The IS Audit Process
Domain 1: The IS Audit Process
Jimmy Ardiansyah
Arkansas – September 9, 2005
Knowledge Domain
5 Tasks
Tasks related to IS audit to be carried out by an IS auditor
10 Knowledge Statements
What are the process requirements an IS auditor needs to know for carrying out an IS audit
The Five Tasks
1. Develop and implement a risk-based IS audit strategy for the organization in compliance with IS audit standards, guidelines and best practices.
2. Plan specific audits to ensure that IT and business systems are protected and controlled.
3. Conduct audits in accordance with IS audit standards, guidelines and best practices to meet planned audit objectives.
4. Communicate emerging issues, potential risks and audit results to key stakeholders.
5. Advise on the implementation of risk management and control practices within the organization while maintaining independence.
Ten Knowledge Statements
1. Knowledge of ISACA IS Auditing Standards, Guidelines and Procedures and Code of Professional Ethics
2. Knowledge of IS auditing practices and techniques
3. Knowledge of techniques to gather information and preserve evidence
4. Knowledge of the evidence life cycle
5. Knowledge of control objectives and controls related to IS
6. Knowledge of risk assessment in an audit context
7. Knowledge of audit planning and management techniques
8. Knowledge of reporting and communication techniques
9. Knowledge of control self-assessment (CSA)
10. Knowledge of continuous audit techniques
Task No.1
Develop and implement a risk-based IS audit strategy for the organization in compliance with IS audit standards, guidelines and best practices.
Risk Based Audit Approach
Align audit tests and findings with the business risks.
Audit approach should enable identification of risks.
Focus on critical/high-risk areas and not on the entire organization.
Focus on risks rather than volume.
Audit planning and frequency based on risk profile.
Reporting focuses on process improvement and risk management.
Efficient commitment of audit resources.
Compliance with Standards, Guidelines & Procedures
Risk assessment helps in selecting auditable units and including in the IS annual plan those that have the greatest risk exposure.
Risk assessment exercises should be carried out and documented at least on an annual basis.
Risk assessment allows the IS auditor to quantify and justify the amount of IS audit resources needed.
3 Types of Risks:
Inherent risk
Control risk
Detection risk
How should the IS auditor consider these risks during the course of an IS audit?
Inherent Risk
Inherent risk is the susceptibility of an audit area to error which could be material, assuming that there are no related internal controls.
In assessing the inherent risk, the IS auditor should consider both pervasive and detailed IS controls.
Control Risk
Control risk is the risk that an error which could occur in an audit area, and which could be material, will not be prevented or detected and corrected on a timely basis by the internal control system.
Control Risk
The IS auditor should assess the control risk as high unless relevant internal controls are:
Identified
Evaluated as effective
Tested and proved to be operating appropriately
Detection Risk
Detection risk is the risk that the IS auditor’s substantive procedures will not detect an error which could be material.
In determining the level of substantive testing required, the IS auditor should consider both:
The assessment of inherent risk
The conclusion reached on control risk following compliance testing
The higher the assessment of inherent and control risk, the more audit evidence the IS auditor should normally obtain from the performance of substantive audit procedures.
Task No. 2
Plan specific audits to ensure that IT and business systems are protected and controlled.
Plan Specific Audits
The IS auditor should plan the information systems audit coverage.
The IS auditor should develop and document an audit plan.
The IS auditor should develop an audit program.
Components of Planning Process
Business requirements
Knowledge requirements
Materiality
Risk assessment
Internal control evaluation
Documentation
Materiality
The IS auditor should ordinarily establish levels of planning materiality such that the audit work will be sufficient to meet the audit objectives and will use audit resources efficiently.
Risk Assessment
To provide reasonable assurance that all material items will be adequately covered during the audit work.
Should identify areas with relatively high risk of existence of material problems.
Internal Control Evaluation
Provides a basis for reliance upon information being gathered as a part of the auditing project.
What do you evaluate:
Existence of controls (Compliance Testing)
Effectiveness of control (Substantive Testing)
Effect of irregular or illegal acts
The Effect of Lack of Controls
Loss of information confidentiality and privacy
Systems not being available for use when needed
Unauthorized access and changes to systems, applications or data integrity, loss of data protection or systems unavailability
Examples of IS Controls
Implementation of software packages
System security parameters
Disaster recovery planning
Data input validation
Exception report production
Locking of user accounts after invalid attempts to access them
Effect of Pervasive Controls
Strong pervasive IS controls can contribute to the assurance which may be obtained by an IS auditor in relation to detailed IS controls.
Weak pervasive IS controls may undermine strong detailed IS controls or exacerbate weaknesses at the detailed level.
Task No.3
Conduct audits in accordance with IS audit standards, guidelines and best practices to meet planned audit objectives.
Performance of Audit Work
Supervision
Evidence
Documentation
Supervision
IS audit staff should be supervised to provide reasonable assurance that audit objectives are accomplished and applicable professional auditing standards are met.
Evidence
During the course of the audit, the IS auditor should obtain sufficient, reliable and relevant evidence to achieve the audit objectives. The audit findings and conclusions are to be supported by appropriate analysis and interpretation of this evidence.
Documentation
The audit process should be documented, describing the audit work performed and the audit evidence that supports the IS auditor's findings and conclusions.
Task No.4
Communicate emerging issues, potential risks and audit results to key stakeholders.
Communicating
The IS auditor should provide a report, in an appropriate form, upon completion of the audit.
The report should identify the organization, the intended recipients and any restrictions on circulation.
The audit report should state the scope, objectives, period of coverage and the nature, timing and extent of the audit work performed.
Reporting and Presentation Criteria
Measurable—Provide for consistent measurement
Objective—Free from bias
Complete—Include all relevant factors to reach a conclusion
Relevant—Relate to the subject matter
Types of Services
An IS auditor may perform any of the following:
Audit (direct or attest)
Review (direct or attest)
Agreed-upon procedures
Audit Opinion
The IS auditor’s opinion is restricted because of the nature of internal controls and the inherent limitations of any set of internal controls and their operations. These limitations include:
Management’s usual requirement that the cost of an internal control does not exceed the expected benefits to be derived
Most internal controls tend to be directed at routine rather than non-routine transactions/events
Audit Opinion
The possibility that management may not be subject to the same internal controls applicable to other personnel
The possibility that internal controls may become inadequate due to changes in conditions, and compliance with procedures may deteriorate
Task No. 5
Advise on the implementation of risk management and control practices within the organization while maintaining independence.
Other Knowledge Requirements
Knowledge of control self-assessment (CSA)
Knowledge of continuous audit techniques
References:
CISA Review Manual
ISACA.org
IITG.org
Information
To obtain the copy (.ppt file), please send request to: [email protected]
visit to: http://komputer-teknologi.net