CISA

Information System Auditing Process


Exam Overview

o 150 Questions (some “pre-exam”)
o 4 hours
o Online or In-Person with PSI
o You need a score of 450 to pass on a scale of 200-800
Exam Overview

Domain 1 – Information System Auditing Process (21%)
Domain 2 – Governance and Management of IT (17%)
Domain 3 – Information Systems Acquisition, Development and Implementation (12%)
Domain 4 – Information Systems Operation and Business Resilience (23%)
Domain 5 – Protection of Information Assets (27%)
Standards, Guidelines and Practices

o ISACA IS Audit and Assurance Standards are considered mandatory requirements for IS auditing
o Includes standards, guidelines, tools and techniques for multiple levels of documentation
o Based on ISACA Code of Professional Ethics
IS Audit and Assurance Standards

o Three categories:
  o General
  o Performance
  o Reporting
IT Audit Framework (ITAF)

o Comprehensive practice-setting reference model
o Establishes standards that address IS auditor roles
o Defines terms and concepts specific to IS assurance
o Not testable!
Business Processes

o Set of interrelated cross-functional activities or events that result in the delivery of a product or service
o Business Process Owner is responsible for:
  o Identifying requirements
  o Approving process design
  o Managing process performance
IS Audit Functions – The Audit Charter

o Clearly states management’s responsibilities for, and delegation of authority to, the IS Auditor
o Changes only if the change is justified
o IS Audit function’s responsibility, authority and accountability are documented here
o Scope of the audit is here
IS Audit Resource Management

o Audit independence and competence must be preserved
o IS auditors must be technically competent with appropriate skills
o Staff training should be planned out for the year
o Appropriate tools should be available to the IS auditors
Audit Planning

o Conducted at the beginning of the audit process
o All relevant processes that represent the enterprise business should be included in the audit universe
o Evaluation of risk is based on inputs from the business process owners
o Audit plans should include all “HIGH” risk processes
o Understand the effect of laws and regulations on IS Audits
Steps to Audit Planning

1. Understand the organization’s mission, objective and purpose
2. Understand the organization’s governance structure
3. Review prior audit work papers
4. Perform a risk analysis
5. Set the audit scope and audit objectives
6. Develop the audit approach and strategy
7. Assign personnel to the audit
8. Address engagement logistics
Business Processes Applications and Controls

o E-Commerce
o Electronic Data Interchange
o Email
o Point-of-Sale (POS) systems
o Electronic Banking
o Industrial Control Systems (SCADA)
o AI and Expert Systems
E-Commerce Requirements

o Persistent customer data should not be stored on servers exposed to the internet
o Auditors should review:
  o Interconnection agreements
  o Security mechanisms
  o Application logs
  o Middleware usage
Electronic Data Interchange (EDI)

o Uses communications and translation software along with standards
o IS Auditor should be aware of the two approaches related to EDI:
  o Traditional proprietary version
  o Publicly available commercial infrastructure (Internet)
o EDI processes need to detect and deal with transactions that do not conform to the standard format
Electronic Banking

o Risk Management Controls:
  o Board and Management Oversight
  o Security Controls
  o Legal and Reputational Risk
o EFT audits should have the auditor reviewing the physical security of unissued plastic cards and PIN generation
o Auditors should also review exception reports to provide an audit trail
AI and Expert Systems

o Expert systems are an area of AI
o Associated with Knowledge Bases (KBs):
  o Decision Trees
  o Rules
  o Semantic Nets
o IS Auditor should:
  o Understand the functionality of the system
  o Review adherence to corporate policies
  o Review the Decision Logic
  o Review security access
Control Types and Objectives

o Every organization has controls
o Controls are made up of:
  o Policies
  o Procedures
  o Practices
  o Organizational Structures
o Controls should address what should be ACHIEVED and what should be AVOIDED
Control Types

o Preventative
  o Detect problems before they arise
  o Monitor operation and inputs
o Detective
  o Detects and reports the occurrence of an error or omission
o Corrective
  o Minimize the impact
  o Remedy problems
Control Objectives

o Safeguarding Assets
o Ensuring integrity of OS environments
o Ensuring integrity of sensitive and critical application systems
o Ensuring appropriate identification and authentication of users
o Ensuring availability of IT services
General Controls

o Internal accounting controls
o Operational controls
o Administrative controls
o Organizational security policies
o Physical and logical security policies for all facilities
Specific Controls

o General controls can be translated into IS-specific controls
o A control matrix is often used in assessing the proper level of controls
o Strong controls may compensate for weak controls
o IS Auditors should be aware of compensating controls
o Overlapping controls are two strong controls
Risk-based Audit Planning

o Deployment of audit resources to areas within an organization that represent the greatest risk
o Uses risk assessment to drive the plan
o Audit risk is influenced by:
  o Inherent Risk
  o Control Risk
  o Detection Risk
Risk-based Audit Approach

1. Gather Information and Plan
2. Obtain Understanding of Internal Control
3. Perform Compliance Tests
4. Perform Substantive Tests

IS Auditor must understand how the organization being audited approaches risk
Risk Analysis

o A subset of risk assessment
o Qualitative – subjective, typically uses a form of a probability/impact matrix
o Quantitative – adds a time or money value to the P&I
o Risk assessment is iterative!
Types of Audits and Assessments

o IS Audit – collects and evaluates evidence to determine if an Information System is adequately safeguarded
o Compliance Audit – specific tests of controls to demonstrate adherence to specific regulatory or industry standards
o Financial Audit – assesses the accuracy of financial reporting
o Operational Audit – evaluates internal control structure (Application controls)
Project Management and Auditing

o Plan the audit engagement/program
o Build out the audit plan
o Execute the plan
o Monitor the plan
Audit Program

o Step-by-step set of audit procedures and instructions
o Purpose of Audit Program:
  o Formal documentation of audit procedures
  o Creation of procedures that are repeatable
  o Documentation of the type of testing (Compliance or Substantive)
Considerations When Executing Audit Plan

o IS Auditor must understand how general audit objectives are translated into specific IS control objectives
o IS Auditor should identify both key general and application controls
o A primary objective in IS-based audits is to ensure compliance with legal and regulatory requirements
Typical Audit Process by Phase

Planning Phase:
o Determine Audit Subject
o Define Audit Objective
o Set Audit Scope
o Determine Procedures

Fieldwork Phase:
o Acquire Data
o Test Controls
o Issue Discovery
o Document Results

Reporting Phase:
o Gather Report Requirements
o Draft Report
o Issue Report
o Follow Up
Audit Work Papers and Irregular Findings

o All audit plans, programs, etc. should be documented in Work Papers
o Work Papers are the bridge or interface between the objectives and final report
o IS auditors must be alert to the possibility of fraud and errors
o Always double check your findings and document everything
o If fraud is discovered, the audit committee should be notified and possibly appropriate authorities
Sampling Methodology

o To reach valid conclusions, audit sampling should be performed
o Purpose of the Sampling:
  o Compliance Testing – Test of Controls
  o Substantive Testing – Test of Details
Sampling

o Statistical Sampling – Determining the sample size and selection criteria using mathematical laws of probability
o Non-Statistical Sampling – Judgmental sampling, based on subjective reasoning (more risky)
o When using either method, the IS Auditor should design and select the audit sample, perform audit procedures and evaluate results
Attribute vs. Variable Sampling

o Attribute Sampling:
  o Go/No Go Sampling
  o Discovery Sampling (Fraud)
o Variable Sampling:
  o Stratified mean per unit
  o Unstratified mean per unit
  o Difference estimation
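As an added worked illustration of the sampling types listed above (not part of the CISA slides), the following Python estimators apply attribute sampling for a compliance test (deviation rate, discovery sample size) and the three variable-sampling estimators for a substantive test to constructed invoice figures; the tolerable deviation rate and all sample values are assumptions.

```python
"""Attribute and variable sampling estimators for an IS audit.
Added illustration, not from the CISA material; all sample figures are constructed."""
import math
import statistics


def attribute_deviation_rate(control_passed):
    """Go/no-go (attribute) sampling: fraction of sampled items that failed the control."""
    return sum(1 for ok in control_passed if not ok) / len(control_passed)


def compliance_conclusion(control_passed, tolerable_rate):
    """Compliance test: rely on the control only if the sample deviation rate is tolerable;
    otherwise the risk-based approach moves on to more substantive testing."""
    rate = attribute_deviation_rate(control_passed)
    return "rely" if rate <= tolerable_rate else "do not rely; extend substantive testing"


def discovery_sample_size(expected_rate, confidence):
    """Discovery sampling (fraud search): smallest n for which the chance of seeing at
    least one deviation is >= confidence when deviations occur at expected_rate."""
    return math.ceil(math.log(1 - confidence) / math.log(1 - expected_rate))


def unstratified_mean_per_unit(sample_values, population_size):
    """Variable sampling: project the sample mean over the whole population."""
    return population_size * statistics.mean(sample_values)


def stratified_mean_per_unit(strata):
    """strata: list of (stratum_size, sample_values). Each stratum is projected on its own,
    which tightens the estimate when a few very large invoices dominate the population."""
    return sum(size * statistics.mean(values) for size, values in strata)


def difference_estimation(sample_pairs, population_size, book_total):
    """sample_pairs: (recorded_value, audited_value). The mean misstatement found in the
    sample is projected onto the recorded total to estimate the true population total."""
    mean_diff = statistics.mean(audited - recorded for recorded, audited in sample_pairs)
    return book_total + population_size * mean_diff


if __name__ == "__main__":
    # Constructed sample of 25 purchase orders: True = the required approval was present.
    approvals = [True] * 23 + [False] * 2
    print(compliance_conclusion(approvals, tolerable_rate=0.05))   # 8% > 5%: do not rely
    print(discovery_sample_size(expected_rate=0.01, confidence=0.95))
    # Constructed substantive sample (recorded, audited) drawn from 1,000 invoices.
    pairs = [(100.0, 90.0), (200.0, 200.0), (300.0, 270.0)]
    print(difference_estimation(pairs, population_size=1000, book_total=200000.0))
```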
Collecting Evidence

o Evidence – Information used by an IS auditor to prove whether the entity or data follows objectives
o Some types of evidence are more reliable than others:
  o Independence of the provider
  o Qualifications of the individual
  o Objectivity of the evidence
Evidence Gathering Techniques

o IS Organization Structure Reviews
o IS Policies Review
o Interviewing Appropriate Personnel
o Observation of processes
o Reperformance
o Walk-throughs
Data Analytics

o Important tool for any IS Auditor
o Assists in:
  o Determining operational effectiveness of current control environment
  o Identifying business process improvements
  o Identification of fraud
  o Identification of exceptions
o Data Analytics can be effective in both planning and fieldwork phases of an audit
Computer Assisted Audit Techniques (CAATs)

o Useful in gathering and analyzing large amounts of data
o Enables an IS Auditor to gather information independently
o Include many types of tools and techniques such as GAS
o Auditors should weigh the costs and benefits of using CAATs
Continuous Auditing

o Uses CAATs
o Used by IS Auditors to continuously monitor system reliability and gather a sample of data
o Is not the same as continuous monitoring
o It’s important to validate the source of data and not miss manual changes
Continuous Auditing Techniques

o Systems Control Audit Review File (SCARF/EAM)
o Snapshots
o Audit Hooks
o Integrated Test Facilities
o Continuous and Intermittent Simulation (CIS)
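An added toy example (not from the CISA material or any real product) of how three of the techniques above fit together inside an application: an embedded audit module (EAM) that writes qualifying transactions to a SCARF, takes a snapshot of each record at the processing point, and raises an audit hook for a condition the auditor asked to be told about immediately; the transaction feed, the SCARF threshold and the hook rule are constructed.

```python
"""Toy embedded audit module illustrating SCARF/EAM, snapshots and audit hooks.
Added example, not from the CISA material; the feed and selection rules are constructed."""
from dataclasses import dataclass, field


@dataclass
class EmbeddedAuditModule:
    """Audit code embedded in the application so it observes every transaction as it is
    processed (continuous auditing) instead of running as a separate batch analysis."""
    scarf_threshold: float                            # SCARF criterion: record amounts at/above this
    scarf_file: list = field(default_factory=list)    # System Control Audit Review File for later review
    snapshots: list = field(default_factory=list)     # before/after images taken at the hook point
    alerts: list = field(default_factory=list)        # audit hook output: immediate flags to the auditor

    def on_transaction(self, txn, balance_before, balance_after):
        # Snapshot: picture of the record as it passes the processing point.
        self.snapshots.append((txn["id"], balance_before, balance_after))
        # SCARF: copy transactions meeting the preset criterion into the review file.
        if abs(txn["amount"]) >= self.scarf_threshold:
            self.scarf_file.append(txn["id"])
        # Audit hook: flag a segregation-of-duties condition as soon as it occurs.
        if txn.get("entered_by") == txn.get("approved_by"):
            self.alerts.append(f"{txn['id']}: entered and approved by the same user")


def post_ledger(transactions, eam):
    """Apply ledger entries, letting the EAM observe each one in-line."""
    balances = {}
    for txn in transactions:
        before = balances.get(txn["account"], 0.0)
        after = before + txn["amount"]
        balances[txn["account"]] = after
        eam.on_transaction(txn, before, after)
    return balances


def run_demo():
    """Runs the constructed feed through the EAM and returns balances plus the module state."""
    feed = [  # constructed transaction feed
        {"id": "T1", "account": "AP", "amount": 250.0, "entered_by": "ana", "approved_by": "bob"},
        {"id": "T2", "account": "AP", "amount": 12000.0, "entered_by": "ana", "approved_by": "bob"},
        {"id": "T3", "account": "AR", "amount": -75.0, "entered_by": "cy", "approved_by": "cy"},
    ]
    eam = EmbeddedAuditModule(scarf_threshold=10000.0)
    return post_ledger(feed, eam), eam


if __name__ == "__main__":
    balances, eam = run_demo()
    print(balances, eam.scarf_file, eam.alerts, eam.snapshots)
```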
Communicating the Audit Report

o Exit interviews are conducted at the end of the audit
o IS Auditors:
  o Make sure facts are correct and material
  o Make sure recommendations are realistic and cost-effective
  o Recommend implementation dates for recommendations
Report Objectives

o Formally present the audit results to the auditee
o Serves as formal closure of the audit engagement
o Serves as a valued reference for any party researching the auditee
o Provides statements of assurance and identifies areas requiring corrective action
Report Objectives

o Serves as a basis for a follow-up audit if necessary
o Helps to promote audit credibility
Audit Report Structure

o Introduction including statement of audit objectives and any limitations to scope
o Audit findings included in separate sections
o IS Auditor’s conclusion and opinion on the adequacy of controls and procedures
o Any reservations or qualifications of the Auditor
Audit Report Structure

o Detailed audit findings and recommendations
o Extraneous findings which may be material or minor

An IS auditor makes the final decision on what to include or exclude from the audit report.
Quality Assurance

o Auditors can be a big help in the area of quality assurance in regard to control of information systems
o IS Auditors act in the role of facilitator to the business process owners
o A CSA (control self-assessment) program can be implemented to assist
Control Self-Assessments

o Assesses controls using staff that are part of the business unit
o A management technique that assures stakeholders that the internal control system is reliable
o Primary objective is to leverage the internal audit function by shifting some of the control monitoring to functional areas
Benefits of CSAs

o Early detection of risk
o Increased communication between ops and management
o Highly motivated staff
o More cohesive teams
o Reduction in control cost
Disadvantages of CSAs

o Mistaken for an audit replacement
o Regarded as additional workload to the staff
o Failure to act on suggestions would lower morale
o Lack of motivation on the part of the staff
