auditing reviews. Several research studies and documents addressing the subject carry different definitions of continuous auditing. All studies, however, recognize that a distinctive character of continuous auditing is the short time lapse between the facts to be audited, the collection of evidence and audit reporting.

Traditional financial reports and the traditional audit style sometimes prove to be insufficient because they lack the essential element in the current business environment—updated information. Therefore, continuous auditing appears to be gaining more and more followers.

Some of the drivers of continuous auditing are a better monitoring of financial issues within a company, ensuring that real-time transactions also benefit from real-time monitoring, prevention of financial fraud and audit scandals such as Enron and Tesco Plc, and the use of software to determine that financial controls are proper. Continuous auditing involves a large amount of work because the company practicing continuous auditing will not provide one report at the end of a quarter but will provide financial reports on a more frequent basis. Audit functions in organizations that use ERP platforms are increasingly using automated governance, risk and compliance (GRC) tools, which flag transactions that meet predefined criteria on a real-time basis.
These tools are set up at the database level and pull data that meet the predefined criteria. Such data may include purchase invoices that have the same or similar address as that of an employee. The advantage of using these tools is that voluminous data are analyzed at high speed to highlight relevant patterns of data that may be of interest to the auditors.

Continuous auditing is not a recent development. Traditional application systems may contain embedded audit modules. These would allow an auditor to trap predefined types of events or to directly inspect abnormal or suspect conditions and transactions. Most current commercial applications could be customized with such features. However, cost and other considerations and the technical skill that would be required to establish and operate these tools tend to limit the usage of embedded audit modules to specific fields and applications.

To properly understand the implications and requirements of continuous auditing, a clear distinction has to be made between continuous auditing and continuous monitoring:
• Continuous monitoring—This is provided by IS management tools and typically based on automated procedures to meet fiduciary responsibilities. For instance, real-time antivirus or intrusion detection systems (IDSs) may operate in a continuous monitoring fashion.
• Continuous auditing—According to the Global Technology Audit Guide 3: Continuous Auditing: Implications for Assurance, Monitoring and Risk Assessment, continuous auditing is "a method to automatically perform control and risk assessments on a more frequent basis. Continuous auditing changes the audit paradigm from periodic reviews of a sample of transactions to ongoing audit testing of 100 percent of transactions. It becomes an integral part of modern auditing at many levels." Continuous (IS and non-IS) auditing is typically completed using automated audit procedures.

Continuous auditing should be independent of continuous control or monitoring activities.
When both continuous monitoring and auditing take place, continuous assurance can be established. In practice, continuous auditing is the precursor to management adopting continuous monitoring as a process on a day-to-day basis. Often the audit function will hand over the techniques used in continuous auditing to the business, which will then run the continuous monitoring. This collaboration has led to increased appreciation among process owners of the value that the audit function brings to the organization, leading to greater confidence and trust between the business and auditors. Nevertheless, the lack of independence and objectivity inherent in continuous monitoring should not be overlooked, and continuous monitoring should never be considered as a substitute for the audit function.

Continuous auditing efforts often incorporate new IT developments, increased processing capabilities of current hardware, software standards and artificial intelligence (AI) tools. Continuous auditing attempts to facilitate the collection and analysis of data at the moment of the transaction. Data must be gathered from different applications working within different environments, transactions must be screened, the transaction environment has to be analyzed to detect trends and exceptions, and atypical patterns (i.e., a transaction with significantly higher or lower value than typical for a given business partner) must be exposed. All of this must happen in real time, perhaps even before final sign-off of a transaction. It is mandatory to adopt and combine various top-level IT techniques. The IT environment is a natural enabler for the application of continuous auditing because of the intrinsic automated nature of its underlying processes.
Continuous auditing aims to provide a more secure platform to avoid fraud and a real-time process aimed at ensuring a high level of financial control. Prerequisites/preconditions for continuous auditing to succeed include:
• A high degree of automation
• An automated and highly reliable process in producing information about subject matter soon after or during the occurrence of events underlying the subject matter
• Alarm triggers to report early control failures
• Implementation of highly automated audit tools that require the IS auditor to be involved in setting up the parameters
• Quickly informing IS auditors of the results of automated procedures, particularly when the process has identified anomalies or errors
• The quick and timely issuance of automated audit reports
• Technically proficient IS auditors
• Availability of reliable sources of evidence
• Adherence to materiality guidelines
• A change of mind-set required for IS auditors to embrace continuous reporting
• Evaluation of cost factors

Simpler continuous auditing and monitoring tools are already built into many ERP packages and most OS and network security packages. These environments, if appropriately configured and populated with rules, parameters and formulas, can output exception lists on request while operating against actual data. Therefore, they represent an instance of continuous auditing. The difficult but significant added value to using these features is that they postulate a definition of what would be a "dangerous" or exception condition. For instance, whether a set of granted IS access permissions is to be deemed risk-free will depend on having well-defined rules of segregation of duties.
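The two exception conditions the text uses as illustrations, an invoice whose vendor address matches an employee's and a user holding privileges that a segregation-of-duties rule says must be separated, as an added Python example that is not from the CISA Review Manual or any GRC product. The SoD conflict pairs, the address-normalization rules, the rule identifiers and every record are constructed for illustration.

```python
"""Minimal continuous-auditing exception list in the style of the GRC checks
described above. Added example; not code from the CISA Review Manual or any
product. All rules and records are constructed for illustration."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Hypothetical segregation-of-duties (SoD) matrix: privilege pairs that no single
# user may hold at the same time. A real matrix comes from the entity's policy.
SOD_CONFLICTS = (
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"enter_invoice", "approve_payment"}),
    frozenset({"modify_payroll", "run_payroll"}),
)

# Hypothetical abbreviation map so "Street" and "St." compare equal.
_ABBREV = {"street": "st", "road": "rd", "avenue": "ave", "suite": "ste",
           "apartment": "apt"}


def normalize_address(addr: str) -> str:
    """Canonicalize an address so 'same or similar' addresses compare equal:
    lowercase, drop punctuation, collapse whitespace, map abbreviations."""
    words = re.sub(r"[^\w\s]", " ", addr.lower()).split()
    return " ".join(_ABBREV.get(w, w) for w in words)


@dataclass(frozen=True)
class Finding:
    rule: str      # rule identifier (constructed)
    subject: str   # user id or invoice id the exception concerns
    detail: str


def check_sod(user_privileges: dict[str, set[str]]) -> list[Finding]:
    """Rule SOD-001: flag any user holding a conflicting privilege pair."""
    findings = []
    for user, privs in sorted(user_privileges.items()):
        for pair in SOD_CONFLICTS:
            if pair <= privs:
                detail = "holds conflicting privileges " + " + ".join(sorted(pair))
                findings.append(Finding("SOD-001", user, detail))
    return findings


def check_vendor_employee_address(invoices: list[dict], employees: list[dict]) -> list[Finding]:
    """Rule INV-007: flag purchase invoices whose vendor address matches an
    employee's address after normalization (the example given in the text)."""
    by_addr: dict[str, list[str]] = {}
    for emp in employees:
        by_addr.setdefault(normalize_address(emp["address"]), []).append(emp["id"])
    findings = []
    for inv in invoices:
        hits = by_addr.get(normalize_address(inv["vendor_address"]))
        if hits:
            detail = f"vendor {inv['vendor']!r} address matches employee(s) {', '.join(hits)}"
            findings.append(Finding("INV-007", inv["invoice_id"], detail))
    return findings


def exception_list(invoices, employees, user_privileges) -> list[Finding]:
    """Run every rule against the live data and return the combined exception list."""
    return check_sod(user_privileges) + check_vendor_employee_address(invoices, employees)


# Constructed sample data (not real records).
EMPLOYEES = [
    {"id": "E100", "address": "12 Oak Street, Suite 4"},
    {"id": "E101", "address": "99 Elm Road"},
]
INVOICES = [
    {"invoice_id": "INV-1", "vendor": "Acme Supplies", "vendor_address": "500 Industrial Ave"},
    {"invoice_id": "INV-2", "vendor": "Oak Consulting", "vendor_address": "12 OAK ST., STE 4"},
]
USER_PRIVILEGES = {
    "E100": {"enter_invoice", "approve_payment"},   # SoD conflict
    "E101": {"create_vendor"},
    "E102": {"run_payroll"},
}

if __name__ == "__main__":
    for f in exception_list(INVOICES, EMPLOYEES, USER_PRIVILEGES):
        print(f"{f.rule} {f.subject}: {f.detail}")
```

The exception list is only as good as the rules behind it: an empty SOD_CONFLICTS table or a too-loose address normalization silently turns a real conflict into a non-finding, which is the point the text makes about needing well-defined rules first.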
On the other hand, it may be much harder to decide if a given sequence of steps, taken to modify and maintain database records, points to a potential risk.

IT techniques that are used to operate in a continuous auditing environment must work at all data levels—single input, transaction and databases—and include:
• Transaction logging
• Query tools
• Statistics and data analysis (CAAT)
• Database management system (DBMS)
• Data warehouses, data marts, data mining
• Intelligent agents
• Embedded audit modules (EAM)
• Neural network technology
• Standards such as Extensible Business Reporting Language (XBRL)

Intelligent software agents may be used to automate the evaluation processes and allow for flexibility and dynamic analysis capabilities. The configuration and application of intelligent agents (sometimes referred to as bots) allows for continuous monitoring of systems settings and the delivery of alert messages when certain thresholds are exceeded or when certain conditions are met.

Full continuous auditing processes have to be carefully built into applications and work in layers. The auditing tools must operate in parallel to normal processing—capturing real-time data, extracting standardized profiles or descriptors, and passing the result to the auditing layers.

Continuous auditing has an intrinsic edge over point-in-time or periodic auditing because it captures internal control problems as they occur, preventing negative effects. Implementation can also reduce possible or intrinsic audit inefficiencies such as delays, planning time, inefficiencies of the audit process, overhead due to work segmentation, multiple quality or supervisory reviews, or discussions concerning the validity of findings.
Full top management support, dedication, and extensive experience and technical knowledge are all necessary to accomplish continuous auditing, while minimizing the impact on the underlying audited business processes. The auditing layers and settings may also need continual adjustment and updating. Besides difficulty and cost, continuous auditing has an inherent disadvantage in that internal control experts and auditors might be resistant to trust an automated tool in lieu of their personal judgment and evaluation. Also, mechanisms have to be put in place to eliminate false negatives and false positives in the reports generated by such audits so that the report generated continues to inspire stakeholders' confidence in the accuracy of the report.

The implementation of continuous auditing involves many factors; however, the task is not impossible. There is an increasing desire to provide auditing over information in a real-time environment (or as close to real time as possible).

1.9 CASE STUDIES

The following case studies are included as a learning tool to reinforce the concepts introduced in this chapter.

1.9.1 CASE STUDY A

The IS auditor has been asked to perform preliminary work that will assess the readiness of the organization for a review to measure compliance with new regulatory requirements. These requirements are designed to ensure that management is taking an active role in setting up and maintaining a well-controlled environment and accordingly will assess management's review and testing of the general IT control environment. Areas to be assessed include logical and physical security, change management, production control and network management, IT governance, and end-user computing. The IS auditor has been given six months to perform this preliminary work, so sufficient time should be available.
It should be noted that in previous years, repeated problems have been identified in the areas of logical security and change management, so these areas will most likely require some degree of remediation. Logical security deficiencies noted included the sharing of administrator accounts and failure to enforce adequate controls over passwords. Change management deficiencies included improper segregation of incompatible duties and failure to document all changes. Additionally, the process for deploying OS updates to servers was found to be only partially effective. In anticipation of the work to be performed by the IS auditor, the chief information officer (CIO) requested direct reports to develop narratives and process flows describing the major activities for which IT is responsible. These were completed, approved by the various process owners and the CIO, and then forwarded to the IS auditor for examination.

A1. What should the IS auditor do FIRST?
A. Perform an IT risk assessment.
B. Perform a survey audit of logical access controls.
C. Revise the audit plan to focus on risk-based auditing.
D. Begin testing controls that the IS auditor feels are most critical.

A2. When testing program change management in this case, how should the sample be selected?
A. Change management documents should be selected at random and examined for appropriateness.
B. Changes to production code should be sampled and traced to appropriate authorizing documentation.
C. Change management documents should be selected based on system criticality and examined for appropriateness.
D. Changes to production code should be sampled and traced back to system-produced logs indicating the date and time of the change.

1.9.2 CASE STUDY B

An IS auditor is planning to review the security of a financial application for a large company with several locations worldwide. The application system is made up of a web interface, a business logic layer and a database layer. The application is accessed locally through a LAN and remotely through the Internet via a virtual private network (VPN) connection.

B1. The MOST appropriate type of CAAT tool the auditor should use to test security configuration settings for the entire application system is:
A. generalized audit software (GAS).
B. test data.
C. utility software.
D. expert system.

B2. Given that the application is accessed through the Internet, how should the auditor determine whether to perform a detailed review of the firewall rules and VPN configuration settings?
A. Documented risk analysis
B. Availability of technical expertise
C. Approach adopted in previous audits
D. IS auditing guidelines and best practices

B3. During the review, the auditor detected that the transaction authorization control objective cannot be achieved because of a lack of clearly defined roles and privileges in the application. The auditor should FIRST:
A. review the authorization on a sample of transactions.
B. immediately report this issue to management.
C. request that business management review the appropriateness of access rights for all users.
D. use GAS to check the integrity of the database.

1.9.3 CASE STUDY C

An IS auditor has been appointed to carry out IS audits in an entity for a period of two years. After accepting the appointment, the IS auditor noted that:
• The entity has an audit charter that details, among other things, the scope and responsibilities of the IS audit function and specifies the audit committee as the overseeing body for audit activity.
• The entity is planning a major increase in IT investment, mainly on account of implementation of a new ERP application, integrating business processes across units dispersed geographically. The ERP implementation is expected to become operational within the next 90 days. The servers supporting the business applications are hosted offsite by a third-party service provider.
• The entity has a new incumbent as chief information security officer (CISO) who reports to the chief financial officer (CFO).
• The entity is subject to regulatory compliance requirements that require its management to certify the effectiveness of the internal control system as it relates to financial reporting. The entity has been recording consistent growth over the last two years at double the industry average. However, the entity has seen increased employee turnover as well.

C1. The FIRST priority of the IS auditor in year one should be to study the:
A. previous IS audit reports and plan the audit schedule.
B. audit charter and plan the audit schedule.
C. impact of the new incumbent CISO.
D. impact of the implementation of a new ERP on the IT environment and plan the audit schedule.

C2. How should the IS auditor evaluate backup and batch processing within computer operations?
A. Plan and carry out an independent review of computer operations.
B. Rely on the service auditor's report of the service provider.
C. Study the contract between the entity and the service provider.
D. Compare the service delivery reports to the service level agreement.

1.10 ANSWERS TO CASE STUDY QUESTIONS

ANSWERS TO CASE STUDY A QUESTIONS

A1. A An IT risk assessment should be performed first to ascertain which areas present the greatest risk and what controls mitigate that risk. Although narratives and process flows have been created, the organization has not yet assessed which controls are critical. All other choices would be undertaken after performing the IT risk assessment.

A2. B When testing a control, it is advisable to trace from the item being controlled to the relevant control documentation. When a sample is chosen from a set of control documents, there is no way to ensure that every change was accompanied by appropriate control documentation. Accordingly, changes to production code provide the most appropriate basis for selecting a sample. These sampled changes should then be traced to appropriate authorizing documentation. In contrast, selecting from the population of change management documents will not reveal any changes that bypassed the normal approval and documentation process. Similarly, comparing production code changes to system-produced logs will not provide evidence of proper approval of changes prior to their being migrated to production.

ANSWERS TO CASE STUDY B QUESTIONS

B1. C When testing the security of the entire application system—including OSs, database and application security—the auditor will most likely use a utility software that assists in reviewing the configuration settings. In contrast, the auditor might use GAS to perform a substantive testing of data and configuration files of the application. Test data are normally used to check the integrity of the data, and expert systems are used to inquire on specific topics.

B2. A In order to decide if the audit scope should include specific infrastructure components (in this case, the firewall rules and VPN configuration settings), the auditor should perform and document a risk analysis in order to determine which sections present the greatest risk and include these sections in the audit scope. The risk analysis may consider factors such as previous revisions to the system, related security incidents within the company or other companies of the same sector, resources available to do the review and others. Availability of technical expertise and the approach used in previous audits may be taken into consideration; however, these should be of secondary importance. IS auditing guidelines and best practices provide a guide to the auditor on how to comply with IS audit standards, but by themselves they would not be sufficient to make this decision.

B3. A The auditor should first review the authorization on a sample of transactions in order to determine and be able to report the impact and materiality of this issue. Whether the auditor would immediately report the issue or wait until the end of the audit to report this finding will depend on the impact and materiality of the issue, which would require reviewing a sample of transactions. The use of GAS to check the integrity of the database would not help the auditor assess the impact of this issue.

ANSWERS TO CASE STUDY C QUESTIONS

C1. D In terms of priority, because the implementation of the new ERP will have far-reaching consequences on the way IS controls are configured in the system, the IS auditor should study the impact of implementation of the ERP and plan the audit schedule accordingly. Preferably, the IS auditor should discuss the audit plan with the external auditor and the internal audit division of the entity to make the audit more effective and useful for the entity.

C2. D The service delivery report that captures the actual performance of the service provider against the contractually agreed-on levels provides the best and most objective basis for evaluation of the computer operations. The service auditor's report is likely to be more useful from a controls evaluation perspective for the external auditor of the entity.