sales@infosectrain.com
https://www.infosectrain.com
+91-97736-67874
CISA Domain 1
The Process of Auditing Information Systems
https://www.infosectrain.com sales@infosectrain.com Page No.1
Overall understanding of the domain:
 Weightage - This domain constitutes 21 percent of the CISA exam
(approximately 32 of the 150 questions)
 Covers 11 knowledge statements on the process of auditing
information systems
1. ISACA IS Audit and Assurance Standards, Guidelines, and Tools &
Techniques, Code of Professional Ethics & other applicable standards
2. Risk assessment concepts and tools and techniques used in planning,
examination, reporting and follow-up
3. Fundamental business processes & the role of IS in these processes
4. Control principles related to controls in information systems
5. Risk-based audit planning and audit project management techniques
6. Applicable laws and regulations which affect the scope, evidence
collection and preservation, and frequency of audits
7. Evidence collection techniques used to gather, protect and preserve
audit evidence
8. Different sampling methodologies & other substantive/data analytical
procedures
9. Reporting and communication techniques
10. Audit quality assurance (QA) systems and frameworks
11. Various types of audits & methods for assessing and placing reliance
on the work of other auditors or control entities
Important concepts from exam point of view:
1. Audit Charter:
 The audit charter outlines the overall authority, scope and responsibilities of
the audit function
 The audit charter should be approved by the audit committee / senior
management (the highest level of management in the organization)
 The internal audit function must be independent of the activities it audits;
it reports to the audit committee rather than to operational management
Points to remember:
 When a CISA question asks who approves the audit charter, the answer
should be the senior-most management level offered in the options
 The IS auditor's role is to report audit observations and give an
"independent audit opinion", not to design, implement or own the controls
https://www.infosectrain.com/courses/cisa-certification-training/
2. Audit planning:
 Step 1 - Understand the business mission, vision, objectives and processes,
including the information requirements under the CIA triad (confidentiality,
integrity and availability of data)
 Step 2 - Understand the business environment
 Step 3 - Review prior work papers
 Step 4 - Perform risk analysis
 Step 5 - Set audit scope and objectives
 Step 6 - Develop the audit plan/strategy
 Step 7 - Assign audit personnel/resources
Point to remember: The first step in audit planning is always understanding
the business mission, objectives and business environment; the risk analysis
that determines the audit scope comes after that.
 Audit planning includes -
1. Short-term planning - considers the audit issues that will be covered during
the year
2. Long-term planning - audit plans that take into account risk-related
issues regarding changes in the organization's IT strategic direction that
will affect the organization's IT environment
3. Risk analysis:
 Risk is a combination of the probability of an event and its consequence
(International Organization for Standardization [ISO] 31000:2009)
 Risk analysis is part of audit planning; it identifies risks and vulnerabilities
so the IS auditor can determine the controls needed to mitigate those
risks, and it decides where audit effort is concentrated
Point to remember: A CISA candidate should be able to differentiate
between a threat and a vulnerability. A threat is anything that can exploit a
vulnerability, intentionally or accidentally, and obtain, damage or destroy an
asset. A vulnerability is a weakness or gap in a security program that can be
exploited by a threat to gain unauthorized access to an asset. Risk exists
only where a threat and a vulnerability coincide on an asset of value.
 Risk analysis draws on risk management frameworks such as ISO 27005 and
ISO 31000
 Risk assessment process - The process starts with identifying the risk sources
& events, then identifying the vulnerabilities associated with those sources, &
then analyzing the probability of occurrence and the impact
 Risk management process - It begins with identifying the business
objectives and the information assets that support them, assessing the
risk to those assets, deciding how to treat the risk (avoid, transfer,
mitigate/reduce or accept) and implementing controls to mitigate the risk
Point to remember:
 A CISA candidate should be aware of the difference between risk
assessment and risk management. Risk assessment (identification, analysis
and evaluation) is the process of finding where risk exists; risk treatment
follows the assessment and decides the response. Risk management is the
overall process that contains both.
 Risk can be mitigated/reduced through the implementation of controls,
third-party insurance (transfer), etc.
4. Internal Controls:
 Internal controls are normally composed of policies, procedures, practices
& organizational structures that are implemented to reduce risks to the
organization
 The board of directors is responsible for establishing an effective internal
control system
Point to remember: When a CISA question asks who is responsible for
internal controls, the answer should be the senior-most management level
offered in the options (BoD, CEO, CIO, CISO etc.)
 Classification of internal controls:
a. Preventive controls
b. Detective controls
c. Corrective controls
Point to remember: CISA questions are scenario based; the candidate
should have a thorough understanding of all three control types and be
able to differentiate between preventive, detective and corrective
controls
 Preventive controls: internal controls deployed to stop an event that
might affect the achievement of organizational objectives from happening.
Some examples of preventive control activities are:
 Employee background checks
 Employee training and required certifications
 Password-protected access to asset storage areas
 Physical locks on inventory warehouses
 Security camera systems (preventive as a deterrent; reviewing the
recorded footage afterwards is a detective activity)
 Segregation of duties (i.e. recording, authorization & custody all handled
by separate individuals)
 Detective controls: detective controls seek to identify when preventive
controls were not effective in preventing errors and irregularities, particularly
in relation to the safeguarding of assets. Some examples of detective
control activities are:
 Bank reconciliations
 Control totals
 Physical inventory counts
 Reconciliation of the general ledger to the detailed subsidiary ledgers
 Internal audit functions
 Corrective controls: when detective control activities identify an error or
irregularity, corrective control activities fix it and, ideally, put a new
mechanism in place to prevent a recurrence. Some examples of corrective
control activities are:
 Data backups can be used to restore lost data in case of a fire or other
disaster
 Data validity tests can require users to confirm data inputs if amounts are
outside a reasonable range
 Insurance can be utilized to help replace damaged or stolen assets
 Management variance reports can highlight variances from budget to
actual for management corrective action
 Training and operations manuals can be revised to prevent future errors
and irregularities
5. COBIT 5:
 Developed by ISACA
 A comprehensive framework that assists enterprises in achieving their
objectives for the governance & management of enterprise IT (GEIT)
 COBIT 5 is based on 5 principles and 7 enablers
5 Principles:
1. Meeting Stakeholder Needs
2. Covering the Enterprise End-to-End
3. Applying a Single Integrated Framework
4. Enabling a Holistic Approach
5. Separating Governance From Management
7 Enablers:
1. Principles, Policies and Frameworks
2. Processes
3. Organizational Structures
4. Culture, Ethics and Behaviour
5. Information
6. Services, Infrastructure and Applications
7. People, Skills and Competencies
(Note: A CISA candidate will not be asked to specifically identify the COBIT
processes, the COBIT domains or the set of IT processes defined in each.
However, candidates should know what frameworks are, what they do and
why they are used by enterprises.)
6. Risk based auditing
 Audit risk - the risk that information may contain a material error
that goes undetected during the course of the audit
 The audit approach should be as follows:
 Step 1 - Gather available information and plan through review of the
prior year's audit results, recent financial information and inherent risk
assessments
 Step 2 - Understand the existing internal controls by analyzing the
control procedures; assess control risk and detection risk
 Step 3 - Perform compliance testing by identifying the key controls to
be tested and testing whether they operate as designed
 Step 4 - Perform substantive testing by testing account balances and
applying analytical procedures; the extent depends on the results of
compliance testing (weak controls mean more substantive work)
 Step 5 - Conclude the audit - audit report with an independent audit
opinion
 Factors which influence audit risk
a. Inherent risk - the risk that an activity would pose if no controls or
other mitigating factors were in place
b. Control risk - the risk that a material error exists that would not be
prevented or detected on a timely basis by the system of internal control
c. Detection risk - the risk that material errors or misstatements that
have occurred will not be detected by the IS auditor's procedures
d. Residual risk - the risk that remains after controls are taken into
account (a risk management term; the audit risk model itself combines
inherent, control and detection risk)
Point to remember: A CISA candidate should know the differences
between preventive, detective and corrective controls. An example of
a question in the exam would be: Which of the following controls
would BEST detect
7. Risk Treatment
 Risk identified in the risk assessment needs to be treated.
 Possible risk response options include:
 Risk mitigation—Applying appropriate controls to reduce the risk
 Risk acceptance—Knowingly and objectively not taking action, provid
ing the risk clearly satisfies the organization’s policy and criteria for
risk acceptance
 Risk avoidance—Avoiding risk by not allowing actions that would
cause the risk to occur
 Risk transfer/sharing—Transferring the associated risk to other par
ties (e.g., insurers or suppliers)
8. Compliance testing Vs. substantive testing
 Compliance testing - determines whether controls are in compliance
with management policies and procedures (i.e. whether the control
exists and operates as intended)
Examples:
 User access rights
 Program change control procedures
 Review of logs
 Software license audit
 Substantive testing - gathers evidence to evaluate the integrity of
individual transactions, data or other information
Examples:
 Performance of a complex calculation on a sample basis
 Testing of account balances
Point to remember:
 CISA questions are scenario based and the candidate should be
able to differentiate between substantive testing & compliance
testing. If compliance testing shows that controls are not operating,
the auditor cannot rely on them and must extend substantive testing.
 Statistical sampling is to be used when the probability of error
must be objectively quantified (i.e. no subjectivity is involved).
Statistical sampling is an objective method of sampling in which
each item has a known chance of selection (an equal chance in simple
random sampling)
Point to remember: A CISA candidate, given an audit scenario,
should be able to determine which type of evidence-gathering technique
would be best
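The two test types above, worked through on constructed data. This is an added example and not code from the original deck: the HR termination register, the identity-store export and the invoice ledger are made-up inline data, and the 2-day deprovisioning SLA is an assumed control requirement. The compliance test asks whether the "disable accounts of leavers" control operated (a yes/no attribute, so its result is a deviation rate of the kind attribute sampling projects); the substantive test recomputes invoice totals and reports monetary differences (the figure that variable sampling, specifically difference estimation, projects to the population).

```python
from datetime import date, timedelta
from decimal import Decimal

# --- Constructed sample data (not from any real system) -------------------
# HR termination register: user -> termination date
TERMINATIONS = {
    "jdoe": date(2023, 3, 1),
    "asmith": date(2023, 5, 15),
    "rpatel": date(2023, 6, 20),
}
# Identity-store export: account status and last successful login
ACCOUNTS = [
    {"user": "jdoe",   "enabled": True,  "last_login": date(2023, 4, 2)},   # never disabled
    {"user": "asmith", "enabled": False, "last_login": date(2023, 5, 10)},  # disabled, clean
    {"user": "rpatel", "enabled": False, "last_login": date(2023, 6, 28)},  # disabled late
    {"user": "bwong",  "enabled": True,  "last_login": date(2023, 7, 1)},   # current employee
]
# Sales ledger: invoice lines (qty, unit price) and the total the ledger recorded
INVOICES = [
    {"id": "INV-1001", "lines": [(2, "49.99"), (1, "10.00")], "recorded_total": "109.98"},
    {"id": "INV-1002", "lines": [(3, "20.00")],               "recorded_total": "60.00"},
    {"id": "INV-1003", "lines": [(1, "999.00")],              "recorded_total": "99.00"},
]


def compliance_test_deprovisioning(accounts, terminations, sla_days=2):
    """Compliance test of the (assumed) control 'accounts are disabled within
    sla_days of termination'. A deviation is a terminated user whose account is
    still enabled, or whose account was still used after the SLA deadline.
    Returns the list of deviations and the deviation rate over the population
    of terminated users (current employees are outside this control's population)."""
    deviations = []
    population = 0
    for acct in accounts:
        term_date = terminations.get(acct["user"])
        if term_date is None:
            continue
        population += 1
        deadline = term_date + timedelta(days=sla_days)
        if acct["enabled"]:
            deviations.append((acct["user"], "still enabled after termination"))
        elif acct["last_login"] > deadline:
            deviations.append((acct["user"], "used after deprovisioning deadline"))
    rate = len(deviations) / population if population else 0.0
    return deviations, rate


def substantive_test_invoice_totals(invoices):
    """Substantive test: recompute each invoice total from its lines and compare
    with the recorded amount. Returns the per-invoice differences
    (recorded - recomputed) for misstated invoices and their net sum.
    Decimal is used so that money is not subject to binary float rounding."""
    differences = {}
    for inv in invoices:
        recomputed = sum((Decimal(qty) * Decimal(price) for qty, price in inv["lines"]),
                         Decimal("0"))
        diff = Decimal(inv["recorded_total"]) - recomputed
        if diff != 0:
            differences[inv["id"]] = diff
    return differences, sum(differences.values(), Decimal("0"))


if __name__ == "__main__":
    devs, rate = compliance_test_deprovisioning(ACCOUNTS, TERMINATIONS)
    print(f"compliance deviations: {devs} (deviation rate {rate:.0%})")
    diffs, net = substantive_test_invoice_totals(INVOICES)
    print(f"substantive misstatements: {diffs} (net {net})")
```

The compliance result is a rate (2 of 3 terminated users deviate, so the control cannot be relied on), which is why its natural follow-up is more substantive work; the substantive result is an amount (INV-1003 is understated by 900.00), which is what the auditor projects and compares against materiality.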
9. Audit Evidence
 Any information used by the IS auditor to determine whether the entity
or data being audited follows the established criteria or objectives &
supports the audit conclusions
 Techniques for gathering evidence:
 Review IS organization structures
 Review IS policies and procedures
 Review IS standards
 Review IS documentation
 Interview appropriate personnel
 Observe processes and employee performance
 Walkthrough
10. Audit Sampling
 A sample is the subset of population members used to perform testing
 Two approaches to sampling:
a. Statistical sampling - uses the mathematical laws of probability to
determine the sample size and to evaluate the results
b. Non-statistical sampling - uses auditor judgment to determine the
method of sampling and the sample size
 Methods of sampling
a. Attribute sampling - applied in compliance testing situations; deals
with the presence or absence of an attribute & provides conclusions
that are expressed in rates of incidence. Involves three types:
 Attribute sampling (fixed sample-size attribute sampling) - selecting a
number of transactions & making inferences about how their
characteristics represent the full population of which the selected items
are a part
 Stop-or-go sampling - this model helps prevent excessive sampling of
an attribute by allowing an audit test to be stopped at the earliest
possible moment. It is mostly used when the auditor believes that
relatively few errors will be found in the population
 Discovery sampling - mostly used when the objective of the audit is
to discover fraud or other irregularities whose expected occurrence rate
is extremely low; a single deviation found is significant
b. Variable sampling - applied in substantive testing situations; deals
with population characteristics that vary, such as monetary values &
weights or any other measurement, and provides conclusions related
to deviations from the norm. Involves three types:
 Stratified mean per unit - a statistical model in which the population is
divided into groups (strata) and samples are drawn from the various groups
 Unstratified mean per unit - a statistical model in which the sample
mean (average) is calculated and projected as an estimated total
 Difference estimation - a statistical model used to estimate the total
difference between audited values and unaudited values, based on the
differences obtained from sample observations
c. Important statistical terms:
 Confidence coefficient (CC) - a percentage expression of the probability
that the characteristics of the sample are a true representation of the
population. The stronger the internal controls, the lower the confidence
coefficient the auditor needs (less reliance is placed on the sample), and
so the smaller the sample
 Level of risk - equal to one minus the confidence coefficient [if the
confidence coefficient is 95%, the level of risk is 100 - 95 = 5%]
 Expected error rate (ERR) - an estimate, stated as a percentage, of the
error rate that may exist in the population. The greater the ERR, the
greater the sample size
Point to remember: The IS auditor should be familiar with the different
types of sampling techniques and when it is appropriate to use each of
them
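The audit risk model from section 6 and the sampling terms above fit together numerically, and the following added example (not code from the original deck) chains them to show both relationships the deck states: a higher ERR raises the sample size, and stronger controls let the auditor accept a lower confidence coefficient and hence a smaller sample. Assumptions: AR = IR x CR x DR is treated as a multiplicative model and solved for detection risk; the attribute sample size uses the textbook normal approximation n = z^2 p(1-p)/E^2 rather than ISACA's binomial tables, with precision E taken as the tolerable error rate minus the ERR (the tolerable rate is a parameter the deck does not mention); the discovery sample size follows from the probability of observing zero deviations; detection risk is equated with the "level of risk" (1 - CC). All parameter values are illustrative.

```python
import math
from statistics import NormalDist  # inv_cdf available in Python >= 3.8


def detection_risk(audit_risk, inherent_risk, control_risk):
    """Audit risk model AR = IR x CR x DR, solved for the detection risk (DR)
    the auditor can accept. Stronger controls (lower CR) allow a higher DR,
    i.e. less substantive work. (Multiplicative model assumed.)"""
    return audit_risk / (inherent_risk * control_risk)


def z_for_confidence(cc):
    """Two-sided standard-normal critical value for confidence coefficient cc."""
    if not 0 < cc < 1:
        raise ValueError("confidence coefficient must be strictly between 0 and 1")
    return NormalDist().inv_cdf(1 - (1 - cc) / 2)


def attribute_sample_size(cc, expected_error_rate, tolerable_error_rate):
    """Fixed-sample-size attribute sampling via the normal approximation:
    n = z^2 * p(1-p) / E^2, with p = expected error rate (ERR) and
    E = tolerable rate - ERR, the precision the auditor will accept.
    (Assumption: ISACA's tables are binomial; this approximation is close
    for the rates auditors typically use.)"""
    precision = tolerable_error_rate - expected_error_rate
    if precision <= 0:
        raise ValueError("tolerable error rate must exceed the expected error rate")
    z = z_for_confidence(cc)
    p = expected_error_rate
    return math.ceil(z * z * p * (1 - p) / precision ** 2)


def discovery_sample_size(cc, critical_rate):
    """Discovery sampling: smallest n for which at least one deviation will be
    seen with probability cc if the true rate is at least critical_rate:
    1 - (1 - critical_rate)^n >= cc  ->  n >= ln(1 - cc) / ln(1 - critical_rate)."""
    if not (0 < cc < 1 and 0 < critical_rate < 1):
        raise ValueError("cc and critical_rate must be strictly between 0 and 1")
    return math.ceil(math.log(1 - cc) / math.log(1 - critical_rate))


def plan_substantive_sample(audit_risk, inherent_risk, control_risk,
                            expected_error_rate, tolerable_error_rate):
    """Chain the two ideas: derive DR from the audit risk model, treat it as the
    'level of risk' (1 - CC) from the sampling terms, and size the sample.
    Returns (confidence coefficient, sample size)."""
    dr = detection_risk(audit_risk, inherent_risk, control_risk)
    if dr >= 1:
        raise ValueError("IR x CR is already below the audit risk target; "
                         "no statistical sample size can be derived")
    cc = 1 - dr
    return cc, attribute_sample_size(cc, expected_error_rate, tolerable_error_rate)


if __name__ == "__main__":
    # Greater ERR -> greater sample size (same CC and precision)
    print("95% CC, ERR 2%, tolerable 7%:", attribute_sample_size(0.95, 0.02, 0.07))
    print("95% CC, ERR 5%, tolerable 10%:", attribute_sample_size(0.95, 0.05, 0.10))
    # Lower CC -> smaller sample
    print("90% CC, ERR 2%, tolerable 7%:", attribute_sample_size(0.90, 0.02, 0.07))
    # Discovery sampling: how many items before a 1% fraud rate would surface
    print("discovery n for a 1% critical rate at 95%:", discovery_sample_size(0.95, 0.01))
    # Stronger controls (lower CR) -> higher DR -> lower CC -> smaller sample
    for cr in (0.5, 0.25):
        cc, n = plan_substantive_sample(0.05, 0.8, cr, 0.02, 0.07)
        print(f"CR={cr}: CC={cc:.3f}, attribute sample n={n}")
```

With AR held at 5% and IR at 0.8, halving the assessed control risk from 0.5 to 0.25 doubles the acceptable detection risk (12.5% to 25%), drops the required confidence coefficient from 87.5% to 75%, and shrinks the attribute sample from 19 to 11 items; raising the ERR from 2% to 5% at 95% confidence pushes the sample from 31 to 73.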
11. Control Self-assessment (CSA)
a. What is CSA?
 An assessment of controls made by the staff and management of the
unit or units involved
 A management technique that assures stakeholders, customers and
other parties that the internal control system of the organization is
reliable
 Ensures that employees are aware of the risks to the business & that they
conduct periodic, proactive reviews of controls
b. Objectives of CSA
 To leverage the internal audit function by shifting some of the control
monitoring responsibilities to the functional areas
 Not intended to replace audit's responsibilities but to enhance them
c. Benefits of CSA
 Early detection of risk
 More effective and improved internal controls
 Develops a sense of ownership of the controls in employees and
process owners, reducing their resistance to control improvement
initiatives
 Increased communication between operational and top management
 Highly motivated employees
d. Disadvantages of CSA
 May be mistaken as a replacement for the audit function
 May be considered an additional workload
 Failure to act on improvement suggestions could damage employee
morale
 Lack of motivation may limit effectiveness in the detection of weak
controls
e. Auditor's role in CSA
 The auditor's role in CSAs should be considered enhanced when audit
departments establish a CSA program
 Auditors act as internal control professionals & assessment facilitators
THANKS

CYBERSECURITY Interview Questions for Freshers.pdf
 
Top Interview Questions to Master as a CompTIA Security+ Certified Profession...
Top Interview Questions to Master as a CompTIA Security+ Certified Profession...Top Interview Questions to Master as a CompTIA Security+ Certified Profession...
Top Interview Questions to Master as a CompTIA Security+ Certified Profession...
 
Top 20 Incident Responder Interview Questions and Answers (1).pdf
Top 20 Incident Responder Interview Questions and Answers (1).pdfTop 20 Incident Responder Interview Questions and Answers (1).pdf
Top 20 Incident Responder Interview Questions and Answers (1).pdf
 
Top 25 Azure Architect Interview Questions and Answers.pdf
Top 25 Azure Architect Interview Questions and Answers.pdfTop 25 Azure Architect Interview Questions and Answers.pdf
Top 25 Azure Architect Interview Questions and Answers.pdf
 
Top 20 Azure Administrator Interview Questions.pdf
Top 20 Azure Administrator Interview Questions.pdfTop 20 Azure Administrator Interview Questions.pdf
Top 20 Azure Administrator Interview Questions.pdf
 
Threat Hunting Professional Online Training Course
Threat Hunting Professional Online Training CourseThreat Hunting Professional Online Training Course
Threat Hunting Professional Online Training Course
 
Why cloud security engineers find CCSE as a perfect fit
Why cloud security engineers find CCSE as a perfect fitWhy cloud security engineers find CCSE as a perfect fit
Why cloud security engineers find CCSE as a perfect fit
 
Top 20 certified ethical hacker interview questions and answer
Top 20 certified ethical hacker interview questions and answerTop 20 certified ethical hacker interview questions and answer
Top 20 certified ethical hacker interview questions and answer
 
Top 20 azure interview questions
Top 20 azure interview questionsTop 20 azure interview questions
Top 20 azure interview questions
 
Top 15 aws security interview questions
Top 15 aws security interview questionsTop 15 aws security interview questions
Top 15 aws security interview questions
 
EC-Council Certified SOC Analyst
EC-Council Certified SOC AnalystEC-Council Certified SOC Analyst
EC-Council Certified SOC Analyst
 
Ctia course outline
Ctia course outlineCtia course outline
Ctia course outline
 
Domain 6 of CEH: Wireless Network Hacking
Domain 6 of CEH: Wireless Network HackingDomain 6 of CEH: Wireless Network Hacking
Domain 6 of CEH: Wireless Network Hacking
 
Domain 5 of the CEH: Web Application Hacking
Domain 5 of the CEH: Web Application HackingDomain 5 of the CEH: Web Application Hacking
Domain 5 of the CEH: Web Application Hacking
 
Domain 4 of CEH V11: Network and Perimeter Hacking
Domain 4 of CEH V11: Network and Perimeter HackingDomain 4 of CEH V11: Network and Perimeter Hacking
Domain 4 of CEH V11: Network and Perimeter Hacking
 
Domain 3 of CEH v11: System Hacking Phases and Attack Techniques
Domain 3 of CEH v11: System Hacking Phases and Attack TechniquesDomain 3 of CEH v11: System Hacking Phases and Attack Techniques
Domain 3 of CEH v11: System Hacking Phases and Attack Techniques
 
Domain 2 of CEH v11: Reconnaissance Techniques
Domain 2 of CEH v11: Reconnaissance TechniquesDomain 2 of CEH v11: Reconnaissance Techniques
Domain 2 of CEH v11: Reconnaissance Techniques
 
Domain 1 of CEH v11: Information Security and Ethical Hacking
Domain 1 of CEH v11: Information Security and Ethical HackingDomain 1 of CEH v11: Information Security and Ethical Hacking
Domain 1 of CEH v11: Information Security and Ethical Hacking
 
How is az 303 different from az-304
How is az 303 different from az-304How is az 303 different from az-304
How is az 303 different from az-304
 

Recently uploaded

Supporting (UKRI) OA monographs at Salford.pptx
Supporting (UKRI) OA monographs at Salford.pptxSupporting (UKRI) OA monographs at Salford.pptx
Supporting (UKRI) OA monographs at Salford.pptx
Jisc
 
Phrasal Verbs.XXXXXXXXXXXXXXXXXXXXXXXXXX
Phrasal Verbs.XXXXXXXXXXXXXXXXXXXXXXXXXXPhrasal Verbs.XXXXXXXXXXXXXXXXXXXXXXXXXX
Phrasal Verbs.XXXXXXXXXXXXXXXXXXXXXXXXXX
MIRIAMSALINAS13
 
2024.06.01 Introducing a competency framework for languag learning materials ...
2024.06.01 Introducing a competency framework for languag learning materials ...2024.06.01 Introducing a competency framework for languag learning materials ...
2024.06.01 Introducing a competency framework for languag learning materials ...
Sandy Millin
 
The geography of Taylor Swift - some ideas
The geography of Taylor Swift - some ideasThe geography of Taylor Swift - some ideas
The geography of Taylor Swift - some ideas
GeoBlogs
 
Chapter 3 - Islamic Banking Products and Services.pptx
Chapter 3 - Islamic Banking Products and Services.pptxChapter 3 - Islamic Banking Products and Services.pptx
Chapter 3 - Islamic Banking Products and Services.pptx
Mohd Adib Abd Muin, Senior Lecturer at Universiti Utara Malaysia
 
The approach at University of Liverpool.pptx
The approach at University of Liverpool.pptxThe approach at University of Liverpool.pptx
The approach at University of Liverpool.pptx
Jisc
 
The French Revolution Class 9 Study Material pdf free download
The French Revolution Class 9 Study Material pdf free downloadThe French Revolution Class 9 Study Material pdf free download
The French Revolution Class 9 Study Material pdf free download
Vivekanand Anglo Vedic Academy
 
The Accursed House by Émile Gaboriau.pptx
The Accursed House by Émile Gaboriau.pptxThe Accursed House by Émile Gaboriau.pptx
The Accursed House by Émile Gaboriau.pptx
DhatriParmar
 
Palestine last event orientationfvgnh .pptx
Palestine last event orientationfvgnh .pptxPalestine last event orientationfvgnh .pptx
Palestine last event orientationfvgnh .pptx
RaedMohamed3
 
The Challenger.pdf DNHS Official Publication
The Challenger.pdf DNHS Official PublicationThe Challenger.pdf DNHS Official Publication
The Challenger.pdf DNHS Official Publication
Delapenabediema
 
Sha'Carri Richardson Presentation 202345
Sha'Carri Richardson Presentation 202345Sha'Carri Richardson Presentation 202345
Sha'Carri Richardson Presentation 202345
beazzy04
 
Instructions for Submissions thorugh G- Classroom.pptx
Instructions for Submissions thorugh G- Classroom.pptxInstructions for Submissions thorugh G- Classroom.pptx
Instructions for Submissions thorugh G- Classroom.pptx
Jheel Barad
 
Lapbook sobre os Regimes Totalitários.pdf
Lapbook sobre os Regimes Totalitários.pdfLapbook sobre os Regimes Totalitários.pdf
Lapbook sobre os Regimes Totalitários.pdf
Jean Carlos Nunes Paixão
 
1.4 modern child centered education - mahatma gandhi-2.pptx
1.4 modern child centered education - mahatma gandhi-2.pptx1.4 modern child centered education - mahatma gandhi-2.pptx
1.4 modern child centered education - mahatma gandhi-2.pptx
JosvitaDsouza2
 
TESDA TM1 REVIEWER FOR NATIONAL ASSESSMENT WRITTEN AND ORAL QUESTIONS WITH A...
TESDA TM1 REVIEWER  FOR NATIONAL ASSESSMENT WRITTEN AND ORAL QUESTIONS WITH A...TESDA TM1 REVIEWER  FOR NATIONAL ASSESSMENT WRITTEN AND ORAL QUESTIONS WITH A...
TESDA TM1 REVIEWER FOR NATIONAL ASSESSMENT WRITTEN AND ORAL QUESTIONS WITH A...
EugeneSaldivar
 
How to Make a Field invisible in Odoo 17
How to Make a Field invisible in Odoo 17How to Make a Field invisible in Odoo 17
How to Make a Field invisible in Odoo 17
Celine George
 
Guidance_and_Counselling.pdf B.Ed. 4th Semester
Guidance_and_Counselling.pdf B.Ed. 4th SemesterGuidance_and_Counselling.pdf B.Ed. 4th Semester
Guidance_and_Counselling.pdf B.Ed. 4th Semester
Atul Kumar Singh
 
"Protectable subject matters, Protection in biotechnology, Protection of othe...
"Protectable subject matters, Protection in biotechnology, Protection of othe..."Protectable subject matters, Protection in biotechnology, Protection of othe...
"Protectable subject matters, Protection in biotechnology, Protection of othe...
SACHIN R KONDAGURI
 
Overview on Edible Vaccine: Pros & Cons with Mechanism
Overview on Edible Vaccine: Pros & Cons with MechanismOverview on Edible Vaccine: Pros & Cons with Mechanism
Overview on Edible Vaccine: Pros & Cons with Mechanism
DeeptiGupta154
 
CLASS 11 CBSE B.St Project AIDS TO TRADE - INSURANCE
CLASS 11 CBSE B.St Project AIDS TO TRADE - INSURANCECLASS 11 CBSE B.St Project AIDS TO TRADE - INSURANCE
CLASS 11 CBSE B.St Project AIDS TO TRADE - INSURANCE
BhavyaRajput3
 

Recently uploaded (20)

Supporting (UKRI) OA monographs at Salford.pptx
Supporting (UKRI) OA monographs at Salford.pptxSupporting (UKRI) OA monographs at Salford.pptx
Supporting (UKRI) OA monographs at Salford.pptx
 
Phrasal Verbs.XXXXXXXXXXXXXXXXXXXXXXXXXX
Phrasal Verbs.XXXXXXXXXXXXXXXXXXXXXXXXXXPhrasal Verbs.XXXXXXXXXXXXXXXXXXXXXXXXXX
Phrasal Verbs.XXXXXXXXXXXXXXXXXXXXXXXXXX
 
2024.06.01 Introducing a competency framework for languag learning materials ...
2024.06.01 Introducing a competency framework for languag learning materials ...2024.06.01 Introducing a competency framework for languag learning materials ...
2024.06.01 Introducing a competency framework for languag learning materials ...
 
The geography of Taylor Swift - some ideas
The geography of Taylor Swift - some ideasThe geography of Taylor Swift - some ideas
The geography of Taylor Swift - some ideas
 
Chapter 3 - Islamic Banking Products and Services.pptx
Chapter 3 - Islamic Banking Products and Services.pptxChapter 3 - Islamic Banking Products and Services.pptx
Chapter 3 - Islamic Banking Products and Services.pptx
 
The approach at University of Liverpool.pptx
The approach at University of Liverpool.pptxThe approach at University of Liverpool.pptx
The approach at University of Liverpool.pptx
 
The French Revolution Class 9 Study Material pdf free download
The French Revolution Class 9 Study Material pdf free downloadThe French Revolution Class 9 Study Material pdf free download
The French Revolution Class 9 Study Material pdf free download
 
The Accursed House by Émile Gaboriau.pptx
The Accursed House by Émile Gaboriau.pptxThe Accursed House by Émile Gaboriau.pptx
The Accursed House by Émile Gaboriau.pptx
 
Palestine last event orientationfvgnh .pptx
Palestine last event orientationfvgnh .pptxPalestine last event orientationfvgnh .pptx
Palestine last event orientationfvgnh .pptx
 
The Challenger.pdf DNHS Official Publication
The Challenger.pdf DNHS Official PublicationThe Challenger.pdf DNHS Official Publication
The Challenger.pdf DNHS Official Publication
 
Sha'Carri Richardson Presentation 202345
Sha'Carri Richardson Presentation 202345Sha'Carri Richardson Presentation 202345
Sha'Carri Richardson Presentation 202345
 
Instructions for Submissions thorugh G- Classroom.pptx
Instructions for Submissions thorugh G- Classroom.pptxInstructions for Submissions thorugh G- Classroom.pptx
Instructions for Submissions thorugh G- Classroom.pptx
 
Lapbook sobre os Regimes Totalitários.pdf
Lapbook sobre os Regimes Totalitários.pdfLapbook sobre os Regimes Totalitários.pdf
Lapbook sobre os Regimes Totalitários.pdf
 
1.4 modern child centered education - mahatma gandhi-2.pptx
1.4 modern child centered education - mahatma gandhi-2.pptx1.4 modern child centered education - mahatma gandhi-2.pptx
1.4 modern child centered education - mahatma gandhi-2.pptx
 
TESDA TM1 REVIEWER FOR NATIONAL ASSESSMENT WRITTEN AND ORAL QUESTIONS WITH A...
TESDA TM1 REVIEWER  FOR NATIONAL ASSESSMENT WRITTEN AND ORAL QUESTIONS WITH A...TESDA TM1 REVIEWER  FOR NATIONAL ASSESSMENT WRITTEN AND ORAL QUESTIONS WITH A...
TESDA TM1 REVIEWER FOR NATIONAL ASSESSMENT WRITTEN AND ORAL QUESTIONS WITH A...
 
How to Make a Field invisible in Odoo 17
How to Make a Field invisible in Odoo 17How to Make a Field invisible in Odoo 17
How to Make a Field invisible in Odoo 17
 
Guidance_and_Counselling.pdf B.Ed. 4th Semester
Guidance_and_Counselling.pdf B.Ed. 4th SemesterGuidance_and_Counselling.pdf B.Ed. 4th Semester
Guidance_and_Counselling.pdf B.Ed. 4th Semester
 
"Protectable subject matters, Protection in biotechnology, Protection of othe...
"Protectable subject matters, Protection in biotechnology, Protection of othe..."Protectable subject matters, Protection in biotechnology, Protection of othe...
"Protectable subject matters, Protection in biotechnology, Protection of othe...
 
Overview on Edible Vaccine: Pros & Cons with Mechanism
Overview on Edible Vaccine: Pros & Cons with MechanismOverview on Edible Vaccine: Pros & Cons with Mechanism
Overview on Edible Vaccine: Pros & Cons with Mechanism
 
CLASS 11 CBSE B.St Project AIDS TO TRADE - INSURANCE
CLASS 11 CBSE B.St Project AIDS TO TRADE - INSURANCECLASS 11 CBSE B.St Project AIDS TO TRADE - INSURANCE
CLASS 11 CBSE B.St Project AIDS TO TRADE - INSURANCE
 

CISA Domain 1 The Process On AUDITING INFORMATION SYSTEMS

Overall understanding of the domain:
 Weightage - This domain constitutes 21 percent of the CISA exam (approximately 32 questions)
 Covers 11 knowledge statements covering the process of auditing information systems:
1. ISACA IS Audit and Assurance Standards, Guidelines, and Tools & Techniques, Code of Professional Ethics & other applicable standards
2. Risk assessment concepts and tools and techniques in planning, examination, reporting and follow-up
3. Fundamental business processes & the role of IS in these processes
4. Control principles related to controls in information systems
5. Risk-based audit planning and audit project management techniques
6. Applicable laws and regulations which affect the scope, evidence collection and preservation, and frequency of audits
7. Evidence collection techniques used to gather, protect and preserve audit evidence
8. Different sampling methodologies & other substantive/data analytical procedures
9. Reporting and communication techniques
10. Audit quality assurance (QA) systems and frameworks
11. Various types of audits & methods for assessing and placing reliance on the work of other auditors or control entities

Important concepts from exam point of view:

1. Audit Charter:
 The audit charter outlines the overall authority, scope and responsibilities of the audit function
 The audit charter should be approved by the audit committee and senior management
 The internal audit function is always independent of the management committee
Points to remember:
 When a CISA question is on the approval of the audit charter, the answer should be the senior-most management, based on the options available.
 The IS auditor's role is more one of reporting audit observations and giving an "independent audit opinion"
https://www.infosectrain.com/courses/cisa-certification-training/
2. Audit planning:
 Step 1 – Understand the business mission, vision, objectives and processes, which includes the information requirements under the CIA triad (Confidentiality, Integrity and Availability of data)
 Step 2 – Understand the business environment
 Step 3 – Review prior work papers
 Step 4 – Perform risk analysis
 Step 5 – Set audit scope and objectives
 Step 6 – Develop the audit plan/strategy
 Step 7 – Assign audit personnel/resources
Point to remember: The first step in audit planning is always understanding the business mission, objectives and business environment, then analyzing the risk involved based on the audit scope.
 Audit planning includes:
1. Short-term planning – considers audit issues that will be covered during the year
2. Long-term planning – audit plans that take into account risk-related issues regarding changes in the organization's IT strategic direction that will affect the organization's IT environment
3. Risk analysis:
 Risk is a combination of the probability of an event and its consequence (International Organization for Standardization [ISO] 31000:2009)
 Risk analysis is part of audit planning, and helps identify risks and vulnerabilities so the IS auditor can determine the controls needed to mitigate those risks
Point to remember: A CISA candidate should be able to differentiate between threat and vulnerability. A threat is anything that can exploit a vulnerability, intentionally or accidentally, and obtain, damage, or destroy an asset. A vulnerability is a weakness or gap in a security program that can be exploited by threats to gain unauthorized access to an asset.
 Risk analysis covers risk management frameworks – ISO 27005, ISO 31000
 Risk assessment process – The process starts with identifying the sources & events, then identifying the vulnerabilities associated with the sources, & then analyzing the probability of occurrence and the impact.
 Risk management process – It begins with identifying the business objectives and the information assets that are associated with the business, then assessing the risk, deciding how to treat the risk (avoid, transfer, or mitigate/reduce the risk) and implementing controls to mitigate the risk
Point to remember:
 A CISA candidate should be aware of the difference between risk assessment and risk management. Risk assessment is the process of finding where the risk exists. Risk management is the second step, after performing risk assessment.
 Risk can be mitigated/reduced through implementation of controls, third-party insurance, etc.
4. Internal Controls:
 Internal controls are normally composed of policies, procedures, practices & organizational structures which are implemented to reduce risks to the organization
 The board of directors is responsible for establishing an effective internal control system
Point to remember: When a CISA question is on the responsibility for internal controls, the answer should be the senior-most management (BoD, CEO, CIO, CISO etc.), based on the options available
 Classification of internal controls:
a. Preventive controls
b. Detective controls
c. Corrective controls
Point to remember: CISA questions will be scenario based, where the candidate should have a thorough understanding of all three controls and be able to differentiate between preventive, detective and corrective controls
 Preventive controls: internal controls which are deployed to prevent the occurrence of an event that might affect achievement of organizational objectives. Some examples of preventive control activities are:
   Employee background checks
   Employee training and required certifications
   Password-protected access to asset storage areas
   Physical locks on inventory warehouses
   Security camera systems
   Segregation of duties (i.e. recording, authorization & custody all handled by separate individuals)
 Detective controls: Detective controls seek to identify when preventive controls were not effective in preventing errors and irregularities, particularly in relation to the safeguarding of assets. Some examples of detective control activities are:
   Bank reconciliations
   Control totals
   Physical inventory counts
   Reconciliation of the general ledgers to the detailed subsidiary ledgers
   Internal audit functions
 Corrective controls: When detective control activities identify an error or irregularity, corrective control activities should then see what could or should be done to fix it, & hopefully put a new system in place to prevent it the next time around. Some examples of corrective control activities are:
   Data backups can be used to restore lost data in case of a fire or other disaster
   Data validity tests can require users to confirm data inputs if amounts are outside a reasonable range
   Insurance can be utilized to help replace damaged or stolen assets
   Management variance reports can highlight variances from budget to actual for management corrective action
   Training and operations manuals can be revised to prevent future errors and irregularities
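Two of the control activities listed above can be exercised as automated audit tests. The Python below is an added example, not part of the InfosecTrain deck: sod_conflicts() is a detective test of the preventive control "segregation of duties" (recording, authorization and custody held by separate individuals), and control_total_check() is the detective control "control totals" (recomputing a batch's count and amount and comparing them with what the batch header declares). The user names, duty assignments and batch records are constructed for illustration.

```python
# Added example (not from the InfosecTrain deck): a segregation-of-duties test and a
# control-totals reconciliation, both run over constructed data.

# The deck's SoD rule: recording, authorization and custody must sit with separate people.
INCOMPATIBLE_DUTIES = frozenset({"recording", "authorization", "custody"})

# Constructed user-to-duty assignments (hypothetical names and roles, not real data).
SAMPLE_ASSIGNMENTS = {
    "alice": {"recording"},
    "bob": {"authorization", "custody"},                # two incompatible duties -> exception
    "carol": {"authorization", "reporting"},            # "reporting" is outside the SoD rule
    "dave": {"recording", "authorization", "custody"},  # all three -> exception
}


def sod_conflicts(assignments, incompatible=INCOMPATIBLE_DUTIES):
    """Return {user: sorted incompatible duties} for every user holding two or more
    of the incompatible duties. An empty dict means the preventive control
    (separation of those duties) is operating as designed."""
    findings = {}
    for user, duties in assignments.items():
        held = set(duties) & incompatible
        if len(held) >= 2:
            findings[user] = sorted(held)
    return findings


# Constructed batch of transactions; amounts are integer cents so the arithmetic is exact.
SAMPLE_BATCH = [
    {"id": "T1", "amount_cents": 100_00},
    {"id": "T2", "amount_cents": 25_50},
    {"id": "T3", "amount_cents": 4_99},
]


def control_total_check(batch_records, declared_total_cents, declared_count):
    """Detective control: recompute the batch's record count and amount total and
    compare them with the totals declared in the batch header. A mismatch is an
    exception for the auditor to follow up; this function does not correct it."""
    actual_total = sum(r["amount_cents"] for r in batch_records)
    actual_count = len(batch_records)
    return {
        "total_matches": actual_total == declared_total_cents,
        "count_matches": actual_count == declared_count,
        "actual_total_cents": actual_total,
        "actual_count": actual_count,
    }


if __name__ == "__main__":
    for user, duties in sod_conflicts(SAMPLE_ASSIGNMENTS).items():
        print(f"SoD exception: {user} holds {', '.join(duties)}")
    # Header declares 3 records totalling 130.49 -> both checks pass on this batch.
    print(control_total_check(SAMPLE_BATCH, declared_total_cents=130_49, declared_count=3))
```

Both functions only report exceptions; deciding whether an exception is a control failure or an accepted, compensated deviation is the auditor's judgement, which is the distinction between a detective control and a corrective one.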
5. COBIT 5:
 Developed by ISACA
 A comprehensive framework that assists enterprises in achieving their objectives for the governance & management of enterprise IT (GEIT)
 COBIT 5 is based on 5 principles and 7 enablers
5 Principles:
1. Meeting shareholders' needs
2. End-to-end coverage
3. Holistic approach
4. Integrated framework
5. Separate governance from management
7 Enablers:
1. Principles, policies and frameworks
2. Processes
3. Organizational structures
4. Culture, ethics and behaviour
5. Information
6. Services, infrastructure, applications
7. People, skills and competencies
(Note: A CISA candidate will not be asked to specifically identify the COBIT processes, the COBIT domains or the set of IT processes defined in each. However, candidates should know what frameworks are, what they do and why they are used by enterprises)
6. Risk-based auditing
 Audit risk – the risk that information may contain a material error that may go undetected during the course of the audit.
 The audit approach should be as follows:
   Step 1 – Gather available information and plan through review of prior years' audit results, recent financial information and inherent risk assessments
   Step 2 – Understand existing internal controls by analyzing control procedures and performing a detection risk assessment
   Step 3 – Perform compliance testing by identifying key controls to be tested
   Step 4 – Perform substantive testing by testing account balances and analytical procedures
   Step 5 – Conclude the audit – audit report with independent audit opinion
 Factors which influence audit risk:
a. Inherent risk – risk that an activity would pose if no controls or other mitigating factors were in place
b. Control risk – risk that a material error exists that would not be prevented or detected on a timely basis by the system of internal control
c. Detection risk – the risk that material errors or misstatements that have occurred will not be detected by the IS auditor
d. Residual risk – risk that remains after controls are taken into account
Point to remember: A CISA candidate should know the differences between preventive, detective and corrective controls. An example of a question in the exam would be: Which of the following controls would BEST detect
7. Risk Treatment
 Risk identified in the risk assessment needs to be treated.
 Possible risk response options include:
   Risk mitigation – applying appropriate controls to reduce the risk
   Risk acceptance – knowingly and objectively not taking action, providing the risk clearly satisfies the organization's policy and criteria for risk acceptance
   Risk avoidance – avoiding risk by not allowing actions that would cause the risk to occur
   Risk transfer/sharing – transferring the associated risk to other parties (e.g., insurers or suppliers)
8. Compliance testing vs. substantive testing
 Compliance testing – determines whether controls are in compliance with management policies and procedures. Examples:
   User access rights
   Program change control procedures
   Review of logs
   Software license audit
 Substantive testing – gathers evidence to evaluate the integrity of individual transactions, data or other information. Examples:
   Performance of a complex calculation on a sample basis
   Testing of account balances
Point to remember:
 CISA questions will be scenario based and the candidate should be able to differentiate between substantive testing & compliance testing.
 Statistical sampling is to be used when the probability of error must be objectively quantified (i.e. no subjectivity is involved). Statistical sampling is an objective method of sampling in which each item has an equal chance of selection.
9. Audit Evidence
 Any information used by the IS auditor to determine whether the entity or data being audited follows the established criteria or objectives & supports audit conclusions
 Techniques for gathering evidence:
   Review IS organization structures
   Review IS policies and procedures
   Review IS standards
   Review IS documentation
   Interview appropriate personnel
   Observe processes and employee performance
   Walkthrough
Point to remember: A CISA candidate, given an audit scenario, should be able to determine which type of evidence-gathering technique would be best
10. Audit Sampling
 The subset of population members used to perform testing
 Two approaches to sampling:
a. Statistical sampling – using mathematical laws of probability to create the sample size
b. Non-statistical sampling – uses auditor judgment to determine the method of sampling
 Methods of sampling:
a. Attribute sampling – applied in compliance testing situations, deals with the presence or absence of the attribute & provides conclusions that are expressed in rates of incidence. Involves three types:
   Attribute sampling – selecting a small number of transactions & making assumptions about how their characteristics represent the full population of which the selected items are a part
   Stop-or-go sampling – this model helps prevent excessive sampling of an attribute by allowing an audit test to be stopped at the earliest possible moment. It is mostly used when the auditor believes that relatively few errors will be found in the population
   Discovery sampling – mostly used when the objective of the audit is to discover fraud
b. Variable sampling – applied in substantive testing situations, deals with population characteristics that vary, such as monetary values & weights or any other measurement, and provides conclusions related to deviations from the norm. Involves three types:
   Stratified mean per unit – a statistical model in which the population is divided into groups and samples are drawn from the various groups
   Un-stratified mean per unit – a statistical model in which the sample mean (average) is calculated and projected as an estimated total
   Difference estimation – a statistical model used to estimate the total difference between audited values and unaudited values based on differences obtained from sample observations
c. Important statistical terms:
   Confidence coefficient (CC) – a percentage expression of the probability that the characteristics of the sample are a true representation of the population. The stronger the internal control, the lower the confidence coefficient
   Level of risk – equal to one minus the confidence coefficient [if the confidence coefficient is 95%, the level of risk is 100 - 95 = 5%]
   Expected error rate (ERR) – an estimate, stated as a percentage, of the error that may exist. The greater the ERR, the greater the sample size
Point to remember: The IS auditor should be familiar with the different types of sampling techniques and when it is appropriate to use each of them
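The sampling methods and statistical terms above each reduce to a small calculation. The Python below is an added example, not from the InfosecTrain deck: it computes the level of risk from a confidence coefficient, the rate of incidence from an attribute sample, a stop-or-go decision, and the three variable-sampling projections (un-stratified mean per unit, stratified mean per unit, difference estimation). The sample values and the stop-or-go checkpoint table are constructed for illustration; the checkpoint sizes and allowed deviation counts are not taken from any published sampling table.

```python
# Added example (not from the InfosecTrain deck): audit sampling calculations
# from the "Audit Sampling" slides, worked on constructed sample data.
from statistics import mean


def level_of_risk(confidence_coefficient):
    """Level of risk = 1 - confidence coefficient, with CC given as a fraction
    (0.95 for a 95% confidence coefficient)."""
    if not 0.0 < confidence_coefficient < 1.0:
        raise ValueError("confidence coefficient must be a fraction strictly between 0 and 1")
    return 1.0 - confidence_coefficient


def attribute_incidence_rate(sample_deviations):
    """Attribute sampling: rate of incidence of the attribute in the sample.
    sample_deviations is a list of bools, True where the sampled item lacks the
    control attribute (a deviation)."""
    if not sample_deviations:
        raise ValueError("empty sample")
    return sum(1 for d in sample_deviations if d) / len(sample_deviations)


def stop_or_go(items, stop_points):
    """Stop-or-go sampling: examine items in order and stop at the first checkpoint
    where the cumulative deviation count is within the allowed number.
    stop_points is an ordered list of (cumulative_sample_size, max_deviations);
    the table passed in by the caller is a constructed illustration, not a
    published stop-or-go table. Returns (items_examined, deviations, accepted)."""
    examined = deviations = 0
    it = iter(items)
    for size, allowed in stop_points:
        while examined < size:
            try:
                item = next(it)
            except StopIteration:
                return examined, deviations, False  # population exhausted before a decision
            examined += 1
            deviations += 1 if item else 0
        if deviations <= allowed:
            return examined, deviations, True  # stop: control accepted at this checkpoint
    return examined, deviations, False  # too many deviations: extend to full attribute sampling


def unstratified_mean_per_unit(sample_values, population_size):
    """Project the sample mean over every unit of the population to estimate the total."""
    return mean(sample_values) * population_size


def stratified_mean_per_unit(strata):
    """strata: list of (units_in_stratum, sample_values_from_that_stratum).
    Each stratum's sample mean is projected over its own units, then summed."""
    return sum(units * mean(values) for units, values in strata)


def difference_estimation(sample_pairs, population_size):
    """sample_pairs: (audited_value, recorded_value) per sampled item. The mean
    audited-minus-recorded difference is projected over the population to
    estimate the total misstatement in the recorded (unaudited) values."""
    diffs = [audited - recorded for audited, recorded in sample_pairs]
    return mean(diffs) * population_size


if __name__ == "__main__":
    # Constructed checkpoint table: after 25 items accept with 0 deviations,
    # after 50 with at most 1, after 75 with at most 2.
    checkpoints = [(25, 0), (50, 1), (75, 2)]
    clean_population = [False] * 25 + [True] + [False] * 49
    print("level of risk at CC 95%:", level_of_risk(0.95))
    print("incidence rate:", attribute_incidence_rate([False, True, False, False, True]))
    print("stop-or-go:", stop_or_go(clean_population, checkpoints))
    print("un-stratified MPU:", unstratified_mean_per_unit([100, 200, 300], 50))
    print("stratified MPU:", stratified_mean_per_unit([(10, [1000, 1200]), (100, [50, 70])]))
    print("difference estimate:",
          difference_estimation([(98, 100), (100, 100), (95, 100), (100, 100)], 1000))
```

The stratified and un-stratified projections differ only in whether the population is split into groups first; with high-value and low-value strata sampled separately, the stratified estimate is not distorted by a few large items landing in the sample, which is why the deck pairs stratification with monetary populations.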
11. Control Self-assessment (CSA)
a. What is CSA?
 An assessment of controls made by the staff and management of the unit or units involved
 A management technique that assures stakeholders, customers and other parties that the internal control system of the organization is reliable
 Ensures that employees are aware of the risk to the business & that they conduct periodic, proactive reviews of controls
b. Objectives of CSA
 To leverage the internal audit function by shifting some of the control monitoring responsibilities to the functional areas
 Not intended to replace audit's responsibilities but to enhance them
c. Benefits of CSA
 Early detection of risk
 More effective and improved internal controls
 Developing a sense of ownership of the controls in the employees and process owners, reducing their resistance to control improvement initiatives
 Increased communication between operational and top management
 Highly motivated employees
d. Disadvantages of CSA
 May be mistaken as an audit function replacement
 May be considered an additional workload
 Failure to act on improvement suggestions could damage employee morale
 Lack of motivation may limit effectiveness in the detection of weak controls
e. Auditor's role in CSA
 The auditor's role in CSAs should be considered enhanced when audit departments establish a CSA program.
 Auditors are internal control professionals & assessment facilitators