Ch.11 - Secrets of a Successful Auditor

Question 1

Executive/Senior Management Misconduct (Examples)

Answer 1

• Italy’s Parmalat dairy scandal (2003)
  o Executives lied about having an account of 4 billion Euro of assets in the Cayman Islands
• Bernie Madoff pled guilty to architecting $65 billon Ponzi scheme almost collapsing Wall Street
  o Took clients’ money while never making any legitimate investments on their behalf
• International Product Investment Corp. (IPIC) CEO Gregory Earl Setser was convicted of conspiracy, securities fraud, and money laundering
  o Sentenced to 40 years in prison and ordered to pay $62 million in restitution for scam

Question 2

Demand for IS/IT Audit

Answer 2

U.S. Securities and Exchange Commission reported more than 1,000 successful corporate fraud convictions from 2002–2005 (many were made by senior management)

Question 3

Regulations Put in Place

Answer 3

Intended to prevent “shortcuts” while putting a minimum limit on control
✓ Committee of Sponsoring Organizations of the Treadway Commission (COSO)
o United Nations committee created series of regulatory laws tailored to each country
✓ Banking Regulations
o Improve risk management, record keeping and data security
✓ Other Important Regulations
o Medical records Mgt, security of gov info processing, security of automated controls

Question 4

Purpose of Regulations (Objectives)

Answer 4

Verify that assets, threats, and vulnerabilities are properly identified and managed to reduce risk – this is what IS auditor would do

• Evidence of operational integrity
• Evidence of internal controls to protect valuable assets

In the past- concentration on financial audits (Review bank balances, verifying transactions totals are correct)

Now more emphases on IS audit to ensure that orgs are properly governed

Question 5

Governance Is Leadership

Answer 5

• To lead an org is what governance is all about
  o Executive Mgt is expected to use its position to set operating rules, which becomes the organization’s culture
• To govern is to lead by position of authority, set rules, designate priorities, and exercise good decisions – Every org must undertake risks in order to move forward and survive.

Question 6

Purpose of Auditing

Answer 6

• Determine if actions of orgs are formally authorized and controlled to reduce unnecessary risk
• Used to measure success of organizational governance
• As an auditor, you must be familiar with:
  o Various policies, standards and procedures of any org that you are auditing
  ▪ Auditing principles are essentially the same for gov and commercial business

Question 7

Audit Results Indicate the Truth

Answer 7

Auditors should tell the truth only

Governance exists if the right people of authority looked at the issue, made an intelligent decision, and took appropriate action

• One of the most acceptable methods of governing is through issuing policies, with supporting standards, guidelines, and easy-to follow procedures for staffs to follow
• Results are tested through audits
• Auditors - Compare written procedures to observing person performing tasks – To find truth

Question 8

Policies

Answer 8

Executive mandate to identify topic containing particular risks to avoid/prevent
- High-level documents signed by person having significant authority to force cooperation
o Authority of person mandating policy will determine scope of implementation
- State high-level control objective that is important to org’s success
- Compliance is mandatory when policy is officially mandated

Question 9

Standards

Answer 9

Contain measurement control points to ensure uniform implementation in support of policy
- Standards identify specific control points necessary for compliance
- Standards do not contain workflow for compliance
- Management’s job is to use individual points from each standard to create appropriate
procedures in complete workflow to obtain compliance within org
o Standard is implemented with different levels of influence – depends on authority level

Question 10

Regulatory Standard

Answer 10

Regulatory control when mandated by gov law or gov agency to protect economy, society, or our environment

Question 11

Industry Standard

Answer 11

Specifications developed by inventor (de facto) until widespread adoption of ratified standard

Question 12

Organizational Standard

Answer 12

Executive management at various organizations will set their own standards to help obtain their goals

Question 13

Personal Standard

Answer 13

Person’s own internal standard will govern its life – depends on age, education or life experiences

