2007 CISA Review Course
CHAPTER 1: The IS Audit Process
Process Area Objective
“The objective of the process area is to ensure that the CISA candidate has the knowledge necessary to provide information systems (IS) audit services in accordance with IS audit standards, guidelines and best practices to assist the organization in ensuring that its information technology and business systems are protected and controlled.”
Process Area Summary
According to the CISA Certification Board, this Process Area will represent approximately 10% of the CISA examination (approximately 20 questions).
II - ISACA IS Auditing Standards and Guidelines
1. ISACA Code of Professional Ethics
The Association’s Code of Professional Ethics provides guidance for the professional and personal conduct of members of the Association and/or holders of the CISA and CISM designations.
II - ISACA IS Auditing Standards and Guidelines
3. ISACA IS Auditing Guidelines
G1 Using the Work of Other Auditors, effective 1 June 1998
G2 Audit Evidence Requirement, effective 1 December 1998
G3 Use of Computer Assisted Audit Techniques (CAATs), effective 1 December 1998
G4 Outsourcing of IS Activities to Other Organisations, effective 1 September 1999
G5 Audit Charter, effective 1 September 1999
G6 Materiality Concepts for Auditing Information Systems, effective 1 September 1999
G7 Due Professional Care, effective 1 September 1999
G8 Audit Documentation, effective 1 September 1999
G9 Audit Considerations for Irregularities, effective 1 March 2000
G10 Audit Sampling, effective 1 March 2000
G11 Effect of Pervasive IS Controls, effective 1 March 2000
G12 Organizational Relationship and Independence, effective 1 September 2000
G13 Use of Risk Assessment in Audit Planning, effective 1 September 2000
G14 Application Systems Review, effective 1 November 2001
G15 Planning Revised, effective 1 March 2002
G16 Effect of Third Parties on an Organization’s IT Controls, effective 1 March 2002
G17 Effect of Nonaudit Role on the IS Auditor’s Independence, effective 1 July 2002
G18 IT Governance, effective 1 July 2002
G19 Irregularities and Illegal Acts, effective 1 July 2002
G20 Reporting, effective 1 January 2003
G21 Enterprise Resource Planning (ERP) Systems Review, effective 1 August 2003
G22 Business-to-consumer (B2C) E-commerce Review, effective 1 August 2003
G23 System Development Life Cycle (SDLC) Review, effective 1 August 2003
G24 Internet Banking, effective 1 August 2003
G25 Review of Virtual Private Networks, effective 1 July 2004
G26 Business Process Reengineering (BPR) Project Reviews, effective 1 July 2004
G27 Mobile Computing, effective 1 September 2004
G28 Computer Forensics, effective 1 September 2004
G29 Post-implementation Review, effective 1 January 2005
G30 Competence, effective 1 June 2005
G31 Privacy, effective 1 June 2005
G32 Business Continuity Plan (BCP) Review From IT Perspective, effective 1 September 2005
G33 General Considerations on the Use of the Internet, effective 1 March 2006
G34 Responsibility, Authority and Accountability, effective 1 March 2006
G35 Follow-up Activities, effective 1 March 2006
II - ISACA IS Auditing Standards and Guidelines
4. ISACA IS Auditing Procedures
P1 IS Risk Assessment, effective 1 July 2002
P2 Digital Signatures, effective 1 July 2002
P3 Intrusion Detection, effective 1 August 2003
P4 Viruses and Other Malicious Code, effective 1 August 2003
P5 Control Risk Self-assessment, effective 1 August 2003
P6 Firewalls, effective 1 August 2003
P7 Irregularities and Illegal Acts, effective 1 November 2003
P8 Security Assessment: Penetration Testing and Vulnerability Analysis, effective 1 September 2004
P9 Evaluation of Management Controls Over Encryption Methodologies, effective 1 January 2005
IV – Internal Controls
2. IS Control Objectives
Internal control objectives apply to all areas, whether manual or automated. Therefore, conceptually, control objectives in an IS environment remain unchanged from those of a manual environment.
V – Performing an IS Audit
Definition of Auditing
Systematic process by which a competent, independent person objectively obtains and evaluates evidence regarding assertions about an economic entity or event for the purpose of forming an opinion about and reporting on the degree to which the assertion conforms to an identified set of standards.
Definition of IS Auditing
Any audit that encompasses review and evaluation (wholly or partly) of automated information processing systems, related non-automated processes and the interfaces between them.
V – Performing an IS Audit
12. Using the Services of Other Auditors and Experts
Considerations when using services of other auditors and experts:
• Restrictions on outsourcing of audit/security services provided by laws and regulations
• Audit charter or contractual stipulations
• Impact on overall and specific IS audit objectives
• Impact on IS audit risk and professional liability
• Independence and objectivity of other auditors and experts
• Professional competence, qualifications and experience
V – Performing an IS Audit
17. Audit Documentation
Documentation should include, at a minimum, a record of the:
• Planning and preparation of the audit scope and objectives
• Description and/or walkthroughs on the scoped audit area
• Audit program
• Audit steps performed and audit evidence gathered
• Use of services of other auditors and experts
• Audit findings, conclusions and recommendations
VI - Control Self-Assessment
5. Traditional vs. CSA Approach
Traditional approach: Any approach in which the primary responsibility for analyzing and reporting on internal control and risk is assigned to auditors and, to a lesser extent, controller departments and outside consultants.
CSA approach: Emphasizes management and accountability over developing and monitoring internal controls of an organization’s sensitive and critical business processes.
VII - Emerging Changes in the IS Audit Process
3. Continuous Auditing
Definition: “A methodology that enables independent auditors to provide written assurance on a subject matter using a series of auditors’ reports issued simultaneously with, or a short period of time after, the occurrence of events underlying the subject matter.”
VIII - Chapter 1 Case Study
1. Case Study Scenario
The IS auditor has been asked to perform preliminary work that will assess the readiness of the organization for a review to measure compliance with new regulatory requirements. These requirements are designed to ensure that management is taking an active role in setting up and maintaining a well-controlled environment and, accordingly, will assess management’s review and testing of the general IT control environment. Areas to be assessed include logical and physical security, change management, production control and network management, IT governance, and end-user computing. The IS auditor has been given six months to perform this preliminary work, so sufficient time should be available.

It should be noted that in previous years, repeated problems have been identified in the areas of logical security and change management, so these areas will most likely require some degree of remediation. Logical security deficiencies noted included the sharing of administrator accounts and failure to enforce adequate controls over passwords. Change management deficiencies included improper segregation of incompatible duties and failure to document all changes. Additionally, the process for deploying operating system updates to servers was found to be only partially effective.

In anticipation of the work to be performed by the IS auditor, the chief information officer (CIO) requested direct reports to develop narratives and process flows describing the major activities for which IT is responsible. These were completed, approved by the various process owners and the CIO, and then forwarded to the IS auditor for examination.
VIII - Chapter 1 Case Study
2. Case Study Questions
1. What should the IS auditor do FIRST?
A. Perform an IT risk assessment.
B. Perform a survey audit of logical access controls.
C. Revise the audit plan to focus on risk-based auditing.
D. Begin testing controls that the IS auditor feels are most critical.

2. When testing program change management, how should the sample be selected?
A. Change management documents should be selected at random and examined for appropriateness.
B. Changes to production code should be sampled and traced to appropriate authorizing documentation.
C. Change management documents should be selected based on system criticality and examined for appropriateness.
D. Changes to production code should be sampled and traced back to system-produced logs indicating the date and time of the change.