IS Auditing Process: Planning and Execution

Questions and Answers

Which of the following outlines the overall authority to perform an information systems (IS) audit?

  • The approved audit charter (correct)
  • The approved audit schedule
  • A request from management to perform an audit
  • The audit scope with goals and objectives

Which of the following is the key benefit of a control self-assessment (CSA)?

  • Fraud detection is improved because internal business staff are engaged in testing controls.
  • Audit expenses are reduced when the assessment results are an input to external audit work.
  • Management ownership of the internal controls supporting business objectives is reinforced. (correct)
  • Internal auditors can use the results of the assessment to shift to a consultative approach.

Which of the following would an information systems (IS) auditor MOST likely focus on when developing a risk-based audit program?

  • Business processes (correct)
  • Business strategies
  • Environmental controls
  • Administrative controls

Which of the following types of audit risk assumes an absence of compensating controls in the area being reviewed?

  • Inherent risk (B) (correct)

An information systems (IS) auditor performing a review of an application's controls finds a weakness in system software that could materially impact the application. In this situation, an IS auditor should:

  • review the relevant system software controls and recommend a detailed system software review. (B) (correct)

Which of the following is the MOST important reason for reviewing an audit planning process at periodic intervals?

  • To consider changes to the risk environment (D) (correct)

Which of the following is the MOST critical step when planning an information systems (IS) audit?

  • Performance of a risk assessment (C) (correct)

The approach an information systems (IS) auditor should use to plan IS audit coverage should be based on:

  • risk. (C) (correct)

An organization performs a daily backup of critical data and software files and stores backup media at an offsite location. The backup media are used to restore the files in case of a disruption. This is an example of a:

  • corrective control. (A) (correct)

The audit scope is specific to a single audit and does not grant authority to perform an audit.

  • False (B) (correct)

A request from management to perform an audit is sufficient because it relates to a specific audit.

  • False (B) (correct)

Executive management is required to approve the audit plan.

  • False (B) (correct)

Reviewing information security policies and procedures is normally conducted during planning.

  • False (B) (correct)

Flashcards

IS Audit

Examination of IS to assess if they comply with laws, policies, and meet confidentiality, integrity, and availability needs efficiently and effectively.

Audit Definition

Formal inspection to check compliance with standards, accuracy of records, and effectiveness of operations

Audit Charter

Ensuring the IS audit function has a clear mandate, responsibility and authority.

IS Audit Standards

Minimum level of acceptable performance by IS auditors, as per ISACA.

IS Audit Guidelines

Guidance on how to apply IS audit standards, but departures are allowed with justification.

ISACA Code of Ethics

Guiding professional conduct for ISACA members and certification holders.

ITAF (IT Audit Framework)

Standards for IS auditor roles, responsibilities, knowledge, and reporting: defines terms/concepts; provides tools/guidance

Financial Audit

An audit of IS to check if data processing is accurate and reliable.

Operational Audit

An audit to evaluate the internal control structure of a specific process or area.

Integrated Audit

Combines financial and operational audit steps to evaluate overall organizational objectives.

Fraud Audit

An audit designed to discover fraudulent activity using specific analytics.

Computer Forensic Audit

A specialized audit to collect computer evidence for legal proceedings.

Functional Audit

An evaluation of software products ensuring actual functionality matches requirement specifications.

Control Self-Assessment (CSA)

An assessment made by staff/management on the effectiveness of controls.

CSA Objective

To leverage the audit function by shifting control monitoring responsibilities to the functional areas.

Integrated Auditing

Combining different audit disciplines to assess key internal controls, focusing on risk.

Risk-Based Audit

Identifying and categorizing risk based on the nature of the business.

Audit Risk

The risk that audit information contains a material error that goes undetected.

Inherent Risk

Risk level without considering management's implemented controls.

Control Risk

Risk that a material error won't be prevented or detected by internal controls.

Detection Risk

Risk that material errors won't be detected by the IS auditor.

Overall Audit Risk

Overall risk that the auditor may not detect a material error.

Materiality

Importance of information based on its impact on the entity being audited.

Risk Assessment

An organization's method to identify, quantify, and prioritize risk against acceptance criteria.

Risk Analysis

The analysis used to identify risk and vulnerabilities during audit planning.

Controls

Policies, procedures and structures implemented to reduce organizational risk.

Control Objective

Objective designed to help in fulfilling strategic company goals.

Control Measure

Activity contributing to the fulfillment of a control objective.

IS Control Objectives

Objectives designed to safeguard data and to ensure the integrity of the SDLC, operating systems and applications.

