Monday, April 30, 2007

CISA 2007 - Audit Process #9

Types of IT Audit Testing

Compliance Testing: In an IT audit, compliance testing determines whether controls are being applied in compliance with policy. This includes tests to determine whether new accounts were appropriately authorized.

Substantive Testing: In an IT audit, substantive testing substantiates the integrity of actual processing, such as balances on financial statements. The development of substantive tests often depends on the outcome of compliance tests. If compliance tests indicate that there are adequate internal controls, then substantive tests can be minimized.

Variable Sampling: In an IT audit, variable sampling is used to estimate numerical values, such as dollar values.

Stop-Or-Go Sampling: In an IT audit, stop-or-go sampling allows a test to be stopped as early as possible and is not appropriate for checking whether procedures have been followed.


Friday, April 27, 2007

CISA 2007 - Audit Process #8

IT Audit Process

Not reporting an intrusion is equivalent to an IT auditor hiding a malicious intrusion, which would be a professional mistake. Although notification to the police may be required and the lack of a periodic examination of access rights might be a concern, they do not represent as big a concern as the failure to report the attack. Reporting to the public is not a requirement and is dependent on the organization's desire, or lack thereof, to make the intrusion known.

An organizational chart provides information about the responsibilities and authority of individuals in the organization. This helps the IS auditor to know if there is a proper segregation of functions. A workflow chart would provide information about the roles of different employees. A network diagram will provide information about the usage of various communication channels and will indicate the connection of users to the network.

The audit charter typically sets out the role and responsibility of the internal audit department. It should state management's objectives for and delegation of authority to the audit department. It is rarely changed and does not contain the audit plan or audit process, which is usually part of annual audit planning, nor does it describe a code of professional conduct, since such conduct is set by the profession and not by management.


Saturday, April 21, 2007

CISA 2007 - Audit Process #7

During a security audit of IT processes, an IT auditor found that there were no documented security procedures.

One of the main objectives of an audit is to identify potential risks; therefore, the most proactive approach is to identify and evaluate the existing security practices the organization actually follows.

IT auditors should not prepare documentation, and doing so could jeopardize their independence. Terminating the audit may prevent achieving one of the basic audit objectives, i.e., identification of potential risks. Since there are no documented procedures, there is no basis against which to test compliance.


CISA 2007 - Audit Process #6

During an IT audit, if the auditee disagrees with the impact of a finding, it is important for the IT auditor to elaborate and clarify the risks and exposures, as the auditee may not fully appreciate the magnitude of the exposure. The goal should be to enlighten the auditee or to uncover new information of which the IT auditor may not have been aware. Anything that appears to threaten the auditee will lessen effective communication and set up an adversarial relationship. By the same token, the IT auditor should not automatically agree just because the auditee expresses an alternate point of view at the end of an IT audit.

In an IT audit, attribute sampling is the primary sampling method used for compliance testing. Attribute sampling is a sampling model used to estimate the rate of occurrence of a specific quality (attribute) in a population, and it is used in compliance testing to confirm whether that quality exists. The other choices are used in substantive testing, which involves testing of details or quantities.


Tuesday, April 17, 2007

CISA 2007 - Audit Process #5

CISA 2007 - IT Audit Process & IT Segregation of Duties

During an IT compliance audit, by observing the IS staff performing their tasks, the IS auditor can identify whether they are performing any incompatible operations, and by interviewing the IS staff, the auditor can get an overview of the tasks performed. Based on the observations and interviews, the auditor can evaluate the segregation of duties.

Management may not be aware of the detailed functions of each employee in the IS department; therefore, discussion with management would provide only limited information regarding segregation of duties during the course of an IT audit.

An organization chart would not provide details of the functions of the employees. Testing of user rights would provide information about the rights they have within the IS systems, but would not provide complete information about the functions they perform during an audit.


Saturday, April 14, 2007

CISA 2007 - Audit Process #4

Redundancy Check - A check that appends calculated bits to the end of a data stream so that transmission errors in the data can be detected.

Parity Check - A hardware control that detects data errors when data is transferred from one computer to another, from memory, or during transmission.

Check Digit - Check digits detect transposition or transcription errors.

Reasonableness Check - A check that compares data to predefined reasonability limits or occurrence rates established for the data.
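The four checks above, implemented as an added illustration (this is constructed example code, not from the original post): the CRC polynomial, the weighted modulus-11 check-digit scheme and the hour limits are assumed choices used to show how each check catches its class of error.

```python
"""Added illustration of redundancy, parity, check-digit and reasonableness checks."""


def crc8(data: bytes, poly: int = 0x07) -> int:
    """Redundancy check: CRC-8 over the data stream (polynomial 0x07 is an assumed choice)."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = ((crc << 1) ^ poly) & 0xFF if crc & 0x80 else (crc << 1) & 0xFF
    return crc


def append_crc(data: bytes) -> bytes:
    """Sender appends the calculated check byte to the end of the stream."""
    return data + bytes([crc8(data)])


def crc_ok(frame: bytes) -> bool:
    """Receiver recomputes the CRC over the payload and compares it with the trailer byte."""
    return len(frame) > 0 and crc8(frame[:-1]) == frame[-1]


def even_parity_bit(byte: int) -> int:
    """Parity check: the extra bit that makes the total number of 1 bits even."""
    return bin(byte & 0xFF).count("1") % 2


def parity_ok(byte: int, parity_bit: int) -> bool:
    """A single flipped bit changes the 1-count, so the stored parity no longer matches."""
    return even_parity_bit(byte) == parity_bit


def check_digit(digits: str) -> str:
    """Check digit: weighted modulus-11 scheme (weights n+1 down to 2, as ISBN-10 uses; assumed).
    Every position carries a different weight, so swapping two adjacent digits (transposition)
    or mistyping one digit (transcription) changes the computed digit."""
    n = len(digits)
    total = sum((n + 1 - i) * int(d) for i, d in enumerate(digits))
    rem = (11 - total % 11) % 11
    return "X" if rem == 10 else str(rem)


def is_reasonable(value, low, high) -> bool:
    """Reasonableness check: value must fall within predefined limits (e.g. hours per week)."""
    return low <= value <= high
```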


Thursday, April 12, 2007

CISA 2007 - Audit Process #3

There are different types of controls that can help prevent, avoid, or detect risk. They are:

Detective Controls: Controls that detect and report errors, omissions or malicious acts. Examples are hash totals and echo controls in telecommunications.

Preventive Controls: Detect problems before they arise.
Example: Encryption software used to prevent unauthorised access

Corrective Controls: Correct problems before they occur.
Example: Contingency planning, backup procedures


Sunday, April 8, 2007

CISA 2007 - Audit Process continued #2

Continuous and Intermittent Simulation (CIS) is a moderately complex set of programs that simulates the processing of a transaction. As each transaction is entered into the program, it is checked to see whether it meets certain predefined criteria. If the predefined criteria are met, the program audits the transaction. If not, it waits for the next transaction until the predefined criteria are met and audits again.

Audit hooks are low-complexity programs that focus on certain specific conditions instead of detailed criteria in identifying transactions for review.

ITF focuses on test versus live data.

During an IT audit, an integrated test facility (ITF) creates a fictitious entity in the database to process test transactions simultaneously with live input. Its advantage is that periodic testing does not require separate test processes. However, careful planning is necessary, and test data must be isolated from production data.

SCARF/EAM focuses on controls versus data.

A snapshot tool is most useful when an audit trail is required.

To detect errors of a previous period in an IT audit, we can make use of generalized audit software (GAS) features. These include mathematical computations, stratification, statistical analysis, sequence checking, duplicate checking and recomputations.

For example, if the vice president of human resources has requested an IT audit to identify payroll overpayments for the previous year, it would be good to use generalized audit software features, because you could design appropriate tests to recompute the payroll and thereby determine whether there were overpayments and to whom they were made.

Test data would test for the existence of IT controls that might prevent overpayments, but it would not detect specific, previous miscalculations. Neither an integrated test facility nor an embedded audit module would detect errors for a previous period.
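The payroll-overpayment scenario above, worked as GAS-style tests over a small payroll extract. This is an added example, not code from the original post or from any audit tool: the extract layout, the overtime policy (time-and-a-half beyond 40 hours) and the pay bands are all constructed assumptions.

```python
"""GAS-style recomputation, duplicate, sequence and stratification tests on a constructed extract."""
from collections import Counter
from decimal import Decimal

# Constructed sample extract (assumed layout): (check_no, employee_id, hours, hourly_rate, gross_paid)
PAYROLL = [
    (1001, "E01", Decimal("40"), Decimal("20.00"), Decimal("800.00")),
    (1002, "E02", Decimal("45"), Decimal("18.00"), Decimal("855.00")),   # 40*18 + 5*18*1.5
    (1003, "E03", Decimal("38"), Decimal("25.00"), Decimal("1050.00")),  # should have been 950.00
    (1005, "E02", Decimal("45"), Decimal("18.00"), Decimal("855.00")),   # repeats check 1002
    (1006, "E04", Decimal("50"), Decimal("30.00"), Decimal("1650.00")),  # 40*30 + 10*30*1.5
]

OVERTIME_AFTER = Decimal("40")   # assumed policy: time-and-a-half beyond 40 hours
OVERTIME_MULT = Decimal("1.5")


def recompute_gross(hours: Decimal, rate: Decimal) -> Decimal:
    """Mathematical computation: the gross pay the payroll program should have produced."""
    regular = min(hours, OVERTIME_AFTER) * rate
    overtime = max(hours - OVERTIME_AFTER, Decimal(0)) * rate * OVERTIME_MULT
    return regular + overtime


def overpayments(records):
    """Recomputation: rows where the amount paid exceeds the recomputed gross, and by how much."""
    found = []
    for check_no, emp, hours, rate, paid in records:
        expected = recompute_gross(hours, rate)
        if paid > expected:
            found.append((check_no, emp, paid - expected))
    return found


def duplicate_payments(records):
    """Duplicate checking: the same employee/hours/rate/amount paid more than once."""
    seen = Counter((emp, hours, rate, paid) for _, emp, hours, rate, paid in records)
    return sorted({key[0] for key, n in seen.items() if n > 1})


def sequence_gaps(records):
    """Sequence checking: check numbers missing from an otherwise consecutive run."""
    present = {check_no for check_no, *_ in records}
    return [n for n in range(min(present), max(present) + 1) if n not in present]


def stratify_by_gross(records, band=Decimal("500")):
    """Stratification: number of payments in each gross-pay band (0-499.99, 500-999.99, ...)."""
    return dict(Counter(int(paid // band) for *_, paid in records))


def total_overpaid(records) -> Decimal:
    return sum((amount for _, _, amount in overpayments(records)), Decimal(0))
```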


CISA 2007 - Audit Process continued #1

Inherent risk can also be defined as the risk of an error occurring in the absence of compensating controls.

Sampling risk is the risk that a wrong assumption is made about the population being sampled.

A risk-based approach to auditing involves understanding the business processes of the company being audited, because business risks will affect the long-term viability of the business.

Before using an integrated test facility (ITF), we need to isolate test data from production data, because ITF involves processing test data through live programs.


Friday, April 6, 2007

CISA 2007 - Audit Process

In order to conduct a risk-based audit, we must understand the different kinds of risks.

1.) Inherent risks - Risks that occur because of the nature of the business. For example, complex calculations are easier to misstate than simple calculations, and money is more likely to be stolen than an inventory of coal.

2.) Control risks - The risk that a material error occurs that will not be prevented or detected in a timely manner by internal control systems. For example, the risk of overlooking massive volumes of log files is higher than with automatic data validation by computer programs.

3.) Detection risks - The risk that an Information Systems Auditor uses inadequate test procedures and concludes that material errors do not exist when in fact they do.

Using statistical sampling, an IS auditor can quantify how closely the sample should represent the population and quantify the probability of error.

The use of statistical sampling helps minimise detection risk.
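The attribute-sampling passage in post #6 and the statistical-sampling statement above rest on the same arithmetic: how large a sample must be before a clean result is strong evidence, and how likely a sample is to miss the deviations that exist. This added example (not from the original posts) computes both for a constructed population of 1,000 new-account authorizations, assuming sampling without replacement (a hypergeometric model).

```python
"""Sampling-risk arithmetic for attribute sampling over a constructed population."""
from math import comb


def p_no_deviation(population: int, deviations: int, sample_size: int) -> float:
    """Probability that a random sample drawn without replacement contains none of the
    `deviations` present in the population: comb(N-D, n) / comb(N, n).
    This is the detection risk: the auditor sees a clean sample and wrongly concludes
    that the control works."""
    if not 0 <= sample_size <= population or not 0 <= deviations <= population:
        raise ValueError("sample and deviation counts must lie within the population")
    return comb(population - deviations, sample_size) / comb(population, sample_size)


def achieved_confidence(population: int, tolerable_rate: float, sample_size: int) -> float:
    """How closely a sample of this size represents the population: the confidence that a
    clean sample rules out a deviation rate at or above the tolerable rate."""
    deviations = round(tolerable_rate * population)
    return 1.0 - p_no_deviation(population, deviations, sample_size)


def min_sample_size(population: int, tolerable_rate: float, confidence: float) -> int:
    """Smallest n such that, if the population deviates at exactly the tolerable rate,
    the chance of a misleading clean sample is at most 1 - confidence."""
    deviations = round(tolerable_rate * population)
    for n in range(1, population + 1):
        if p_no_deviation(population, deviations, n) <= 1.0 - confidence:
            return n
    return population


def observed_rate(sample_results) -> float:
    """Attribute-sampling estimate: fraction of sampled items showing the attribute
    (e.g. 'new account created without documented authorization')."""
    return sum(1 for hit in sample_results if hit) / len(sample_results)


# Constructed scenario: 1,000 new accounts last year; the auditor tolerates a 5% unauthorized rate
# and wants 95% confidence. A sample of 10 leaves a detection risk near 60%; the minimum sample
# that reaches 95% confidence is a few dozen accounts.
POPULATION, TOLERABLE, CONFIDENCE = 1000, 0.05, 0.95
```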


CISA 2007 Exam Information

It's time now to share knowledge on the CISA 2007 exam. This year it has been divided into the following areas:

Area 1 - IS Audit Process (10%)
Area 2 - IT Governance (15%)
Area 3 - Systems & Infrastructure Life-Cycle Management(16%)
Area 4 - IT Service and Delivery Report (14%)
Area 5 - Protection of Information Assets (31%)
Area 6 - Business Continuity and Disaster Recovery(14%)
