CISA Exam Information System Auditing Process PDF

Summary

This document is a chapter from a manual designed to help with the CISA exam. It covers the information systems (IS) auditing process, audit planning, and execution. Key topics include risk-based auditing, control self-assessment, and data analytics tools. The document contains self-assessment questions to assist in the preparation for the IS audit exam.

Full Transcript


Chapter 1: Information System Auditing Process

Contents

Overview
Domain 1 Exam Content Outline
Learning Objectives/Task Statements
Suggested Resources for Further Study
Self-Assessment Questions
Chapter 1 Answer Key

Part A: Planning
1.1 IS Audit Standards, Guidelines, Functions and Codes of Ethics
1.2 Types of Audits, Assessments and Reviews
1.3 Risk-Based Audit Planning
1.4 Types of Controls and Considerations

Part B: Execution
1.5 Audit Project Management
1.6 Audit Testing and Sampling Methodology
1.7 Audit Evidence Collection Techniques
1.8 Audit Data Analytics
1.9 Reporting and Communication Techniques
1.10 Quality Assurance and Improvement of the Audit Process

Case Study
Chapter 1 Answer Key

Overview

The information systems (IS) auditing process encompasses the standards, principles, methods, guidelines, practices and techniques that an IS auditor uses to plan and execute audits of information systems supporting critical business processes. An IS auditor must have a thorough understanding of this auditing process and of IS processes, business processes and the controls designed to achieve organizational objectives.

This domain represents 18 percent of the CISA exam (approximately 27 questions).

Domain 1 Exam Content Outline

Part A: Planning
1. IS Audit Standards, Guidelines, Function and Codes of Ethics
2. Types of Audits, Assessments and Reviews
3. Risk-based Audit Planning
4. Types of Controls

Part B: Execution
1. Audit Project Management
2. Audit Testing and Sampling Methodology
3. Audit Evidence Collection Techniques
4. Audit Data Analytics (including audit algorithms)
5. Reporting and Communication Techniques
6. Quality Assurance and Improvement of Audit Process

Learning Objectives/Task Statements

Within this domain, the IS auditor should be able to:
Plan an audit to determine whether information systems are protected, controlled and provide value to the organization.
Conduct audits in accordance with IS audit standards and a risk-based IS audit strategy.
Apply project management methodologies to the audit process.
Communicate and collect feedback on audit progress, findings, results and recommendations with stakeholders.
Conduct post-audit follow-up to evaluate whether identified risk has been sufficiently addressed.
Utilize data analytics tools to enhance audit processes.
Evaluate the role and/or impact of automation and/or decision-making systems for an organization.
Evaluate audit processes as part of quality assurance and improvement programs.
Evaluate the organization's enterprise risk management (ERM) program.
Evaluate the readiness of information systems for implementation and migration into production.
Evaluate potential opportunities and risks associated with emerging technologies, regulations and industry practices.

Suggested Resources for Further Study

ISACA Audit Programs and Tools, https://www.isaca.org/resources/insights-and-expertise/audit-programs-and-tools
ISACA Frameworks, Standards and Models, https://www.isaca.org/resources/frameworks-standards-and-models
ISACA, IT Audit Framework (ITAF™): A Professional Practices Framework for IT Audit, 4th Edition, https://store.isaca.org/s/store#/store/browse/detail/a2S4w000004Ko91EAC
ISACA IT Audit, https://www.isaca.org/resources/it-audit
ISACA White Papers, https://www.isaca.org/resources/insights-and-expertise/white-papers

Self-Assessment Questions

CISA self-assessment questions support the content in this manual and provide an understanding of the type and structure of questions that typically appear on the exam. Often a question will require the candidate to choose the MOST likely or BEST answer among the options provided. Please note that these questions are not actual or retired exam items. Please see the section About This Manual for more guidance regarding practice questions.

1. Which of the following outlines the overall authority to perform an information systems (IS) audit?
A. The audit scope with goals and objectives
B. A request from management to perform an audit
C. The approved audit charter
D. The approved audit schedule

2. Which of the following is the key benefit of a control self-assessment (CSA)?
A. Management ownership of the internal controls supporting business objectives is reinforced.
B. Audit expenses are reduced when the assessment results are an input to external audit work.
C. Fraud detection is improved because internal business staff are engaged in testing controls.
D. Internal auditors can use the results of the assessment to shift to a consultative approach.

3. Which of the following would an information systems (IS) auditor MOST likely focus on when developing a risk-based audit program?
A. Business processes
B. Administrative controls
C. Environmental controls
D. Business strategies

4. Which of the following types of audit risk assumes an absence of compensating controls in the area being reviewed?
A. Control risk
B. Detection risk
C. Inherent risk
D. Sampling risk

5. An information systems (IS) auditor performing a review of an application's controls finds a weakness in system software that could materially impact the application. In this situation, an IS auditor should:
A. disregard these control weaknesses because a system software review is beyond the scope of this review.
B. conduct a detailed system software review and report the control weaknesses.
C. include a statement in the report that the audit was limited to a review of the application's controls.
D. review the relevant system software controls and recommend a detailed system software review.

6. Which of the following is the MOST important reason for reviewing an audit planning process at periodic intervals?
A. To plan for deployment of available audit resources
B. To consider changes to the risk environment
C. To provide inputs for documentation of the audit charter
D. To identify the applicable IS audit standards

7. Which of the following is a KEY benefit of a control self-assessment (CSA)?
A. Management ownership of the internal controls supporting business objectives is reinforced.
B. Audit expenses are reduced when the assessment results are an input to external audit work.
C. Fraud detection is improved because internal business staff are engaged in testing controls.
D. Internal auditors can use the results of the assessment to shift to a consultative approach.

8. Which of the following is the MOST critical step when planning an information systems (IS) audit?
A. Review of prior audit findings
B. Executive management's approval of the audit plan
C. Review of information security policies and procedures
D. Performance of a risk assessment

9. The approach an information systems (IS) auditor should use to plan IS audit coverage should be based on:
A. risk.
B. materiality.
C. fraud monitoring.
D. sufficiency of audit evidence.

10. An organization performs a daily backup of critical data and software files and stores backup media at an offsite location. The backup media are used to restore the files in case of a disruption. This is an example of a:
A. preventive control.
B. management control.
C. corrective control.
D. detective control.

Chapter 1 Answer Key

Self-Assessment Questions

1. Correct answer: C.
A. The audit scope is specific to a single audit and does not grant authority to perform an audit.
B. A request from management to perform an audit is not sufficient because it relates to a specific audit.
C. The approved audit charter outlines the auditor's responsibility, authority and accountability.
D. The approved audit schedule does not grant authority to perform an audit.

2. Correct answer: A.
A. The objective of control self-assessment (CSA) is to have business managers become more aware of the importance of internal control and their responsibility in terms of corporate governance.
B. Reducing audit expenses is not a key benefit of CSA.
C. Improved fraud detection is important but not as important as control ownership. It is not a principal objective of CSA.
D. CSA may give more insight to internal auditors, allowing them to take a more consultative role; however, this is an additional benefit, not the key benefit.

3. Correct answer: A.
A. A risk-based audit approach focuses on understanding the nature of the business and being able to identify and categorize risk. Business risk impacts the long-term viability of a specific business. Thus, an information systems (IS) auditor using a risk-based audit approach must be able to understand business processes.
B. Administrative controls, while an important subset of controls, are not the primary focus needed to understand the business processes within the scope of an audit.
C. Like administrative controls, environmental controls are an important control subset; however, they do not address the high-level, overarching business processes under review.
D. Business strategies are the drivers for business processes; however, in this case, an IS auditor is focusing on the business processes that were put in place to enable the organization to implement its strategies.

4. Correct answer: C.
A. Control risk is the risk that a material error exists that will not be prevented or detected in a timely manner by the system of internal controls.
B. Detection risk is the risk that a material misstatement with a management assertion will not be detected by an audit and assurance professional's substantive tests. It consists of two components: sampling risk and non-sampling risk.
C. Inherent risk is the risk level or exposure assessed without considering the actions that management has taken or might take.
D. Sampling risk is the risk that incorrect assumptions are made about the characteristics of a population from which a sample is taken. Non-sampling risk is detection risk that is unrelated to sampling; it can be due to a variety of reasons, including human error.

5. Correct answer: D.
A. An information systems (IS) auditor is not expected to ignore control weaknesses just because they are outside the scope of a current review.
B. Conducting a detailed system software review may hamper the audit's schedule, and an IS auditor may not be technically competent to do such a review at the time of the audit.
C. If control weaknesses have been discovered by an IS auditor, they should be disclosed. By issuing a disclaimer, this responsibility would be waived.
D. The appropriate option is to review the relevant system software controls and recommend a detailed system software review, for which additional resources may be recommended.

6. Correct answer: B.
A. Deployment of available audit resources is determined by the audit assignments, which are influenced by the planning process.
B. Short- and long-term issues that drive audit planning can be heavily impacted by changes to the risk environment, technologies and business processes of the enterprise.
C. The audit charter reflects the mandate of top management to the audit function and resides at a more abstract level.
D. Applicability of information systems (IS) audit standards, guidelines and procedures is universal to any audit engagement and is not influenced by short- and long-term issues.

7. Correct answer: A.
A. The objective of control self-assessment (CSA) is to have business managers become more aware of the importance of internal control and their responsibility in terms of corporate governance.
B. Reducing audit expenses is not a key benefit of CSA.
C. Improved fraud detection is important but not as important as control ownership. It is not a principal objective of CSA.
D. CSA may give more insight to internal auditors, allowing them to take a more consultative role; however, this is an additional benefit, not the key benefit.

8. Correct answer: D.
A. The findings of a previous audit are of interest to the auditor, but reviewing them is not the most critical step. The most critical step involves finding the current issues or high-risk areas, not reviewing the resolution of older issues. A review of historical audit findings could indicate that management is not resolving the risk items identified or that the recommendations were ineffective.
B. Executive management is not required to approve the audit plan. It is typically approved by the audit committee or board of directors. Management could recommend areas to audit.
C. Reviewing information security policies and procedures is normally conducted during fieldwork, not planning.
D. Of all the steps listed, performing a risk assessment is the most critical. Risk assessment is required by ISACA IS Audit and Assurance Standard 1201 (Risk Assessment in Planning), statement 1201.2: "IT audit and assurance practitioners shall identify and assess risk relevant to the area under review when planning individual engagements." In addition to the standards requirement, if a risk assessment is not performed, then high-risk areas of the auditee's systems or operations may not be identified for evaluation.

9. Correct answer: A.
A. Audit planning requires a risk-based approach.
B. Materiality pertains to potential weaknesses or absences of controls while planning a specific engagement, and whether such weaknesses or absences of controls could result in a significant deficiency or a material weakness.
C. Fraud monitoring pertains to the identification of fraud-related transactions and patterns and may play a part in audit planning, but only as it pertains to organizational risk.
D. Sufficiency of audit evidence pertains to the evaluation of the sufficiency of evidence obtained to support conclusions and achieve specific engagement objectives.

10. Correct answer: C.
A. Preventive controls are those that avert problems before they arise. Backup media cannot be used to prevent damage to files and, therefore, cannot be classified as preventive controls.
B. Management controls modify processing systems to minimize repeat occurrences of the problem. Backup media do not modify processing systems and, therefore, do not fit the definition of management controls.
C. A corrective control helps to correct or minimize the impact of a problem. Backup media can be used to restore the files in case of damage to the files, thereby reducing the impact of a disruption.
D. Detective controls help to detect and report problems as they occur. Backup media do not aid in detecting errors.

Part A: Planning

Audits are conducted for a variety of reasons. An audit can help an organization ensure effective operations, affirm its compliance with various regulations and confirm that the business is functioning well and is prepared to meet potential challenges. An audit can also help to gain assurance on the level of protection available for information assets. Most significantly, an audit can assure stakeholders of the financial, operational and ethical well-being of the organization. IS audits support all of those outcomes, with a special focus on the information and related systems upon which most businesses and public institutions depend for competitive advantage.

IS audit is the formal examination and/or testing of information systems to determine whether:
Information systems are in compliance with applicable laws, regulations, contracts and/or industry guidelines.
Information systems and related processes comply with governance criteria and related and relevant policies and procedures.
Confidentiality, integrity and availability of IS data meet appropriate levels based on measurable metrics.
IS operations are being accomplished efficiently and effectiveness targets are being met.

During the audit process, an IS auditor reviews the control framework, gathers evidence, evaluates the strengths and weaknesses of internal controls based on the evidence and prepares an audit report that presents findings and recommendations for remediation to stakeholders in an objective manner.
In general terms, the typical audit process consists of three major phases (figure 1.1):
Planning
Fieldwork/documentation
Reporting/follow-up

Figure 1.1—Typical Audit Process Phases (Source: ISACA, Information Systems Auditing: Tools and Techniques—Creating Audit Programs, USA, 2016)

These main phases can be further broken down into subphases; for example, the reporting phase can be broken down into report writing and issuance, issue follow-up and audit closing. The organization and naming of these phases can be customized as long as the procedures and outcomes comply with applicable audit standards such as the IT Audit Framework (ITAF).

Note: Information systems are defined as the combination of strategic, managerial and operational activities and related processes involved in gathering, processing, storing, distributing and using information and its related technologies. Information systems are distinct from information technology (IT) in that an information system has an IT component that interacts with the people and process components. IT is defined as the hardware, software, communication and other facilities used to input, store, process, transmit and output data in whatever form. The terms "IS" and "IT" will be used according to these definitions throughout this manual.

1.1 IS Audit Standards, Guidelines, Functions and Codes of Ethics

The credibility of any IS audit activity is largely determined by its adherence to commonly accepted standards. The fundamental elements of IS audit are defined and provided within ISACA's IS audit and assurance standards and guidelines. ISACA's Code of Professional Ethics guides the professional and personal conduct of ISACA members and certification holders.
1.1.1 ISACA IS Audit and Assurance Standards

ISACA IS Audit and Assurance Standards define mandatory requirements for IS auditing and reporting and inform a variety of audiences of critical information, such as:
For IS auditors, the minimum level of acceptable performance required to meet the professional responsibilities set out in the ISACA Code of Professional Ethics
For management and other interested parties, the profession's expectations concerning the work of practitioners
For holders of the CISA designation, their professional performance requirements

The framework for the ISACA IS Audit and Assurance Standards provides for multiple levels of documents:
Standards define mandatory requirements for IS audit and assurance and reporting.
Guidelines provide guidance in applying IS audit and assurance standards. The IS auditor should consider guidelines in determining how to implement the standards, use professional judgment in their application and be prepared to justify any departures.
Tools and techniques provide examples of processes an IS auditor might follow in an audit engagement. The tools and techniques documents provide information on how to meet standards when completing IS auditing work, but they do not set requirements.

ISACA IS Audit and Assurance Standards are divided into general, performance and reporting categories:
General—Provide the guiding principles under which the IS assurance profession operates. They apply to the conduct of all assignments and deal with an IS auditor's ethics, independence, objectivity, due care, knowledge, competency and skill.
Performance—Deal with the conduct of the assignment, such as planning and supervision; scoping; risk and materiality; resource mobilization; supervision and assignment management; audit and assurance evidence; and the exercising of professional judgment and due care.
Reporting—Address the types of reports, means of communication and the information communicated.

1.1.2 ISACA IS Audit and Assurance Guidelines

ISACA IS Audit and Assurance Guidelines provide guidance and information on how to comply with the ISACA IS Audit and Assurance Standards. An IS auditor should:
Consider the guidelines in determining how to implement the ISACA IS Audit and Assurance Standards
Use professional judgment in applying them to specific audits
Be able to justify any departure from the ISACA IS Audit and Assurance Standards

Note: The CISA candidate is not expected to know specific ISACA standard and guideline numbering or to memorize any specific ISACA IS audit and assurance standard or guideline. However, the exam will test a CISA candidate's ability to apply these standards and guidelines within the audit process.

1.1.3 ISACA Code of Professional Ethics

ISACA's Code of Professional Ethics guides the professional and personal conduct of ISACA members and certification holders. ISACA members and certification holders shall:
1. Support the implementation of, and encourage compliance with, appropriate standards and procedures for the effective governance and management of enterprise information systems and technology, including audit, control, security and risk management.
2. Perform their duties with objectivity, due diligence and professional care, in accordance with professional standards.
3. Serve in the interest of stakeholders in a lawful manner, while maintaining high standards of conduct and character, and not discrediting their profession or the Association.
4. Maintain the privacy and confidentiality of information obtained in the course of their activities unless disclosure is required by legal authority. Such information shall not be used for personal benefit or released to inappropriate parties.
5. Maintain competency in their respective fields and agree to undertake only those activities they can reasonably expect to complete with the necessary skills, knowledge and competence.
6. Inform appropriate parties of the results of work performed, including the disclosure of all significant facts known to them that, if not disclosed, may distort the reporting of the results.
7. Support the professional education of stakeholders in enhancing their understanding of the governance and management of enterprise information systems and technology, including audit, control, security and risk management.

Note: A CISA candidate is not expected to memorize the ISACA Code of Professional Ethics. The exam will test a candidate's understanding and application of the code.

1.1.4 ITAF™

ITAF is a comprehensive and best practice-setting reference model that:
Establishes standards that address IS auditor roles and responsibilities; knowledge and skills; and diligence, conduct and reporting requirements
Defines terms and concepts specific to IS assurance
Provides guidance and tools and techniques on the planning, design, conduct and reporting of IS audit and assurance assignments

Note: A CISA candidate will not be tested on the organization or arrangement of the ITAF framework. However, the application of audit and assurance standards is tested.

1.1.5 IS Internal Audit Function

The role of the IS internal audit function should be established by an audit charter approved by the board of directors and the audit committee (or by senior management if these entities do not exist). Professionals should have a clear mandate to perform the IS audit function, which may be expressed in the audit charter.
Audit Charter

IS audit can be a part of internal audit, function as an independent group, or be integrated within a financial and operational audit to provide IT-related control assurance to the financial or management auditors. Therefore, the audit charter may include IS audit as an audit support function. Additionally, the audit charter should include the IS audit function's role with respect to any consulting-related services it may perform.

The charter should clearly state management's responsibility and objectives for, and delegation of authority to, the IS audit function. The highest level of management and the audit committee, if one exists, should approve the charter. Once established, the charter should be changed only if the change is thoroughly justified.

The responsibility, authority and accountability of the IS audit function should be appropriately documented in an audit charter or engagement letter. An audit charter is an overarching document that covers the entire scope of audit activities in an entity, while an engagement letter is focused on a particular audit exercise to be initiated in an organization with a specific objective in mind. If IS audit services are provided by an external firm, the scope and objectives of the services should be documented in a formal contract or statement of work between the contracting organization and the service provider. In either case, the internal audit function should be independent and report to an audit committee, if one exists, or to the highest management level, such as the board of directors.

Note: For additional guidance, see standard 1001 Audit Charter and guideline 2001 Audit Charter.

Management of the IS Audit Function

The IS audit function should be managed and led in a manner that ensures that the diverse tasks performed by the audit team will fulfill audit function objectives, while preserving audit independence and competence. Furthermore, managing the IS audit function should ensure value-added contributions to senior management in the efficient management of IT and the achievement of business objectives.

Note: For additional guidance, see standards 1002 Organizational Independence, 1003 Auditor Objectivity, 1004 Reasonable Expectation and 1005 Due Professional Care. Also see the related guidelines 2002, 2003, 2004 and 2005.

IS Audit Resource Management

IS technology is constantly changing. Therefore, it is important that IS auditors maintain their competency by updating existing skills and obtaining training directed toward new audit techniques and technological areas. An IS auditor must have the technical skills and knowledge necessary to perform audit work, and must maintain technical competence through appropriate continuing professional education. Skills and knowledge should be taken into consideration when planning audits and assigning staff to specific audit assignments.

Preferably, a detailed staff training plan should be drawn up for the year based on the organization's direction in terms of technology and the related risk that needs to be addressed. The plan should be reviewed periodically to ensure that training efforts and results are aligned with the direction the audit organization is taking. Additionally, IS audit management should provide the necessary IT resources to properly perform IS audits of a highly specialized nature (e.g., tools, methodology, work programs).

Note: For additional guidance, see standard 1006 Proficiency and guideline 2006 Proficiency.

Using the Services of Other Auditors and Experts

Due to the scarcity of IS auditors and the need for IT security specialists and other subject matter experts to conduct audits of highly specialized areas, the audit department or the auditors entrusted with providing assurance may require the services of other auditors or experts. Outsourcing of IS assurance and security services is increasingly common.

Note: The IS auditor should be familiar with ISACA Audit and Assurance Standard 1204 Performance and Supervision and IS Audit and Assurance Guideline 2206 Using the Work of Other Experts, which address the rights of access to the work of other experts.

External experts could include experts in technologies such as networking, systems integration and digital forensics, or subject matter experts who specialize in a particular industry or area such as banking, securities trading, insurance, privacy or the law.

When there is a proposal to outsource part or all of IS audit services to other auditors and experts or external service providers, the IS auditor should consider:
Restrictions on outsourcing of audit/security services imposed by laws and regulations
Audit charter or contractual stipulations
Impact on overall and specific IS audit objectives
Impact on IS audit risk and professional liability
Independence and objectivity of other auditors and experts
Professional competence, qualifications and experience
Scope and approach of work to be outsourced
Supervisory and audit management controls
Method and modalities of communication of results of audit work
Compliance with legal and regulatory stipulations
Compliance with applicable professional standards

Based on the nature of the assignment, the IS auditor may also need to consider:
Testimonials/references and background checks
Access to systems, premises and records
Confidentiality restrictions to protect customer-related information
Use of computer-assisted audit techniques (CAATs) and other tools by the external audit service provider
Standards and methodologies for performance of work and documentation
Nondisclosure agreements

The IS auditor or entity outsourcing the auditing services should monitor the relationship to ensure objectivity and independence throughout its duration. It is important to understand that although part or all of the audit work may be delegated to an external service provider, the related professional liability is not necessarily delegated. Therefore, it is the responsibility of the IS auditor or entity employing the services of external service providers to:
Clearly communicate the audit objectives, scope and methodology through a formal engagement letter.
Establish a monitoring process for regular review of the work of the external service provider with regard to planning, supervision, review and documentation. For example, the work papers of other IS auditors or experts should be reviewed to confirm that the work was appropriately planned, supervised, documented and reviewed, and to consider the appropriateness and sufficiency of the audit evidence provided. Likewise, the reports of other IS auditors or experts should be reviewed to confirm that the scope specified in the audit charter, terms of reference or letter of engagement has been observed, that the work was performed within the defined auditable period, that any significant assumptions used by other IS auditors or experts have been identified, and that the findings and conclusions reported have management approval.
Assess the usefulness and appropriateness of such external providers' reports and assess the impact of significant findings on the overall audit objectives.

1.2 Types of Audits, Assessments and Reviews

An IS auditor should understand the various types of audits, assessments and reviews that can be performed, along with the basic associated audit procedures, which may be carried out by internal or external groups. An audit includes formal inspection and verification to check whether standards or guidelines are being followed, records are accurate, or efficiency and effectiveness targets are met. Formal audits provide a higher level of assurance than broader assessments and reviews.
In general, assessments and reviews may be perceived with less negative stigma than audits and may focus on opportunities for reducing the costs of poor quality, employee perceptions on quality aspects, proposals to senior management on policy, goals, etc. Some examples of audits, assessments and reviews include:
- IS audit—An IS audit is designed to collect and evaluate evidence to determine whether an information system and related resources are adequately safeguarded and protected; maintain data and system integrity and availability; provide relevant and reliable information; achieve organizational goals effectively; consume resources efficiently; and have, in effect, internal controls that provide reasonable assurance not only that business, operational and control objectives will be met but also that undesired events will be prevented or detected and corrected in a timely manner.
- Compliance audit—A compliance audit includes tests of controls to demonstrate adherence to specific regulations or industry-specific standards or practices. These audits often overlap other types of audits but may focus on particular systems or data.
- Financial audit—A financial audit assesses the accuracy of financial reporting. A financial audit will often involve detailed, substantive testing, although IS auditors are increasingly placing more emphasis on a risk- and control-based audit approach. A financial audit relates to financial information integrity and reliability.
- Operational audit—An operational audit is designed to evaluate the internal control structure in a given process or area. IS audits of application controls or logical security systems are examples of operational audits.
- Integrated audit—There are different types of integrated audits, but typically an integrated audit combines financial and operational audit steps and may or may not include the use of an IS auditor. An integrated audit is performed to assess the overall objectives within an organization, related to financial information and to safeguarding assets, maximizing efficiency and ensuring compliance. An integrated audit can be performed by external or internal auditors and includes compliance tests of internal controls and substantive audit steps. See section 1.10 Quality Assurance and Improvement of the Audit Process for more information.
- Administrative audit—An administrative audit is designed to assess issues related to the efficiency of operational productivity within an organization.
- Specialized audit—Many different types of specialized audits are conducted. Within the category of IS audit, specialized reviews may examine areas such as fraud or services performed by third parties.
- Third-party service audit—A third-party service audit addresses the audit of outsourced financial and business processes to third-party service providers that may operate in different jurisdictions. A third-party service audit issues an opinion on a service organization’s description of controls through a service auditor’s report, which then can be used by the IS auditor of the entity that engages the service organization.
- Fraud audit—A fraud audit is a specialized audit designed to discover fraudulent activity. Auditors often use specific tools and data analysis techniques to discover fraud schemes and business irregularities.
- Forensic audit—A forensic audit is a specialized audit to discover, disclose and follow up on fraud and crime. The primary purpose of such an audit is the development of evidence for review by law enforcement and judicial authorities.
- Computer forensic audit—A computer forensic audit is an investigation that includes the analysis of electronic computing devices with the intent to gather and preserve evidence. An IS auditor possessing the necessary skills can assist an information security manager or forensic specialist in performing forensic investigations and can conduct an audit of the system to ensure compliance with the evidence collection procedures for forensic investigation.
- Functional audit—A functional audit provides an independent evaluation of software products, verifying that their configuration items’ actual functionality and performance are consistent with the requirement specifications. Specifically, a functional audit is conducted either prior to software delivery or after implementation.
- Readiness assessment—A readiness assessment is a review of an organization’s current state of compliance or adherence to documented standards. Readiness assessments generally focus on control design as opposed to operating effectiveness and result in actionable items for an organization to remediate prior to a formal audit.

1.2.1 Control Self-Assessment

Control self-assessment (CSA) is an assessment of controls made by the staff and management of the unit or units involved. It is a management technique that assures stakeholders, customers and other parties that the internal control system of the organization is reliable. It also ensures that employees are aware of the risk to the business and conduct periodic, proactive reviews of controls. It is a methodology used to review key business objectives; to assess risk involved in achieving the business objectives; and to ensure that internal controls are designed to manage business risk through a formal, documented and collaborative process.

An IS auditor acts in the role of facilitator to help business process owners define and assess appropriate controls and to help them understand the need for controls, based on risk to the business processes.
The process owners and the personnel who run the processes use their knowledge and understanding of the business function to evaluate the performance of controls against the established control objectives, while considering the risk appetite of the organization. Process owners are in an ideal position to define the appropriate controls because they are knowledgeable about the process objectives.

A CSA program can be implemented through methods such as questionnaires and surveys, facilitated workshops and informal peer reviews. For small business units within organizations, a CSA program can be implemented through facilitated workshops in which functional management and IS auditors come together and deliberate how best to evolve a control structure for the business unit. In a workshop, the role of a facilitator is to support the decision-making process. The facilitator creates a supportive environment to help participants explore their own experiences and those of others; identify control strengths and weaknesses; and share their knowledge, ideas and concerns. If appropriate, the facilitator may also offer their own expertise in addition to facilitating the exchange of ideas and experience.

Objectives of CSA

The primary objective of a CSA program is to leverage the internal audit function by shifting some of the control monitoring responsibilities to the functional areas. It is not intended to replace audit’s responsibilities but to enhance them. Auditees such as line managers are responsible for controls in their environment; the managers should be responsible for monitoring the controls. CSA programs must educate management about control design and monitoring, particularly concentrating on areas of high risk.

When employing a CSA program, measures of success for each phase (planning, implementation and monitoring) should be developed to determine the value derived from CSA and its future use. One critical success factor (CSF) is a meeting with the business unit representatives (including appropriate and relevant staff and management) to identify the business unit’s primary objective and to determine the reliability of the internal control system. Actions that increase the likelihood of achieving the primary objective should be identified.

Benefits of CSA

Some of the benefits of CSA include:
- Early detection of risk
- More effective and improved internal controls
- Creation of cohesive teams through employee involvement
- Development of a sense of control ownership among employees and process owners and reduction of their resistance to control improvement initiatives
- Increased employee awareness of organizational objectives
- Increased employee knowledge of risk and internal controls
- Increased communication between operational and top management
- Increased motivation for employees
- Improved audit rating process
- Reduction in control cost
- Assurance provided to stakeholders and customers
- Necessary assurance given to top management about the adequacy of internal controls relative to regulations and laws

Disadvantages of CSA

CSA contains some disadvantages, including:
- It could be mistaken as an audit function replacement.
- It may be regarded as an additional workload (e.g., one more report to be submitted to management).
- Failure to act on improvement suggestions could damage employee morale.
- Lack of audit knowledge may limit effectiveness in the detection of weak controls.

The IS Auditor’s Role in CSA

When CSA programs are established, auditors become internal control professionals and assessment facilitators. Their value in these roles is evident when management takes ownership and responsibility for internal control systems under its authority through process improvements in control structures, including an active monitoring component. To be effective in this facilitative and innovative role, the IS auditor must understand the business process being assessed.

It is important to remember that in the CSA process, IS auditors are the facilitators and the management client is the participant. For example, during a CSA workshop, instead of performing detailed audit procedures, the IS auditor will lead and guide the auditees in assessing their environment by providing insight into the objectives of controls based on risk assessment. The managers, with a focus on improving the productivity of the process, might suggest replacement of preventive controls. In this case, the IS auditor is better positioned to explain the risk associated with such changes.

To provide higher-quality audits and make use of internal and/or external audits or subject matter expertise, an integrated audit approach is used to perform risk-based assessments of internal controls over an operation, process or entity.

1.2.2 Integrated Auditing

The dependence of business processes on IT requires that all auditors develop an understanding of IT control structures. In addition, IS auditors must develop an understanding of the business control structures. This type of integrated auditing can be defined as the process whereby appropriate audit disciplines are combined to assess key internal controls over an operation, process or entity with a focus on risk.

A risk assessment aims to understand and identify risk arising from the entity and its environment, including relevant internal controls. At this stage, the role of an IS auditor is typically to understand and identify risk under topical areas such as information management, IT infrastructure, IT governance and IT operations. Other audit and assurance specialists will seek to understand the organizational environment, business risk and business controls. A key element of the integrated approach is a discussion among the whole audit team of emerging risk, with consideration of impact and likelihood. Detailed audit work focuses on the relevant controls in place to manage risk. IT systems frequently provide a first line of preventive and detective controls, and the integrated audit approach depends on a sound assessment of their efficiency and effectiveness.

The integrated audit process typically involves:
- Identification of risk faced by the organization for the area being audited
- Identification of relevant key controls
- Review and understanding of the design of key controls
- Testing IT system support for key controls
- Testing operational effectiveness of management controls
- A combined report or opinion on control risk, design and weaknesses

An integrated audit demands a focus on business risk and a drive for creative control solutions. It is a team effort of audit and assurance professionals with different skill sets. Using this approach permits a single audit of an entity with one comprehensive report. An additional benefit is that this approach assists in staff development and retention by providing variety and the ability to see how all the elements (functional and IT) mesh to form the complete picture. See figure 1.2 for an integrated auditing approach.

Figure 1.2—An Integrated Audit

The integrated audit concept has radically changed the way audits are accepted and valued by different stakeholders. For example:
- Employees or process owners better understand the objectives of an audit because they can see the linkage between controls and audit procedures.
- Top management better understands the linkage between increased control effectiveness and corresponding improvements in the allocation and utilization of IT resources.
- Shareholders better understand the linkage between the push for a greater degree of corporate governance and its impact on the generation of financial statements that can be relied on.

All these developments have contributed to the growing popularity of integrated audits.
1.3 Risk-Based Audit Planning

Audit planning is conducted at the beginning of the audit process to establish the overall audit strategy and detail the specific procedures to be carried out to implement the strategy and complete the audit. It includes both short- and long-term planning. Short-term planning considers audit issues that will be covered during the year, whereas long-term planning considers risk-related issues regarding changes in the organization’s IT strategic direction that will affect the organization’s IT environment.

All of the relevant processes that represent the blueprint of the enterprise’s business should be included in the audit universe. The audit universe ideally lists all the processes that may be considered for audit. Each process may undergo a qualitative or quantitative risk assessment carried out by evaluating the risk in the context of defined, relevant risk factors. The risk factors are those that influence the frequency and/or business impact of risk scenarios. For example, for a retail business, reputation can be a critical risk factor. The evaluation of risk should ideally be based on inputs from the business process owners. Evaluation of the risk factors should be based on objective criteria, although subjectivity cannot be completely avoided. For example, with respect to the reputation factor, the criteria (based on which inputs can be solicited from the business) may be rated as:
- High—A process issue may result in reputational damage that will take the organization more than six months to recover.
- Medium—A process issue may result in reputational damage that will take the organization less than six months but more than three months to recover.
- Low—A process issue may result in reputational damage that will take the organization less than three months to recover.

In this example, the defined time frame represents the objective aspect of the criteria, and the subjective aspect of the criteria can be found in the business process owners’ determination of the time frame—whether it is more than six months or less than three months.

After the risk is evaluated for each relevant factor, a criterion may be defined to determine the overall risk for each of the processes. The audit plan can then be constructed to include all of the processes that are rated “high,” which would represent the ideal annual audit plan. However, in practice, often the available resources are not sufficient to execute the entire ideal plan. This analysis will help the audit function demonstrate the gap in resourcing and give top management a good idea of the amount of risk that it is accepting if it does not add to or augment the existing audit resources.

Analysis of short- and long-term issues should occur at least annually. This frequency is necessary to consider new control issues, enhanced evaluation techniques, and changes in the risk environment, technologies and business processes. The results of this analysis should be reviewed by senior audit management and approved by the audit committee, if available, or alternatively by the board of directors, and communicated to relevant levels of management. The annual planning should be updated if any key aspects of the risk environment have changed (e.g., acquisitions, new regulatory issues, market conditions).

Note: For additional guidance, see standards 1007 Assertions and 1008 Criteria and related guidelines 2007 and 2008.

1.3.1 Individual Audit Assignments

In addition to overall annual planning, each individual audit assignment must be adequately planned. An IS auditor should understand that other considerations—such as the results of periodic risk assessments, changes in the application of technology and evolving privacy issues and regulatory requirements—may impact the overall approach to the audit. An IS auditor should take into consideration system implementation/upgrade deadlines, current and future technologies, requirements from business process owners and IS resource limitations.

When planning an audit, an IS auditor must understand the overall environment under review. This should include gaining a general understanding of the various business practices and functions relating to the audit subject, as well as the types of information systems and technology supporting the activity. For example, an IS auditor should be familiar with the regulatory environment in which the business operates. To perform audit planning, an IS auditor should perform the steps indicated in figure 1.3.

Note: For additional guidance, see standard 1201 Risk Assessment in Planning and guideline 2201 Risk Assessment in Planning.

Figure 1.3—Steps to Perform Audit Planning
1. Gain an understanding of the organization’s mission, objectives, purpose and processes, which include information and processing requirements such as availability, integrity, security and business technology and information confidentiality.
2. Gain an understanding of the organization’s governance structure and practices related to the audit objectives.
3. Understand changes in the business environment of the auditee.
4. Review prior work papers.
5. Identify stated contents such as policies, standards and required guidelines, procedures and organization structure.
6. Perform a risk analysis to help in designing the audit plan.
7. Set the audit scope and audit objectives.
8. Develop the audit approach or audit strategy.
9. Assign personnel resources to the audit.
10. Address engagement logistics.
11. Identify opportunities for continuous audit or audit automation using computer-assisted audit tools (CAATs).
1.3.2 Effect of Laws and Regulations on IS Audit Planning

Each organization, regardless of its size or the industry within which it operates, will need to comply with a number of governmental and external requirements related to IS practices and controls and the manner in which data is used, stored and secured. Additionally, industry regulations can impact the way data is processed, transmitted and stored (e.g., stock exchange, central banks, etc.). Special attention should be given to compliance issues in industries that are closely regulated.

Because of the dependency on information systems and related technology, several countries are making efforts to add legal regulations concerning IS audit and assurance. The content of these legal regulations pertains to:
- Establishment of regulatory requirements
- Responsibilities assigned to corresponding entities
- Financial, operational and IS audit functions

Management at all levels should be aware of the external requirements relevant to the goals and plans of the organization and to the responsibilities and activities of the information services department/function/activity. There are two major areas of concern:
1. Legal requirements (i.e., laws, regulations and contractual agreements) applicable to audit or IS audit
2. Legal requirements placed on the auditee regarding its systems, data management, reporting, etc.

These areas impact the audit scope and audit objectives, which are important to internal and external audit and assurance professionals. Legal issues related to ergonomic regulations may also impact the organization’s business operations.

An IS auditor would perform the following steps to determine an organization’s level of compliance with external requirements:
- Identify government or other relevant external requirements dealing with:
  - Electronic data, personal data, copyrights, ecommerce, e-signatures, etc.
  - IS practices and controls
  - The manner in which computers, programs and data are stored
  - The organization or the activities of information technology services
  - IS audits
- Document applicable laws and regulations.
- Assess whether the management of the organization and the IT function have considered the relevant external requirements in making plans and in setting policies, standards and procedures and business application features.
- Review internal IT department/function/activity documents that address adherence to laws applicable to the industry.
- Determine adherence to established procedures that address external requirements.
- Determine if there are procedures in place to ensure that contracts or agreements with external IT services providers reflect any legal requirements related to responsibilities.

Note: A CISA candidate will not be asked about any specific laws or regulations but may be questioned about how one would audit for compliance with laws and regulations.

Risk-based audit planning is the deployment of audit resources to areas within an organization that represent the greatest risk. It requires an understanding of the organization and its environment, specifically:
- External and internal factors affecting the organization
- The organization’s selection and application of policies and procedures
- The organization’s objectives and strategies
- Measurement and review of the organization’s performance

As part of obtaining this understanding, an IS auditor must also gain an understanding of the key components of the organization’s:
- Strategy management
- Business products and services
- Corporate governance process
- Transaction types, transaction partners and transaction flows within information systems

Effective risk-based auditing uses risk assessment to drive the audit plan and minimize the audit risk during the execution of an audit.
A risk-based audit approach is used to assess risk and to assist an IS auditor in making the decision to perform either compliance testing or substantive testing. It is important to stress that the risk-based audit approach efficiently assists an IS auditor in determining the nature and extent of testing. Within this concept, inherent risk, control risk or detection risk should not be of major concern, despite some resulting weaknesses.

In a risk-based audit approach, IS auditors do not rely solely on risk assessment; they also rely on internal and operational controls and knowledge of the organization or the business. This type of risk assessment decision-making can help relate the cost-benefit analysis of the control to the known risk, allowing the organization to make practical choices.

Business risk includes concerns about the probable effects of an uncertain event on achieving established business objectives. The nature of business risk may be financial, regulatory or operational. Risk may also be derived from specific technologies. For example, an airline company is subject to extensive safety regulations and economic changes, both of which impact the continuing operations of the company. In this context, the availability of IT services and their reliability are critical. Risk also includes measures an organization is willing to take to achieve or advance its objectives even though the results may be unproven or uncertain.

By understanding the nature of the business, an IS auditor can identify and categorize types of risk and can better determine the appropriate risk model or approach in conducting the audit. The risk model assessment can be as simple as creating weights for the types of risk associated with the business and identifying the risk in an equation. On the other hand, risk assessment can be a scheme in which risk is given elaborate weights based on the nature of the business or the significance of the risk. A simplistic overview of a risk-based audit approach is shown in figure 1.4.

Note: For further guidance, see standard 1204 Materiality.

Figure 1.4—Risk-Based Audit Approach

1.3.3 Audit Risk and Materiality

Audit risk can be defined as the risk that information collected may contain a material error that may go undetected during the audit. An IS auditor should also consider, if applicable, other factors relevant to the organization: customer data; privacy; availability of provided services; and corporate and public image, as in the case of public organizations or foundations. Audit risk is influenced by:
- Inherent risk—As it relates to audit risk, inherent risk is the risk level or exposure of the process/entity to be audited without regard to the controls management has implemented. Inherent risk exists independent of an audit and can occur because of the nature of the business.
- Control risk—This is the risk of a material error that would not be prevented or detected on a timely basis by the system of internal controls. For example, the control risk associated with manual reviews of computer logs can be high because activities requiring investigation are often overlooked due to the volume of logged information. The control risk associated with computerized data validation procedures is ordinarily low if the processes are consistently applied.
- Detection risk—This is the risk that material errors or misstatements will not be detected by an IS auditor.
- Overall audit risk—This is the risk that the auditor may not detect a material error in information or financial reports. An objective in formulating the audit approach is to limit the audit risk in the area under scrutiny so the overall audit risk is at a sufficiently low level at the completion of the examination.
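The chapter lists the components of audit risk without writing them as a formula. The conventional multiplicative audit risk model, shown here as an added illustration rather than text from this chapter, makes the planning trade-off explicit; the numeric values are constructed:

$$AR = IR \times CR \times DR$$

where $AR$ is overall audit risk, $IR$ inherent risk, $CR$ control risk and $DR$ detection risk. Since $IR$ and $CR$ are properties of the auditee, the auditor plans the substantive testing by solving for the detection risk that may be tolerated:

$$DR = \frac{AR}{IR \times CR}$$

For a process with $IR = 0.8$ whose only control is a manual review of computer logs (high control risk, say $CR = 0.5$) and a target $AR = 0.05$:

$$DR = \frac{0.05}{0.8 \times 0.5} = 0.125$$

so the audit procedures must be designed to catch a material error with probability $1 - DR = 0.875$. If the same process were instead protected by consistently applied computerized data validation ($CR = 0.2$):

$$DR = \frac{0.05}{0.8 \times 0.2} = 0.3125$$

and a smaller extent of substantive testing reaches the same overall audit risk, which is the cost-benefit link between control reliance and testing effort described above.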
An internal control weakness or set of combined internal control weaknesses may leave an organization highly susceptible to the occurrence of a threat (e.g., financial loss, business interruption, loss of customer trust, economic sanction). An IS auditor should be concerned with assessing the materiality of the items in question through a risk-based audit approach to evaluating internal controls.

Materiality refers to the importance of a piece of information with regard to its impact or effect on the functioning of the entity being audited. Materiality is the expression of the relative significance or importance of a particular matter in the context of the enterprise as a whole. There is an inverse relationship between materiality and the level of audit risk acceptable to the IS auditor (i.e., the higher the materiality level, the lower the acceptability of the audit risk and vice versa).

An IS auditor should have a good understanding of audit risk when planning an audit. An audit sample may not reflect every potential error in a population. However, by using proper statistical sampling procedures or a strong quality control process, the probability of detection risk can be reduced to an acceptable level. Similarly, when evaluating internal controls, an IS auditor should realize that a given system may not detect a minor error. However, that specific error, combined with others, could become material to the overall system.

Note: A CISA candidate should understand audit risk and not confuse it with statistical sampling risk, which is the risk that incorrect assumptions are made about the characteristics of a population from which a sample is selected.

1.3.4 Risk Assessment

An IS auditor should understand how the organization being audited approaches risk assessment. Risk assessments should identify, quantify and prioritize risk against criteria for risk acceptance and objectives relevant to the organization.
The results should guide and determine the appropriate management action, priorities for managing information security risk and priorities for implementing controls selected to protect against risk. Risk assessments should be performed by management periodically to address changes in the environment, security requirements and the risk landscape (e.g., in the assets, threats, vulnerabilities and impacts) and whenever significant changes occur.

It is important to note that IT management is responsible for conducting risk assessments. If expertise is not present within the organization, the IS auditor may assist in risk assessment efforts. However, management is ultimately responsible for the risk assessment process. The IS auditor may perform a separate risk assessment to supplement the needs of risk-based audit planning. Refer to section 2.5 Enterprise Risk Management for additional details on risk assessments.

1.3.5 IS Audit Risk Assessment Techniques

When determining which functional areas should be audited, an IS auditor may face a large variety of audit subjects. Each of these subjects may incur different types of risk. An IS auditor should evaluate risk candidates to determine the high-risk areas that should be audited.

There are many risk assessment methodologies available to an IS auditor, ranging from simple classifications based on the auditor’s judgment of high, medium and low, to complex scientific calculations that provide numeric risk ratings. One such risk assessment approach is a scoring system that is useful in prioritizing audits based on an evaluation of risk factors. The system considers variables such as technical complexity, level of control procedures in place and level of financial loss. These variables may or may not be weighted. The risk values are then compared to each other, and audits are scheduled accordingly.
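The scoring system just described and the reputation criteria from section 1.3 (more than six months to recover = High, three to six months = Medium, less than three months = Low) can be combined into one audit-universe prioritizer. The following is an added example, not code from the CISA manual: the factor weights, rating thresholds, day budget and the retail sample universe are constructed assumptions; it rates each process, builds the ideal annual plan from the High-rated processes and reports the resourcing gap that top management would be accepting.

```python
"""Risk scoring of an audit universe for risk-based audit planning.

Added example (not from the CISA manual). Weights, thresholds and the
sample audit universe are constructed assumptions.
"""
from dataclasses import dataclass

# Constructed weights (percent). Reputation and financial loss dominate
# because the sample organisation is a retailer, as in the chapter's example.
WEIGHTS = {
    "reputation": 35,
    "financial_loss": 30,
    "technical_complexity": 15,
    "control_weakness": 20,
}
MAX_POINTS = 3 * sum(WEIGHTS.values())   # every factor rated 3 -> 300

# Constructed thresholds on the weighted total for the overall rating.
HIGH_THRESHOLD = 240
MEDIUM_THRESHOLD = 170


def rate_reputation(recovery_months: float) -> int:
    """Chapter criteria for the reputation factor.

    The time frame is the objective part of the criterion; the process
    owner's estimate of that time frame is the subjective part.
    """
    if recovery_months > 6:
        return 3          # High: more than six months to recover
    if recovery_months > 3:
        return 2          # Medium: between three and six months
    return 1              # Low: less than three months


@dataclass(frozen=True)
class AuditSubject:
    name: str
    reputation_recovery_months: float   # solicited from the process owner
    financial_loss: int                 # 1 = minor ... 3 = severe
    technical_complexity: int           # 1 = simple ... 3 = complex
    control_weakness: int               # 1 = strong controls ... 3 = weak/absent
    audit_days: int                     # estimated effort to audit this process


def _check_scale(value: int, factor: str) -> int:
    """Reject ratings outside the 1..3 scale instead of scoring garbage."""
    if value not in (1, 2, 3):
        raise ValueError(f"{factor} must be rated 1, 2 or 3, got {value!r}")
    return value


def weighted_points(subject: AuditSubject) -> int:
    """Weighted risk total for one process (0..MAX_POINTS)."""
    ratings = {
        "reputation": rate_reputation(subject.reputation_recovery_months),
        "financial_loss": _check_scale(subject.financial_loss, "financial_loss"),
        "technical_complexity": _check_scale(subject.technical_complexity,
                                             "technical_complexity"),
        "control_weakness": _check_scale(subject.control_weakness,
                                         "control_weakness"),
    }
    return sum(WEIGHTS[factor] * rating for factor, rating in ratings.items())


def overall_rating(points: int) -> str:
    """Criterion that turns the weighted total into the overall risk rating."""
    if points >= HIGH_THRESHOLD:
        return "High"
    if points >= MEDIUM_THRESHOLD:
        return "Medium"
    return "Low"


def build_annual_plan(universe, available_days: int) -> dict:
    """Ideal plan = all High-rated processes, highest score first.

    Processes are funded in priority order while they fit the day budget;
    whatever is deferred is the risk management accepts unless it augments
    the audit resources.
    """
    scored = sorted(((weighted_points(s), s) for s in universe),
                    key=lambda item: item[0], reverse=True)
    ideal = [s for pts, s in scored if overall_rating(pts) == "High"]
    funded, deferred, remaining = [], [], available_days
    for s in ideal:
        if s.audit_days <= remaining:
            funded.append(s.name)
            remaining -= s.audit_days
        else:
            deferred.append(s.name)
    ideal_days = sum(s.audit_days for s in ideal)
    return {
        "ideal_plan": [s.name for s in ideal],
        "ideal_days": ideal_days,
        "funded": funded,
        "deferred": deferred,
        "resource_gap_days": max(0, ideal_days - available_days),
    }


# Constructed sample audit universe for a retail business.
SAMPLE_UNIVERSE = [
    AuditSubject("Payment processing", 9, 3, 3, 2, 15),
    AuditSubject("Customer loyalty portal", 4, 2, 2, 3, 10),
    AuditSubject("Internal wiki", 1, 1, 1, 2, 5),
    AuditSubject("Payroll", 7, 3, 2, 1, 12),
    AuditSubject("Store POS network", 5, 3, 3, 3, 20),
]

if __name__ == "__main__":
    for s in SAMPLE_UNIVERSE:
        pts = weighted_points(s)
        print(f"{s.name:25} {pts:4d}/{MAX_POINTS}  {overall_rating(pts)}")
    print(build_annual_plan(SAMPLE_UNIVERSE, available_days=30))
```

With a 30-day budget the three High-rated processes need 47 days, so the plan funds two of them and shows a 17-day gap, which is the figure the audit function would put in front of top management.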
Another form of risk assessment is subjective, in which an independent decision is based on business knowledge, executive management directives, historical perspectives, business goals and environmental factors. A combination of techniques can be used. Risk assessment methods may change and develop over time to best serve the needs of the organization. An IS auditor should consider the level of complexity and detail appropriate for the organization being audited.

IS auditors should leverage the results of management risk assessments to supplement their own risk assessment procedures. A degree of professional skepticism should be leveraged when reviewing or leveraging management assessments of risk due to potential independence impairment.

Using risk assessment to determine areas to be audited:
- Enables audit management to effectively allocate limited audit resources
- Ensures that relevant information has been obtained from all levels of management, including boards of directors, IS auditors and functional area managers. Generally, this information assists management in effectively discharging its responsibilities and ensures that the audit activities are directed to high-risk areas, which will add value for management.
- Establishes a basis for effectively managing the audit department
- Provides a summary of how the individual audit subject is related to the overall organization as well as to the business plans

1.3.6 Risk Analysis

Risk analysis, a subset of risk assessment, is used during audit planning to help identify risk and vulnerabilities so an IS auditor can determine the controls needed to mitigate risk. Risk assessment procedures provide a basis for the identification and assessment of risk of material vulnerabilities; however, they do not provide sufficient appropriate audit evidence to support the audit opinion.

In evaluating IT-related business processes applied by an organization, it is important to understand the relationship between risk and control.
IS auditors must be able to identify and differentiate risk types and the controls used to mitigate risk. They should have knowledge of common business risk areas, related technology risk and relevant controls. They should also be able to evaluate the risk assessment and management processes and techniques used by business managers, and to make assessments of risk to help focus and plan audit work. In addition to understanding business risk and control, IS auditors must understand that risk exists within the audit process.

1.4 Types of Controls and Considerations

Every organization has controls in place. An effective control is one that prevents, detects and/or contains an incident and enables recovery from a risk event. Organizations design, develop, implement and monitor information systems through policies, procedures, practices and organizational structures to address various types of risk. Controls are normally composed of policies, procedures, practices and organizational structures that are implemented to reduce risk to the organization.

Internal controls are developed to provide reasonable assurance to management that the organization’s business objectives will be achieved, and that risk events will be prevented or detected and corrected. Internal control activities and supporting processes may be manual or automated.

1.4.1 Internal Controls

Internal controls operate at all levels within an organization to mitigate risk exposures that potentially could prevent it from achieving its business objectives. The board of directors and senior management are responsible for establishing the appropriate culture to facilitate an effective and efficient internal control system and for continuously monitoring the effectiveness of the internal control system, although each individual within an organization must take part in this process. There are two key aspects that controls should address:
1. What should be achieved
2. What should be avoided

Internal controls or control activities help ensure that management directives are carried out. They help ensure that necessary actions are taken to address risk and to achieve the enterprise’s business objectives. Control activities occur throughout the enterprise, at all levels and in all functions, such as granting approvals and authorizations, implementing verifications and reconciliations, reviewing operating performance, securing assets and ensuring separation of duties.

1.4.2 Control Objectives and Control Measures

A control objective is defined as an objective of one or more operational areas or roles, which is designed to contribute to the fulfillment of the company’s strategic goals. That is, the control objective is explicitly related to the company’s overall strategy. Control objectives are statements of the desired result or purpose to be achieved by implementing control activities (procedures). For example, control objectives may relate to:
- Effectiveness and efficiency of operations
- Reliability of financial reporting
- Compliance with applicable laws and regulations
- Safeguarding information assets

Control objectives apply to all controls, whether they are manual, automated or both (e.g., review of system logs). Control objectives in an IS environment do not differ from those in a manual environment; however, the way the controls are implemented may be different. Thus, control objectives need to be addressed relevant to specific IS-related processes.

A control measure is defined as an activity contributing to the fulfillment of a control objective. Both the control objective and control measure serve the decomposition of the strategic-level goals into such lower-level goals and activities that can be assigned as tasks to the staff. This assignment can take the form of a role specified in a job description.
IS Control Objectives

IS control objectives include a complete set of high-level requirements to be considered by management for effective control of each IT process area. IS control objectives are:
- Statements of the desired result or purpose to be achieved by implementing controls around IS processes
- Policies, procedures, practices and organizational structures
- Requirements designed to provide reasonable assurance that business objectives will be achieved and undesired events will be prevented or detected and corrected

Organizational management needs to make choices relative to control objectives by:
- Selecting those that are applicable
- Deciding on those that will be implemented
- Choosing how to implement them (i.e., frequency, span, automation, etc.)
- Accepting the risk of not implementing others that may apply

Specific IS control objectives include:
- Safeguarding information assets, including ensuring that information on automated systems is up to date and secure from improper access
- Ensuring that system development life cycle (SDLC) processes are established, in place and operating effectively to provide reasonable assurance that development of business, financial and/or industrial software systems and applications is repeatable, reliable and aligned to business objectives
- Ensuring integrity of general operating system (OS) environments, including network management and operations
- Ensuring integrity of sensitive and critical application system environments, including accounting/financial and management information (information objectives) and customer data, through:
  - Authorization of the input—Each transaction is authorized and entered only once.
  - Validation of the input—Each input is validated and will not have a negative impact on the processing of transactions.
  - Accuracy and completeness of transaction processing—All transactions are recorded accurately and entered into the system for the proper period.
  - Reliability of overall information processing activities—All programmatic actions taken by the system during processing are sound.
  - Accuracy, completeness and security of the output—Outputs can be relied upon and countermeasures are implemented to enable security of information assets generated.
  - Database confidentiality, integrity and availability—The underlying systems of record have general IS security controls.
- Ensuring appropriate identification and authentication of users of IS resources (end users and infrastructure support)
- Ensuring the efficiency and effectiveness of operations (operational objectives)
- Complying with users' requirements, organizational policies and procedures and applicable laws and regulations (compliance objectives)
- Ensuring availability of IT services by developing efficient business continuity plans (BCPs) and disaster recovery plans (DRPs) that include backup and recovery processes
- Enhancing protection of data and systems by developing an incident response plan
- Ensuring integrity and reliability of systems by implementing effective change management procedures
- Ensuring that outsourced IS processes and services have clearly defined service level agreements (SLAs) and contract terms and conditions designed to protect the organization's assets and meet business goals and objectives

General Control Methods

General control methods apply to all areas of an organization as seen in figure 1.5.

Figure 1.5—General Control Methods

Managerial
  Description: Controls related to the oversight, reporting, procedures and operations of a process
  Examples: Policies and procedures (administrative); accounting controls (e.g., balancing); employee training and development; compliance reporting

Technical
  Description: Also known as logical controls, controls that are provided through the use of technology, equipment or devices. A technical control requires proper managerial (administrative) controls to operate correctly.
  Examples: Firewall rulesets; network or host-based intrusion detection systems (IDSs); passwords; antimalware solutions

Physical
  Description: Controls that are installed to physically restrict access to a facility or hardware. Physical controls require maintenance, monitoring and the ability to address and react to an alert.
  Examples: Physical access badges and locks; closed-circuit TV (CCTV)

Often operational and administrative controls that concern day-to-day operations, functions and activities are included within managerial controls. Technical controls and physical controls, respectively, relate to the use of technology and the use of physical equipment or devices to regulate access. An enterprise should maintain a proper balance of control types in order to meet its specific needs and help achieve its business objectives. For example, the implementation of a technical control, such as a firewall, requires training for the staff who manage or operate it, correct procedures for its configuration, assignment of responsibilities for its monitoring and schedules for regular testing. If these coinciding controls are not in place, stakeholders may develop a false sense of security, resulting in unidentified vulnerabilities, an ineffective use of resources and greater risk than anticipated or intended.

IS-Specific Controls

Each general control method can be translated into an IS-specific control. A well-designed information system should have controls built in for all its sensitive or critical functions. For example, there should be a general procedure to ensure that adequate safeguards over access to assets and facilities can be translated into an IS-related set of control procedures, covering access safeguards over computer programs, data and equipment.
Examples of IS-specific control procedures include:
- Strategy and direction of the IT function
- General organization and management of the IT function
- Access to IT resources, including data and programs
- Systems development methodologies and change control
- Operations procedures
- Systems programming and technical support functions
- Quality assurance (QA) procedures
- Physical access controls
- BCP/DRP
- Networks and communication technology (e.g., local area networks, wide area networks, wireless)
- Database administration
- Protective and detective mechanisms against internal and external attacks

Note: A CISA candidate should understand concepts regarding IS controls and how to apply them in planning an audit.

Business Process Applications and Controls

In an integrated application environment, controls are embedded and designed into the business application that supports the processes. Business process control assurance involves evaluating controls at the process and activity levels, which may be a combination of management, programmed and manual controls. In addition to evaluating general controls that affect the processes, an IS auditor should evaluate business process owner-specific controls—such as proper security and separation of duties (SoD), periodic reviews, and approvals of access and application controls within the business process. To effectively audit business application systems, an IS auditor must obtain a clear understanding of the application system under review. Numerous financial and operational functions are computerized for the purpose of improving efficiency and increasing the reliability of information. These applications range from traditional (including general ledger, accounts payable and payroll) to industry-specific (such as bank loans, trade clearing and material requirements planning). Given their unique characteristics, computerized application systems add complexity to audit efforts. These characteristics may include limited audit trails, instantaneous updating and information overload. Figure 1.6 describes sample risk and controls for common business applications in an enterprise.

Figure 1.6—Business Application Controls

Ecommerce
  Description: Ecommerce is the buying and selling of goods online.
  Example risk(s) and related control(s): Due to their exposure to the Internet, ecommerce applications are subject to a high risk of Structured Query Language (SQL) injection attacks. IS-specific controls such as secure coding training for developers, system development life cycle (SDLC) code reviews and form input validity checks could be used to mitigate applicable risk.

Electronic data interchange (EDI)
  Description: EDI replaced the traditional paper document exchange, such as medical claims and records, purchase orders, invoices or material release schedules.
  Example risk(s) and related control(s): Transmitted data is at risk of being intercepted and potentially manipulated or compromised. Appropriate encryption controls should be used to ensure the confidentiality and integrity of transmitted data.

Email
  Description: Email services are used by an enterprise to communicate electronically with internal or external parties.
  Example risk(s) and related control(s): Email provides an avenue for attackers to manipulate end users through social engineering. Spam filtering, hyperlink verification and phishing training for email users can decrease the likelihood of phishing-related social engineering attacks.

Industrial control systems (ICSs)
  Description: ICS is a general term that encompasses several types of control systems, including supervisory control and data acquisition (SCADA) systems, distributed control systems (DCSs) and other control system configurations such as programmable logic controllers (PLCs), which are often found in industrial sectors and critical infrastructures.
  Example risk(s) and related control(s): Systems like SCADA are highly sensitive and if compromised can have a direct impact on human life. Organizations should consider adding perimeter security controls, such as network segmentation and multifactor authentication, to get into and administer high-risk SCADA environments.

Artificial intelligence (AI) and expert systems
  Description: Expert systems are an area of AI and perform a specific function or are prevalent in certain industries. An expert system allows the user to specify certain basic assumptions or formulas and then uses those assumptions or formulas to analyze arbitrary events.
  Example risk(s) and related control(s): AI systems rely on learned data and associated decision trees that can be inherently biased. An IS auditor should ensure that the proper level of expertise was used in developing the basic assumptions and formulas.

Note: A CISA candidate should be familiar with different types of business application systems and architectures, processes, risk and related controls and IS audit implications and practices.

The IS auditor should consult industry- or technology-specific guidance and apply applicable IS-specific controls as necessary. For example, when reviewing an ecommerce application, an IS auditor might consider applicable guidance from authoritative sources such as the Open Web Application Security Project (OWASP).[2] Where specific skillsets are not present within an IS audit department, external experts should be brought in to perform applicable reviews.

1.4.3 Control Classifications

Controls are implemented to provide reasonable assurance to management that the organization's business objectives will be achieved, and risk events will be prevented or detected and corrected. Elements of controls that should be considered when evaluating control strength are classified as preventive, detective or corrective in nature. Figure 1.7 describes control categories.
Figure 1.7—Control Categories

Preventive: Inhibit or impede attempts to violate security policy and practices. Encryption, user authentication and vault-construction doors are examples of preventive controls.

Deterrent: Provide guidance or warnings that may dissuade intentional or unintentional attempts at compromise. Warning banners on login screens, acceptable use policies, security cameras and rewards for the arrest of hackers are examples of deterrent controls.

Detective: Provide warnings of violations or attempted violations of security policy and practices without inhibiting or impeding the questionable actions. Audit trails, intrusion detection systems (IDSs) and checksums are examples of detective controls.

Corrective: Remediate errors, omissions, unauthorized uses and intrusions when detected. Data backups, error correction and automated failover are examples of corrective controls.

Compensating: Offset a deficiency or weakness in the control structure of the enterprise, often because the baseline controls cannot meet a stated requirement due to legitimate technical or business constraints. Placing unsecured systems on isolated network segments with strong perimeter security and adding third-party challenge-response mechanisms to devices that do not support individual login accounts are examples of compensating controls that, while not directly addressing vulnerabilities, make it harder to exploit them.

Source: ISACA, CRISC Official Review Manual 7th Edition Revised, USA, 2023

Preventive controls are generally stronger at mitigating risk because they prevent threat events from occurring. For example, if a malicious threat actor attempts to log into a system that is accessible from the Internet with a compromised password, multifactor authentication requirements could prevent the threat actor from successfully accessing the system.
By contrast, a detective control does not stop unauthorized uses or entries from occurring, but it indicates that a threat event took place or is in progress. If a threat event occurs, a corrective control helps an enterprise recover from the effects of an attack. For example, if unauthorized access has been gained to a specific enterprise computer, a procedure is initiated to protect the rest of the network. Organizations must implement a variety of control types based on applicable risk and cost-benefit analysis. In summary, detective and preventive controls are used to reduce the likelihood of a threat event (the probability of something happening), while corrective controls are intended to mitigate the consequences (figure 1.8).

Figure 1.8—Control Purpose
Source: ISACA, Fundamentals of Information Systems Audit and Assurance (Facilitator Guide), USA, 2018

An adequate mix of controls with different classifications is important not only to reduce the likelihood of threat events occurring but also to identify and mitigate consequences. Different types of controls can complement one another to help ensure that each is working effectively and addressing unique threat events as outlined in figure 1.9.

Note: A CISA candidate should understand the purpose of and differences between preventive, detective and corrective controls and be able to recognize examples of each.

Figure 1.9—Interaction of Control Types and Threat Events
Source: Adapted from ISACA, CRISC® Review Manual, 7th Edition Revised, USA, 2023

1.4.4 Control Relationship to Risk

There is a direct relationship between risk and control that demonstrates that risk is addressed through control and control is justified by the risk it addresses. Figure 1.10 shows this relationship. The IS auditor should have a solid understanding of the applicable risk to controls being evaluated. This not only informs the overall audit procedures that will be used but also helps determine overall materiality of any control weaknesses that may be identified during the performance of an IS audit. When evaluating controls, the IS auditor should ensure that management's identified controls are mapped back to applicable risk. It is management's responsibility to ensure controls are documented and implemented per its assessment of risk.

Figure 1.10—Control Relationship to Risk
Source: ISACA, IT Risk Fundamentals Study Guide, USA, 2020

If controls implemented do not mitigate risk to an acceptable level (per the organization's risk tolerance), additional controls should be implemented. If appropriate or required countermeasures cannot be implemented based on system or business restrictions, compensating controls may be considered. However, any compensating control must achieve the same result the underperforming control was designed to achieve. Placing unsecured systems on isolated network segments with strong perimeter security and adding third-party challenge-response mechanisms to devices that do not support individual login accounts are examples of compensating controls. Although the examples in the following sections are IT-specific, it is possible for non-IT compensating controls to exist.

1.4.5 Prescriptive Controls and Frameworks

In some instances, authoritative sources provide a prescriptive set of controls or control objectives for an organization to implement and assess. Prescriptive control sets or control frameworks attempt to provide a standard set of controls an organization should implement to mitigate applicable risk to the organization as a whole or to a specific business process.
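The ecommerce row of figure 1.6 names SQL injection as the risk and form input validity checks and SDLC code review as the controls, and figure 1.7 separates preventive from detective controls. The following added example (not from the ISACA manual) puts both on a constructed product catalog: the query-building pattern a code review should flag, the hardened lookup with input validation and parameter binding (preventive), and an audit trail of rejected input (detective). The catalog table, the SKU format and every function name are assumptions made for illustration.

```python
"""Added example (not from the ISACA manual): application controls for the
ecommerce risk in figure 1.6, classified as in figure 1.7.

Assumptions (constructed for illustration): an in-memory SQLite product
catalog, a SKU format of 'SKU-' plus four digits, and an audit_trail table
that serves as the detective control.
"""
import re
import sqlite3
from typing import List, Tuple

# Constructed sample catalog rows: (sku, name, price, is_published)
SAMPLE_PRODUCTS = [
    ("SKU-1001", "Widget", 9.99, 1),
    ("SKU-1002", "Gadget", 19.99, 1),
    ("SKU-9999", "Unreleased item", 0.0, 0),  # must never reach the storefront
]

# Input validity check: the only shape a SKU form field may take (assumed format).
SKU_PATTERN = re.compile(r"SKU-\d{4}")


def build_catalog() -> sqlite3.Connection:
    """Create the constructed catalog and an empty audit trail."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products (sku TEXT PRIMARY KEY, name TEXT, "
        "price REAL, is_published INTEGER)"
    )
    conn.executemany("INSERT INTO products VALUES (?, ?, ?, ?)", SAMPLE_PRODUCTS)
    conn.execute("CREATE TABLE audit_trail (event TEXT, detail TEXT)")
    conn.commit()
    return conn


def search_unsafe(conn: sqlite3.Connection, sku: str) -> List[Tuple[str, str]]:
    """The 'before' pattern an SDLC code review should flag: the form field is
    pasted into the SQL text, so its content can rewrite the WHERE clause."""
    sql = (
        "SELECT sku, name FROM products "
        f"WHERE sku = '{sku}' AND is_published = 1 ORDER BY sku"
    )
    return conn.execute(sql).fetchall()


def sku_is_valid(sku: str) -> bool:
    """Preventive control 1: reject anything that is not a well-formed SKU."""
    return SKU_PATTERN.fullmatch(sku) is not None


def search_safe(conn: sqlite3.Connection, sku: str) -> List[Tuple[str, str]]:
    """Hardened lookup: validate (preventive), record rejects (detective) and
    bind the value as a parameter (preventive) so it is never parsed as SQL."""
    if not sku_is_valid(sku):
        conn.execute(
            "INSERT INTO audit_trail VALUES (?, ?)", ("rejected_input", sku)
        )
        conn.commit()
        return []
    return conn.execute(
        "SELECT sku, name FROM products "
        "WHERE sku = ? AND is_published = 1 ORDER BY sku",
        (sku,),
    ).fetchall()


def rejected_inputs(conn: sqlite3.Connection) -> List[str]:
    """Detective control read-out: the evidence an IS auditor would review to
    confirm that invalid form input is being caught and recorded."""
    rows = conn.execute(
        "SELECT detail FROM audit_trail WHERE event = 'rejected_input'"
    ).fetchall()
    return [row[0] for row in rows]


if __name__ == "__main__":
    catalog = build_catalog()
    # Constructed malformed input: the quote character lets it alter the WHERE clause.
    malformed = "x' OR '1'='1"
    print("unsafe:", search_unsafe(catalog, malformed))  # every published row leaks
    print("safe:  ", search_safe(catalog, malformed))    # [] plus an audit record
    print("trail: ", rejected_inputs(catalog))
```

The unsafe lookup returns every published product for an input that matches no SKU, which is the observable symptom a control test would record; the hardened lookup returns nothing and leaves an audit-trail entry behind.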
Examples of sets of prescriptive controls or control objectives include:
- Center for Internet Security (CIS) 18 Critical Security Controls[3]—A prescriptive, prioritized and simplified set of best practices that organizations can use to strengthen their cybersecurity postures
- OWASP Software Assurance Maturity Model (SAMM)[4]—An open framework to help organizations formulate and implement strategies for software security that are tailored to the specific risk they face
- Service Organization Controls (SOC) reports[5]—A framework developed by the American Institute of Certified Public Accountants (AICPA) meant to be used by organizations to process data related to services they provide
- Payment Card Industry (PCI) Data Security Standard (DSS)[6]—A set of requirements that must be met by organizations that store, process, transmit or in any way affect the security of credit card data
- Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM)[7]—A cybersecurity control framework for cloud computing encompassing various key practices to ensure cloud security across different cloud models and designed to provide fundamental security principles to guide cloud vendors and assist prospective cloud customers in assessing the overall security risk of a cloud provider

Organizations leveraging prescriptive control frameworks must identify applicable countermeasures in place to meet outlined control objectives. In some instances, prescriptive controls may not be applicable to an organization based on unique business practices. For example, if an organization accepting credit cards does not store credit card data as a part of its business process, then controls applicable to the protection of stored credit card information are likely not applicable. Where prescriptive controls do not apply to an organization, the organization should ensure that the reasons for, and validation of, non-applicability are formally documented.
1.4.6 Evaluation of the Control Environment

The control environment should be reviewed in accordance with the risk-based audit plan. Although IS audit will execute its risk-based audit plan, it is important to note that IS management should also evaluate the effectiveness of the control environment.

Management Control Monitoring

Management may perform its own monitoring of control effectiveness within a given audit cycle. This process helps to identify control deviations prior to a potentially less frequent audit and allows management to take corrective action. Control monitoring ensures that:
- Control requirements are being met.
- Standards are being followed.
- Employees are complying with enterprise policies, practices and procedures.

Management can use the results of its own control monitoring efforts to continuously improve the organization's security program. An IS auditor may leverage these results as reassurance that controls were effectively working over a period of time. When reviewing management's control monitoring processes, an IS auditor should ensure the following:
- Identified control exceptions are remediated and lessons learned are considered for security program enhancement.
- Metrics are established for critical processes or control monitoring and are based on management's risk assessment.
- Metrics identify specific, quantifiable outputs for reporting.
- Independence considerations are made regarding potential completeness and accuracy concerns.
- Reporting establishes expected thresholds for control effectiveness and tracks success over time.

Independent Evaluation of the Control Environment

Once the applicable risk and controls are understood, the IS auditor can perform an evaluation of the control environment. An IS auditor reviews evidence gathered during the audit to determine if the operations reviewed are well controlled and effective. This is an area that requires judgment and experience. An IS auditor also assesses the strengths and weaknesses of the controls evaluated and determines if they are effective in meeting the control objectives established as part of the audit planning process.

Part B: Execution

Once an audit is planned and the scope and objectives are defined, the IS auditor is ready to execute the audit. The following sections provide guidance for executing an audit.

1.5 Audit Project Management

Several steps are required to perform an audit. Adequate planning is a necessary first step in performing an effective IS audit. To efficiently use IS audit resources, audit organizations must assess the overall risk for the general and application areas and related services being audited, and then develop an audit program that consists of objectives and audit procedures to satisfy the audit objectives. The audit process requires an IS auditor to gather evidence, evaluate the strengths and weaknesses of controls based on the evidence gathered through audit tests, and prepare an audit report that presents those issues (i.e., areas of control weaknesses with recommendations for remediation) to management in an objective manner. Audit management must ensure the availability of adequate audit resources and a schedule for performing the audit procedures and, in the case of an internal IS audit, for conducting follow-up reviews on the status of corrective actions taken by management. The process of auditing includes defining the audit scope, formulating audit objectives, identifying audit criteria, performing audit procedures, reviewing and evaluating evidence, forming audit conclusions and opinions, and reporting to management after discussion with key process owners. Project management techniques for audit projects include:
- Plan the audit engagement—Plan the audit, considering project-specific risk.
- Build the audit plan—Chart the necessary audit tasks across a timeline, optimizing resource use. Make realistic estimates of the time requirements for each task with proper consideration given to the availability of the auditee.
- Execute the plan—Execute audit tasks against the plan.
- Monitor project activity—Report actual progress against planned audit steps to ensure challenges are managed proactively and the scope is completed within time and budget.

1.5.1 Audit Objectives

Audit objectives refer to the specific goals that must be accomplished by the audit. In contrast, a control objective refers to how an internal control should function. An audit generally incorporates several audit objectives. Audit objectives often focus on confirming that internal controls exist to minimize business risk and function as expected. These audit objectives include ensuring compliance with legal and regulatory requirements and ensuring the confidentiality, integrity, reliability and availability of information and IT resources. Audit management may give an IS auditor a general control objective to review and evaluate when performing an audit. A key element in planning an IS audit is to translate basic and wide-ranging audit objectives into specific IS audit objectives. For example, in a financial/operational audit, a control objective could be to ensure that transactions are properly posted to the general ledger accounts. However, in an IS audit, the objective could be extended to ensure that editing features are in place to detect errors in the coding of transactions that may impact account-posting activities. An IS auditor must understand how general audit objectives can be translated into specific IS control objectives.

Determining an audit's objectives is a critical step in planning an IS audit. One of the primary purposes of an IS audit is to identify control objectives and the related controls that address the objective. For example, an IS auditor's initial review of an information system should identify key controls. It should then be determined whether to test those controls for compliance. An IS auditor should identify both key general and application controls after developing an understanding and documenting the business processes and the applications/functions that support those processes and general support systems. Based on that understanding, an IS auditor should identify the key control points. Alternatively, an IS auditor may assist in assessing the integrity of financial reporting data, referred to as substantive testing, through CAATs.

1.5.2 Audit Phases

Each phase in the execution of an audit can be divided into key steps to plan, define, perform and report the results, as shown in figure 1.11.

Figure 1.11—Typical Audit Process Steps by Phase
Source: ISACA, Information Systems Auditing: Tools and Techniques—Creating Audit Programs, USA, 2016

Planning

Planning steps can be further broken down into more specific activities, as shown in figure 1.12.

Figure 1.12—Audit Process Activities for the Planning Phase

1. Determine audit subject.
   Identify the area to be audited (e.g., business function, system, physical location).

2. Define audit objective.
   Identify the purpose of the audit. For example, an objective might be to determine whether program source code changes occur in a well-defined and controlled environment.

3. Set audit scope.
   Identify the specific systems, function or unit of the organization to be included in the review. In the case of the program changes example, the scope statement might limit the review to a single application, system or a limited period of time. This step is very important because the information systems (IS) auditor will need to understand the IT environment and its components to identify the resources that will be required to conduct a comprehensive evaluation. A clear scope will help the IS auditor define a set of testing points that are relevant to the audit and to further determine the technical skills and resources necessary to evaluate different technologies and their components.

4. Perform preaudit planning.
   Conduct a risk assessment, which is critical in setting the final scope of a risk-based audit. For other types of audits (e.g., compliance), conducting a risk assessment is a good practice because the results can help the IS audit team justify the engagement and further refine the scope and preplanning focus. Interview the auditee to inquire about activities or areas of concern that should be included in the scope of the engagement. Identify regulatory compliance requirements. Once the subject, objective and scope are defined, the audit team can identify the resources needed to perform the audit. Some of the necessary resources to be defined:
   - Technical skills and resources
   - Budget and effort to complete the engagement
   - Locations or facilities to be audited
   - Roles and responsibilities among the audit team
   - Time frame for the various stages of the audit
   - Sources of information for test or review, such as functional flowcharts, policies, standards, procedures and prior audit work papers
   - Points of contact for administrative and logistics arrangements
   - A communication plan that identifies whom to inform, when, how often and for what purposes

5. Determine audit procedures and steps for data gathering.
   At this stage of the audit process, the audit team should have enough information to identify and select the audit approach or strategy and start developing the audit program. Some of the specific activities in this step are:
   - Identify and obtain departmental policies, standards and guidelines for review.
   - Identify any regulatory compliance requirements.
   - Identify a list of individuals to interview.
   - Identify meth