CISA Myself Prepare
Short Description
NA...
Description
COBIT®, CISA®, CISM®, CRISC® and CGEIT® are registered trademarks of ISACA.
Start and finish
Course style
Coffee and breaks
Lunch
M00 - Course introduction
2/8 | 2/623
Introduction to CISA certification The role do CISA Understanding the IT Audit terms, concepts and activities Understanding of ISACA IS Audit and Assurance Guidelines Presenting business value and requirements of IT Audit Main goal Preparing students to CISA exam Secondary goal Awareness of IT Audit best practices M00 - Course introduction
3/8 | 3/623
Please share with the class: Your name and surname Your organization Your profession (title, function, job responsibilities) Your experience with the ITSM/ITIL/InfoSec/IT Audit Your personal session expectations
M00 - Course introduction
4/8 | 4/623
CISA Review Manual 2016
Knowledge and experience from IT Audit, GRC on CISA exam is validated against knowledge and way of thinking presented in this manual M00 - Course introduction
CISA® Review Manual cover, copyright © ISACA.
Pages: 468 Published: 2015 Publisher: ISACA Format: Softcover ISBN-13: 978-1604203677
5/8 | 5/623
M00 - Course introduction
6/8 | 6/623
quizlet.com/42740590/
M00 - Course introduction
7/8 | 7/623
Mirosław Dąbrowski Agile Coach, Trainer, Consultant (former JEE/PHP developer, UX/UI designer, BA/SA)
Creator
linkedin.com/in/miroslawdabrowski google.com/+miroslawdabrowski twitter.com/mirodabrowski miroslaw_dabrowski Writer / Translator
• Creator of 50+ mind maps from PPM and related • Product Owner of biggest Polish project topics (2mln views): miroslawdabrowski.com management portal: 4PM: 4pm.pl (15.000+ views • Lead author of more than 50+ accredited materials each month) from PRINCE2, PRINCE2 Agile, MSP, MoP, P3O, ITIL, • Editorial Board Member of Official PMI Poland M_o_R, MoV, PMP, Scrum, AgilePM, DSDM, CISSP, Chapter magazine: “Strefa PMI”: strefapmi.pl CISA, CISM, CRISC, CGEIT, TOGAF, COBIT5 etc. • Official PRINCE2 Agile, AgilePM, ASL2, BiSL methods • Creator of 50+ interactive mind maps from PPM translator for Polish language topics: mindmeister.com/users/channel/2757050
Agile Coach / Scrum Master • 8+ years of experience with Agile projects as a Scrum Master, Product Owner and Agile Coach • Coached 25+ teams from Agile and Scrum • Agile Coach coaching C-level executives • Scrum Master facilitating multiple teams experienced with UX/UI + Dev teams • Experience multiple Agile methods • Author of AgilePM/DSDM Project Health Check Questionnaire (PHCQ) audit tool
Trainer / Coach • English speaking, international, independent trainer and coach from multiple domains. • Master Lead Trainer • 11+ years in training and coaching / 15.000+ hours • 100+ certifications • 5000+ people trained and coached • 25+ trainers trained and coached linkedin.com/in/miroslawdabrowski
PM / IT architect
Notable clients
• Dozens of mobile and ecommerce projects • IT architect experienced in IT projects with budget above 10mln PLN and timeline of 3+ years • Experienced with (“traditional”) projects under high security, audit and compliance requirements based on ISO/EIC 27001 • 25+ web portal design and development and mobile application projects with iterative, incremental and adaptive approach
ABB, AGH, Aiton Caldwell, Asseco, Capgemini, Deutsche Bank, Descom, Ericsson, Ericpol, Euler Hermes, General Electric, Glencore, HP Global Business Center, Ideo, Infovide-Matrix, Interia, Kemira, Lufthansa Systems, Media-Satrun Group, Ministry of Defense (Poland), Ministry of Justice (Poland), Nokia Siemens Networks, Oracle, Orange, Polish Air Force, Proama, Roche, Sabre Holdings, Samsung Electronics, Sescom, Scania, Sopra Steria, Sun Microsystems, Tauron Polish Energy, Tieto, University of Wroclaw, UBS Service Centre, Volvo IT… miroslawdabrowski.com/about-me/clients-and-references/
Accreditations/certifications (selected): CISA, CISM, CRISC, CASP, Security+, Project+, Network+, Server+, Approved Trainer: (MoP, MSP, PRINCE2, PRINCE2 Agile, M_o_R, MoV, P3O, ITIL Expert, RESILIA), ASL2, BiSL, Change Management, Facilitation, Managing Benefits, COBIT5, TOGAF 8/9L2, OBASHI, CAPM, PSM I, SDC, SMC, ESMC, SPOC, AEC, DSDM Atern, DSDM Agile Professional, DSDM Agile Trainer-Coach, AgilePM, OCUP Advanced, SCWCD, SCBCD, SCDJWS, SCMAD, ZCE 5.0, ZCE 5.3, MCT, MCP, MCITP, MCSE-S, MCSA-S, MCS, MCSA, ISTQB, IQBBA, REQB, CIW Web Design / Web Development / Web Security Professional, Playing Lean Facilitator, DISC D3 Consultant, SDI Facilitator, Certified Trainer Apollo 13 ITSM Simulation …
M00 - Course introduction
www.miroslawdabrowski.com
8/8 | 8/623
1. Overview of the CISA certification 2. Domain 1 - The Process of Auditing Information Systems 3. Domain 2 - Governance and Management of IT 4. Domain 3 - Information Systems Acquisition, Development, and Implementation 5. Domain 4 - Information Systems Operations, Maintenance and Service Management 6. Domain 5 - Protection of Information Assets M01 - Overview of the CISA certification
2/9 | 10/623
Domain 1 The Process of Auditing Information Systems
Domain 2 Governance and Management of IT
Domain 3 Information Systems Acquisition, Development, and Implementation
Domain 4 Information Systems Operations, Maintenance and Support
Domain 5 Protection of Information Assets
M01 - Overview of the CISA certification
3/9 | 11/623
CISA is the only globally recognized certification in the area of audit, controls and security of information systems and is – in view of the stringent and globally identical requirements - internationally recognized The CISA job profile has so far been consistently revised in 4 to 6 year intervals (the last time in 2010)
M01 - Overview of the CISA certification