Question 14

Guidelines

Answer 14

Intended to provide advice pertaining to how organizational objectives might be obtained in the absence of a standard
- Provide info to help make decisions about:
o Intended goals (should do)
o Beneficial alternatives (could do)
o Actions that would not create problems (won’t hurt)
- Are Discretionary because directions provided are usually incomplete
- User has to adapt/discard portions of info to fit intended use

Question 15

Procedures

Answer 15

Step-by-steps instructions of specific tasks necessary to achieve minimum compliance to a standard – need to update ineffective procedures

• “Best practices” represent info suggested to help users develop their own procedures
• Purpose = Maintain highest possible control over outcome
• Compliance with established procedures is mandatory to ensure consistency and accuracy

Question 16

Ethics

Answer 16

Knowing what is right/wrong and doing the right thing each time – place client’s interest first

Question 17

Following ISACA (Information Systems Audit and Control Association) Code

Answer 17

1) Auditors agree to support implementation of appropriate policies, standards, guidelines, and procedures for IS – also encourage compliance with this objective
2) Auditors agree to perform their duties with objectivity, professional care, and due diligence in accordance with professional standards implementing use of best practices
3) Auditors agree to serve interests of stakeholders in honest/lawful manner that reflects a credible image upon their profession
4) Auditors promise to maintain privacy and confidentiality of info obtained during their audit except for required disclosure to legal authorities
5) Auditors agree to undertake only activities in which they are professionally competent and strive to improve – effectiveness depends on how evidence is gathered, analyzed, and reported
6) Auditors promise to disclose accurate results of work and significant facts to appropriate parties
7) Auditors agree to support ongoing professional education to help stakeholders enhance their understanding of IS security and control
8) Failure of a CISA to comply with this code of professional ethics may result in an investigation with possible sanctions /disciplinary measures

Question 18

Common Examples of Unethical/Criminal Behavior

Answer 18

• Theft of intellectual Property
• Copyright Violations
• Failing to Follow Your Own Rules
• Violating the Law
• Not reporting Violations Promptly

Question 19

Understanding the Purpose of an Audit

Answer 19

An audit is a review of past history. The IS auditor is:
• Expected to follow defined audit process
• Establish audit criteria
• Gather meaningful evidence
• Render independent opinion about internal controls
Audit involves applying various techniques for collecting meaningful evidence and performing a comparison of the audit evidence against the standard for reference

• If Mgt assertions and auditor’s report are in agreement – expect results to be truthful
• If Mgt assertions and auditor’s report do not agree – concern warranting further attention

Question 20

Classifying Basic Types of Audits

Answer 20

Internal Audits and Assessments
External Audits
Independent Audits

Question 21

Internal Audits and Assessments

Answer 21

Involves auditors within their own org looking to discover evidence of what is occurring inside the org (self-assessment) – shared findings

Question 22

External Audits

Answer 22

Customer audits their vendor/supplier to verify integrity of transactions, internal controls, compliance, or entire relationship

Question 23

Independent Audits

Answer 23

Outside of customer-supplier influence – Third-party independent auditors are relied on for licensing, certification, or product approval

Question 24

Product audits

Answer 24

Check attributes against design specification (size, color, markings) of product

Question 25

Process audits

Answer 25

Evaluate process method to determine whether activities/sequence of activities meet published requirements – involve inputs/actions/outputs

Question 26

System audits

Answer 26

Seek to evaluate Mgt of system (including its configuration) – The auditor is interested in team members’ activities, control environment, event monitoring, how customer needs are determined, who provides authorization, how changes are implemented, preventative maintenance, and incident response capability

Question 27

Financial audits

Answer 27

Verify financial records, transactions, and account balances – compare integrity of financial records and accounting to accounting standards

Question 28

Operational audits

Answer 28

Verify effectiveness and efficiency of operational practices – Used frequently in service and process environments, including IT service providers

Question 29

Integrated audits

Answer 29

Include both financial and operational controls audits

Question 30

Compliance audits

Answer 30

Verify implementation of and adherence to a standard or regulation – could include ISO standards and all gov regulations (look for working control)

