Critically important to the survival and success of an organisation is effective management of information and related Information Technology (IT). In this global information society, where information travels through cyberspace without the constraints of time, distance and speed, this criticality arises from the:
• Increasing dependence on information and the systems that deliver this information
• Increasing vulnerabilities and a wide spectrum of threats, such as cyber threats and information warfare
• Scale and cost of the current and future investments in information and information systems
• Potential for technologies to dramatically change organisations and business practices, create new opportunities and reduce costs.
Management must ensure that an internal control system or framework is in place which supports the business processes and makes it clear how each individual control activity satisfies the information requirements and impacts the IT resources. IS auditing is required to ensure that such a system is in place and is working effectively.
The specialized nature of information systems auditing, and the knowledge and skills necessary to perform such audits, require globally applicable standards that apply specifically to information systems auditing. One of the Association's goals is to advance standards to meet this need. One of the most important functions of ISACA is providing information (a common body of knowledge) to support these knowledge requirements. The development and dissemination of Standards for Information Systems Auditing are a cornerstone of the Association's professional contribution to the audit community.
The ISACA Code of Professional Ethics requires members of ISACA and holders of the CISA designation to comply with Information Systems Auditing Standards adopted by ISACA. Apparent failure to comply with these may result in an investigation into the member’s or CISA holder’s conduct by ISACA or an appropriate ISACA board or committee. Disciplinary action may ensue. There are 8 areas within the standards. They are the audit charter, independence, professional ethics and standards, competence, planning, performance of audit work, reporting and follow-up activities.
Controls are generally categorized into 3 major classifications:
• Preventive: controls that deter problems before they arise.
• Detective: controls that detect and report the occurrence of an error, omission or malicious act.
• Corrective: controls that minimize the impact of a threat, remedy problems discovered by detective controls and identify the cause of a problem.
Refer to exhibit 1.1 on pages 32 and 33 of the 2005 CISA Review Manual for further details.
The IS auditor should understand the basic control objectives that exist for all functions. Internal control system components include internal accounting controls, operational controls and administrative controls. The IS control objectives include:
• Safeguarding assets: information on automated systems is secured from improper access and kept up to date.
• Assuring the integrity of general operating system environments, including network management and operations.
• Assuring the integrity of sensitive and critical application system environments, including accounting/financial and management information (information objectives), through:
  - Authorization of the input: each transaction is authorized and entered only once
  - Accuracy and completeness of processing of transactions: all transactions are recorded and entered into the computer for the proper period
  - Reliability of overall information processing activities
  - Accuracy, completeness and security of the output
  - Database integrity
• Ensuring the efficiency and effectiveness of operations (operational objectives).
• Complying with the users' requirements and with organizational policies and procedures as well as applicable laws and regulations (compliance objectives).
• Developing business continuity and disaster recovery plans.
• Developing an incident response and handling plan.
Note to the instructor: The CISA candidate should be aware that it is important that the auditor understands the relationships between control objectives and controls; control objectives and audit objectives; criteria and the sufficiency and competency of evidence; and audit objectives, criteria and audit procedures. A strong understanding of these elements is key to the auditor's performance.
Internal control objectives apply to all areas, whether manual or automated. Therefore, control objectives in an IS environment remain unchanged from a manual environment; however, the implemented control features may be different.
COBIT (Control Objectives for Information and related Technology) is published by the ISACF and the IT Governance Institute, through ISACA. COBIT is the industry's leading framework for information system control objectives and related good practices in support of governance, control and assurance for information and related technology. COBIT consists of 34 high-level control objectives representing IT processes grouped into four domains: planning and organization, acquisition and implementation, delivery and support, and monitoring. Supporting these IT processes are over 300 detailed control objectives.
The following are examples of IS control objectives:
• Information on automated systems is secured from improper access and kept up to date.
• Each transaction is authorized and entered only once.
• All transactions are recorded and entered into the computer for the proper period.
• All rejected transactions are reported.
• Duplicate transactions are reported.
• Files are adequately backed up to allow for proper recovery.
• All changes to operating software are approved and tested.
Give 5 examples of control objectives to candidates. Note to the instructor: Instruct CISA candidates that they will not be asked to identify specific control objectives from COBIT, but rather to understand how each is applied in practice.
In addition to understanding business risk and control, the IS auditor must understand that risk also exists within the audit process itself.
AUDITING IN A COMPUTER INFORMATION SYSTEMS ENVIRONMENT
Internal auditing is an independent, objective assurance and consulting activity within an organization that is guided by a philosophy of adding value to improve operations of the organization. It assists an organization in accomplishing its objectives by bringing a systematic and disciplined approach to evaluate and improve the effectiveness of the organization’s risk management, control and governance processes.
The role of internal auditing is determined by management, and the function's objectives vary according to management's requirements; as such, it is part of the entity.
External audit, on the other hand, is carried out independently to express an opinion on the fairness of the financial statements, with the primary concern and objective of determining whether the financial statements are free from material misstatement. It is, therefore, not part of the entity.
Nevertheless some of the means of achieving their respective objectives are often similar and thus certain aspects of internal auditing may be useful in determining the nature, timing and extent of external audit procedures.
IS auditing is the process of collecting and evaluating evidence to determine whether information systems and related resources adequately safeguard assets, maintain data and system integrity, provide relevant and reliable information, achieve organizational goals effectively, consume resources efficiently, and have in effect internal controls that provide reasonable assurance that operational and control objectives will be met.
Planning: The information systems auditor is to plan the information systems audit work to address the audit objectives and to comply with applicable professional auditing standards and requirements.
Supervision: Information systems audit staff are to be appropriately supervised to provide assurance that audit objectives are accomplished and applicable professional auditing standards are met.
Evidence : During the course of the audit, the information systems auditor is to obtain sufficient, reliable, relevant and useful evidence to achieve the audit objectives effectively. The audit findings and conclusions are to be supported by appropriate analysis and interpretation of this evidence.
Reporting: The information systems auditor is to provide a report, in an appropriate form, to the intended recipients upon completion of the audit work. The audit report is to state the scope, objectives, period of coverage and the nature and extent of the audit work performed. The report is to identify the organization, the intended recipients and any restrictions on circulation. The report is to state the findings, conclusions and recommendations, and any reservations or qualifications that the auditor has with respect to the audit.
Follow-up: The information systems auditor is to request and evaluate appropriate information on previous relevant findings, conclusions and recommendations to determine whether appropriate actions have been implemented in a timely manner.
IT Risk: The chance that information systems will not satisfy the business requirement of ensuring the achievement of IT objectives and responding to threats to the provision of IT services.
Control: Control is defined as the policies, procedures, practices and organizational structures designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented or detected and corrected.
Control Objectives: An IT control objective is defined as a statement of the desired result or purpose to be achieved by implementing control procedures in a particular IT activity.
Control Practices: A key control mechanism that supports the achievement of control objectives through responsible use of resources, appropriate management of risk and alignment of IT with the business.
Control objectives in an information systems environment remain unchanged from those of a manual environment. However, the control features may be different. The internal control objectives therefore need to be addressed in a manner specific to IS-related processes.
To plan an audit, the IS auditor should:
1. Gain an understanding of the business' mission, objectives, processes, information and processing requirements (such as availability, integrity and security) and information architecture requirements; in general terms, the business processes and the technology that supports them.
2. Perform a risk analysis.
3. Conduct an internal control review.
4. Set the audit scope and audit objective(s).
5. Develop the audit approach or audit strategy.
6. Assign resources to the audit and address engagement logistics.
The audit methodology is a set of documented audit procedures designed to achieve the planned audit objectives; the audit strategy is this methodology as applied to a particular engagement. Its components are:
Control objective: A control objective refers to how an internal control should function.
Audit objective: Audit objective refers to the specific goals of the audit. An audit may incorporate several audit objectives. Audit objectives often center around substantiating that internal controls exist to minimize business risks. Management may give the IS auditor a general objective to follow when performing an audit.
A key element in planning an information systems audit is to translate basic audit objectives into specific information systems audit objectives.
More and more organizations are moving to a risk-based audit approach, which is usually adopted to develop and improve the continuous audit process. This approach is used to assess risk and to assist with an IS auditor's decision to do either compliance testing or substantive testing.
In a risk-based audit approach, IS auditors are not just relying on risk; they also are relying on internal and operational controls as well as knowledge of the company or the business. This type of risk assessment decision can help relate the cost-benefit analysis of the control to the known risk, allowing practical choices.
Business risks are the concerns about the probable effects of an uncertain event on achieving established objectives. The nature of these risks may be financial, regulatory or operational. By understanding the nature of the business, IS auditors can identify and categorize the types of risks that will better determine the risk model or approach in conducting the audit.
Inherent Risk - The risk that an error exists which could be material or significant when combined with other errors encountered during the audit assuming that there are no related compensating controls.
Control Risk - The risk that a material error exists that will not be prevented or detected on a timely basis by the system of internal controls.
Detection Risk - The risk that an IS auditor uses an inadequate test procedure and concludes that material errors do not exist when, in fact, they do.
Overall Audit Risk - The combination of the individual categories of audit risks assessed for each specific control objective. An objective in formulating the audit approach is to limit the audit risk in the area under scrutiny so the overall audit risk is at a sufficiently low level at the completion of the examination. Another objective is to assess and control those risks to achieve the desired level of assurance as efficiently as possible.
Control objectives and the related key controls that address the objective.
An auditor should be able to identify key controls and then decide to test these controls through substantive or compliance verification methods. The IS auditor is to identify application controls after developing an understanding of, and documenting, the application or function, and based upon that should identify the key control points. This allows the auditor to determine whether the controls are working as expected, and the results of compliance tests allow the auditor to design more extensive compliance or substantive testing.
Relationship between substantive and compliance tests and the two categories of substantive tests.
Substantive tests substantiate the integrity of actual processing. They provide evidence of the validity and integrity of the balances in the financial statements and of the transactions that support those balances.
Compliance tests determine if controls are being applied in a manner that complies with management policies and procedures.
Correlation between the level of internal controls and the amount of substantive testing required.
If the results of testing controls reveal the presence of adequate internal controls, the IS auditor is justified in minimizing the substantive procedures. Conversely, if testing the controls reveals weaknesses that may raise doubts about the completeness, accuracy or validity of the accounts, more extensive substantive testing is needed to alleviate those doubts.
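The following is an added example written for these notes; it is not from the CISA Review Manual. It makes the qualitative relationships above concrete using the conventional audit risk model, Audit Risk = Inherent Risk x Control Risk x Detection Risk, which the notes do not state explicitly and is therefore an assumption here. Given the inherent and control risk assessed during planning and compliance testing, the tolerated detection risk falls out of the target overall audit risk, and a lower tolerated detection risk means more substantive testing. The bands that translate detection risk into "minimal", "moderate" or "extensive" substantive testing are an illustrative assumption, not figures from the manual.

```python
"""Added example: sizing substantive testing from the audit risk model.

Assumption (not stated in the notes): overall audit risk is the product
Inherent Risk x Control Risk x Detection Risk, each expressed as a
probability in (0, 1]. The extent bands below are also an assumption.
"""


def _check_risk(name, value):
    """Reject risk values outside (0, 1]; a zero risk would make the model meaningless."""
    if not 0 < value <= 1:
        raise ValueError(f"{name} must be in (0, 1], got {value}")


def overall_audit_risk(inherent_risk, control_risk, detection_risk):
    """Combine the individual risk components into overall audit risk."""
    for name, value in (("inherent_risk", inherent_risk),
                        ("control_risk", control_risk),
                        ("detection_risk", detection_risk)):
        _check_risk(name, value)
    return round(inherent_risk * control_risk * detection_risk, 6)


def planned_detection_risk(target_audit_risk, inherent_risk, control_risk):
    """Detection risk the auditor can tolerate while keeping overall audit risk
    at the target. Capped at 1.0: detection risk cannot exceed certainty."""
    for name, value in (("target_audit_risk", target_audit_risk),
                        ("inherent_risk", inherent_risk),
                        ("control_risk", control_risk)):
        _check_risk(name, value)
    return round(min(1.0, target_audit_risk / (inherent_risk * control_risk)), 6)


def substantive_testing_extent(detection_risk):
    """Map tolerated detection risk to an extent of substantive testing.
    Lower tolerated detection risk requires more substantive work (assumed bands)."""
    _check_risk("detection_risk", detection_risk)
    if detection_risk >= 0.5:
        return "minimal"
    if detection_risk >= 0.2:
        return "moderate"
    return "extensive"


def plan_substantive_testing(target_audit_risk, inherent_risk, control_risk):
    """Return (tolerated detection risk, extent of substantive testing)."""
    dr = planned_detection_risk(target_audit_risk, inherent_risk, control_risk)
    return dr, substantive_testing_extent(dr)


if __name__ == "__main__":
    # Compliance testing found adequate controls: control risk assessed low.
    print(plan_substantive_testing(0.05, 0.5, 0.2))   # (0.5, 'minimal')
    # Compliance testing found weaknesses: control risk assessed high.
    print(plan_substantive_testing(0.05, 0.5, 0.8))   # (0.125, 'extensive')
```

With the same target audit risk and inherent risk, moving the control risk assessment from 0.2 to 0.8 cuts the tolerated detection risk from 0.5 to 0.125, which is exactly the correlation described above: weak controls push the auditor toward extensive substantive procedures.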
The audit findings and conclusions are to be supported by appropriate analysis and interpretation of the evidence. Today’s information processing environments pose a stiff challenge to the IS auditor to collect sufficient, relevant and useful evidence since the evidence exists on magnetic media and can only be examined using CAATs. With systems having different hardware and software environments, different data structure, record formats, processing functions, etc., it is almost impossible for the IS auditors to collect evidence without a software tool to collect and analyze the records.
Generalized audit software (GAS) gives IS auditors high-level, problem-solving software for invoking functions to be performed on data files. The functions supported by generalized audit software are:
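As an added example, not code from the CISA Review Manual or from any GAS product, the script below applies the kind of functions such software offers (file access, record reorganization and grouping, selection, arithmetic control totals, and a simple statistical selection) to a constructed transaction extract. It tests several of the control objectives listed earlier in these notes: duplicate transactions are reported, all rejected transactions are reported, and transactions are recorded in the proper period. The field names, the audit period and the sample data are assumptions made for the example.

```python
"""Added example: GAS-style audit tests over a transaction extract.

Illustrative code written for these notes. The extract below is constructed
sample data; field names and the audit period are assumptions.
"""
import csv
import io
from datetime import date
from decimal import Decimal

# Constructed extract: 1001/1002 are duplicate postings, 1003 was rejected,
# 1004 is dated outside the March period and 1006 has a negative amount.
SAMPLE_EXTRACT = """txn_id,date,account,amount,reference,status
1001,2005-03-01,4010,250.00,INV-771,POSTED
1002,2005-03-02,4010,250.00,INV-771,POSTED
1003,2005-03-03,5020,99.50,INV-772,REJECTED
1004,2005-04-01,4010,120.00,INV-773,POSTED
1005,2005-03-15,6030,1000.00,INV-774,POSTED
1006,2005-03-20,6030,-15.00,INV-775,POSTED
"""


def load_transactions(csv_text):
    """File access: parse the extract into typed records."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        rows.append({
            "txn_id": int(row["txn_id"]),
            "date": date.fromisoformat(row["date"]),
            "account": row["account"],
            "amount": Decimal(row["amount"]),
            "reference": row["reference"],
            "status": row["status"],
        })
    return rows


def report_duplicates(txns):
    """Reorganization: group posted records on (account, amount, reference)
    and report every group entered more than once."""
    groups = {}
    for t in txns:
        if t["status"] != "POSTED":
            continue
        key = (t["account"], t["amount"], t["reference"])
        groups.setdefault(key, []).append(t["txn_id"])
    return [sorted(ids) for ids in groups.values() if len(ids) > 1]


def report_rejected(txns):
    """Selection: every rejected transaction must appear on an exception report."""
    return [t["txn_id"] for t in txns if t["status"] == "REJECTED"]


def report_out_of_period(txns, period_start, period_end):
    """Selection: transactions not dated within the proper period (inclusive)."""
    return [t["txn_id"] for t in txns
            if not (period_start <= t["date"] <= period_end)]


def report_non_positive(txns):
    """Arithmetic edit check: posted records with a zero or negative amount."""
    return [t["txn_id"] for t in txns
            if t["status"] == "POSTED" and t["amount"] <= 0]


def control_total(txns):
    """Arithmetic: total of posted amounts, to agree to the ledger control total."""
    return sum((t["amount"] for t in txns if t["status"] == "POSTED"), Decimal("0"))


def interval_sample(txns, interval, start=0):
    """Statistical selection: systematic (every n-th record) sample for substantive testing."""
    ordered = sorted(txns, key=lambda t: t["txn_id"])
    return [t["txn_id"] for t in ordered[start::interval]]


def run_audit_tests(csv_text, period_start_iso, period_end_iso, sample_interval=2):
    """Run all tests against one extract and return the findings by test name."""
    txns = load_transactions(csv_text)
    start, end = date.fromisoformat(period_start_iso), date.fromisoformat(period_end_iso)
    return {
        "duplicates": report_duplicates(txns),
        "rejected": report_rejected(txns),
        "out_of_period": report_out_of_period(txns, start, end),
        "non_positive": report_non_positive(txns),
        "control_total": control_total(txns),
        "sample": interval_sample(txns, sample_interval),
    }


if __name__ == "__main__":
    for name, value in run_audit_tests(SAMPLE_EXTRACT, "2005-03-01", "2005-03-31").items():
        print(f"{name}: {value}")
```

Each function stands in for one class of GAS function; on a real engagement the same tests would run over the complete production extract rather than a six-record sample, and the control total would be agreed to the general ledger figure supplied by the auditee.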
After developing an audit program and gathering audit evidence, the next step is an evaluation of the information gathered in order to develop an audit opinion. This requires the IS auditor to consider a series of strengths and weaknesses and then to develop audit opinions and recommendations.
The IS auditor should assess the results of the evidence gathered for compliance with the control requirements or objectives established during the planning stage of the audit. This requires considerable judgment, as controls are often unclear. A control matrix is often utilized in assessing the proper level of controls.
As part of the information systems review, the IS auditor may discover a variety of strong and weak controls. All should be considered when evaluating the overall control structure . In some instances, one strong control may compensate for a weak control in another area. The IS auditor should be aware of compensating controls in areas where controls have been identified as weak.
A control objective will not normally be achieved by a single control considered in isolation. Controls must be evaluated to determine how they relate to each other: evaluate the totality of control by considering the strengths and weaknesses of the control procedures together.
Assess the strengths and weaknesses of the controls evaluated and then determine if they are effective in meeting the control objectives established as part of the audit planning process.
The concept of materiality is a key issue when deciding which findings to bring forward in an audit report. Key to determining the materiality of audit findings is the assessment of what would be significant to different levels of management.
Assessment requires judgment of the potential effect of the finding if corrective action is not taken. Assess what is significant to different levels of management. Discuss examples of what might be important to different levels of management and why.
Communicating audit results. Results or concerns should be communicated to senior management and to the audit committee of the board of directors. IS auditors should feel free to communicate issues or concerns to such management.
Audit report structure and contents. There is no specific format for an IS audit report; therefore, the organization's audit policies and procedures will generally dictate the format.
Exit interview. Used to discuss the findings of the audit and recommendations with management. Ensure that the facts presented in the report are correct, recommendations are realistic and cost effective, and if not, seek alternatives through negotiation with the audit area; and establish implementation dates for agreed recommendations.
The IS auditor is not effective if audits are performed and reports issued but not followed up to determine whether management has taken appropriate corrective action. IS auditors should have a follow-up program to determine whether agreed corrective actions have been implemented.
Timing of follow-up
The timing of follow-up will depend upon the criticality of the findings and would be subject to the IS auditor’s judgment. The results of the follow-up should be communicated to appropriate levels of management.
IS audit documentation is the record of the audit work performed and the audit evidence supporting the findings and conclusions (see ISACA Guidelines on audit documentation).
The IS auditor should understand techniques for documenting an information system as well as documenting the understanding of the information systems environment. The IS auditor should be able to prepare adequate work papers, narratives, complete interview questionnaires and create understandable systems flowcharts.
It is important for an IS auditor to consider a project management technique for managing and administering audit projects, whether automated or manual. Basic steps for this purpose include:
Develop a detailed plan. This should spread the necessary audit steps across a timeline. Realistic estimates should be made of the time requirements for each task, with proper consideration given to the availability of the auditee.
Report project activity against the plan. There should be some type of reporting system in place so that IS auditors can report their actual progress against the planned audit steps.
Adjust the plan and take corrective action as required. Actual accomplishments should be measured against the established plan on a continuous basis. Changes should be made to IS auditor assignments or to planned schedules as required.