CISA – Certified Information Systems Auditor
Information System Auditing Process
Audit Planning
• An audit plan is a step-wise approach to be followed to conduct an audit.
• It helps to establish the overall audit process in an effective and efficient manner.
• An audit plan should be aligned with the audit charter of the organization.
• To plan an audit, the IS auditor is required to have a thorough understanding of business processes, business applications,
and relevant controls.
• Audit planning includes both short- and long-term planning.
Audit charter
• The independence of the audit function is ensured through a management-approved audit charter.
• An audit charter is a formal document defining the internal audit's objective, authority, and responsibility.
• The audit charter covers the entire scope of audit activities.
• An audit charter must be approved by top management.
• An audit charter should not be changed too often, so procedural aspects should not be included in it. For the
same reason, it is recommended not to include a detailed annual audit calendar (planning, the allocation of resources,
audit fees, other audit expenses, and so on) in the audit charter.
• An audit charter should be reviewed annually to ensure that it is aligned with business objectives.
• An audit charter includes the following:
• The mission, purpose, and objective of the audit function
• The scope of the audit function
• The responsibilities of management
• The responsibilities of internal auditors
• The authorized personnel of the internal audit work
• If an audit is outsourced to an audit firm, the objective of the audit, along with its detailed
scope, should be incorporated in an audit engagement letter.
• Audit universe: An inventory of all the functions/processes/units under the organization.
• Qualitative risk assessment: In a qualitative risk assessment, risk is assessed using
qualitative parameters such as high, medium, and low.
• Quantitative risk assessment: In a quantitative risk assessment, risk is assessed using
numerical parameters and is quantified.
• Risk factors: Factors that have an impact on risk. The presence of those factors increases the
risk, whereas the absence of those factors decreases the risk.
• The following are some of the benefits of audit planning:
• It helps the auditor to focus on high-risk areas
• It helps in the identification of resource requirements to conduct the audit
• It helps to estimate the budget for the audit
• It helps to carry out audit work in a defined structure, which ultimately benefits the auditor as well as the
auditee units.
• The audit plan should be reviewed and approved by top management.
• Generally, approval is obtained from the audit committee of the board.
• The audit plan should be flexible enough to address the change in risk environment (that is, new regulatory
requirements, changes in the market condition, and other risk factors).
• The approved audit plan should be communicated promptly to the following groups:
• Senior management
• Business functions and other stakeholders
• The internal audit team
Individual audit assignments
• The next step after doing the overall annual planning is to plan individual audit assignments.
• The IS auditor must understand the overall environment under review. While planning an individual audit
assignment, an IS auditor should consider the following:
• Prior audit reports
• Risk assessment reports
• Regulatory requirements
• Standard operating processes
• Technological requirements
• Business process applications and controls
• E-commerce:
• Single-tier architecture runs on a single computer, that is, a client-based application
• Two-tier architecture includes a client and server
• Three-tier architecture consists of the following:
• A presentation tier (for interaction with the user)
• An application tier (for processing)
• A data tier (for the database)
• The risks are as follows:
• A compromise of confidential user data
• Data integrity issues due to unauthorized alterations
• The system being unavailable may impact business continuity
• The repudiation of transactions by either party
• The IS auditor's roles are as follows:
• To review the overall security architecture related to firewalls, encryption, networks, and PKI to ensure
the confidentiality, integrity, availability, and non-repudiation of e-commerce transactions
• To review the process of log capturing and monitoring for e-commerce transactions
• To review the incident management process
• To review the effectiveness of the controls implemented for privacy laws
• To review anti-malware controls
• To review business continuity arrangements
• Electronic Data Interchange (EDI)
• EDI is the online transfer of data or information between two enterprises.
• EDI ensures an effective and efficient transfer platform without the use of paper.
• EDI applications contain processing features such as transmission, translation, and the storage of
transactions flowing between two enterprises.
• An EDI setup can be either traditional EDI (batch transmission within each trading partner's
computers) or web-based EDI (accessed through an internet service provider).
• The risks are as follows:
• One of the biggest risks applicable to EDI is transaction authorization. Due to electronic interactions,
no inherent authentication occurs.
• Legal liability may be uncertain when there is no trading partner agreement.
• Any performance-related issues with EDI applications could have a negative impact on both parties.
• Other EDI-related risks include unauthorized access, data integrity and confidentiality, and the loss or
duplication of EDI transactions.
• The IS auditor's roles are as follows:
• To determine the data's confidentiality, integrity, and authenticity, as well as the non-repudiation of
transactions
• To determine invalid transactions and data before they are uploaded to the system
• To determine the accuracy, validity, and reasonableness of data
• To validate and ensure the reconciliation of totals between the EDI system and the trading partner's
system
• Point of Sale (POS)
• Debit and credit card transactions are the most common examples of POS.
• Data is captured at the time and place of sale.
• The risks of this are as follows:
• The risk of skimming, that is, the unauthorized capturing of card data with the purpose of duplicating
the card
• The risk of the unauthorized disclosure of PINs
• The IS auditor's objectives are as follows:
• To determine that data used for authentication (PIN/CVV) is not stored in the local POS system
• To determine that the cardholder's data (either at rest or in transit) is encrypted
• Electronic banking
• E-banking websites and mobile-based systems are integrated with the bank's core system to support automatic
transactions without any manual intervention.
• Automated processing improves processing speed and reduces opportunities for human error and fraud.
• Electronic banking increases the dependence on internet and communication infrastructure.
• Risks of this are as follows:
• Heavy dependence on internet service providers, telecommunication companies, and other technology firms
• Cyber risks such as system hacking, system unavailability, and a lack of transaction integrity
• The IS auditor's objectives are as follows:
• To determine the effectiveness of the governance and oversight of e-banking activities
• To determine arrangements for the confidentiality, integrity, and availability of e-banking infrastructure
• To determine the effectiveness of security controls with respect to authentication and the non-repudiation of electronic
transactions
• To review the effectiveness of the controls implemented for privacy laws
• Electronic funds transfer (EFT)
• Through EFT, money can be transferred from one account to another electronically, that is, without
cheque writing and cash collection procedures.
• Some of the risks are as follows:
• Heavy dependence on internet service providers, telecommunication companies, and other
technology firms
• Cyber risks such as system hacking, system unavailability, and a lack of transaction integrity
• The IS auditor's objectives are as follows:
• To determine the availability of two-factor authentication for secure transactions.
• To determine that systems and communication channels have undergone appropriate security testing.
• To determine that transaction data (either at rest or in transit) is encrypted.
• To determine the effectiveness of controls on data transmission.
• To review security arrangements for the integrity of switch operations. An EFT switch connects with all
equipment in the network.
• To review the log capturing and monitoring process of EFT transactions.
• In the absence of paper documents, it is important to have an alternate audit trail for each transaction.
• Image processing
• An image processing system processes, stores, and retrieves image data.
• An image processing system requires huge amounts of storage resources and strong processing power for scanning,
compression, displays, and printing.
• The use of image processing (in place of paper documents) can result in increased productivity, the immediate retrieval
of documents, enhanced control over document storage, and efficient disaster recovery procedures.
• Some of the risks are as follows:
• Implementation without appropriate planning and testing may result in system failure.
• The workflow system may need to be completely redesigned to integrate with the image processing system. Traditional
controls and audit processes may not be applicable to image processing systems.
• New controls must be designed for automated processes.
• Cyber risks such as system hacking, system unavailability, and a lack of transaction integrity.
• The IS auditor's objectives are as follows:
• To determine the effectiveness of controls on the inputs, processing, and outputs of image processing systems
• To determine the reliability of the scanners used for image processing
• To review the retention process for original documents
• To determine that original documents are retained at least until a good image has been captured
• To review the confidentiality, integrity, and availability arrangements of image processing systems
• To review the training arrangements for employees to ensure that the processes of image scanning and storing are
maintained as per the quality control matrix
• Artificial intelligence and expert systems
• Capture and utilize the knowledge and experience of individuals
• Improve performance and productivity
• Automate skilled processes without manual intervention
• A knowledge base in AI contains information about a particular subject and rules for interpreting that information.
• The components of a knowledge base include the following:
• Decision trees: Questions to lead the user through a series of choices
• Rules: Rules that use "if" and "then" conditions
• Semantic nets: A knowledge base that conveys meaning
• Knowledge interface: Stores expert-level knowledge
• Data interface: Stores data for analysis and decision making
• The risks are as follows:
• Incorrect decisions or actions performed by the system due to incorrect assumptions, formulas, or databases in the
system
• Cyber risks such as system hacking, system unavailability, and a lack of transaction integrity
• The IS auditor's roles are as follows:
• To assess the applicability of AI in various business processes and determine the associated potential risks
• To review adherence to documented policies and procedures
• To review the appropriateness of the assumptions, formulas, and decision logic built into the system
• To review the change management process for updating the system
• To review the security arrangements to maintain the confidentiality, integrity, and availability of the system
Controls and countermeasures
• The objective of implementing a control is to address risks by preventing, detecting, or correcting
undesirable events.
• Countermeasures are a type of control that is implemented to address specific threats. The objective of
general controls is to protect information assets from all kinds of threats whereas countermeasures are put
in place in response to a specific threat.
• The following are some examples of countermeasures:
• Disabling certain operating system commands to address a specific type of ransomware attack.
• Filtering all incoming emails may be impractical and expensive. In such a scenario, the
countermeasure could be email filtering for known spammers.
• It may not be possible to restrict mobile phones on the premises. In such a scenario, the
countermeasure could be cell phone jammers in sensitive areas.
• Countermeasures can also be non-technical, such as offering incentives for providing information with
respect to a specific attack.
• Arranging specific security training sessions for employees who failed in a phishing exercise.
Control categories
• Preventive (also commonly referred to as a "preventative control"): a control put in place to prevent an event from
occurring. Examples: locked doors, user authentication, encryption.
• Detective: the objective is to detect an event after it has occurred. Examples: audit, IDS, CCTV, checksums.
• Corrective: the objective is to correct errors and omissions. Example: data backups.
• Deterrent: the objective is to deter an event by providing a warning. Examples: warning signs, login banners.
• Directive: the objective is to mandate behaviour by specifying do's and don'ts. Example: an acceptable use
policy.
• Compensating: the objective is to address the absence or weakness of another control. Example: compensating for
a weak physical control with stringent logical access control.
• A control can be designed to either fail closed or fail open.
• The failure mode of the control impacts safety, confidentiality, and availability. For example, in the event of the
failure of an automatic door, an organization can opt for fail open (the door should remain open) or fail closed (the
door should remain closed).
• In the case of fail open, confidentiality and integrity may be compromised, and in the case of fail closed, availability
may be compromised.
• In such a situation, the risk should be determined for each element and a decision taken accordingly.
• The safety of human life is always considered first.
Risk-based audit planning
• Risk is the product of probability and impact.
• Probability and impact are equally important when identifying risk. For example, if the probability or
likelihood of a product being damaged is very high, with a value of "1", but the product barely costs anything,
the impact is "0" even if the product is damaged, and so the resulting risk (1 × 0) is also zero.
• A vulnerability is a weakness and a threat is something that can exploit said weakness.
• The risk that an activity poses, excluding any controls or mitigating factors – Inherent Risk
• The risk that remains after taking controls into account – Residual Risk
• Residual Risk = Inherent Risk – Control
• Audit risk refers to the risk that an auditor may not be able to detect material errors during the course of an
audit.
• Audit risk is influenced by inherent risk, control risk, and detection risk.
• The following list describes each of these risks:
• Inherent risk: This refers to the risk that exists before any control is applied.
• Control risk: This refers to the risk that internal controls fail to prevent or detect a material error.
• Detection risk: This refers to the risk that the internal audit's procedures fail to detect a material error.
• Audit Risk = Inherent Risk × Control Risk × Detection Risk
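An added example (not from the slides) that applies the audit-universe and risk-factor concepts from the planning section together with the formulas above: it scores each auditable unit, reduces inherent risk by the control in place to get residual risk, ranks the universe, and computes audit risk as IR × CR × DR. The units, risk factors, the high/medium/low scale, the risk-factor weight and the audit-frequency bands are all constructed or assumed values.

```python
"""Risk-based ranking of an audit universe (added example, not from the slides).

Implements the slide formulas: risk = probability x impact, residual risk =
inherent risk reduced by the control in place, and
audit risk = inherent risk x control risk x detection risk.
All units, factors and scores below are constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Qualitative ratings mapped onto the quantitative 0..1 scale (assumed mapping).
QUALITATIVE_SCALE = {"low": 0.2, "medium": 0.5, "high": 0.9}

# Weight added to probability for each risk factor present (assumed value).
RISK_FACTOR_WEIGHT = 0.1

# Residual-risk bands deciding how often a unit is audited (assumed bands).
AUDIT_FREQUENCY = [(0.5, "annual"), (0.2, "every 2 years"), (0.0, "every 3 years")]


@dataclass
class AuditableUnit:
    """One entry in the audit universe (a function, process or unit)."""
    name: str
    probability: float | str   # likelihood: 0..1 or a qualitative rating
    impact: float | str        # consequence: 0..1 or a qualitative rating
    risk_factors: list[str] = field(default_factory=list)
    control_effectiveness: float = 0.0   # 0 = no control, 1 = fully effective


def to_score(value):
    """Translate a qualitative rating into a number; pass numbers through."""
    if isinstance(value, str):
        return QUALITATIVE_SCALE[value.lower()]
    if not 0.0 <= value <= 1.0:
        raise ValueError(f"score must lie in 0..1, got {value}")
    return float(value)


def inherent_risk(unit):
    """Risk before any control: probability x impact.

    Each risk factor present raises the probability (capped at 1), because the
    slides describe risk factors as increasing risk when present.
    """
    probability = min(1.0, to_score(unit.probability)
                      + RISK_FACTOR_WEIGHT * len(unit.risk_factors))
    return probability * to_score(unit.impact)


def residual_risk(unit):
    """Risk that remains after the control is taken into account."""
    return inherent_risk(unit) * (1.0 - unit.control_effectiveness)


def audit_risk(inherent, control_risk, detection_risk):
    """Audit risk model from the slides: IR x CR x DR."""
    for name, value in (("inherent", inherent), ("control", control_risk),
                        ("detection", detection_risk)):
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"{name} risk must lie in 0..1, got {value}")
    return inherent * control_risk * detection_risk


def audit_frequency(residual):
    """Map a residual risk score onto an audit frequency band."""
    for threshold, frequency in AUDIT_FREQUENCY:
        if residual >= threshold:
            return frequency
    return AUDIT_FREQUENCY[-1][1]


def rank_audit_universe(units):
    """Order the audit universe by residual risk, highest first."""
    ranked = []
    for unit in units:
        residual = round(residual_risk(unit), 4)
        ranked.append((unit.name, round(inherent_risk(unit), 4),
                       residual, audit_frequency(residual)))
    ranked.sort(key=lambda row: row[2], reverse=True)
    return ranked


# Constructed audit universe.
AUDIT_UNIVERSE = [
    AuditableUnit("E-banking platform", "high", "high",
                  ["internet facing", "new regulation"], control_effectiveness=0.4),
    AuditableUnit("EDI gateway", 0.4, 0.8,
                  ["no trading partner agreement"], control_effectiveness=0.3),
    AuditableUnit("Payroll batch", "low", "medium", [], control_effectiveness=0.8),
    # The slide's example: very likely to happen (1) but costs nothing (0).
    AuditableUnit("Free promotional leaflets", 1.0, 0.0),
]

if __name__ == "__main__":
    for name, inherent, residual, frequency in rank_audit_universe(AUDIT_UNIVERSE):
        print(f"{name:28} inherent={inherent:.2f} residual={residual:.2f} -> audit {frequency}")
    print(f"audit risk (IR 0.5, CR 0.4, DR 0.2) = {audit_risk(0.5, 0.4, 0.2):.2f}")
```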
• Some ways to minimize audit risk are listed here:
• Conduct risk-based audit planning
• Review the internal control system
• Select appropriate statistical sampling
• Assess the materiality of processes/systems in the audit scope
• Steps:
• Step 1 – Acquire pre-audit requirements:
• Knowledge about industry and regulatory requirements
• Knowledge about applicable risk to the concerned business
• Prior audit results
• Step 2 – Obtain information about internal controls:
• Get knowledge about the control environment and procedures
• Understand control risks
• Understand detection risks
• Step 3 – Conduct a compliance test:
• Identify the controls to be tested
• Determine the effectiveness of the controls
• Step 4 – Conduct a substantive test:
• Identify the process for the substantive test
• See that the substantive test includes analytical procedures, detail tests of account balances,
and other procedures
Risk Management Process (figure)
• Context establishment
• Risk assessment: risk identification (assets, vulnerabilities, threats, existing controls, consequences), risk analysis
(qualitative, quantitative), and risk evaluation
• Risk treatment: risk mitigation, risk acceptance/retention, risk transfer/sharing, risk avoidance
• Risk response methodology
• Risk mitigation/risk reduction: Take some action to mitigate/reduce the risk.
• Risk avoidance: Change the strategy or business process to avoid the risk.
• Risk acceptance: Decide to accept the risk.
• Risk transfer: Transfer the risk to a third party. Insurance is the best example.
• The risk culture and risk appetite of the organization in question determine the risk response method.
• It's not always feasible to mitigate all the risk at an organizational level. Risk-free enterprise is an illusion.
• In the top-down approach, a policy is developed and designed from a senior management perspective. In a
top-down approach, policies are developed and aligned with business objectives.
• In the bottom-up approach, policies are designed and developed from the process owner's/employee's
perspective.
• The bottom-up approach begins by defining operational-level requirements and policies.
• In a top-down approach, major risks to business objectives are addressed, whereas in the bottom-up
approach, process-level risks are addressed.
Types of audit and assessment
• IS audit
• An IS audit is conducted to evaluate and determine whether an information system and any related infrastructure is adequately
safeguarded and protected to maintain confidentiality, integrity, and availability.
• Compliance audit
• A compliance audit is conducted to evaluate and determine whether specific regulatory requirements are
being complied with.
• Financial audit
• A financial audit is conducted to evaluate and determine the accuracy of financial reporting. A financial audit
involves a detailed and substantive testing approach.
• Operational audit
• An operational audit is conducted to evaluate and determine the accuracy of an internal control system.
• It is designed to assess issues related to the efficiency of operational productivity within an organization.
• Integrated audit
• Here, different types of audit are integrated to combine financial, operational, and other types of audits to form a multi-faceted
audit.
• An integrated audit is performed to assess the overall objectives of safeguarding assets, efficiency, and compliance.
• It can be performed by either internal or external auditors.
• An integrated audit includes compliance tests of internal controls.
• Specialized audit
• A specialized audit includes the following: a third-party service audit, a fraud audit, and a forensic audit.
• Computer forensic audit
• A computer forensic audit includes the analysis of electronic devices.
• An IS auditor can help in performing forensic investigations and conduct an audit of the system to ensure compliance.
• Functional audit
• A functional audit is conducted to evaluate and determine the accuracy of software functionality.
• A functional audit is conducted prior to software implementation.
Audit Execution
• Audit project management
• Audit includes various activities, such as audit planning, resource allocation, determining audit scope and audit criteria,
reviewing and evaluating audit evidence, forming audit conclusions, and reporting to management.
• All these activities are integral parts of audit, and project management techniques are equally applicable for audit
projects.
• Audit objectives
• Audit objectives are the expected outcome of the audit activities. They refer to the intended goals that must be accomplished by the
audit.
• Audit phases
• The audit process has three phases. The first phase is about planning, the second phase is about execution, and the third phase is
about reporting.
Sampling methodology
• Sampling is the process of the selection of data from a population.
• By analyzing the selected samples, characteristics of the full population can be concluded.
• Statistical sampling
• This is an objective sampling technique. Also known as non-judgmental sampling.
• It uses the laws of probability, where each unit has an equal chance of selection.
• In statistical sampling, the probability of error can be objectively quantified, and hence the detection risk can be
reduced.
• Non-statistical sampling
• This is a subjective sampling technique. Also known as judgmental sampling.
• The auditor uses their experience and judgement to select the samples that are material and represent a higher risk.
• Attribute sampling
• Attribute sampling is the simplest kind of sampling based on some attributes—that is, either complied or not complied.
• It answers the question "how many?". It is expressed in percentage form—for example, 90% complied. In compliance
testing, attribute sampling is usually used.
• Variable sampling
• Variable sampling contains more information than attribute data.
• It answers the questions "how much?". It is expressed in monetary value, weight, height, or some other
measurement—for example, an average profit of $25,000.
• Variable sampling is usually used in substantive testing.
• Stop-or-go sampling
• Stop-or-go sampling is used where controls are strong and very few errors are expected.
• It helps to prevent excess sampling by allowing the audit test to end at the earliest possible moment.
• Discovery sampling
• Discovery sampling is used when the objective is to detect fraud or other irregularities.
• If a single error is found, then the entire sample is believed to be fraudulent/irregular.
• Sampling risk
• Sampling risk refers to a situation where a sample is not a true representation of the population.
• The conclusion drawn by analyzing the sample may be different from the conclusion that would have been drawn by
analyzing the full population.
• The confidence coefficient
• A confidence coefficient, or confidence level, is a measure of the accuracy and confidence about the quality of a
sample.
• The sample size and the confidence coefficient are directly related: a larger sample size gives a higher confidence
coefficient.
• In the case of poor internal controls, the auditor may want to verify 95 samples out of a total population of 100. This
indicates a 95% confidence coefficient.
• In the case of strong internal controls, the auditor may want to limit verification to only 25 samples out of a total
population of 100. This indicates a 25% confidence coefficient.
• Level of risk
• The level of risk can be derived by deducting the confidence coefficient from 1.
• For example, if the confidence coefficient is 95%, then the level of risk is 5% (100% – 95%).
• Expected error rate
• This indicates the expected percentage of errors that may exist.
• When the expected error rate is higher, the auditor should select a larger sample size.
• Tolerable error rate
• This indicates the maximum error that can exist without the audit result being materially misstated.
• Sample mean
• The sample mean is the average of all the samples selected.
• It is derived by adding all the sample values and dividing the total by the sample size.
• Sample standard deviation
• This indicates how far the sample values are spread around the sample mean.
• Compliance Testing
• Involves verification of the process.
• Compliance testing checks for the presence of controls.
• In compliance testing, attribute sampling is preferred.
• Examples:
• To check for controls in router configuration
• To check for controls in the change management process
• Verification of system access rights
• Verification of firewall settings
• Review of compliance with the password policy
• Substantive Testing
• Involves the verification of data or transactions.
• Substantive testing checks for the completeness, accuracy, and validity of the data.
• In substantive testing, variable sampling is preferred.
• Examples:
• To count and confirm the physical inventory
• To confirm the validity of inventory valuation calculations
• To count and confirm cash balances
• Examining the trial balance
• Examining other financial statements
• Ideally, compliance testing should be performed first and followed by substantive testing.
• If the outcome of compliance testing indicates the existence of effective internal controls, then substantive testing may not be
required or may be reduced.
• However, if the outcome of compliance testing indicates a poor internal control system, then more rigorous substantive
testing is required.
• Thus, the design of substantive tests is often dependent on the result of compliance testing.
• The attribute sampling technique (which indicates that a control is either present or absent) is useful for compliance testing,
whereas variable sampling will be useful for substantive testing.
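An added example (not from the slides) of the compliance-then-substantive flow just described, using the attribute and variable sampling from the sampling methodology section: an attribute test of a constructed user-account population against a password policy, then a variable test of a constructed inventory ledger whose sample size depends on the compliance outcome. The password policy limits, the tolerable error rate and the sample-size ratios are assumed values.

```python
"""Compliance test followed by a substantive test over sampled records.

Added example, not from the slides. Attribute sampling answers 'how many?'
(percentage of accounts complying with the password policy); variable
sampling answers 'how much?' (monetary misstatement in the inventory ledger).
Policy limits, the tolerable error rate and sample ratios are assumed values.
"""
import math
import random
from statistics import mean, stdev

# Assumed password policy parameters used by the compliance test.
MIN_PASSWORD_LENGTH = 12
MAX_PASSWORD_AGE_DAYS = 90


def statistical_sample(population, size, seed=0):
    """Statistical sampling: every unit has an equal chance of selection."""
    if size > len(population):
        raise ValueError("sample size exceeds population")
    return random.Random(seed).sample(population, size)


def password_policy_complies(account):
    """Attribute test: the control is either complied with or not."""
    return (account["pw_length"] >= MIN_PASSWORD_LENGTH
            and account["pw_age_days"] <= MAX_PASSWORD_AGE_DAYS
            and account["mfa_enabled"])


def compliance_test(accounts, sample_size, tolerable_error_rate, seed=0):
    """Attribute sampling: report the percentage complied.

    Controls are judged effective when the observed error rate in the
    sample does not exceed the tolerable error rate.
    """
    sample = statistical_sample(accounts, sample_size, seed)
    exceptions = [a["user"] for a in sample if not password_policy_complies(a)]
    error_rate = len(exceptions) / len(sample)
    return {
        "sample_size": len(sample),
        "percent_complied": round(100 * (1 - error_rate), 1),
        "error_rate": round(error_rate, 4),
        "exceptions": sorted(exceptions),
        "controls_effective": error_rate <= tolerable_error_rate,
    }


def substantive_sample_size(compliance_result, population_size):
    """Scale substantive testing by the compliance outcome (assumed ratios):
    a quarter of the population when controls are effective, the whole
    population when the compliance test showed poor controls."""
    fraction = 0.25 if compliance_result["controls_effective"] else 1.0
    return max(2, math.ceil(population_size * fraction))


def substantive_test(inventory, sample_size, seed=0):
    """Variable sampling: recompute each sampled line (qty x unit cost) and
    report the sample mean and standard deviation of the misstatement."""
    sample = statistical_sample(inventory, sample_size, seed)
    misstatements = [round(line["recorded_value"] - line["qty"] * line["unit_cost"], 2)
                     for line in sample]
    return {
        "sample_size": len(sample),
        "sample_mean": round(mean(misstatements), 2),
        "sample_stdev": round(stdev(misstatements), 2) if len(misstatements) > 1 else 0.0,
        "total_misstatement": round(sum(misstatements), 2),
    }


# Constructed population of user accounts for the compliance test.
ACCOUNTS = [
    {"user": f"u{i:02d}", "pw_length": 14, "pw_age_days": 30, "mfa_enabled": True}
    for i in range(1, 19)
] + [
    {"user": "u19", "pw_length": 8, "pw_age_days": 30, "mfa_enabled": True},     # too short
    {"user": "u20", "pw_length": 14, "pw_age_days": 200, "mfa_enabled": False},  # stale, no MFA
]

# Constructed inventory ledger for the substantive test.
INVENTORY = [
    {"sku": f"sku{i}", "qty": 10 * i, "unit_cost": 2.5, "recorded_value": 25.0 * i}
    for i in range(1, 9)
] + [
    {"sku": "sku9", "qty": 90, "unit_cost": 2.5, "recorded_value": 275.0},    # overstated by 50
    {"sku": "sku10", "qty": 100, "unit_cost": 2.5, "recorded_value": 240.0},  # understated by 10
]

if __name__ == "__main__":
    result = compliance_test(ACCOUNTS, sample_size=10, tolerable_error_rate=0.05, seed=1)
    print("compliance:", result)
    size = substantive_sample_size(result, len(INVENTORY))
    print(f"substantive ({size} of {len(INVENTORY)} lines):", substantive_test(INVENTORY, size, seed=1))
```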
Separation of Lanthanides/ Lanthanides and ActinidesSeparation of Lanthanides/ Lanthanides and Actinides
Separation of Lanthanides/ Lanthanides and ActinidesFatimaKhan178732
 
PSYCHIATRIC History collection FORMAT.pptx
PSYCHIATRIC   History collection FORMAT.pptxPSYCHIATRIC   History collection FORMAT.pptx
PSYCHIATRIC History collection FORMAT.pptxPoojaSen20
 
mini mental status format.docx
mini    mental       status     format.docxmini    mental       status     format.docx
mini mental status format.docxPoojaSen20
 
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Krashi Coaching
 
Presiding Officer Training module 2024 lok sabha elections
Presiding Officer Training module 2024 lok sabha electionsPresiding Officer Training module 2024 lok sabha elections
Presiding Officer Training module 2024 lok sabha electionsanshu789521
 
Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)eniolaolutunde
 
Science 7 - LAND and SEA BREEZE and its Characteristics
Science 7 - LAND and SEA BREEZE and its CharacteristicsScience 7 - LAND and SEA BREEZE and its Characteristics
Science 7 - LAND and SEA BREEZE and its CharacteristicsKarinaGenton
 
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17Incoming and Outgoing Shipments in 1 STEP Using Odoo 17
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17Celine George
 
URLs and Routing in the Odoo 17 Website App
URLs and Routing in the Odoo 17 Website AppURLs and Routing in the Odoo 17 Website App
URLs and Routing in the Odoo 17 Website AppCeline George
 
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK  LOOKBOOK(1) (1).pdfBASLIQ CURRENT LOOKBOOK  LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdfSoniaTolstoy
 
Concept of Vouching. B.Com(Hons) /B.Compdf
Concept of Vouching. B.Com(Hons) /B.CompdfConcept of Vouching. B.Com(Hons) /B.Compdf
Concept of Vouching. B.Com(Hons) /B.CompdfUmakantAnnand
 
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptxSOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptxiammrhaywood
 
Hybridoma Technology ( Production , Purification , and Application )
Hybridoma Technology  ( Production , Purification , and Application  ) Hybridoma Technology  ( Production , Purification , and Application  )
Hybridoma Technology ( Production , Purification , and Application ) Sakshi Ghasle
 

Recently uploaded (20)

TataKelola dan KamSiber Kecerdasan Buatan v022.pdf
TataKelola dan KamSiber Kecerdasan Buatan v022.pdfTataKelola dan KamSiber Kecerdasan Buatan v022.pdf
TataKelola dan KamSiber Kecerdasan Buatan v022.pdf
 
Alper Gobel In Media Res Media Component
Alper Gobel In Media Res Media ComponentAlper Gobel In Media Res Media Component
Alper Gobel In Media Res Media Component
 
Measures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeMeasures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and Mode
 
The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13
 
Mastering the Unannounced Regulatory Inspection
Mastering the Unannounced Regulatory InspectionMastering the Unannounced Regulatory Inspection
Mastering the Unannounced Regulatory Inspection
 
Separation of Lanthanides/ Lanthanides and Actinides
Separation of Lanthanides/ Lanthanides and ActinidesSeparation of Lanthanides/ Lanthanides and Actinides
Separation of Lanthanides/ Lanthanides and Actinides
 
PSYCHIATRIC History collection FORMAT.pptx
PSYCHIATRIC   History collection FORMAT.pptxPSYCHIATRIC   History collection FORMAT.pptx
PSYCHIATRIC History collection FORMAT.pptx
 
Staff of Color (SOC) Retention Efforts DDSD
Staff of Color (SOC) Retention Efforts DDSDStaff of Color (SOC) Retention Efforts DDSD
Staff of Color (SOC) Retention Efforts DDSD
 
mini mental status format.docx
mini    mental       status     format.docxmini    mental       status     format.docx
mini mental status format.docx
 
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
 
Presiding Officer Training module 2024 lok sabha elections
Presiding Officer Training module 2024 lok sabha electionsPresiding Officer Training module 2024 lok sabha elections
Presiding Officer Training module 2024 lok sabha elections
 
Código Creativo y Arte de Software | Unidad 1
Código Creativo y Arte de Software | Unidad 1Código Creativo y Arte de Software | Unidad 1
Código Creativo y Arte de Software | Unidad 1
 
Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)
 
Science 7 - LAND and SEA BREEZE and its Characteristics
Science 7 - LAND and SEA BREEZE and its CharacteristicsScience 7 - LAND and SEA BREEZE and its Characteristics
Science 7 - LAND and SEA BREEZE and its Characteristics
 
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17Incoming and Outgoing Shipments in 1 STEP Using Odoo 17
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17
 
URLs and Routing in the Odoo 17 Website App
URLs and Routing in the Odoo 17 Website AppURLs and Routing in the Odoo 17 Website App
URLs and Routing in the Odoo 17 Website App
 
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK  LOOKBOOK(1) (1).pdfBASLIQ CURRENT LOOKBOOK  LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
 
Concept of Vouching. B.Com(Hons) /B.Compdf
Concept of Vouching. B.Com(Hons) /B.CompdfConcept of Vouching. B.Com(Hons) /B.Compdf
Concept of Vouching. B.Com(Hons) /B.Compdf
 
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptxSOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
 
Hybridoma Technology ( Production , Purification , and Application )
Hybridoma Technology  ( Production , Purification , and Application  ) Hybridoma Technology  ( Production , Purification , and Application  )
Hybridoma Technology ( Production , Purification , and Application )
 

CISA_WK_1.pptx

CISA – Certified Information Systems Auditor
Information System Auditing Process

Audit Planning
• An audit plan is a step-wise approach to be followed to conduct an audit.
• It helps to establish the overall audit process in an effective and efficient manner.
• An audit plan should be aligned with the audit charter of the organization.
• To plan an audit, the IS auditor is required to have a thorough understanding of business processes, business applications, and relevant controls.
• Audit planning includes both short- and long-term planning.

Audit charter
• The independence of the audit function is ensured through a management-approved audit charter.
• An audit charter is a formal document defining the internal audit's objective, authority, and responsibility.
• The audit charter covers the entire scope of audit activities.
• An audit charter must be approved by top management.
• An audit charter should not be changed too often, so procedural aspects should not be included in it. For the same reason, a detailed annual audit calendar (planning, allocation of resources, audit fees, other audit expenses, and so on) does not belong in the charter.
• An audit charter should be reviewed annually to ensure that it is aligned with business objectives.
Information System Auditing Process
• An audit charter includes the following:
  • The mission, purpose, and objective of the audit function
  • The scope of the audit function
  • The responsibilities of management
  • The responsibilities of internal auditors
  • The personnel authorized to perform internal audit work
• If an audit is outsourced to an audit firm, the objective of the audit, along with its detailed scope, should be incorporated in an audit engagement letter.
• Audit universe: An inventory of all the functions/processes/units under the organization.
• Qualitative risk assessment: Risk is assessed using qualitative parameters such as high, medium, and low.
• Quantitative risk assessment: Risk is assessed using numerical parameters and is quantified.
• Risk factors: Factors that have an impact on risk. The presence of those factors increases the risk, whereas their absence decreases it.
Information System Auditing Process
• The following are some of the benefits of audit planning:
  • It helps the auditor to focus on high-risk areas
  • It helps in the identification of resource requirements to conduct the audit
  • It helps to estimate the budget for the audit
  • It helps to carry out audit work in a defined structure, which ultimately benefits the auditor as well as the auditee units
• The audit plan should be reviewed and approved by top management. Generally, approval is obtained from the audit committee of the board.
• The audit plan should be flexible enough to address changes in the risk environment (new regulatory requirements, changes in market conditions, and other risk factors).
• The approved audit plan should be communicated promptly to the following groups:
  • Senior management
  • Business functions and other stakeholders
  • The internal audit team
Information System Auditing Process

Individual audit assignments
• The next step after the overall annual planning is to plan individual audit assignments.
• The IS auditor must understand the overall environment under review. While planning an individual audit assignment, an IS auditor should consider the following:
  • Prior audit reports
  • Risk assessment reports
  • Regulatory requirements
  • Standard operating processes
  • Technological requirements
Information System Auditing Process

Business process applications and controls
• E-commerce:
  • Single-tier architecture runs on a single computer, that is, a client-based application
  • Two-tier architecture includes a client and a server
  • Three-tier architecture consists of the following:
    • A presentation tier (for interaction with the user)
    • An application tier (for processing)
    • A data tier (for the database)
• The risks are as follows:
  • A compromise of confidential user data
  • Data integrity issues due to unauthorized alterations
  • Unavailability of the system, which may impact business continuity
  • The repudiation of transactions by either party
• The IS auditor's roles are as follows:
  • To review the overall security architecture (firewalls, encryption, networks, PKI) to ensure the confidentiality, integrity, availability, and non-repudiation of e-commerce transactions
  • To review the process of log capturing and monitoring for e-commerce transactions
  • To review the incident management process
  • To review the effectiveness of the controls implemented for privacy laws
  • To review anti-malware controls
  • To review business continuity arrangements
Information System Auditing Process

Electronic Data Interchange (EDI)
• EDI is the online transfer of data or information between two enterprises.
• EDI provides an effective and efficient transfer platform without the use of paper.
• EDI applications contain processing features such as transmission, translation, and the storage of transactions flowing between two enterprises.
• An EDI setup can be either traditional EDI (batch transmission between each trading partner's computers) or web-based EDI (accessed through an internet service provider).
• The risks are as follows:
  • One of the biggest risks applicable to EDI is transaction authorization. Because the interaction is electronic, no inherent authentication of the counterparty occurs.
  • Legal liability is uncertain when no trading partner agreement is in place.
  • Any performance-related issues with EDI applications could have a negative impact on both parties.
  • Other EDI-related risks include unauthorized access, loss of data integrity and confidentiality, and the loss or duplication of EDI transactions.
• The IS auditor's roles are as follows:
  • To determine the data's confidentiality, integrity, and authenticity, as well as the non-repudiation of transactions
  • To identify invalid transactions and data before they are uploaded to the system
  • To determine the accuracy, validity, and reasonableness of data
  • To validate and ensure the reconciliation of totals between the EDI system and the trading partner's system
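The last auditor task above, reconciling totals between the EDI system and the trading partner's system, is shown here as a worked example. This is added code, not part of the original slides: the two batches are constructed sample data, and the record layout (txn_id, amount) is an assumption for this illustration rather than a segment of any EDI standard. The example goes one step beyond a plain totals check: it also flags the lost and duplicated transactions named in the risk list, which matching control totals alone can hide.

```python
"""Reconciling EDI transaction totals between trading partners.

Added example, not part of the original slides.  Both batches are
constructed sample data; the record layout (txn_id, amount) is an
assumption for this illustration, not a segment of any EDI standard.
"""
from collections import Counter
from decimal import Decimal


def sample_batches():
    """Constructed data: what the sender transmitted and what the receiver booked.
    T003 was lost, T002 was booked twice and T004 arrived with a different amount."""
    sender = [
        {"txn_id": "T001", "amount": "100.00"},
        {"txn_id": "T002", "amount": "250.50"},
        {"txn_id": "T003", "amount": "75.25"},
        {"txn_id": "T004", "amount": "1200.00"},
        {"txn_id": "T005", "amount": "30.00"},
    ]
    receiver = [
        {"txn_id": "T001", "amount": "100.00"},
        {"txn_id": "T002", "amount": "250.50"},
        {"txn_id": "T002", "amount": "250.50"},
        {"txn_id": "T004", "amount": "1250.00"},
        {"txn_id": "T005", "amount": "30.00"},
    ]
    return sender, receiver


def reconcile(sender_batch, receiver_batch):
    """Compare the sender's view of a batch with the receiver's and flag the
    discrepancies an IS auditor looks for: lost, duplicated and altered
    transactions, plus the control totals (count and amount) on each side."""
    sent = Counter(t["txn_id"] for t in sender_batch)
    received = Counter(t["txn_id"] for t in receiver_batch)
    all_ids = set(sent) | set(received)

    # Lost: transmitted but never booked.
    missing = sorted(i for i in sent if received[i] == 0)
    # Duplicated: the same id processed more than once on either side
    # (replayed message, double posting, re-sent batch).
    duplicated = sorted(i for i in all_ids if sent[i] > 1 or received[i] > 1)
    # Altered: same id on both sides but a different monetary value.
    sent_amount = {t["txn_id"]: Decimal(t["amount"]) for t in sender_batch}
    recv_amount = {t["txn_id"]: Decimal(t["amount"]) for t in receiver_batch}
    altered = sorted(
        i for i in sent_amount if i in recv_amount and sent_amount[i] != recv_amount[i]
    )

    # Control totals.  Matching totals alone are not proof the batch is intact:
    # a loss and a duplicate of equal value cancel out, so the id-level
    # comparison above is what actually catches loss and duplication.
    sender_total = sum(Decimal(t["amount"]) for t in sender_batch)
    receiver_total = sum(Decimal(t["amount"]) for t in receiver_batch)

    return {
        "missing": missing,
        "duplicated": duplicated,
        "altered": altered,
        "sender_count": len(sender_batch),
        "receiver_count": len(receiver_batch),
        "sender_total": str(sender_total),
        "receiver_total": str(receiver_total),
        "balanced": not (missing or duplicated or altered),
    }


def run_example():
    sender, receiver = sample_batches()
    return reconcile(sender, receiver)


if __name__ == "__main__":
    for key, value in run_example().items():
        print(f"{key}: {value}")
```

Note that both sides report five transactions, so a count-only reconciliation would pass; the per-id comparison is what surfaces the lost T003 and the duplicated T002.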
Information System Auditing Process

Point of Sale (POS)
• Debit and credit card transactions are the most common examples of POS.
• Data is captured at the time and place of sale.
• The risks are as follows:
  • Skimming, that is, the unauthorized capturing of card data with the purpose of duplicating the card
  • The unauthorized disclosure of PINs
• The IS auditor's objectives are as follows:
  • To determine that data used for authentication (PIN/CVV) is not stored in the local POS system
  • To determine that the cardholder's data (either at rest or in transit) is encrypted
Information System Auditing Process

Electronic banking
• E-banking websites and mobile-based systems are integrated with the bank's core system to support automatic transactions without any manual intervention.
• Automated processing improves processing speed and reduces opportunities for human error and fraud.
• Electronic banking increases the dependence on internet and communication infrastructure.
• The risks are as follows:
  • Heavy dependence on internet service providers, telecommunication companies, and other technology firms
  • Cyber risks such as system hacking, system unavailability, and a lack of transaction integrity
• The IS auditor's objectives are as follows:
  • To determine the effectiveness of the governance and oversight of e-banking activities
  • To determine the arrangements for the confidentiality, integrity, and availability of the e-banking infrastructure
  • To determine the effectiveness of security controls with respect to authentication and the non-repudiation of electronic transactions
  • To review the effectiveness of the controls implemented for privacy laws
Information System Auditing Process

Electronic funds transfer (EFT)
• Through EFT, money is transferred from one account to another electronically, that is, without cheque writing and cash collection procedures.
• Some of the risks are as follows:
  • Heavy dependence on internet service providers, telecommunication companies, and other technology firms
  • Cyber risks such as system hacking, system unavailability, and a lack of transaction integrity
• The IS auditor's objectives are as follows:
  • To determine the availability of two-factor authentication for secure transactions
  • To determine that systems and communication channels have undergone appropriate security testing
  • To determine that transaction data (either at rest or in transit) is encrypted
  • To determine the effectiveness of controls on data transmission
  • To review security arrangements for the integrity of switch operations (an EFT switch connects with all equipment in the network)
  • To review the log capturing and monitoring process for EFT transactions
• In the absence of paper documents, it is important to have an alternate audit trail for each transaction.
Information System Auditing Process

Image processing
• An image processing system processes, stores, and retrieves image data.
• It requires large amounts of storage and strong processing power for scanning, compression, display, and printing.
• The use of image processing (in place of paper documents) can result in increased productivity, immediate retrieval of documents, enhanced control over document storage, and efficient disaster recovery procedures.
• Some of the risks are as follows:
  • Implementation without appropriate planning and testing may result in system failure.
  • The workflow system may need to be completely redesigned to integrate with the image processing system.
  • Traditional controls and audit processes may not be applicable to image processing systems; new controls must be designed for the automated processes.
  • Cyber risks such as system hacking, system unavailability, and a lack of transaction integrity.
• The IS auditor's objectives are as follows:
  • To determine the effectiveness of controls on the inputs, processing, and outputs of image processing systems
  • To determine the reliability of the scanners used for image processing
  • To review the retention process for original documents
  • To determine that original documents are retained at least until a good image has been captured
  • To review the confidentiality, integrity, and availability arrangements of image processing systems
  • To review the training arrangements for employees to ensure that image scanning and storage are performed as per the quality control matrix
Information System Auditing Process

Artificial intelligence and expert systems
• Capture and utilize the knowledge and experience of individuals
• Improve performance and productivity
• Automate skilled processes without manual intervention
• A knowledge base in AI contains information about a particular subject and rules for interpreting that information.
• The components of a knowledge base include the following:
  • Decision trees: Questions that lead the user through a series of choices
  • Rules: Rules that use "if" and "then" conditions
  • Semantic nets: A knowledge base that conveys meaning
  • Knowledge interface: Stores expert-level knowledge
  • Data interface: Stores data for analysis and decision making
• The risks are as follows:
  • Incorrect decisions or actions performed by the system due to incorrect assumptions, formulas, or databases in the system
  • Cyber risks such as system hacking, system unavailability, and a lack of transaction integrity
• The IS auditor's roles are as follows:
  • To assess the applicability of AI in various business processes and determine the associated potential risks
  • To review adherence to documented policies and procedures
  • To review the appropriateness of the assumptions, formulas, and decision logic built into the system
  • To review the change management process for updating the system
  • To review the security arrangements to maintain the confidentiality, integrity, and availability of the system
Controls and countermeasures
• The objective of implementing a control is to address risks by preventing, detecting, or correcting undesirable events.
• Countermeasures are a type of control implemented to address specific threats. General controls protect information assets from all kinds of threats, whereas countermeasures are put in place in response to a specific threat.
• The following are some examples of countermeasures:
  • Disabling certain operating system commands to address a specific type of ransomware attack.
  • Filtering all incoming emails may be impractical and expensive; in such a scenario, the countermeasure could be email filtering for known spammers.
  • It may not be possible to restrict mobile phones on the premises; in such a scenario, the countermeasure could be cell phone jammers in sensitive areas.
  • Countermeasures can also be non-technical, such as offering incentives for providing information with respect to a specific attack.
  • Arranging specific security training sessions for employees who failed a phishing exercise.
Controls and countermeasures

Control categories
• Preventive (also commonly referred to as "preventative"): put in place to prevent an event from occurring. Examples: locked doors, user authentication, encryption.
• Detective: objective is to detect an event. Examples: audits, IDS, CCTV, checksums.
• Corrective: objective is to correct errors and omissions. Example: data backups.
• Deterrent: objective is to deter an event by providing a warning. Examples: warning signs, login banners.
• Directive: objective is to mandate behaviour by specifying do's and don'ts. Example: acceptable use policy.
• Compensating: objective is to address the absence or weakness of a control. Example: compensating for weak physical control with stringent logical access control.
• A control can be designed to either fail closed or fail open.
• The failure mode of the control impacts safety, confidentiality, and availability. For example, in the event of the failure of an automatic door, an organization can opt for fail open (the door remains open) or fail closed (the door remains closed).
• In the case of fail open, confidentiality and integrity may be compromised; in the case of fail closed, availability may be compromised.
• In such a situation, the risk should be determined for each element and a decision taken accordingly.
• The safety of human life is always considered first.
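The fail-open/fail-closed choice above is not only a door-controller question; the same decision is buried in every access check whose backend can fail. The code below makes that decision explicit. It is an added example, not from the slides: PolicyBackend is a constructed stand-in for a real policy decision point, and the names PolicyBackend, BackendUnavailable, Mode and check_access are assumptions for this illustration.

```python
"""Fail-open versus fail-closed behaviour of an access control check.

Added example, not part of the original slides.  PolicyBackend is a
constructed stand-in for a real policy decision point; the names
PolicyBackend, BackendUnavailable, check_access and Mode are assumptions
for this illustration.
"""
from enum import Enum


class Mode(Enum):
    FAIL_OPEN = "fail-open"
    FAIL_CLOSED = "fail-closed"


class BackendUnavailable(Exception):
    """The decision backend could not answer (timeout, crash, network fault)."""


class PolicyBackend:
    """Constructed stand-in: a fixed allow list that can be marked unavailable."""

    def __init__(self, allowed, available=True):
        self.allowed = set(allowed)
        self.available = available

    def is_allowed(self, subject, resource):
        if not self.available:
            raise BackendUnavailable("policy backend unreachable")
        return (subject, resource) in self.allowed


def check_access(backend, subject, resource, mode, life_safety_event=False):
    """Return True to grant access.

    While the backend is healthy both modes behave identically; the mode
    only decides what happens when the control itself fails.  A life-safety
    event (fire alarm on a door controller) overrides the decision entirely,
    because the safety of human life is considered first.
    """
    if life_safety_event:
        return True
    try:
        return backend.is_allowed(subject, resource)
    except BackendUnavailable:
        # The design decision: which property do we give up when the control fails?
        if mode is Mode.FAIL_OPEN:
            return True   # availability kept, confidentiality/integrity exposed
        return False      # confidentiality/integrity kept, availability lost


def compare_modes(subject, resource, backend_available):
    """Outcome of the same request under both failure modes."""
    backend = PolicyBackend({("alice", "server-room")}, available=backend_available)
    return {
        mode.value: check_access(backend, subject, resource, mode) for mode in Mode
    }


if __name__ == "__main__":
    print("healthy, bob:", compare_modes("bob", "server-room", True))
    print("down, bob:   ", compare_modes("bob", "server-room", False))
    print("down, alice: ", compare_modes("alice", "server-room", False))
```

The except branch is where real systems go wrong: an exception handler that returns True (or swallows the error and falls through to the granting path) silently turns a fail-closed control into a fail-open one. When reviewing access-control code, read the error path with the same care as the happy path.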
Risk-based audit planning
• Risk is the product of probability and impact.
• Probability and impact are equally important when identifying risk. For example, the probability of a product being damaged may be very high (say "1"); but if the product barely costs anything, the impact is "0" even when it is damaged, and so is the risk.
• A vulnerability is a weakness, and a threat is something that can exploit that weakness.
• Inherent risk: the risk that an activity poses, excluding any controls or mitigating factors.
• Residual risk: the risk that remains after taking controls into account.
• Residual Risk = Inherent Risk – Control (the risk reduction the controls provide)
• Audit risk refers to the risk that an auditor may not detect material errors during the course of an audit.
• Audit risk is influenced by inherent risk, control risk, and detection risk:
  • Inherent risk: the risk that exists before applying any control.
  • Control risk: the risk that a material error is not prevented or detected by internal controls.
  • Detection risk: the risk that the auditor's own procedures fail to detect a material error that the internal controls did not catch.
• Audit Risk = Inherent Risk × Control Risk × Detection Risk
Risk-based audit planning
• Some ways to minimize audit risk are listed here:
  • Conduct risk-based audit planning
  • Review the internal control system
  • Select appropriate statistical sampling
  • Assess the materiality of processes/systems in the audit scope
• Steps:
  • Step 1 – Acquire pre-audit requirements:
    • Knowledge about the industry and regulatory requirements
    • Knowledge about applicable risk to the concerned business
    • Prior audit results
  • Step 2 – Obtain information about internal controls:
    • Get knowledge about the control environment and procedures
    • Understand control risks
    • Understand detection risks
  • Step 3 – Conduct a compliance test:
    • Identify the controls to be tested
    • Determine the effectiveness of the controls
  • Step 4 – Conduct a substantive test:
    • Identify the process for the substantive test
    • Ensure that the substantive test includes analytical procedures, detailed tests of account balances, and other procedures
Risk Management Process (figure; outline recovered from the diagram labels)
• Context establishment
• Risk assessment
  • Risk identification: assets, vulnerabilities, threats, existing controls, consequences
  • Risk analysis: qualitative, quantitative
  • Risk evaluation
• Risk treatment: risk mitigation, risk acceptance/retention, risk transfer/sharing, risk avoidance
Risk-based audit planning

Risk response methodology
• Risk mitigation/risk reduction: Take some action to mitigate/reduce the risk.
• Risk avoidance: Change the strategy or business process to avoid the risk.
• Risk acceptance: Decide to accept the risk.
• Risk transfer: Transfer the risk to a third party. Insurance is the best example.
• The risk culture and risk appetite of the organization in question determine the risk response method.
• It is not always feasible to mitigate all risk at an organizational level. A risk-free enterprise is an illusion.
• In the top-down approach, a policy is developed and designed from a senior management perspective; policies are developed to align with business objectives.
• In the bottom-up approach, policies are designed and developed from the process owner's/employee's perspective. The bottom-up approach begins by defining operational-level requirements and policies.
• In a top-down approach, major risks to business objectives are addressed, whereas in the bottom-up approach, process-level risks are addressed.
Types of audit and assessment
• IS audit
  • An IS audit is conducted to evaluate and determine whether an information system and any related infrastructure is adequately safeguarded and protected to maintain confidentiality, integrity, and availability.
• Compliance audit
  • A compliance audit is conducted to evaluate and determine whether specific regulatory requirements are being complied with.
• Financial audit
  • A financial audit is conducted to evaluate and determine the accuracy of financial reporting. A financial audit involves a detailed and substantive testing approach.
• Operational audit
  • An operational audit is conducted to evaluate and determine the effectiveness of an internal control system.
  • It is designed to assess issues related to the efficiency of operational productivity within an organization.
• Integrated audit
  • Here, different types of audit are combined (financial, operational, and others) to form a multi-faceted audit.
  • An integrated audit is performed to assess the overall objectives of safeguarding assets, efficiency, and compliance.
  • It can be performed by internal auditors or external auditors.
  • An integrated audit includes compliance tests of internal controls.
• Specialized audit
  • A specialized audit includes a third-party service audit, a fraud audit, and a forensic audit.
• Computer forensic audit
  • A computer forensic audit includes the analysis of electronic devices.
  • An IS auditor can help in performing forensic investigations and conduct an audit of the system to ensure compliance.
• Functional audit
  • A functional audit is conducted to evaluate and determine the accuracy of software functionality.
  • A functional audit is conducted prior to software implementation.
Audit Execution

Audit project management
• An audit includes various activities, such as audit planning, resource allocation, determining the audit scope and audit criteria, reviewing and evaluating audit evidence, forming audit conclusions, and reporting to management.
• All these activities are integral parts of an audit, and project management techniques are equally applicable to audit projects.

Audit objectives
• Audit objectives are the expected outcome of the audit activities. They refer to the intended goals that must be accomplished by the audit.

Audit phases
• The audit process has three phases: planning, execution, and reporting.
Sampling methodology
• Sampling is the process of selecting data from a population.
• By analyzing the selected samples, characteristics of the full population can be inferred.

Statistical sampling
• This is an objective sampling technique, also known as non-judgmental sampling.
• It uses the laws of probability, where each unit has an equal chance of selection.
• In statistical sampling, the probability of error can be objectively quantified, and hence the detection risk can be reduced.

Non-statistical sampling
• This is a subjective sampling technique, also known as judgmental sampling.
• The auditor uses their experience and judgement to select the samples that are material and represent a higher risk.

Attribute sampling
• Attribute sampling is the simplest kind of sampling, based on an attribute that is either complied with or not.
• It answers the question "how many?" and is expressed as a percentage, for example, 90% complied.
• Attribute sampling is usually used in compliance testing.

Variable sampling
• Variable sampling contains more information than attribute data.
• It answers the question "how much?" and is expressed in monetary value, weight, height, or some other measurement, for example, an average profit of $25,000.
• Variable sampling is usually used in substantive testing.

Stop-or-go sampling
• Stop-or-go sampling is used where controls are strong and very few errors are expected.
• It helps to prevent excess sampling by allowing the audit test to end at the earliest possible moment.

Discovery sampling
• Discovery sampling is used when the objective is to detect fraud or other irregularities.
• If even a single error is found, the entire sample is treated as fraudulent/irregular and investigated further.
Sampling methodology

Sampling risk
• Sampling risk refers to the situation where a sample is not a true representation of the population.
• The conclusion drawn by analyzing the sample may differ from the conclusion that would have been drawn by analyzing the full population.

The confidence coefficient
• A confidence coefficient, or confidence level, is a measure of the accuracy of and confidence in the quality of a sample.
• Sample size and the confidence coefficient are directly related: a larger sample size gives a higher confidence coefficient.
• In the case of poor internal controls, the auditor may want to verify 95 samples out of a total population of 100. This indicates a 95% confidence coefficient.
• In the case of strong internal controls, the auditor may limit verification to only 25 samples out of the total population of 100. This indicates a 25% confidence coefficient.

Level of risk
• The level of risk is derived by deducting the confidence coefficient from 1.
• For example, if the confidence coefficient is 95%, then the level of risk is 5% (100% – 95%).

Expected error rate
• This indicates the expected percentage of errors that may exist in the population.
• When the expected error rate is higher, the auditor should select a larger sample size.

Tolerable error rate
• This indicates the maximum error rate that can exist without the audit result being materially misstated.

Sample mean
• The sample mean is the average of all the samples selected.
• It is derived by adding all the sample values and dividing by the sample size.

Sample standard deviation
• This indicates how far the sample values are dispersed from the sample mean.
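The arithmetic behind these terms, worked through in code. This is an added example, not part of the original slides. The formulas are the standard ones rather than anything the deck prescribes: level of risk is the complement of the confidence coefficient; for discovery sampling, a sample of n items from a population with true deviation rate p contains at least one deviation with probability 1 − (1 − p)^n, so the size needed for confidence c is the smallest n with (1 − p)^n ≤ 1 − c; the sample mean and sample standard deviation use the usual n − 1 estimator. The invoice amounts are constructed sample data.

```python
"""Sampling arithmetic behind the terms above.

Added example, not part of the original slides.  The formulas are the
standard ones: level of risk = 1 - confidence coefficient; a discovery
sample of n items from a population with true deviation rate p contains at
least one deviation with probability 1 - (1 - p)^n, so the size needed for
confidence c is the smallest n with (1 - p)^n <= 1 - c; sample mean and
sample standard deviation use the usual n - 1 estimator.  The invoice
amounts are constructed sample data.
"""
import math
import statistics


def level_of_risk(confidence):
    """Risk that the sample misleads us: the complement of the confidence coefficient."""
    return round(1.0 - confidence, 10)


def probability_of_detection(deviation_rate, sample_size):
    """Chance that a sample of this size contains at least one deviation.
    Grows with sample size, which is why a bigger sample buys more confidence."""
    return 1.0 - (1.0 - deviation_rate) ** sample_size


def discovery_sample_size(deviation_rate, confidence):
    """Smallest sample that finds at least one deviation with the given
    confidence when the population's true deviation rate is deviation_rate.
    Used for discovery sampling, where one hit is enough to trigger a full review."""
    if not 0.0 < deviation_rate < 1.0 or not 0.0 < confidence < 1.0:
        raise ValueError("deviation_rate and confidence must lie strictly between 0 and 1")
    return math.ceil(math.log(1.0 - confidence) / math.log(1.0 - deviation_rate))


def variable_sample_stats(values):
    """Variable sampling answers 'how much?': mean and standard deviation of
    the sampled amounts."""
    return statistics.mean(values), statistics.stdev(values)


def estimated_population_total(values, population_size):
    """Mean-per-unit estimate: project the sample mean onto the whole population."""
    return statistics.mean(values) * population_size


# Constructed sample: five invoice amounts drawn from a population of 1,000.
SAMPLE_INVOICES = [120.0, 135.0, 128.0, 142.0, 125.0]

if __name__ == "__main__":
    print("level of risk at 95% confidence:", level_of_risk(0.95))
    print("discovery sample for 1% deviations, 95% confidence:", discovery_sample_size(0.01, 0.95))
    print("discovery sample for 5% deviations, 95% confidence:", discovery_sample_size(0.05, 0.95))
    mean, sd = variable_sample_stats(SAMPLE_INVOICES)
    print(f"sample mean {mean:.2f}, sample sd {sd:.2f}")
    print("estimated population total:", estimated_population_total(SAMPLE_INVOICES, 1000))
```

Two things the numbers make concrete: detecting a rare irregularity (1% of items) at 95% confidence takes roughly 300 items regardless of how large the population is, and the required sample shrinks quickly as the expected deviation rate rises, which is the "higher expected error rate, larger sample" relationship stated above seen from the other side.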
Sampling methodology

Compliance testing
• Involves verification of the process.
• Compliance testing checks for the presence of controls.
• In compliance testing, attribute sampling is preferred.
• Examples:
  • Checking for controls in router configuration
  • Checking for controls in the change management process
  • Verification of system access rights
  • Verification of firewall settings
  • Review of compliance with the password policy

Substantive testing
• Involves the verification of data or transactions.
• Substantive testing checks for the completeness, accuracy, and validity of the data.
• In substantive testing, variable sampling is preferred.
• Examples:
  • Counting and confirming the physical inventory
  • Confirming the validity of inventory valuation calculations
  • Counting and confirming cash balances
  • Examining the trial balance
  • Examining other financial statements
• Ideally, compliance testing should be performed first, followed by substantive testing.
• If the outcome of compliance testing indicates effective internal controls, then substantive testing may not be required or may be reduced.
• However, if the outcome of compliance testing indicates a poor internal control system, then more rigorous substantive testing is required.
• Thus, the design of substantive tests often depends on the result of compliance testing.
• The attribute sampling technique (which indicates that a control is either present or absent) is useful for compliance testing, whereas variable sampling is useful for substantive testing.
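The "review of compliance with the password policy" example above, carried out as an attribute-sampling compliance test whose result then sets the size of the substantive test. This is added code, not from the slides: ACCOUNTS is a constructed directory export, POLICY and the tolerable deviation rate are assumptions, and the halving/doubling rule for the substantive sample is illustrative rather than a prescribed method.

```python
"""Compliance test of a password policy using attribute sampling, and the
substantive-testing decision it drives.

Added example, not part of the original slides.  ACCOUNTS is a constructed
directory export, POLICY and the tolerable deviation rate are assumptions,
and the halving/doubling of the substantive sample is an illustrative rule,
not a prescribed one.
"""
import random
from datetime import date

# Assumed policy: minimum length 12, rotate within 90 days, MFA mandatory.
POLICY = {"min_length": 12, "max_age_days": 90, "mfa_required": True}
AS_OF = date(2024, 6, 1)

# Constructed directory export.  u03, u06 and u09 violate the policy.
ACCOUNTS = [
    {"user": "u01", "pw_length": 14, "pw_set": date(2024, 4, 1), "mfa": True},
    {"user": "u02", "pw_length": 16, "pw_set": date(2024, 5, 10), "mfa": True},
    {"user": "u03", "pw_length": 8, "pw_set": date(2024, 5, 10), "mfa": True},   # too short
    {"user": "u04", "pw_length": 12, "pw_set": date(2024, 4, 15), "mfa": True},
    {"user": "u05", "pw_length": 20, "pw_set": date(2024, 5, 20), "mfa": True},
    {"user": "u06", "pw_length": 15, "pw_set": date(2023, 11, 1), "mfa": True},  # not rotated
    {"user": "u07", "pw_length": 13, "pw_set": date(2024, 4, 1), "mfa": True},
    {"user": "u08", "pw_length": 12, "pw_set": date(2024, 5, 1), "mfa": True},
    {"user": "u09", "pw_length": 18, "pw_set": date(2024, 5, 1), "mfa": False},  # no MFA
    {"user": "u10", "pw_length": 14, "pw_set": date(2024, 4, 20), "mfa": True},
]


def complies(account, policy, as_of):
    """Attribute test: an account either meets every rule or it does not."""
    age_days = (as_of - account["pw_set"]).days
    return (
        account["pw_length"] >= policy["min_length"]
        and age_days <= policy["max_age_days"]
        and (account["mfa"] or not policy["mfa_required"])
    )


def compliance_test(accounts, policy, as_of, sample_size, tolerable_rate, seed=7):
    """Statistical (random) selection so every account has an equal chance of
    being picked; returns the observed deviation rate and whether the control
    can be relied upon (deviation rate within the tolerable error rate)."""
    sample = random.Random(seed).sample(accounts, sample_size)
    deviations = sorted(a["user"] for a in sample if not complies(a, policy, as_of))
    rate = len(deviations) / sample_size
    return {
        "sample_size": sample_size,
        "deviations": deviations,
        "deviation_rate": rate,
        "control_reliable": rate <= tolerable_rate,
    }


def substantive_sample_size(compliance_result, baseline):
    """Effective controls allow substantive testing to be reduced; weak
    controls call for more rigorous substantive testing (illustrative rule)."""
    return baseline // 2 if compliance_result["control_reliable"] else baseline * 2


if __name__ == "__main__":
    result = compliance_test(ACCOUNTS, POLICY, AS_OF, sample_size=len(ACCOUNTS), tolerable_rate=0.05)
    print(result)
    print("substantive sample to draw:", substantive_sample_size(result, baseline=40))
```

The compliance test records only whether each sampled account passes or fails (the "how many?" of attribute sampling); the amounts, balances or transactions behind those accounts are left to the substantive phase, whose scope is set by the deviation rate observed here.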