The technical skills and practices the CISA certification promotes and evaluates are the building blocks of success in this growing field, and the CISA designation demonstrates proficiency in this role
Certification lunched: 1981 Number of certified: 106,000 4/9 | 12/623
CISA exam questions are developed with the intent of measuring and testing practical knowledge and the application of general concepts and standards. PBE & CBE (only pencil & eraser are allowed) 4 hour exam 200 multiple choice questions designed with one best answer No negative points No pre-requisite for exam (only for attending to exam)
M01 - Overview of the CISA certification
5/9 | 13/623
Must ISACA IT Audit and Assurance Standards and Guidelines ISACA CISA official glossary ISACA CISA Item Development Guide ISACA CISA QAE Item Development Guide
Should ISACA CISA Review Manual ISACA Risk IT Framework / ISACA The Risk IT Practitioner Guide
Could COBIT 5 publications CISA Essential Exam Notes M01 - Overview of the CISA certification
6/9 | 14/623
Candidate who pass the CISA exam are not automatically CISA -certified / qualified and cannot use the CISA designation All current requirements are present in official CISA ”Application for CISA Certification” document: www.isaca.org/cisaapp
M01 - Overview of the CISA certification
7/9 | 15/623
ISACA CISA Review Manual Structure CISA Domain Structure About the CISA Exam Recommended reading for CISA exam Earning the CISA qualification
M01 - Overview of the CISA certification
8/9 | 16/623
M01 - Overview of the CISA certification
9/9 | 17/623
1. Overview of the CISA certification 2. Domain 1 - The Process of Auditing Information Systems 3. Domain 2 - Governance and Management of IT 4. Domain 3 - Information Systems Acquisition, Development, and Implementation 5. Domain 4 - Information Systems Operations, Maintenance and Service Management 6. Domain 5 - Protection of Information Assets M02 - Domain 1 - The Process of Auditing Information Systems
2/134 | 19/623
Learning objectives Domain 1 - CISA exam relevance Module agenda
Auditing Risk-Based Auditing Internal Controls Audit Planning Performing the Audit Sampling Audit Analysis and Reporting Control Self-Assessment (CSA) ISACA Code of Professional Ethics
Sample questions M02 - Domain 1 - The Process of Auditing Information Systems
3/134 | 20/623
After this module, the CISA candidate should be able to Develop and implement a risk-based IT audit strategy based on IT Audit standards Plan specific audits to determine whether information systems are protected, controlled and provide value to the organization Conduct audits in accordance with IT audit standards to achieve planned audit objectives Report audit findings and make recommendations to key stakeholders to communicate results and effect change when necessary Conduct follow-ups or prepare status reports to ensure appropriate actions have been taken by management in a timely manner
M02 - Domain 1 - The Process of Auditing Information Systems
4/134 | 21/623
Ensure that the CISA candidate … Has the knowledge necessary to provide audit services in accordance with IT audit standards to assist the organization with protecting and controlling information systems
M02 - Domain 1 - The Process of Auditing Information Systems
5/134 | 22/623
There are 5 general task statements pertaining to IT Audit in CISA Certification Job Practice In general Develop and implement a risk-based IT audit strategy Plan specific audits Conduct audits in accordance with IT audit standards. Report audit findings and make recommendation Conduct follow-ups or prepare status reports
M02 - Domain 1 - The Process of Auditing Information Systems
6/134 | 23/623
There are 11 general knowledge statements pertaining to IT Audit in CISA Certification Job Practice Knowledge of (selected) ISACA IT Audit and Assurance Standards, Guidelines and Tools and Techniques, Code of Professional Ethics Risk assessment concepts, tools and techniques Control objectives and controls related to information systems Audit planning and audit project management techniques Fundamental business processes Applicable laws and regulation Evidence collection techniques Different sampling methodologies Reporting and communication techniques Audit quality assurance systems and frameworks M02 - Domain 1 - The Process of Auditing Information Systems
7/134 | 24/623
M02 - Domain 1 - The Process of Auditing Information Systems
8/134 | 25/623
M02 - Domain 1 - The Process of Auditing Information Systems
9/134 | 26/623
M02 - Domain 1 - The Process of Auditing Information Systems
10/134 | 27/623
Audit begins with the acceptance of an Audit Charter (or engagement letter) Provides Authority for audit Responsibility Reporting requirements
Signed by Audit Committee Senior Management Steering Committee
M02 - Domain 1 - The Process of Auditing Information Systems
11/134 | 28/623
An audit compares (measures) actual activity against Standards and internal policy/ies
Compliance with legal and regulatory requirements Specific goals of the audit CIA Confidentiality Integrity Availability
Reliability Performance …
M02 - Domain 1 - The Process of Auditing Information Systems
12/134 | 29/623
Involves short and long term planning (annual basis) New control issues Changes / Upgrades to technologies Business process / Need / Goals Auditing / Evaluation Techniques Acquisitions / Mergers
Based on concerns of management or areas of higher risk Process failures Financial operations Compliance requirements Regulations changes
M02 - Domain 1 - The Process of Auditing Information Systems
13/134 | 30/623
Financial audits Operational audits Integrated audits Administrative audits IS audits Forensic audits Specialized audits ...