Managerial Controls

Controls related to oversight, reporting, and procedures.

Study Notes

Overview of the IS Auditing Process

  • IS auditing encompasses standards, principles, methods, guidelines, practices, and techniques that auditors use to plan and execute audits.
  • IS auditors need a deep understanding of the auditing process, IS processes, business processes, and controls for organizational objectives.
  • Domain 1 of the CISA exam covers this area, representing 18% of the exam with approximately 27 questions.

Planning Phase

  • 1.1 IS Audit Standards, Guidelines, Functions, and Codes of Ethics
    • Outlines the audit standards, guidelines, functions and codes of ethics.
  • 1.2 Types of Audits, Assessments, and Reviews
    • Considers the various types of audits, assessments and reviews.
  • 1.3 Risk-Based Audit Planning
    • Plans around risk mitigation by analyzing the business.
  • 1.4 Types of Controls and Considerations
    • Considers what types of controls should be implemented.

Execution Phase

  • 1.5 Audit Project Management
    • Manages and maintains oversight of the audit.
  • 1.6 Audit Testing and Sampling Methodology
    • Audit data should be tested and sampled appropriately.
  • 1.7 Audit Evidence Collection Techniques
    • Collect audit evidence to support the audit.
  • 1.8 Audit Data Analytics
    • Audit data should be analyzed to see if controls are sufficient.
  • 1.9 Reporting and Communication Techniques
    • Audit findings must be communicated effectively.
  • 1.10 Quality Assurance and Improvement of the Audit Process
    • Constantly improve on auditing processes.

Learning Objectives

  • Plan audits to determine if information systems are properly protected, controlled, and adding value.
  • Conduct audits according to IS audit standards and risk-based strategies.
  • Utilize project management methodologies in the audit process.
  • Communicate audit progress, findings, and recommendations to stakeholders.
  • Conduct post-audit follow-ups to ensure risks are properly addressed.
  • Utilize data analytics tools to enhance audit processes.
  • Evaluate the role and impact of automation and decision-making systems.
  • Evaluate audit processes as part of quality assurance and improvement programs.
  • Evaluate an organization's enterprise risk management (ERM) program.
  • Evaluate the readiness of information systems for implementation and migration into production.
  • Evaluate potential opportunities and risks associated with emerging technologies, regulations, and industry practices.

IS Audit Standards, Guidelines, Functions and Codes of Ethics

  • Adherence to commonly accepted standards is critical for the credibility of IS audit activities.
  • Elements are defined within ISACA's IS audit and assurance standards and guidelines.
  • ISACA's code of professional ethics guides the professional and personal conduct of ISACA members and certification holders.

ISACA IS Audit and Assurance Standards

  • Standards define the minimum requirements for IS auditing and reporting.
  • Inform their audiences: IS auditors about the level of performance expected of them, and management about what to expect of audit work.
  • The framework provides multiple levels of documents, including standards, guidelines and tools.
  • Standards define mandatory requirements.
  • Guidelines offer implementation guidance; the IS auditor should use professional judgment and be prepared to justify any departures from the guidelines.
  • Tools and techniques are examples of processes for the auditor and provide information but do not set requirements.
  • Categories include general, performance and reporting.

ISACA IS Audit and Assurance Guidelines

  • Guidelines provide implementation guidance for the standards.
  • Auditors should use professional judgment when applying guidelines to specific audits and be able to justify any departures.

ISACA Code of Professional Ethics

  • The Code guides both ISACA members and certification holders in their professional and personal behaviour.
  • Requires support for standards and procedures for the governance of enterprise information systems and technology.
  • Mandates that duties be performed with objectivity, due diligence and professional care.
  • Requires that stakeholders' lawful interests be served, maintaining high standards of conduct and not discrediting the profession.
  • Requires that privacy and confidentiality be maintained, unless disclosure is legally required.
  • Requires competence in respective fields and undertaking only activities reasonably expected to be completed with necessary skills.
  • Mandates informing appropriate parties about the work results, disclosing all known significant facts that could distort the reporting of results.
  • Requires supporting stakeholders' understanding of the governance of enterprise information systems and technology.

ITAF (IT Audit Framework)

  • It's a comprehensive reference model that establishes standards, defines terms, and provides guidance/tools for IS audit and assurance.

