CISA Audit Process #16
The first step in a risk-based audit approach is to gather information about the business and industry to evaluate the inherent risks. After completing the assessment of the inherent risks, the next step is to complete an assessment of the internal control structure. The controls are then tested and, on the basis of the test results, substantive tests are carried out and assessed.
Related Tags: Risk Assessment, ISO 27001, SOX, IT Compliance, IT Audit, IT risk assessment, Audit, Operational Audit, Process Audit
Tuesday, July 10, 2007
CISA Audit Process #15
The ISACA IS Auditing Guideline G15 on planning the IS audit states, "An assessment of risk should be made to provide reasonable assurance that material items will be adequately covered during the audit work. This assessment should identify areas with a relatively high risk of the existence of material problems." Definite assurance that material items will be covered during the audit work is an impractical proposition. Reasonable assurance that all items will be covered during the audit work is not the correct answer, as material items need to be covered, not all items.
Related Tags: CISA, CISM, CISSP, SOX, IT Compliance, ISO 27001
Monday, July 9, 2007
CISA Audit Process #14
Calculation of a Business Risk - Risk Analysis
Overall business risk for a particular threat can be expressed as the product of the probability and the magnitude of the impact if a threat successfully exploits a vulnerability. For example: if you lose some strictly confidential documents containing pricing and patent information for new products your company is about to launch, what is the impact if they fall into the hands of competitors, given that the documents were not encrypted?
Impact = 10 (high impact)
Probability = 0.9 (very likely)
Therefore the risk factor is 10 * 0.9 = 9 (very high risk factor)
Related Tags: IT security, Risk, Risk Analysis, Impact Analysis, Risk Factor, Compliance, ISO 27001, SOX
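As an added illustration (not part of the original post), the Python below applies the impact x probability formula to a small constructed threat register, ranks the threats and bands the result for treatment priority. The first register entry is the post's own example; the other entries, the 0-10 impact scale, the 0-1 probability scale and the band thresholds are assumptions.

```python
"""Risk factor = impact x probability over a constructed threat register.

Added example, not from the original post. Threats other than the post's own
example, the scales and the band thresholds are assumptions for illustration.
"""

# Constructed threat register: (threat, impact on a 0-10 scale, probability 0-1).
# The first entry is the post's example: unencrypted confidential pricing and
# patent documents falling into a competitor's hands.
THREATS = [
    ("Unencrypted confidential product documents lost to a competitor", 10, 0.9),
    ("Laptop theft with full-disk encryption enabled", 3, 0.5),
    ("Data centre flood", 9, 0.05),
    ("Phishing leading to credential compromise", 7, 0.6),
]


def risk_factor(impact, probability):
    """Overall business risk for one threat: magnitude of impact times likelihood."""
    if not 0 <= impact <= 10:
        raise ValueError("impact must be on the 0-10 scale")
    if not 0.0 <= probability <= 1.0:
        raise ValueError("probability must be between 0 and 1")
    return impact * probability


def risk_band(factor):
    """Assumed banding of the 0-10 risk factor into treatment priorities."""
    if factor >= 7:
        return "very high"
    if factor >= 4:
        return "high"
    if factor >= 2:
        return "medium"
    return "low"


def rank_threats(threats):
    """Return (threat, risk factor, band) ordered from highest to lowest risk."""
    scored = []
    for name, impact, probability in threats:
        factor = risk_factor(impact, probability)
        scored.append((name, factor, risk_band(factor)))
    return sorted(scored, key=lambda row: row[1], reverse=True)


if __name__ == "__main__":
    for name, factor, band in rank_threats(THREATS):
        print(f"{factor:4.1f}  {band:9s}  {name}")
```

The banding thresholds are where a real organisation's risk appetite enters; the point of the ranking is that a threat with a modest impact but high likelihood (phishing) can outrank a catastrophic but rare one (flood).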
Friday, June 29, 2007
CISA Audit Process #13
Data Flow Diagrams
Data flow diagrams are used as aids to graph or chart data flow and storage. They trace the data from its origination to destination, highlighting the paths and storage of data. They do not order data in any hierarchy. The flow of the data will not necessarily match any hierarchy or data generation order.
An IT auditor will always need some data flow diagrams from the auditee to verify the data confidentiality, integrity and availability compliance of the organisation being audited.
Related Tags: IT audit, IT governance, Compliance, ISO 27001, SOX, HIPAA, PCI, Data Confidentiality
Saturday, May 5, 2007
CISA Audit Process #12
IT Application Audit
The objectives of an IT application audit are to evaluate:
The efficiency of the application in meeting the business processes
The impact of any exposures discovered
The business processes served by the application
The application's optimization
However, if an IT auditor is performing a review of an application's controls, it will involve the evaluation of the application's automated controls and an assessment of any exposures resulting from control weaknesses.
Related Tags: IT Audit, IT governance, Application Audit, IT controls, SOX, ISO27001, Business Continuity
Thursday, May 3, 2007
CISA 2007 - Audit Process # 11
Auditing Inventory Applicaton
In an audit of an inventory application, the approach that would provide the BEST evidence that purchase orders are valid is testing whether inappropriate personnel can change application parameters.
Tracing purchase orders to a computer listing and comparing receiving reports to purchase order details are after-the-fact approaches.
Reviewing the application documentation will not give the actual scenario, as it is only theory.
Related Tags: IT audit, IT compliance, IT governance, IT security, SOX, ISO 27001, Encryption
Tuesday, May 1, 2007
Audit Process #10
Computer Forensic Software
Computer forensic software is only utilised if there is a need to collect digital evidence from information processing devices such as laptops, computers, PDAs, etc. to press charges for fraud, cheating and other computer-related crimes.
Computer forensic software is most useful for preservation of the chain of custody for electronic evidence.
Good computer forensic software should be efficient, effective, and time- and cost-saving.
Another characteristic of computer forensic software is that it is able to search for violations of intellectual property rights.
Related Tags: IT compliance, IT governance, IT audit, IT Forensic, ISO 27001, IT risks
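To show what "preservation of the chain of custody" means in practice, here is an added example (not from the original post and not any forensic product's code): a custody log that records every hand-over and examination of an evidence item together with a SHA-256 hash of the item at that moment, so any later alteration of the working copy is visible against the hash taken at acquisition. The evidence bytes, examiner names and timestamps are constructed.

```python
"""Chain-of-custody log for a piece of electronic evidence.

Added example, not from the original post or any forensic product. The evidence
bytes, examiner names and timestamps are constructed for illustration.
"""
import hashlib
from datetime import datetime, timezone

# Constructed stand-in for an acquired disk image (a real one would be read
# from the write-blocked source device).
EVIDENCE_IMAGE = b"constructed-disk-image: MBR...partition-table...filesystem..."


def fingerprint(data: bytes) -> str:
    """SHA-256 of the evidence; any change to the bytes changes this value."""
    return hashlib.sha256(data).hexdigest()


class CustodyLog:
    """Records every hand-over or examination of an item together with the hash
    of the item at that moment, so later tampering or corruption is visible."""

    def __init__(self, item_id: str, data: bytes, collected_by: str, when=None):
        self.item_id = item_id
        self.acquisition_hash = fingerprint(data)
        self.entries = []
        self.record("collected", collected_by, data, when)

    def record(self, action: str, handler: str, data: bytes, when=None) -> dict:
        """Append one custody entry; the caller passes the bytes as they exist now."""
        stamp = (when or datetime.now(timezone.utc)).isoformat()
        entry = {"item": self.item_id, "action": action, "handler": handler,
                 "time": stamp, "sha256": fingerprint(data)}
        self.entries.append(entry)
        return entry

    def broken_links(self) -> list:
        """Entries whose hash no longer matches the hash taken at acquisition."""
        return [e for e in self.entries if e["sha256"] != self.acquisition_hash]

    def intact(self) -> bool:
        return not self.broken_links()


def demo() -> tuple:
    """Walk one item through collection, transfer and a (constructed) corrupted examination."""
    t0 = datetime(2007, 5, 1, 9, 0, tzinfo=timezone.utc)
    log = CustodyLog("HD-0001", EVIDENCE_IMAGE, "examiner-a", t0)
    log.record("transferred to lab", "examiner-b", EVIDENCE_IMAGE, t0.replace(hour=11))
    intact_after_transfer = log.intact()
    # Constructed incident: one byte of the working copy is altered after transfer.
    corrupted = EVIDENCE_IMAGE[:10] + b"X" + EVIDENCE_IMAGE[11:]
    log.record("examined", "examiner-b", corrupted, t0.replace(hour=14))
    return intact_after_transfer, log.intact(), [e["action"] for e in log.broken_links()]


if __name__ == "__main__":
    print(demo())
```

The log itself must of course be protected (signed or kept on write-once media); a hash that can be rewritten by whoever altered the evidence preserves nothing.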
Monday, April 30, 2007
CISA 2007 - Audit Process #9
Types of IT Audit Testing
Compliance Testing: In an IT audit, compliance testing determines whether controls are being applied in compliance with policy. This includes tests to determine whether new accounts were appropriately authorized.
Substantive Testing: In an IT audit, substantive testing substantiates the integrity of actual processing, such as balances on financial statements. The development of substantive tests is often dependent on the outcome of compliance tests. If compliance tests indicate that there are adequate internal controls, then substantive tests can be minimized.
Variable Sampling: In an IT audit, variable sampling is used to estimate numerical values, such as dollar values.
Stop-Or-Go Sampling: In an IT audit, stop-or-go sampling allows a test to be stopped as early as possible and is not appropriate for checking whether procedures have been followed.
Related Tags: IT audit, IT governance, IT Compliance, SOX, ISO 27001, CISA, CISM
Friday, April 27, 2007
CISA 2007 - Audit Process #8
IT Audit Process
Not reporting an intrusion is equivalent to an IT auditor hiding a malicious intrusion, which would be a professional mistake. Although notification to the police may be required and the lack of a periodic examination of access rights might be a concern, they do not represent as big a concern as the failure to report the attack. Reporting to the public is not a requirement and is dependent on the organization's desire, or lack thereof, to make the intrusion known.
An organizational chart provides information about the responsibilities and authority of individuals in the organization. This helps the IS auditor to know if there is a proper segregation of functions. A workflow chart would provide information about the roles of different employees. A network diagram will provide information about the usage of various communication channels and will indicate the connection of users to the network.
The audit charter typically sets out the role and responsibility of the internal audit department. It should state management's objectives for and delegation of authority to the audit department. It is rarely changed and does not contain the audit plan or audit process, which is usually part of annual audit planning, nor does it describe a code of professional conduct, since such conduct is set by the profession and not by management.
Related Tags: IT Audit, IT Compliance, CISA, CISM, CISSP, IT Governance
Saturday, April 21, 2007
CISA 2007 - Audit Process #7
During a security audit of IT processes, an IT auditor found that there were no documented security procedures.
Since one of the main objectives of an audit is to identify potential risks, the most proactive approach would be to identify and evaluate the existing security practices being followed by the organization.
IT auditors should not prepare documentation, and doing so could jeopardize their independence. Terminating the audit may prevent achieving one of the basic audit objectives, i.e., identification of potential risks. Since there are no documented procedures, there is no basis against which to test compliance.
Related Tags: IT audit, IT compliance, IT governance, CISA, CISM, Sarbanes-Oxley Act, HIPAA, ISO 27001
CISA 2007 - Audit Process #6
During an IT audit, if the auditee disagrees with the impact of a finding, it is important for the IT auditor to elaborate and clarify the risks and exposures, as the auditee may not fully appreciate the magnitude of the exposure. The goal should be to enlighten the auditee or uncover new information of which the IT auditor may not have been aware. Anything that appears to threaten the auditee will lessen effective communications and set up an adversarial relationship. By the same token, the IT auditor should not automatically agree just because the auditee expresses an alternate point of view at the end of an IT audit.
In an IT audit, Attribute sampling is the primary sampling method used for compliance testing. Attribute sampling is a sampling model that is used to estimate the rate of occurrence of a specific quality (attribute) in a population and is used in compliance testing to confirm whether the quality exists. The other choices are used in substantive testing, which involves testing of details or quantity.
Related Tags: IT Compliance, CISA, CISM, IT Governance, IT audit
Tuesday, April 17, 2007
CISA 2007 Audit Process #5
CISA 2007 - IT Audit Process & IT Segregation of Duties
During an IT Compliance Audit by observing the IS staff performing their tasks, the IS auditor can identify whether they are performing any incompatible operations, and by interviewing the IS staff, the auditor can get an overview of the tasks performed. Based on the observations and interviews the auditor can evaluate the segregation of duties.
Management may not be aware of the detailed functions of each employee in the IS department; therefore, discussion with the management would provide only limited information regarding segregation of duties during the course of an IT audit.
An organization chart would not provide details of the functions of the employees. Testing of user rights would provide information about the rights they have within the IS systems, but would not provide complete information about the functions they perform during an audit.
Related Tags: IT Compliance, IT segregation of duties, IT Audit, cisa, cism
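As an added example (not code from either post), the Python below carries out the two tests described in Audit Process #11 and Audit Process #5 over constructed evidence: it scans a user-rights export for personnel outside the authorised role who can change application parameters, and it checks the duties recorded during observation and interviews against a list of incompatible combinations. The roles, privilege names, incompatible pairs and staff are assumptions.

```python
"""Two audit tests over constructed evidence (added example, not the posts' own
code): (1) can personnel outside the authorised role change application
parameters, and (2) does any one person perform incompatible duties."""

# Constructed extract of a user-rights export from the inventory application.
USER_RIGHTS = {
    "alice": {"role": "app_admin", "privileges": {"change_parameters", "view_orders"}},
    "bob":   {"role": "buyer",     "privileges": {"create_po", "view_orders"}},
    "carol": {"role": "buyer",     "privileges": {"create_po", "change_parameters"}},
    "dave":  {"role": "warehouse", "privileges": {"receive_goods"}},
}
# Assumption: only application administrators may change parameters.
ROLES_ALLOWED_TO_CHANGE_PARAMETERS = {"app_admin"}

# Constructed notes from observing staff and interviewing them: duties actually performed,
# which a rights export alone would not reveal.
OBSERVED_DUTIES = {
    "bob":   {"create_po", "approve_po"},
    "carol": {"create_po"},
    "dave":  {"receive_goods", "approve_po"},
    "erin":  {"receive_goods", "pay_invoice"},
}
# Assumed incompatible duty pairs for a purchasing cycle.
INCOMPATIBLE_DUTIES = {
    frozenset({"create_po", "approve_po"}),
    frozenset({"receive_goods", "pay_invoice"}),
    frozenset({"approve_po", "pay_invoice"}),
}


def parameter_change_exceptions(user_rights, allowed_roles):
    """Users who can change parameters although their role is not authorised to."""
    return sorted(
        user for user, rights in user_rights.items()
        if "change_parameters" in rights["privileges"] and rights["role"] not in allowed_roles
    )


def segregation_conflicts(observed_duties, incompatible):
    """(person, conflicting pair) for every incompatible pair one person performs."""
    conflicts = []
    for person, duties in sorted(observed_duties.items()):
        for pair in sorted(incompatible, key=sorted):
            if pair <= duties:
                conflicts.append((person, tuple(sorted(pair))))
    return conflicts


if __name__ == "__main__":
    print("parameter change exceptions:",
          parameter_change_exceptions(USER_RIGHTS, ROLES_ALLOWED_TO_CHANGE_PARAMETERS))
    for person, pair in segregation_conflicts(OBSERVED_DUTIES, INCOMPATIBLE_DUTIES):
        print(f"segregation conflict: {person} performs {pair[0]} and {pair[1]}")
```

Note that erin does not appear in the rights export at all: the conflict is only visible from what was observed, which is the point the segregation-of-duties post makes about testing user rights alone.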
Saturday, April 14, 2007
CISA 2007 - Audit Process #4
Redundancy Check - A check that appends calculated bits to the end of a data stream to detect transmission errors in the data.
Parity Check - A hardware control that detects data errors when data is transmitted from one computer to another, from memory, or during transmission.
Check Digit - Check digits detect transposition or transcription errors.
Reasonableness Check - A check that compares data to predefined reasonability limits or occurrence rates established for the data.
Related Tags: cisa, IT compliance, IT governance, IT audit
Thursday, April 12, 2007
CISA 2007 - Audit Process #3
There are different types of controls that can help prevent, avoid or detect risk. They are:
Detective Controls: Controls that detect and report errors, omissions or malicious acts. Examples are hash totals and echo controls in telecommunications.
Preventive Controls: Detect problems before they arise.
Example: Encryption software used to prevent unauthorised access
Corrective Controls: Correct problems before they occur.
Example: Contingency planning, backup procedures
Related Tags: cisa, cissp, it audit, it governance, it compliance
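The checks listed in Audit Process #4 and the hash-total detective control named in Audit Process #3 are small enough to show working, so here is an added example (not from either post) implementing each over constructed data: an even parity bit, a modulus-10 (Luhn) check digit, a CRC-32 redundancy check appended to a byte stream, a reasonableness limit, and a hash total that reconciles a batch as sent against the batch as received. Luhn is assumed as the check-digit scheme; the batch records and limits are constructed.

```python
"""Input/transmission checks (Audit Process #4) and a hash-total detective
control (Audit Process #3) over constructed data. Added example; the Luhn
scheme, the batch records and the reasonableness limits are assumptions."""
import zlib


def even_parity_bit(byte: int) -> int:
    """Parity bit that makes the number of 1 bits in byte+parity even."""
    return bin(byte & 0xFF).count("1") % 2


def parity_ok(byte: int, parity_bit: int) -> bool:
    """A single flipped bit changes the parity; two flipped bits cancel out."""
    return even_parity_bit(byte) == parity_bit


def luhn_check_digit(payload: str) -> int:
    """Modulus-10 (Luhn) check digit, assumed here as one common scheme. It
    catches every single-digit transcription error and most adjacent transpositions."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        digit = int(ch)
        if i % 2 == 0:  # digit adjacent to the check digit is doubled
            digit = digit * 2 - 9 if digit * 2 > 9 else digit * 2
        total += digit
    return (10 - total % 10) % 10


def check_digit_ok(number: str) -> bool:
    """Validate a number whose last character is its check digit."""
    return luhn_check_digit(number[:-1]) == int(number[-1])


def append_crc(data: bytes) -> bytes:
    """Redundancy check: calculated bits (CRC-32) appended to the data stream."""
    return data + zlib.crc32(data).to_bytes(4, "big")


def crc_ok(frame: bytes) -> bool:
    """Recompute the CRC over the body and compare with the appended bits."""
    body, tag = frame[:-4], frame[-4:]
    return zlib.crc32(body).to_bytes(4, "big") == tag


def reasonable(value: float, low: float, high: float) -> bool:
    """Reasonableness check against predefined limits (constructed: weekly hours 0-80)."""
    return low <= value <= high


def hash_total(records, field: str) -> int:
    """Sum of a non-financial field (e.g. account numbers) used only as a control total."""
    return sum(int(r[field]) for r in records)


def batch_reconciles(sent, received, field: str = "account") -> bool:
    """Detective control: a dropped, duplicated or mis-keyed record changes count or total."""
    return len(sent) == len(received) and hash_total(sent, field) == hash_total(received, field)


# Constructed batch of three payment records as sent, plus two received variants.
SENT = [
    {"account": "10021", "amount": 250.0},
    {"account": "20034", "amount": 75.5},
    {"account": "30047", "amount": 910.0},
]
RECEIVED_TRANSPOSED = [{"account": "10012", "amount": 250.0}] + SENT[1:]  # 10021 keyed as 10012
RECEIVED_DROPPED = SENT[:2]


if __name__ == "__main__":
    frame = append_crc(b"hello")
    print("parity", parity_ok(0b10110010, even_parity_bit(0b10110010)))
    print("check digit for 7992739871:", luhn_check_digit("7992739871"))
    print("crc ok:", crc_ok(frame), "corrupted:", crc_ok(b"jello" + frame[5:]))
    print("batch ok:", batch_reconciles(SENT, list(SENT)),
          "transposed:", batch_reconciles(SENT, RECEIVED_TRANSPOSED),
          "dropped:", batch_reconciles(SENT, RECEIVED_DROPPED))
```

Each check detects a different error class: parity a single flipped bit, the check digit a mis-keyed or transposed digit, the CRC a burst of corrupted bits in transit, the reasonableness limit a value that is well-formed but implausible, and the hash total a whole record lost or altered between sending and processing.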
Sunday, April 8, 2007
CISA 2007 - Audit Process continued #2
Continuous and intermittent simulation (CIS) is a moderately complex set of programs that simulates the processing instructions of a transaction. As each transaction is entered into the program it is checked to see if it meets certain predefined criteria. If the predefined criteria are met, the program audits the transaction. If not, it waits for the next transaction until the predefined criteria are met and audits again.
Audit hooks are low-complexity programs that focus on certain specific conditions instead of detailed criteria in identifying transactions for review.
ITF focuses on test versus live data.
During an IT audit, an integrated test facility (ITF) creates a fictitious entity in the database to process test transactions simultaneously with live input. Its advantage is that periodic testing does not require separate test processes. However, careful planning is necessary, and test data must be isolated from production data.
SCARF/EAM focuses on controls versus data.
A snapshot tool is most useful when an audit trail is required.
To detect errors of a previous period in an IT audit, we can make use of generalized audit software features. These include mathematical computations, stratification, statistical analysis, sequence checking, duplicate checking and recomputations.
For example, if the vice president of human resources has requested an IT audit to identify payroll overpayments for the previous year, it would be good to use generalized audit software features, because you could design appropriate tests to recompute the payroll and thereby determine whether there were overpayments and to whom they were made.
Test data would test for the existence of IT controls that might prevent overpayments, but it would not detect specific, previous miscalculations. Neither an integrated test facility nor an embedded audit module would detect errors for a previous period.
Related Tags: IT audit, CISA, CISM, IT governance, IT Compliance
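The payroll scenario above is the kind of test generalized audit software runs over a prior-period data extract. As an added example (not the post's own code and not any GAS product), the Python below recomputes each payroll record under an assumed pay rule, lists overpayments with the employee and amount, runs a duplicate check on employee-and-period, and stratifies the register by amount paid. The pay rule (160 regular hours, overtime at 1.5x), the records and the bands are constructed.

```python
"""Generalized-audit-software style tests over a constructed prior-year payroll
register. Added example; the pay rule, records and bands are assumptions."""
from collections import Counter

# Assumed pay rule: 160 regular hours per period, overtime at 1.5x the rate.
REGULAR_HOURS = 160
OVERTIME_MULTIPLIER = 1.5

# Constructed payroll register for the audited year. E002 is overpaid by 200 in
# 2006-01 and also paid twice for that period; E003 is underpaid (not an overpayment).
PAYROLL = [
    {"emp": "E001", "period": "2006-01", "hours": 160, "rate": 20.0, "paid": 3200.0},
    {"emp": "E002", "period": "2006-01", "hours": 150, "rate": 25.0, "paid": 3950.0},
    {"emp": "E003", "period": "2006-01", "hours": 170, "rate": 30.0, "paid": 5100.0},
    {"emp": "E002", "period": "2006-01", "hours": 150, "rate": 25.0, "paid": 3750.0},
    {"emp": "E004", "period": "2006-02", "hours": 160, "rate": 18.0, "paid": 2880.0},
]


def expected_pay(rec) -> float:
    """Recomputation: what the record should have paid under the assumed pay rule."""
    regular = min(rec["hours"], REGULAR_HOURS)
    overtime = max(rec["hours"] - REGULAR_HOURS, 0)
    return round(regular * rec["rate"] + overtime * rec["rate"] * OVERTIME_MULTIPLIER, 2)


def overpayments(register):
    """(employee, period, amount overpaid) for each record paid above the recomputed figure."""
    found = []
    for rec in register:
        diff = round(rec["paid"] - expected_pay(rec), 2)
        if diff > 0:
            found.append((rec["emp"], rec["period"], diff))
    return found


def duplicate_payments(register):
    """Duplicate checking: the same employee paid more than once for one period."""
    counts = Counter((rec["emp"], rec["period"]) for rec in register)
    return sorted(key for key, n in counts.items() if n > 1)


def stratify_by_amount(register, bands=((0, 3000), (3000, 5000), (5000, float("inf")))):
    """Stratification: total paid per amount band, to focus further testing."""
    totals = {band: 0.0 for band in bands}
    for rec in register:
        for low, high in bands:
            if low <= rec["paid"] < high:
                totals[(low, high)] += rec["paid"]
    return totals


if __name__ == "__main__":
    print("overpayments:", overpayments(PAYROLL))
    print("duplicates:", duplicate_payments(PAYROLL))
    for band, total in stratify_by_amount(PAYROLL).items():
        print(f"band {band}: {total:.2f}")
```

The recomputation deliberately reports only positive differences; an underpayment is a finding of a different kind and is reported separately rather than netted against overpayments.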
CISA 2007 - Audit Process continued #1
Inherent risk can also be defined as an error occurring without compensating controls.
Sampling risk is the wrong assumption made with regard to the population being sampled.
A risk-based approach in auditing involves understanding the business processes of the company audited, because business risks will affect the long-term viability of the business.
Before using an integrated test facility (ITF) we need to isolate test data from production data, because it involves testing test data on live programs.
Related Tags: IT audit, CISA, CISM, IT governance, IT Compliance
Friday, April 6, 2007
CISA 2007 - Audit Process
In order to conduct a risk-based approach audit, we must understand the different kinds of risks.
1.) Inherent risks - Risks that occur because of the nature of the business. For example, complex calculations are easier to misstate than simple calculations, and money is more likely to be stolen than an inventory of coal.
2.) Control risks - The risk that a material error occurs that will not be prevented or detected in a timely manner by internal control systems. For example, the risk of overlooking massive volumes of log files is higher than with automatic data validation by computer programs.
3.) Detection risks - The risk that an Information Systems Auditor uses inadequate test procedures and concludes that material errors do not exist when in fact they do.
Using statistical sampling, an IS auditor can quantify how closely the sample should represent the population and quantify the probability of error.
The use of statistical sampling helps minimise detection risk.
Related Tags: cissp, cisa, IT audit, IT governance, IT compliance
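The sampling methods named across these posts (attribute sampling for compliance testing in Audit Process #6, variable and stop-or-go sampling in Audit Process #9, and the statistical sampling note just above) are easier to compare side by side, so here is one added example (not the posts' own code) over two constructed populations: a sample-size formula that quantifies how closely an attribute sample should represent the population, an attribute sample estimating the rate of unapproved new accounts, a mean-per-unit variable sample estimating a total invoice value, and a stop-or-go routine that halts once a minimum number of items has been examined without an exception. The populations, the 1.96 (95% confidence) factor, the seed and the stopping rule are assumptions.

```python
"""Sampling techniques from Audit Process #9, #6 and the statistical sampling
note, over constructed populations. Added example; population sizes, exception
rates, the confidence factor, the seed and the stop-or-go rule are assumptions."""
import math
import random

# Constructed population of 400 new accounts; those with i % 33 == 0 (13 of them)
# lack a documented approval, which is the attribute a compliance test looks for.
ACCOUNTS = [{"account": f"u{i:04d}", "approved": i % 33 != 0} for i in range(400)]
# Constructed population of 300 invoices whose total value a substantive test estimates.
INVOICES = [{"invoice": i, "amount": 100 + (i * 37) % 900} for i in range(300)]


def attribute_sample_size(expected_rate, precision, z=1.96):
    """Items needed so the estimated occurrence rate lies within +/- precision
    at the confidence z encodes (1.96 for 95%): n = z^2 p (1-p) / E^2."""
    return math.ceil(z * z * expected_rate * (1 - expected_rate) / (precision * precision))


def attribute_sample(population, n, is_exception, seed=0):
    """Attribute sampling: estimate the rate of occurrence of an attribute."""
    sample = random.Random(seed).sample(population, n)
    exceptions = [item for item in sample if is_exception(item)]
    return len(exceptions) / n, exceptions


def variable_sample_estimate(population, n, value, seed=0):
    """Variable sampling: mean-per-unit estimate of a numerical total."""
    sample = random.Random(seed).sample(population, n)
    return sum(value(item) for item in sample) / n * len(population)


def stop_or_go(population, is_exception, min_items, max_items, seed=0):
    """Stop-or-go sampling: draw items one at a time and stop as soon as
    min_items have been examined with no exception; otherwise keep going
    up to max_items. Returns (items examined, exceptions found)."""
    order = list(population)
    random.Random(seed).shuffle(order)
    examined = exceptions = 0
    for item in order[:max_items]:
        examined += 1
        exceptions += int(is_exception(item))
        if examined >= min_items and exceptions == 0:
            break
    return examined, exceptions


if __name__ == "__main__":
    not_approved = lambda acct: not acct["approved"]
    n = attribute_sample_size(0.05, 0.03)
    rate, found = attribute_sample(ACCOUNTS, n, not_approved)
    print(f"attribute sample of {n}: {rate:.3f} unapproved ({len(found)} found)")
    est = variable_sample_estimate(INVOICES, 60, lambda inv: inv["amount"])
    print(f"variable sample of 60: estimated total {est:,.0f} "
          f"(actual {sum(inv['amount'] for inv in INVOICES):,})")
    print("stop-or-go:", stop_or_go(ACCOUNTS, not_approved, 25, 100))
```

Note how the attribute result is a rate (does the control operate?), while the variable result is a quantity (how much?), which is the compliance-versus-substantive distinction the posts draw; the stop-or-go routine stops early only when it sees no exceptions at all, which is why it suits populations expected to be nearly clean.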
CISA 2007 Exam Information
It's time now to share knowledge on the CISA 2007 exam. This year it has been divided into:
Area 1 - IS Audit Process (10%)
Area 2 - IT Governance (15%)
Area 3 - Systems & Infrastructure Life-Cycle Management (16%)
Area 4 - IT Service and Delivery Report (14%)
Area 5 - Protection of Information Assets (31%)
Area 6 - Business Continuity and Disaster Recovery (14%)
Related Tags: cisa 2007 review manual, cisa, cism, IT audit, IT compliance, IT governance, Disaster Recovery