M02 - Domain 1 - The Process of Auditing Information Systems
14/134 | 31/623
Audit objectives / goal Audit scope Internal / External / Departments / Business Partners
Criteria Responsibilities of management of internal and external auditors
Audit procedures Evidence Conclusions and opinions Reporting M02 - Domain 1 - The Process of Auditing Information Systems
15/134 | 32/623
1. Gather Information
2. Identify System and Components
4. Perform Risk Analysis
3. Assess Risk
5. Conduct Internal Control Review
6. Set Audit Scope and Objectives
7. Develop Auditing Strategy
8. Assign Resources
M02 - Domain 1 - The Process of Auditing Information Systems
16/134 | 33/623
Audit Program Challenges Limited number of IS auditors Maintenance of their technical competence Assignment of audit staff
M02 - Domain 1 - The Process of Auditing Information Systems
17/134 | 34/623
Based on the scope and objective of the particular assignment IS auditor’s concerns Security (confidentiality, integrity and availability) Quality (effectiveness, efficiency) Fiduciary (compliance, reliability) Service and capacity Audit risk
M02 - Domain 1 - The Process of Auditing Information Systems
18/134 | 35/623
A set of documented audit procedures designed to achieve planned audit objectives Composed of Statement of scope Statement of audit objectives Statement of audit programs
Set up and approved by the audit management Communicated to all audit staff
M02 - Domain 1 - The Process of Auditing Information Systems
19/134 | 36/623
Audit plans Audit programs Audit activities Audit tests Audit findings Audit evidence Audit incidents
M02 - Domain 1 - The Process of Auditing Information Systems
20/134 | 37/623
1. 2. 3. 4. 5. 6. 7. 8.
Audit subject Audit objective Audit scope Pre-audit planning Audit procedures and steps for information gathering Procedures for evaluating the test or review results Procedures for communication with management Audit report preparation
M02 - Domain 1 - The Process of Auditing Information Systems
21/134 | 38/623
Understanding of the audit area / subject Risk assessment and general audit plan Detailed audit planning Preliminary review of audit area / subject Evaluating audit area / subject Verifying and evaluating controls Compliance testing Substantive testing Reporting (communicating results) Follow-up M02 - Domain 1 - The Process of Auditing Information Systems
22/134 | 39/623
Use of audit software to survey the contents of data files Assess the contents of operating system parameter files Flow-charting techniques for documenting automated applications and business process Use of audit reports available in operation systems Documentation review Observation
M02 - Domain 1 - The Process of Auditing Information Systems
23/134 | 40/623
Audits specifically related to a crime or serious incident Determine Scope of incident Root cause Personnel and systems involved
Obtain and examine evidence Report for further action
M02 - Domain 1 - The Process of Auditing Information Systems
24/134 | 41/623
Fraud detection is Management’s responsibility Benefits of a well-designed internal control system Deterring fraud at the first instance Detecting fraud in a timely manner
Fraud detection and disclosure Auditor’s role in fraud prevention and detection
M02 - Domain 1 - The Process of Auditing Information Systems
25/134 | 42/623
M02 - Domain 1 - The Process of Auditing Information Systems
26/134 | 43/623
M02 - Domain 1 - The Process of Auditing Information Systems
27/134 | 44/623
Inherent risk
Errors likely to occur
Control risk Errors that bypass controls Errors not detect by controls
Detection risk
Errors caught by auditor
Audit risk M02 - Domain 1 - The Process of Auditing Information Systems
Errors undetected by auditor
28/134 | 45/623
Audit Risk The risk that the auditors may unknowingly fail to modify our opinion appropriately on financial statements that are materially misstated
Inherent Risk The susceptibility of an account balance, disclosure or class of transactions, considered at the assertion level, to a material misstatement, assuming there are no related controls.
Control Risk The risk that a material misstatement that could occur in an account balance, disclosure or class of transactions, considered at the assertion level, will not be prevented or detected and corrected on a timely basis by the client’s internal control system.
Detection Risk The risk that the auditors will not detect a material misstatement that exists in an account balance, disclosure, or class of transactions assertion considered at the assertion level.
M02 - Domain 1 - The Process of Auditing Information Systems
29/134 | 46/623
It implies that auditors should attempt to predict where misstatements are most and least likely in the FS segments (account or class of transactions). Inherent risks is a measure of the likelihood that there are material misstatements (errors or fraud) in a segment (class of transactions / account balance) before considering the effectiveness of internal controls
M02 - Domain 1 - The Process of Auditing Information Systems
30/134 | 47/623
The assessment of the likelihood that a misstatement that could occur and that could be material will not be prevented or detected the internal control system. Ideally, the control system would detect any material errors before they enter the financial statements.
M02 - Domain 1 - The Process of Auditing Information Systems
31/134 | 48/623
Is a measure of the risk that audit evidence (substantive procedures planned by the auditor to detect material misstatements in the FS: tests of details of transactions, tests of details of balances, and analytical procedures) will fail to detect misstatements that could be material The Detection risk depends on other factors and is inversely related to the accumulation of inherent and control risk It determines the number of substantial elements of proof the auditor plans to accumulate in order to reduce the Detection risk to an acceptable level. M02 - Domain 1 - The Process of Auditing Information Systems
32/134 | 49/623
Audit risk may be considered as the product of the various risks which may be encountered in the performance of the audit. In order to keep the overall audit risk of engagements below acceptable limit, the auditor must assess the level of risk pertaining to each component of audit risk.
