IS Audit Process

Upload: jay-lucci

Post on 06-Apr-2018


TRANSCRIPT

  • 8/3/2019 Is Audit Process

1/69

    Be okay with what will come and you would be able to handle it.

  • Slide 2/69

    Certified Information Systems Auditor (CISA)

  • Slide 3/69

    The Process of Auditing Information Systems

  • Slide 4/69

    IS audit encompasses the entire practice of IS auditing, including procedures and a thorough methodology, which allows an IS auditor to perform on any given IT area in a professional manner.

  • Slide 5/69

    Objective

    The objective of this area is to ensure that a CISA candidate has the knowledge necessary to provide information systems audit services in accordance with IS audit standards, guidelines and best practices.

  • Slide 6/69

    Task

    1. Develop and implement a risk-based IS audit strategy for the organization in compliance with IS audit standards, guidelines and best practices.

    2. Plan specific audits to ensure that IT and business systems are protected and controlled.

    3. Conduct audits in accordance with IS audit standards, guidelines and best practices to meet planned audit objectives.

    4. Communicate emerging issues, potential risks and audit results to key stakeholders.

    5. Advise on the implementation of risk management and control practices within the organization while maintaining independence.

  • Slide 7/69

    The audit function should be managed and led in a manner that ensures that the tasks performed and achieved by the audit team will fulfill the audit function's objectives while preserving audit independence and competence.

    Both internal and external auditors should be independent and report to an audit committee, if available, or to the highest management level, such as the board of directors.

  • Slide 8/69

    Audit Charter / Engagement Letter

  • Slide 9/69

    Audit Charter / Engagement Letter

    The role of the IS internal audit function should be documented in an audit charter.

    The charter should clearly state management's responsibility and objectives for, and delegation of authority to, the IS audit function.

    The charter should outline the overall authority, scope and responsibility of the audit function.

    The highest level of management should approve the charter.

    The charter should only be changed if the change can be and is thoroughly justified.

    ISACA's IS auditing standards require that the responsibility, authority and accountability of the IS audit function are appropriately documented in an audit charter or engagement letter.

    Engagement letters are more focused on a particular audit exercise that is sought to be initiated in an organization with a specific objective in mind.

    For external IS audit firms, the scope and objectives of these services should be documented in a formal contract or statement of work between the contracting organization and the service provider.

  • Slide 10/69

    Steps to plan an IS audit

    - Gain an understanding of the business mission, objectives, purpose and processes.

    - Identify stated contents such as policies, standards and regulatory guidelines.

    - Perform risk analysis to help in designing the audit plan.

    - Conduct a review of internal controls related to IT.

    - Set the audit scope and audit objectives.

    - Develop the audit approach or audit strategy.

    - Assign personnel resources to the audit.

    - Address engagement logistics.

  • Slide 11/69

    Ways to gain an understanding of the business

    - Reading background material, e.g. industry publications, annual reports and independent financial analysis reports.

    - Reviewing business and IT long-term business issues.

    - Interviewing key managers to understand business issues.

    - Reviewing prior audit documentation and reports.

  • Slide 12/69

    Effects of laws and regulations on IS audit planning

    Each organization needs to comply with a number of governmental and external requirements related to computer system practices and controls, and to the manner in which computer programs and data are stored and used.

    Special attention should be given to these issues in those industries that, historically, have been closely regulated.

    IS auditors should review management policy to ascertain whether it takes account of the requirements of applicable laws and regulations, including data flow requirements.

  • Slide 13/69

    Steps to determine an organization's level of compliance with external requirements

    1. Identify those government or other relevant external requirements.

    2. Document pertinent laws and regulations.

    3. Assess whether the management of the organization and the IS function have considered the relevant external requirements in making plans and in setting policies, standards and procedures.

    4. Review internal IS function documents that address adherence to laws applicable to the industry.

    5. Determine adherence to established procedures that address these requirements.

  • Slide 14/69

    RISK

  • Slide 15/69

    WHAT IS RISK?

  • Slide 16/69

    The potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organization.

  • Slide 17/69

    RISK ANALYSIS

    Risk analysis is part of audit planning and helps identify risks and vulnerabilities so that the auditor can determine the controls needed to mitigate those risks.

    Understanding the relationship between risk and control is important for IS audit and control professionals. IS auditors must be able to identify and differentiate risk types and the controls used to mitigate these risks.

    IS auditors must have knowledge of common business risks, related technology risks and related controls.

    They must also be able to evaluate the risk assessment and management techniques used by business managers.

    They should be able to assess the risk and help focus and plan audit work.

    The IS audit is often focused towards high-risk issues associated with the confidentiality, availability and integrity of sensitive and critical information.

  • Slide 18/69

    The risk assessment process begins with identifying business objectives, information assets and the underlying systems or resources that generate, store, use or manipulate the assets critical to achieving these objectives.

    Controls are identified for mitigating identified risks.

    Controls are risk-mitigating countermeasures that prevent or reduce the likelihood of a risk event occurring.

    Performance levels of the risks being managed are monitored, and any significant change in the environment that would trigger a risk reassessment is identified.

    Risk analysis comprises three processes:

    - Risk assessment

    - Risk mitigation

    - Risk reevaluation

  • Slide 19/69

    Advantages of risk analysis

    1. It assists the auditor in identifying risks and threats to an IT environment that would need to be addressed by management and system-specific internal controls.

    2. It helps the auditor in his evaluation of controls in audit planning.

    3. It assists the auditor in determining audit objectives.

    4. It supports risk-based audit decision making.

  • Slide 20/69

    Controls

  • Slide 21/69

    Internal controls

    Policies, procedures, practices and organizational structures implemented to reduce risk are referred to as internal controls.

    Elements of controls that should be considered when evaluating control strengths are classified as preventive, detective or corrective in nature.

    Controls could be manual or automated.

  • Slide 22/69

    Control type: Preventive (stops)

    Implementation method and some examples:

    Administrative: Hiring procedures, background checks, segregation of duties, training, change control process, acceptable use policy (AUP), organizational charts, job descriptions, written procedures, business contracts, laws and regulations, risk management, project management, service-level agreements (SLAs), system documentation

    Technical: Data backups, virus scanners, designated redundant system for high-availability system ready for failover (HA standby), encryption, access control lists (ACLs), system certification process

    Physical: Access control, locked doors, fences, property tags, security guards, live monitoring of CCTV, human-readable labels, warning signs

  • Slide 23/69

    Control type: Detective (finds)

    Implementation method and some examples:

    Administrative: Auditing, system logs, mandatory vacation periods, exception reporting, run-to-run totals, check numbers, control self-assessment (CSA), risk assessment, oral testimony

    Technical: Intrusion detection system (IDS), high-availability systems detecting or signaling a system failover condition (HA failure detection), automated log readers (CAATs), checksums, verifying digital signatures, biometrics for identification (many search), CCTV used for logging, network scanners, computer forensics, diagnostic utilities

    Physical: Physical inventory count, alarm system (burglar, smoke, water, temperature, fire), tamper seals, fingerprints, receipts and invoices

  • Slide 24/69

    Control type: Corrective (fixes)

    Implementation method and some examples:

    Administrative: Termination procedures (friendly/unfriendly), business continuity and disaster recovery plans, outsourcing, implementing recommendations of prior audits, lessons learned, property and casualty insurance

    Technical: Data restoration from backup, high-availability system failover to redundant system (HA failover occurs), redundant network routing, file repair utilities

    Physical: Hot-warm-cold sites for disaster recovery, fire-control sprinklers, heating and AC, humidity control

  • Slide 25/69

    Types of internal control include:

    Internal accounting controls: These are controls directed at accounting operations to ensure that operations such as the safeguarding of assets and the reliability of financial records are achieved.

    Operational controls: Controls directed at day-to-day operations to ensure that the operation is meeting the business objectives.

    Administrative controls: Concerned with operational efficiency in a functional area and adherence to management policies, including operational controls.

  • Slide 26/69

    Internal control objectives

    These are statements of the desired results or purpose to be achieved by implementing control activities, e.g.:

    - Safeguarding of IT assets

    - Compliance with corporate policies and legal requirements

    - Authorization and authentication

    - Confidentiality

    - Accuracy and completeness of data

    - Reliability of processes

    - Availability of IT services

    - Efficiency and economy of operations

    - Change management process for IT and related systems

  • Slide 27/69

    IS CONTROLS

    A well-designed information system should have controls built in for all its sensitive and critical functions.

    IS control domains include:

    - Strategy and direction

    - Controls on computer operations

    - Operation procedures

    - Business continuity and disaster recovery planning

    - Networks and communication

    - Protective and detective mechanisms against internal and external attacks

    - Access to IT resources, including data and programs

    - Physical access controls

    - Logical access controls

    - Network, application and database administration

    - System development methodology and change controls

    - System programming and technical support function

    - System migration processes

  • Slide 28/69

    Performing an IS audit

  • Slide 29/69

    Performing an IS audit

    Auditing can be defined as a systematic process by which a qualified, competent, independent team or person objectively obtains and evaluates evidence regarding assertions about a process, for the purpose of forming an opinion about and reporting on the degree to which the assertion is implemented.

    IS auditing can be defined as any audit that encompasses the review and evaluation of an automated information processing system, related non-automated processes and the interfaces between them.

  • Slide 30/69

    Steps to perform an IS audit

    Plan for the audit

    For effective use of IS audit resources, audit organizations must assess the overall risk for the general and application areas and related services being audited, and develop an audit program that consists of objectives and audit procedures to satisfy the audit objectives.

  • Slide 31/69

    Gather evidence

    Evaluate the strengths and weaknesses of controls based upon the evidence gathered through audit tasks, and prepare an audit report that presents those issues in an objective manner to management.

    Audit managers must ensure the availability of adequate audit resources and a schedule for performing the audit and, in the case of internal IS audit, for follow-up reviews on the status of corrective actions taken by management.

  • Slide 32/69

    The audit process includes:

    - Defining the audit scope

    - Formulating audit objectives

    - Identifying audit criteria

    - Performing audit procedures

    - Reviewing and evaluating evidence

    - Forming audit conclusions and opinions

    - Reporting to management after discussion with key process owners

  • Slide 33/69

    Classification of Audits

    Financial audits: Assess the correctness of an organization's financial statements.

    Operational audits: Designed to evaluate the internal control structures in a given audit process or area.

    Integrated audits: Combine financial and operational audits.

    Administrative audits: Oriented to assess issues related to the efficiency of operational productivity within an organization.

    Forensic audits: Auditing specialized in discovering, disclosing and following up on frauds and crimes.

    IS AUDIT

    The process collects and evaluates evidence to determine whether the information system and related resources adequately safeguard assets.

  • Slide 34/69

    Procedures for understanding, evaluating and validating IT controls

    - The use of generalized audit software to survey the contents of data files, e.g. system logs.

    - Use of specialized software to assess the contents of operating system, database and application parameter files.

    - Flowcharting techniques for documenting automated applications and business processes.

    - Observation

    - Enquiry

    - Examination and review of documents

    - Re-performance

  • Slide 35/69

    The IS auditor would need to follow, at a minimum, a sequential program of:

    1. Understanding the entity under audit

    2. Evaluating the control structure

    3. Validating the controls

  • Slide 36/69

    Fraud Detection

    Management is primarily responsible for establishing, implementing and maintaining a framework and design of IT controls to meet the internal control objectives.

    A well-designed internal control system provides good opportunities for deterring and/or timely detection of fraud.

    Internal controls may fail where such controls are circumvented by exploiting vulnerabilities, or through management perpetuating weaknesses in controls, or collusion between people.

    - Design weaknesses

    - Operating efficiency

  • Slide 37/69

    Legislation and regulations relating to corporate governance cast significant responsibility on management, auditors and the audit committee regarding the detection and disclosure of any frauds, whether material or not.

    IS auditors should be aware of the possibility and means of perpetrating fraud, especially by exploiting vulnerabilities and overriding controls in the IT-enabled environment.

  • Slide 38/69

    Risk-Based Audit

  • Slide 39/69

    Risk-Based Auditing

    By understanding the nature of the business, IS auditors can identify the types of risks that will better determine the risk model or approach in conducting the audit.

    The risk model can be as simple as creating weights for the risks associated with the business.

  • Slide 40/69

    Simple risk-based approach

    1. Gather information and plan

    2. Obtain an understanding of internal control

    3. Perform compliance tests (walk-through)

    4. Perform substantive tests

    5. Conclude the audit

  • Slide 41/69

    Part of documenting risk data is for the auditor to identify potential risk response strategies that can be used in the audit with each identified risk. The four risk responses are as follows:

    Accept: Take your chances. Ignoring a risk is the same as accepting it. The auditor should be concerned about the acceptance of high-risk situations.

    Mitigate (reduce): Do something to lower the odds of getting hurt. Most internal controls are designed to mitigate risk.

    Transfer: Let someone else take the chance of loss by using a subcontractor or insurance. You can transfer the risk but not the liability for failure. Blind transfer of risk would be a genuine concern. This applies to outsourcing agreements and is the reason for a right-to-audit clause in the contract.

    Avoid: Reject the situation; change the situation to avoid taking the risk.

  • Slide 42/69

    Inherent risks

    These are natural or built-in risks that always exist. E.g. driving your automobile holds the inherent risk of an automobile accident or a flat tire. Theft is an inherent risk for items of high value.

    Business risks

    These are risks that are inherent in the business or industry itself. They may be regulatory, contractual or financial.

    Technological risks

    These are inherent risks of using automated technology. Systems do fail.

  • Slide 43/69

    Detection risks

    These are the risks that an auditor will not be able to detect what they are looking to find. It would be terrible to report no negative results when material conditions (faults) actually exist.

    Detection risks include sampling and non-sampling risks:

    Sampling risks: These are the risks that an auditor will falsely accept or erroneously reject an audit sample (evidence).

    Non-sampling risks: These are the risks that an auditor will fail to detect a condition because of not applying the appropriate procedure, or using procedures inconsistent with the audit objective (detection fault).

  • Slide 44/69

    Control risk

    The risk that a material error exists that will not be prevented or detected in a timely manner by the internal control system.

  • Slide 45/69

    Audit risks

    These are the combination of inherent, detection, control and residual risks.

    Audit risk = Inherent risk + Detection risk + Control risk

  • Slide 46/69

    Operational risks

    These are the risks that a process or procedure will not perform correctly.

    Residual risks

    These are the risks that remain after all mitigation efforts are performed.

  • Slide 47/69

    Evidence

  • Slide 48/69

    Evidence

    Evidence is any information used by an IS auditor to determine whether the entity or data being audited follows the established criteria or objectives, and that supports the audit conclusion.

  • Slide 49/69

    Types of Evidence

    There are two primary types of evidence, according to the legal definition:

    Direct evidence

    This proves the existence of a fact without inference or presumption. Inference is when you draw a logical and reasonable proposition from another that is supposed to be true. Direct evidence includes the unaltered testimony of an eyewitness and written documents.

    Indirect evidence

    Indirect evidence uses a hypothesis without direct evidence to make a claim that consists of both inference and presumption. Indirect evidence is based on a chain of circumstances leading to a claim, with the intent to prove the existence or nonexistence of certain facts. Indirect evidence is also known as circumstantial evidence.

  • Slide 50/69

    Grading evidence

    All evidence is graded according to criteria using four characteristics of evidence. This grading aids the auditor in assessing the evidence value. It is important to obtain the best possible evidence. The four characteristics are as follows:

  • Slide 51/69

    1. Timing of evidence

    Evidence timing indicates whether evidence is received when it is requested, or several hours or days late. In electronic systems, the timing has a secondary meaning: electronic evidence may be available only during a limited window of time before it is overwritten or the software changes to a new version.

  • Slide 52/69

    2. Evidence objectivity

    Evidence objectivity refers to its ability to be accepted and understood with very little judgment required. The more judgment required, the less objective the evidence.

    As you increase the amount of judgment necessary to support your claims, the evidence quickly becomes subjective or circumstantial, which is the opposite of objective. Objective evidence is in a state of unbiased reality during examination, without influence by another source. Objective evidence can be obtained through qualitative/quantitative measurement, and from records or statements of fact pertaining to the subject of the investigation. Objective evidence can be verified by observation, measurement or testing.

  • Slide 53/69

    3. Competency of the evidence provider

    Evidence supplied by a person with direct involvement is preferred. The source of their knowledge will affect the evidence value and accuracy. A secondhand story still holds value by providing information that may lead to the evidence the auditor is seeking.

    An expert is legally defined as a person who possesses special skill or knowledge in a science or profession because of special study or experience with the subject. An expert possesses a particular skill in forming accurate opinions about a subject; in contrast, a common person would be incapable of deducing an accurate conclusion about the same subject.

  • Slide 54/69

    4. Evidence independence

    Evidence independence is similar to auditor independence, meaning the provider should not have any gain or loss by providing the evidence. Evidence supplied by a person with a bias is often questionable. The auditor should ask whether the evidence provider is part of the auditee's organization. Qualifications of the evidence provider should always be considered. A person with a high degree of detailed understanding is vastly more qualified than an individual of limited knowledge. Evidence and data gathered from a novice may have a low value when compared to data gathered by an expert. A person who is knowledgeable and independent of the audit subject would be considered the best source of evidence.

  • Slide 55/69

    SAMPLING

  • Slide 56/69

    SAMPLING

    Statistical Sampling

    Statistical sampling uses mathematical techniques that result in an outcome that is mathematically quantifiable. Statistical samples are usually presented as a percentage. The purpose of statistical sampling is to gain an objective representation. Samples are selected by an objective mathematical process.

    Examples of statistical sampling include the following:

    Random sampling: Samples are selected at random.

    Fixed interval sampling: The sample existing at every nth interval increment is selected for testing.


  • Slide 57/69

    Nonstatistical Sampling

    Nonstatistical sampling is based on the auditor's judgment (also referred to as judgmental sampling). The auditor determines the sample size, the method of generating the sample, and the number of items to be analyzed. This is a subjective process usually based on elements of risk or materiality.

    An example of nonstatistical sampling is haphazard sampling, in which the samples are randomly drawn for testing.

    After the samples are selected, the next step is to perform compliance tests or substantive testing.


  • Slide 58/69

    Identifying Audit Testing

    As stated earlier, the basic test methods used will be either compliance testing or substantive testing. Appropriate audit samples will have to be generated for the test.

    Compliance testing tests for the presence or existence of something. Compliance testing includes verifying that policies and procedures have been put in place, and that user access rights, program change control procedures and system audit logs have been activated.

    An example of a compliance test is comparing the list of persons with physical access to the data center against the HR list of current employees.

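The data-center access test described on the slide above, worked through as an added example. This is not code from the slides or from ISACA: the badge roster, the HR list and the extra idle-badge check are constructed assumptions, and the two lists are deliberately seeded with the kinds of discrepancies a compliance test is meant to surface.

```python
from datetime import date

# Date the test is run (the deck's own date, used here as a constructed value).
AS_OF = date(2019, 8, 3)

# Constructed sample: badge roster exported from the physical access control
# system for the data-center door group. Names and ids are made up.
ACCESS_ROSTER = [
    {"badge": "B-1001", "name": "A. Okafor",    "emp_id": "E100", "last_use": date(2019, 7, 30)},
    {"badge": "B-1002", "name": "M. Reyes",     "emp_id": "E101", "last_use": date(2019, 4, 1)},
    {"badge": "B-1003", "name": "J. Lindqvist", "emp_id": "E102", "last_use": date(2019, 2, 3)},
    {"badge": "B-1004", "name": "S. Patel",     "emp_id": "E103", "last_use": date(2019, 7, 31)},
    {"badge": "B-1005", "name": "VENDOR",       "emp_id": None,   "last_use": date(2019, 7, 31)},
]

# Constructed sample: HR's list of current employees, employee id -> name.
# E102 has left the company; E104 is current but holds no badge (not an exception).
HR_CURRENT = {
    "E100": "A. Okafor",
    "E101": "M. Reyes",
    "E103": "S. Patil",   # spelled differently from the badge record on purpose
    "E104": "K. Nguyen",
}


def reconcile_access(roster, hr_current, as_of=AS_OF, max_idle_days=90):
    """Compliance test: every badge with data-center access must belong to a
    current employee whose HR name matches the badge holder. The idle-badge
    check (max_idle_days) is an added assumption, not part of the slide."""
    findings = []
    for entry in roster:
        badge, emp = entry["badge"], entry["emp_id"]
        if emp is None:
            findings.append((badge, "badge is not tied to an employee id"))
            continue
        if emp not in hr_current:
            findings.append((badge, f"{emp} is not on HR's current-employee list"))
            continue
        if hr_current[emp] != entry["name"]:
            findings.append((badge, f"holder name differs from HR record for {emp}"))
        if (as_of - entry["last_use"]).days > max_idle_days:
            findings.append((badge, f"badge unused for more than {max_idle_days} days"))
    return findings


def exception_rate(findings, roster):
    """Share of roster entries that raised at least one finding."""
    flagged = {badge for badge, _ in findings}
    return len(flagged) / len(roster)


def control_effective(findings):
    """A compliance test passes only when no exception was raised."""
    return not findings


if __name__ == "__main__":
    result = reconcile_access(ACCESS_ROSTER, HR_CURRENT)
    for badge, issue in result:
        print(f"{badge}: {issue}")
    print(f"exception rate {exception_rate(result, ACCESS_ROSTER):.0%}, "
          f"control effective: {control_effective(result)}")
```

Each finding is kept as a (badge, reason) pair so it can go straight into the working papers as evidence; a real run would replace the two constructed lists with exports from the access control system and the HR system taken on the same day, since a gap between the two extraction times is itself a source of false exceptions.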

  • Slide 59/69

    Compliance testing is based on one of the following types of audit samples:

    Attribute sampling

    The objective is to determine whether an attribute is present or absent in the subject sample. The result is specified by the rate of occurrence.

    Stop-and-go sampling

    Used when few errors are expected. Stop-and-go allows the test to occur without excessive effort in sampling and provides the opportunity to stop testing at the earliest possible opportunity. It is a simple form of testing to reinforce any claim that errors are unlikely in the sample population.

    Discovery sampling

    Used to detect fraud or when the likelihood of evidence existing is low. This is an attempt to discover evidence.

  • Slide 60/69

    Substantive testing

    Substantive testing seeks to verify the content and integrity of evidence. Substantive tests include verifying account balances, performing physical inventory counts, and executing detailed scans to detect the effectiveness of a specific system configuration. Substantive testing uses audit samples selected by dollar value or to project a total for groups with related characteristics.


  • Slide 61/69

    Substantive testing is based on one of the following types of audit samples:

    Variable sampling

    Used to designate dollar values or weights (effectiveness) of an entire subject population by prorating from a smaller sample. Consider the challenge of counting large volumes of currency by its weight. Variable sampling could be used to count currency by dividing the total weight of the combined sample by the physical weight of one unit, and then multiplying by the face value printed on the bill or coin. A demonstration would be a single $50 bill weighing 0.8 grams, with the entire sample of $50 bills weighing 48 grams altogether. The combined sample weight would indicate a total quantity of 60 bills for an estimated dollar value of $3,000. This is a common technique for forecasting the quantity and value of inventory based on particular characteristics.

    Unstratified mean estimation

    Used in an attempt to project an estimated total for the subject population.

    Stratified mean estimation

    Used to calculate an average by group, similar to demographics, whereby the entire population is divided (stratified) into smaller groups based on similar characteristics. Examples are teenagers from the ages of 13 to 19, people from the ages of 20 to 29, people from the ages of 30 to 39, and those who are male or female, smokers or nonsmokers, and so on.

    Difference estimation

    Used to determine the difference between audited and unaudited claims of value.
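The four substantive-sampling estimators on this slide, as an added example that is not code from the slides. The currency figures are the slide's own ($50 bill, 0.8 g, 48 g); the inventory numbers fed to the mean and difference estimators are constructed, and the estimators themselves are the standard textbook forms (sample mean projected over the population, stratum by stratum where stratified, and book value plus the projected mean difference), which is an assumption about what the slide abbreviates.

```python
from statistics import mean


def count_by_weight(unit_weight, total_weight):
    """Variable sampling by weight: how many units a batch contains."""
    return round(total_weight / unit_weight)


def value_by_weight(unit_weight, total_weight, face_value):
    """Units in the batch times the face value of one unit."""
    return count_by_weight(unit_weight, total_weight) * face_value


def unstratified_mean_estimate(sample_values, population_size):
    """Project a population total from one sample mean."""
    return mean(sample_values) * population_size


def stratified_mean_estimate(strata):
    """strata: iterable of (stratum population size, sample values from that
    stratum). Each stratum is projected with its own mean, then summed."""
    return sum(size * mean(values) for size, values in strata)


def difference_estimate(book_total, population_size, sample_pairs):
    """sample_pairs: (book value, audited value) for each sampled item.
    Projects the audited total as book total plus the mean difference
    scaled to the population."""
    differences = [audited - book for book, audited in sample_pairs]
    return book_total + population_size * mean(differences)


# Constructed inventory figures for the demonstration below.
SPARE_PARTS_SAMPLE = [10, 12, 14]                # units counted in 3 of 100 bins
SPARE_PARTS_BINS = 100
STRATA = [(40, [10, 10, 10]), (60, [20, 20, 20])]  # (bins in stratum, counts sampled)
BOOK_TOTAL, POPULATION = 10000, 200
BOOK_VS_AUDITED = [(50, 45), (40, 40), (30, 20)]   # (ledger value, counted value)


if __name__ == "__main__":
    print("bills:", count_by_weight(0.8, 48), "value:", value_by_weight(0.8, 48, 50))
    print("unstratified:", unstratified_mean_estimate(SPARE_PARTS_SAMPLE, SPARE_PARTS_BINS))
    print("stratified:", stratified_mean_estimate(STRATA))
    print("difference:", difference_estimate(BOOK_TOTAL, POPULATION, BOOK_VS_AUDITED))
```

The difference estimator is the one to reach for when the ledger already carries a value per item: a negative projected difference (as in the constructed data, 9,000 against a book total of 10,000) is the signal that the unaudited claim is overstated.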


  • Slide 62/69

    SAMPLING TERMS

    Tolerable error rate

    The maximum number of errors that can exist without declaring a material misstatement. Regardless of the audit sample and test method used, the auditor is presumed to have a high degree of confidence when the audit coefficient is 95 percent or higher.

    Audit coefficient

    The audit coefficient represents your level of confidence about the audit results. It is also referred to as a reliability factor.

    Precision, or expected error rate

    The precision rate indicates the acceptable margin of error between audit samples and the total quantity of the subject population. This is usually expressed as a percentage such as 5 percent. To obtain a very low error rate, it is necessary to use a very large sample in testing. The larger sample can yield a higher average.
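An attribute test tying together the sampling slides (statistical selection on slide 56, attribute sampling on slide 59 and the terms on this slide), as an added example that is not code from the slides. The sample-size formula, n = z² · p · (1 − p) / E², is the common normal-approximation form and is an assumption here, not a formula the deck gives; the population of change tickets is constructed, with an approval missing on every 37th ticket so the expected outcome is known.

```python
import math
import random

# z values for the audit coefficients (confidence levels) usually quoted.
Z_SCORES = {0.90: 1.645, 0.95: 1.960, 0.99: 2.576}


def attribute_sample_size(confidence, expected_error_rate, precision):
    """Sample size from the audit coefficient, the expected error rate p and
    the precision E (acceptable margin): n = z^2 * p * (1 - p) / E^2."""
    z = Z_SCORES[confidence]
    p = expected_error_rate
    return math.ceil(z * z * p * (1 - p) / (precision * precision))


def fixed_interval_sample(population, sample_size, start=0):
    """Fixed-interval selection: every k-th item from `start`, k = N // n."""
    if not 0 < sample_size <= len(population):
        raise ValueError("sample size must be between 1 and the population size")
    k = len(population) // sample_size
    return population[start % k::k][:sample_size]


def random_sample(population, sample_size, seed=0):
    """Random selection; the seed makes the selection reproducible for the
    working papers."""
    return random.Random(seed).sample(population, sample_size)


def attribute_test(sample, has_attribute):
    """Count sampled items lacking the attribute; returns (deviations, rate)."""
    deviations = sum(1 for item in sample if not has_attribute(item))
    return deviations, deviations / len(sample)


def within_tolerance(deviation_rate, tolerable_error_rate):
    """The control is accepted when the observed rate is at or under the
    tolerable error rate."""
    return deviation_rate <= tolerable_error_rate


# Constructed population: 400 change tickets; every 37th one lacks approval.
CHANGE_TICKETS = [{"id": i, "approved": i % 37 != 0} for i in range(400)]


def run_attribute_test(confidence=0.95, expected_error_rate=0.05,
                       precision=0.05, tolerable_error_rate=0.05):
    """Size the sample, select it at a fixed interval, test the 'approved'
    attribute and conclude against the tolerable error rate."""
    n = attribute_sample_size(confidence, expected_error_rate, precision)
    sample = fixed_interval_sample(CHANGE_TICKETS, n)
    deviations, rate = attribute_test(sample, lambda ticket: ticket["approved"])
    return {"sample_size": n, "deviations": deviations, "deviation_rate": rate,
            "within_tolerance": within_tolerance(rate, tolerable_error_rate)}


if __name__ == "__main__":
    print(run_attribute_test())
```

With the defaults the test draws 73 of 400 tickets and finds 2 unapproved ones, a 2.7 percent deviation rate, under the 5 percent tolerable rate. Swapping `fixed_interval_sample` for `random_sample` gives the other statistical selection the deck names; what must not change between runs is that the selection rule is fixed before any ticket is looked at.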

  • Slide 63/69

    Computer Assisted Audit Tools


  • Slide 64/69

    Using Computer Assisted Audit Tools

    Computer assisted audit tools (CAATs) are invaluable for compiling evidence during IS audits.

    The auditor will find several advantages of using CAATs in their analytical audit procedures.

    CAAT tools are capable of executing a variety of automated compliance tests and substantive tests that would be nearly impossible to perform manually.

    These specialized tools may include multifunction audit utilities, which can analyze logs, perform vulnerability tests, or verify the specific implementation of compliance in a system configuration compared to the intended controls.


  • Slide 65/69

    CAATs include the following types of software tools and techniques:

    - Network traffic and protocol analysis

    - Testing the configuration of specific application software such as an SQL database

    - Testing for password compliance on user login accounts

    Many CAAT tools have a built-in report writer that can generate more than one type of predefined report of findings on your behalf.

    A significant amount of time may be required to become a competent CAAT operator.

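The third CAAT technique on the slide above, password compliance on user login accounts, plus a minimal report writer, as an added example that is not code from the slides or from any CAAT product. The account export, the policy thresholds (90-day maximum password age, 60-day dormancy limit, one approved never-expires service account) and the field names are constructed assumptions.

```python
from collections import Counter
from datetime import date

# Date of the test run (the deck's own date, used here as a constructed value).
AS_OF = date(2019, 8, 3)

# Constructed sample: account attributes as a CAAT would extract them from a
# directory export. All names and dates are made up.
ACCOUNTS = [
    {"user": "aokafor", "enabled": True, "never_expires": False,
     "pw_last_set": date(2019, 6, 1), "last_logon": date(2019, 8, 1)},
    {"user": "mreyes", "enabled": True, "never_expires": False,
     "pw_last_set": date(2019, 1, 15), "last_logon": date(2019, 8, 2)},
    {"user": "svc_backup", "enabled": True, "never_expires": True,
     "pw_last_set": date(2018, 11, 1), "last_logon": date(2019, 8, 3)},
    {"user": "jlindqvist", "enabled": True, "never_expires": True,
     "pw_last_set": date(2019, 7, 1), "last_logon": date(2019, 3, 1)},
    {"user": "temp_contractor", "enabled": True, "never_expires": False,
     "pw_last_set": date(2019, 7, 20), "last_logon": None},
    {"user": "old_admin", "enabled": False, "never_expires": True,
     "pw_last_set": date(2017, 1, 1), "last_logon": None},
]

# Assumed password policy for the example; the thresholds are not from the slides.
POLICY = {
    "max_password_age_days": 90,
    "max_dormant_days": 60,
    "approved_never_expires": {"svc_backup"},
}


def password_compliance(accounts, policy, as_of=AS_OF):
    """Compliance test over enabled accounts: password age, unapproved
    non-expiring passwords, never-used and dormant accounts."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # disabled accounts are out of scope for this test
        user = acct["user"]
        if acct["never_expires"]:
            if user not in policy["approved_never_expires"]:
                findings.append((user, "password set to never expire without approval"))
        elif (as_of - acct["pw_last_set"]).days > policy["max_password_age_days"]:
            findings.append((user, "password older than maximum age"))
        if acct["last_logon"] is None:
            findings.append((user, "account has never logged on"))
        elif (as_of - acct["last_logon"]).days > policy["max_dormant_days"]:
            findings.append((user, "dormant account"))
    return findings


def write_report(findings):
    """Minimal report writer: a summary line, then one line per finding type."""
    counts = Counter(issue for _, issue in findings)
    users = {user for user, _ in findings}
    lines = [f"{len(findings)} exception(s) across {len(users)} account(s)"]
    lines += [f"  {n} x {issue}" for issue, n in sorted(counts.items())]
    return "\n".join(lines)


if __name__ == "__main__":
    print(write_report(password_compliance(ACCOUNTS, POLICY)))
```

The policy is data rather than code so the same test can be re-run against a different auditee's standard; the approved-exception set is what turns a bare never-expires flag into a finding only where no documented approval exists, which is the distinction an auditor must make before reporting the exception.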

  • Slide 66/69

    Some of the concerns for or against using CAATs include:

    - Auditor's level of computer knowledge and experience

    - Level of risk and complexity of the audit environment

    - Cost and time constraints

    - Specialized training requirements

    - Speed, efficiency and accuracy over manual operations

    - Security of the data extracted by the CAAT

  • Slide 67/69

    Control Self-Assessments

    Traditional Audit Compared to Control Self-Assessments

  • Slide 68/69

    Traditional Audit Compared to Control Self-Assessments

    A discussion of the audit process would not be complete without mentioning the benefits of using control self-assessments. The auditee can work to improve their audit score between audits by using these self-assessment techniques.

    To employ the formal skills of a professional auditor is considered a traditional audit. In a traditional audit, the auditor manages the audit through the entire audit process and renders a final opinion.

    A control self-assessment (CSA) is executed by the auditee. The auditee uses the CSA to benchmark progress with the intention of improving their score.

    The CSA process can generate benefits by empowering the staff to take ownership and accountability. With a CSA, the auditor becomes a facilitator to help guide the client's effort toward self-improvement.

    A great deal of pride can be created by the accomplishment of CSA tasks and learning the detail necessary to succeed in a traditional audit. A CSA is not going to fulfill the independence requirement, so a traditional audit will still be required. A CSA will help your client understand the specific actions

  • Slide 69/69

    THANK YOU