
Tuesday, July 10, 2007

CISA Audit Process #16

The first step in a risk-based audit approach is to gather information about the business and industry to evaluate the inherent risks. After completing the assessment of the inherent risks, the next step is to complete an assessment of the internal control structure. The controls are then tested and, on the basis of the test results, substantive tests are carried out and assessed.


CISA Audit Process #15

The ISACA IS Auditing Guideline G15 on planning the IS audit states, "An assessment of risk should be made to provide reasonable assurance that material items will be adequately covered during the audit work. This assessment should identify areas with a relatively high risk of the existence of material problems." Definite assurance that material items will be covered during the audit work is an impractical proposition. Reasonable assurance that all items will be covered during the audit work is not the correct answer, as material items need to be covered, not all items.


Monday, July 9, 2007

CISA Audit Process #14

Calculation of Business Risk - Risk Analysis

Overall business risk for a particular threat can be expressed as the product of the probability that the threat successfully exploits a vulnerability and the magnitude of the impact if it does:

Risk = Probability x Impact

For example: suppose strictly confidential documents containing pricing and patent information for products your company is about to launch are lost, the documents were never encrypted, and they fall into the hands of competitors.

Impact = 10 (high impact)
Probability = 0.9 (very likely, since nothing stops whoever finds the documents from reading them)

Therefore the risk factor is 10 * 0.9 = 9 (very high risk factor)



Friday, June 29, 2007

CISA Audit Process #13

Data Flow Diagrams

Data flow diagrams are used as aids to graph or chart data flow and storage. They trace the data from its origination to destination, highlighting the paths and storage of data. They do not order data in any hierarchy. The flow of the data will not necessarily match any hierarchy or data generation order.

An IS auditor will normally request data flow diagrams from the auditee in order to verify how the organisation being audited preserves the confidentiality, integrity and availability of its data along each path and at each storage point.


Saturday, May 5, 2007

CISA Audit Process #12

IT Application Audit

The objectives of an IT application audit are to evaluate:

The efficiency of the application in supporting the business processes

The impact of any exposures discovered

The business processes served by the application

The application's optimization

By contrast, a review of an application's controls is narrower in scope:

it involves evaluating the application's automated controls and assessing any

exposures resulting from control weaknesses.




Thursday, May 3, 2007

CISA 2007 - Audit Process #11

Auditing an Inventory Application

In an audit of an inventory application, the approach that would provide the BEST evidence that purchase orders are valid is testing whether inappropriate personnel can change application parameters, because that tests the control which keeps the ordering rules themselves from being altered.

Tracing purchase orders to a computer listing and comparing receiving reports to purchase order details are after-the-fact approaches.

Reviewing the application documentation only shows how the application is supposed to behave, not how it actually operates.


Tuesday, May 1, 2007

Audit Process #10

Computer Forensic Software

Computer forensic software is used when digital evidence must be collected from information processing devices such as laptops, desktop computers and PDAs, for example to support prosecution of fraud and other computer-related crimes.


Its greatest value to an auditor is in preserving the chain of custody for electronic evidence.

Good computer forensic software should be efficient and effective, and should save time and cost.

Another characteristic of computer forensic software is the ability to search a device for evidence of intellectual property violations (for example, copyrighted material stored on it).



Monday, April 30, 2007

CISA 2007 - Audit Process #9

Types of IT Audit Testing

Compliance Testing: In an IT audit, compliance testing determines whether controls are being applied in compliance with policy. This includes tests to determine whether new accounts were appropriately authorized.

Substantive Testing: In an IT audit, substantive testing substantiates the integrity of actual processing, such as balances on financial statements. The development of substantive tests is often dependent on the outcome of compliance tests. If compliance tests indicate that there are adequate internal controls, then substantive tests can be minimized.

Variable Sampling: In an IT audit, variable sampling is used to estimate numerical values, such as dollar values.

Stop-Or-Go Sampling: In an IT audit, stop-or-go sampling is used when the auditor expects very few errors in the population; it allows a test to be stopped as early as the evidence permits, and is not itself a method for checking whether procedures have been followed.



Friday, April 27, 2007

CISA 2007 - Audit Process #8

IT Audit Process

Not reporting an intrusion is equivalent to an IT auditor hiding a malicious intrusion, which would be a professional mistake. Although notification to the police may be required and the lack of a periodic examination of access rights might be a concern, they do not represent as big a concern as the failure to report the attack. Reporting to the public is not a requirement and is dependent on the organization's desire, or lack thereof, to make the intrusion known.


An organizational chart provides information about the responsibilities and authority of individuals in the organization. This helps the IS auditor to know if there is a proper segregation of functions. A workflow chart would provide information about the roles of different employees. A network diagram will provide information about the usage of various communication channels and will indicate the connection of users to the network.


The audit charter typically sets out the role and responsibility of the internal audit department. It should state management's objectives for and delegation of authority to the audit department. It is rarely changed and does not contain the audit plan or audit process, which is usually part of annual audit planning, nor does it describe a code of professional conduct, since such conduct is set by the profession and not by management.




Saturday, April 21, 2007

CISA 2007 - Audit Process #7

During a security audit of IT processes, an IT auditor found that there were no documented security procedures.

Since one of the main objectives of an audit is to identify potential risks, the most proactive approach would be to identify and evaluate the security practices the organization actually follows, documented or not.

IT auditors should not prepare documentation, and doing so could jeopardize their independence. Terminating the audit may prevent achieving one of the basic audit objectives, i.e., identification of potential risks. Since there are no documented procedures, there is no basis against which to test compliance.


CISA 2007 - Audit Process #6

During an IT audit, if the auditee disagrees with the impact of a finding, it is important for the IT auditor to elaborate and clarify the risks and exposures, as the auditee may not fully appreciate the magnitude of the exposure. The goal should be to enlighten the auditee or to uncover new information of which the IT auditor may not have been aware. Anything that appears to threaten the auditee will lessen effective communication and set up an adversarial relationship. By the same token, the IT auditor should not automatically agree just because the auditee expresses an alternative point of view at the end of the audit.

In an IT audit, attribute sampling is the primary sampling method used for compliance testing. Attribute sampling is a sampling model used to estimate the rate of occurrence of a specific quality (attribute) in a population, and it is used in compliance testing to confirm whether that quality (for example, proper authorization of a transaction) exists. Other methods, such as variable sampling, are used in substantive testing, which involves testing details or quantities.


Tuesday, April 17, 2007

CISA 2007 Audit Process #5

CISA 2007 - IT Audit Process & IT Segregation of Duties

During an IT compliance audit, by observing the IS staff performing their tasks the IS auditor can identify whether they are performing any incompatible operations, and by interviewing the IS staff the auditor can get an overview of the tasks performed. Based on the observations and interviews the auditor can evaluate the segregation of duties.

Management may not be aware of the detailed functions of each employee in the IS department; therefore, discussion with management would provide only limited information regarding segregation of duties during the course of an IT audit.

An organization chart would not provide details of the functions of the employees. Testing of user rights would show the rights they have within the IS systems, but would not provide complete information about the functions they actually perform.



Saturday, April 14, 2007

CISA 2007 - Audit Process #4

Redundancy Check - A check that appends calculated bits (for example a cyclic redundancy check, CRC) to the end of a data stream so that transmission errors can be detected by recalculating them at the receiving end.

Parity Check - A hardware control that detects data errors as data moves between memory, storage and the processor or is transmitted from one computer to another: an extra bit is added so that the number of 1 bits in each unit of data is always even (or always odd), and a unit arriving with the wrong count is rejected.

Check Digit - A digit computed from the other digits of a number (an account or product number, for example) and carried with it; recomputing it detects transposition or transcription errors made when the number is keyed in.

Reasonableness Check - A check that compares data to predefined reasonability limits or occurrence rates established for that data.
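The following Python is an added example, not code from the original post, showing all four checks above in working form. It assumes even parity on 8-bit values, CRC-32 (via zlib) as the redundancy check, the Luhn mod-10 algorithm as the check digit, and hypothetical reasonableness limits for a payroll/purchasing system; the sample purchase-order line is constructed.

```python
"""Four input/transmission checks (added example, not from the original post).

Assumptions: even parity on 8-bit values, CRC-32 as the redundancy check,
the Luhn mod-10 check digit, and made-up reasonableness limits.
"""
import zlib


# --- Parity check: one extra bit makes the count of 1 bits even ----------------
def parity_bit(byte: int) -> int:
    return bin(byte & 0xFF).count("1") & 1


def parity_ok(byte: int, parity: int) -> bool:
    return parity_bit(byte) == parity


# --- Redundancy check: CRC-32 appended to the end of the data stream -----------
def frame_with_crc(data: bytes) -> bytes:
    return data + zlib.crc32(data).to_bytes(4, "big")


def crc_ok(frame: bytes) -> bool:
    data, received = frame[:-4], frame[-4:]
    return zlib.crc32(data).to_bytes(4, "big") == received


# --- Check digit: Luhn (mod 10) computed from the other digits -----------------
def luhn_check_digit(payload: str) -> str:
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def check_digit_ok(number: str) -> bool:
    """Last digit must equal the digit recomputed from the rest.
    Catches every single-digit transcription error and every adjacent
    transposition except 09<->90 (a known Luhn limitation)."""
    return number.isdigit() and luhn_check_digit(number[:-1]) == number[-1]


# --- Reasonableness check: compare a field to predefined limits ----------------
LIMITS = {"hours_worked": (0, 80), "unit_price": (0.01, 10_000.00)}  # assumed limits


def reasonable(field: str, value: float) -> bool:
    low, high = LIMITS[field]
    return low <= value <= high


if __name__ == "__main__":
    p = parity_bit(0b1011_0010)
    # one flipped bit is caught, two flipped bits are not: parity is a weak check
    print(parity_ok(0b1011_0011, p), parity_ok(0b1011_0001, p))
    frame = frame_with_crc(b"PO-1001,ACME,1500.00")            # constructed PO line
    print(crc_ok(frame), crc_ok(frame[:4] + b"9" + frame[5:]))  # corrupted PO number
    print(check_digit_ok("79927398713"), check_digit_ok("79927398731"))
    print(reasonable("hours_worked", 45), reasonable("hours_worked", 400))
```

The parity caveat is worth remembering when reading a control description: a single parity bit only detects an odd number of flipped bits, which is why the CRC, not parity, is what protects a whole transmitted block.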



Thursday, April 12, 2007

CISA 2007 - Audit Process #3

There are different types of controls that help prevent, detect or correct the effects of risk:
They are :

Detective Controls : Controls that detect and report errors, omissions or malicious acts after they have occurred. Examples are hash totals and echo controls in telecommunications.


Preventive Controls : Controls that stop problems before they arise.
Example: Encryption software used to prevent unauthorised access to data


Corrective Controls: Controls that correct problems once they have been detected and minimise their impact.
Example: Contingency planning, Backup Procedures
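As an added example (not from the original post), here is the detective control named first above, a hash total, alongside the other two batch control totals, over a constructed batch of payment records. The account numbers and amounts are sample data.

```python
"""Batch control totals as a detective control (added example).

The batch is constructed sample data. The hash total is a sum of account
numbers: a value with no business meaning that exists only to be compared
against the same sum computed after processing.
"""

BATCH = [
    {"account": 40012234, "amount": 125.50},
    {"account": 40018821, "amount": 2300.00},
    {"account": 40013307, "amount": 74.25},
]


def batch_controls(records):
    """The three classic totals an operator records on the batch header."""
    return {
        "record_count": len(records),
        "financial_total": round(sum(r["amount"] for r in records), 2),
        "hash_total": sum(r["account"] for r in records),
    }


def reconcile(header, processed):
    """Detective check: names of the totals that no longer agree after processing."""
    return sorted(k for k in header if header[k] != processed[k])


def tamper(records, index, **changes):
    """Copy of the batch with one record altered (simulates a processing error)."""
    altered = [dict(r) for r in records]
    altered[index].update(changes)
    return altered


if __name__ == "__main__":
    header = batch_controls(BATCH)
    # transposed digits in an account number: only the hash total moves
    print(reconcile(header, batch_controls(tamper(BATCH, 0, account=40012324))))
    # a dropped record: all three totals move
    print(reconcile(header, batch_controls(BATCH[:-1])))
    # caveat: two amounts swapped between records leave every total intact, so
    # batch totals detect lost or altered data, not data posted to the wrong account
    swapped = tamper(tamper(BATCH, 0, amount=2300.00), 1, amount=125.50)
    print(reconcile(header, batch_controls(swapped)))
```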


Sunday, April 8, 2007

CISA 2007 - Audit Process continued #2

Continuous and intermittent simulation (CIS) is a moderately complex set of programs that simulates the application's processing of a transaction. As each transaction is entered into the application it is checked against predefined criteria. If the criteria are met, the CIS audits the transaction; if not, it waits for the next transaction that meets the criteria and audits that one. It is useful when transactions meeting certain criteria need to be examined.


Audit hooks are low-complexity programs that focus on specific conditions, rather than detailed criteria, to identify transactions for review.

An integrated test facility (ITF) focuses on test versus live data.

During an IT audit, an integrated test facility (ITF) creates a fictitious entity in the database to process test transactions simultaneously with live input. Its advantage is that periodic testing does not require separate test processes. However, careful planning is necessary, and test data must be isolated from production data.



SCARF/EAM (systems control audit review file with embedded audit modules) focuses on controls rather than data: audit modules embedded in the application continuously collect transactions of audit interest into a review file, which is useful where regular processing cannot be interrupted.

A snapshot tool, which records the data image of a transaction before and after processing, is most useful when an audit trail is required.
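The following Python is an added example, not code from the original post, showing how audit hooks, an embedded audit module writing a SCARF-style review file, and snapshots of the before and after data images fit together inside an application. The payment-posting logic, the cost-centre ledger, the approved-vendor list and the four hook conditions are all constructed for the example.

```python
"""Audit hooks + embedded audit module + snapshots (added example).

Everything here is constructed for illustration: the ledger, the vendor
master data, the posting logic and the hook conditions.
"""
from datetime import datetime

APPROVED_VENDORS = {"V-100", "V-200"}   # assumed master data
LARGE_PAYMENT = 10_000.00               # assumed review threshold


def after_hours(timestamp: str) -> bool:
    hour = datetime.strptime(timestamp, "%Y-%m-%d %H:%M").hour
    return hour < 8 or hour >= 18


# Audit hooks: simple predicates over (transaction, before-image, after-image).
AUDIT_HOOKS = [
    ("large_payment", lambda t, before, after: t["amount"] >= LARGE_PAYMENT),
    ("unapproved_vendor", lambda t, before, after: t["vendor"] not in APPROVED_VENDORS),
    ("after_hours", lambda t, before, after: after_hours(t["time"])),
    ("budget_overrun", lambda t, before, after: after["spent"] > after["budget"]),
]


class EmbeddedAuditModule:
    """Lives inside the application; every transaction passes through post_payment."""

    def __init__(self, hooks):
        self.hooks = hooks
        self.audit_file = []    # SCARF: the review file the auditor reads later

    def post_payment(self, ledger, txn):
        cost_centre = ledger[txn["cost_centre"]]
        before = dict(cost_centre)                                  # snapshot: before-image
        cost_centre["spent"] = round(cost_centre["spent"] + txn["amount"], 2)  # the application's own logic
        after = dict(cost_centre)                                   # snapshot: after-image
        fired = [name for name, hook in self.hooks if hook(txn, before, after)]
        if fired:   # only transactions of audit interest are written, processing is never interrupted
            self.audit_file.append({"txn_id": txn["id"], "hooks": fired, "before": before, "after": after})
        return fired


LEDGER = {"CC-1": {"budget": 50_000.00, "spent": 42_000.00},
          "CC-2": {"budget": 5_000.00, "spent": 1_000.00}}

TRANSACTIONS = [   # constructed payments
    {"id": "P1", "cost_centre": "CC-1", "vendor": "V-100", "amount": 2_500.00, "time": "2007-04-10 10:15"},
    {"id": "P2", "cost_centre": "CC-1", "vendor": "V-300", "amount": 12_000.00, "time": "2007-04-10 22:40"},
    {"id": "P3", "cost_centre": "CC-2", "vendor": "V-200", "amount": 800.00, "time": "2007-04-11 09:05"},
]


def run(ledger, transactions, hooks=AUDIT_HOOKS):
    """Process a batch against a private copy of the ledger; return the audit file."""
    ledger = {name: dict(balances) for name, balances in ledger.items()}
    eam = EmbeddedAuditModule(hooks)
    for txn in transactions:
        eam.post_payment(ledger, txn)
    return eam.audit_file


if __name__ == "__main__":
    for entry in run(LEDGER, TRANSACTIONS):
        print(entry)
```

Only P2 is written to the review file, with its before and after images, which is exactly the audit trail a snapshot provides; P1 and P3 are processed normally and leave no audit record, which is the point of hooks versus auditing every transaction.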

To detect errors from a previous period, we can make use of generalized audit software (GAS). Its features include mathematical computations, stratification, statistical analysis, sequence checking, duplicate checking and recomputation.

For example, if the vice president of human resources has requested an IT audit to identify payroll overpayments for the previous year, generalized audit software is the right tool: you can design tests that recompute the payroll and thereby determine whether there were overpayments and to whom they were made.

Test data would test for the existence of IT controls that might prevent overpayments, but it would not detect specific, previous miscalculations. Neither an integrated test facility nor an embedded audit module would detect errors for a previous period, since both operate on transactions as they are processed.
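As an added example (not from the original post), here is a small imitation of the generalized audit software features named above, run over a constructed payroll register: recomputation, duplicate checking, sequence checking and stratification. The register, the overtime rule (1.5x above 40 hours) and the strata bands are assumptions.

```python
"""Generalized audit software features over a payroll register (added example).

The register, the overtime rule and the strata are assumptions for
illustration, not data or rules from the original post.
"""
from collections import Counter, defaultdict

OVERTIME_AFTER = 40     # assumed pay rule
OVERTIME_RATE = 1.5

# Constructed payroll register for one pay period.
PAYROLL = [
    {"check_no": 1001, "emp": "E100", "period": "2006-12", "hours": 40, "rate": 20.00, "gross_paid": 800.00},
    {"check_no": 1002, "emp": "E101", "period": "2006-12", "hours": 45, "rate": 20.00, "gross_paid": 950.00},
    {"check_no": 1003, "emp": "E102", "period": "2006-12", "hours": 38, "rate": 25.00, "gross_paid": 1050.00},
    {"check_no": 1004, "emp": "E101", "period": "2006-12", "hours": 45, "rate": 20.00, "gross_paid": 950.00},
    {"check_no": 1006, "emp": "E103", "period": "2006-12", "hours": 50, "rate": 18.00, "gross_paid": 990.00},
]


def expected_gross(hours, rate):
    """Mathematical computation: what the employee should have been paid."""
    regular = min(hours, OVERTIME_AFTER) * rate
    overtime = max(hours - OVERTIME_AFTER, 0) * rate * OVERTIME_RATE
    return round(regular + overtime, 2)


def recomputation(records):
    """Recompute every check and report the ones paid above the recomputed amount."""
    findings = []
    for r in records:
        expected = expected_gross(r["hours"], r["rate"])
        over = round(r["gross_paid"] - expected, 2)
        if over > 0:
            findings.append({"check_no": r["check_no"], "emp": r["emp"], "expected": expected, "overpaid": over})
    return findings


def duplicate_check(records):
    """Employee/period pairs paid more than once."""
    counts = Counter((r["emp"], r["period"]) for r in records)
    return sorted(key for key, n in counts.items() if n > 1)


def sequence_check(records):
    """Check numbers missing from an otherwise unbroken sequence."""
    present = {r["check_no"] for r in records}
    return [n for n in range(min(present), max(present) + 1) if n not in present]


def overpayment_by_employee(records):
    """Total paid per employee/period minus the single payment that was due.
    Catches miscalculated checks and duplicate checks alike (assumes duplicate
    lines carry the same hours and rate)."""
    paid = defaultdict(float)
    due = {}
    for r in records:
        key = (r["emp"], r["period"])
        paid[key] += r["gross_paid"]
        due[key] = expected_gross(r["hours"], r["rate"])
    result = {key: round(paid[key] - due[key], 2) for key in paid}
    return {key: over for key, over in result.items() if over > 0}


def stratify(overpayments, bands=(50, 250, 1000)):
    """Group overpayments into size bands so material ones are reviewed first."""
    strata = defaultdict(list)
    for key, amount in sorted(overpayments.items()):
        label, lower = f">={bands[-1]}", 0
        for upper in bands:
            if amount < upper:
                label = f"{lower}-{upper}"
                break
            lower = upper
        strata[label].append(key)
    return dict(strata)


if __name__ == "__main__":
    print(recomputation(PAYROLL))
    print(duplicate_check(PAYROLL))
    print(sequence_check(PAYROLL))
    by_emp = overpayment_by_employee(PAYROLL)
    print(by_emp, stratify(by_emp))
```

Note that recomputation alone finds only E102; the duplicate payment to E101 is arithmetically correct on each line and is found by the duplicate check and by the per-employee total, which is why GAS tests are combined rather than run singly.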






CISA 2007 - Audit Process continued #1

Inherent risk can also be defined as the risk of an error occurring in the absence of compensating controls.

Sampling risk is the risk that the auditor reaches a wrong conclusion about a population because the sample examined is not representative of it.

A risk-based approach to auditing requires an understanding of the business processes of the company being audited, because business risks affect the long-term viability of the business.

Before using an integrated test facility (ITF) we need to isolate test data from production data, because the ITF processes test data on live programs alongside production transactions.


Friday, April 6, 2007

CISA 2007 - Audit Process

In order to conduct a risk-based audit, we must understand the different
kinds of risk.

1.) Inherent risks - Risks that exist because of the nature of the business or activity, before any controls are considered. For example, complex calculations are easier to misstate than simple calculations, and money is more likely to be stolen than an inventory of coal.

2.) Control risks - The risk that a material error occurs and is not prevented or detected in a timely manner by the internal control system. For example, the risk of overlooking an error in massive volumes of manually reviewed log files is higher than with automatic data validation by computer programs.

3.) Detection risks - The risk that an information systems auditor uses inadequate test procedures and concludes that material errors do not exist when in fact they do.

Using statistical sampling, an IS auditor can quantify how closely the sample should represent the population and quantify the probability of error.

The use of statistical sampling helps minimise detection risk.
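The two sampling statements above (statistical sampling quantifies how well the sample represents the population, and attribute sampling, described in the Audit Process #6 post further up the page, estimates a rate of occurrence for compliance testing) can be made concrete. The following Python is an added example, not from the original post. It assumes a 95% confidence level, a 5% tolerable deviation rate and a 1% expected deviation rate, and a constructed population of 1,200 access requests where the attribute tested is "approved before provisioning".

```python
"""Attribute sampling for a compliance test (added example).

Assumptions not taken from the post: 95% confidence, 5% tolerable and 1%
expected deviation rates, and a constructed population of access requests.
"""
import math
import random


def binom_cdf(k: int, n: int, p: float) -> float:
    """P(X <= k) for X ~ Binomial(n, p)."""
    return sum(math.comb(n, i) * p ** i * (1 - p) ** (n - i) for i in range(k + 1))


def attribute_sample_size(confidence: float, tolerable: float, expected: float, max_n: int = 5000):
    """Smallest n such that, if the true deviation rate were the tolerable
    rate, seeing no more than the expected number of deviations would be
    unlikely (probability <= 1 - confidence). Returns (n, deviations allowed)."""
    alpha = 1 - confidence
    for n in range(1, max_n + 1):
        k = math.ceil(n * expected)
        if binom_cdf(k, n, tolerable) <= alpha:
            return n, k
    raise ValueError("expected rate too close to tolerable rate for a practical sample")


def upper_deviation_limit(n: int, observed: int, confidence: float) -> float:
    """Smallest population deviation rate that would make the observed result
    unlikely; bisection on p, since P(X <= observed) falls as p grows."""
    alpha = 1 - confidence
    low, high = 0.0, 1.0
    for _ in range(60):
        mid = (low + high) / 2
        if binom_cdf(observed, n, mid) > alpha:
            low = mid
        else:
            high = mid
    return high


def evaluate_sample(population, n, confidence, tolerable, seed=7):
    """Draw a random sample, count deviations and conclude on the control."""
    sample = random.Random(seed).sample(population, n)
    deviations = sum(1 for item in sample if not item["approved"])
    limit = upper_deviation_limit(n, deviations, confidence)
    return {"deviations": deviations,
            "upper_limit": round(limit, 4),
            "control_relied_on": limit <= tolerable}


# Constructed population: 1,200 access requests, six of them never approved.
POPULATION = [{"request": f"AR-{i:04d}", "approved": True} for i in range(1, 1201)]
for i in (17, 233, 402, 678, 904, 1111):
    POPULATION[i - 1]["approved"] = False


if __name__ == "__main__":
    n, k = attribute_sample_size(0.95, 0.05, 0.01)
    print(f"sample size {n}, test fails if more than {k} deviation(s) are found")
    print(evaluate_sample(POPULATION, n, 0.95, 0.05))
```

With these parameters the sample size comes out at 93 items with one deviation tolerated, matching the published attribute-sampling tables; the sampling risk the post mentions is the 5% chance (1 minus the confidence level) that a sample showing at most one deviation came from a population whose real deviation rate is at or above 5%.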


CISA 2007 Exam Information

It's time now to share knowledge on the CISA 2007 exam. This year the content has been divided into

Area 1 - IS Audit Process (10%)
Area 2 - IT Governance (15%)
Area 3 - Systems and Infrastructure Life-Cycle Management (16%)
Area 4 - IT Service Delivery and Support (14%)
Area 5 - Protection of Information Assets (31%)
Area 6 - Business Continuity and Disaster Recovery (14%)