Inherent Risk
Control Risk
M02 - Domain 1 - The Process of Auditing Information Systems
Detection Risk
Audit Risk
33/134 | 50/623
Risk Assessment must be based on business requirements, not solely on information systems or technical requirements Risk Assessment Identify and prioritize risk Recommend risk-based controls
Risk Mitigation
Reduce risk Accept risk Transfer risk Share risk Avoid risk
Ongoing assessment of risk levels and control effectiveness M02 - Domain 1 - The Process of Auditing Information Systems
34/134 | 51/623
Identify Business Objectives
Perform Risk Mitigation (RM) [Map Risks with controls in place]
Identify Business Assets that Support the BO
Perform Risk Treatment (RT) [Treat existing risks not mitigated by existing controls]
M02 - Domain 1 - The Process of Auditing Information Systems
Perform Risk Assess (RA) [Threat – Vulnerability – Portability – Impact]
Perform Periodic Risk Revaluation (BO, RA, RM, RT)
35/134 | 52/623
From the IS auditor’s perspective, risk analysis serves more than one purpose It assists the IS auditor in identifying risks and threats to an IT environment and IS system - risks and threats that would need to be addressed by management - and in identifying system specific internal controls Depending on the level of risk, this assists the IS auditor in selecting certain areas to examine
M02 - Domain 1 - The Process of Auditing Information Systems
36/134 | 53/623
IS auditors must be able to Be able to identify and differentiate risk types and the controls used to mitigate these risks Have knowledge of common business risks, related technology risks and relevant controls Be able to evaluate the risk assessment and management techniques used by business managers, and to make assessments of risk to help focus and plan audit work Have an understand that risk exists within the audit process
M02 - Domain 1 - The Process of Auditing Information Systems
37/134 | 54/623
In analyzing the business risks arising from the use of IT, it is important for the IS auditor to have a clear understanding of The purpose and nature of business, the environment in which the business operates and related business risks The dependence on technology and related dependencies that process and deliver business information The business risks of using IT and related dependencies and how they impact the achievement of the business goals and objectives A good overview of the business processes and the impact of IT and related risks on the business process objectives
M02 - Domain 1 - The Process of Auditing Information Systems
38/134 | 55/623
Identity threats and vulnerabilities Helps auditor evaluate countermeasures / controls Helps auditor decide on auditing objectives Support Risk-Based auditing decision Helps identify risks and vulnerabilities Leads to implementation of internal controls
M02 - Domain 1 - The Process of Auditing Information Systems
39/134 | 56/623
Enables management to effectively allocate limited audit resources Ensures that relevant information has been obtained from all levels of management Establishes a basis for effectively managing the audit plans Provides a summary of how the individual audit subject is related to the overall organization as well as to the business plan
M02 - Domain 1 - The Process of Auditing Information Systems
40/134 | 57/623
Assessing security risks Risk assessments should identify, quantify and prioritize risks against criteria for risk acceptance and objectives relevant to the organization Performed periodically to address changes in The environment Security requirements and when significant changes occur
Treating security risks Each risk identified in a risk assessment needs to be treated in a cost-effective manner according to its level of risk Controls should be selected to ensure that risks are reduced to an acceptable level M02 - Domain 1 - The Process of Auditing Information Systems
41/134 | 58/623
Identify Business risks Technological risks Operational risks
M02 - Domain 1 - The Process of Auditing Information Systems
42/134 | 59/623
Gather Information and Plan for the Audit
Obtain Understanding and evaluate the Internal Control
Perform Compliance Testing
Perform Substantive Tests
Perform the Audit M02 - Domain 1 - The Process of Auditing Information Systems
43/134 | 60/623
1. Gather Information and Plan for the Audit Knowledge of business and industry Prior year’s audit results Recent financial information Regulatory statutes Inherent risk assessments
2. Obtain Understanding and evaluate the Internal Control Control environment Control procedures Detection risk assessment Control risk assessment Equate total risk M02 - Domain 1 - The Process of Auditing Information Systems
44/134 | 61/623
3. Perform Compliance Tests Identify key controls to be tested Perform tests on reliability, risk prevention, and adherence to organizational policies and procedures
4. Perform Substantive Tests Analytical procedures Detailed tests of account balances Other substantive audit procedures
5. Perform the Audit Create recommendations Write audit report
M02 - Domain 1 - The Process of Auditing Information Systems
45/134 | 62/623
M02 - Domain 1 - The Process of Auditing Information Systems
46/134 | 63/623
M02 - Domain 1 - The Process of Auditing Information Systems
47/134 | 64/623
Administrative controls concerned with operational efficiency and adherence to management policies Organizational logical security policies and procedures Overall policies for the design and use of documents and records Procedures and features to ensure authorized access to assets Physical security policies for all data centers
M02 - Domain 1 - The Process of Auditing Information Systems
48/134 | 65/623
M02 - Domain 1 - The Process of Auditing Information Systems
49/134 | 66/623
Protection and detective mechanisms against internal and external attacks Safeguarding of IT assets Compliance to corporate policies or legal requirements Input Authorization Accuracy and completeness of processing of data input/transactions Output Reliability of process Backup / recovery Efficiency and economy of operations Change management process for IT and related systems M02 - Domain 1 - The Process of Auditing Information Systems
50/134 | 67/623
Classification of internal controls Directive - Controls Preventive - Controls that avoid incident Detective - Controls that identify incident Corrective - Controls that remedy incident Recovery - Controls that restores baseline from incident Deterrent - Controls that (only) reduce likelihood of incident Compensatory - Control type implemented to make up for deficiencies in other controls
M02 - Domain 1 - The Process of Auditing Information Systems
51/134 | 68/623
Management (Administrative) Controls Policies, Standards, Processes, Procedures, & Guidelines Administrative Entities: Executive-Level, Mid.-Level Management
Operational (and Physical) Controls Operational Security (Execution of Policies, Standards & Process, Education & Awareness) Service Providers: IA, Program Security, Personnel Security, Document Controls (or CM), HR, Finance, etc.
