CRM 2007 Chapter 1

CISA Review Manual 2007, Chapter 1: The IS Audit Process


1.1 Introduction 11
  1.1.1 Organization of the IS Audit Function 11
  1.1.2 IS Audit Resource Management 11
  1.1.3 Audit Planning 11
  1.1.4 Effect of Laws and Regulations on IS Audit Planning 12

1.2 ISACA IS Auditing Standards and Guidelines 14
  1.2.1 ISACA Code of Professional Ethics 14
  1.2.2 ISACA IS Auditing Standards 14
  1.2.3 ISACA IS Auditing Guidelines 17
    Index of Guidelines 17
  1.2.4 ISACA IS Auditing Procedures 18
    Index of Procedures 18
  1.2.5 Relationship Among Standards, Guidelines and Procedures 18

1.3 Risk Analysis 18

1.4 Internal Controls 20
  1.4.1 Internal Control Objectives 21
  1.4.2 IS Control Objectives 21
  1.4.3 COBIT 22
  1.4.4 General Control Procedures 22
  1.4.5 IS Control Procedures 22

1.5 Performing an IS Audit 23
  1.5.1 Classification of Audits 23
  1.5.2 Audit Programs 24
  1.5.3 Audit Methodology 25
  1.5.4 Fraud Detection 26
  1.5.5 Audit Risk and Materiality 27
  1.5.6 Risk Assessment Techniques 29
  1.5.7 Audit Objectives 29
  1.5.8 Compliance vs. Substantive Testing 30
  1.5.9 Evidence 31
  1.5.10 Interviewing and Observing Personnel in Action 33
  1.5.11 Sampling 33
  1.5.12 Using the Services of Other Auditors and Experts 35
  1.5.13 Computer-assisted Audit Techniques 36
    CAATs as a Continuous Online Audit Approach 37
    CAATs Summary 37
  1.5.14 Evaluation of Audit Strengths and Weaknesses 37
    Judging the Materiality of Findings 38
  1.5.15 Communicating Audit Results 39
    Audit Report Structure and Contents 39
  1.5.16 Management Implementation of Recommendations 40
  1.5.17 Audit Documentation 41
    Constraints on the Conduct of the Audit 41
    Project Management Techniques 42


1.6 Control Self-assessment 42
  1.6.1 Benefits of CSA 42
  1.6.2 Disadvantages of CSA 43
  1.6.3 Auditor Role in CSA 44
  1.6.4 Technology Drivers for CSA 44
  1.6.5 Traditional vs. CSA Approach 44

1.7 Emerging Changes in the IS Audit Process 45
  1.7.1 Automated Work Papers 45
  1.7.2 Integrated Auditing 45
  1.7.3 Continuous Auditing 46

1.8 Chapter 1 Case Study 49
  1.8.1 Case Study Scenario 49
  1.8.2 Case Study Questions 49
  1.8.3 Answers to Case Study Questions 50

1.9 Practice Questions 51

1.10 Answers to Practice Questions 53

1.11 Suggested Resources for Reference 55


The objective of this area is to ensure that the CISA candidate has the knowledge necessary to provide information systems (IS) audit services in accordance with IS audit standards, guidelines and best practices to assist the organization in ensuring that its information technology and business systems are protected and controlled.

This area represents 10 percent of the CISA examination (approximately 20 questions).

There are five (5) tasks within the IS audit process area:
1.1. Develop and implement a risk-based IS audit strategy for the organization in compliance with IS audit standards, guidelines and best practices.
1.2. Plan specific audits to ensure that IT and business systems are protected and controlled.
1.3. Conduct audits in accordance with IS audit standards, guidelines and best practices to meet planned audit objectives.
1.4. Communicate emerging issues, potential risks and audit results to key stakeholders.
1.5. Advise on the implementation of risk management and control practices within the organization while maintaining independence.

There are 10 knowledge statements within the IS audit process area:
1.1. Knowledge of ISACA IS Auditing Standards, Guidelines and Procedures and Code of Professional Ethics
1.2. Knowledge of IS auditing practices and techniques
1.3. Knowledge of techniques to gather information and preserve evidence (e.g., observation, inquiry, interview, computer-assisted audit techniques [CAATs], electronic media)
1.4. Knowledge of the evidence life cycle (e.g., the collection, protection, chain of custody)
1.5. Knowledge of control objectives and controls related to IS (e.g., COBIT)
1.6. Knowledge of risk assessment in an audit context
1.7. Knowledge of audit planning and management techniques
1.8. Knowledge of reporting and communication techniques (e.g., facilitation, negotiation, conflict resolution)
1.9. Knowledge of control self-assessment (CSA)
1.10. Knowledge of continuous audit techniques


1.1 INTRODUCTION


1.1.1 ORGANIZATION OF THE IS AUDIT FUNCTION

The role of the IS audit function should be established by an audit charter. IS audit can be a part of internal audit or integrated within financial and operational audit (see exhibit 1.7) to provide IT-related control assurance to the financial or management auditors; therefore, the audit charter may include IS audit as an audit support function. The charter should state clearly management's responsibility and objectives for, and delegation of authority to, the IS audit function. This document should outline the overall authority, scope and responsibilities of the audit function. The highest level of management and the audit committee, if available, should approve this charter. Once established, this charter should be changed only if the change can be and is thoroughly justified. ISACA IS Auditing Standards require that the responsibility, authority and accountability of the information systems audit function are appropriately documented in an audit charter or engagement letter.

1.1.2 IS AUDIT RESOURCE MANAGEMENT

IS auditors are a limited resource and IS technology is constantly changing. Therefore, it is important that IS auditors maintain their competency through updates of existing skills and obtain training directed toward new audit techniques and technological areas. Specifically, the IS auditor should understand techniques for managing audit projects with appropriately trained members of the audit staff. ISACA IS Auditing Standards require that the IS auditor is technically competent, having the skills and knowledge necessary to perform the auditor's work. Further, the IS auditor is to maintain technical competence through appropriate continuing professional education. Skill and knowledge should be taken into consideration when planning audits and assigning staff to specific audit assignments.

Preferably, a detailed staff training plan should be drawn up for the year based on the organization's direction in terms of technology and related risk issues that need to be addressed. This should be reviewed semiannually to ensure that the training needs are aligned to the direction that the audit organization is taking. Additionally, IS audit management should also provide the necessary IT resources needed to properly perform IS audits of a highly specialized nature (e.g., software, scanners for network intrusion tests, penetration testing).

1.1.3 AUDIT PLANNING

Audit planning consists of both short- and long-term planning. Short-term planning takes into account audit issues that will be covered during the year, whereas long-term planning relates to audit plans that will take into account risk-related issues regarding changes in the organization's IT strategic direction that will affect the organization's IT environment.

Analysis of short- and long-term issues should occur at least annually. This is necessary to take into account new control issues, changing technologies, changing business processes and enhanced evaluation techniques. The results of this analysis for planning future audit activities should be reviewed by senior audit management, approved by the audit committee, if available, or alternatively by the board of directors, and communicated to relevant levels of management.

In addition to overall annual planning, each individual audit assignment must be adequately planned. The IS auditor should understand that other considerations, such as risk assessment by management, privacy issues and regulatory requirements, may impact the overall approach to the audit. The IS auditor should also take into consideration system implementation/upgrade deadlines, current and future technologies, requirements of business process owners, and IS resource limitations.

When planning an audit, the IS auditor must have an understanding of the overall environment under review. This should include a general understanding of the various business practices and functions relating to the audit subject, as well as the types of information systems and technology supporting the activity. For example, the IS auditor should be familiar with the regulatory environment in which the business operates.


To perform audit planning, the IS auditor should perform the following steps in order:
• Gain an understanding of the business's mission, objectives, purpose and processes, which include information and processing requirements, such as availability, integrity, security and business technology.
• Identify stated contents, such as policies, standards and required guidelines, procedures, and organization structure.
• Evaluate the risk assessment of any privacy impact analysis carried out by management.
• Perform a risk analysis.
• Conduct an internal control review.
• Set the audit scope and audit objectives.
• Develop the audit approach or audit strategy.
• Assign personnel resources to the audit and address engagement logistics.

ISACA IS Auditing Standards require that the IS auditor plans the IS audit work to address the audit objectives and comply with applicable professional auditing standards. The IS auditor should develop an audit plan that takes into consideration the objectives of the auditee relevant to the audit area and its technology infrastructure. Where appropriate, the IS auditor should also consider the area under review and its relationship to the organization (strategically, financially and/or operationally) and obtain information on the strategic plan, including the IS strategic plan. The IS auditor should have an understanding of the auditee's information architecture and the auditee's technological direction to design a plan appropriate for the present and, where appropriate, future technology of the auditee.

Steps an IS auditor could take to gain an understanding of the business include:
• Touring key organization facilities
• Reading background material including industry publications, annual reports and independent financial analysis reports
• Reviewing long-term strategic plans
• Interviewing key managers to understand business issues
• Reviewing prior audit reports or IT-related reports
• Identifying specific regulations applicable to IT

Another basic component of planning is the matching of available audit resources to the tasks as defined in the audit plan. The IS auditor who prepares the plan should consider the requirements of the audit project, staffing resources and other constraints. This matching exercise should consider the needs of individual audit projects as well as the overall needs of the audit department.

1.1.4 EFFECT OF LAWS AND REGULATIONS ON IS AUDIT PLANNING

Each organization, regardless of its size or the industry within which it operates, will need to comply with a number of governmental and external requirements related to computer system practices and controls and to the manner in which computers, programs and data are stored and used. Additionally, business regulations can impact the way data are processed, transmitted and stored (stock exchange, central banks, etc.).

Special attention should be given to these issues in those industries that historically have been closely regulated. For example, the banking industry worldwide has severe penalties for companies and their officers should the company not be able to provide an adequate level of service because of substandard backup and recovery procedures. Also, Internet service providers are subject, in several countries, to specific laws regarding confidentiality and service availability.

IS auditors should review management's privacy policy to ascertain whether it takes into account the requirements of applicable privacy laws and regulations, including transborder data flow requirements such as Safe Harbor and the Organization for Economic Cooperation and Development (OECD) guidelines governing the protection of privacy and transborder flows of personal data.

Several countries, because of growing dependencies upon information systems and related technology, are making efforts to establish added layers of regulatory requirements concerning IS audit. The contents of these legal regulations regard:
• Establishment of the regulatory requirements
• Organization of the regulatory requirements


• Responsibilities assigned to the corresponding entities
• Correlation to financial, operational and IT audit functions

Management personnel as well as audit management, at all levels, should be aware of the external requirements relevant to the goals and plans of the organization and to the responsibilities and activities of the information services department/function/activity.

There are two major areas of concern: legal requirements (laws, regulatory and contractual agreements) placed on audit or IS audit, and legal requirements placed on the auditee and its systems, data management, reporting, etc. These areas would impact audit scope and audit objectives. The latter is important to internal and external auditors. Legal issues also impact the organization's business operations in terms of compliance with ergonomic regulations, the US Health Insurance Portability and Accountability Act (HIPAA), Protection of Personal Data Directives and Electronic Commerce within the European Community, etc.

An example of strong control practices is the US Sarbanes-Oxley Act of 2002, which requires evaluating an organization's IT controls. Sarbanes-Oxley provides for new corporate governance rules, regulations and standards for specified public companies including US Securities and Exchange Commission (SEC) registrants. The SEC has mandated the use of a recognized internal control framework. Sarbanes-Oxley requires organizations to select and implement a suitable internal control framework. The Internal Control-Integrated Framework from the Committee of Sponsoring Organizations of the Treadway Commission (COSO) has become the most commonly adopted framework. IS auditors have to consider the impact of Sarbanes-Oxley as part of audit planning. A similar example is the European Basle II for financial organizations.

The following are steps that an IS auditor would perform to determine an organization's level of compliance with external requirements:
• Identify those government or other relevant external requirements dealing with:
  - Electronic data, personal data, copyrights, e-commerce, e-signatures, etc.
  - Computer system practices and controls
  - The manner in which computers, programs and data are stored
  - The organization or the activities of the information services
  - IS audits
• Document pertinent laws and regulations.
• Assess whether the management of the organization and the IS function have considered the relevant external requirements in making plans and in setting policies, standards and procedures.
• Review internal IS department/function/activity documents that address adherence to laws applicable to the industry.
• Determine adherence to established procedures that address these requirements.

It is expected that the organization would have a legal compliance function upon which the IS control practitioner could rely.

Due to accounting and brokerage scandals, the quality of information provided to investors has become a matter of primary interest worldwide.

In Europe, the Basle II Committee on Banking Supervision recommends conditions that should be fulfilled, besides the size of capital, to support credit exposures. These conditions will ideally result in an improvement of:
• Credit risk management
• Operational risk management
• The management of information systems through clearly defined requirements

The US Sarbanes-Oxley Act also aims at a more thorough control of the operations and the information systems supporting them. The fulfillment of the requirements of either the European Basle II or the US Sarbanes-Oxley Act might result in an enhanced stability of operations.

Note: A CISA candidate will not be asked about any specific laws or regulations, but may be questioned about how one would audit for compliance with laws and regulations. The examination will only test knowledge of accepted global practices.


1.2 ISACA IS AUDITING STANDARDS AND GUIDELINES

1.2.1 ISACA CODE OF PROFESSIONAL ETHICS

ISACA sets forth this Code of Professional Ethics to guide the professional and personal conduct of members of the association and/or its certification holders.

Members and ISACA certification holders shall:
1. Support the implementation of, and encourage compliance with, appropriate standards, procedures and controls for information systems
2. Perform their duties with objectivity, due diligence and professional care, in accordance with professional standards and best practices
3. Serve in the interest of stakeholders in a lawful and honest manner, while maintaining high standards of conduct and character, and not engage in acts discreditable to the profession
4. Maintain the privacy and confidentiality of information obtained in the course of their duties unless disclosure is required by legal authority. Such information shall not be used for personal benefit or released to inappropriate parties.
5. Maintain competency in their respective fields and agree to undertake only those activities that they can reasonably expect to complete with professional competence
6. Inform appropriate parties of the results of work performed, revealing all significant facts known to them
7. Support the professional education of stakeholders in enhancing their understanding of IS security and control

Failure to comply with this Code of Professional Ethics can result in an investigation into a member's and/or certification holder's conduct and, ultimately, in disciplinary measures.

Note: A CISA candidate is not expected to have memorized the ISACA IS Auditing Standards, Guidelines and Procedures and the ISACA Code of Professional Ethics word for word. Rather, the candidates will be tested on their understanding of the standard, guideline or code, its objectives and how it applies in a given situation.

1.2.2 ISACA IS AUDITING STANDARDS

The specialized nature of IS auditing and the skills and knowledge necessary to perform such audits require globally applicable standards that pertain specifically to IS auditing. One of the most important functions of ISACA is providing information (common body of knowledge) to support knowledge requirements. (See standard S4 Professional Competence.)

One of ISACA's goals is to advance standards to meet this need. The development and dissemination of the IS Auditing Standards is a cornerstone of the association's professional contribution to the audit community. The IS auditor needs to be aware that there may be additional standards, or even legal requirements through legislation, placed on the auditor.

The objectives of the ISACA IS Auditing Standards are to inform:
• IS auditors of the minimum level of acceptable performance required to meet the professional responsibilities set out in the Code of Professional Ethics for IS auditors
• Management and other interested parties of the profession's expectations concerning the work of audit practitioners

The framework for the ISACA IS Auditing Standards provides for multiple levels, as follows:
• Standards define mandatory requirements for IS auditing and reporting.
• Guidelines provide guidance in applying IS Auditing Standards. The IS auditor should consider them in determining how to achieve implementation of the above standards, use professional judgment in their application and be prepared to justify any departure.
• Procedures provide examples of processes an IS auditor might follow in an audit engagement. The procedure documents provide information on how to meet the standards when completing IS auditing work, but do not set requirements.


The ISACA Code of Professional Ethics requires members of ISACA and holders of the CISA designation to comply with the IS Auditing Standards adopted by ISACA. Apparent failure to comply with these may result in an investigation into the member's or CISA holder's conduct by ISACA or an appropriate ISACA board or committee. Disciplinary action may ensue.

The IS Auditing Standards applicable to IS auditing are:
• S1 Audit Charter:
  - The purpose, responsibility, authority and accountability of the IS audit function or IS audit assignments should be appropriately documented in an audit charter or engagement letter.
  - The audit charter or engagement letter should be agreed and approved at an appropriate level within the organization(s).
• S2 Independence:
  - Professional independence: In all matters related to the audit, the IS auditor should be independent of the auditee in both attitude and appearance.
  - Organizational independence: The IS audit function should be independent of the area or activity being reviewed to permit objective completion of the audit assignment.
• S3 Professional Ethics and Standards:
  - The IS auditor should adhere to the ISACA Code of Professional Ethics.
  - The IS auditor should exercise due professional care, including observance of applicable professional auditing standards.
• S4 Professional Competence:
  - The IS auditor should be professionally competent, having the skills and knowledge to conduct the audit assignment.
  - The IS auditor should maintain professional competence through appropriate continuing professional education and training.
• S5 Planning:
  - The IS auditor should plan the information systems audit coverage to address the audit objectives and comply with applicable laws and professional auditing standards.
  - The IS auditor should develop and document a risk-based audit approach.
  - The IS auditor should develop and document an audit plan detailing the nature and objectives, timing, extent and resources required.
  - The IS auditor should develop an audit program and procedures.
• S6 Performance of Audit Work:
  - Supervision: IS audit staff should be supervised to provide reasonable assurance that audit objectives are accomplished and applicable professional auditing standards are met.
  - Evidence: During the course of the audit, the IS auditor should obtain sufficient, reliable and relevant evidence to achieve the audit objectives. The audit findings and conclusions are to be supported by appropriate analysis and interpretation of this evidence.
  - Documentation: The audit process should be documented, describing the audit work and the audit evidence that supports the IS auditor's findings and conclusions.
• S7 Reporting:
  - The IS auditor should provide a report, in an appropriate form, upon completion of the audit. The report should identify the organization, the intended recipients and any restrictions on circulation.
  - The audit report should state the scope, objectives, period of coverage and the nature, timing and extent of the audit work performed.
  - The report should state the findings, conclusions and recommendations and any reservations, qualifications or limitations in scope that the IS auditor has with respect to the audit.
  - The IS auditor should have sufficient and appropriate audit evidence to support the results reported.
  - When issued, the IS auditor's report should be signed, dated and distributed according to the terms of the audit charter or engagement letter.
• S8 Follow-up Activities:
  - After the reporting of findings and recommendations, the IS auditor should request and evaluate relevant information to conclude whether appropriate action has been taken by management in a timely manner.


• S9 Irregularities and Illegal Acts:
  - In planning and performing the audit to reduce audit risk to a low level, the IS auditor should consider the risk of irregularities and illegal acts.
  - The IS auditor should maintain an attitude of professional skepticism during the audit, recognizing the possibility that material misstatements due to irregularities and illegal acts could exist, irrespective of his/her evaluation of the risk of irregularities and illegal acts.
  - The IS auditor should obtain an understanding of the organization and its environment, including internal controls.
  - The IS auditor should obtain sufficient and appropriate audit evidence to determine whether management or others within the organization have knowledge of any actual, suspected or alleged irregularities and illegal acts.
  - When performing audit procedures to obtain an understanding of the organization and its environment, the IS auditor should consider unusual or unexpected relationships that may indicate a risk of material misstatements due to irregularities and illegal acts.
  - The IS auditor should design and perform procedures to test the appropriateness of internal control and the risk of management overriding controls.
  - When the IS auditor identifies a misstatement, the IS auditor should assess whether such a misstatement may be indicative of an irregularity or illegal act. If there is such an indication, the IS auditor should consider the implications in relation to other aspects of the audit and in particular the representations of management.
  - The IS auditor should obtain written representations from management at least annually or more frequently depending on the audit engagement. It should:
    • Acknowledge its responsibility for the design and implementation of internal controls to prevent and detect irregularities or illegal acts
    • Disclose to the IS auditor the results of the risk assessment that a material misstatement may exist as a result of an irregularity or illegal act
    • Disclose to the IS auditor its knowledge of irregularities or illegal acts affecting the organization in relation to management and employees who have significant roles in internal control
  - The IS auditor should have knowledge of any allegations of irregularities or illegal acts, or suspected irregularities or illegal acts, affecting the organization as communicated by employees, former employees, regulators and others.
  - If the IS auditor has identified a material irregularity or illegal act, or obtains information that a material irregularity or illegal act may exist, the IS auditor should communicate these matters to the appropriate level of management in a timely manner.
  - If the IS auditor has identified a material irregularity or illegal act involving management or employees who have significant roles in internal control, the IS auditor should communicate these matters in a timely manner to those charged with governance.
  - The IS auditor should advise the appropriate level of management and those charged with governance of material weaknesses in the design and implementation of internal control to prevent and detect irregularities and illegal acts that may have come to the IS auditor's attention during the audit.
  - If the IS auditor encounters exceptional circumstances, such as a material misstatement or illegal act, that affect the IS auditor's ability to continue performing the audit, the IS auditor should consider the legal and professional responsibilities applicable in the circumstances, including whether there is a requirement for the IS auditor to report to those who entered into the engagement or, in some cases, those charged with governance or regulatory authorities, or consider withdrawing from the engagement.
  - The IS auditor should document all communications, planning, results, evaluations and conclusions relating to material irregularities and illegal acts that have been reported to management, those charged with governance, regulators and others.
• S10 IT Governance:
  - The IS auditor should review and assess whether the IS function aligns with the organization's mission, vision, values, objectives and strategies.
  - The IS auditor should review whether the IS function has a clear statement about the performance expected by the business (effectiveness and efficiency) and assess its achievement.
  - The IS auditor should review and assess the effectiveness of IS resource and performance management processes.
  - The IS auditor should review and assess compliance with legal, environmental and information quality, and fiduciary and security requirements.
  - A risk-based approach should be used by the IS auditor to evaluate the IS function.
  - The IS auditor should review and assess the control environment of the organization.
  - The IS auditor should review and assess the risks that may adversely affect the IS environment.


• S11 Use of Risk Assessment in Audit Planning:
  - The IS auditor should use an appropriate risk assessment technique or approach in developing the overall IS audit plan and determining priorities for the effective allocation of IS audit resources.
  - When planning individual reviews, the IS auditor should identify and assess risks relevant to the area under review.

1.2.3 ISACA IS AUDITING GUIDELINES

The objective of the ISACA IS Auditing Guidelines is to provide further information on how to comply with the ISACA IS Auditing Standards. The IS auditor should:
• Consider them in determining how to implement the above standards
• Use professional judgment in applying them
• Be able to justify any departure

Index of Guidelines
G1 Using the Work of Other Auditors, effective 1 June 1998
G2 Audit Evidence Requirement, effective 1 December 1998
G3 Use of Computer Assisted Audit Techniques (CAATs), effective 1 December 1998
G4 Outsourcing of IS Activities to Other Organisations, effective 1 September 1999
G5 Audit Charter, effective 1 September 1999
G6 Materiality Concepts for Auditing Information Systems, effective 1 September 1999
G7 Due Professional Care, effective 1 September 1999
G8 Audit Documentation, effective 1 September 1999
G9 Audit Considerations for Irregularities, effective 1 March 2000
G10 Audit Sampling, effective 1 March 2000
G11 Effect of Pervasive IS Controls, effective 1 March 2000
G12 Organizational Relationship and Independence, effective 1 September 2000
G13 Use of Risk Assessment in Audit Planning, effective 1 September 2000
G14 Application Systems Review, effective 1 November 2001
G15 Planning Revised, effective 1 March 2002
G16 Effect of Third Parties on an Organization's IT Controls, effective 1 March 2002
G17 Effect of Nonaudit Role on the IS Auditor's Independence, effective 1 July 2002
G18 IT Governance, effective 1 July 2002
G19 Irregularities and Illegal Acts, effective 1 July 2002
G20 Reporting, effective 1 January 2003
G21 Enterprise Resource Planning (ERP) Systems Review, effective 1 August 2003
G22 Business-to-consumer (B2C) E-commerce Review, effective 1 August 2003
G23 System Development Life Cycle (SDLC) Review, effective 1 August 2003
G24 Internet Banking, effective 1 August 2003
G25 Review of Virtual Private Networks, effective 1 July 2004
G26 Business Process Reengineering (BPR) Project Reviews, effective 1 July 2004
G27 Mobile Computing, effective 1 September 2004
G28 Computer Forensics, effective 1 September 2004
G29 Post-implementation Review, effective 1 January 2005
G30 Competence, effective 1 June 2005
G31 Privacy, effective 1 June 2005
G32 Business Continuity Plan (BCP) Review From IT Perspective, effective 1 September 2005
G33 General Considerations on the Use of the Internet, effective 1 March 2006
G34 Responsibility, Authority and Accountability, effective 1 March 2006
G35 Follow-up Activities, effective 1 March 2006


1.2.4 ISACA IS AUDITING PROCEDURES

Procedures developed by the ISACA Standards Board provide examples of possible processes an IS auditor might follow in an audit engagement. In determining the appropriateness of any specific procedure, IS auditors should apply their own professional judgment to the specific circumstances. The procedure documents provide information on how to meet the standards when performing IS auditing work, but do not set requirements.

It is not mandatory for the IS auditor to follow these procedures; however, following these procedures will provide assurance that the standards are being followed by the auditor.

Index of Procedures
P1 IS Risk Assessment, effective 1 July 2002
P2 Digital Signatures, effective 1 July 2002
P3 Intrusion Detection, effective 1 August 2003
P4 Viruses and Other Malicious Code, effective 1 August 2003
P5 Control Risk Self-assessment, effective 1 August 2003
P6 Firewalls, effective 1 August 2003
P7 Irregularities and Illegal Acts, effective 1 November 2003
P8 Security Assessment-Penetration Testing and Vulnerability Analysis, effective 1 September 2004
P9 Evaluation of Management Controls Over Encryption Methodologies, effective 1 January 2005

1.2.5 RELATIONSHIP AMONG STANDARDS, GUIDELINES AND PROCEDURES

Standards defined by ISACA are to be followed by the IS auditor. Guidelines provide assistance on how the auditor can implement standards in various audit assignments. Procedures provide examples of steps the auditor may follow in a specific audit assignment so as to implement the standards. However, the IS auditor should use professional judgment when using guidelines and procedures.

See appendix B on IS Auditing Standards, Guidelines and Procedures. The complete text of these guidelines and procedures is available at www.isaca.org/standards.

1.3 RISK ANALYSIS

Risk analysis is part of the audit planning and it helps identify risks and vulnerabilities so the auditor can determine the controls needed to mitigate those risks.

In evaluating IT-related business processes applied by an organization, understanding the relationship between risk and control is important for IS audit and control professionals. IS auditors must be able to identify and differentiate risk types and the controls used to mitigate these risks. They must have knowledge of common business risks, related technology risks and relevant controls. They must also be able to evaluate the risk assessment and management techniques used by business managers and to make assessments of risk to help focus and plan audit work. In addition to an understanding of business risk and control, IS auditors must understand that risk exists within the audit process.

There are many definitions of risk, reflecting that risk means different things to different people. In general, a risk is any event that may negatively affect the accomplishment of business objectives. Perhaps one of the most succinct definitions of risk used within the information security business world is provided by the Guidelines for the Management of IT Security published by the International Organization for Standardization (ISO):

The potential that a given threat will exploit vulnerabilities of an asset or group of assets to cause loss or damage to the assets. The impact or relative severity of the risk is proportional to the business value of the loss/damage and to the estimated frequency of the threat.

This definition is used commonly by the IT industry since it puts risk into an organizational context by using the concepts of assets and loss of value, terms that are easily understood by business managers.

In this context then, risk has the following elements:
• Threats to, and vulnerabilities of, processes and/or assets (including both physical and information assets)
• Impact on assets based on threats and vulnerabilities
• Probability of threats (combination of the likelihood and frequency of occurrence)

Business risks are those threats that may negatively impact the assets, processes or objectives of a specific business or organization. The nature of these threats may be financial, regulatory or operational, and may arise as a result of the interaction of the business with its environment or as a result of the strategies, systems and particular technology, processes, procedures and information used by the business. The IS auditor is often focused toward high-risk issues associated with the confidentiality, availability or integrity of sensitive and critical information, and the underlying information systems and processes that generate, store and manipulate such information. In reviewing these types of risks, IS auditors will often assess the effectiveness of the risk management process that an organization uses. The process is characterized as an iterative life cycle that begins with identifying business objectives, information assets, and the underlying systems or information resources that generate/store, use or manipulate the assets (hardware, software, databases, networks, facilities, people, etc.) critical to achieving these objectives. The greatest degree of risk management effort may then be directed toward those considered most sensitive or critical to the organization. Once sensitive and/or critical information assets are identified, a risk assessment is performed to identify risks and determine the probability of occurrence and the resulting impact and additional safeguards that would mitigate this impact to a level acceptable to management.

Next, during the risk mitigation phase, controls are identified for mitigating identified risks. These controls are risk-mitigating countermeasures that should prevent or reduce the likelihood of a risk event occurring, detect the occurrence of a risk event, minimize the impact, or transfer the risk to another organization.

The assessment of countermeasures should be performed through a cost-benefit analysis, where controls to mitigate risks are selected to reduce risks to a level acceptable to management. This analysis process may be based on any of the following:
• The cost of the control compared to the benefit of minimizing the risk
• Management's appetite for risk (i.e., the level of residual risk that management is prepared to accept)
• Preferred risk-reduction methods (e.g., terminate the risk, minimize probability of occurrence, minimize impact, transfer/insurance)

The final phase relates to monitoring performance levels of the risks being managed and identifying any significant changes in the environment that would trigger a risk reassessment, warranting changes to the control environment. The life cycle thus encompasses three processes (risk assessment, risk mitigation and risk reevaluation) in determining whether risks are being mitigated to a level acceptable to management.

Risk analysis serves more than one purpose:
• It assists the auditor in identifying risks and threats to an IT environment and IS systems that would need to be addressed by management and system-specific internal controls. Depending on the level of risk, this assists the auditor in selecting certain areas to examine.
• It helps the auditor in his/her evaluation of controls in audit planning.
• It assists the auditor in determining audit objectives.
• It supports risk-based audit decisions.
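As an added worked example, not from the manual, the risk assessment and risk mitigation phases described above are expressed as a small Python risk register: each risk is scored from the elements of the ISO definition (asset value, estimated threat frequency, probability that the vulnerability is exploited, loss per event), and candidate controls are chosen by comparing each control's annual cost with the expected loss it removes, then checked against an assumed management risk appetite. The product formula, the asset, the threat, the controls and all figures are constructed assumptions for illustration.

```python
# Added illustrative model; the scoring formula and all sample figures are constructed assumptions.
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Asset:
    name: str
    business_value: float      # assumed value of the loss/damage if the asset is fully compromised


@dataclass(frozen=True)
class Threat:
    name: str
    annual_frequency: float    # estimated frequency of the threat (occurrences per year)
    vulnerability: float       # probability (0..1) that an occurrence exploits the asset
    impact_fraction: float     # share (0..1) of the asset's value lost per successful occurrence


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    target: str                # "likelihood" (lowers vulnerability) or "impact" (lowers loss per event)
    reduction: float           # fraction (0..1) by which the targeted element is reduced


def expected_annual_loss(asset: Asset, threat: Threat) -> float:
    """Risk score modelled on the ISO definition quoted in the text: proportional to the business
    value of the loss/damage and to the estimated frequency of the threat, weighted by the
    probability that the threat exploits the vulnerability.  The product form is an assumption."""
    return asset.business_value * threat.impact_fraction * threat.annual_frequency * threat.vulnerability


def apply_control(threat: Threat, control: Control) -> Threat:
    """The threat as it stands once the control is in place."""
    if control.target == "likelihood":
        return replace(threat, vulnerability=threat.vulnerability * (1.0 - control.reduction))
    if control.target == "impact":
        return replace(threat, impact_fraction=threat.impact_fraction * (1.0 - control.reduction))
    raise ValueError(f"unknown control target: {control.target}")


def loss_reduction(asset: Asset, threat: Threat, control: Control) -> float:
    """Annual benefit of a control: the expected loss it removes."""
    return expected_annual_loss(asset, threat) - expected_annual_loss(asset, apply_control(threat, control))


def select_controls(asset, threat, candidates, risk_appetite):
    """Risk mitigation by cost-benefit analysis.
    Pass 1 adds controls whose loss reduction exceeds their cost (positive net benefit), best first.
    Pass 2 runs only if residual risk is still above management's appetite: it keeps adding the
    control that buys the most loss reduction per unit of cost until the residual is acceptable
    or no useful control is left.
    Returns (selected control names, residual expected annual loss, residual within appetite?)."""
    remaining, selected, current = list(candidates), [], threat
    while True:                                                   # pass 1: positive net benefit
        scored = [(loss_reduction(asset, current, c) - c.annual_cost, c) for c in remaining]
        scored = [(net, c) for net, c in scored if net > 0]
        if not scored:
            break
        _, best = max(scored, key=lambda nc: nc[0])
        selected.append(best.name)
        remaining.remove(best)
        current = apply_control(current, best)
    while expected_annual_loss(asset, current) > risk_appetite and remaining:   # pass 2: reach appetite
        scored = [(c.annual_cost / loss_reduction(asset, current, c), c)
                  for c in remaining if loss_reduction(asset, current, c) > 0]
        if not scored:
            break
        _, best = min(scored, key=lambda rc: rc[0])
        selected.append(best.name)
        remaining.remove(best)
        current = apply_control(current, best)
    residual = expected_annual_loss(asset, current)
    return selected, residual, residual <= risk_appetite


# Constructed sample register for one asset/threat pair (control classes follow exhibit 1.1).
CUSTOMER_DB = Asset("customer database", business_value=500_000.0)
UNAUTHORIZED_ACCESS = Threat("unauthorized access to customer data",
                             annual_frequency=2.0, vulnerability=0.25, impact_fraction=0.4)
CANDIDATE_CONTROLS = [
    Control("access control software (preventive)", 15_000.0, "likelihood", 0.8),
    Control("encryption of stored data (preventive)", 30_000.0, "impact", 0.5),
    Control("daily backup procedures (corrective)", 20_000.0, "impact", 0.1),
    Control("review of activity logs (detective)", 10_000.0, "impact", 0.3),
]
RISK_APPETITE = 10_000.0       # assumed residual expected annual loss management will accept


def demo():
    """Run the constructed register through both passes and return the mitigation decision."""
    return select_controls(CUSTOMER_DB, UNAUTHORIZED_ACCESS, CANDIDATE_CONTROLS, RISK_APPETITE)


if __name__ == "__main__":
    inherent = expected_annual_loss(CUSTOMER_DB, UNAUTHORIZED_ACCESS)
    chosen, residual, acceptable = demo()
    print(f"inherent expected annual loss: {inherent:,.0f}")
    for name in chosen:
        print(f"  select: {name}")
    print(f"residual: {residual:,.0f}  within appetite: {acceptable}")
```

With the constructed figures, pass 1 selects only the access control software (the sole control whose benefit exceeds its cost), and pass 2 adds log review and then encryption before the residual falls within the appetite, while the backup control is never justified for this risk.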


1.4 INTERNAL CONTROLS

Policies, procedures, practices and organizational structures implemented to reduce risks are referred to as internal controls.

Internal controls are developed to provide reasonable assurance to management that the organization's business objectives will be achieved and risk events will be prevented, or detected and corrected. These controls are implemented by defining control objectives for identified risks and control activities (procedures) that will achieve control objectives. Internal control activities and supporting processes are either manual or driven by automated computer information resources. They operate at all levels within an organization to mitigate its exposures to risks that potentially could prevent it from achieving its business objectives. The board of directors and senior management are responsible for establishing the appropriate culture to facilitate an effective and efficient internal control system and for continuously monitoring the effectiveness of the internal control system, though each individual within an organization must take part in this process.

There are two key aspects that control should address: what should be achieved and what should be avoided. Not only do internal controls address business/operational objectives, but they should address undesired events through the prevention, detection and correction of undesired events.

Elements of controls that should be considered when evaluating control strength are classified as preventive, detective or corrective in nature.

Exhibit 1.1 displays control categories, functions and usages.

Exhibit 1.1: Control Classifications

Class: Preventive
Function:
• Detect problems before they arise.
• Monitor both operation and inputs.
• Attempt to predict potential problems before they occur and make adjustments.
• Prevent an error, omission or malicious act from occurring.
Examples:
• Employ only qualified personnel.
• Segregate duties (deterrent factor).
• Control access to physical facilities.
• Use well-designed documents (prevent errors).
• Establish suitable procedures for authorization of transactions.
• Complete programmed edit checks.
• Use access control software that allows only authorized personnel to access sensitive files.
• Use encryption software to prevent unauthorized disclosure of data.

Class: Detective
Function:
• Use controls that detect and report the occurrence of an error, omission or malicious act.
Examples:
• Hash totals
• Check points in production jobs
• Echo controls in telecommunications
• Error messages over tape labels
• Duplicate checking of calculations
• Periodic performance reporting with variances
• Past-due account reports
• Internal audit functions
• Review of activity logs to detect unauthorized access attempts

Class: Corrective
Function:
• Minimize the impact of a threat.
• Remedy problems discovered by detective controls.
• Identify the cause of a problem.
• Correct errors arising from a problem.
• Modify the processing system(s) to minimize future occurrences of the problem.
Examples:
• Contingency planning
• Backup procedures
• Rerun procedures


1.4.1 INTERNAL CONTROL OBJECTIVES

Internal control objectives are statements of the desired result or purpose to be achieved by implementing control activities (procedures). They generally include the following:
• Internal accounting controls - Primarily directed at accounting operations, such as the safeguarding of assets and the reliability of financial records
• Operational controls - Directed at the day-to-day operations, functions and activities to ensure that the operation is meeting the business objectives
• Administrative controls - Concerned with operational efficiency in a functional area and adherence to management policies including operational controls. These can be described as supporting the operational controls specifically concerned with operating efficiency and adherence to organizational policy.

These types of controls include those controls related to the technology environment. Control objectives include:
• Safeguarding of IT assets
• Compliance to corporate policies or legal requirements
• Input
• Authorization
• Accuracy and completeness of processing of data input/transactions
• Output
• Reliability of process
• Backup/recovery
• Efficiency and economy of operations
• Change management process for IT and related systems

1.4.2 IS CONTROL OBJECTIVES

Internal control objectives apply to all areas, whether manual or automated. Therefore, conceptually, control objectives in an IS environment remain unchanged from those of a manual environment. However, control features may be different. Thus, internal control objectives need to be addressed in a manner specific to IS-related processes.

IS control objectives include:
• Safeguarding assets. Information on automated systems is secure from improper access and kept up to date.
• Assuring the integrity of general operating system (OS) environments, including network management and operations
• Assuring the integrity of sensitive and critical application system environments, including accounting/financial and management information (information objectives), through:
  - Authorization of the input. Each transaction is authorized and entered only once.
  - Accuracy and completeness of processing of transactions. All transactions are recorded and entered into the computer for the proper period.
  - Reliability of overall information processing activities
  - Accuracy, completeness and security of the output
  - Database integrity and availability
• Ensuring the efficiency and effectiveness of operations (operational objectives)
• Complying with the users' requirements, organizational policies and procedures, and applicable laws and regulations (compliance objectives)
• Developing business continuity and disaster recovery plans
• Developing an incident response and handling plan
• Change management

Working through ISACA, ITGI publishes an IT governance and control framework incorporating good IT management practices, Control Objectives for Information and related Technology (COBIT). COBIT is the leading framework for governance, control and assurance for information and related technology.


1.4.3 COBIT

COBIT is a framework with a set of 34 IT processes grouped into four domains: Plan and Organize, Acquire and Implement, Deliver and Support, and Monitor and Evaluate. By addressing these 34 IT processes, organizations can ensure that adequate governance and control arrangements are provided for their IT environment. Supporting these IT processes are more than 200 detailed control objectives necessary for effective implementation. COBIT uses, as primary references, current major framework standards and regulations relating to IT. COBIT is directed to the management and staff of information services, control departments, audit functions and, most importantly, the business process owners using IT processes to assure confidentiality, integrity and availability of sensitive and critical information. ITGI has also published the IT Governance Implementation Guide, to facilitate enterprises in implementing IT governance using the COBIT framework. COBIT Quickstart provides essentials of COBIT for small and medium enterprises. COBIT Online provides all the components of COBIT on the Internet for users to adapt and customize COBIT components as per their specific requirements. The recently published online COBIT Foundation Course and exam is an e-learning solution applicable to IT auditors, IT managers, IT quality professionals, IT leadership, IT developers, process practitioners and managers in IT service providing firms. They can be used to understand COBIT at a foundation level and help in the application of COBIT in practice.

Note: A CISA candidate will not be asked to identify specifically the COBIT process, the COBIT domains or the set of IT processes defined in each. However, candidates should know what frameworks are, what they do and why they are used by enterprises. Knowledge of the existence, structure and key principles of major standards and frameworks related to IT governance, assurance and security will also be advantageous. COBIT can be used as a supplemental study material in understanding control objectives and principles as detailed in this review material. Please refer to appendix A for references between the CISA certification areas and the COBIT framework.

1.4.4 GENERAL CONTROL PROCEDURES

Controls include policies, procedures and practices (tasks and activities) that are established by management to provide reasonable assurance that specific objectives will be achieved.

General controls apply to all areas of the organization. These include policies and practices established by management to provide reasonable assurances that specific objectives will be achieved. The control procedures include:
• Internal accounting controls that are primarily directed at accounting operations. They concern the safeguarding of the assets and the reliability of financial records.
• Operational controls that are concerned with the day-to-day operations, functions and activities, and ensure the operation is meeting the business objectives
• Administrative controls that are concerned with operational efficiency in a functional area and adherence to management policies. Administrative controls support the operational controls specifically concerned with operating efficiency and adherence to organizational policies.
• Organizational security policies and procedures to ensure proper usage of information and technology assets
• Overall policies for the design and use of adequate documents and records (manual/automated) to help ensure proper recording of transactions (transactional audit trail)
• Procedures and features to ensure adequate safeguards over access to and use of assets and facilities
• Physical and logical security policies for all data centers and IT resources (e.g., servers and telecom infrastructure)

1.4.5 IS CONTROL PROCEDURES

Each general control procedure can be translated into an IS-specific control procedure. A well-designed information system should have controls built in for all its sensitive or critical functions. For example, the general procedure to ensure adequate safeguards over access to assets and facilities can be translated into an IS-related set of control procedures, covering access safeguards over computer programs, data and computer equipment. The IS auditor should understand the basic control objectives that exist for all functions.

IS control procedures include:
• Strategy and direction
• General organization and management
• Access to data and programs
• Systems development methodologies and change control
• Data processing operations
• Systems programming and technical support functions
• Data processing quality assurance procedures
• Physical access controls
• Business continuity/disaster recovery planning
• Networks and communications
• Database administration

The IS auditor should understand IS control procedure concepts and how to apply them in planning an audit.

1.5 PERFORMING AN IS AUDIT

Auditing can be defined as a systematic process by which a competent, independent person objectively obtains and evaluates evidence regarding assertions about an economic entity or event for the purpose of forming an opinion about and reporting on the degree to which the assertion conforms to an identified set of standards.

IS audit can be defined as any audit that encompasses review and evaluation (wholly or partly) of automated information processing systems, related nonautomated processes and the interfaces between them.

To perform such a process, several steps are required. Adequate planning is a necessary first step in performing effective IS audits. To effectively use IS audit resources, audit organizations must assess the overall risks for the general and application area being audited and then develop an audit program that consists of objectives and audit procedures to satisfy the audit objectives. The audit process requires the IS auditor to gather evidence, evaluate the strengths and weaknesses of controls based upon the evidence gathered, and prepare an audit report that presents those issues in an objective manner to management.

Audit management must ensure the availability of adequate audit resources and a schedule for performing the audits and for follow-up reviews on the status of corrective actions taken by management. Auditing should include audit scope, audit objectives, criteria, audit procedures, evidence, conclusions and opinions, and reporting.

1.5.1 CLASSIFICATION OF AUDITS

The IS auditor should understand the various types of audits that can be performed, internally or externally, and the audit procedures associated with each:
• Financial audits - The purpose of a financial audit is to assess the correctness of an organization's financial statements. A financial audit will often involve detailed, substantive testing. This kind of audit relates to information integrity and reliability.
• Operational audits - An operational audit is designed to evaluate the internal control structure in a given process or area. IS audits of application controls or logical security systems are examples of operational audits.
• Integrated audits - An integrated audit combines financial and operational audit steps. It is also performed to assess the overall objectives within an organization, related to financial information and assets' safeguarding, efficiency and compliance. An integrated audit can be performed by external or internal auditors and would include compliance tests of internal controls and substantive audit steps.
• Administrative audits - These are oriented to assess issues related to the efficiency of operational productivity within an organization.
• IS audits - This process collects and evaluates evidence to determine whether the information systems and related resources adequately safeguard assets, maintain data and system integrity, provide relevant and reliable information, achieve organizational goals effectively, consume resources efficiently, and have in effect internal controls that provide reasonable assurance that business, operational and control objectives will be met and that undesired events will be prevented, or detected and corrected, in a timely manner.
• Specialized audits - Within the category of IS audits, there are a number of specialized reviews that examine areas such as services performed by third parties and forensic auditing. Because businesses are becoming increasingly reliant on third-party service providers, it is important that internal controls be evaluated in these environments. The Statement on Auditing Standards (SAS) 70, titled "Reports on the Processing of Transactions by Service Organizations," is a widely known auditing standard developed by the American Institute of Certified Public Accountants (AICPA). SAS 70 defines the professional standards used by a service auditor to assess the internal controls of a service organization. Many other countries have their own equivalent of this standard. A SAS 70-type audit is important because it represents that a service organization has been through an in-depth audit of their control activities, which generally include controls over information technology and related processes. SAS 70-type reviews provide guidance to enable an independent auditor (service auditor) to issue an opinion on a service organization's description of controls through a service auditor's report.
• Forensic audits - Traditionally, forensic auditing has been defined as an audit specialized in discovering, disclosing and following up on frauds and crimes. The primary purpose of such a review is the development of evidence for review by law enforcement and judicial authorities. In recent years, the forensic professional has been called upon to participate in investigations related to corporate fraud and cybercrime. In cases where computer resources may have been misused, further investigation is necessary to gather evidence for possible criminal activity that can then be reported to appropriate authorities. A computer forensic investigation includes the analysis of electronic devices, such as computers, phones, personal digital assistants (PDAs), disks, switches, routers, hubs and other electronic equipment. An IS auditor possessing the necessary skills can assist the information security manager in performing forensic investigations and conduct the audit of the systems to ensure compliance with the evidence collection procedures for forensic investigation. Electronic evidence is vulnerable to changes. Therefore, it is necessary to handle it with utmost care. Chain-of-custody for evidence should be established to meet legal requirements.

Improperly handled computer evidence is subject to being ruled inadmissible by judicial authorities. The most important consideration for a forensic auditor is to make a bit-stream image of the target drive and examine that image without altering date stamps or other information attributable to the examined files. Further, forensic audit tools and techniques, such as data mapping for security and privacy risk assessment and the search for intellectual property for data protection, are also being used for prevention, compliance and assurance.
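As an added example, not from the manual, the evidence-handling points above (image the target, examine only a copy, preserve the original unaltered, maintain a chain of custody) are implemented as a small Python routine: it hashes a constructed "drive image" at acquisition, records every hand-over with the hash the receiving handler observed, verifies a working copy before and after examination, and checks that the custody chain is unbroken. The image bytes, handler names and timestamps are constructed for illustration.

```python
# Added illustrative routine; image bytes, handler names and timestamps are constructed.
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Callable, List


@dataclass
class CustodyEntry:
    when: datetime
    handler: str
    action: str            # what happened to the evidence at this point
    sha256: str            # hash of the evidence as observed by the handler at that moment


@dataclass
class EvidenceItem:
    label: str
    original_sha256: str   # hash taken at acquisition: the reference for every later check
    custody: List[CustodyEntry] = field(default_factory=list)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(bytes(data)).hexdigest()


def acquire_image(label: str, image: bytes, handler: str, when: datetime) -> EvidenceItem:
    """Record the bit-stream image at acquisition and open its chain of custody."""
    digest = sha256_hex(image)
    item = EvidenceItem(label, digest)
    item.custody.append(CustodyEntry(when, handler, "acquired", digest))
    return item


def transfer(item: EvidenceItem, image: bytes, from_handler: str, to_handler: str, when: datetime) -> bool:
    """Log a hand-over; the receiving handler re-hashes the image so any change in transit is visible.
    Returns True only if the image still matches its acquisition hash."""
    digest = sha256_hex(image)
    item.custody.append(CustodyEntry(when, to_handler, f"received from {from_handler}", digest))
    return digest == item.original_sha256


def examine(item: EvidenceItem, working_copy: bytes, handler: str, when: datetime,
            analysis: Callable[[bytes], object]):
    """Run the analysis on a working copy only, and hash the copy before and after so that an
    alteration during examination is detected and recorded instead of silently accepted."""
    before = sha256_hex(working_copy)
    result = analysis(bytes(working_copy))          # the analysis gets an immutable copy
    after = sha256_hex(working_copy)
    intact = before == after == item.original_sha256
    action = "examined" if intact else "examined (integrity failure)"
    item.custody.append(CustodyEntry(when, handler, action, after))
    return result, intact


def chain_is_unbroken(item: EvidenceItem) -> bool:
    """The chain holds if it starts with acquisition, entries are in time order and every
    handler observed the acquisition hash."""
    entries = item.custody
    if not entries or entries[0].action != "acquired":
        return False
    in_order = all(a.when <= b.when for a, b in zip(entries, entries[1:]))
    same_hash = all(e.sha256 == item.original_sha256 for e in entries)
    return in_order and same_hash


# Constructed "drive image": a byte string standing in for a bit-stream copy of a small disk.
IMAGE = b"CONSTRUCTED-IMAGE|/home/clerk/invoice_2007.txt|total due 1,200|/tmp/invoice_draft.tmp|END"
T0 = datetime(2007, 3, 1, 9, 0, tzinfo=timezone.utc)


def demo_clean_handling():
    """Image acquired, handed to an examiner, examined on a copy: the chain stays intact."""
    item = acquire_image("drive-01", IMAGE, "IS auditor A", T0)
    handed_over_ok = transfer(item, IMAGE, "IS auditor A", "forensic examiner B", T0.replace(hour=10))
    hits, intact = examine(item, bytearray(IMAGE), "forensic examiner B", T0.replace(hour=11),
                           lambda img: img.count(b"invoice"))
    return handed_over_ok, hits, intact, chain_is_unbroken(item)


def demo_altered_in_transit():
    """One flipped bit between acquisition and hand-over breaks the chain."""
    item = acquire_image("drive-02", IMAGE, "IS auditor A", T0)
    altered = bytearray(IMAGE)
    altered[0] ^= 0x01
    handed_over_ok = transfer(item, altered, "IS auditor A", "forensic examiner B", T0.replace(hour=10))
    return handed_over_ok, chain_is_unbroken(item)


if __name__ == "__main__":
    print("clean handling:", demo_clean_handling())
    print("altered in transit:", demo_altered_in_transit())
```

The custody log is what the auditor would produce as evidence that the examination never touched the original image; a single mismatching hash anywhere in the chain is enough to mark the item as questionable.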

1.5.2 AUDIT PROGRAMS

Audit programs for financial, operational, integrated, administrative and IS audits are based on the scope and objective of the particular assignment. IS auditors often evaluate IT functions and systems from different perspectives, such as security (confidentiality, integrity and availability), quality (effectiveness, efficiency), fiduciary (compliance, reliability), service and capacity. It is important to underscore that the audit work program is the audit strategy and plan; it identifies scope, audit objectives and audit procedures to obtain sufficient, competent evidence to draw and support audit conclusions and opinions.

General audit procedures are the basic steps in the performance of an audit and usually include:
• Obtaining and recording an understanding of the audit area/subject
• A risk assessment and general audit plan and schedule
• Detailed audit planning
• Preliminary review of the audit area/subject
• Evaluating the audit area/subject
• Verifying the design of controls
• Compliance testing (often referred to as tests of implementation of controls)
• Substantive testing (test of operative effectiveness of controls)
• Reporting (communicating results)
• Follow-up

The IS auditor must understand the procedures for testing and evaluating IS controls. These procedures could include:
• The use of generalized audit software to survey the contents of data files (including system logs)
• The use of specialized software to assess the contents of operating system parameter files (or detect deficiencies in system parameter settings)
• Flow-charting techniques for documenting automated applications and business processes
• The use of audit logs/reports available in operation/application systems
• Documentation review
• Observation

The IS auditor should have a sufficient understanding of these procedures to allow for the planning of appropriate audit tests.

1.5.3 AUDIT METHODOLOGY

An audit methodology is a set of documented audit procedures designed to achieve planned audit objectives. Its components are a statement of scope, a statement of audit objectives and a statement of work programs.

The audit methodology should be set up and approved by audit management to achieve consistency in the audit approach. This methodology should be formalized and communicated to all audit staff.

Exhibit 1.2 lists the phases of a typical audit. An early and critical product of the audit process should be an audit program that is the guide for performing and documenting all the following audit steps and the extent and types of evidential matter reviewed. Although an audit program does not necessarily follow a specific set of steps, the IS auditor typically would follow sequential program steps to gain an understanding of the entity under audit, evaluate the control structure and test the controls.

Exhibit 1.2: Audit Phases

Audit subject
• Identify the area to be audited.

Audit objective
• Identify the purpose of the audit. For example, an objective might be to determine whether program source code changes occur in a well-defined and controlled environment.

Audit scope
• Identify the specific systems, function or unit of the organization to be included in the review. For example, in the previous program changes example, the scope statement might limit the review to a single application system or to a limited period of time.

Preaudit planning
• Identify technical skills and resources needed.
• Identify the sources of information for test or review such as functional flow charts, policies, standards, procedures and prior audit workpapers.
• Identify locations or facilities to be audited.

Audit procedures and steps for data gathering
• Identify and select the audit approach to verify and test the controls.
• Identify a list of individuals to interview.
• Identify and obtain departmental policies, standards and guidelines for review.
• Develop audit tools and methodology to test and verify control.

Procedures for evaluating the test or review results
• Organization-specific

Procedures for communication with management
• Organization-specific

Audit report preparation
• Identify follow-up review procedures.
• Identify procedures to evaluate/test operational efficiency and effectiveness.
• Identify procedures to test controls.
• Review and evaluate the soundness of documents, policies and procedures.

Any and all audit plans, programs, activities, tests, findings and incidents shall be properly documented in workpapers.

Their format and media are optional, but due diligence and best practices require that workpapers are dated, initialized, page-numbered, relevant, complete, clear, self-contained and properly labeled, filed and kept in custody. Workpapers do not necessarily have to be on paper, in hard copy. IS auditors should particularly consider how to maintain audit test evidence to preserve its proof value in support of audit results.

ISACA IS Auditing Standards and Guidelines set forth many specifications about workpapers, including how to use those of other (previous or contractors) auditors, the need to document the audit plan, program and evidence, or the use of CAATs or sampling.

Workpapers can be considered the bridge or interface between the audit objectives and the final report. They should provide a seamless transition, with traceability and chargeability, from objectives to report and from report to objectives. The audit report, in this context, can be viewed as a particular workpaper.

IS auditors are a scarce and expensive resource. Any technology capable of increasing the audit productivity is welcome. Automating workpapers affects productivity directly and indirectly (granting access to other auditors, reusing documents or parts of them in recurring audits, etc.).

The quest for integrating workpapers in the auditor's e-environment has resulted in all major audit and project management packages, CAATs and expert systems offering a complete array of automated documentation and import-export features.

1.5.4 FRAUD DETECTION

The use of information technology for business has immensely benefited enterprises in terms of significantly increased quality of delivery of information. However, the widespread use of information technology and the Internet suffers from risks that enable the easy perpetration of errors and frauds.

Management is primarily responsible for establishing, implementing and maintaining a framework and design of IT controls to meet the internal control objectives. A well-designed internal control system provides good opportunities for deterring fraud in the first instance and enables timely detection of frauds. Internal controls may fail where they are circumvented by exploiting vulnerabilities, where management weakens or overrides controls for undue advantage, or through collusion between people.

Legislation and regulations relating to corporate governance cast significant responsibilities on management, auditors and the audit committee regarding detection and disclosure of any frauds, whether material or not.

The IS auditor should observe and exercise due professional care (ISACA IS Auditing Standard S3) in all aspects of their work. IS auditors entrusted with assurance functions should ensure reasonable care while performing their work and be alert to the possible opportunities that allow a fraud to materialize.

While it should be understood that the presence of internal controls does not altogether eliminate fraud, IS auditors should be aware and diligent with regard to the possibility and means of perpetrating frauds, especially by exploiting the vulnerabilities and overriding controls in the IT-enabled environment. IS auditors should have knowledge of frauds and fraud indicators and, during performance of audit work, be alert to the possibility of frauds and errors.

Besides instituting and maintaining a system of internal controls, management looks to IS auditors for assurance on the state of internal controls, on their ability to deter and detect frauds, and for recommendations for improvement in internal controls.

Where, during the course of regular assurance work, the IS auditor comes across any instance of fraud or indicators of fraud, the IS auditor may, after careful evaluation, communicate the need for a detailed investigation to appropriate authorities. In case of the auditor identifying a major fraud or where the risk associated with the detection is high, audit management should also consider communicating to the audit committee in a timely manner.

1.5.5 AUDIT RISK AND MATERIALITY

More and more organizations are moving to a risk-based audit approach that is usually adapted to develop and improve the continuous audit process. This approach is used to assess risk and to assist with an IS auditor's decision to do either compliance testing or substantive testing. It is important to stress that the risk-based audit approach assists the auditor in determining the nature and extent of testing, besides helping make the decision to complete a compliance or a substantive test.

Within this concept, inherent risk, control risk or detection risk should not be of major concern, despite some weaknesses. In a risk-based audit approach, IS auditors are not just relying on risk; they also are relying on internal and operational controls as well as knowledge of the company or the business. This type of risk assessment decision can help relate the cost-benefit analysis of the control to the known risk, allowing practical choices.

Business risks include concerns about the probable effects of an uncertain event on achieving established business objectives. The nature of these risks may be financial, regulatory or operational, and may also include risks derived from specific technology. For example, an airline company is subject to extensive safety regulations and economic changes, both of which impact the continuing operations of the company. In this context, the availability of IT service and its reliability is critical.

By understanding the nature of the business, IS auditors can identify and categorize the types of risks that will better determine the risk model or approach in conducting the audit. The risk model assessment can be as simple as creating weights for the types of risks associated with the business and identifying the risks in an equation. On the other hand, risk assessment can be a scheme where risks have been given elaborate weights based on the nature of the business or the significance of the risk. A simplistic overview of a risk-based audit approach can be seen in exhibit 1.3.

Audit risk can be defined as the risk that the information/financial report may contain material error that may go undetected during the course of the audit.

Audit risk can be categorized as:
• Inherent risk-The risk that an error exists that could be material or significant when combined with other errors encountered during the audit, assuming that there are no related compensating controls. Inherent risk can also be categorized as the susceptibility to a material misstatement in the absence of related controls. For example, complex calculations are more likely to be misstated than simple ones and cash is more likely to be stolen than an inventory of coal. Inherent risks exist independent of an audit and can occur because of the nature of the business.

• Control risk-The risk that a material error exists that will not be prevented or detected in a timely manner by the internal controls system. For example, the control risk associated with manual reviews of computer logs can be high because activities requiring investigation are often easily missed, owing to the volume of logged information. The control risk associated with computerized data validation procedures is ordinarily low if the processes are consistently applied.

• Detection risk-The risk that an IS auditor uses an inadequate test procedure and concludes that material errors do not exist when, in fact, they do. Detection of an error would not be determined during the risk assessment phase of an audit. However, identifying detection risk would better evaluate and assess the auditor's ability to test, identify and recommend the correction of material errors as the result of a test.

• Overall audit risk-The combination of the individual categories of audit risks assessed for each specific control objective. An objective in formulating the audit approach is to limit the audit risk in the area under scrutiny so the overall audit risk is at a sufficiently low level at the completion of the examination. Another objective is to assess and control those risks to achieve the desired level of assurance as efficiently as possible.


Exhibit 1.3 (risk-based audit approach; the flowchart is rendered here as a sequence of steps):

1. Gather Information and Plan
- Knowledge of business and industry
- Prior year's audit results
- Recent financial information
- Regulatory statutes
- Inherent risk assessments

2. Obtain Understanding of Internal Control
- Control environment
- Control procedures
- Detection risk assessment
- Control risk assessment
- Equate total risk

3. Perform Compliance Tests
- Identify key controls to be tested.
- Perform tests on reliability, risk prevention and adherence to organization policies and procedures.

4. Perform Substantive Tests
- Analytical procedures
- Detailed tests of account balances
- Other substantive audit procedures

5. Conclude the Audit
- Create recommendations.
- Write audit report.

Audit risk is also used sometimes to describe the level of risk that the IS auditor is prepared to accept during an audit engagement. The auditor may set a target level of risk and adjust the amount of detailed audit work to minimize the overall audit risk.

Note: Audit risk should not be confused with statistical sampling risk, which is the risk that incorrect assumptions are made about the characteristics of a population from which a sample is selected.

The word "material," associated with any of these components of risks, refers to an error that should be considered significant to any party concerned with the item in question. Materiality considerations combined with an understanding of audit risk are essential concepts for planning areas to be audited as well as the specific tests to be performed in a given audit. The assessment of what is material is a matter of professional judgment and includes consideration of the effect on the organization as a whole and errors, omissions, irregularities and illegal acts that may arise as a result of control weaknesses in the area being audited.

Specifically, this means that an internal control weakness or set of combined internal control weaknesses leaves the organization highly susceptible to a threat occurring (e.g., financial loss, business interruption, loss of customer trust, economic sanction, etc.). The IS auditor should be concerned with assessing the materiality of the items in question through a risk-based audit approach to evaluating internal controls.

The IS auditor should have a good understanding of these audit risks when planning an audit. An audit sample may not detect every potential error in a population. However, by using proper statistical sampling procedures or a strong quality control process, the probability of detection risk could be minimized.

Similarly, when evaluating internal controls, the IS auditor should realize that a given system may not detect a minor error. However, that specific error, combined with others, could become material to the overall system.

The concept of materiality requires sound judgment from the IS auditor. The IS auditor may detect a small error that could be considered significant at an operational level, but may not be viewed as significant to upper management. Materiality considerations combined with an understanding of audit risk are essential concepts for planning the areas to be audited and the specific tests to be performed in a given audit.

Materiality can be more difficult for the IS auditor. For example, a logical security parameter setting that allows a programmer to access, without authorization, the source code for all programs might be a material error. Conversely, access rights to only a few more insignificant programs might not be considered material to the IS auditor. Materiality is considered in terms of the total potential impact to the organization.

1.5.6 RISK ASSESSMENT TECHNIQUES

When determining which functional areas should be audited, the IS auditor could face a large variety of audit subjects. Each of these may represent different types of audit risks. The IS auditor should evaluate these various risk candidates to determine the high-risk areas that should be audited.

There are many risk assessment methodologies, computerized and noncomputerized, available from which the IS auditor may choose. These range from simple classifications of high, medium and low, based on the IS auditor's judgment, to complex and apparently scientific calculations to provide a numeric risk rating.

One such risk assessment approach is a scoring system that is useful in prioritizing audits based on an evaluation of risk factors. It considers variables such as technical complexity, level of control procedures in place and level of financial loss. These variables may or may not be weighted. The risk values are then compared to each other and audits are scheduled accordingly. Another form of risk assessment is judgmental, where an independent decision is made based upon business knowledge, executive management directives, historical perspectives, business goals and environmental factors. A combination of techniques may be used as well. Risk assessment methods may change and develop over time to best serve the needs of the organization. The IS auditor should consider the level of complexity and detail appropriate for the organization being audited.

Using risk assessment to determine areas to be audited:
• Enables management to effectively allocate limited audit resources
• Ensures that relevant information has been obtained from all levels of management, including boards of directors, IS auditors and functional area management. Generally, this information assists management in effectively discharging their responsibilities and ensures that the audit activities are directed to high business risk areas, which will add value for management.
• Establishes a basis for effectively managing the audit department
• Provides a summary of how the individual audit subject is related to the overall organization as well as to the business plans
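As an added illustration of the scoring approach described in this section (example code written for this page, not from the manual or ISACA): it rates each audit subject on the three variables the text names, compares the unweighted and weighted rankings, and maps scores to the simple high/medium/low classes. The audit subjects, their 1-to-5 ratings, the weights and the class thresholds are constructed assumptions.

```python
"""Weighted risk scoring to prioritize audit subjects (added example)."""
from dataclasses import dataclass

SCALE_MAX = 5  # every variable is rated 1 (low) .. 5 (high)


@dataclass(frozen=True)
class AuditSubject:
    name: str
    technical_complexity: int  # 1 = simple, 5 = highly complex
    control_level: int         # 1 = few controls in place, 5 = strong controls
    financial_loss: int        # 1 = negligible exposure, 5 = severe exposure


def risk_score(subject, weights=None):
    """Return the (optionally weighted) risk score of one subject on the 1..5 scale.

    Stronger controls REDUCE risk, so the control rating is inverted before it
    contributes; the other two variables add to risk directly.
    """
    if weights is None:  # the text's unweighted case: every variable counts equally
        weights = {"technical_complexity": 1, "control_level": 1, "financial_loss": 1}
    factors = {
        "technical_complexity": subject.technical_complexity,
        "control_level": SCALE_MAX + 1 - subject.control_level,  # 5 -> 1, 1 -> 5
        "financial_loss": subject.financial_loss,
    }
    if any(not 1 <= v <= SCALE_MAX for v in factors.values()):
        raise ValueError("ratings must lie on the 1..%d scale" % SCALE_MAX)
    total_weight = sum(weights.values())
    if total_weight <= 0:
        raise ValueError("weights must sum to a positive number")
    return sum(weights[k] * v for k, v in factors.items()) / total_weight


def classify(score):
    """Map a score to the high/medium/low classes; thresholds are an assumption."""
    if score >= 4.0:
        return "high"
    if score >= 2.5:
        return "medium"
    return "low"


def rank_subjects(subjects, weights=None):
    """Return (name, score, class) tuples, highest risk first (ties broken by name)."""
    scored = [(s.name, round(risk_score(s, weights), 2)) for s in subjects]
    scored.sort(key=lambda t: (-t[1], t[0]))
    return [(name, score, classify(score)) for name, score in scored]


# Constructed sample data, not a real audit universe.
SUBJECTS = [
    AuditSubject("Payroll application", technical_complexity=3, control_level=4, financial_loss=5),
    AuditSubject("Legacy batch interface", technical_complexity=5, control_level=2, financial_loss=2),
    AuditSubject("Intranet news site", technical_complexity=1, control_level=3, financial_loss=1),
    AuditSubject("Treasury payments gateway", technical_complexity=4, control_level=2, financial_loss=5),
]

# Assumed management preference: financial exposure counts twice as much.
LOSS_HEAVY_WEIGHTS = {"technical_complexity": 1, "control_level": 1, "financial_loss": 2}

if __name__ == "__main__":
    print("Unweighted ranking:")
    for row in rank_subjects(SUBJECTS):
        print("  ", row)
    print("Weighted toward financial loss:")
    for row in rank_subjects(SUBJECTS, LOSS_HEAVY_WEIGHTS):
        print("  ", row)
```

Weighting changes the schedule: the payroll application overtakes the legacy interface once financial loss counts double, which is why the text says the choice of weights should fit the organization.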

1.5.7 AUDIT OBJECTIVES

A control objective refers to how an internal control should function, while an audit objective refers to the specific goals of the audit. An audit may incorporate several audit objectives.

Audit objectives often focus on substantiating that internal controls exist to minimize business risks. These audit objectives include assuring compliance with legal and regulatory requirements as well as the confidentiality, integrity, reliability and availability of information and IT resources. Management may give the IS auditor a general control objective to review and evaluate when performing an audit.


A key element in planning an IS audit is to translate basic audit objectives into specific IS audit objectives. For example, in a financial/operational audit, an internal control objective could be to ensure that transactions are properly posted to the general ledger accounts. However, in the IS audit, the objective could be extended to ensure that editing features are in place to detect errors in the coding of transactions that may impact the account-posting activities.

The IS auditor must have an understanding of how general audit objectives can be translated into specific information systems control objectives. Determining an audit's objectives is a critical step in planning an IS audit.

One of the basic purposes of any IS audit is to identify control objectives and the related controls that address the objective.

For example, the IS auditor's initial review of an information system should identify key controls. The IS auditor should then decide whether to test these controls for compliance. The IS auditor should identify both key general and application controls after developing an understanding and documenting the business processes and the applications/functions that support these processes and general support systems. Based upon that understanding, the IS auditor should identify the key control points.

Alternatively, an IS auditor may assist in assessing the integrity of financial reporting data, which is referred to as substantive testing, through computer-assisted audit techniques.

1.5.8 COMPLIANCE VS. SUBSTANTIVE TESTING

The identification of key control points through compliance tests of those controls will allow the IS auditor to develop a preliminary understanding to determine if they are working as expected. The results of these compliance tests will allow the IS auditor to design more extensive compliance or substantive tests.

There is a difference between evidence gathering for the purpose of testing an organization's compliance with control procedures and evidence gathering to evaluate the integrity of individual transactions, data or other information. The former procedures are called compliance tests and the latter are called substantive tests.

A compliance test determines if controls are being applied in a manner that complies with management policies and procedures. For example, if the IS auditor is concerned about whether program library controls are working properly, the IS auditor might select a sample of programs to determine if the source and object versions are the same. The broad objective of any compliance test is to provide IS auditors with reasonable assurance that the particular control on which the IS auditor plans to rely is operating as the IS auditor perceived in the preliminary evaluation.

It is important that the IS auditor understands the specific objective of a compliance test and the control being tested. Compliance tests can be used to test the existence and effectiveness of a defined process, which may include a trail of documentary and/or automated evidence, for example, to provide assurance that only authorized modifications are made to production programs.

A substantive test substantiates the integrity of actual processing. It provides evidence of the validity and integrity of the balances in the financial statements and the transactions that support these balances. IS auditors use substantive tests to test for monetary errors directly affecting financial statement balances. An IS auditor might develop a substantive test to determine if the tape library inventory records are stated correctly. To perform this test, the IS auditor might take a thorough inventory or might use a statistical sample, which will allow the IS auditor to develop a conclusion regarding the accuracy of the entire inventory.

There is a direct correlation between the level of internal controls and the amount of substantive testing required. If the results of testing controls (compliance tests) reveal the presence of adequate internal controls, then the IS auditor is justified in minimizing the substantive procedures. Conversely, if the testing of controls reveals weaknesses in controls that may raise doubts about the completeness, accuracy or validity of the accounts, substantive testing can alleviate those doubts.


Exhibit 1.4 shows the relationship between compliance and substantive tests and describes the two categories of substantive tests.

Exhibit 1.4 (relationship between compliance and substantive tests; the flowchart is rendered here as a sequence of steps):

1. Review the system to identify controls.
2. Test compliance to determine whether controls are functioning.
3. Evaluate the controls to determine the basis for reliance and the nature, scope and timing of substantive tests.
4. Use two types of substantive tests to evaluate the validity of the data:
- Test balances and transactions.
- Perform analytical review procedures.

1.5.9 EVIDENCE


Evidence is any information used by the IS auditor to determine whether the entity or data being audited follows the established audit criteria or objectives. It is a requirement that the auditor's conclusions must be based on sufficient, relevant and competent evidence. When planning the IS audit work, the IS auditor should take into account the type of audit evidence to be gathered, its use as audit evidence to meet audit objectives and its varying levels of reliability.

Audit evidence may include the IS auditor's observations, notes taken from interviews, material extracted from correspondence and internal documentation, or the results of audit test procedures. While all evidence will assist the IS auditor in developing audit conclusions, some evidence is more reliable than others. The rules of evidence and sufficiency as well as the competency of evidence must be taken into account, as required by audit standards.

Determinants for evaluating the reliability of audit evidence include:
• Independence of the provider of the evidence-Evidence obtained from outside sources is more reliable than from within the organization. This is why confirmation letters are used for verification of accounts receivable balances.

• Qualifications of the individual providing the information/evidence-Whether the providers of the information/evidence are inside or outside of the organization, the IS auditor should always consider the qualifications of the persons providing the information. This can also be true of the IS auditor. If an IS auditor does not have a good understanding of the technical area under review, the information gathered from testing that area may not be reliable, especially if the IS auditor does not fully understand the test.

• Objectivity of the evidence-Objective evidence is more reliable than evidence that requires considerable judgment or interpretation. An IS auditor's count of a cash fund is direct, objective evidence. An IS auditor's analysis of the efficiency of an application, based upon discussions with certain personnel, may not be objective audit evidence.

• Timing of the evidence-The IS auditor should consider the time during which information exists or is available in determining the nature, timing and extent of substantive testing and, if applicable, compliance testing. For example, audit evidence processed by electronic data interchange (EDI), document image processing (DIP) and dynamic systems, such as spreadsheets, may not be retrievable after a specified period of time, if changes to the files are not controlled or the files are not backed up.

The IS auditor gathers a variety of evidence during the audit. Some may be relevant to the objectives of the audit, while other evidence may be considered peripheral. The IS auditor should focus on the overall objectives of the review and not the nature of the evidential matter gathered.


The quality and quantity of evidence must be assessed by the IS auditor. These two characteristics are referred to by the International Federation of Accountants (IFAC) as competent (quality) and sufficient (quantity). Evidential matter is competent when it is both valid and relevant. Audit judgment is used to determine when sufficiency is achieved in the same manner that is used to determine the competency of evidential matter.

An understanding of the rules of evidence is important for IS auditors, as they may encounter a variety of evidence types.

Gathering of evidential matter is a key step in the audit process. The IS auditor should be aware of the various forms of audit evidence and how evidence can be gathered and reviewed. The IS auditor should understand ISACA IS Auditing Standard S6, Evidence, and should obtain evidence of a nature and sufficiency to support audit findings.

The following are techniques for gathering evidence:
• Reviewing IS organization structures-An organizational structure that provides an adequate separation or segregation of duties is a key general control in an IS environment. The IS auditor should understand general organizational controls and be able to evaluate these controls in the organization under audit. Where there is a strong emphasis on cooperative distributed processing or on end-user computing, IS functions may be organized somewhat differently than the classic IS organization, which consists of separate systems and operations functions. The IS auditor should be able to review these organizational structures and assess the level of control they provide.

• Reviewing IS policies and procedures-An IS auditor should review whether appropriate policies and procedures are in place, determine whether personnel understand the implemented policies and procedures, and ensure that they are being followed. The IS auditor should verify that management assumes full responsibility for formulating, developing, documenting, promulgating and controlling policies covering general aims and directives. Regular reviews of policies and procedures for appropriateness should be carried out.

• Reviewing IS standards-First, the IS auditor should understand the existing standards in place within the organization.

• Reviewing IS documentation-A first step in reviewing the documentation for an information system is to understand the existing documentation in place within the organization. The IS auditor should look for a minimum level of IS documentation, which may include:
- Systems development initiating documents (e.g., feasibility study)
- Functional requirements and design specifications
- Test plans and reports
- Program and operations documents
- Program change logs and histories
- User manuals
- Operations manuals
- Security-related documents (e.g., security plans, risk assessments)
- Quality assurance reports

• Interviewing appropriate personnel-Interviewing techniques are an important skill for the IS auditor. Interviews should be organized in advance, should follow a fixed outline and should be documented by interview notes. An interview form or checklist prepared by an IS auditor is a good approach. The IS auditor should always remember that the purpose of such an interview is to gather audit evidence. Personnel interviews are discovery in nature and should never be accusatory.

• Observing processes and employee performance-The observation of processes is a key audit technique for many types of review. The IS auditor should be unobtrusive while making observations and should document everything in sufficient detail to be able to present it, if required, as audit evidence at a later date.

All of these techniques for gathering evidence are part of an audit, but an audit is not considered just review work. An audit includes examination, which incorporates, by necessity, the testing of controls and audit evidence, and therefore includes the results of audit tests.

IS auditors should recognize that with systems development techniques, such as computer-aided software engineering (CASE) or prototyping, traditional systems documentation will not be required or will be in an automated form rather than on paper. However, the IS auditor should look for documentation standards and practices within the IS organization.

The IS auditor should be able to review documentation for a given system and determine whether it follows the organization's documentation standards. In addition, the IS auditor should understand the current approaches to developing systems, such as object orientation, CASE tools or prototyping, and how the documentation is constructed. The IS auditor should recognize other components of IS documentation such as database specifications, file layouts or self-documented program listings.

1.5.10 INTERVIEWING AND OBSERVING PERSONNEL IN ACTION

Observing personnel in the performance of their duties assists an IS auditor in identifying:
• Actual functions-Observation is the best test to ensure that the individual who is assigned and authorized to perform a particular function is the person who is actually doing the job. It allows the IS auditor an opportunity to witness how policies and procedures are understood and practiced.

• Actual processes/procedures-Performing a walk-through of the process/procedure allows the IS auditor to gain evidence of compliance and observe deviations, if any.

• Security awareness-Security awareness should be observed to verify an individual's understanding and practice of good preventive and detective security measures to safeguard the company's assets and data.

• Reporting relationships-Reporting relationships should be observed to ensure that assigned responsibilities and adequate segregation of duties are being practiced.

Interviewing information processing personnel and management should provide adequate assurance that the staff has the required technical skills to perform the job. This is an important factor that contributes to an effective and efficient operation.

1.5.11 SAMPLING

Sampling is used when time and cost considerations preclude a total verification of all transactions or events in a predefined population. The population consists of the entire group of items that need to be examined. The subset of population members used to perform testing is called a sample. Sampling is used to infer characteristics about a population, based on the characteristics of a sample.

Note: Increasing regulation of organizations has led to a major focus on the IS auditor's ability to verify the adequacy of internal controls through the use of sampling techniques. This has become necessary since many controls are transactional in nature, which can make it difficult to test the entire population. Although a candidate is not expected to become a sampling expert, it is important for the candidate to have a foundational understanding of the general principles of sampling and how to design a sample that can be relied upon.

The two general approaches to audit sampling are statistical and nonstatistical:

1. Statistical sampling-An objective method of determining the sample size and selection criteria. Statistical sampling uses the mathematical laws of probability to a) calculate the sample size, b) select the sample items, and c) evaluate the sample results and make the inference. With statistical sampling, the IS auditor quantitatively decides how closely the sample should represent the population (assessing sample precision) and the number of times in 100 the sample should represent the population (the reliability or confidence level). This assessment will be represented as a percentage. The results of a valid statistical sample are mathematically quantifiable.

2. Nonstatistical sampling (often referred to as judgmental sampling)-Uses auditor judgment to determine the method of sampling, the number of items that will be examined from a population (sample size) and which items to select (sample selection). These decisions are based on subjective judgment as to which items/transactions are the most material and most risky.

When using either statistical or nonstatistical sampling methods, the IS auditor should design and select an audit sample, perform audit procedures, and evaluate sample results to obtain sufficient, reliable, relevant and useful audit evidence. These methods of sampling require the IS auditor to use judgment when defining the population characteristics and thus are subject to the risk that the IS auditor will draw the wrong conclusion from the sample (sampling risk). However, statistical sampling permits the IS auditor to quantify the probability of error (confidence coefficient). To be a statistical sample, each item in the population should have an equal opportunity or probability of being selected.


Within these two general approaches to audit sampling, there are two primary methods of sampling used by IS auditors: attribute sampling and variable sampling. Attribute sampling, generally applied in compliance testing situations, deals with the presence or absence of the attribute and provides conclusions that are expressed in rates of incidence. Variable sampling, generally applied in substantive testing situations, deals with population characteristics that vary, such as monetary values and weights (or any other measurement), and provides conclusions related to deviations from the norm.

Attribute sampling refers to three different, but related, types of proportional sampling:
1. Attribute sampling (also referred to as fixed sample-size attribute sampling or frequency-estimating sampling)-A sampling model that is used to estimate the rate (percent) of occurrence of a specific quality (attribute) in a population. It answers the question of "how many?" An example of an attribute that might be tested is approval signatures on computer access request forms.

2. Stop-or-go sampling-A sampling model that helps prevent excessive sampling of an attribute by allowing an audit test to be stopped at the earliest possible moment. It is used when the IS auditor believes that relatively few errors will be found in a population.

3. Discovery sampling-A sampling model that can be used when the expected occurrence rate is extremely low. Discovery sampling is most often used when the objective of the audit is to seek out (discover) fraud, circumvention of regulations or other irregularities.

Variable sampling, also known as dollar estimation or mean estimation sampling, is a technique used to estimate the monetary value or some other unit of measure, such as weight, of a population from a sample portion of it. An example of variable sampling is a review of an organization's balance sheet for material transactions and an application review of the program that produced the balance sheet.

Variable sampling refers to a number of different types of quantitative sampling models:
1. Stratified mean per unit-A statistical model in which the population is divided into groups and samples are drawn from the various groups. Stratified mean sampling is used to produce a smaller overall sample size, relative to unstratified mean per unit.
2. Unstratified mean per unit-A statistical model whereby a sample mean is calculated and projected as an estimated total.
3. Difference estimation-A statistical model used to estimate the total difference between audited values and book (unaudited) values based on differences obtained from sample observations.

To perform attribute or variable sampling, the following statistical sampling terms need to be understood:
• Confidence coefficient (also referred to as confidence level or reliability factor)-It is a percentage expression (90 percent, 95 percent, 99 percent, etc.) of the probability that the characteristics of the sample are a true representation of the population. Generally, a 95 percent confidence coefficient is considered a high degree of comfort. If the IS auditor knows internal controls are strong, the confidence coefficient may be lowered. The greater the confidence coefficient, the larger the sample size.
• Level of risk-It is equal to one minus the confidence coefficient. For example, if the confidence coefficient is 95 percent, the level of risk is five percent (100 percent - 95 percent).
• Precision-Set by the IS auditor, it represents the acceptable range difference between the sample and the actual population. For attribute sampling, this figure is stated as a percentage. For variable sampling, this figure is stated as a monetary amount or a number. The higher the precision amount, the smaller the sample size, and the greater the risk of fairly large total error amounts going undetected. The smaller the precision amount, the greater the sample size. A very low precision level may lead to an unnecessarily large sample size.
• Expected error rate-It is an estimate stated as a percent of the errors that may exist. The greater the expected error rate, the greater the sample size. This figure is applied to attribute sampling formulas, but not to variable sampling formulas.
• Sample mean-It is the sum of all sample values, divided by the size of the sample. It measures the average size of the sample.
• Sample standard deviation-It computes the variance of the sample values from the mean of the sample. It measures the spread(s) or dispersion of the sample values.
• Tolerable error rate-It describes the maximum misstatement or number of errors that can exist without an account being materially misstated. Tolerable rate is used for the planned upper limit of the precision range for compliance testing. The term is expressed as a percentage. Precision range and precision have the same meaning when used in substantive testing.


• Population standard deviation-It is a mathematical concept that measures the relationship to the normal distribution. The greater the standard deviation, the larger the sample size. This figure is applied to variable sampling formulas, but not to attribute sampling formulas.

Key steps in the construction and selection of a sample for an audit test include:
• Determining the objectives of the test
• Defining the population to be sampled
• Determining the sampling method, such as attribute vs. variable sampling
• Calculating the sample size
• Selecting the sample
• Evaluating the sample from an audit perspective
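The sampling terms and steps above, as an added worked example that is not from the manual: the manual states how the terms move sample size but gives no formulas, so the two sample-size formulas here are the standard normal-approximation ones (an assumption), and the invoice values, population sizes and the systematic selection rule are constructed.

```python
# Added worked example (not from the CISA Review Manual): the statistical sampling
# terms and steps above as small functions over constructed data. The manual gives
# the relationships between the terms but not formulas; the two sample-size
# formulas below are the standard normal-approximation ones (an assumption here).
import math
import statistics

# Standard normal deviates for the confidence coefficients the text lists.
Z_FOR_CONFIDENCE = {0.90: 1.645, 0.95: 1.960, 0.99: 2.576}


def level_of_risk(confidence):
    """Level of risk = one minus the confidence coefficient (95% -> 5%)."""
    return round(1.0 - confidence, 4)


def attribute_sample_size(confidence, expected_error_rate, precision):
    """Fixed sample-size attribute sampling (compliance testing).

    n = Z^2 * p * (1 - p) / precision^2, with p the expected error rate and
    precision a percentage. Population standard deviation plays no part here,
    as the text notes for attribute formulas.
    """
    z = Z_FOR_CONFIDENCE[confidence]
    p = expected_error_rate
    return math.ceil(z ** 2 * p * (1 - p) / precision ** 2)


def variable_sample_size(confidence, population_std_dev, population_size, precision):
    """Unstratified mean-per-unit sampling (substantive testing).

    n = (Z * sigma * N / precision)^2, with precision a monetary amount on the
    population total. Expected error rate plays no part here.
    """
    z = Z_FOR_CONFIDENCE[confidence]
    return math.ceil((z * population_std_dev * population_size / precision) ** 2)


def sample_mean(values):
    """Sum of all sample values divided by the sample size."""
    return sum(values) / len(values)


def sample_standard_deviation(values):
    """Spread of the sample values around the sample mean (n - 1 denominator)."""
    return statistics.stdev(values)


def unstratified_mean_per_unit(audited_values, population_size):
    """Project the sample mean as an estimated population total."""
    return sample_mean(audited_values) * population_size


def stratified_mean_per_unit(strata):
    """strata maps a name to (stratum population size, audited sample values);
    each stratum is projected on its own and the projections are summed."""
    return sum(n_h * sample_mean(vals) for n_h, vals in strata.values())


def difference_estimation(book_values, audited_values, population_size):
    """Project the mean audited-minus-book difference to the whole population."""
    diffs = [a - b for a, b in zip(audited_values, book_values)]
    return sample_mean(diffs) * population_size


def select_systematic(population_ids, sample_size, start):
    """Select the sample: every k-th item (k = N // n) from a start within the first interval."""
    interval = len(population_ids) // sample_size
    if not 0 <= start < interval:
        raise ValueError("start must lie in the first interval")
    return [population_ids[start + i * interval] for i in range(sample_size)]


if __name__ == "__main__":
    # Relationships the text states, checked numerically.
    print("attribute n:", attribute_sample_size(0.95, 0.05, 0.03))                # 203
    print("higher expected error rate:", attribute_sample_size(0.95, 0.10, 0.03))  # 385
    print("smaller precision:", attribute_sample_size(0.95, 0.05, 0.02))           # 457
    print("lower confidence:", attribute_sample_size(0.90, 0.05, 0.03))            # 143
    print("variable n:", variable_sample_size(0.95, 120.0, 5000, 50000.0))         # 554

    # Constructed sample of eight invoices from a population of 1,000.
    book = [100, 250, 400, 120, 300, 80, 500, 200]
    audited = [100, 240, 400, 125, 300, 80, 480, 200]
    print("sample mean:", sample_mean(audited))                                    # 240.625
    print("mean-per-unit total:", unstratified_mean_per_unit(audited, 1000))       # 240625.0
    print("projected difference:", difference_estimation(book, audited, 1000))     # -3125.0
    print("sample ids:", select_systematic(list(range(1, 21)), 4, 2))              # [3, 8, 13, 18]
```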

It is important to know that tools exist to analyze all of the data, not just those available through computer-assisted audit techniques.

1.5.12 USING THE SERVICES OF OTHER AUDITORS AND EXPERTS

Due to the scarce availability of IS auditors and the need for IT security specialists and other subject matter experts to conduct audits of highly specialized areas, the audit department or auditors entrusted with providing assurance may require the services of other auditors or experts. Of late, outsourcing of IS assurance and security services is increasingly becoming a common practice. External experts could include experts in specific technologies, such as networking, automated teller machine (ATM), wireless, systems integration and digital forensics, or subject matter experts such as specialists in a particular industry or area of specialization, such as banking, securities trading, insurance, legal experts etc.

When a part or the whole of IS audit services are proposed to be outsourced to another audit or external service provider, the following should be considered with regard to using the services of other auditors and experts:
• Restrictions on outsourcing of audit/security services provided by laws and regulations
• Audit charter or contractual stipulations
• Impact on overall and specific IS audit objectives
• Impact on IS audit risk and professional liability
• Independence and objectivity of other auditors and experts
• Professional competence, qualifications and experience
• Scope of work proposed to be outsourced and approach
• Supervisory and audit management controls
• Method and modalities of communication of results of audit work
• Compliance with legal and regulatory stipulations
• Compliance with applicable professional standards

Based on the nature of the assignment, the following may also require special consideration:
• Testimonials/references and background checks
• Access to systems, premises and records
• Confidentiality restrictions to protect customer-related information
• Use of CAATs and other tools to be used by the external audit service provider
• Standards and methodologies for performance of work and documentation

The IS auditor or entity outsourcing the services should monitor the relationship to ensure the objectivity and independence throughout the duration of the arrangement.

It is important to understand that often, even though a part of or the whole of the audit work may be delegated to an external service provider, the related professional liability is not necessarily delegated. Hence, it is the responsibility of the IS auditor or entity employing the services of external service providers to:
• Clearly communicate the audit objectives, scope and methodology through a formal engagement letter


• Put in place a monitoring process for regular review of the work of the external service provider with regard to planning, supervision, review and documentation
• Assess the usefulness and appropriateness of reports of such external providers and assess the impact of significant findings on the overall audit objectives

1.5.13 COMPUTER-ASSISTED AUDIT TECHNIQUES

During the course of an audit, the IS auditor is to obtain sufficient, relevant and useful evidence to achieve the audit objectives effectively. The audit findings and conclusions should be supported by appropriate analysis and interpretation of the evidence. Today's information processing environments pose a stiff challenge to the IS auditor to collect sufficient, relevant and useful evidence since the evidence exists on magnetic media.

CAATs are important tools for the IS auditor in gathering information from these environments. When systems have different hardware and software environments, different data structures, record formats or processing functions, it is almost impossible for the auditors to collect evidence without a software tool to collect and analyze the records.

CAATs also enable IS auditors in performing audits to gather information independently. CAATs provide a means to gain access and analyze data for a predetermined audit objective and to report the audit findings with emphasis on the reliability of the records produced and maintained in the system. The reliability of the source of the information used provides reassurance on findings generated.

CAATs include many types of tools and techniques, such as generalized audit software (GAS), utility software, debugging and scanning software, test data, application software tracing and mapping, and expert systems.

GAS refers to standard software that has the capability to directly read and access data from various database platforms, flat-file systems and ASCII formats. GAS provides IS auditors an independent means to gain access to data for analysis and the ability to use high-level, problem-solving software to invoke functions to be performed on data files. Features include mathematical computations, stratification, statistical analysis, sequence checking, duplicate checking and recomputations. For example, the following functions are supported in GAS:
• File access-Enables the reading of different record formats and file structures
• File reorganization-Enables indexing, sorting, merging and linking with another file
• Data selection-Enables global filtration conditions and selection criteria
• Statistical functions-Enables sampling, stratification and frequency analysis
• Arithmetical functions-Enables arithmetic operators and functions
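The GAS functions listed above, written out as an added example in plain Python over a constructed payment extract; this is not code from the manual or from any GAS product, and the file layout, field names and the recomputation tolerance are assumptions.

```python
# Added example (not from the CISA Review Manual or any GAS product): a few of
# the generalized audit software functions listed above, in plain Python over a
# constructed flat-file extract. Field names and the 0.005 tolerance are assumptions.
import csv
import io
from collections import Counter

# Constructed payment extract: one duplicate id, one gap in the id run, one
# missing approver and one amount that does not recompute.
PAYMENTS_CSV = """payment_id,vendor,amount,quantity,unit_price,approver
1001,ACME,1200.00,10,120.00,jdoe
1002,ACME,450.00,3,150.00,jdoe
1003,Globex,9800.00,7,1400.00,
1005,Initech,75.50,1,75.50,asmith
1005,Initech,75.50,1,75.50,asmith
1006,Globex,15000.00,10,1500.00,asmith
1007,ACME,310.00,2,160.00,jdoe
"""


def read_records(text):
    """File access: read the extract and convert numeric fields."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        row["payment_id"] = int(row["payment_id"])
        row["amount"] = float(row["amount"])
        row["quantity"] = int(row["quantity"])
        row["unit_price"] = float(row["unit_price"])
        records.append(row)
    return records


def sort_by(records, field):
    """File reorganization: sort the file on one field."""
    return sorted(records, key=lambda r: r[field])


def select(records, predicate):
    """Data selection: keep records meeting a filter condition."""
    return [r for r in records if predicate(r)]


def duplicate_ids(records):
    """Duplicate checking: payment ids that occur more than once."""
    counts = Counter(r["payment_id"] for r in records)
    return sorted(i for i, c in counts.items() if c > 1)


def sequence_gaps(records):
    """Sequence checking: ids missing from the run between lowest and highest."""
    ids = {r["payment_id"] for r in records}
    return [i for i in range(min(ids), max(ids) + 1) if i not in ids]


def frequency(records, field):
    """Statistical function: frequency analysis of one field's values."""
    return Counter(r[field] for r in records)


def stratify(records, upper_bounds):
    """Statistical function: (count, total amount) per amount band; each bound is
    the inclusive top of a band, with 'over' for amounts above the last bound."""
    strata = {}
    for r in records:
        band = next((b for b in upper_bounds if r["amount"] <= b), "over")
        count, total = strata.get(band, (0, 0.0))
        strata[band] = (count + 1, total + r["amount"])
    return strata


def recompute_mismatches(records, tolerance=0.005):
    """Arithmetical function: recompute quantity * unit_price and flag records
    whose stored amount differs by more than the tolerance."""
    return [r["payment_id"] for r in records
            if abs(r["quantity"] * r["unit_price"] - r["amount"]) > tolerance]


if __name__ == "__main__":
    recs = read_records(PAYMENTS_CSV)
    print("duplicates:", duplicate_ids(recs))                      # [1005]
    print("sequence gaps:", sequence_gaps(recs))                   # [1004]
    print("no approver:", [r["payment_id"] for r in select(recs, lambda r: not r["approver"])])  # [1003]
    print("amount strata:", stratify(recs, [500, 5000]))
    print("recompute mismatches:", recompute_mismatches(recs))     # [1007]
```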

The effective and efficient use of the software requires an understanding of its capabilities and limitations.

Utility software is the subset of software, such as the database management system's report generators, that provides evidence to the auditors about system control effectiveness. Test data involve the auditors using a sample set of data to assess whether logic errors exist in a program and whether the program meets its objectives. The review of an application system will provide information about internal controls built in the system. The audit-expert system will give direction and valuable information to all levels of auditors while carrying out the audit, because the query-based system is built on the knowledge base of the senior auditors or managers.

These tools and techniques can be used in performing various audit procedures including:
• Tests of the details of transactions and balances
• Analytical review procedures
• Compliance tests of IS general controls
• Compliance tests of IS application controls
• Penetration and OS vulnerability assessment testing

The IS auditor should have a thorough understanding of CAATs and know where and when to apply them.


CAATs as a Continuous Online Audit Approach
An increasingly important advantage of CAATs is the ability to improve audit efficiency, particularly in paperless environments, through continuous online auditing techniques. To this end, IS auditors must develop audit techniques that are appropriate for use with advanced computerized systems. In addition, they must be involved in the creation of advanced systems at the early stages of development and implementation and must make greater use of automated tools that are suitable for their organization's automated environment. This is in the form of the continuous audit approach. (For more detailed information on continuous online auditing, see chapter 3, Systems and Infrastructure Life Cycle Management.)

CAATs Summary
CAATs offer the following advantages:
• Reduced level of audit risk
• Greater independence from the auditee
• Broader and more consistent audit coverage
• Faster availability of information
• Improved exception identification
• Greater flexibility of run times
• Greater opportunity to quantify internal control weaknesses
• Enhanced sampling
• Cost savings over time

Like any other process, an IS auditor should weigh the costs/benefits of CAATs before going through the effort, time and expense of purchasing or developing them. Issues to consider include:
• Ease of use, both for existing and future audit staff
• Training requirements
• Complexity of coding and maintenance
• Flexibility of uses
• Installation requirements
• Processing efficiencies (especially with a PC CAAT)
• Effort required to bring the source data into the CAATs for analysis

When developing CAATs, the following are examples of documentation to be retained:
• Online reports detailing high-risk issues for review
• Commented program listings
• Flowcharts
• Sample reports
• Record and file layouts
• Field definitions
• Operating instructions
• Description of applicable source documents

CAATs documentation should be referenced to the audit program and clearly identify the audit procedures and objectives being served. When requesting access to production data for use with CAATs, the IS auditor should request read-only access. Any data manipulation by the IS auditor should be done to copies of production files in a controlled environment to ensure production data are not exposed to unauthorized updating.

1.5.14 EVALUATION OF AUDIT STRENGTHS AND WEAKNESSES

After developing an audit program and gathering audit evidence, the next step is an evaluation of the information gathered to develop an audit opinion. This requires the IS auditor to consider a series of strengths and weaknesses and then develop audit opinions and recommendations. These steps require the IS auditor to make judgments that are often gained from experience, rather than from reference materials. While it is applied throughout the IS audit process, the ISACA IS Auditing Standard S3, Professional Care, is particularly important to the IS auditor in evaluating audit strengths and weaknesses.


The IS auditor should assess the results of the evidence gathered for compliance with the control requirements or objectives established during the planning stage of the audit. This requires considerable judgment, as controls are often unclear about efficiency or its correspondence to specific control objectives. In essence, controls should be in place to remove or minimize every perceived risk or threat to the entity being audited.

A control matrix is often utilized in assessing the proper level of controls. Known types of errors that can occur in the area under review are placed on the top axis and known controls to detect or correct errors are placed on the side axis. Then, using a ranking method, the matrix is filled with the appropriate measurements. When completed, the matrix will illustrate areas where controls are weak or lacking.
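The control matrix described above, as an added example that is not from the manual; the error types, control names and the 0 to 3 ranking scale are constructed, and the functions show how the filled matrix exposes error types that no control adequately covers.

```python
# Added example (not from the CISA Review Manual): a control matrix with known
# error types across the top axis and known controls down the side axis, ranked
# 0 (no effect) to 3 (fully detects or corrects). All names and scores are constructed.
ERROR_TYPES = ["duplicate payment", "unauthorized program change",
               "lost transaction", "wrong posting period"]

CONTROL_MATRIX = {
    # control (side axis): rankings in ERROR_TYPES order (top axis)
    "batch control totals":   [1, 0, 3, 0],
    "sequence number check":  [2, 0, 3, 0],
    "change approval form":   [0, 3, 0, 0],
    "duplicate-key check":    [3, 0, 0, 0],
    "period cut-off review":  [0, 0, 0, 1],
}


def coverage(matrix, error_types):
    """Strongest control ranking for each error type (the maximum of each column)."""
    return {err: max(scores[i] for scores in matrix.values())
            for i, err in enumerate(error_types)}


def weak_areas(matrix, error_types, minimum=2):
    """Error types where controls are weak or lacking: no control ranked >= minimum."""
    return [err for err, best in coverage(matrix, error_types).items() if best < minimum]


def controls_for(matrix, error_types, error, minimum=2):
    """Controls that address one error type, strongest first. Two or more strong
    controls over the same error are candidates for compensating or overlapping controls."""
    i = error_types.index(error)
    hits = [(name, scores[i]) for name, scores in matrix.items() if scores[i] >= minimum]
    return [name for name, _ in sorted(hits, key=lambda h: -h[1])]


if __name__ == "__main__":
    print("coverage:", coverage(CONTROL_MATRIX, ERROR_TYPES))
    print("weak or lacking:", weak_areas(CONTROL_MATRIX, ERROR_TYPES))   # ['wrong posting period']
    print("lost transaction:", controls_for(CONTROL_MATRIX, ERROR_TYPES, "lost transaction"))
```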

As part of the IS review, the IS auditor may discover a variety of strong and weak controls. All should be considered when evaluating the overall control structure. In some instances, one strong control may compensate for a weak control in another area. For example, if the IS auditor finds weaknesses in a system's transaction error report, the IS auditor may find that a detailed manual balancing process over all transactions compensates for the weaknesses in the error report. The IS auditor should be aware of compensating controls in areas where controls have been identified as weak.

As another example of a compensating control, the IS auditor might find that the tape management system at a data center or information facility has a control weakness in that some parameters are set to bypass or ignore the labels written on tape header records. This is a control weakness. However, if the IS auditor finds very strong staging and job setup procedures that are considered to be adequate, the IS auditor may conclude that this control compensates for the control weakness over tape label controls. While a compensating control situation occurs when one stronger control supports a weaker one, overlapping controls are two strong controls. For example, if a data center employs a card key system to control physical access and a guard inside the door requires employees to show their card key or badge, an overlapping control exists. Either control might be adequate to restrict access, and the two complement each other.

Normally, a control objective will not be achieved by considering one control adequate. Rather, the IS auditor will perform a variety of testing procedures and evaluate how these relate to one another. Generally a group of controls, when aggregated together, may act as compensating controls and, thereby, minimize the risk. An IS auditor should always review for compensating controls prior to reporting a control weakness.

The IS auditor may not find each control procedure to be in place but should evaluate the comprehensiveness of controls by considering the strengths and weaknesses of control procedures.

The IS auditor will review evidence gathered during the audit to determine if the operations reviewed are well controlled and effective. This is also an area that requires IS auditor judgment and experience. The IS auditor should assess the strengths and weaknesses of the controls evaluated and then determine if they are effective in meeting the control objectives established as part of the audit planning process.

Judging the Materiality of Findings
The concept of materiality is a key issue when deciding which findings to bring forward in an audit report. Key to determining the materiality of audit findings is the assessment of what would be significant to different levels of management. Assessment requires judging the potential effect of the finding if corrective action is not taken. A weakness in computer security physical access controls at a remote distributed computer site may be significant to management at the site, but will not necessarily be material to upper management at headquarters. However, there may be other matters at the remote site that would be material to upper management.

The IS auditor must use judgment when deciding which findings to present to various levels of management. For example, the IS auditor may find that the transmittal form for delivering tapes to the offsite storage location is not properly initialed or authorization evidenced by management as required by procedures. If the IS auditor finds that management otherwise pays attention to this process and that there have been no problems in this area, the IS auditor may decide that the failure to initial transmittal documents is not material enough to bring to the attention of upper management. The IS auditor might decide to discuss this only with local operations management. However, there may be other control problems that will cause the IS auditor to conclude that this is a material error, because it may lead to a larger control problem in other areas. The IS auditor should always judge which findings are material to various levels of management and should report them accordingly.

1.5.15 COMMUNICATING AUDIT RESULTS

The exit interview, conducted at the end of the audit, provides the IS auditor with the opportunity to discuss findings and recommendations with management. The objectives and scope of the audit can be discussed and the IS audit process can be explained. During the exit interview, the IS auditor should:
• Ensure that the facts presented in the report are correct
• Ensure that the recommendations are realistic and cost-effective and, if not, seek alternatives through negotiation with the audited area
• Recommend implementation dates for agreed recommendations

The IS auditor will frequently be asked to present the results of audit work to various levels of management. The IS auditor should have a thorough understanding of the presentation techniques necessary to communicate these results.

Presentation techniques could include the following:
• Executive summary-An easy-to-read, concise report, it presents findings to management in an understandable manner. Most executive managers are not well versed in computer jargon; therefore, executive summaries should minimize the use of complex terminology. Findings and recommendations should be communicated from a business perspective. Detailed attachments can be more technical in nature since operations management will require the detail to correct the reported situations.
• Visual presentation-This may include overhead transparencies, slides or computer graphics.

IS auditors should be aware that ultimately they are responsible to senior management and the audit committee of the board of directors. IS auditors should feel free to communicate issues or concerns to such management. An attempt to deny access by levels lower than senior management would limit the independence of the audit function.

Before communicating the results of an audit to senior management, the IS auditor should discuss the findings with the management staff of the audited entity. The goal of such a discussion would be to gain agreement on the findings and develop a course of corrective action. In cases where there is disagreement, the IS auditor should elaborate on the significance of the findings, risks and effects of not correcting the control weakness. Sometimes the auditee's management may request assistance from the IS auditor in implementing the recommended control enhancements. The IS auditor should communicate the difference between the IS auditor's role and that of a consultant, and give careful consideration to how assisting the auditee may adversely affect the IS auditor's independence.

Once agreement has been reached with the auditee, IS audit management should brief senior management of the audited organization. Periodically, a summary of audit activities will be presented to the audit committee. Audit committees typically are composed of individuals who do not work directly for the organization and, thus, provide the auditors with an independent route to report sensitive findings.

Audit Report Structure and Contents
Audit reports are the end product of the IS audit work. They are used by the IS auditor to report findings and recommendations to management. The exact format of an audit report will vary by organization. However, the skilled IS auditor should understand the basic components of an audit report and how it communicates audit findings to management. The IS auditor should become familiar with the ISACA S7 Reporting and S8 Follow-up Activities standards.

There is no specific format for an IS audit report, yet the organization's audit policies and procedures will dictate the general format. Audit reports, however, usually will have the following structure and content:
• An introduction to the report, including a statement of audit objectives and scope, the period of audit coverage, and a general statement on the nature and extent of audit procedures examined during the audit
• The IS auditor's overall conclusion and opinion on the adequacy of controls and procedures examined during the audit


• The IS auditor's reservations or qualifications with respect to the audit. This may state that the controls or procedures examined were found to be adequate or inadequate. The balance of the audit report should support that conclusion and the overall evidence gathered during the audit should provide an even greater level of support.
• Detailed audit findings and recommendations and the decision to include or not include findings in an audit report. These should be based on the materiality of the findings and the intended recipient of the audit report. An audit report directed to the audit committee of the board of directors, for example, may not include findings that are important to local management but have little control significance to the overall organization. The decision of what to include in various levels of audit reports depends upon the guidance provided by upper management.
• A variety of findings, some of which may be quite material while others are minor in nature
• Limitations to audit
• Statement on the IS audit guidelines followed

The IS auditor, however, should make the final decision about what to include or exclude from the audit report. Generally, the IS auditor should be concerned with providing a balanced report, describing not only negative issues in terms of findings but positive constructive comments regarding improving processes and controls or effective controls already in place. Overall, the IS auditor should exercise independence in the reporting process.

Management evaluates responses to the findings, stating corrective actions to be taken and timing for implementing these anticipated corrective actions. Some organizations may wish to issue a summary report with detailed findings communicated separately. Others may issue the report without responses.

Management may not be able to implement all audit recommendations immediately. For example, the IS auditor may recommend changes to an information system that is also undergoing other changes or enhancements. The IS auditor should not necessarily expect that the other changes will be suspended until the IS auditor's recommendations are installed. Rather, all may be implemented at once.

The IS auditor should discuss the recommendations and any planned implementation dates while in the process of releasing the audit report. The IS auditor must realize that various constraints, such as staff limitations, budgets or other projects, may limit immediate implementation. Management should develop a firm program for corrective action. It is important to obtain a commitment from the auditee/management on the date by which the action plan will be implemented (the solution can itself be something which takes a long time for implementation) and the manner in which it will be done, as the corrective action may itself bring in certain risks that may be avoided if identified while discussing and finalizing the audit report. If appropriate, the IS auditor may want to report to upper management on the progress of implementing recommendations.

The ISACA IS Auditing Guideline, Report Content and Form, specifies that the report should include all significant audit findings. When a finding requires explanation, the IS auditor should describe the finding, its cause and its risk. When appropriate, the IS auditor should provide the explanation in a separate document and make reference to it in the report. For example, this approach may be appropriate for highly confidential matters. The IS auditor should also identify the organizational, professional and governmental criteria applied, such as COBIT. The report should be issued in a timely manner to encourage prompt corrective action. When appropriate, the IS auditor should promptly communicate significant findings to the appropriate persons prior to the issuance of the report. Prior communication of significant findings should not alter the intent or content of the report.

1.5.16 MANAGEMENT IMPLEMENTATION OF RECOMMENDATIONS

IS auditors should realize that auditing is an ongoing process. The IS auditor is not effective if audits are performed and reports issued, but no follow-up is conducted to determine if management has taken appropriate corrective actions. IS auditors should have a follow-up program to determine if agreed-to corrective actions have been implemented. Although IS auditors who work for external audit firms may not necessarily follow this process, they may achieve these tasks if agreed to by the audited entity.

The timing of the follow-up will depend upon the criticality of the findings and would be subject to the IS auditor's judgment. The results of the follow-up should be communicated to appropriate levels of management.


The level of the IS auditor's follow-up review will depend upon several factors. In some instances, the IS auditor may merely need to inquire as to the current status. In other instances, the IS auditor who works in an internal audit function may have to perform certain audit steps to determine if the corrective actions agreed to by management have been implemented.

1.5.17 AUDIT DOCUMENTATION

IS audit documentation includes the audit plan, a description or diagram of the IS environment, audit programs, minutes of meetings, audit evidence, findings, conclusions and recommendations, any report issued as a result of the audit work, and supervisory review comments, if any. The audit documentation should be maintained in safe custody and be available for a period that satisfies legal, professional and organizational requirements. However, the exact contents of documentation depend on each audit entity, its scope and objectives. ISACA has published a guideline, G8 Audit Documentation.

Audit documentation should support the findings and conclusions/opinion. Time of evidence sometimes will be crucial to supporting audit findings and conclusions. The IS auditor should take enough care to ensure that the evidence gathered and documented will be able to support audit findings and conclusions. An IS auditor should be able to prepare adequate working papers, narratives, questionnaires and understandable system flowcharts.

Documentation should include, at a minimum, a record of the:
• Planning and preparation of the audit scope and objectives
• Description and/or walkthroughs on the scoped audit area
• Audit program
• Audit steps performed and audit evidence gathered
• Use of services of other auditors and experts
• Audit findings, conclusions and recommendations

It is also recommended that documentation include:
• A copy of the report issued as a result of the audit work
• Evidence of supervisory review

Documents should include audit information that is required by laws and regulations, contractual stipulations and professional standards. Audit documentation is necessary evidence supporting the conclusions reached and, hence, should be clear, complete, easily retrievable and sufficiently comprehensible. Audit documentation is generally the property of the auditing entity and should be accessible only to authorized personnel under specific or general permission. Where access to audit documentation is requested by external parties, the auditor should obtain appropriate prior approval of senior management/client.

The IS auditor/IS audit department should also develop policies regarding custody, retention requirements and release of audit documentation.

Constraints on the Conduct of the Audit
Although an audit organization may be staffed with people who have an appropriate mix of required skills, constraints may limit the availability of this staff. These constraints may range from holidays to time off for professional conferences to conflicts with other audit projects. For example, IS auditors may be asked to support the external auditors with computer-assisted procedures at year-end. Thus, these IS auditors may not be available during this period for other audit projects.

Auditee constraints may include:
• Recent employee turnover or unavailability
• Infringement on deadline dates or cyclical processing dates
• Overall lack of knowledge or documentation

To understand these constraints on the conduct of an audit, the IS auditor should have a good understanding of overall project management techniques. Often, these constraints can be minimized or avoided by adequate planning.


Project Management Techniques
Project management techniques for managing and administering audit projects, whether automated or manual, include the following basic steps:
• Develop a detailed plan-The plan should spread the necessary audit steps across a time line. Realistic estimates should be made of the time requirements for each task with proper consideration given to the availability of the auditee.
• Report project activity against the plan-There should be some type of reporting system in place such that IS auditors can report their actual progress against planned audit steps.
• Adjust the plan and take corrective action-Actual accomplishments should be measured against the established plan on a continuous basis. Changes should be made in IS auditor assignments or in planned schedules, as required.

1.6 CONTROL SELF-ASSESSMENT

Control self-assessment (CSA) can be defined as a management technique that assures stakeholders, customers and other parties that the internal control system of the business is reliable. It also ensures that employees are aware of the risks to the business and that they conduct periodic, proactive reviews of controls. It is a methodology used to review key business objectives, the risks involved in achieving those objectives and the internal controls designed to manage these business risks, in a formal, documented, collaborative process.

In practice, CSA is a series of tools on a continuum of sophistication ranging from simple questionnaires to facilitated workshops, designed to gather information about the organization by asking those with a day-to-day working knowledge of an area as well as their managers. The basic tools used during a CSA project are the same whether the project is technical, financial or operational. These tools include management meetings, client workshops, worksheets, rating sheets and the CSA project approach. Like the continuum of tools used to gather information, there are diverse approaches to the levels below management that are queried; some organizations even include outsiders (such as clients or trading partners) when making CSA assessments.

The CSA program can be implemented by various methods. For small business units within organizations, it can be implemented by facilitated workshops where functional management and control professionals such as auditors can come together and deliberate how best to evolve a control structure for the business unit.

In organizations with offices at various locations, it may not be practical to organize facilitated workshops. In this case, a hybrid approach is needed. A questionnaire based on the control structure can be used. Operational managers can periodically complete the questionnaire, which can be analyzed and evaluated for effectiveness of the controls. However, a hybrid approach will be effective only if the analysis and readjustment of the questionnaire is performed using a life-cycle approach, as shown in exhibit 1.5.

1.6.1 BENEFITS OF CSA

Some of the benefits of a CSA include the following:
• Early detection of risks
• More effective and improved internal controls
• Creation of cohesive teams through employee involvement
• Increased employee awareness of organizational objectives and knowledge of risk and internal controls
• Increased communication between operational and top management
• Highly motivated employees
• Improved audit rating process
• Reduction in control cost
• Assurance provided to stakeholders and customers
• Necessary assurance given to top management about the adequacy of internal controls, as required by the various regulatory agencies and laws such as the US Sarbanes-Oxley Act


Exhibit 1.5 (diagram not reproduced): the CSA questionnaire life cycle. Identify process and objectives; identify and assess risks; identify and assess controls; develop questionnaire; collect and analyze questionnaire; then return to the first step.

1.6.2 DISADVANTAGES OF CSA

CSA does potentially contain several disadvantages, which include:
• It could be mistaken as an audit function replacement.
• It may be regarded as an additional workload (e.g., one more report to be submitted to management).
• Failure to act on improvement suggestions could damage employee morale.
• Lack of motivation may limit effectiveness in the detection of weak controls.

There are several objectives associated with adopting a CSA program. The primary objective is to leverage the internal audit function by shifting some of the control monitoring responsibilities to the functional areas. It is not intended to replace audit's responsibilities, but to enhance them. Clients, such as line managers, are responsible for controls in their environment; they also should be responsible for monitoring them. CSA programs also must educate management about control design and monitoring, particularly concentrating on areas of high risk. These programs are not just policies requiring clients to comply with control standards. Instead, they offer a variety of support ranging from written suggestions outlining acceptable control environments to in-depth workshops. When workshops are included in the program, an additional objective, the empowerment of workers to assess or even design the control environment, may be included in the program.

When employing a CSA program, measures of success for each phase (planning, implementation and monitoring) should be developed to determine the value derived from CSA and its future use. One critical success factor (CSF) is to conduct a meeting with the business unit representatives, including appropriate and relevant staff and management, to identify the business unit's primary objective, which is to determine the reliability of the internal control system. In addition, actions that increase the likelihood of achieving the primary objective should be identified.

A generic set of goals and metrics for each process, which can be used in designing and monitoring the CSA program, has been provided in COBIT.

COBIT is a governance and control framework that provides guidance in the development of the control assessment method. One could develop a CSA method by identifying the tasks and processes that are relevant to the business environment and then defining the controls for relevant activities. A CSA questionnaire can be developed using the IT Assurance Guide.


1.6.3 AUDITOR ROLE IN CSA

The auditor's role in CSAs should be considered enhanced when audit departments establish a CSA program. When these programs are established, auditors become internal control professionals and assessment facilitators. Their value in this role is evident when management takes responsibility and ownership for internal control systems under their authority through process improvements in their control structures, including an active monitoring component.

For an auditor to be effective in this facilitative and innovative role, the auditor must understand the business process being assessed. This can be attained via traditional audit tools, such as a preliminary survey or walk-through. Also, the auditors must remember that they are the facilitators and the management client is the participant in the CSA process. For example, during a CSA workshop, instead of the auditor performing detailed audit procedures, the auditor will lead and guide the clients in assessing their environment by providing insight about the objectives of controls based on risk assessment. The managers, with a focus on improving the productivity of the process, might suggest replacement of preventive controls. In this case, the auditor is better placed to explain the risks associated with such changes.

1.6.4 TECHNOLOGY DRIVERS FOR CSA

The development of techniques for empowerment, information gathering and decision making is a necessary part of a CSA program implementation. Some of the technology drivers include the combination of hardware and software to support CSA selection and the use of an electronic meeting system and computer-supported decision aids to facilitate group decision making. Group decision making is an essential component of a workshop-based CSA where employee empowerment is a goal. In the case of a questionnaire approach, the same principle applies for the analysis and readjustment of the questionnaire.

1.6.5 TRADITIONAL VS. CSA APPROACH

The traditional approach can be summarized as any approach in which the primary responsibility for analyzing and reporting on internal control and risk is assigned to auditors and, to a lesser extent, controller departments and outside consultants. This approach has created and reinforced the notion that auditors and consultants, not management and work teams, are responsible for assessing and reporting on internal control. The CSA approach, on the other hand, emphasizes management responsibility and accountability for developing and monitoring the internal controls of an organization's sensitive and critical business processes.

A summary of the attributes or focus that distinguishes each from the other is described in exhibit 1.6.

Exhibit 1.6: Traditional vs. CSA approach

Traditional (historical)                     | CSA
---------------------------------------------|--------------------------------------------------------------------
Assigns duties/supervises staff              | Empowered/accountable employees
Policy/rule-driven                           | Continuous improvement/learning curve
Limited employee participation               | Extensive employee participation and training
Narrow stakeholder focus                     | Broad stakeholder focus
Auditors and other specialists               | Staff at all levels, in all functions, are the primary control analysts
Reporters                                    | Reporters


1.7 EMERGING CHANGES IN THE IS AUDIT PROCESS

The IS audit process must continually change to keep pace with innovations in technology. New topics that address these emerging changes include areas such as automated work papers, integrated auditing and continuous auditing.

1.7.1 AUTOMATED WORK PAPERS

Increasingly, audit teams are creating their audit work papers (risk analysis, audit programs, results, test evidence, conclusions, reports and other complementary information such as business information) in automated format, using specialized applications designed for this purpose.

Although auditors often use office automation packages such as text/word processors or spreadsheets, standard audit work paper packages are being implemented in more and more medium to large audit departments and are proving to be useful and appropriate in facilitating audit work.

In such cases, rules regarding the integrity, confidentiality and availability of audit records should be applied that are equivalent to those required for hard copy or printed documents. Minimum controls that should be addressed include:
• Access to work papers (profiles and access rights), i.e., no one should be authorized to change or delete audit records once audit work has been completed and a report issued, after audit management approval
• Audit trails, including when a document was changed, who performed the modification, and automated update of the document version when it is changed
• Automated features to provide and record approvals (e.g., by the audit director, managers, etc.) of audit phases (audit program, conclusions, reports)
• Security and integrity controls regarding the operating system, databases and communication channels (e.g., server under audit control, corporate network, exporting documents, exclusive server)
• Backup and restore procedures
• Encryption techniques to provide confidentiality
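The access, audit trail and approval controls listed above can be enforced inside the work paper application itself rather than left to procedure. The following is an added example, not code from the manual or from any audit work paper product; the key, document names, user names and timestamps are constructed for the illustration. It keeps each work paper's history as a chain of HMAC-protected trail entries (each entry authenticates the previous entry's MAC), refuses updates once audit management has approved and finalized the document, and detects both a direct edit of the stored content and the removal of a trail entry.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from typing import Dict, List

# Hypothetical key held by the work paper application (in practice it would
# live in a key store, never in source). Assumed for this example only.
AUDIT_TRAIL_KEY = b"example-only-key-not-for-production"


class WorkpaperError(Exception):
    """A modification that would violate a work paper control."""


@dataclass
class Workpaper:
    """One audit document with versioning and a hash-chained audit trail.

    Each trail entry carries an HMAC over its own fields plus the previous
    entry's MAC, so editing or deleting an entry breaks verification of every
    entry after it. The content hash in the last entry ties the trail to the
    stored document, so a direct edit of the content is detected as well.
    """
    name: str
    content: str
    version: int = 1
    finalized: bool = False
    trail: List[Dict] = field(default_factory=list)

    @classmethod
    def create(cls, name: str, content: str, actor: str, when: str) -> "Workpaper":
        wp = cls(name=name, content=content)
        wp._append_trail(actor, "create", when)
        return wp

    def _append_trail(self, actor: str, action: str, when: str) -> None:
        entry = {
            "actor": actor,
            "action": action,
            "version": self.version,
            "when": when,  # timestamp supplied by the caller (constructed data here)
            "content_sha256": hashlib.sha256(self.content.encode()).hexdigest(),
            "prev_mac": self.trail[-1]["mac"] if self.trail else "",
        }
        payload = json.dumps(entry, sort_keys=True).encode()
        entry["mac"] = hmac.new(AUDIT_TRAIL_KEY, payload, hashlib.sha256).hexdigest()
        self.trail.append(entry)

    def update(self, actor: str, new_content: str, when: str) -> int:
        """Record a new version. Refused once the document is finalized."""
        if self.finalized:
            raise WorkpaperError(f"{self.name} is finalized; changes are not permitted")
        self.version += 1
        self.content = new_content
        self._append_trail(actor, "update", when)
        return self.version

    def finalize(self, approver: str, role: str, when: str) -> None:
        """Record audit management approval and lock the document."""
        if role != "audit_manager":
            raise WorkpaperError("only audit management may approve and finalize")
        self.finalized = True
        self._append_trail(approver, "finalize", when)

    def verify_trail(self) -> bool:
        """Recompute every MAC and chain link; False if anything was altered."""
        prev_mac = ""
        for entry in self.trail:
            body = {k: v for k, v in entry.items() if k != "mac"}
            if body["prev_mac"] != prev_mac:
                return False
            payload = json.dumps(body, sort_keys=True).encode()
            expected = hmac.new(AUDIT_TRAIL_KEY, payload, hashlib.sha256).hexdigest()
            if not hmac.compare_digest(expected, entry["mac"]):
                return False
            prev_mac = entry["mac"]
        current = hashlib.sha256(self.content.encode()).hexdigest()
        return bool(self.trail) and self.trail[-1]["content_sha256"] == current


def demo() -> Dict[str, object]:
    """Walk a work paper through draft, revision, approval and two tampering attempts."""
    wp = Workpaper.create("WP-01 logical access", "Draft: 25 admin accounts sampled",
                          "auditor_a", "2007-01-10T09:00")
    wp.update("auditor_a", "Final: 25 sampled, 3 shared admin accounts", "2007-01-12T16:00")
    wp.finalize("mgr_b", "audit_manager", "2007-01-15T10:00")
    try:
        wp.update("auditor_a", "edited after the report was issued", "2007-02-01T08:00")
        blocked = False
    except WorkpaperError:
        blocked = True
    intact = wp.verify_trail()
    saved = wp.content
    wp.content = "edited directly in the database"   # bypasses the application
    content_tamper_detected = not wp.verify_trail()
    wp.content = saved
    del wp.trail[1]                                   # remove the revision entry
    trail_tamper_detected = not wp.verify_trail()
    return {"version": wp.version, "blocked": blocked, "intact": intact,
            "content_tamper_detected": content_tamper_detected,
            "trail_tamper_detected": trail_tamper_detected}
```

The chain only proves that nothing changed since the last legitimate entry; it does not stop an attacker who also holds the key, which is why the key belongs to the work paper server and not to the auditors who write the documents, and why backups of the trail should be kept outside the application's own database.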

1.7.2 INTEGRATED AUDITING

The dependence of business processes on information technology has necessitated that traditional financial and operational auditors develop an understanding of IT control structures and that IS auditors develop an understanding of the business control structures. Integrated auditing can be defined as the process whereby appropriate audit disciplines are combined to assess key internal controls over an operation, process or entity.

The integrated approach focuses on risk. For an internal audit function, this will focus on risk to the entity. For an external auditor, the focus will be on the risk of providing an incorrect or misleading audit opinion. A risk analysis assessment aims to understand and identify risks arising from the entity and its environment, including relevant internal controls. At this stage, the role of IT audit is typically to understand and identify risks under topical areas such as information management, IT infrastructure, IT governance and IT operations. Other audit specialists will seek to understand the organizational environment, business risks and business controls. A key element of the integrated approach is discussion of the risks arising among the whole audit team, with consideration of impact and likelihood.

Detailed audit work then focuses on the relevant controls in place to manage these risks. IT systems frequently provide a first line of preventive and detective controls, and the integrated audit approach depends on a sound assessment of their efficiency and effectiveness.


The integrated audit process typically involves:
• Identification of relevant key controls
• Review and understanding of the design of key controls
• Testing that key controls are supported by the IT system
• Testing that management controls operate effectively
• A combined report or opinion on control risks, design and weaknesses

The integrated audit demands a focus on business risk and a drive for creative control solutions. It is a team effort of auditors with different skill sets. Using this approach permits a single audit of an entity with one comprehensive report. An additional benefit is that this approach assists in staff development and retention by providing greater variety and the ability to see how all of the elements (both functional and IT) mesh together to form the complete picture. See exhibit 1.7 for an integrated auditing approach.

Exhibit 1.7 (diagram not reproduced): integrated auditing as the overlap of Operational Audit, IS Audit and Financial Audit.

1.7.3 CONTINUOUS AUDITING

The focus on increased effectiveness and efficiency of assurance, internal auditing and control has spurred the development of new studies and the examination of new ideas concerning continuous auditing, as opposed to more traditional periodic auditing reviews. Several research studies and documents addressing the subject carry different definitions of continuous auditing. All of them, however, recognize that a distinctive characteristic of continuous auditing is the short time lapse between the facts to be audited and the collection of evidence and audit reporting.

Traditional financial reports and the traditional audit style sometimes prove not to be enough because they lack the essential element in today's business environment: updated information. Therefore, continuous auditing appears to be gaining more and more followers.

Some of the drivers of continuous auditing are better monitoring of financial issues within a company, ensuring that real-time transactions also benefit from real-time monitoring, prevention of financial fiascoes and audit scandals such as Enron and WorldCom, and the use of software to determine that financial controls are proper. Continuous auditing involves a large amount of work because the company practicing continuous auditing will not provide one report at the end of a quarter, but will provide financial reports on a more frequent basis.


Continuous auditing is not a recent development. Traditional application systems may contain embedded audit modules. These would allow an auditor to trap predefined types of events, or to directly inspect abnormal or suspect conditions and transactions.

Most current commercial applications could be customized with such features. However, cost and other considerations, and the technical skills that would be required to establish and operate these tools, tend to limit the usage of embedded audit modules to specific fields and applications.

To properly understand the implications and requirements of continuous auditing, a clear distinction has to be made between continuous auditing and continuous monitoring:
• Continuous monitoring-Provided by IS management tools, it is typically based on automated procedures to meet fiduciary responsibilities. For instance, real-time antivirus or intrusion detection systems (IDSs) may operate in a continuous monitoring fashion.
• Continuous auditing-"A methodology that enables independent auditors to provide written assurance on a subject matter using a series of auditors' reports issued simultaneously with, or a short period of time after, the occurrence of events underlying the subject matter" (from DeWayne L. Searcy and Jon B. Woodroof, "Continuous Auditing: Leveraging Technology," CICA/AICPA research report, May 2003). Continuous IS (and non-IS) auditing is typically completed using automated audit procedures.

Continuous auditing should be independent of continuous control or monitoring activities. When both continuous monitoring and continuous auditing take place, continuous assurance can be established.

Efforts on the subject of continuous auditing often incorporate new IT developments, the increased processing capabilities of current hardware and software, standards, and artificial intelligence (AI) tools. Continuous auditing attempts to facilitate the collection and analysis of data at the moment of the action. Data must be gathered from different applications that are working within different environments, transactions must be screened, the transaction environment has to be analyzed to detect trends and exceptions, and atypical patterns (e.g., a transaction with a significantly higher or lower value than is typical for a given business partner) must be exposed. If all of this must happen in real time, perhaps even before final sign-off of a transaction, it is mandatory to adopt and combine various top-level IT techniques. The IT environment is a natural enabler for the application of continuous auditing, because of the intrinsically automated nature of its underlying processes.

Continuous accounting aims at providing a more secure platform to avoid fraud and a real-time process aimed at ensuring a high level of financial control.

Prerequisites/preconditions for continuous auditing to succeed include:
• A high degree of automation
• An automated and highly reliable process for producing information about the subject matter soon after the occurrence of the events underlying the subject matter
• Alarm triggers to report control failures in a timely manner
• Implementation of highly automated audit tools that require the IS auditor to be involved in setting up the parameters
• Quickly informing IS auditors of the results of automated procedures, particularly when the process has identified anomalies or errors
• The quick and timely issuance of automated audit reports
• Technically proficient IS auditors
• Availability of reliable sources of evidence
• Adherence to materiality guidelines
• A change of mindset required for IS auditors to embrace continuous reporting
• Evaluation of cost factors


Simpler continuous auditing and monitoring tools are already built into many ERP packages and most operating system and network security packages. These environments, if appropriately configured and populated with rules, parameters and formulas, can output exception lists upon request while operating against actual data. Therefore, they represent an instance of continuous auditing. The difficult but significant added value in using these features is that they require a definition of what constitutes a "dangerous" or exception condition. For instance, whether a set of granted IS access permissions is to be deemed risk-free or not will depend on having well-defined segregation-of-duties rules. On the other hand, it may be much harder to decide whether a given sequence of steps, taken to modify and maintain a database record, points to a potential risk.
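Two of the exception conditions mentioned in this section, a transaction whose value is far from what is typical for a given business partner (section 1.7.3 above) and a set of granted permissions that violates well-defined segregation-of-duties rules (the paragraph above), can both be written as rules that turn actual data into an exception list. The following is an added example, not code from the manual or from any ERP or security package; the rule set, user entitlements and transactions are constructed for the illustration. The amount check compares each transaction against the partner's other transactions rather than against a history that includes the transaction itself, so a single large item cannot mask itself by inflating the mean and standard deviation it is judged against.

```python
import statistics
from typing import Dict, List, Set, Tuple

# Constructed sample data; none of it comes from a real system.

# Segregation-of-duties rule set: entitlements one user must not hold together.
SOD_RULES: List[Tuple[str, str]] = [
    ("create_vendor", "approve_payment"),
    ("modify_code", "deploy_to_production"),
    ("enter_journal", "approve_journal"),
]

# Granted permissions as exported from a hypothetical ERP/security package.
GRANTED: Dict[str, Set[str]] = {
    "alice": {"create_vendor", "enter_journal"},
    "bob": {"approve_payment", "approve_journal"},
    "carol": {"create_vendor", "approve_payment"},                  # SoD conflict
    "dave": {"modify_code", "deploy_to_production", "read_logs"},   # SoD conflict
}

# (transaction id, business partner, amount). T5 is far above ACME's usual value.
TRANSACTIONS: List[Tuple[str, str, float]] = [
    ("T1", "ACME", 1000.0), ("T2", "ACME", 1100.0), ("T3", "ACME", 950.0),
    ("T4", "ACME", 1050.0), ("T5", "ACME", 12000.0),
    ("T6", "Globex", 500.0), ("T7", "Globex", 520.0),
    ("T8", "Globex", 490.0), ("T9", "Globex", 510.0),
]


def sod_exceptions(granted: Dict[str, Set[str]], rules: List[Tuple[str, str]]):
    """Users holding both halves of any conflicting pair."""
    found = []
    for user, perms in sorted(granted.items()):
        for a, b in rules:
            if a in perms and b in perms:
                found.append((user, a, b))
    return found


def amount_exceptions(transactions, z_threshold: float = 3.0, min_history: int = 3):
    """Transactions whose value is atypical for their business partner.

    Each transaction is scored against the partner's other transactions
    (leave-one-out z-score); partners with too little history are skipped.
    """
    by_partner: Dict[str, List[Tuple[str, float]]] = {}
    for tid, partner, amount in transactions:
        by_partner.setdefault(partner, []).append((tid, amount))
    flagged = []
    for partner, items in by_partner.items():
        for tid, amount in items:
            history = [a for t, a in items if t != tid]
            if len(history) < min_history:
                continue  # not enough history to call anything atypical
            mean = statistics.mean(history)
            sd = statistics.pstdev(history)
            if sd == 0.0:
                if amount != mean:  # constant history: any deviation is atypical
                    flagged.append((tid, partner, amount, float("inf")))
                continue
            z = (amount - mean) / sd
            if abs(z) >= z_threshold:
                flagged.append((tid, partner, amount, round(z, 2)))
    return flagged


def exception_list(granted=GRANTED, rules=SOD_RULES, transactions=TRANSACTIONS):
    """The exception report a continuous audit run would hand to the IS auditor."""
    return {
        "segregation_of_duties": sod_exceptions(granted, rules),
        "atypical_amounts": amount_exceptions(transactions),
    }
```

Running exception_list() on the constructed data reports carol and dave for segregation-of-duties conflicts and T5 as an atypical amount; alice and bob hold one half of a conflicting pair each and are not reported. The rule set is the part that has to be agreed with management before the output means anything, which is the point made in the paragraph above.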

IT techniques that are used to operate in a continuous auditing environment must work at all data levels (single input, transaction and databases) and include:
• Transaction logging
• Query tools
• Statistics and data analysis (CAATs)
• Database management systems (DBMS)
• Data warehouses, data marts, data mining
• AI
• Embedded audit modules (EAM)
• Neural network technology
• Standards such as Extensible Business Reporting Language (XBRL)

AI software may be utilized to automate the expert evaluation processes and allow for flexibility and dynamic analysis capabilities. The configuration and application of expert rules may also be outsourced, allowing for external assurance on demand.

Full continuous auditing processes have to be carefully built into applications and work in layers. The auditing tools must operate in parallel to normal processing, capturing real-time data, extracting standardized profiles or descriptors, and passing the result to the auditing layers. At the top layer, the AI or neural network software must be capable of fetching all needed elements and drawing an opinion, eventually selecting and activating other sources.

Continuous auditing has an intrinsic edge over point-in-time or periodic auditing, because it captures internal control problems as they occur, preventing negative effects. Implementation can also reduce possible or intrinsic audit inefficiencies, such as delays, planning time, inefficiencies of the audit process, overheads due to work segmentation, multiple quality or supervisory reviews, or discussions concerning the validity of findings.

Full top management support, dedication, and extensive experience and technical knowledge are necessary to do all this while minimizing the impact on the underlying audited business processes. The auditing layers and rules may also need continual adjustment and updating. Besides difficulty and cost, continuous auditing has an inherent disadvantage in that internal control experts and auditors might be reluctant to trust an automated tool in lieu of their personal judgment and evaluation.

The implementation of continuous auditing involves many factors; however, the task is not impossible. There is an increasing desire to provide auditing over information in a real-time environment (or as close to real time as possible).

With time and effort, continuous auditing can become a reality.


1.8 CHAPTER 1 CASE STUDY

1.8.1 CASE STUDY SCENARIO

The IS auditor has been asked to perform preliminary work that will assess the readiness of the organization for a review to measure compliance with new regulatory requirements. These requirements are designed to ensure that management is taking an active role in setting up and maintaining a well-controlled environment and, accordingly, will assess management's review and testing of the general IT control environment. Areas to be assessed include logical and physical security, change management, production control and network management, IT governance, and end-user computing. The IS auditor has been given six months to perform this preliminary work, so sufficient time should be available. It should be noted that in previous years, repeated problems have been identified in the areas of logical security and change management, so these areas will most likely require some degree of remediation. Logical security deficiencies noted included the sharing of administrator accounts and failure to enforce adequate controls over passwords. Change management deficiencies included improper segregation of incompatible duties and failure to document all changes. Additionally, the process for deploying operating system updates to servers was found to be only partially effective. In anticipation of the work to be performed by the IS auditor, the chief information officer (CIO) requested direct reports to develop narratives and process flows describing the major activities for which IT is responsible. These were completed, approved by the various process owners and the CIO, and then forwarded to the IS auditor for examination.

1.8.2 CASE STUDY QUESTIONS

1. What should the IS auditor do FIRST?

A. Perform an IT risk assessment.
B. Perform a survey audit of logical access controls.
C. Revise the audit plan to focus on risk-based auditing.
D. Begin testing controls that the IS auditor feels are most critical.

2. When testing program change management, how should the sample be selected?

A. Change management documents should be selected at random and examined for appropriateness.
B. Changes to production code should be sampled and traced to appropriate authorizing documentation.
C. Change management documents should be selected based on system criticality and examined for appropriateness.
D. Changes to production code should be sampled and traced back to system-produced logs indicating the date and time of the change.


1.8.3 ANSWERS TO CASE STUDY QUESTIONS

1. A An IT risk assessment should be performed first to ascertain which areas present the greatest risks and what controls mitigate those risks. Although narratives and process flows have been created, the organization has not yet assessed which controls are critical. All other choices would be undertaken after performing the IT risk assessment.

2. B When testing a control, it is advisable to trace from the item being controlled to the relevant control documentation. When a sample is instead chosen from a set of control documents, there is no way to assure that every change was accompanied by appropriate control documentation. Accordingly, changes to production code provide the most appropriate basis for selecting a sample. These sampled changes should then be traced to appropriate authorizing documentation. In contrast, selecting from the population of change management documents will not reveal any changes that bypassed the normal approval and documentation process. Similarly, comparing production code changes to system-produced logs will not provide evidence of proper approval of changes prior to their being migrated to production.
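The direction of tracing matters because it decides which population the sample is drawn from. The following is an added example, not code from the manual; the deployment log, change tickets, object names and user names are constructed for the illustration. Starting from the production deployment log (choice B) and tracing each change to its ticket surfaces an undocumented change, an unapproved change and a self-approved change; starting from the tickets (choices A and C) can only ever reach changes that have a ticket, so the undocumented one is invisible by construction.

```python
import random
from typing import Dict, List, Optional

# Constructed sample data; not from any real system.

# Population of production code changes, as recorded by the deployment tooling.
DEPLOYMENTS: List[Dict] = [
    {"deploy_id": "D-101", "object": "AR_POST.cbl",   "deployed_by": "dev_ann", "ticket": "CHG-2001"},
    {"deploy_id": "D-102", "object": "AR_AGING.cbl",  "deployed_by": "dev_bob", "ticket": "CHG-2002"},
    {"deploy_id": "D-103", "object": "AR_POST.cbl",   "deployed_by": "dev_bob", "ticket": None},  # bypassed the process
    {"deploy_id": "D-104", "object": "AR_INV.cbl",    "deployed_by": "dev_ann", "ticket": "CHG-2003"},
    {"deploy_id": "D-105", "object": "AR_CREDIT.cbl", "deployed_by": "dev_cat", "ticket": "CHG-2004"},
]

# Change management documents (the control evidence).
TICKETS: Dict[str, Dict] = {
    "CHG-2001": {"object": "AR_POST.cbl",   "requested_by": "dev_ann", "approved_by": "mgr_lee"},
    "CHG-2002": {"object": "AR_AGING.cbl",  "requested_by": "dev_bob", "approved_by": "mgr_lee"},
    "CHG-2003": {"object": "AR_INV.cbl",    "requested_by": "dev_ann", "approved_by": None},      # never approved
    "CHG-2004": {"object": "AR_CREDIT.cbl", "requested_by": "dev_cat", "approved_by": "dev_cat"}, # self-approved
    "CHG-2005": {"object": "AR_REPORT.cbl", "requested_by": "dev_ann", "approved_by": "mgr_lee"}, # approved, not deployed
}


def trace_to_authorization(dep: Dict, tickets: Dict[str, Dict]) -> Optional[str]:
    """Trace one production change to its document; None if properly authorized."""
    tid = dep["ticket"]
    if tid is None or tid not in tickets:
        return "no change document"
    t = tickets[tid]
    if t["object"] != dep["object"]:
        return "document covers a different object"
    if not t["approved_by"]:
        return "change not approved"
    if t["approved_by"] in (t["requested_by"], dep["deployed_by"]):
        return "approver not independent of requester/deployer"
    return None


def trace_sample_of_production_changes(deployments, tickets, sample_size=None, seed=7):
    """Choice B: select from the population of production changes, trace each one.

    With sample_size=None every change is traced (a full-population test);
    the seed only fixes the order of a random sample for reproducibility.
    """
    rng = random.Random(seed)
    n = len(deployments) if sample_size is None else min(sample_size, len(deployments))
    sample = rng.sample(deployments, n)
    return {d["deploy_id"]: trace_to_authorization(d, tickets) for d in sample}


def changes_visible_from_documents(deployments, tickets) -> List[str]:
    """Choices A/C: a selection that starts from change documents can only
    reach production changes that reference a document."""
    return sorted(d["deploy_id"] for d in deployments if d["ticket"] in tickets)
```

On the constructed data, D-103 appears in the results only when the population is the deployment log; CHG-2005, an approved ticket with no deployment, is not an exception for this test, though it may be of interest to a completeness test that starts from the other side.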


1.9 PRACTICE QUESTIONS

1. In performing a risk-based audit, which risk assessment is completed initially by the IS auditor?

A. Detection risk assessment
B. Control risk assessment
C. Inherent risk assessment
D. Fraud risk assessment

2. Which of the following types of audit risk assumes an absence of compensating controls in the area being reviewed?

A. Control risk
B. Detection risk
C. Inherent risk
D. Sampling risk

3. While developing a risk-based audit program, on which of the following would the IS auditor MOST likely focus?

A. Business processes
B. Critical IT applications
C. Operational controls
D. Business strategies

4. The GREATEST drawback in using an integrated test facility is the need to:

A. isolate test data from production data.
B. notify user personnel so they can make adjustments to output.
C. segregate specific master file records.
D. collect transaction and master file records in a separate file.

5. To meet predefined criteria, which of the following continuous audit techniques would BEST identify transactions to audit?

A. Systems Control Audit Review File and Embedded Audit Modules (SCARF/EAM)
B. Continuous and intermittent simulation (CIS)
C. Integrated test facilities (ITF)
D. Audit hooks

6. Which of the following BEST describes the early stages of an IS audit?

A. Observing key organizational facilities
B. Assessing the IS environment
C. Understanding the business process and environment applicable to the review
D. Reviewing prior IS audit reports


7. An IS auditor is conducting substantive audit tests of a new accounts receivable module. The IS auditor has a tight schedule and limited computer expertise. Which would be the BEST audit technique to use in this situation?

A. Test data
B. Parallel simulation
C. Integrated test facility
D. Embedded audit module

8. The PRIMARY use of generalized audit software (GAS) is to:

A. test controls embedded in programs.
B. test unauthorized access to data.
C. extract data of relevance to the audit.
D. reduce the need for transaction vouching.

9. An IS auditor performing a review of an application's controls finds a weakness in system software that could materially impact the application. The IS auditor should:

A. disregard these control weaknesses, as a system software review is beyond the scope of this review.
B. conduct a detailed system software review and report the control weaknesses.
C. include in the report a statement that the audit was limited to a review of the application's controls.
D. review the system software controls as relevant and recommend a detailed system software review.

10. Which of the following is MOST effective for implementing a control self-assessment (CSA) within business units?

A. Informal peer reviews
B. Facilitated workshops
C. Process flow narratives
D. Data flow diagrams


1.10 ANSWERS TO PRACTICE QUESTIONS

1. C Inherent risks exist independently of an audit and can occur because of the nature of the business. To successfully conduct an audit, it is important to be aware of the related business processes. To perform the audit, the IS auditor needs to understand the business process and, by understanding the business process, the IS auditor better understands the inherent risks.

2. C The risk that an error exists that could be material or significant when combined with other errors encountered during the audit, assuming there are no related compensating controls, is the inherent risk. Control risk is the risk that a material error exists that will not be prevented or detected in a timely manner by the system of internal controls. Detection risk is the risk that an IS auditor using an inadequate test procedure concludes that material errors do not exist, when they do. Sampling risk is the risk that incorrect assumptions are made about the characteristics of a population from which a sample is taken.

3. A A risk-based audit approach focuses on understanding the nature of the business and being able to identify and categorize risk. Business risks impact the long-term viability of a specific business. Thus, an IS auditor using a risk-based audit approach must be able to understand business processes.

4. A The test entries in an ITF can affect the live data, as testing in an ITF involves the processing of test data on live programs. Choices B, C and D, although issues associated with an ITF, are not as important as the primary requirement to separate test data from production data.

5. B Continuous and intermittent simulation (CIS) is a moderately complex set of programs that, during a process run of a transaction, simulates the instruction execution of its application. As each transaction is entered, the simulator decides whether the transaction meets certain predetermined criteria and, if so, audits the transaction. If not, the simulator waits until it encounters the next transaction that meets the criteria. Audit hooks, which are of low complexity, focus on specific conditions instead of detailed criteria in identifying transactions for review. ITF is incorrect because its focus is on test vs. live data. SCARF/EAM focuses on controls vs. data.

6. C Understanding the business process and environment applicable to the review is most representative of what occurs early on in the course of an audit. The other choices relate to activities actually occurring within this process.

7. A Test data use a set of hypothetical transactions to verify the program logic and internal control in a short time and for an auditor with minimal IT background. In a parallel simulation, the results produced by an actual program are compared with the results from a program written for the IS auditor; this technique can be time-consuming and requires IT expertise. An integrated test facility enables test data to be continually evaluated when transactions are processed online; this technique is time-consuming and requires IT expertise. An embedded audit module is a programmed module that is inserted into an application program to test controls; this technique is time-consuming and requires IT expertise.


8. C Generalized audit software facilitates the IS auditor to directly access and interrogate the data. The most important advantage of using GAS is that it helps in identifying data of interest to the IS auditor. GAS does not involve testing of application software directly. Hence, GAS helps in testing controls embedded in programs indirectly by testing data. GAS cannot identify unauthorized access to data if this information is not stored in the audit log file. However, this information may not always be available. Hence, this is not one of the primary reasons for using GAS. Vouching involves verification of documents. GAS could help in selecting transactions for vouching. Using GAS does not reduce transaction vouching.

9. D The IS auditor is not expected to ignore control weaknesses just because they are outside the scope of a current review. Further, the conduct of a detailed systems software review may hamper the audit's schedule and the IS auditor may not be technically competent to do such a review at this time. If there are control weaknesses that have been discovered by the IS auditor, they should be disclosed. By issuing a disclaimer, this responsibility would be waived. Hence, the appropriate option would be to review the systems software as relevant to the review and recommend a detailed systems software review for which additional resources may be recommended.

10. B Facilitated workshops work well within business units. Process flow narratives and data flow diagrams would not be as effective, since they would not necessarily identify and assess all control issues. Informal peer reviews similarly would be less effective for the same reason.
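As an added illustration that is not part of the manual, the CAATs contrasted in answers 5, 7 and 8 can be shown side by side: a parallel simulation that runs the same test data through a constructed production routine and the auditor's independently written program, and a CIS-style embedded hook that audits only the transactions meeting predetermined criteria. The discount rule, its threshold, the audit criteria and the transactions are all constructed assumptions.

```python
from dataclasses import dataclass
from decimal import Decimal
from typing import List, Optional, Tuple

# Constructed transaction record used throughout (not taken from the manual).
@dataclass(frozen=True)
class Txn:
    txn_id: str
    amount: Decimal
    approved_by: Optional[str]

def production_net(txn: Txn) -> Decimal:
    """Stand-in for the live application. The documented rule is a 2% discount
    strictly ABOVE 10,000; this constructed version uses >= by mistake."""
    if txn.amount >= Decimal("10000"):
        return (txn.amount * Decimal("0.98")).quantize(Decimal("0.01"))
    return txn.amount

def auditor_net(txn: Txn) -> Decimal:
    """The IS auditor's own program for parallel simulation, written from the
    documented rule (discount only strictly above 10,000)."""
    if txn.amount > Decimal("10000"):
        return (txn.amount * Decimal("0.98")).quantize(Decimal("0.01"))
    return txn.amount

def parallel_simulation(txns: List[Txn]) -> List[str]:
    """Feed identical input to both programs; return the ids whose results differ."""
    return [t.txn_id for t in txns if production_net(t) != auditor_net(t)]

def cis_process(txns: List[Txn], limit: Decimal = Decimal("10000")) -> Tuple[List[Decimal], List[Tuple[str, str]]]:
    """Continuous and intermittent simulation: as each live transaction is
    processed, the embedded hook checks predetermined criteria and logs only
    the matches; every transaction is still processed normally."""
    results, audit_log = [], []
    for t in txns:
        results.append(production_net(t))
        if t.approved_by is None:
            audit_log.append((t.txn_id, "no approver"))
        elif t.amount >= limit:
            audit_log.append((t.txn_id, "amount at/above limit"))
    return results, audit_log

# Constructed test data: boundary values around the threshold exercise the rule.
TEST_DATA = [
    Txn("T1", Decimal("9999.99"), "alice"),
    Txn("T2", Decimal("10000.00"), "alice"),   # boundary: the two programs disagree here
    Txn("T3", Decimal("10000.01"), None),
    Txn("T4", Decimal("250.00"), "bob"),
]

if __name__ == "__main__":
    print("parallel simulation mismatches:", parallel_simulation(TEST_DATA))
    print("CIS audit log:", cis_process(TEST_DATA)[1])
```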


1.11 SUGGESTED RESOURCES FOR REFERENCE

Bakshi, Sunil; "Control Self-assessment for Information and Related Technology," Information Systems Control Journal, vol. 1, 2004, p. 55-62

Bank for International Settlements, Basel Committee on Banking Supervision, Risk Management Principles for Electronic Banking, Switzerland, May 2001

Barbin, Douglas; John Patzakis; "Computer Forensics Emerges as an Integral Component of an Enterprise Information Assurance Program," Information Systems Control Journal, vol. 3, 2002, p. 25-27

Bayuk, Jennifer L.; Stepping Through the IS Audit, 2nd Edition, ISACA, USA, 2004

Bek, Jon; "ZFPAudit: A Computer-assisted Audit Tool for Evaluation of Microsoft Operating Systems," Information Systems Control Journal, vol. 1, 2004, p. 34-37

Bhatia, Mohan; "New Basel Accord: Operational Risk Management-Emerging Frontiers for the Profession," Information Systems Control Journal, vol. 1, 2002, p. 37-42

Blanco, Luis; "Audit Trails in an E-commerce Environment," Information Systems Control Journal, vol. 5, 2002, p. 32-35

Bunker, Eva; "Optimizing an Organization's Security Effectiveness by Using Vulnerability Management to Support the Audit Function," Information Systems Control Journal, vol. 4, 2003, p. 28-30

Cerullo, Michael J.; M. Virginia Cerullo; "Using Neural Network Software as a Forensic Accounting Tool," Information Systems Control Journal, vol. 2, 2006, p. 33-37

Cerullo, Michael J.; M. Virginia Cerullo; "How the New Standards and Regulations Affect an Auditor's Assessment of Compliance With Internal Controls," Information Systems Control Journal, vol. 4, 2005

Cerullo, Michael J.; M. Virginia Cerullo; "Impact of SAS No. 94 on Computer Audit Techniques," Information Systems Control Journal, vol. 1, 2003, p. 53-57

Champlain, Jack J.; Auditing Information Systems, 2nd Edition, John Wiley & Sons Inc., USA, 2003

Champlain, Jack; Practical IT Auditing, Warren Gorham & Lamont, USA, 2002 Edition with 2005 Supplement

Cilli, Claudio; "IT Governance: Why a Guideline?," Information Systems Control Journal, vol. 3, 2003, p. 22-24

Coderre, David G.; CAATTs and Other BEASTs for Auditors, 3rd Edition, Ekaros Analytical Inc., British Columbia, 2005

Comptroller of the Currency Administration of National Banks, Large Bank Supervision-Comptroller's Handbook, USA, May 2001

Davis, Robert E.; IT Auditing: The Process, Pleier Corporation, USA, 2005

Denker, Bob; "Analysis Software for Auditors and Management," Information Systems Control Journal, vol. 1, 2001, p. 25-26

Note: Publications in bold are stocked in the ISACA Bookstore. Information Systems Control Journal articles are available at www.isaca.org/archives. The articles are available online to ISACA members only during their first year of release, and then are opened to the public. All referenced Journal articles are available on the CISA Review Questions, Answers and Explanations CD-ROM 2007.


Dodds, Ruppert; "How Does Information Security Fit Into a Governance Framework," Information Systems Control Journal, vol. 4, 2005, www.isaca.org/journal

Doughty, Ken; John O'Driscoll; "Information Technology Auditing and Facilitated Control Self-assurance," Information Systems Control Journal, vol. 4, 2002, p. 33-38

Echenique Garcia, Jose Antonio; Auditoria en informatica, 2a. Edicion, McGraw Hill, Mexico, 2002

Frownfelter-Lohrke, Cynthia; James E. Hunton; "New Opportunities for Information System Auditors: Linking SysTrust to COBIT," Information Systems Control Journal, vol. 3, 2002, p. 45-48

Gallegos, Frederick; "Due Professional Care," Information Systems Control Journal, vol. 2, 2002, p. 25-28

Gallegos, Frederick; "Maintaining IT Audit Proficiency-The Role of Professional Development Planning," Information Systems Control Journal, vol. 6, 2002, p. 20-23

Garside, T.; C. Pedersen; "Basel II Prompts Strategic Rethinks," Euromoney, December 2002

Grembergen, Wim Van; Steven De Haes; "COBIT's Management Guidelines Revisited: The KGIs/KPIs Cascade," Information Systems Control Journal, vol. 6, 2005, p. 54-56

Hall, James A.; Tommie Singleton; Information Technology Auditing and Assurance, 2nd Edition, Thomson South-Western, USA, 2005

Hamaker, Stacey; "Enterprise Governance and the Role of IT," Information Systems Control Journal, vol. 6, 2005, p. 27-30

Hardy, Gary; Erik Guldentops; "COBIT 4.0: The New Face of COBIT," Information Systems Control Journal, vol. 6, 2005, p. 35-38

Heschl, Jimmy; "COBIT in Relation to Other International Standards," Information Systems Control Journal, vol. 4, 2004, p. 37-40

Hoskinson, Clayton; "Data Hiding," Information Systems Control Journal, vol. 3, 2002, p. 28-32

ISACA, IS Auditing Procedure No. 1, IS Risk Assessment Measurement, USA, 2002

ISACA, IS Auditing Standard S6 Performance of Audit Work, USA, 2005

ISACA, IS Auditing Standard, 04 Evidence, USA, 2005

ISACA, IS Standards, Guidelines and Procedures for Auditing and Control Professionals, USA, 2006, www.isaca.org/standards

International Federation of Accountants, Handbook of International Auditing, Assurance, and Ethics Pronouncements, 2003, www.ifac.org

International Organization for Standardization and International Electrotechnical Commission (IEC), Information Technology-Guidelines for the Management of IT Security (TR 13335-1), Subcommittee 27, Working Group 1, 1996


IT Governance Institute, COBIT 4.0, USA, 2005


IT Governance Institute, IT Control Objectives for Sarbanes-Oxley, USA, 2004, www.isaca.org/sarbanes-oxley

Krist, Martin A.; Standard for Auditing Computer Applications, Auerbach, USA, 1999

Lanza, Richard B.; "How to Use a New Computer Audit-fraud Prevention and Detection Tool," Information Systems Control Journal, vol. 1, 2004, p. 63-66

Lux, Allen G.; Sandra Fitiani; "Fighting Internal Crime Before It Happens," Information Systems Control Journal, vol. 3, 2002, p. 50-51

Mark, Robert; "Finding a Best-practices Method for Measuring Operational Risk," Worldfinance, vol. 12, issue 2, 2000

McNamee, David; Business Risk Assessment, The Institute of Internal Auditors, USA, 1998, www.theiia.org

Mookhey, K.K.; "Open Source Tools for Security and Control Assessment," Information Systems Control Journal, vol. 1, 2004, p. 39-44

Musaji, Yusuf; "A Holistic Definition of IT Security-Part 1," Information Systems Control Journal, vol. 3, 2006, p. 43-46

Musaji, Yusuf; "A Holistic Definition of IT Security-Part 2," Information Systems Control Journal, vol. 4, 2006, p. 51-56

Musaji, Yusuf; "Sarbanes-Oxley and Business Process Outsourcing Risk," Information Systems Control Journal, vol. 5, 2005, p. 47-49

Muthukrishnan, Ravi; "The Auditor's Prerogative to Review Internal Controls," Information Systems Control Journal, vol. 2, 2004, p. 54-56

Niblett, Peter; Sander S. Wechsler; "The IS Auditor's Consideration of Irregularities and Illegal Acts," Information Systems Control Journal, vol. 3, 2003, p. 56-59

Nolan, John; "Best Practices for Establishing an Effective Workplace Policy for Acceptable Computer Usage," Information Systems Control Journal, vol. 6, 2005, p. 32-34

Pareek, Mukul; "Optimizing Controls to Test as Part of a Risk-based Audit Strategy," Information Systems Control Journal, vol. 2, 2006, p. 39-41

Parker, Xenia Ley; Information Technology Audits, 2006 Edition, CCH, USA, 2006

Pidanick, Ryan; "An Investigation of Computer Forensics," Information Systems Control Journal, vol. 3, 2004, p. 47-51

Pinkett, Fred; "Automating System Security Audits," Information Systems Control Journal, vol. 1, 2004, p. 45-46

Public Company Accounting Oversight Board, Auditing Standard No. 2, "An Audit of Internal Control Over Financial Reporting Conducted in Conjunction With an Audit of Financial Statements," USA, 2004

Rafeq, A.; "Using COBIT for IT Control Health Check-up," Information Systems Control Journal, vol. 5, 2005, p. 18-19


Ross, Steven J.; "Falling Off the Truck," Information Systems Control Journal, vol. 3, 2006, p. 9-10

Sarup, Deepak; "Watchdog or Bloodhound? The Push and Pull Toward a New Audit Model," Information Systems Control Journal, vol. 1, 2004, p. 23-26

Sarva, Srinivas; "Continuous Auditing Through Leveraging Technology," Information Systems Control Journal, vol. 2, 2006, p. 47-50

Sayana, S. Anantha; "Auditing IT Service Delivery," Information Systems Control Journal, vol. 5, 2005, p. 13-14

Sayana, S. Anantha; "Using CAATs to Support IS Audit," Information Systems Control Journal, vol. 1, 2003, p. 21-23

Senft, Sandra; Daniel P. Manson; Carol Gonzales; Frederick Gallegos; Information Technology Control and Audit, 2nd Edition, Auerbach, USA, 2004

Shue, Lily; "Guidance on Tax Compliance for Business and Accounting Software and SAF-T," Information Systems Control Journal, vol. 2, 2006, p. 31-32

Singleton, Tommie W.; "What Every IT Auditor Should Know About Cyberforensics," Information Systems Control Journal, vol. 1, 2006, p. 17-19

Solís Montes, Gustavo Adolfo; Reingeniería de la Auditoría Informática, Editorial Trillas (Spanish only), Mexico, 2002

Sparks, Harry A.; "Getting Action on Audit Results," Information Systems Control Journal, vol. 6, 2003, p. 37-40

Stein, Douglas M.; Vairam Arunachalam; Larry E. Rittenberg; "Electronic Commerce System Sophistication and the Audit Process: Insights from Information Systems Auditors," Information Systems Control Journal, vol. 1, 2001, p. 33-38

Unwula, Huzeifa; "Return on Information Technology," Information Systems Control Journal, vol. 2, 2004, p. 51-53

Van Grembergen, Wim; Steven De Haes; Jan Moons; "IT Governance: Linking Business Goals to IT Goals and COBIT Processes," Information Systems Control Journal, vol. 4, 2005

Wakefield, Robin; "Auditor Due Care in E-commerce," Information Systems Control Journal, vol. 5, 2002, p. 41-42

Williams, Paul; "Continuous Auditing: Is It Fantasy or Reality?," Information Systems Control Journal, vol. 5, 2002, p. 43-46

Wikimedia Foundation, "ACID (Atomicity, Consistency, Isolation and Durability)," Wikipedia, www.wikipedia.org/wiki/ACID
