Ch.11 - Secrets of a Successful Auditor Flashcards
Executive/Senior Management Misconduct (Examples)
- Italy’s Parmalat dairy scandal (2003)
o Executives lied about having an account of 4 billion Euro of assets in the Cayman Islands
- Bernie Madoff pled guilty to architecting a $65 billion Ponzi scheme, almost collapsing Wall Street
o Took clients’ money while never making any legitimate investments on their behalf
- International Product Investment Corp. (IPIC) CEO Gregory Earl Setser was convicted of conspiracy, securities fraud, and money laundering
o Sentenced to 40 years in prison and ordered to pay $62 million in restitution for scam
Demand for IS/IT Audit
U.S. Securities and Exchange Commission reported more than 1,000 successful corporate fraud convictions from 2002–2005 (many were made by senior management)
Regulations Put in Place
Intended to prevent “shortcuts” while putting a minimum limit on control
✓ Committee of Sponsoring Organizations of the Treadway Commission (COSO)
o United Nations committee created series of regulatory laws tailored to each country
✓ Banking Regulations
o Improve risk management, record keeping and data security
✓ Other Important Regulations
o Medical records Mgt, security of gov info processing, security of automated controls
Purpose of Regulations (Objectives)
Verify that assets, threats, and vulnerabilities are properly identified and managed to reduce risk – this is what IS auditor would do
- Evidence of operational integrity
- Evidence of internal controls to protect valuable assets
In the past: concentration on financial audits (reviewing bank balances, verifying that transaction totals are correct)
Now more emphasis on IS audit to ensure that orgs are properly governed
Governance Is Leadership
- To lead an org is what governance is all about
o Executive Mgt is expected to use its position to set operating rules, which become the organization’s culture
- To govern is to lead by position of authority, set rules, designate priorities, and exercise good decisions
- Every org must undertake risks in order to move forward and survive
Purpose of Auditing
- Determine if actions of orgs are formally authorized and controlled to reduce unnecessary risk
- Used to measure success of organizational governance
- As an auditor, you must be familiar with:
o Various policies, standards and procedures of any org that you are auditing
▪ Auditing principles are essentially the same for gov and commercial business
Audit Results Indicate the Truth
Auditors should only tell the truth
Governance exists if the right people of authority looked at the issue, made an intelligent decision, and took appropriate action
- One of the most acceptable methods of governing is through issuing policies, with supporting standards, guidelines, and easy-to-follow procedures for staff
- Results are tested through audits
- Auditors compare written procedures against observation of the person performing the tasks – to find the truth
Policies
Executive mandate to identify topic containing particular risks to avoid/prevent
- High-level documents signed by person having significant authority to force cooperation
o Authority of person mandating policy will determine scope of implementation
- State high-level control objective that is important to org’s success
- Compliance is mandatory when policy is officially mandated
Standards
Contain measurement control points to ensure uniform implementation in support of policy
- Standards identify specific control points necessary for compliance
- Standards do not contain workflow for compliance
- Management’s job is to use individual points from each standard to create appropriate procedures in a complete workflow to obtain compliance within the org
o Standard is implemented with different levels of influence – depends on authority level
Regulatory Standard
Regulatory control when mandated by gov law or gov agency to protect economy, society, or our environment
Industry Standard
Specifications developed by inventor (de facto) until widespread adoption of ratified standard
Organizational Standard
Executive management at various organizations will set their own standards to help obtain their goals
Personal Standard
Person’s own internal standard will govern their life – depends on age, education or life experiences
Guidelines
Intended to provide advice pertaining to how organizational objectives might be obtained in the absence of a standard
- Provide info to help make decisions about:
o Intended goals (should do)
o Beneficial alternatives (could do)
o Actions that would not create problems (won’t hurt)
- Are discretionary because the directions provided are usually incomplete
- User has to adapt/discard portions of info to fit intended use
Procedures
Step-by-step instructions for the specific tasks necessary to achieve minimum compliance with a standard – ineffective procedures need to be updated
- “Best practices” represent info suggested to help users develop their own procedures
- Purpose = Maintain highest possible control over outcome
- Compliance with established procedures is mandatory to ensure consistency and accuracy
Ethics
Knowing what is right/wrong and doing the right thing each time – place client’s interest first
Following ISACA (Information Systems Audit and Control Association) Code
1) Auditors agree to support implementation of appropriate policies, standards, guidelines, and procedures for IS – also encourage compliance with this objective
2) Auditors agree to perform their duties with objectivity, professional care, and due diligence in accordance with professional standards implementing use of best practices
3) Auditors agree to serve interests of stakeholders in honest/lawful manner that reflects a credible image upon their profession
4) Auditors promise to maintain privacy and confidentiality of info obtained during their audit except for required disclosure to legal authorities
5) Auditors agree to undertake only activities in which they are professionally competent and strive to improve – effectiveness depends on how evidence is gathered, analyzed, and reported
6) Auditors promise to disclose accurate results of work and significant facts to appropriate parties
7) Auditors agree to support ongoing professional education to help stakeholders enhance their understanding of IS security and control
8) Failure of a CISA to comply with this code of professional ethics may result in an investigation with possible sanctions/disciplinary measures
Common Examples of Unethical/Criminal Behavior
- Theft of Intellectual Property
- Copyright Violations
- Failing to Follow Your Own Rules
- Violating the Law
- Not Reporting Violations Promptly
Understanding the Purpose of an Audit
An audit is a review of past history. The IS auditor is expected to:
• Follow a defined audit process
• Establish audit criteria
• Gather meaningful evidence
• Render an independent opinion about internal controls
An audit involves applying various techniques for collecting meaningful evidence and comparing that evidence against the reference standard
- If Mgt assertions and auditor’s report are in agreement – expect results to be truthful
- If Mgt assertions and auditor’s report do not agree – concern warranting further attention
Classifying Basic Types of Audits
Internal Audits and Assessments
External Audits
Independent Audits