
Certified Information Systems Auditor (CISA) Course 1 - The Process of Auditing Information Systems PDF

Pages: 157
Release year: 2016
File size: 2.5 MB
Language: English

Preview Certified Information Systems Auditor (CISA) Course 1 - The Process of Auditing Information Systems

Slide 1: Course 1 - The Process of Auditing Information Systems

Slide 2: Topic A - Management of the IS Audit Function
- Auditing should be managed and led in a manner that ensures all the tasks are performed and accomplished by the audit team
- Auditors should maintain independence as well as their competence in the auditing process
- The audit function should make value-added contributions for senior management
- The audit function should also achieve business objectives

Slide 3: Organization of the IS Audit Function
- Audit services can be either external or internal
- Internal: an internal audit function should be established by charter and have the approval of senior management
  - This can be an internal audit
  - The audit function can operate as an independent group
  - An audit committee integrated within a financial and operational audit provides IT-related control assurance to the financial or management auditors
- External: IS audit services are provided by an external firm
  - The scope and objectives of these services should be listed in a formal contract between the organization and the external auditing team
- In either internal or external auditing the auditing team should be independent, and it should report to a high level of management

Slide 4: IS Audit Resource Management
- As technology changes, it is important that management ensures the auditors keep up to date with new skill sets
- This requires training directed at new auditing techniques and updates in technology
- ISACA standards require that the auditing team be technically competent
- Management should consider the auditor's skills and knowledge when planning an audit

Slide 5: Audit Planning
- Annual planning:
  - Planning has both short- and long-term goals
  - Short-term planning should take into account issues that will be covered during the year
  - Long-term planning will take into account issues regarding changes to the organization's IT strategic direction
  - Both long- and short-term issues should be reviewed annually

Slide 6: Audit Planning Continued
- Other planning considerations:
  - Periodic risk assessments
  - Changes in technology
  - Changing privacy issues
  - Regulatory requirements
  - System implementations or upgrade deadlines
  - Future technologies
  - IS resource limitations

Slide 7: Audit Planning Continued
- Information gathering:
  - An understanding of the overall environment
  - Business practices and functions relating to the audit
  - Types of information systems and technologies supporting the business
  - A listing of all regulatory requirements under which the business operates

Slide 8: Audit Planning Continued
- ISACA IS auditing standards require the auditor to address the audit objectives and to comply with professional auditing standards
- The IS auditor should have a further plan that considers the objectives of the organization that are relevant to what is being audited in the technology infrastructure
- This plan should include an understanding of the organization's IT architecture and technological direction

Slide 9: Audit Planning Continued
- Guidelines that the IS auditor should follow:
  - Reviewing background information such as industry publications and/or annual reports
  - Reviewing prior audit reports
  - Understanding the business and IT long-term plans
  - Talking with managers to learn about the business issues
  - Researching the specific regulations that apply
  - Determining whether any IT functions are outsourced
  - Walking through the organization's facilities

Slide 10: Effect of Laws and Regulations on IS Audit Planning
- Almost every organization will need to comply with government or other external requirements related to computer system practices
- This could include how data is processed, transmitted, and stored
- Special consideration should be given to issues in highly regulated industries
- These considerations should include all the countries in which the organization operates

Slide 11: Effect of Laws and Regulations on IS Audit Planning Continued
- Privacy issues:
  - The auditors must take into account any requirements of privacy laws and regulations
  - For example: the safe harbor principles within the Organisation for Economic Co-operation and Development (OECD) guidelines, which govern privacy and trans-border flows of personal data
  - Possible regulatory aspects to consider could be as follows:
    - Establishment and organization of the regulatory requirements
    - Responsibilities assigned to the organization
    - Financial, operational, and IT audit functions

Slide 12: Effect of Laws and Regulations on IS Audit Planning Continued
- There are two major areas of concern:
  - Legal requirements for the auditors
    - These are the laws, regulations, and contractual agreements
  - Legal requirements for the auditee
    - These would be requirements for systems, data management, reporting, etc.
- These two areas will impact the audit scope and objectives
- Examples of these would be:
  - Sarbanes-Oxley
  - HIPAA

Slide 13: Effect of Laws and Regulations on IS Audit Planning Continued
- The following steps should be followed by the IS auditor to determine the organization's level of compliance:
  - Identification of requirements dealing with:
    - Electronic data such as personal information, copyrights, and e-commerce information
    - Computer system practices and controls
    - How information is stored
  - Documentation of the applicable laws and regulations
  - Determining if the organization has planned to support regulatory requirements
  - Determining if the organization has addressed adherence to applicable laws
  - Determining if there are established procedures to follow these requirements

Slide 14: Topic B - ISACA IT Audit and Assurance Standards and Guidelines
- ISACA code of professional ethics:
  - Support the implementation of, and encourage compliance with, appropriate standards, procedures and controls for information systems
  - Perform their duties with objectivity, due diligence and professional care, in accordance with professional standards and best practices
  - Serve the interests of stakeholders in a lawful and honest manner, while maintaining high standards of conduct and character, and not engage in acts discreditable to the profession