IS Internal Audit Function

  • An audit charter, approved by the board or senior management, should define the role of the IS internal audit function to maintain a clear mandate.
  • IS audit can be part of internal audit, an independent group, or function as an audit support function.
  • The charter should clearly state management's responsibility for, and delegation of authority to, the IS audit function. It should be approved by the highest level of management and by the audit committee, if one exists.
  • The responsibility, authority and accountability of the IS audit function should be documented in an audit charter or formal contract/statement of work if services are provided by an external firm.
  • The IS internal audit function should remain independent and report to an audit committee or the highest management level.

Management of the IS Audit Function

  • The IS audit function must be managed and led to align with audit objectives while maintaining independence and competence.
  • Audit management should ensure the IS audit function adds value by contributing to senior management's achievement of IT and business objectives.

IS Audit Resource Management

  • Auditors should maintain their competency through continuing professional education.
  • Skills and necessary knowledge should be a factor when tasks are delegated.
  • Ensure that a training plan is drawn up and updated periodically to align with technical and business developments.

Using the Services of Other Auditors and Experts

  • Consider using other expert auditors when there is not enough staff or a need for greater expertise in a subject.
  • Outsourcing IS assurance and security services is a common practice; external experts include technology specialists and subject matter experts in areas such as finance or law.

Outsourcing Considerations

  • Restrictions by laws/regulations.
  • Audit charter stipulations.
  • Impact on objectives, risk/liability and independence.
  • Competence, qualifications and scope.
  • Supervisory and communicative controls.
  • Legal/regulatory compliance, professional standards.
  • Nature of assignment: testimonials, access, confidentiality, CAATs, non-disclosure.
  • IS auditor monitoring ensures objectivity; professional liability is not necessarily delegated to other auditors.

Monitoring External Service Providers

  • Communicate objectives, scope and methodology through engagement letters.
  • Establish monitoring of planning, supervision, review and documentation, looking at sufficiency and appropriateness.
  • Confirm that the audit charter is observed, the defined auditable period is followed, any assumptions are identified, and conclusions have management approval.
  • Assess external providers' reports and assess the impact of findings on objectives.

Types of Audits, Assessments and Reviews

  • Auditors should understand the various types of audits, assessments and reviews that can be performed by internal or external auditors.
  • Audits have higher levels of assurance than broader assessments and reviews.
  • Assessments and reviews focus on opportunities, employee perception, policy goals, etc.
  • Some examples include:
    • IS Audit: Evaluates safeguards, data integrity, goal achievement and effectiveness.
    • Compliance Audit: Tests adherence to regulations or industry practices.
    • Financial Audit: Assesses the accuracy of financial reporting; risk- and control-based in focus.
    • Operational Audit: Evaluates internal control structures (e.g., IS audits of application controls).
    • Integrated Audit: Combines financial and operational steps, assesses overall objectives and ensures compliance.
    • Administrative Audit: Assesses operational productivity and efficiency.
    • Specialized Audit: Fraud or 3rd party reviews.
    • Third-party Audit: Audits outsourced processes and provides an opinion through a service auditor's report.
    • Fraud Audit: Searches for fraudulent activity using data analysis techniques.
    • Forensic Audit: Focuses on fraud and crime, developing evidence for law enforcement.
    • Computer Forensic Audit: Gathers and preserves evidence from computing devices for analysis.
    • Functional Audit: Independent evaluation of software products to confirm that actual functionality matches requirement specifications.
    • Readiness Assessment: Reviews compliance with documented standards.

Control Self-Assessment (CSA)

  • CSA shifts control monitoring responsibilities to the functional areas that own the controls.
  • Used to formally review key business objectives, assess the associated risks and confirm the internal controls designed to manage that risk.
  • The IS auditor acts as a facilitator, guiding business process owners in identifying the controls appropriate to protect the business.
  • Owners and personnel use understanding to evaluate controls versus objectives, while considering the organization's risk appetite.

CSA Program Implementation

  • Implementation can happen through questionnaires, facilitated workshops and peer reviews.
  • Workshop facilitators foster an environment in which participants discuss their experiences and exchange understanding and expertise.
  • CSA programs use measures to gauge the value of the program and to identify the key elements of internal control and their reliability.

Benefits of CSA

  • Some benefits include:
    • Early risk detection and more cohesive teams.
    • Ownership of controls.
    • Employee awareness.
    • Communication with top management.

Disadvantages of CSA

  • Replacing other audits
  • Possible additional workload
  • Damaged employee morale if suggestions are ignored.
  • Lack of knowledge may limit the effectiveness of the detection of weak controls.

IS Auditor's Role in CSA

  • Auditors become facilitators of management-led control assessment, helping to improve the control structure and its monitoring in close to real time.
  • The auditor improves client assessment by insight on the design/objectives of controls, and may recommend replacements.