Physical Security (Facility or Infrastructure Protection) Locks, Doors, Walls, Fence, Curtain, etc. Service Providers: FSO, Guards, Dogs
Technical (Logical) Controls Access Controls , Identification & Authorization, Confidentiality, Integrity, Availability, Non-Repudiation. Service Providers: Enterprise Architect, Security Engineer, CERT, NOSC, Helpdesk M02 - Domain 1 - The Process of Auditing Information Systems
52/134 | 69/623
Directive
• User registration • User agreement • NdA • Separation of duties • Warning banner
Management (Administrative) Physical / Operational
Preventive
• Procedure
Detective • Review access logs • Job rotation • Investigation • Security awareness training
• Physical barriers • Locks • Badge system • Monitor access • Security Guard • Motion • Mantrap doors detectors • Effective hiring • CCTV practice • Awareness training,
M02 - Domain 1 - The Process of Auditing Information Systems
Corrective
Recovery
• Penalty • Administrativ e leave • Controlled termination processes
• Business continuity planning (BCP) • Disaster recovery planning (DRP)
• User behavioral modification • Modify and update physical barriers
53/134 | 70/623
Technical
Directive
• Standards
Preventive • User authentication • Multi-factor authentication • ACLs • Firewalls • IPS • Encryption
M02 - Domain 1 - The Process of Auditing Information Systems
Detective • Log access and transactions • Store access logs • SNMP • IDS
Corrective • Isolate, terminate connections • Modify and update access privileges
Recovery
• Backups • Recover system functions, • Rebuild,
54/134 | 71/623
Internal control system Internal accounting controls Operational controls Administrative controls
M02 - Domain 1 - The Process of Auditing Information Systems
55/134 | 72/623
Safeguarding assets Assuring the integrity of general operating system environments Assuring the integrity of sensitive and critical application system environments through Authorization of the input Accuracy and completeness of processing of transactions Reliability of overall information processing activities Accuracy, completeness and security of the output Database integrity
M02 - Domain 1 - The Process of Auditing Information Systems
56/134 | 73/623
Ensuring appropriate identification and authentication of users of IS resources Ensuring the efficiency and effectiveness of operations Complying with requirements, policies and procedures, and applicable laws Developing business continuity and disaster recovery plans Developing an incident response plan Implementing effective change management procedures
M02 - Domain 1 - The Process of Auditing Information Systems
57/134 | 74/623
Strategy and direction General organization and management Access to IT resources, including data and programs Systems development methodologies and change control Operations procedures Systems programming and technical support functions Quality assurance procedures Physical access controls Business continuity / disaster recovery planning Networks and communications Database administration M02 - Domain 1 - The Process of Auditing Information Systems
58/134 | 75/623
Internal control objectives apply to all areas, whether manual or automated Therefore, conceptually, control objectives in an IS environment remain unchanged from those of a manual environment
M02 - Domain 1 - The Process of Auditing Information Systems
59/134 | 76/623
Cost Assess management’s risk appetite and tolerance for risk Effectiveness at mitigating Risk
M02 - Domain 1 - The Process of Auditing Information Systems
60/134 | 77/623
M02 - Domain 1 - The Process of Auditing Information Systems
61/134 | 78/623
Audit planning steps 1. Gain an understanding of the business’s vision, mission, business drivers, objectives, purpose and processes and it’s culture 2. Identify stated contents (policies, standards, guidelines, procedures, and organization structure) 3. Evaluate risk assessment and privacy impact analysis 4. Perform a risk analysis 5. Conduct an internal control review 6. Set the audit scope and audit objectives 7. Develop the audit approach or audit strategy 8. Assign personnel resources to audit and address engagement logistics
M02 - Domain 1 - The Process of Auditing Information Systems
62/134 | 79/623
Regulatory requirements Adequate controls Privacy Responsibilities Oversight and Governance Establishment Organization Protection of assets Financial Management Correlation to financial, operational and IT audit functions
M02 - Domain 1 - The Process of Auditing Information Systems
63/134 | 80/623
1. Identify external requirements 2. Document pertinent laws and regulations 3. Assess whether management and the IS function have considered the relevant external requirements 4. Review internal IS department documents that address adherence to applicable laws 5. Determine adherence to established procedures
M02 - Domain 1 - The Process of Auditing Information Systems
64/134 | 81/623
M02 - Domain 1 - The Process of Auditing Information Systems
65/134 | 82/623
Standards (must be followed by IS auditors) General Performance Reporting
Guidelines Provide assistance on how to implement the standards
Tools and Techniques Provide examples for implementing the standards
M02 - Domain 1 - The Process of Auditing Information Systems
66/134 | 83/623
Procedures developed by the ISACA Standards Board provide examples of possible processes an IS auditor might follow in an audit engagement The IS auditor should apply their own professional judgment to the specific circumstances
M02 - Domain 1 - The Process of Auditing Information Systems
67/134 | 84/623
P#
Topic
P1
IS Risk Assessment
01.07.2002
P2
Digital Signatures
01.07.2002
P3
Intrusion Detection
01.08.2003
P4
Viruses and Other Malicious Code
01.08.2003
P5
Control Risk Self-assessment
01.08.2003
P6
Firewalls
01.08.2003
P7
Irregularities and Illegal Acts
01.11.2003
P8
Security Assessment - Penetration Testing and Vulnerability Analysis
01.08.2004
P9
Evaluation of Management Controls Over Encryption Methodologies
10.01.2005
P10
Business Application Change Control
01.10.2006
P11
Electronic Funds Transfer (EFT)
01.05.2007
M02 - Domain 1 - The Process of Auditing Information Systems
effective date
68/134 | 85/623
Section 2200 - General Standards Section 2400 - Performance Standards Section 2600 - Reporting Standards Section 3000 - IT Assurance Guidelines Section 3200 - Enterprise Topics Section 3400 - IT Management Process Section 3600 - IT Audit and Assurance Guidelines
