Ch.11 - Secrets of a Successful Auditor Flashcards
Executive/Senior Management Misconduct (Examples)
- Italy’s Parmalat dairy scandal (2003)
o Executives lied about holding roughly 4 billion euros of assets in a Cayman Islands bank account
- Bernie Madoff pled guilty to architecting a $65 billion Ponzi scheme that nearly collapsed Wall Street
o Took clients’ money while never making any legitimate investments on their behalf
- International Product Investment Corp. (IPIC) CEO Gregory Earl Setser was convicted of conspiracy, securities fraud, and money laundering
o Sentenced to 40 years in prison and ordered to pay $62 million in restitution for the scam
Demand for IS/IT Audit
The U.S. Securities and Exchange Commission reported more than 1,000 successful corporate fraud convictions from 2002–2005; many of the frauds were committed by senior management
Regulations Put in Place
Intended to prevent “shortcuts” by establishing a minimum level of control
✓ Committee of Sponsoring Organizations of the Treadway Commission (COSO)
o Joint initiative of five U.S. private-sector accounting and finance associations; publishes the Internal Control – Integrated Framework that auditors use to evaluate internal controls
✓ Banking Regulations
o Improve risk management, record keeping and data security
✓ Other Important Regulations
o Medical records management (e.g. HIPAA), security of government information processing, security of automated controls
Purpose of Regulations (Objectives)
Verify that assets, threats, and vulnerabilities are properly identified and managed to reduce risk – this is what the IS auditor does
- Evidence of operational integrity
- Evidence of internal controls to protect valuable assets
In the past the concentration was on financial audits (reviewing bank balances, verifying that transaction totals are correct)
Now there is more emphasis on IS audits to ensure that orgs are properly governed
Governance Is Leadership
- To lead an org is what governance is all about
o Executive Mgt is expected to use its position to set operating rules, which become the organization’s culture
- To govern is to lead by position of authority, set rules, designate priorities, and exercise good decisions
o Every org must undertake risks in order to move forward and survive
Purpose of Auditing
- Determine if actions of orgs are formally authorized and controlled to reduce unnecessary risk
- Used to measure success of organizational governance
- As an auditor, you must be familiar with:
o Various policies, standards and procedures of any org that you are auditing
▪ Auditing principles are essentially the same for gov and commercial business
Audit Results Indicate the Truth
Auditors report only the truth
Governance exists if the right people of authority looked at the issue, made an intelligent decision, and took appropriate action
- One of the most accepted methods of governing is issuing policies, with supporting standards, guidelines, and easy-to-follow procedures for staff to follow
- Results are tested through audits
- Auditors compare the written procedures against observation of the person actually performing the task – that comparison is how the truth is found
Policies
Executive mandate identifying a topic that contains particular risks to avoid or prevent
- High-level documents signed by person having significant authority to force cooperation
o Authority of person mandating policy will determine scope of implementation
- State high-level control objective that is important to org’s success
- Compliance is mandatory when policy is officially mandated
Standards
Contain measurement control points to ensure uniform implementation in support of policy
- Standards identify specific control points necessary for compliance
- Standards do not contain workflow for compliance
- Management’s job is to use the individual points from each standard to create appropriate procedures in a complete workflow to obtain compliance within the org
o A standard is implemented with different levels of influence – depends on the authority level of who mandates it
Regulatory Standard
Regulatory control when mandated by gov law or gov agency to protect economy, society, or our environment
Industry Standard
Specifications developed by an inventor or vendor and adopted through use (de facto standard) until a formally ratified standard gains widespread adoption
Organizational Standard
Executive management at various organizations will set their own standards to help obtain their goals
Personal Standard
A person’s own internal standard governs their life – depends on age, education, or life experiences
Guidelines
Intended to provide advice pertaining to how organizational objectives might be obtained in the absence of a standard
- Provide info to help make decisions about:
o Intended goals (should do)
o Beneficial alternatives (could do)
o Actions that would not create problems (won’t hurt)
- Are discretionary because the directions provided are usually incomplete
- The user has to adapt or discard portions of the info to fit the intended use
Procedures
Step-by-step instructions for the specific tasks necessary to achieve minimum compliance with a standard – ineffective procedures need to be updated
- “Best practices” represent info suggested to help users develop their own procedures
- Purpose = Maintain highest possible control over outcome
- Compliance with established procedures is mandatory to ensure consistency and accuracy
Ethics
Knowing what is right and wrong and doing the right thing each time – place the client’s interest first
Following the ISACA (formerly the Information Systems Audit and Control Association) Code of Professional Ethics
1) Auditors agree to support the implementation of, and encourage compliance with, appropriate policies, standards, guidelines, and procedures for IS
2) Auditors agree to perform their duties with objectivity, professional care, and due diligence in accordance with professional standards implementing use of best practices
3) Auditors agree to serve interests of stakeholders in honest/lawful manner that reflects a credible image upon their profession
4) Auditors promise to maintain privacy and confidentiality of info obtained during their audit except for required disclosure to legal authorities
5) Auditors agree to undertake only activities in which they are professionally competent and to strive to improve – effectiveness depends on how evidence is gathered, analyzed, and reported
6) Auditors promise to disclose accurate results of work and significant facts to appropriate parties
7) Auditors agree to support ongoing professional education to help stakeholders enhance their understanding of IS security and control
8) Failure of a CISA to comply with this code of professional ethics may result in an investigation with possible sanctions /disciplinary measures
Common Examples of Unethical/Criminal Behavior
- Theft of intellectual Property
- Copyright Violations
- Failing to Follow Your Own Rules
- Violating the Law
- Not reporting Violations Promptly
Understanding the Purpose of an Audit
An audit is a review of past history. The IS auditor is:
• Expected to follow defined audit process
• Establish audit criteria
• Gather meaningful evidence
• Render independent opinion about internal controls
An audit involves applying various techniques for collecting meaningful evidence and comparing that evidence against the reference standard
- If Mgt’s assertions and the auditor’s findings agree – the results can be expected to be truthful
- If Mgt’s assertions and the auditor’s findings do not agree – that is a concern warranting further attention
Classifying Basic Types of Audits
Internal Audits and Assessments
External Audits
Independent Audits
Internal Audits and Assessments
Involve auditors within the org looking for evidence of what is occurring inside their own org (self-assessment) – findings are shared internally
External Audits
Customer audits their vendor/supplier to verify integrity of transactions, internal controls, compliance, or entire relationship
Independent Audits
Outside of customer–supplier influence – third-party independent auditors are relied on for licensing, certification, or product approval
Product audits
Check attributes against design specification (size, color, markings) of product
Process audits
Evaluate process method to determine whether activities/sequence of activities meet published requirements – involve inputs/actions/outputs
System audits
Seek to evaluate Mgt of system (including its configuration) – The auditor is interested in team members’ activities, control environment, event monitoring, how customer needs are determined, who provides authorization, how changes are implemented, preventative maintenance, and incident response capability
Financial audits
Verify financial records, transactions, and account balances – compare integrity of financial records and accounting to accounting standards
Operational audits
Verify effectiveness and efficiency of operational practices – Used frequently in service and process environments, including IT service providers
Integrated audits
Include both financial and operational controls audits
Compliance audits
Verify implementation of and adherence to a standard or regulation – could include ISO standards and all gov regulations (look for working control)
Administrative audits
Verify that appropriate policies/procedures exist and have been implemented as intended – tests for presence of required documentation
Information Systems Certification and/or Accreditation
Involve formal system testing against a reference standard
Surveillance audits
Verify that the auditee is continuing to follow the correct procedures (routine checkup)
Understanding Auditor’s Responsibility
Expected to fulfill a fiduciary relationship: acting for the benefit of another party and placing the responsibility to be fair and honest ahead of your own interests
Comparing Audits to Assessments
- Audit: Systematic inspection of records involving analysis, evidence testing, confirmation
- Assessment: less formal and more cooperative with people/objects under scrutiny
Differentiating Between Auditor and Auditee
➢ Auditor: Competent person performing audit
➢ Auditee: Org and people being audited
➢ Client: Person or org with authority to request audit
- Independent: not related professionally, personally, or organizationally to the subject of the audit
o Should conduct independent tests in order to perform a fair audit
Any conflict of interest places a shadow of doubt over the objectivity of the audit findings.
No conflict means you are cleared to proceed.
Where do Audit Standards Come From?
- Parent class with broad application across a variety of industries (ISO 27002, NIST SP 800-53)
- Industry specific with a limited scope (FFIEC examination guidance for banking, HIPAA for health care)
- All governance controls exist for purpose of managing money, protecting assets, safeguarding information, providing process handling, and/or managing people
- Modern commerce controls in world trade are determined by members of COSO, ISO, and Organization for Economic Cooperation and Development (OECD)
Various Auditing Standards
1) Compliance Test: verifies that a control necessary for compliance exists and is in operation (is there a control?)
2) Substantive Test: examines the underlying data or transactions to check the substance and integrity of a claim (does the control actually work?)
✓ Each standard uses nearly identical terms of reference and supports similar audit objectives
o Standards originate from gov agencies (IT control), the military (security), and banking (budget/financial)
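The difference between the two test types is easiest to see on one control. The following is an added example, not from the study guide: it takes a hypothetical control “privileged accounts must authenticate with MFA” (the control ID, the identity-provider policy export, and the login records are all constructed sample data) and runs a compliance test against the control itself and a substantive test against the activity the control is supposed to govern.

```python
# Added example (not from the study guide): compliance test vs. substantive test
# for one hypothetical control, "privileged accounts must authenticate with MFA".
# CONTROL_ID, policy_export and login_records are constructed sample data.

CONTROL_ID = "AC-MFA-PRIV"  # hypothetical control identifier

# Constructed: what the identity provider's policy export claims
policy_export = {
    "mfa_required_for_privileged": True,
    "privileged_groups": ["domain-admins", "cloud-owners"],
}

# Constructed: a sample of actual authentication records for the test period
login_records = [
    {"user": "alice", "groups": ["domain-admins"], "mfa": True},
    {"user": "bob",   "groups": ["cloud-owners"],  "mfa": True},
    {"user": "carol", "groups": ["domain-admins"], "mfa": False},  # bypassed via a legacy protocol
    {"user": "dave",  "groups": ["helpdesk"],      "mfa": False},  # not privileged: out of scope
]


def compliance_test(policy: dict) -> dict:
    """Compliance test: does the required control exist and is it switched on?
    Looks only at the control itself (the policy setting), not at the data."""
    setting = policy.get("mfa_required_for_privileged")
    return {
        "control": CONTROL_ID,
        "passed": setting is True,
        "evidence": f"policy setting mfa_required_for_privileged={setting}",
    }


def substantive_test(policy: dict, records: list) -> dict:
    """Substantive test: re-performs the check against every in-scope login
    to see whether the control actually operated on the real activity."""
    privileged = set(policy.get("privileged_groups", []))
    in_scope = [r for r in records if privileged & set(r["groups"])]
    exceptions = [r["user"] for r in in_scope if not r["mfa"]]
    return {
        "control": CONTROL_ID,
        "sample_size": len(in_scope),
        "exceptions": exceptions,
        "passed": not exceptions,
    }


def audit_conclusion(compliance: dict, substantive: dict) -> str:
    """Combine the two results the way they would be reported."""
    if compliance["passed"] and substantive["passed"]:
        return "Control exists and is operating effectively"
    if compliance["passed"] and not substantive["passed"]:
        return "Control exists on paper but is not operating effectively"
    return "Control is missing"


if __name__ == "__main__":
    c = compliance_test(policy_export)
    s = substantive_test(policy_export, login_records)
    print(c)
    print(s)
    print(audit_conclusion(c, s))
```

With the constructed data the compliance test passes (the setting exists and is enabled) while the substantive test finds one exception, which is exactly why an auditor who stops at the compliance test would report a control that does not actually work.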
Specific Regulations Defining Best Practices
Every regulation is designed to mandate the minimum acceptable requirements for conducting any form of business within that specific industry
- Recommended (discretionary): statements that use the word SHOULD
- Required (mandatory): statements that use the word SHALL
o The org must comply even if compliance causes it to lose money
Understanding the Importance of Auditor Confidentiality
- The client entrusts the auditor with sensitive info – a good auditor will never reveal it
o Sensitive info is the property of its owner and should not be removed from the owner’s office
o Auditor should contact legal counsel for advice concerning confidentiality and laws that would dictate disclosure to authorities
o Many auditors use automated working papers (WPs) during an audit – Data must be protected with access control and regular data backup
o Consider using locking security cables and privacy viewing screens for laptops
o Client shall maintain sole responsibility for the safe retention of the archive
Working with Lawyers
A lawyer could issue a letter authorizing the auditor’s work on the client’s behalf
Working with Executives
They are focused on current sales, operating costs, and opportunity
Working with IT Professionals
Mainly supporting roles (IT) or programmers (IS)
Retaining Audit Documentation
Kept for 7+ years by the clients
Providing Good Communication and Integration
- Establish mutual understanding of auditor’s role (auditor’s job = second set of eyes)
- Establish mutual respect – Do not insult client; just stick to the facts
Understanding Leadership Duties
- Your leadership style needs to clearly identify when your directions are mandatory and when they are open to feedback and comments
- Develop specific requirements for success and then share those plans
- Staff hold the fate of their manager in their hands
▪ Audit manager: responsible for creating clearly defined responsibilities and authority
▪ Vetting: the process of evaluating and editing wording to obtain the desired outcome
Planning and Setting Priorities
o Every audit starts with an audit charter or engagement letter
o The customer defines the focus and scope of the audit
o It is the auditor’s responsibility to gather pre-audit information and develop a schedule
Providing Standard terms of Reference
Standard terms of reference can be developed to promote respectful and honest interpretation
Dealing with Conflicts and Failures
Exercise common sense with quick response and use past experiences to make the job look effortless (professionalism)
Identifying Value of Internal/External Auditors
- Internal: Add enormous value to an org by providing ongoing efforts that help prepare the org for an external audit
- External: paid to be independent reviewers for an organization
Understanding Evidence Rule
Without evidence, a claim or assertion is unverifiable and the auditor cannot separate fact from fiction – the best evidence needs little explanation to interpret
Stakeholders - Identifying Who You Need to Interview
To justify 15 minutes of somebody’s time, you had better have something to discuss that is worth more than that person’s prorated value to the organization (greater than their prorated revenue compensation)