ISACA CISA Review Course CHAPTER 1 THE IS AUDIT PROCESS
- Thomasine Ross
ISACA: The recognized global leader in IT governance, control and assurance
CISA Review Course, Chapter 1: The IS Audit Process
Chapter Overview
1. Introduction
   - Organization of the IS audit function
   - IS audit resource management
   - Audit planning
   - Laws and regulations
2. ISACA IS auditing standards and guidelines
3. Risk analysis
4. Internal controls
5. Performing an IS audit
6. Control self-assessment
7. Emerging changes in the IS audit process
8. Case study

Process Area Objective
Ensure that the CISA candidate has the knowledge necessary to provide information systems (IS) audit services in accordance with IS audit standards, guidelines and best practices, to assist the organization in ensuring that its information technology and business systems are protected and controlled.
Process Area Summary
According to the CISA Certification Board, this process area will represent approximately 10% of the CISA examination (approximately 20 questions).

Process Area Tasks
1. Develop and implement a risk-based IS audit strategy for the organization in compliance with IS audit standards, guidelines and best practices.
2. Plan specific audits to ensure that IT and business systems are protected and controlled.
3. Conduct audits in accordance with IS audit standards, guidelines and best practices to meet planned audit objectives.
4. Communicate emerging issues, potential risks and audit results to key stakeholders.
5. Advise on the implementation of risk management and control practices within the organization while maintaining independence.
Process Area Knowledge Statements
1. Knowledge of ISACA IS Auditing Standards, Guidelines and Procedures and the Code of Professional Ethics
2. Knowledge of IS auditing practices and techniques
3. Knowledge of techniques to gather information and preserve evidence
4. Knowledge of the evidence life cycle
5. Knowledge of control objectives and controls related to IS
6. Knowledge of risk assessment in an audit context
7. Knowledge of audit planning and management techniques
8. Knowledge of reporting and communication techniques
9. Knowledge of control self-assessment (CSA)
10. Knowledge of continuous audit techniques
1 INTRODUCTION: Organization of the IS Audit Function
Audit charter (or engagement letter):
- States management's responsibility and objectives for, and delegation of authority to, the IS audit function
- Outlines the overall authority, scope and responsibilities of the audit function
- Approval of the audit charter
- Changes to the audit charter

1 INTRODUCTION: IS Audit Resource Management
- Limited number of IS auditors
- Maintenance of their technical competence
- Assignment of audit staff
1 INTRODUCTION: Audit Planning
Audit planning:
- Short-term planning
- Long-term planning
Things to consider:
- New control issues
- Changing technologies
- Changing business processes
- Enhanced evaluation techniques
Individual audit planning requires an understanding of the overall environment:
- Business practices and functions
- Information systems and technology

1 INTRODUCTION: Audit Planning (continued)
Audit planning steps:
1. Gain an understanding of the business's mission, objectives, purpose and processes.
2. Identify stated contents (policies, standards, guidelines, procedures and organization structure).
3. Evaluate risk assessment and privacy impact analysis.
4. Perform a risk analysis.
5. Conduct an internal control review.
6. Set the audit scope and audit objectives.
7. Develop the audit approach or audit strategy.
8. Assign personnel resources to the audit and address engagement logistics.
1 INTRODUCTION: Effect of Laws and Regulations on IS Audit Planning
Regulatory requirements:
- Establishment
- Organization
- Responsibilities
- Correlation to financial, operational and IT audit functions

1 INTRODUCTION: Effect of Laws and Regulations on IS Audit Planning (continued)
Steps to determine compliance with external requirements:
1. Identify external requirements
2. Document pertinent laws and regulations
3. Assess whether management and the IS function have considered the relevant external requirements
4. Review internal IS department documents that address adherence to applicable laws
5. Determine adherence to established procedures
2 ISACA IS Auditing Standards and Guidelines: ISACA Code of Professional Ethics
The Association's Code of Professional Ethics provides guidance for the professional and personal conduct of members of the Association and/or holders of the CISA and CISM designations.

2 ISACA IS Auditing Standards and Guidelines: Framework for the ISACA IS Auditing Standards
- Standards
- Guidelines
- Procedures
2 ISACA IS Auditing Standards and Guidelines: ISACA IS Auditing Standards
Objectives of the ISACA IS Auditing Standards:
- Inform management and other interested parties of the profession's expectations concerning the work of audit practitioners
- Inform information systems auditors of the minimum level of acceptable performance required to meet the professional responsibilities set out in the ISACA Code of Professional Ethics

2 ISACA IS Auditing Standards and Guidelines: ISACA IS Auditing Standards (continued)
1. Audit charter
2. Independence
3. Ethics and standards
4. Competence
5. Planning
6. Performance of audit work
7. Reporting
8. Follow-up activities
9. Irregularities and illegal acts
10. IT governance
11. Use of risk assessment in audit planning
2 ISACA IS Auditing Standards and Guidelines: ISACA IS Auditing Standards (continued)
Audit charter:
- Purpose, responsibility, authority and accountability
- Approval
Independence:
- Professional independence
- Organizational independence

2 ISACA IS Auditing Standards and Guidelines: ISACA IS Auditing Standards (continued)
Professional ethics and standards:
- Code of Professional Ethics
- Due professional care
Competence:
- Skills and knowledge
- Continuing professional education
2 ISACA IS Auditing Standards and Guidelines: ISACA IS Auditing Standards (continued)
Planning:
- Plan IS audit coverage
- Develop and document a risk-based audit approach
- Develop and document an audit plan
- Develop an audit program and procedures

2 ISACA IS Auditing Standards and Guidelines: ISACA IS Auditing Standards (continued)
Performance of audit work:
- Supervision
- Evidence
- Documentation
2 ISACA IS Auditing Standards and Guidelines: ISACA IS Auditing Standards (continued)
Reporting:
- Identify the organization, intended recipients and any restrictions
- State the scope, objectives, coverage and nature of audit work performed
- State the findings, conclusions, recommendations and limitations
- Justify the results reported
- Be signed, dated and distributed according to the audit charter

2 ISACA IS Auditing Standards and Guidelines: ISACA IS Auditing Standards (continued)
Follow-up activities:
- Review previous conclusions and recommendations
- Review previous relevant findings
- Determine whether appropriate actions have been taken by management in a timely manner
2 ISACA IS Auditing Standards and Guidelines: ISACA IS Auditing Standards (continued)
Irregularities and illegal acts:
- Consider the risk of irregularities and illegal acts
- Maintain an attitude of professional skepticism
- Obtain an understanding of the organization and its environment
- Consider unusual or unexpected relationships
- Test the appropriateness of internal control
- Assess any misstatement

2 ISACA IS Auditing Standards and Guidelines: ISACA IS Auditing Standards (continued)
Irregularities and illegal acts (continued):
- Obtain written representations from management
- Have knowledge of any allegations of irregularities or illegal acts
- Communicate material irregularities or illegal acts
- Consider appropriate action in case of inability to continue performing the audit
- Document irregularity- or illegal act-related communications, planning, results, evaluations and conclusions
2 ISACA IS Auditing Standards and Guidelines: ISACA IS Auditing Standards (continued)
IT governance:
- Review and assess the IS function's alignment with the organization's mission, vision, values, objectives and strategies
- Review the IS function's statement about its performance and assess its achievement
- Review and assess the effectiveness of IS resource and performance management processes

2 ISACA IS Auditing Standards and Guidelines: ISACA IS Auditing Standards (continued)
IT governance (continued):
- Review and assess compliance with legal, environmental, information quality, fiduciary and security requirements
- Use a risk-based approach to evaluate the IS function
- Review and assess the organization's control environment
- Review and assess the risks that may adversely affect the IS environment
2 ISACA IS Auditing Standards and Guidelines: ISACA IS Auditing Standards (continued)
Use of risk assessment in audit planning:
- Use a risk assessment technique in developing the overall IS audit plan
- Identify and assess relevant risks in planning individual reviews

2 ISACA IS Auditing Standards and Guidelines: ISACA IS Auditing Guidelines
- G1 - Using the Work of Other Auditors, effective 1 June 1998
- G2 - Audit Evidence Requirement, effective 1 December 1998
- G3 - Use of Computer Assisted Audit Techniques (CAATs), effective 1 December 1998
- G4 - Outsourcing of IS Activities to Other Organizations, effective 1 September 1999
- G5 - Audit Charter, effective 1 September 1999
- G6 - Materiality Concepts for Auditing Information Systems, effective 1 September 1999
- G7 - Due Professional Care, effective 1 September 1999
- G8 - Audit Documentation, effective 1 September 1999
- G9 - Audit Considerations for Irregularities, effective 1 March 2000
- G10 - Audit Sampling, effective 1 March
2 ISACA IS Auditing Standards and Guidelines: ISACA IS Auditing Guidelines (continued)
- G11 - Effect of Pervasive IS Controls, effective 1 March 2000
- G12 - Organizational Relationship and Independence, effective September 2000
- G13 - Use of Risk Assessment in Audit Planning, effective 1 September 2000
- G14 - Application Systems Review, effective 1 November 2001
- G15 - Planning Revised, effective 1 March 2002
- G16 - Effect of Third Parties on an Organization's IT Controls, effective 1 March 2002
- G17 - Effect of Non-audit Role on the IS Auditor's Independence, effective 1 July 2002
- G18 - IT Governance, effective 1 July 2002
- G19 - Irregularities and Illegal Acts, effective 1 July

2 ISACA IS Auditing Standards and Guidelines: ISACA IS Auditing Guidelines (continued)
- G20 - Reporting, effective 1 January 2003
- G21 - Enterprise Resource Planning (ERP) Systems Review, effective 1 August 2003
- G22 - Business-to-consumer (B2C) E-commerce Review, effective 1 August 2003
- G23 - System Development Life Cycle (SDLC) Review, effective 1 August 2003
- G24 - Internet Banking, effective 1 August 2003
- G25 - Review of Virtual Private Networks, effective 1 July 2004
- G26 - Business Process Reengineering (BPR) Project Reviews, effective 1 July 2004
- G27 - Mobile Computing, effective 1 September
2 ISACA IS Auditing Standards and Guidelines: ISACA IS Auditing Guidelines (continued)
- G28 - Computer Forensics, effective 1 September 2004
- G29 - Post-implementation Review, effective 1 January 2005
- G30 - Competence, effective 1 June 2005
- G31 - Privacy, effective 1 June 2005
- G32 - Business Continuity Plan (BCP) Review From IT Perspective, effective 1 September 2005
- G33 - General Considerations on the Use of the Internet, effective 1 March 2006
- G34 - Responsibility, Authority and Accountability, effective 1 March 2006
- G35 - Follow-up Activities, effective 1 March

2 ISACA IS Auditing Standards and Guidelines: ISACA IS Auditing Procedures
Procedures developed by the ISACA Standards Board provide examples of possible processes an IS auditor might follow in an audit engagement. The IS auditor should apply their own professional judgment to the specific circumstances.
2 ISACA IS Auditing Standards and Guidelines: ISACA IS Auditing Procedures (continued)
- P1 - IS Risk Assessment, effective 1 July 2002
- P2 - Digital Signatures, effective 1 July 2002
- P3 - Intrusion Detection, effective 1 August 2003
- P4 - Viruses and Other Malicious Code, effective 1 August 2003
- P5 - Control Risk Self-assessment, effective 1 August 2003
- P6 - Firewalls, effective 1 August 2003
- P7 - Irregularities and Illegal Acts, effective 1 November 2003
- P8 - Security Assessment: Penetration Testing and Vulnerability Analysis, effective 1 September 2004
- P9 - Evaluation of Management Controls Over Encryption Methodologies, effective 1 January

2 ISACA IS Auditing Standards and Guidelines: Relationship Among Standards, Guidelines and Procedures
- Standards: must be followed by IS auditors
- Guidelines: provide assistance on how to implement the standards
- Procedures: provide examples for implementing the standards
3 Risk Analysis: Definition of Risk
The potential that a given threat will exploit vulnerabilities of an asset or group of assets to cause loss or damage to the assets. The impact or relative severity of the risk is proportional to the business value of the loss/damage and to the estimated frequency of the threat.

3 Risk Analysis: Elements of Risk
- Threats to, and vulnerabilities of, processes and/or assets (including both physical and information assets)
- Impact on assets based on threats and vulnerabilities
- Probabilities of threats (combination of the likelihood and frequency of occurrence)
3 Risk Analysis: Risk and Audit Planning
Risk analysis is part of audit planning; it helps identify risks and vulnerabilities so the auditor can determine the controls needed to mitigate those risks.

3 Risk Analysis: Risk Management Process
- Risk assessment
- Risk mitigation
- Risk reevaluation
4 Internal Controls
Policies, procedures, practices and organizational structures implemented to reduce risks.
Classification of internal controls:
- Preventive controls
- Detective controls
- Corrective controls

4 Internal Controls: Internal Control Objectives
Internal control system:
- Internal accounting controls
- Operational controls
- Administrative controls
4 Internal Controls: Internal Control Objectives (continued)
Internal control objectives:
- Safeguarding of IT assets
- Compliance with corporate policies or legal requirements
- Input authorization
- Accuracy and completeness of processing of data input/transactions
- Output
- Reliability of process
- Backup/recovery
- Efficiency and economy of operations
- Change management process for IT and related systems

4 Internal Controls: IS Control Objectives
Internal control objectives apply to all areas, whether manual or automated. Therefore, conceptually, control objectives in an IS environment remain unchanged from those of a manual environment.
4 Internal Controls: IS Control Objectives (continued)
- Safeguarding assets
- Assuring the integrity of general operating system environments
- Assuring the integrity of sensitive and critical application system environments through:
  - Authorization of the input
  - Accuracy and completeness of processing of transactions
  - Reliability of overall information processing activities
  - Accuracy, completeness and security of the output
  - Database integrity

4 Internal Controls: IS Control Objectives (continued)
- Ensuring the efficiency and effectiveness of operations
- Complying with requirements, policies and procedures, and applicable laws
- Developing business continuity and disaster recovery plans
- Developing an incident response plan
4 Internal Controls: COBIT
A framework with 34 high-level control objectives in four domains:
- Planning and organization
- Acquisition and implementation
- Delivery and support
- Monitoring and evaluation
Draws on 36 major IT-related standards and regulations.

4 Internal Controls: General Control Procedures
Apply to all areas of an organization and include policies and practices established by management to provide reasonable assurance that specific objectives will be achieved.
4 Internal Controls: General Control Procedures (continued)
- Internal accounting controls directed at accounting operations
- Operational controls concerned with the day-to-day operations
- Administrative controls concerned with operational efficiency and adherence to management policies
- Organizational logical security policies and procedures
- Overall policies for the design and use of documents and records
- Procedures and features to ensure authorized access to assets
- Physical security policies for all data centers

4 Internal Controls: IS Control Procedures
- Strategy and direction
- General organization and management
- Access to data and programs
- Systems development methodologies and change control
- Data processing operations
- Systems programming and technical support functions
- Data processing quality assurance procedures
- Physical access controls
- Business continuity/disaster recovery planning
- Networks and communications
- Database administration
5 Performing an IS Audit: Definition of Auditing
Systematic process by which a competent, independent person objectively obtains and evaluates evidence regarding assertions about an economic entity or event, for the purpose of forming an opinion about and reporting on the degree to which the assertion conforms to an identified set of standards.

Definition of IS auditing:
Any audit that encompasses review and evaluation (wholly or partly) of automated information processing systems, related non-automated processes and the interfaces between them.

5 Performing an IS Audit: Classification of Audits
- Financial audits
- Operational audits
- Integrated audits
- Administrative audits
- Information systems audits
- Specialized audits
- Forensic audits
5 Performing an IS Audit: Audit Programs
Based on the scope and the objective of the particular assignment.
IS auditor's perspectives:
- Security (confidentiality, integrity and availability)
- Quality (effectiveness, efficiency)
- Fiduciary (compliance, reliability)
- Service and capacity

5 Performing an IS Audit: Audit Programs (continued)
General audit procedures:
1. Understanding of the audit area/subject
2. Risk assessment and general audit plan
3. Detailed audit planning
4. Preliminary review of the audit area/subject
5. Evaluating the audit area/subject
6. Compliance testing
7. Substantive testing
8. Reporting (communicating results)
9. Follow-up
5 Performing an IS Audit: Audit Programs (continued)
Procedures for testing and evaluating IS controls:
- Use of generalized audit software to survey the contents of data files
- Use of specialized software to assess the contents of operating system parameter files
- Flow-charting techniques for documenting automated applications and business processes
- Use of audit reports available in operating systems
- Documentation review
- Observation

5 Performing an IS Audit: Audit Methodology
A set of documented audit procedures designed to achieve planned audit objectives.
Composed of:
- Statement of scope
- Statement of audit objectives
- Statement of work programs
Set up and approved by audit management, and communicated to all audit staff.
5 Performing an IS Audit: Audit Methodology (continued)
Typical audit phases:
1. Audit subject: identify the area to be audited
2. Audit objective: identify the purpose of the audit
3. Audit scope: identify the specific systems, function or unit of the organization

5 Performing an IS Audit: Audit Methodology (continued)
Typical audit phases (continued):
4. Pre-audit planning
   - Identify technical skills and resources needed
   - Identify the sources of information for test or review
   - Identify locations or facilities to be audited
5 Performing an IS Audit: Audit Methodology (continued)
Typical audit phases (continued):
5. Audit procedures and steps for data gathering
   - Identify and select the audit approach
   - Identify a list of individuals to interview
   - Identify and obtain departmental policies, standards and guidelines
   - Develop audit tools and methodology

5 Performing an IS Audit: Audit Methodology (continued)
Typical audit phases (continued):
6. Procedures for evaluating test/review results
7. Procedures for communication
8. Audit report preparation
Further procedures to identify:
- Follow-up review procedures
- Procedures to evaluate/test operational efficiency and effectiveness
- Procedures to test controls
- Review and evaluation of the soundness of documents, policies and procedures
5 Performing an IS Audit: Audit Methodology (continued)
What is documented in workpapers (WPs)?
- Audit plans
- Audit programs
- Audit activities
- Audit tests
- Audit findings and incidents

5 Performing an IS Audit: Audit Methodology (continued)
Workpapers do not have to be on paper. Workpapers must be:
- Dated
- Initialed
- Page-numbered
- Relevant
- Complete
- Clear
- Self-contained and properly labeled
- Filed and kept in custody
5 Performing an IS Audit: Fraud Detection
- Management's responsibility
- Benefits of a well-designed internal control system:
  - Deterring fraud at the first instance
  - Detecting fraud in a timely manner
- Fraud detection and disclosure
- Auditor's role in fraud prevention and detection

5 Performing an IS Audit: Audit Risk and Materiality
Audit risk is the risk that the information/financial report may contain material error that goes undetected during the audit. A risk-based audit approach is used to assess risk and assist with an IS auditor's decision to perform either compliance or substantive testing.
5 Performing an IS Audit: Audit Risk and Materiality (continued)
Audit risk categories:
- Inherent risk
- Control risk
- Detection risk
- Overall audit risk

5 Performing an IS Audit: Audit Risk and Materiality (continued)
Risk-based approach overview:
1. Gather information and plan
2. Obtain an understanding of internal control
3. Perform compliance tests
4. Perform substantive tests
5. Conclude the audit
5 Performing an IS Audit: Audit Risk and Materiality (continued)
Materiality: an auditing concept regarding the importance of an item of information with regard to its impact or effect on the functioning of the entity being audited.

5 Performing an IS Audit: Risk Assessment Techniques
Risk assessment techniques:
- Enable management to effectively allocate limited audit resources
- Ensure that relevant information has been obtained
- Establish a basis for effectively managing the audit department
- Provide a summary of how the individual audit subject is related to the overall organization and to business plans
5 Performing an IS Audit: Audit Objectives
Audit objectives (specific goals of the audit):
- Compliance with legal and regulatory requirements
- Confidentiality
- Integrity
- Reliability
- Availability

5 Performing an IS Audit: Compliance vs. Substantive Testing
- Compliance test: determines whether controls are in compliance with management policies and procedures
- Substantive test: tests the integrity of actual processing
- Correlation between the level of internal controls and the substantive testing required
- Relationship between compliance and substantive tests
5 Performing an IS Audit: Evidence
It is a requirement that the auditor's conclusions be based on sufficient, competent evidence. Its reliability depends on:
- Independence of the provider of the evidence
- Qualification of the individual providing the information or evidence
- Objectivity of the evidence
- Timing of the evidence

5 Performing an IS Audit: Evidence (continued)
Techniques for gathering evidence:
- Review IS organization structures
- Review IS policies and procedures
- Review IS standards
- Review IS documentation
- Interview appropriate personnel
- Observe processes and employee performance
5 Performing an IS Audit: Interviewing and Observing Personnel in Action
- Actual functions
- Actual processes/procedures
- Security awareness
- Reporting relationships

5 Performing an IS Audit: Sampling
General approaches to audit sampling:
- Statistical sampling
- Non-statistical sampling
Methods of sampling used by auditors:
- Attribute sampling
- Variable sampling
5 Performing an IS Audit: Sampling (continued)
Attribute sampling:
- Stop-or-go sampling
- Discovery sampling
Variable sampling:
- Stratified mean per unit
- Unstratified mean per unit
- Difference estimation

5 Performing an IS Audit: Sampling (continued)
Statistical sampling terms:
- Confidence coefficient
- Level of risk
- Precision
- Expected error rate
- Sample mean
- Sample standard deviation
- Tolerable error rate
- Population standard deviation
5 Performing an IS Audit: Sampling (continued)
Key steps in choosing a sample:
1. Determine the objectives of the test
2. Define the population to be sampled
3. Determine the sampling method, such as attribute versus variable sampling
4. Calculate the sample size
5. Select the sample
6. Evaluate the sample from an audit perspective

5 Performing an IS Audit: Using the Services of Other Auditors and Experts
Considerations when using the services of other auditors and experts:
- Restrictions on outsourcing of audit/security services imposed by laws and regulations
- Audit charter or contractual stipulations
- Impact on overall and specific IS audit objectives
- Impact on IS audit risk and professional liability
- Independence and objectivity of other auditors and experts
- Professional competence, qualifications and experience
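The sample-size, selection and evaluation steps listed above, worked through for attribute sampling as an added example (this code is not part of the ISACA course material). It assumes the level of risk is one minus the confidence coefficient and uses an exact binomial calculation instead of published sampling tables; the population of control instances is constructed inline.

```python
import math
import random
from typing import List, Sequence


def binomial_cdf(k: int, n: int, p: float) -> float:
    """P(X <= k) for X ~ Binomial(n, p), computed exactly (no scipy needed)."""
    return sum(math.comb(n, i) * p ** i * (1 - p) ** (n - i) for i in range(k + 1))


def attribute_sample_size(tolerable_rate: float, confidence: float,
                          expected_deviations: int = 0) -> int:
    """Step 4: smallest n such that, if the population deviation rate equalled the
    tolerable rate, the chance of observing no more than `expected_deviations`
    is at most (1 - confidence), i.e. at most the accepted level of risk."""
    risk = 1.0 - confidence
    n = expected_deviations + 1
    while binomial_cdf(expected_deviations, n, tolerable_rate) > risk:
        n += 1
    return n


def upper_deviation_limit(n: int, observed_deviations: int, confidence: float,
                          tol: float = 1e-6) -> float:
    """Achieved upper deviation limit: the largest population deviation rate still
    consistent with the observed result at the given confidence.  Bisection on p
    works because binomial_cdf decreases monotonically as p grows."""
    risk = 1.0 - confidence
    lo, hi = 0.0, 1.0
    while hi - lo > tol:
        mid = (lo + hi) / 2
        if binomial_cdf(observed_deviations, n, mid) > risk:
            lo = mid  # a rate this high is still plausible; keep searching upward
        else:
            hi = mid
    return hi


def select_sample(population: Sequence[str], n: int, seed: int) -> List[str]:
    """Step 5: random selection without replacement.  The seed is recorded in the
    workpapers so the selection can be reproduced by a reviewer."""
    return random.Random(seed).sample(list(population), n)


def evaluate_sample(n: int, observed_deviations: int, tolerable_rate: float,
                    confidence: float) -> dict:
    """Step 6: reliance on the control is supported only when the achieved upper
    deviation limit does not exceed the tolerable error rate."""
    limit = upper_deviation_limit(n, observed_deviations, confidence)
    return {
        "sample_size": n,
        "observed_deviations": observed_deviations,
        "sample_deviation_rate": observed_deviations / n,
        "upper_deviation_limit": limit,
        "reliance_supported": limit <= tolerable_rate,
    }


if __name__ == "__main__":
    # Constructed population: 1,200 change tickets to be tested for an approval
    # signature (a hypothetical control, not one from the course).
    population = [f"CHG-{i:04d}" for i in range(1, 1201)]
    n = attribute_sample_size(tolerable_rate=0.05, confidence=0.95)
    sample = select_sample(population, n, seed=20240101)
    # Pretend the review found no missing approvals in the selected tickets.
    print(n, sample[:3], evaluate_sample(n, 0, 0.05, 0.95))
```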
5 Performing an IS Audit: Using the Services of Other Auditors and Experts (continued)
Considerations when using the services of other auditors and experts (continued):
- Scope of work proposed to be outsourced, and approach
- Supervisory and audit management controls
- Method and modalities of communication of the results of audit work
- Compliance with legal and regulatory stipulations
- Compliance with applicable professional standards

5 Performing an IS Audit: Computer-assisted Audit Techniques
CAATs enable IS auditors to gather information independently. CAATs include:
- Generalized audit software (GAS)
- Utility software
- Test data
- Application software for continuous online audits
- Audit expert systems
5 Performing an IS Audit: Computer-assisted Audit Techniques (continued)
Need for CAATs:
- Evidence collection
- Functional capabilities
- Functions supported
- Areas of concern

5 Performing an IS Audit: Computer-assisted Audit Techniques (continued)
Examples of CAATs used to collect evidence:
- Generalized audit software: ACL, IDEA, etc.
- Utility software: SQL commands
5 Performing an IS Audit: Computer-assisted Audit Techniques (continued)
- CAATs as a continuous online approach
- Advantages of CAATs
- Cost/benefits of CAATs

5 Performing an IS Audit: Computer-assisted Audit Techniques (continued)
Development of CAATs:
- Documentation retention
- Access to production data
- Data manipulation
5 Performing an IS Audit: Evaluation of Audit Strengths and Weaknesses
- Assess evidence
- Evaluate the overall control structure
- Evaluate control procedures
- Assess control strengths and weaknesses

5 Performing an IS Audit: Evaluation of Audit Strengths and Weaknesses (continued)
Judging materiality of findings:
- Materiality is a key issue
- Assessment requires judgment of the potential effect of the finding if corrective action is not taken
5 Performing an IS Audit: Communicating Audit Results
Exit interview:
- Correct facts
- Realistic recommendations
- Implementation dates for agreed recommendations
Presentation techniques:
- Executive summary
- Visual presentation

5 Performing an IS Audit: Communicating Audit Results (continued)
Audit report structure and contents:
- An introduction to the report
- The IS auditor's overall conclusion and opinion
- The IS auditor's reservations with respect to the audit
- Detailed audit findings and recommendations
- A variety of findings
- Limitations to the audit
- Statement on the IS audit guidelines followed
5 Performing an IS Audit: Management Implementation of Recommendations
- Auditing is an ongoing process
- Timing of follow-up

5 Performing an IS Audit: Audit Documentation
- Contents of audit documentation
- Custody of audit documentation
- Support of findings and conclusions
5 Performing an IS Audit: Audit Documentation (continued)
Documentation should include, at a minimum, a record of the:
- Planning and preparation of the audit scope and objectives
- Description and/or walkthroughs of the scoped audit area
- Audit program
- Audit steps performed and audit evidence gathered
- Use of services of other auditors and experts
- Audit findings, conclusions and recommendations

5 Performing an IS Audit: Audit Documentation (continued)
Constraints on the conduct of the audit:
- Availability of audit staff
- Auditee constraints
Project management techniques:
- Develop a detailed plan
- Report project activity against the plan
- Adjust the plan
- Take corrective action
Chapter 1 Questions
1. In performing a risk-based audit, which risk assessment is completed initially by the IS auditor?
   A. Detection risk assessment
   B. Control risk assessment
   C. Inherent risk assessment
   D. Fraud risk assessment

2. Which of the following types of risk assumes an absence of compensating controls in the area being reviewed?
   A. Control risk
   B. Detection risk
   C. Inherent risk
   D. Sampling risk
3. While developing a risk-based audit program, which of the following would the IS auditor MOST likely focus on?
   A. Business processes
   B. Critical IT applications
   C. Operational controls
   D. Business strategies

4. The GREATEST drawback in using an integrated test facility is the need to:
   A. Isolate test data from production data
   B. Notify user personnel so they can make adjustments to output
   C. Segregate specific master file records
   D. Collect transaction and master file records in a separate file
5. To meet predefined criteria, which of the following continuous audit techniques would BEST identify transactions to audit?
   A. Systems Control Audit Review File and Embedded Audit Modules (SCARF/EAM)
   B. Continuous and intermittent simulation (CIS)
   C. Integrated test facilities (ITF)
   D. Audit hooks

6. Which of the following BEST describes the early stages of an IS audit?
   A. Observing key organizational facilities
   B. Assessing the IS environment
   C. Understanding the business process and environment applicable to the review
   D. Reviewing prior IS audit reports
7. An IS auditor is conducting substantive audit tests of a new accounts receivable module. The IS auditor has a tight schedule and limited computer expertise. Which would be the BEST audit technique to use in this situation?
   A. Test data
   B. Parallel simulation
   C. Integrated test facility
   D. Embedded audit module

8. The PRIMARY use of generalized audit software (GAS) is to:
   A. Test controls embedded in programs
   B. Test unauthorized access to data
   C. Extract data of relevance to the audit
   D. Reduce the need for transaction vouching
9. An IS auditor performing a review of an application's controls finds a weakness in system software that could materially impact the application. The IS auditor should:
   A. Disregard these control weaknesses, as a system software review is beyond the scope of this review
   B. Conduct a detailed system software review and report the control weaknesses
   C. Include in the report a statement that the audit was limited to a review of the application's controls
   D. Review the system software controls as relevant and recommend a detailed system software review

6 Control Self-Assessment
- A management technique
- A methodology
- In practice, a series of tools
6 Control Self-Assessment: Implementation of CSA
- Facilitated workshops
- Hybrid approach

6 Control Self-Assessment: Benefits of CSA
- Early detection of risks
- More effective and improved internal controls
- Creation of cohesive teams through employee involvement
- Increased employee awareness of organizational objectives and knowledge of risk and internal controls
- Increased communication between operational and top management
- Highly motivated employees
53 6 Control Self-Assessment Benefits of CSA (continued) Improved audit rating process Reduction in control cost Assurance provided to stakeholders and customers Necessary assurance given to top management about the adequacy of internal controls, as required by the various regulatory agencies and laws such as the US Sarbanes-Oxley Act Control Self-Assessment Disadvantages of CSA It could be mistaken as an audit function replacement It may be regarded as an additional workload (e.g., one more report to be submitted to management) Failure to act on improvement suggestions could damage employee morale Lack of motivation may limit effectiveness in the detection of weak controls
54 6 Control Self-Assessment Objectives of CSA Enhancement of audit responsibilities (not a replacement) Education for line management in control responsibility and monitoring Empowerment of workers to assess the control environment Control Self-Assessment Auditor Role in CSA When these programs are established, auditors become Internal control professionals Assessment facilitators The auditors are facilitators The management client is the participant in the CSA process
55 6 Control Self-Assessment Technology Drivers for CSA Some technology drivers include Combination of hardware and software to support CSA selection Use of an electronic meeting system Computer-supported decision aids to facilitate group decision making Group decision making is an essential component of a workshop-based CSA where employee empowerment is a goal Control Self-Assessment Traditional vs. CSA Approach Traditional Approach Any approach in which the primary responsibility for analyzing and reporting on internal control and risk is assigned to auditors and, to a lesser extent, controller departments and outside consultants. CSA Approach Emphasizes management and accountability over developing and monitoring internal controls of an organization s sensitive and critical business processes
6 Control Self-Assessment
Chapter 1 Questions (continued)

10. Which of the following is MOST effective for implementing a control self-assessment (CSA) within business units?
A. Informal peer reviews
B. Facilitated workshops
C. Process flow narratives
D. Data flow diagrams

7 Emerging changes in the IS audit process
Automated work papers
  Risk analysis
  Audit programs
  Results
  Test evidence, conclusions
  Reports and other complementary information

Controls over automated work papers
  Access to work papers
  Audit trails
  Approvals of audit phases
  Security and integrity controls
  Backup and restoration
  Encryption for confidentiality

Integrated Auditing
  Process whereby appropriate audit disciplines are combined to assess key internal controls over an operation, process or entity
  Focuses on risk to the organization (for an internal auditor)
  Focuses on the risk of providing an incorrect or misleading audit opinion (for an external auditor)

Integrated Auditing: Typical Process
  Identification of relevant key controls
  Review and understanding of the design of key controls
  Testing that key controls are supported by the IT system
  Testing that management controls operate effectively
  A combined report or opinion on control risks, design and weaknesses

Continuous Auditing
  A methodology that enables independent auditors to provide written assurance on a subject matter using a series of auditors' reports issued simultaneously with, or a short period of time after, the occurrence of the events underlying the subject matter
  Distinctive character: short time lapse between the facts to be audited and the collection of evidence and audit reporting

Continuous Auditing: Drivers
  Better monitoring of financial issues
  Allowing real-time transactions to benefit from real-time monitoring
  Preventing financial fiascoes and audit scandals
  Using software to determine proper financial controls

Continuous Auditing vs. Continuous Monitoring
  Continuous monitoring: management-driven; based on automated procedures to meet fiduciary responsibilities
  Continuous auditing: audit-driven; done using automated audit procedures
7 Emerging changes in the IS audit process
Continuous Auditing: Enablers
  New information technology developments
  Increased processing capabilities
  Standards
  Artificial intelligence tools

Continuous Auditing: IT techniques in a continuous auditing environment
  Transaction logging
  Query tools
  Statistics and data analysis (CAAT)
  Database management systems (DBMS)
  Data warehouses, data marts, data mining
  Artificial intelligence (AI)
  Embedded audit modules (EAM)
  Neural network technology
  Standards such as Extensible Business Reporting Language (XBRL)

Continuous Auditing: Prerequisites
  A high degree of automation
  An automated and reliable information-producing process
  Alarm triggers to report control failures
  Implementation of automated audit tools
  Quickly informing IS auditors of anomalies/errors
  Timely issuance of automated audit reports
  Technically proficient IS auditors
  Availability of reliable sources of evidence
  Adherence to materiality guidelines
  Change of IS auditors' mind-set
  Evaluation of cost factors

Continuous Auditing: Advantages
  Instant capture of internal control problems
  Reduction of intrinsic audit inefficiencies

Continuous Auditing: Disadvantages
  Difficulty in implementation
  High cost
  Elimination of auditors' personal judgment and evaluation
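The following is an added example, not part of the ISACA course material, of the kind of SCARF/EAM-style screening that question 5 and the continuous auditing slides above describe: predefined selection criteria are applied to every transaction as it is logged, transactions that meet a criterion are written to an audit exception file for later review, and criteria that represent control failures raise an alarm trigger so the IS auditor is informed promptly. The transaction log, its field layout, the materiality and single-approver thresholds, and the business hours are all constructed assumptions for the illustration.

```python
"""Continuous-audit transaction screening in the style of SCARF/EAM.

Added example (not ISACA course code). Every transaction passes through
predefined selection criteria as it is logged; transactions that meet a
criterion go to an audit exception file, and criteria that represent control
failures (not merely items of audit interest) raise an alarm so the IS auditor
is informed promptly. Thresholds, hours and the log layout are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, time

# Assumed audit parameters; in practice these come from the audit plan.
MATERIALITY = 10_000.00          # transactions at or above this are always selected
APPROVAL_LIMIT = 5_000.00        # assumed single-approver limit used by the business
BUSINESS_HOURS = (time(8, 0), time(18, 0))


@dataclass(frozen=True)
class Transaction:
    txn_id: str
    entered_by: str
    approved_by: str
    amount: float
    posted_at: datetime
    account: str


# Constructed sample transaction log (pipe-delimited), not real data:
# txn_id|entered_by|approved_by|amount|posted_at|account
SAMPLE_LOG = """\
T001|alice|bob|1200.00|2024-03-04T10:15:00|AR-100
T002|alice|alice|9800.00|2024-03-04T11:02:00|AR-101
T003|carol|bob|25000.00|2024-03-04T23:40:00|AR-102
T004|dave|erin|500.00|2024-03-05T09:00:00|AR-100
T005|carol|bob|4999.99|2024-03-05T09:30:00|AR-103
T006|carol|bob|4999.99|2024-03-05T09:31:00|AR-103
"""


def parse_log(text):
    """Parse the pipe-delimited log into Transaction records."""
    txns = []
    for line in text.splitlines():
        if not line.strip():
            continue
        tid, entered, approved, amount, ts, acct = line.split("|")
        txns.append(Transaction(tid, entered, approved, float(amount),
                                datetime.fromisoformat(ts), acct))
    return txns


def single_record_criteria(txn):
    """Criteria evaluated on one transaction.

    Returns (criterion_name, is_control_failure) pairs. A control failure is
    something the control should never let through (here: the same person
    entering and approving); the other criteria only mark the transaction
    for audit attention.
    """
    hits = []
    if txn.entered_by == txn.approved_by:
        hits.append(("SOD_SAME_ENTER_APPROVE", True))
    if txn.amount >= MATERIALITY:
        hits.append(("MATERIAL_AMOUNT", False))
    posted = txn.posted_at.time()
    if not BUSINESS_HOURS[0] <= posted <= BUSINESS_HOURS[1]:
        hits.append(("OUTSIDE_BUSINESS_HOURS", False))
    return hits


def split_transactions(txns, window_minutes=60):
    """Criterion that spans records: postings by the same user to the same
    account, each just below the approval limit, within a short window.
    Splitting one amount into several to stay under a limit is a classic
    way to evade an approval control."""
    flagged = set()
    near_limit = sorted(
        (t for t in txns if APPROVAL_LIMIT * 0.9 <= t.amount < APPROVAL_LIMIT),
        key=lambda t: t.posted_at,
    )
    for i, first in enumerate(near_limit):
        for later in near_limit[i + 1:]:
            if (later.posted_at - first.posted_at).total_seconds() > window_minutes * 60:
                break  # sorted by time, so nothing further can be inside the window
            if first.entered_by == later.entered_by and first.account == later.account:
                flagged.update({first.txn_id, later.txn_id})
    return flagged


def audit_screen(txns):
    """Run all criteria; return (exception_file, alarms).

    exception_file maps txn_id -> list of criteria met (the SCARF file the
    auditor reviews later); alarms lists transaction ids whose criteria
    include a control failure (the alarm trigger).
    """
    exception_file = {}
    alarms = []
    for t in txns:
        hits = single_record_criteria(t)
        if hits:
            exception_file[t.txn_id] = [name for name, _ in hits]
            if any(failed for _, failed in hits):
                alarms.append(t.txn_id)
    for tid in sorted(split_transactions(txns)):
        exception_file.setdefault(tid, []).append("SPLIT_BELOW_APPROVAL_LIMIT")
    return exception_file, alarms


if __name__ == "__main__":
    exceptions, alarms = audit_screen(parse_log(SAMPLE_LOG))
    for tid, criteria in exceptions.items():
        print(tid, ", ".join(criteria))
    print("alarms:", alarms)
```

On the constructed log, T002 raises the alarm (entered and approved by the same user), T003 is selected for its material amount and out-of-hours posting, and T005/T006 are selected as a possible split of one amount to stay under the approval limit; T001 and T004 pass untouched. In a real deployment the criteria live inside the application (the embedded module) rather than in a separate script, and the exception file is written somewhere the application's own users cannot alter.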
8 Chapter 1 Case Study
Scenario
The IS auditor has been asked to perform preliminary work that will assess the readiness of the organization for a review to measure compliance with new regulatory requirements. These requirements are designed to ensure that management is taking an active role in setting up and maintaining a well-controlled environment and, accordingly, will assess management's review and testing of the general IT control environment. Areas to be assessed include logical and physical security, change management, production control and network management, IT governance, and end-user computing. The IS auditor has been given six months to perform this preliminary work, so sufficient time should be available.

It should be noted that in previous years, repeated problems have been identified in the areas of logical security and change management, so these areas will most likely require some degree of remediation. Logical security deficiencies noted included the sharing of administrator accounts and failure to enforce adequate controls over passwords. Change management deficiencies included improper segregation of incompatible duties and failure to document all changes. Additionally, the process for deploying operating system updates to servers was found to be only partially effective.

In anticipation of the work to be performed by the IS auditor, the chief information officer (CIO) requested direct reports to develop narratives and process flows describing the major activities for which IT is responsible. These were completed, approved by the various process owners and the CIO, and then forwarded to the IS auditor for examination.

Case Study Questions
1. What should the IS auditor do FIRST?
A. Perform an IT risk assessment
B. Perform a survey audit of logical access controls
C. Revise the audit plan to focus on risk-based auditing
D. Begin testing controls that the IS auditor feels are most critical

2. When testing program change management, how should the sample be selected?
A. Change management documents should be selected at random and examined for appropriateness
B. Changes to production code should be sampled and traced to appropriate authorizing documentation
C. Change management documents should be selected based on system criticality and examined for appropriateness
D. Changes to production code should be sampled and traced back to system-produced logs indicating the date and time of the change
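As an added illustration of case study question 2, not part of the course material: a small script that samples production changes and traces each back to its authorizing change record, checks segregation of duties between the developer who wrote a change and the person who deployed it, and also performs the opposite trace from change tickets to production. The deployment log, the ticket records, their field layouts and the status values are constructed assumptions. Running both directions shows why the direction of the trace matters: a change deployed with no change reference at all (the scenario's "failure to document all changes") can only be found by starting from the population of production changes, because a sample drawn from the change documents never contains it.

```python
"""Change-management sampling test: trace production changes to authorization.

Added example (not ISACA course code). Two constructed populations: the
production deployment log (what actually changed) and the change tickets
(what was authorized). Field layouts, names and status values are assumptions.
"""
from dataclasses import dataclass
import random


@dataclass(frozen=True)
class Deployment:
    change_ref: str    # "-" means the deployment carried no change reference
    commit: str
    developer: str     # who wrote the change
    deployer: str      # who moved it into production
    deployed_on: str
    system: str


@dataclass(frozen=True)
class Ticket:
    change_id: str
    requester: str
    approver: str
    status: str


# Constructed production deployment log: change_ref|commit|developer|deployer|date|system
DEPLOY_LOG = """\
CHG-101|a1f3c9|alice|ops1|2024-02-01|AR
CHG-102|b7e2d4|bob|ops2|2024-02-03|AR
-|c0ffee|carol|carol|2024-02-04|AR
CHG-103|d3ad01|dave|ops1|2024-02-10|GL
CHG-105|e5e5e5|erin|erin|2024-02-12|AR
CHG-104|f00d00|frank|ops2|2024-02-15|GL
"""

# Constructed change-management records: change_id|requester|approver|status
TICKETS = """\
CHG-101|alice|mgr1|approved
CHG-102|bob|mgr1|approved
CHG-104|frank|mgr2|pending
CHG-105|erin|erin|approved
CHG-106|grace|mgr2|approved
"""


def parse_deployments(text):
    return [Deployment(*line.split("|")) for line in text.splitlines() if line.strip()]


def parse_tickets(text):
    tickets = (Ticket(*line.split("|")) for line in text.splitlines() if line.strip())
    return {t.change_id: t for t in tickets}


def select_sample(population, size, seed=42):
    """Random sample without replacement. The seed is recorded in the work
    papers so a reviewer can reproduce exactly which items were selected."""
    return random.Random(seed).sample(population, min(size, len(population)))


def trace_deployment(dep, tickets):
    """Trace one production change back to its authorizing record and
    return the list of findings (empty when the change is clean)."""
    findings = []
    if dep.change_ref == "-":
        findings.append("UNDOCUMENTED_CHANGE")
    else:
        ticket = tickets.get(dep.change_ref)
        if ticket is None:
            findings.append("NO_AUTHORIZING_RECORD")
        else:
            if ticket.status != "approved":
                findings.append("NOT_APPROVED")
            if ticket.requester == ticket.approver:
                findings.append("SELF_APPROVED")
    if dep.developer == dep.deployer:
        findings.append("SOD_DEVELOPER_DEPLOYED")
    return findings


def trace_production_to_tickets(deployments, tickets):
    """Direction 1: start from production changes (the complete population of
    what actually changed) and trace each to its authorization.
    This is the direction that surfaces undocumented changes."""
    results = {}
    for dep in deployments:
        findings = trace_deployment(dep, tickets)
        if findings:
            results[dep.commit] = findings
    return results


def trace_tickets_to_production(tickets, deployments):
    """Direction 2: start from the change documents and look for deployments.
    Finds approved changes that never went live, but is blind to production
    changes that carry no ticket at all."""
    deployed_refs = {dep.change_ref for dep in deployments}
    return sorted(cid for cid in tickets if cid not in deployed_refs)


if __name__ == "__main__":
    deployments = parse_deployments(DEPLOY_LOG)
    tickets = parse_tickets(TICKETS)
    for dep in select_sample(deployments, 4):
        print(dep.commit, trace_deployment(dep, tickets) or "ok")
    print("approved but never deployed:", trace_tickets_to_production(tickets, deployments))
```

Over the whole constructed population, the production-to-ticket trace reports the undocumented commit c0ffee (also deployed by its own author), d3ad01 whose reference has no matching ticket, e5e5e5 whose ticket was self-approved and self-deployed, and f00d00 whose ticket is still pending; the ticket-to-production trace only reports CHG-106 as approved but never deployed and cannot see c0ffee at all. The findings map directly onto the scenario's two change-management deficiencies, segregation of duties and documentation of changes.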
Standard CIP 002 1 Cyber Security Critical Cyber Asset Identification Standard Development Roadmap This section is maintained by the drafting team during the development of the standard and will be removed
More information26 February Office of the Secretary Public Company Accounting Oversight Board 1666 K Street, NW Washington, DC
3701 Algonquin Road, Suite 1010 Telephone: 847.253.1545 Rolling Meadows, Illinois 60008, USA Facsimile: 847.253.1443 Web Sites: www.isaca.org and www.itgi.org 26 February 2007 Office of the Secretary Public
More informationGeneral Information Technology Controls Follow-up Review
Office of Internal Audit General Information Technology Controls Follow-up Review May 19, 2015 Internal Audit Team Shannon B. Henry Chief Audit Executive Stacy Sneed Audit Manager Rod Isom Auditor Winston-Salem
More informationBUSINESS CONTINUITY MANAGEMENT PROGRAM OVERVIEW
BUSINESS CONTINUITY MANAGEMENT PROGRAM OVERVIEW EXECUTIVE SUMMARY CenturyLink is committed to ensuring business resiliency and survivability during an incident or business disruption. Our Corporate Business
More informationCOPYRIGHTED MATERIAL. Index
Index 2014 revised COSO framework. See COSO internal control framework Association of Certified Fraud Examiners (ACFE), 666 Administrative files workpaper document organization, 402 AICPA fraud standards
More informationitexamdump 최고이자최신인 IT 인증시험덤프 일년무료업데이트서비스제공
itexamdump 최고이자최신인 IT 인증시험덤프 http://www.itexamdump.com 일년무료업데이트서비스제공 Exam : CISA Title : Certified Information Systems Auditor Vendor : ISACA Version : DEMO Get Latest & Valid CISA Exam's Question and
More informationStandard CIP Cyber Security Critical Cyber Asset Identification
Standard CIP 002 1 Cyber Security Critical Cyber Asset Identification Standard Development Roadmap This section is maintained by the drafting team during the development of the standard and will be removed
More informationSubject: Audit Report 18-84, IT Disaster Recovery, California State University, Sacramento
Larry Mandel Vice Chancellor and Chief Audit Officer Audit and Advisory Services 401 Golden Shore, 4th Floor Long Beach, CA 90802-4210 562-951-4430 562-951-4955 (Fax) lmandel@calstate.edu October 23, 2018
More information01.0 Policy Responsibilities and Oversight
Number 1.0 Policy Owner Information Security and Technology Policy Policy Responsibility & Oversight Effective 01/01/2014 Last Revision 12/30/2013 Department of Innovation and Technology 1. Policy Responsibilities
More information