xlibrary.skillport.com course ware content cca sp cisa a

Upload: nitin-mathur

Post on 02-Mar-2016


7/18/2019 Xlibrary.skillport.com Course Ware Content Cca Sp Cisa A

Job Aid: ISACA IT Audit and Assurance Guidelines

https://xlibrary.skillport.com/courseware/Content/cca/sp _cisa_aOl_it_ enus/output/html/jas... 1115/2011

Purpose: Use this aid to learn the meaning and purpose of the IT Audit and Assurance Guidelines published by ISACA.

Each entry below gives the guideline number and title, the effective date where the job aid lists one, and a description of what the guideline covers and which IS Audit Standards (S1 to S20) it helps the auditor apply.

G1 Using the Work of Other Auditors (effective March 1, 2008)

Provides guidance on when to consider assistance from other audit experts during an audit assignment. For example, you can consider using the work of experts such as IS auditors from external accounting firms, IT experts in a specific audit area who are appointed by senior management or the audit committee, or management consultants. You may need the help of an expert when you have limited knowledge of the process being audited, when audit resources are scarce, or when the nature of the tasks to be carried out requires particular expertise. An expert can also help when you face constraints in the audit assignment or want to improve the quality of the audit. This guideline is associated with standards S6 and S13.

G2 Audit Evidence Requirement (effective May 1, 2008)

Explains how to collect sufficient and suitable evidence and how to analyze it. The results of that analysis form the basis of the audit results. This guideline is used to achieve standards S6, S9, S13, and S14.

G3 Use of Computer-Assisted Audit Techniques (CAATs) (effective March 1, 2008)

Equips you with tools and techniques to review an IS system. Organizations increasingly use information systems to store, exchange, and process business data, so it is essential that you are able to use the relevant IS tools and conduct an effective review of an IS system. The guideline covers tools and techniques including generalized audit software, customized queries or scripts, utility software, software tracing and mapping, and audit expert systems. Using these tools, you can widen audit coverage, conduct exhaustive and consistent data analysis, and reduce risk in the audit procedure. You should use this guideline to implement standards S3, S5, S6, S7, and S14.

G4 Outsourcing of IS Activities to Other Organizations (effective May 1, 2008)

Guides you in auditing IS services that the organization has outsourced. An organization may outsource IS activities such as data centre operations, security, and application system development and maintenance. Depending on its geographical location, the IS service provider will use its own systems or the organization's systems. The responsibility to conform to contracts, other agreements, and legal rules rests with the organization, but the right to conduct an audit and the responsibility to comply with an audit are often unclear. The objective of this guideline is to set out how the IS auditor meets standards S1, S5, and S6 in such situations.

G5 Audit Charter

Provides the details for creating an audit charter. One of the integral activities of an auditor is to prepare an audit charter before beginning the audit assignment. In this document you identify the people responsible, accountable, and authoritative for the audit activities. The guideline is aimed at helping auditors prepare audit charters before an internal audit, but you can refer to it whenever it is appropriate for any other activity. By using this guideline, you can implement standard S1 in your audits.

G6 Materiality Concepts for Auditing Information Systems (effective May 1, 2008)

Guides you in assessing the materiality of the non-financial aspects of an IS audit. Unlike financial audits, where materiality is measured in terms of money, auditing information systems has no single yardstick for evaluating the system. It may not be possible to determine a consistent metric for activities such as physical and logical access, program change control, password policy, and design and quality checks. By using this guideline, you can assess the materiality of IS audits before commencing the audit. The guideline also helps you focus on high risks and errors in the IS system at the audit planning stage. Using it ensures that the auditor complies with standards S5, S10, S12, and S19.

G7 Due Professional Care

Discusses the meaning of the term 'due professional care'. The IT Audit Standards and the Code of Professional Ethics emphasize the need for diligence and professional care by an auditor in the audit process, and this guideline helps you meet those requirements. If a member of ISACA or a CISA fails to act according to the Code of Professional Ethics at any point in an audit, ISACA will conduct an investigation and take disciplinary action if required. This guideline helps to apply standards S2, S3, and S4.

G8 Audit Documentation

Describes the documentation activities you carry out to record and support your audit. An auditor needs to document all essential details related to the audit in order to give formal support to the process. This guideline enables you to implement standards S5, S6, S7, S12, and S13.

G9 Audit Considerations for Irregularities (effective September 1, 2008)

Use this guideline to deal with issues pertaining to irregular and illegal acts by employees. Your duties and responsibilities when you detect irregular and illegal activities during your audit engagement are elaborated in standard S9 of the IS Audit Standards. By using this guideline, you can comply with standards S3, S5, S6, and S7, in addition to S9.

G10 Audit Sampling (effective August 1, 2008)

Helps you design a sampling procedure and assess the sample results. An auditor should conclude an audit based on the evidence collected during the review. Standard S6 of the IS Audit Standards requires the auditor to obtain 'sufficient, reliable, relevant and useful evidence' and to use appropriate methods to analyze it. You can achieve this standard by following this guideline.
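The following script is an added example, not part of the ISACA job aid or of ISACA's own material. It illustrates two of the entries above in working code: the "customized queries or scripts" that G3 lists among CAATs (a duplicate-payment test run over a ledger extract) and the reproducible sample selection and attribute-test evaluation that G10 describes. The payment records, the 30-day duplicate window, the approval attribute and the seed are all constructed for illustration; a real engagement would read an export of the accounts-payable ledger and take the sample size from the auditor's sampling plan.

```python
"""CAAT-style audit script: duplicate-payment test (G3) and attribute sampling (G10).

Added example; the records and parameters below are constructed, not real data.
"""
import random
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Payment:
    payment_id: str
    vendor: str
    invoice_no: str
    amount: float
    paid_on: date
    approved_by: str  # empty string means no approval was recorded


# Constructed sample population (a real CAAT would load the AP ledger export).
PAYMENTS = [
    Payment("P001", "ACME", "INV-100", 1200.00, date(2011, 10, 3), "jdoe"),
    Payment("P002", "ACME", "INV-100", 1200.00, date(2011, 10, 12), "jdoe"),  # double payment of P001
    Payment("P003", "GLOBEX", "INV-7", 480.50, date(2011, 10, 4), "asmith"),
    Payment("P004", "INITECH", "INV-55", 9800.00, date(2011, 10, 5), ""),     # no approval
    Payment("P005", "ACME", "INV-101", 1200.00, date(2011, 12, 1), "jdoe"),   # same amount, 59 days later
    Payment("P006", "GLOBEX", "INV-8", 480.50, date(2011, 10, 6), "asmith"),  # same amount as P003, 2 days later
    Payment("P007", "INITECH", "INV-56", 150.00, date(2011, 10, 7), "asmith"),
    Payment("P008", "UMBRELLA", "INV-2", 2500.00, date(2011, 10, 8), ""),     # no approval
]


def duplicate_payments(payments, window_days=30):
    """Flag pairs with the same vendor and amount paid within `window_days` of each other.

    Same-invoice pairs are the classic double payment; same-amount pairs with
    different invoice numbers are reported as candidates for follow-up.
    """
    by_key = defaultdict(list)
    for p in payments:
        by_key[(p.vendor, round(p.amount, 2))].append(p)
    flagged = []
    for group in by_key.values():
        group.sort(key=lambda p: p.paid_on)
        for i, a in enumerate(group):
            for b in group[i + 1:]:
                if (b.paid_on - a.paid_on) <= timedelta(days=window_days):
                    reason = ("same invoice" if a.invoice_no == b.invoice_no
                              else "same amount, different invoice")
                    flagged.append((a.payment_id, b.payment_id, reason))
    return flagged


def attribute_sample(payments, sample_size, seed):
    """Select a simple random sample for attribute testing.

    The seed is recorded in the working papers so that the selection can be
    re-performed by a reviewer (G10: the sampling procedure must be assessable).
    """
    rng = random.Random(seed)
    return rng.sample(list(payments), sample_size)


def deviation_rate(sample, attribute):
    """Attribute test: fraction of sampled items that fail `attribute`, plus the failures."""
    failures = [p for p in sample if not attribute(p)]
    return len(failures) / len(sample), [p.payment_id for p in failures]


def has_approval(p):
    """Control attribute under test: every payment carries a recorded approver."""
    return bool(p.approved_by.strip())


if __name__ == "__main__":
    for a, b, reason in duplicate_payments(PAYMENTS):
        print(f"possible duplicate: {a} / {b} ({reason})")
    sample = attribute_sample(PAYMENTS, sample_size=4, seed=20111105)
    rate, failed = deviation_rate(sample, has_approval)
    print(f"sample deviation rate: {rate:.0%}, failed items: {failed}")
```

The duplicate test deliberately keys on vendor and amount rather than on invoice number alone, because a re-keyed invoice with a slightly different number is the common way a double payment slips past a naive check; the 30-day window keeps recurring legitimate charges (P001 versus P005) out of the exception list. The seeded sample is what makes the G10 procedure auditable: a reviewer who re-runs the script with the same seed obtains the same items.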

G11 Effect of Pervasive IS Controls (effective August 1, 2008)

Provides an integrated method to recognize and test the management and monitoring controls relevant to your audit and to determine the effect of those controls on the audit findings. When you audit internal controls to determine whether an IS system is effective, you should consider evaluating the ways in which the system is managed and monitored. When you find gaps in the monitoring strategy, you will be able to judge the risks involved in the audit as well as the suitable approach to conduct it. Of the numerous management and monitoring controls, only a few may be specific to your audit activity, so it is necessary to identify the controls relevant to your audit objectives. This guideline provides guidance on applying standard S6 of the IS Audit Standards.

G12 Organizational Relationship and Independence (effective August 1, 2008)

Clarifies the term independence and explains the attitude and independence the auditor needs when auditing. Audit results can only be objective if the audit process is not influenced by other parties. Standard S2 of the IT Audit Standards stresses the need for auditors to maintain independence while planning, conducting, and concluding the audit. This guideline helps to meet S2 and S3.

G13 Use of Risk Assessment in Audit Planning (effective August 1, 2008)

Provides techniques you can apply to judge the potential risks in the audit activity. You decide which controls to audit and how to audit them according to the audit objectives. This is a subjective decision, which may give rise to two types of risk: an incorrect conclusion from the audit observations, and an inappropriate area of audit that does not meet the audit objective. As with the recommended practices for financial audits, you need guidance to apply risk assessment techniques in the IS audit. This guideline ensures that you adhere to standards S5 and S6 of the IT Audit Standards.

G14 Application Systems Review (effective October 1, 2008)

Recommends practices for conducting an application systems review. Such a review deals with the risks to the information technology and information systems set up in the organization. Application risks are classified as system-level and data-level. Incapacity to handle a system or failure to update it is a system-level risk; mishandling of data, access to unauthorized data, and processing of incomplete data are data-level risks. Controls are responsible for the functioning of each application, and to audit them the auditor needs to identify, document, test, and assess the relevant controls for the application. By following this guideline, you can implement standard S6.

G15 Planning Revised (effective May 1, 2010)

Defines the components of the planning process mentioned in standard S5 of the IT Audit Standards. According to that standard, the auditor should plan the scope of the audit with respect to the audit objectives, relevant laws, and professional auditing standards. By adopting this guideline, you can achieve standards S5, S11, and S12, and decide on an audit process that meets the objectives of COBIT.

G16 Effect of Third Parties on Organization's IT Controls (effective March 1, 2009)

Use this guideline when you want to assess the impact of third parties on the organization's information systems. You should always keep a check on the influence of third parties on the organization's information system controls and related objectives. This guideline helps you comply with standards S5 and S6 of the IS Audit Standards as well as COBIT.

G17 Effect of Non-audit Role on IS Auditor's Independence (effective May 1, 2010)

Helps you respond when your independence is impaired by a non-audit role. When your independence is impaired, you can use the framework in this guideline to inform the authorities concerned, consider alternative approaches to the audit, and decide what must be disclosed to management about the impairment. This guideline is set out to meet standards S2 and S3.

G18 IT Governance (effective September 1, 2008)

Enables you to audit IT governance in an organization and guides you to a relevant approach for the audit. Using this guideline, you can determine whether your organizational position is suitable for the audit, which concerns to include when planning the audit, and which evidence to evaluate for the audit results. It also makes you aware of the reporting standards, including the content of the report and the follow-up tasks to consider. Implementing this guideline helps the auditor comply with standard S6.

G19 Irregularities and Illegal Acts (withdrawn)

G20 Reporting (effective January 1, 2003)

Helps you follow the reporting standards when creating an audit report. According to standard S7 of the IT Audit Standards, at the end of the audit activity the auditor should create and submit the audit report to management. To adhere to that standard as well as COBIT, you should use this guideline.

G21 Enterprise Resource Planning (ERP) Systems Review (effective August 1, 2003)

Explains how you can adhere to the ISACA standards and COBIT when reviewing an ERP system or an ERP implementation project. ERP is a core activity in an organization that deals with human resources and software systems; it is done to plan and streamline resources and to use a software system to manage the complete business process. By using this guideline, you can implement standards S2 and S6 of the IT Audit Standards.

G22 Business-to-consumer (B2C) E-commerce Review (effective October 1, 2008)

Contains recommended practices for reviewing B2C e-commerce tasks and applications. B2C e-commerce is a business method in which an organization uses the Internet for its transactions with its customers. When you follow this guideline, you can readily apply standard S6 of the IT Audit Standards.

G23 System Development Life Cycle (SDLC) Review

Use this guideline when an organization wants to assess the SDLC of its application systems. The system development life cycle refers to the phases of identifying the need for, acquiring, and deploying application systems for the business processes. This guideline helps you comply with standards S6, S14, S17, and S20.

G24 Internet Banking

Elaborates the recommended procedures for assessing Internet banking initiatives, software applications, and deployments. Organizations that use online banking facilities are more susceptible to mishandling of funds and fraudulent activities, and this guideline provides ways to identify and mitigate the possible risks. It ensures that you perform in accordance with standards S2, S4, S5, and S6 of the IT Audit Standards.

G25 Review of Virtual Private Networks (effective July 1, 2004)

Describes suggested practices for auditing the implementation of Virtual Private Networks (VPNs) in accordance with the IS Audit and Assurance Standards. Business processes transacted over a global network rely on VPNs to carry data to its destination. The guideline covers the areas you need to know before reviewing a VPN, such as the basics of VPN architecture, its topology, and the associated risks. Implementing this guideline helps you meet standard S6 of the IT Audit Standards.

G26 Business Process Reengineering (BPR) Project Reviews (effective July 1, 2004)

Use this guideline when you want to evaluate new business processes to ensure that they comply with IS rules. Organizations may redesign their business processes to enhance performance and adapt to a dynamic business environment. The framework in this guideline consists of basic reengineering issues and can be used to gauge the essential tasks and potential risks of BPR projects with consideration of the IS aspects. This guideline enables you to comply with standard S6 of the IT Audit Standards.

G27 Mobile Computing (effective September 1, 2004)

Use this guideline when an organization wants to test the security strength of its mobile access to applications and data. Many current business processes can be carried out using wireless and mobile communication technologies, and this guideline lets you review the security of that business communication technology. The review may be a standalone review or part of an audit assignment. Following this guideline ensures that you achieve standards S1, S4, S5, and S6 of the IT Audit Standards.

G28 Computer Forensics (effective September 1, 2004)

Use this guideline to perform a computer forensic analysis. Illegal access to and fraudulent use of information are major threats to an information system. You should be able to confirm whether the IS setup is reliable and advise on a suitable information system if required, and you should have a fundamental knowledge of computer forensics to identify and avoid such acts. By adopting this guideline, you can meet standards S3, S4, S5, and S6 of the IT Audit Standards.

G29 Postimplementation Review (effective January 1, 2005)

Use this guideline to assess the IS system after the recommendations of your audit have been implemented. It also provides procedures for reviewing solutions that were unsuccessful or discarded before implementation. This guideline helps you adhere to standards S6 and S8 when reviewing the solutions.

G30 Competence (effective June 1, 2005)

Guides you in gauging your competence for performing an audit. Standard S4 of the IT Audit Standards asserts that an auditor should be professionally competent in the audit activity undertaken. By using this guideline,

G31 Privacy

Describes how you can comply with the IS Audit Standards relevant to privacy. As an IS auditor, you are entrusted with the confidentiality of business data and must not disclose the organization's private information to third parties. This guideline is set out to meet standards S1, S5, and S6 of the IT Audit Standards.

G32 Business Continuity Plan Review From IT Perspective

Use this guideline to recognize, document, check, and assess the internal controls and risks relating to the Business Continuity Plan (BCP). The existence of numerous threats to business has made it essential for organizations to protect their business and safeguard the continuance of their operations. The primary aim of this guideline is to enable organizations to withstand IT risks that would stop the business. This guideline enables you to adhere to standard S6 of the IT Audit Standards.

G33 General Considerations on the Use of the Internet (effective March 1, 2006)

Use this guideline when you want to collect adequate, relevant, and useful evidence for a reliable review of Internet use. As many business processes use networking technology, you should be proactive in mitigating the possible risks of the Internet and protecting the business processes. This guideline recommends practices for assessing the use of the Internet in the organization. Implementing it ensures that your audit is in accordance with standards S4, S5, and S6.

G34 Responsibility, Authority and Accountability (effective March 1, 2006)

Use this guideline to create an audit charter or to take decisions about the professional ethics required for the audit. As per standards S1 and S3, all audit activities should clearly define the responsible and authoritative people in the audit. This guideline enables you to meet those standards.

G35 Follow-up Activities (effective March 1, 2006)

Explains how you should follow up the solutions given in the audit report. According to standard S8 of the IS Audit Standards, after submitting the audit results you should confirm that management has taken the necessary steps as concluded in the audit. This guideline helps you to meet that

G36 Biometric Controls

Provides guidance on assessing the biometric controls deployed in an organization. Many organizations are increasingly using biometric identification to secure their data and information assets, so you need to know the threats to this technology and the alternative measures in order to conduct a credible review. When reviewing biometric technology, you should have thorough knowledge of the technology, the controls applied to it, and the associated business process. This guideline enables you to audit biometric technology as per standards S6 and S10 of the IT Audit Standards.

G37 Configuration Management (effective November 1, 2007)

Helps you evaluate the configuration management process. Configuration management maintains a configuration repository of all hardware and software configurations: it collects the latest configuration information, sets baselines, reviews current configuration information against them, and updates the configuration repository when needed. The organization's IS professionals can also use this guideline to ensure availability of information systems, data integrity, and information confidentiality. This guideline assists in achieving standard S6 of the IT Audit Standards.
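The "set baselines, review configuration information, update the repository" cycle that G37 describes is, in practice, a drift check: the recorded baseline is compared with what is actually running, and every deviation is either accepted into the repository or raised as a finding. The script below is an added example written for this page; it is not from the ISACA job aid or from ISACA. The baseline, the "current" configuration, the sshd_config-style `Key value` format and the list of security-relevant keys are all constructed for illustration.

```python
"""Configuration drift check in the spirit of G37: baseline versus current state.

Added example; the two configurations and the key list below are constructed.
"""

# Approved baseline as it would be stored in the configuration repository.
BASELINE_CONFIG = """\
# approved baseline, recorded in the configuration repository
Port 22
PermitRootLogin no
PasswordAuthentication no
MaxAuthTries 3
X11Forwarding no
LogLevel VERBOSE
"""

# Configuration collected from the host during the review (constructed).
CURRENT_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication no
MaxAuthTries 3
X11Forwarding no
LogLevel INFO
AllowTcpForwarding yes
"""

# Keys whose deviation is a control finding rather than operational noise (assumed list).
SECURITY_RELEVANT = {"PermitRootLogin", "PasswordAuthentication",
                     "MaxAuthTries", "AllowTcpForwarding"}


def parse_config(text):
    """Parse `Key value` lines into a dict.

    Comments and blank lines are ignored; keys are lower-cased because the
    sshd_config format treats keywords case-insensitively.
    """
    items = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        items[key.lower()] = value.strip()
    return items


def drift(baseline_text, current_text):
    """Return keys added, removed and changed relative to the baseline."""
    base = parse_config(baseline_text)
    cur = parse_config(current_text)
    return {
        "added": {k: cur[k] for k in cur.keys() - base.keys()},
        "removed": {k: base[k] for k in base.keys() - cur.keys()},
        "changed": {k: (base[k], cur[k])
                    for k in base.keys() & cur.keys() if base[k] != cur[k]},
    }


def review(baseline_text, current_text, security_relevant=SECURITY_RELEVANT):
    """Split deviations into findings (security-relevant keys) and noise (everything else)."""
    relevant = {k.lower() for k in security_relevant}
    d = drift(baseline_text, current_text)
    findings, noise = [], []
    for k, v in d["added"].items():
        (findings if k in relevant else noise).append(
            f"{k}: added with value {v!r} (not in baseline)")
    for k, v in d["removed"].items():
        (findings if k in relevant else noise).append(
            f"{k}: removed (baseline value {v!r})")
    for k, (old, new) in d["changed"].items():
        (findings if k in relevant else noise).append(
            f"{k}: changed {old!r} -> {new!r}")
    return findings, noise


if __name__ == "__main__":
    findings, noise = review(BASELINE_CONFIG, CURRENT_CONFIG)
    for line in findings:
        print("FINDING:", line)
    for line in noise:
        print("note:   ", line)
```

Additions to the running configuration matter as much as changes: an option that the baseline never mentioned (here `AllowTcpForwarding`) is invisible to a check that only walks the baseline's keys, which is why `drift` computes both directions of the key-set difference. Deviations on non-security keys are still reported, because under G37 the repository must be corrected either way; they are simply not audit findings.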

G38 Access Control (effective February 1, 2008)

Use this guideline to apply the IS auditing standards relevant to controlling access to information and information assets. Organizations strive to secure their investments, information, and material assets from deliberate or accidental misuse. The technology implemented to process information is extensive and cumbersome to audit; because of the complex nature of the IS setup, organizations should have a comprehensive standard that they can customize and use as a baseline for protecting their IS access controls. This guideline is used to implement standards S1 and S3 of the IT Audit Standards.

G39 IT Organizations (effective May 1, 2008)

Enables you to audit IT governance in different organizational structures and to ensure an optimal IT structure for the organization. Though there is no ideal structure, the organizational structure is a key determinant of effective communication channels in the organization. Each organization may require different hierarchies based on its profile, business processes, management procedures, constraints, and strengths, but you can judge the effectiveness of a structure using a few attributes. Standard S10 of the IT Audit Standards elaborates on the requirements for IT governance, and this guideline ensures that the auditor applies that standard while evaluating the structure of the organization.

G40 Review of Security Management Practices (effective October 1, 2008)

Comprises an information security framework that can be used to gauge the effectiveness of the information security policies within the organization. One of the main aims of IS policies is to avert intentional or unintentional mishandling of business data, and the risks are greater when crucial information is leaked to other parties. This guideline helps you protect the organization's information and ensures that you adhere to standards S1 and S3 of the IT Audit Standards.

G41 Return on Security Investment (ROSI) (effective May 1, 2010)

Use this guideline when reviewing the return on security investment as part of an audit. Security measures should be profitable to the organization and bring value in terms of monetary returns. It is your duty to develop a quantifiable security system that can be periodically assessed to confirm that it is beneficial to the organization. By following this guideline, you can meet standard S10 of the IT Audit Standards.

G42 Continuous Assurance

Guides IT assurance professionals in planning, implementing, and maintaining continuous assurance processes and systems. You should continuously monitor the configuration of the existing information technology and the audit solutions for the IS system. For this, you should maintain a process and a system for continuous assurance of the organization's information security setup and information technology architecture.

It is not essential for you to follow all of these guidelines. You need to use your professional judgment to determine whether a guideline is appropriate for the current audit assignment. But if you deviate from a guideline, you should justify the deviation sufficiently.

Course: CISA Domain: The Process of Auditing Information Systems - Part 1
Topic: IT Audit and Assurance Guidelines, Tools, and Techniques

2011 SkillSoft Ireland Limited