M02 - Domain 1 - The Process of Auditing Information Systems
69/134 | 86/623
Framework for the ISACA IS Auditing Standards Standards
Framework for the ISACA IS Auditing Standards Procedures
M02 - Domain 1 - The Process of Auditing Information Systems
Guidelines
70/134 | 87/623
Objectives of the ISACA IT Audit and Assurance Standards Inform management and other interested parties of the profession’s expectations concerning the work of audit practitioners Inform information system auditors of the minimum level of acceptable performance required to meet professional responsibilities set out in the ISACA Code of Professional Ethics M02 - Domain 1 - The Process of Auditing Information Systems
71/134 | 88/623
S1 - Audit Charter S2 - Independence S3 - Ethics and Standards S4 - Competence S5 - Planning S6 - Performance of audit work S7 - Reporting S8 - Follow-up activities
M02 - Domain 1 - The Process of Auditing Information Systems
S9 - Irregularities and illegal acts S10 - IT Governance S11 - Use of risk assessment in audit planning S12 - Audit materiality S13 - Using the Work of Other Experts S14 - Audit Evidence S15 - IT Controls S16 - E-commerce
72/134 | 89/623
S1 Audit Charter
S2 Independence
• Purpose, responsibility, authority and accountability • Approval
• Professional independence • Organizational independence
M02 - Domain 1 - The Process of Auditing Information Systems
73/134 | 90/623
S3 Professional Ethics and Standards
S4 Competence
• Code of Professional Ethics • Due professional care
• Skills and knowledge • Continuing professional education
M02 - Domain 1 - The Process of Auditing Information Systems
74/134 | 91/623
S5 Planning
S6 Performance of Audit Work
• Plan IS audit coverage • Develop and document a risk-based audit approach • Develop and document an audit plan • Develop an audit program and procedures
• Supervision • Evidence • Documentation
M02 - Domain 1 - The Process of Auditing Information Systems
75/134 | 92/623
S7 Reporting
• Identify the organization, intended recipients and any restrictions • State the scope, objectives, coverage and nature of audit work performed • State the findings, conclusions and recommendations and limitations • Justify the results reports • Be signed, dated and distributed according to the audit charter
M02 - Domain 1 - The Process of Auditing Information Systems
76/134 | 93/623
S8 Follow-up Activities
• Review previous conclusions and recommendations • Review previous relevant findings • Determine whether appropriate actions have been taken by management in a timely manner
M02 - Domain 1 - The Process of Auditing Information Systems
77/134 | 94/623
S9 Irregularities and Illegal Acts
• Consider the risk of irregularities and illegal acts • Maintain an attitude of professional skepticism • Obtain an understanding of the organization and its environment • Consider unusual or unexpected relationships • Test the appropriateness of internal control • Assess any misstatement
M02 - Domain 1 - The Process of Auditing Information Systems
78/134 | 95/623
S9 Irregularities and Illegal Acts (continued)
• Obtain written representations from management • Have knowledge of any allegations of irregularities or illegal acts • Communicate material irregularities or illegal acts • Consider appropriate action in case of inability to continue performing the audit • Document irregularity- or illegal act-related communications, planning, results, evaluations and conclusions
M02 - Domain 1 - The Process of Auditing Information Systems
79/134 | 96/623
S10 IT Governance
• Review and assess the IS function’s alignment with the organization’s mission, vision, values, objectives and strategies • Review the IS function’s statement about the performance and assess its achievement • Review and assess the effectiveness of IS resource and performance management processes
M02 - Domain 1 - The Process of Auditing Information Systems
80/134 | 97/623
S10 IT Governance (continued)
• Review and assess compliance with legal, environmental and information quality, and fiduciary and security requirements • Use a risk-based approach to evaluate the IS function • Review and assess the organization’s control environment • Review and assess the risks that may adversely affect the IS environment
M02 - Domain 1 - The Process of Auditing Information Systems
81/134 | 98/623
S11 Use of Risk Assessment in Audit
• Planning • Use a risk assessment technique in developing the overall IS audit plan • Identify and assess relevant risks in planning individual reviews
M02 - Domain 1 - The Process of Auditing Information Systems
82/134 | 99/623
S12 Audit Materiality
• The IS auditor should consider audit materiality and its relationship to audit risk • The IS auditor should consider potential weakness or absence of controls when planning for an audit • The IS auditor should consider the cumulative effect of minor control deficiencies or weaknesses • The IS audit report should disclose ineffective controls or absence of controls
M02 - Domain 1 - The Process of Auditing Information Systems
83/134 | 100/623
S13 Using the Work of Other Experts
• The IS auditor should consider using the work of other experts • The IS auditor should be satisfied with the qualifications, competencies, etc., of other experts • The IS auditor should assess, review and evaluate the work of other experts • The IS auditor should determine if the work of other experts is adequate and complete • The IS auditor should apply additional test procedures to gain sufficient and appropriate audit evidence • The IS auditor should provide appropriate audit opinion
M02 - Domain 1 - The Process of Auditing Information Systems
84/134 | 101/623
S14 Audit Evidence
• Includes procedures performed by the auditor and results of those procedures • Includes source documents, records and corroborating information • Includes findings and results of the audit work • Demonstrates that the work was performed and complies with applicable laws, regulations and policies
M02 - Domain 1 - The Process of Auditing Information Systems
85/134 | 102/623
S15 IT Controls
S16 E-commerce
• The IS auditor should evaluate and monitor IT controls that are an integral part of the internal control environment of the organization.
• The IS Auditor should evaluate applicable controls and assess risk when reviewing e-commerce environments to ensure that ecommerce transactions are properly controlled.
