cisa 1st chapter

Upload: arif-qureshi

Post on 02-Jun-2018






  • 8/10/2019 Cisa 1st Chapter


    CISA : Chapter #1 The Information Systems Audit Process 1

    The Information Systems Audit Process

    Definitions : Control

    The policies, procedures, practices and organizational structures designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented or detected and corrected.

    Definitions : IT Control Objective

    A statement of the desired result or purpose to be achieved by implementing control procedures in a particular IT activity.

    Definitions : IT Governance

    A structure of relationships and processes to direct and control the enterprise in order to achieve the enterprise's goals by adding value while balancing risk versus return over IT and its processes.

    Definitions : IT Framework

    A successful organization is built on a solid framework of data and information. The Framework explains how IT processes deliver the information that the business needs to achieve its objectives. This delivery is controlled through 34 high-level control objectives, one for each IT process, contained in the four domains. The Framework identifies which of the seven information criteria (effectiveness, efficiency, confidentiality, integrity, availability, compliance and reliability), as well as which IT resources (people, applications, technology, facilities and data), are important for the IT processes to fully support the business objective.

    Definitions : Audit Mission

    In the light of management objectives, a well documented audit charter defining the overall authority, scope and responsibility of the audit function, approved by top management.

    Risk Assessment
    Familiarity with Business / Regulatory

    Risk Analysis : Risk Elements

    The potential that a given threat will exploit vulnerabilities of an asset or group of assets to cause loss or damage to the assets. The impact or relative severity of the risk is proportional to the business value of the loss/damage and to the estimated frequency of the threat.



    Risk Analysis : Business Risk

    Business risks are those threats that may impact the assets, processes or objectives of a specific business organization. The nature of these threats may be:

    Financial
    Regulatory
    Operational
    Or may arise as a result of the interaction of the business with its environment
    Or may arise as a result of the strategies, systems and particular technology, process, procedure and information system used by the business

    Internal Control

    Policies, procedures, practices and organizational structure put into place to reduce risks.

    Control Classification

    1. Preventive
    2. Detective
    3. Corrective

    Internal Control Objectives

    Are statements of the desired result or purpose to be achieved by implementing control procedures in a particular activity.

    Internal Accounting Controls
    Operational Controls
    Administrative Controls

    Internal Control Objectives include :

    1. Safeguard of information technology assets
    2. Compliance to corporate policies or legal
    3. Authorization/Input
    4. Accuracy and completeness of processing of transactions
    5. Output
    6. Reliability of process
    7. Backup / Recovery
    8. Efficiency and economy of operation

    IS Control Objectives include :

    1. Safeguard Assets
    2. Integrity of general operations
    3. Integrity of sensitive and critical application systems through:
       Authorization, Accuracy, Reliability, Completeness and security of Output, Database Integrity
    4. Efficiency & Effectiveness
    5. Compliance
    6. Continuity & Disaster Recovery Plan
    7. Incident Response and Handling plan

    IS Systems Control Procedures include :

    1. Strategy and Direction
    2. General Organization and management
    3. Access to data and programs
    4. System development methodologies and change control
    5. Data Processing operations
    6. Systems programming and technical support functions
    7. Data Processing and quality assurance procedures
    8. Physical access controls
    9. Business continuity/Disaster recovery planning
    10. Networks and communications
    11. Data Administration

    Classification of Audits :

    1. Financial Audit
    2. Operational Audit
    3. Integrated Audit
    4. Administrative Audits
    5. Information System Audits
    6. Special Audit (3rd Party & Forensic: Frauds and crimes)

    An Information System Audit : Any audit that encompasses review and evaluation of automated information processing, related non-automated processes and the interfaces between them.

    Audit Procedures :

    1. Understanding of the Audit area/subject
    2. Risk Assessment
    3. Detailed audit planning
    4. Preliminary review of Audit area/subject
    5. Evaluating Audit area/subject
    6. Compliance Testing (often test of controls)
    7. Substantive testing
    8. Reporting
    9. Follow-up

    Audit Risk :

    Risk that the information/financial report may contain material error that may go undetected during the course of Audit.

    Categories of Audit Risk :

    1. Inherent Risk
    2. Control Risk
    3. Detection Risk
    4. Overall Audit Risk

    Risk Assessment Techniques :

    These techniques may be computerized or non-computerized, scoring-based or judgment-based, drawing upon business knowledge, executive management directives, historical perspective, business goals and environmental factors.

    Compliance Testing :

    A compliance test determines if controls are being applied in a manner that complies with management policies and procedures.

    Substantive Testing :

    A substantive test substantiates the integrity of actual processing.

    Evidence :

    Evidence is any information used by the auditors to determine whether the entity or data being audited follows the established audit criteria or objectives. Evidence should be sufficient, relevant and competent.

    Reliability of Evidence :

    Independence of the provider
    Qualification of the provider
    Objectivity of the evidence
    Timing of the evidence

    Evidence gathering Techniques :

    Reviewing IS organization structures
    Reviewing IS Policies
    Reviewing IS Standards
    Reviewing IS documentation
    Interviewing appropriate personnel
    Observing processes and employees


    Computer Assisted Audit Techniques (CAATs) :

    Generalized Audit Software, Utility Software, test data, application software tracing and mapping, and expert systems.

    These tools can be used for:
    Test of details of transactions and balances
    Analytical review procedures
    Compliance test of IS general controls
    Compliance test of Application controls
    Penetration and OS vulnerabilities

    CAATs Advantages :

    Reduced level of Audit Risk
    Greater independence from the auditee
    Broader and more consistent audit coverage
    Faster availability of information
    Improved exception identification
    Greater flexibility of run times
    Greater opportunity to quantify internal control weakness
    Enhanced sampling
    Cost saving over time

    Evaluation of Strengths and Weaknesses of Audit :

    Judgment
    Control Matrix (ranking) (Columns: known types of errors; Rows: known controls)
    Compensating/Overlapping Controls
    Totality of Controls
    Supporting evidences
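    The control matrix (columns: known error types; rows: known controls) and the compensating/overlapping-controls idea can be evaluated mechanically. The Python below is an added example, not from the original slides: the 0-3 ranking scale, the two thresholds, and the control and error names are constructed assumptions.

```python
"""Control matrix evaluation (added example; names, scores and thresholds are constructed).

Rows are known controls, columns are known error types; each cell ranks how well
that control addresses that error: 0 = not at all, 1 = weak, 2 = moderate, 3 = strong.
"""

ERROR_TYPES = ["duplicate_txn", "unauthorized_change", "lost_data", "wrong_amount"]

# Constructed sample matrix: control name -> ranking per error type.
CONTROL_MATRIX = {
    "input_validation":     {"duplicate_txn": 2, "unauthorized_change": 0, "lost_data": 0, "wrong_amount": 2},
    "change_approval":      {"duplicate_txn": 0, "unauthorized_change": 3, "lost_data": 0, "wrong_amount": 0},
    "batch_totals":         {"duplicate_txn": 3, "unauthorized_change": 0, "lost_data": 1, "wrong_amount": 2},
    "daily_reconciliation": {"duplicate_txn": 1, "unauthorized_change": 1, "lost_data": 0, "wrong_amount": 1},
}

STRONG = 3          # assumed: one control ranked 3 is adequate on its own
ADEQUATE_TOTAL = 3  # assumed: overlapping weaker controls summing to >= 3 compensate


def coverage(matrix, error_types):
    """Return {error_type: [(control, rank), ...]} for ranks > 0, strongest first."""
    cov = {}
    for err in error_types:
        hits = [(ctrl, ranks.get(err, 0)) for ctrl, ranks in matrix.items() if ranks.get(err, 0) > 0]
        cov[err] = sorted(hits, key=lambda h: (-h[1], h[0]))
    return cov


def evaluate(matrix, error_types):
    """Classify each error type as a strength, compensated, or a weakness.

    strength:    at least one control ranked STRONG addresses the error
    compensated: no strong control, but overlapping controls sum to ADEQUATE_TOTAL
    weakness:    total coverage below ADEQUATE_TOTAL (includes errors with no control)
    """
    result = {"strength": {}, "compensated": {}, "weakness": {}}
    for err, hits in coverage(matrix, error_types).items():
        total = sum(rank for _, rank in hits)
        if hits and hits[0][1] >= STRONG:
            result["strength"][err] = [c for c, _ in hits]
        elif total >= ADEQUATE_TOTAL:
            result["compensated"][err] = [c for c, _ in hits]
        else:
            result["weakness"][err] = [c for c, _ in hits]
    return result


if __name__ == "__main__":
    for bucket, errs in evaluate(CONTROL_MATRIX, ERROR_TYPES).items():
        print(bucket, errs)
```

    The "weakness" bucket is where an auditor would look for supporting evidence of controls the matrix does not yet record before reporting a finding.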

    Communicating Audit Results :

    Constraints on the conduct of the Audit :