Integrated Auditing

  • Because business success depends on IS, all auditors must develop an understanding of the IT aspects of the control structure.
  • Risk is understood by topical areas of IS such as information management, IT infrastructure, IT governance and IT operations.
  • Emerging risk is addressed by considering its effects on processing and data in an integrated approach.

Risk-Based Audit Planning

  • This occurs at the beginning to establish an overall goal and audit plans, consisting of short and long term planning.
  • Short term is what will be covered during the year.
  • Long term considers risk with strategic direction.
  • Risk assessment in a risk-based audit is determined qualitatively/quantitatively.
  • Risk factors determine the likelihood (frequency) and business impact of each risk scenario.

Constructing the Audit Plan

  • All highly rated processes are included.
  • The ideal plan may not be achievable due to resource constraints; the difference highlights coverage gaps.
  • Short- and long-term plans should be reassessed at least annually to reflect changes in risk, in audit techniques and in review requirements.

Individual Audit Assignments

  • The IS auditor should take into account factors such as implementation deadlines, new technologies and requests from process owners.
  • Understanding the business is needed to identify the systems and practices relevant to the audit.

Steps for Audit Planning

  • Understanding of the company mission, objectives, processes and the information that must be kept confidential.
  • Understanding of the organization's governance structure relevant to the audit.
  • Understanding of changes on the business side of the auditee.
  • Review prior work papers and their contents. Assess risk to design a complete plan of approach.

Laws and Regulations Effect on the Audit

  • Companies of every size and type must meet a number of governmental compliance requirements related to IS control.
  • Growing regulatory attention to IS assurance and audit is recognized. Management should be concerned with external requirements that bear on the goals and plans of information services activities.
  • Legal requirements include:
    • Laws/regulations, agreements and requirements placed on the auditee.
    • In particular, requirements on handling and protecting personal data.
  • Identifying compliance includes:
    • Laws/regulations that require identification of controls over security, data types and storage.
    • Whether IT assessments are effective in informing plans.
    • Policies and procedures for meeting regulatory requirements, such as service provider responsibilities.

Deploying Resources

  • Effective audit resource deployment is based on assessment of the areas of greatest risk to the organization.
  • Specifically assess: external factors, objectives, business services and risk assessment.

Assessment to the Audit

  • Auditors cannot rely solely on risk to find/determine what the state of IS security is.
  • The auditors also must rely on: Internal controls, operational controls, company knowledge, assessment weights, risk assessment approaches.
  • Technology matters too. For example, an airline is subject to safety and economic changes that affect its operations.
  • IT service availability and reliability are critical. Risk also arises when an organization pursues new, unproven objectives.

Evaluate Business

  • You must understand the nature of the business to determine risks, such as risk weights and assessment types, which help conduct the audit.

Audit Risk and Materiality

  • The audit must be planned so that it is carried out effectively and the potential risks are addressed.
  • The company's key factors are its data, its image, its foundation and its organization.
  • The audit is affected by a few types of risk:
    • Inherent risk: the risk level of the entity without considering management's controls.
    • Control risk: the risk that a material error is not prevented or detected in time by internal controls.
    • Detection risk: the risk that a material error is not detected by the auditor.
    • Overall audit risk: the risk that the auditor may not detect a material error.
  • Materiality affects which IT activities are considered; a higher level of review can reduce risk and give insight into the operation.

Elements to Understand

  • The organization's risk acceptance and assessment criteria, and its relevant objectives.
  • The results should inform management actions and priorities, the management of IS risk and priorities, and control implementation.
  • They should address changes in requirements, the risk landscape and performance.
  • Auditors may assist in these efforts, but responsibility rests with IT management.
  • Refer to the specific section on IS audit.

Assessment Techniques

  • Auditors face a wide variety of audit subjects and need to narrow in on the high-risk areas. Various methodologies exist for rating an area as high or low risk; factors such as the complexity of, or knowledge of, the IS areas may be used to arrive at a proper process.

Auditor Risk Assessment

  • Risk assessment enables auditors to manage risk effectively with limited resources.
    • It is the key for management and the board to ensure that audit activities address the high-risk areas. It establishes what the audit department should cover and what will be useful for better results. Review the following points to help with the assessment process:

Gathering

  • Gather information to build a proper plan for determining the controls needed to reduce risk; use analysis to identify those controls.

Risk of Controls

  • Control risk analysis is used in the audit to determine the effectiveness of controls and which areas need more extensive testing.
  • Overall, these steps provide a straightforward approach to risk assessment.
  • Be aware of ethical considerations and human interference.