M02 - Domain 1 - The Process of Auditing Information Systems
86/134 | 103/623
G#
Topic
G01
Using the Work of Other Auditors
01.06.1998
G02
Audit Evidence Requirement
01.12.1998
G03
Use of Computer Assisted Audit Techniques (CAATs)
01.12.1998
G04
Outsourcing of IS Activities to Other Organizations
01.09.1999
G05
Audit Charter
01.09.1999
G06
Materiality Concepts for Auditing Information Systems
01.09.1999
G07
Due Professional Care
01.09.1999
G08
Audit Documentation
01.09.1999
G09
Audit Considerations for Irregularities
01.03.2000
G10
Audit Sampling
01.03.2000
M02 - Domain 1 - The Process of Auditing Information Systems
effective date
87/134 | 104/623
G#
Topic
G11
Effect of Pervasive IS Controls
01.03.2000
G12
Organizational Relationship and Independence
01.03.2000
G13
Use of Risk Assessment in Audit Planning
01.09.2000
G14
Application Systems Review
01.11.2001
G15
Planning Revised
01.03.2002
G16
Effect of Third Parties on an Organization’s IT Controls
01.03.2002
G17
Effect of Non-audit Role on the IS Auditor’s Independence
01.07.2002
G18
IT Governance
01.07.2002
G19
Irregularities and Illegal Acts
01.07.2002
G20
Reporting
01.01.2003
M02 - Domain 1 - The Process of Auditing Information Systems
effective date
88/134 | 105/623
G#
Topic
G21
Enterprise Resource Planning (ERP) Systems Review
01.08.2003
G22
Business-to-consumer (B2C) E-commerce Review
01.08.2003
G23
System Development Life Cycle (SDLC) Review
01.08.2003
G24
Internet Banking
01.08.2003
G25
Review of Virtual Private Networks
01.07.2007
G26
Business Process Reengineering (BPR) Project Reviews
01.07.2007
G27
Mobile Computing
01.09.2004
G28
Computer Forensics
01.09.2004
G29
Post-implementation Review
01.01.2005
G30
Competence
01.06.2005
M02 - Domain 1 - The Process of Auditing Information Systems
effective date
89/134 | 106/623
G#
Topic
effective date
G31
Privacy
01.06.2005
G32
Business Continuity Plan (BCP) Review From IT Perspective
01.09.2005
G33
General Considerations on the Use of the Internet
01.03.2006
G34
Responsibility, Authority and Accountability
01.03.2006
G35
Follow-up Activities
01.03.2006
G36
Biometric Controls
01.03.2007
G37
Configuration Management
01.10.2007
G38
Access Control
01.02.2008
G39
IT Organizations
01.05.2008
G40
Review of Security Management Practices
01.10.2008
M02 - Domain 1 - The Process of Auditing Information Systems
90/134 | 107/623
G#
Topic
G41
Return on Security Investment (ROSI)
01.05.2010
G42
Continuous Assurance
01.05.2010
…
…
M02 - Domain 1 - The Process of Auditing Information Systems
effective date
…
91/134 | 108/623
It is a requirement that the auditor’s conclusions be based on sufficient, competent evidence Independence of the provider of the evidence Qualification of the individual providing the information or evidence Objectivity of the evidence Timing of the evidence
M02 - Domain 1 - The Process of Auditing Information Systems
92/134 | 109/623
Review IS organization structures Review IS policies and procedures Review IS standards Review IS documentation Interview appropriate personnel Observe processes and employee performance Inspection of tangible assets
M02 - Domain 1 - The Process of Auditing Information Systems
93/134 | 110/623
M02 - Domain 1 - The Process of Auditing Information Systems
94/134 | 111/623
General approaches to audit sampling Statistical sampling Non-statistical sampling
M02 - Domain 1 - The Process of Auditing Information Systems
95/134 | 112/623
M02 - Domain 1 - The Process of Auditing Information Systems
96/134 | 113/623
M02 - Domain 1 - The Process of Auditing Information Systems
97/134 | 114/623
Attribute sampling (used to estimate the extent to which a characteristic exists within population) Stop-or-go sampling Discovery sampling
Variable sampling (used to estimate amount (or value) of some characteristic of a population) Monetary Unit Sampling (MUS) Stratified mean per unit Unstratified mean per unit Difference estimation
M02 - Domain 1 - The Process of Auditing Information Systems
98/134 | 115/623
Confident coefficient Level of risk Precision Expected error rate Sample mean Sample standard deviation Tolerable error rate Population standard deviation
M02 - Domain 1 - The Process of Auditing Information Systems
99/134 | 116/623
1. Determine the objectives of the test 2. Define the population to be sampled 3. Determine the sampling method Such as attribute versus variable sampling
4. Calculate the sample size 5. Select the sample 6. Evaluating the sample from an audit perspective
M02 - Domain 1 - The Process of Auditing Information Systems
100/134 | 117/623
Compliance test Determines whether controls are in compliance with management policies and procedures
Substantive test Tests the integrity of actual processing Provides evidence of the validity
Correlation between the level of internal controls and substantive testing required Relationship between compliance and substantive tests
M02 - Domain 1 - The Process of Auditing Information Systems
101/134 | 118/623
Review the system to identify controls
Test compliance to determine whether controls are functioning
Evaluate the controls to determine the basis for reliance and the nature, scope and timing of substantive tests Use two types of substantive tests to evaluate the validity of the data
Test balance and transactions M02 - Domain 1 - The Process of Auditing Information Systems
Perform analytic review procedures 102/134 | 119/623
Process whereby appropriate audit disciplines are combined to assess key internal controls over an operation, process or entity Focuses on risk to the organization (for an internal auditor) Focuses on the risk of providing an incorrect or misleading audit opinion (for an external auditor)
M02 - Domain 1 - The Process of Auditing Information Systems
103/134 | 120/623
Process involves Identification of risks faced by organization and of relevant key controls Review and understanding of the design of key controls Testing that key controls are supported by the IT system Testing that management controls operate effectively A combined report or opinion on control risks, design and weaknesses
M02 - Domain 1 - The Process of Auditing Information Systems
Operational Audit
IS Audit
Financial Audit
104/134 | 121/623
Considerations when using services of other auditors and experts Audit charter or contractual stipulations Impact on overall and specific IS audit objectives Impact on IS audit risk and professional liability Independence and objectivity of other auditors and experts
M02 - Domain 1 - The Process of Auditing Information Systems
105/134 | 122/623
Considerations when using services of other auditors and experts Professional competence, qualifications and experience Scope of work proposed to be outsourced and approach Supervisory and audit management controls Method of communicating the results of audit work Compliance with legal and regulatory stipulations Compliance with applicable professional standards
M02 - Domain 1 - The Process of Auditing Information Systems
106/134 | 123/623
CAATs enable IS auditors to gather information independently CAATs include Generalized audit software (GAS) Utility software Debugging and scanning software Test data Application software tracing and mapping Expert systems
M02 - Domain 1 - The Process of Auditing Information Systems
107/134 | 124/623
CAATs as a continuous online audit approach Improves audit efficiency
IS auditors must Develop audit techniques for use with advanced computerized systems Be involved in the design of advanced systems to support audit requirements Make greater use of automated tools
