Cisa 1st Chapter

8/10/2019 Cisa 1st Chapter

1/25

CISA : Chapter #1 The Information Systems Audit Process 1

The Information Systems AuditProcess

www.getlec.com


2/25


The policies, procedures, practices andorganizational structures designed to

provide reasonable assurance that businessobjectives will be achieved and thatundesired events will be prevented ordetected and corrected.

Definitions :

Control :


3/25


A statement of the desired result or purposeto be achieved by implementing control

procedures in a particular IT activity.

Definitions :

IT Control Objective


4/25


A structure of relationships and processesto direct and control the enterprise in order

to achieve the enterprise's goals by addingvalue while balancing risk versus returnover IT and its processes

Definitions :

IT Governance


5/25


A successful organization is built on a solidframework of data and information. TheFramework explains how IT processes deliver theinformation that the business needs to achieve itsobjectives. This delivery is controlled through 34high-level control objectives, one for each ITprocess, contained in the four domains. TheFramework identifies which of the seveninformation criterion (effectiveness, efficiency,

confidentiality, integrity, availability, complianceand reliability), as well as which IT resources(people, applications, technology, facilities anddata) are important for the IT processes to fullysupport the business objective

Definitions :

IT Framework


6/25


In the light of Management Objectives welldocumented AUDIT Charter defining overallAuthority, Scope and Responsibility of theAUDIT function approved by Top Management

Risk AssessmentFamiliarity with Business Regulatory

Environment

Definitions :

Audit Mission


7/25CISA : Chapter #1 The Information Systems Audit Process 7

The potential that a given threat will exploitvulnerabilities of an asset or group of assets tocause loss or damage to the assets. The impact or relative severity of the risk is proportional tothe business value of the loss/damage and to theestimated frequency of the threat.

Risk Analysis :

Risk Elements

Risk

ThreatImpactFrequency


8/25


Are those threats that may impact the assets,processes or objectives of a specific businessorganization. The natures of these threats maybe :

FinancialRegulatoryOperationalOr may arise as a result of the interaction of the business with its

environmentOr may arise in result of the strategies, systems and particulartechnology, process, procedure and information system used bythe business

Risk Analysis :

Business Risk


9/25


Policies, procedures, practices and organizational

structure put into place to reduce risks.

Internal Control

1. Preventive2. Detective

3. Corrective

Control Classification


10/25


Are statements of the desired result or purpose to

be achieved by implementing control procedurein a particular activity.

Internal Control Objectives

Internal Accounting Controls Operational Controls Administrative Controls


11/25


1. Safeguard of information technology assets2. Compliance to corporate policies or legal

requirements.

3. Authorization/Input4. Accuracy and completeness of processing of

transactions5. Output6. Reliability of process7. Backup / Recovery8. Efficiency and economy of operation

Internal Control Objectives include :


12/25


1. Safeguard Assets

2. Integrity of general operations3. Integrity of sensitive and critical application

Systems through:Authorization,

AccuracyReliabilityCompleteness and security of OutputDatabase Integrity

4. Efficiency & Effectiveness5. Compliance6. Continui ty & Disaster Recovery Plan

7. Incident Response and Handling plan

IS Control Objectives include :


13/25


1. Strategy and Direction2. General Organization and management3. Access to data and programs4. System development methodologies and change control5. Data Processing operations6. Systems programming and technical support functions7. Data Processing and quality assurance procedures

8. Physical access controls9. Business continuity/Disaster recovery planning10. Networks and communications11. Data Administration

IS Systems Control Procedures include :


14/25


1. Financial Audit2. Operational Audit3. Integrated Audit

4. Administrative Audits5. Information System Audits6. Special Audit (3 rd Party & Forensic Frauds and crimes)

An Information System Audit : Any Audit that encompasses review and evaluation ofautomated information processing, related non-automated

processes and the interfaces between them.

Classification of Audits :


15/25


1. Understanding of the Audit area/subject2. Risk Assessment3. Detailed audit planning4. Preliminary review of Audit area / subject5. Evaluating Audit are/subject6. Compliance Testing ( often test of controls)7. Substantive testing8. Reporting

9. Follow-up

Audit Procedures :


16/25


1. Inherent Risk2. Control Risk3. Detection Risk4. Overall Audit Risk

Categories of Audit Risk :

Audit Risk :

Risk that the information/financial report may contain

material error that may go undetected during the courseof Audit


17/25


Risk Assessment Techniques :

These techniques may becomputerizednon-computerized,Scoring andJudgment

based upon business knowledge, executivemanagement directives, historical perspective,

business goals and environmental factors


18/25


Compliance Testing :

A compliance test determines if control are beingapplied in a manner that comply withmanagement policies and procedures.

Substantive Testing:

A Substantive test substances the integrity ofactual processing.


19/25


Evidence :

Evidence is any information used by the auditors

whether the entity or data being audited followsthe established audit criteria or objective.These should be sufficient, relevant andcompetent

Reliability of Evidences:

Independence of the provider

Qualification of the provider Objectivity of the evidenceTiming of the evidence


20/25


Evidence gathering Techniques :

Reviewing IS organization structuresReviewing IS PoliciesReviewing IS StandardsReviewing IS documentationInterviewing appropriate personnelObserving processes and employees

performance.


21/25


Computer Assisted Audit techniques :

Generalized Audit Software, Utility Software, test

data, application software tracing and mappingand expert systems.

These tools can be used for Test of details of transactions and balances Analytical review procedures Compliance test of IS general controls Compliance Test of Application controlsPenetration and OS vulnerabilities


22/25


CAATs Advantages :

Reduced Level of Audit Risk

Greater independence from the auditeeBroader and more consistent audit coverageFaster availability of information

Improved exception identificationGreater flexibility of run timesGreater opportunity to quantify internal control

weaknessEnhanced samplingCost saving over time


23/25


Evaluation of Strengths and weaknessesof Audit :

JudgmentControl Matrix (ranking)(Col-known type of errors)(Row-Known Controls)

Compensating/Overlapping ControlsTotality of ControlsSupporting evidences


24/25


Communicating Audit Results :

Constraints on the conduct of the Audit :


25/25

Keep visiting Getlec.com


Cisa 1st Chapter

Documents

Transcript of Cisa 1st Chapter