M02 - Domain 1 - The Process of Auditing Information Systems
108/134 | 125/623
Features of generalized audit software (GAS) Mathematical computations Stratification Statistical analysis Sequence checking
Functions supported by GAS File access File reorganization Data selection Statistical functions Arithmetical functions
M02 - Domain 1 - The Process of Auditing Information Systems
109/134 | 126/623
Ease of use for existing and future audit staff Training requirements Complexity of coding and maintenance Flexibility of uses Installation requirements Processing efficiencies Confidentiality of data being processed
M02 - Domain 1 - The Process of Auditing Information Systems
110/134 | 127/623
M02 - Domain 1 - The Process of Auditing Information Systems
111/134 | 128/623
Audit documentation includes Planning and preparation of the audit scope and objectives Description on the scoped audit area Audit program Audit steps performed and evidence gathered Other experts used Audit findings, conclusions and recommendations
M02 - Domain 1 - The Process of Auditing Information Systems
112/134 | 129/623
Risk analysis Audit programs Results Test evidences Conclusions Reports and other complementary information
M02 - Domain 1 - The Process of Auditing Information Systems
Minimum controls Access to work papers Audit trails Automated features to provide and record approvals Security and integrity controls Backup and restoration Encryption techniques
113/134 | 130/623
Materiality is a key issue Assess evidence Assessment requires judgment of the potential effect of the finding if corrective action is not taken
Evaluate overall control structure Evaluate control procedures Assess control strengths and weaknesses
M02 - Domain 1 - The Process of Auditing Information Systems
114/134 | 131/623
Exit interview Correct facts Realistic recommendations Implementation dates for agreed recommendations
Presentation techniques Executive summary Visual presentation Oral presentation
M02 - Domain 1 - The Process of Auditing Information Systems
115/134 | 132/623
Audit report structure and contents Introduction to the report Audit findings presented in separate sections The IS auditor’s overall conclusion and opinion The IS auditor’s reservations with respect to the audit - audit limitations Detailed audit findings and recommendations
Audit recommendations may not be accepted Negotiation Conflict resolution Explanation of results, findings and best practices or legal requirements M02 - Domain 1 - The Process of Auditing Information Systems
116/134 | 133/623
Ensure that accepted recommendations are implemented as per schedule Auditing is an ongoing process Timing a follow-up
M02 - Domain 1 - The Process of Auditing Information Systems
117/134 | 134/623
M02 - Domain 1 - The Process of Auditing Information Systems
118/134 | 135/623
A management technique A methodology In practice, a series of tools Can be implemented by various methods In simple terms, CSA involves a structured approach to documenting business objectives, risks and controls and having operational management and staff assess the adequacy of control
M02 - Domain 1 - The Process of Auditing Information Systems
119/134 | 136/623
Leverage the internal audit function by shifting some control monitoring responsibilities to functional areas Enhancement of audit responsibilities, not a replacement Educate management about control design and monitoring Empowerment of workers to assess the control environment
M02 - Domain 1 - The Process of Auditing Information Systems
120/134 | 137/623
Early detection of risks More effective and improved internal controls Increased employee awareness of organizational objectives Highly motivated employees Improved audit rating process Reduction in control cost Assurance provided to stakeholders and customers
M02 - Domain 1 - The Process of Auditing Information Systems
121/134 | 138/623
Could be mistaken as an audit function replacement May be regarded as an additional workload Failure to act on improvement suggestions could damage employee morale Lack of motivation may limit effectiveness in the detection of weak controls
M02 - Domain 1 - The Process of Auditing Information Systems
122/134 | 139/623
Internal control professionals Assessment facilitators
M02 - Domain 1 - The Process of Auditing Information Systems
123/134 | 140/623
Traditional Approach Assigns duties / supervises staff Policy / process / rule driven Limited employee participation Narrow stakeholder focus
Control Self-Assessment (CSA) Approach Empowered / accountable employees Continuous improvement / learning curve Extensive employee participation and training Broad stakeholder focus
M02 - Domain 1 - The Process of Auditing Information Systems
124/134 | 141/623
Continuous monitoring Provided by IS management tools Based on automated procedures to meet fiduciary responsibilities
Continuous auditing Audit-driven Completed using automated audit procedures
M02 - Domain 1 - The Process of Auditing Information Systems
125/134 | 142/623
Distinctive character Short time lapse between the facts to be audited and the collection of evidence and audit reporting
Drivers Better monitoring of financial issues Allows real-time transactions to benefit from real-time monitoring Prevents financial fiascoes and audit scandals Uses software to determine proper financial controls
Application of continuous auditing due to New information technology developments Increased processing capabilities Standards Artificial intelligence tools M02 - Domain 1 - The Process of Auditing Information Systems
126/134 | 143/623
Transaction logging Query tools Statistics and data analysis Computer Assisted Audit Techniques (CAAT) Database management systems (DBMS) Continuous and Intermittent Simulation (CIS)
Data warehouses, data marts and data mining Intelligent agents Embedded audit modules (EAM) Neural network technology Standards such as Extensible Business Reporting Language (XBRL)
M02 - Domain 1 - The Process of Auditing Information Systems
127/134 | 144/623
A high degree of automation An automated and reliable information-producing process Alarm triggers to report control failures Implementation of automated audit tools Quickly informing IS auditors of anomalies / errors Timely issuance of automated audit reports Technically proficient IS auditors Availability of reliable sources of evidence Adherence to materiality guidelines Change of IS auditors’ mindset Evaluation of cost factors M02 - Domain 1 - The Process of Auditing Information Systems
128/134 | 145/623
Advantages Instant capture of internal control problems Reduction of intrinsic audit inefficiencies
Disadvantages Difficulty in implementation High cost Elimination of auditors’ personal judgment and evaluation
M02 - Domain 1 - The Process of Auditing Information Systems
129/134 | 146/623
M02 - Domain 1 - The Process of Auditing Information Systems
130/134 | 147/623
M02 - Domain 1 - The Process of Auditing Information Systems
131/134 | 148/623
Auditing Risk-Based Auditing Internal Controls Audit Planning Performing the Audit Sampling Audit Analysis and Reporting Control Self-Assessment (CSA) ISACA Code of Professional Ethics
of CISA Review Manual M02 - Domain 1 - The Process of Auditing Information Systems
132/134 | 149/623
M02 - Domain 1 - The Process of Auditing Information Systems
133/134 | 150/623
I hope you enjoyed this presentation. If so, please like, share and leave a comment below. Endorsements on LinkedIn are also highly appreciated! (your feedback = more free stuff)
MIROSLAWDABROWSKI.COM/downloads
View more...
Comments