Question 31

Administrative audits

Answer 31

Verify that appropriate policies/procedures exist and have been implemented as intended – tests for presence of required documentation

Question 32

Information Systems Certification and/or Accreditation

Answer 32

Involve formal system testing against a

reference standard

Question 33

Surveillance audits

Answer 33

Verify that the auditee is continuing to follow the correct procedures (routine checkup)

Question 34

Understanding Auditor’s Responsibility

Answer 34

Expected to fulfill a fiduciary relationship - acting for benefit of another person and placing responsibilities to be fair and honest ahead of your own interest

Question 35

Comparing Audits to Assessments

Answer 35

• Audit: Systematic inspection of records involving analysis, evidence testing, confirmation
• Assessment: less formal and more cooperative with people/objects under scrutiny

Question 36

Differentiating Between Auditor and Auditee

Answer 36

➢ Auditor: Competent person performing audit
➢ Auditee: Org and people being audited
➢ Client: Person or org with authority to request audit
- Independent: not related professionally, personally, or organizationally to subject of audit
o Should conduct independent test to perform a fair audit

Any conflicts will place a shadow of doubt on the objectivity of the audit findings.
No conflict means you are cleared to proceed.

Question 37

Where do Audit Standards Come From?

Answer 37

• Parent Class with Broad Application across a Variety of Industries (ISO 27002, NIST 800-53)
• Industry Specific with a Limited Scope (FFIEC regulation, HIPAA)
• All governance controls exist for purpose of managing money, protecting assets, safeguarding information, providing process handling, and/or managing people
• Modern commerce controls in world trade are determined by members of COSO, ISO, and Organization for Economic Cooperation and Development (OECD)

Question 38

Various Auditing Standard

Answer 38

1) Compliance Test: Verify that item necessary for compliance exists
2) Substantive Test: Check inside for substance and integrity of a claim
✓ Each standard supports nearly identical terms of reference and supports similar audit objectives
o Originate from gov agency (IT control), military (security), banking (budget/financial)

Question 39

Specific Regulations Defining Best Practices

Answer 39

Every regulation is designed to mandate minimum acceptable requirements when conducting any form of business within that specific industry

• Recommended (Discretionary): Actions that contain statements with the word SHOULD
• Required (Mandatory): Actions that contain the word SHALL
  o Org must comply even if it’ll cause it to lose money – compliance

Question 40

Understanding the Importance of Auditor Confidentiality

Answer 40

• Client entrusts auditor with sensitive info – Good auditor will never reveal it
  o Sensitive info is property of owner and should not be remove from owner’s office
  o Auditor should contact legal counsel for advice concerning confidentiality and laws that would dictate disclosure to authorities
  o Many auditors use automated working papers (WPs) during an audit – Data must be protected with access control and regular data backup
  o Consider using locking security cables and privacy viewing screens for laptops
  o Client shall maintain sole responsibility for the safe retention of the archive

Question 41

Working with Lawyers

Answer 41

Lawyer could issue a letter authorizing the auditor’s work on the client’s behalf

Question 42

Working with Executives

Answer 42

They are focused on current sales, operating costs, opportunity

Question 43

Working with IT Professionals

Answer 43

Mainly Supporting Roles (IT) or Programmers (IS)

Question 44

Retaining Audit Documentation

Answer 44

Kept for 7+ years by the clients

Question 45

Providing Good Communication and Integration

Answer 45

• Establish mutual understanding of auditor’s role (auditor’s job = second set of eyes)
• Establish mutual respect – Do not insult client; just stick to the facts

Question 46

Understanding Leadership Duties

Answer 46

• Leadership style needs to clearly identify when your directions are mandatory and when they are open to feedback and comments
• Develop specific requirements for success and then share those plans
• Staff holds the fate of their manager in their hands

▪ Audit manager: Responsible for creating clearly defined responsibilities and authority
▪ Vetting: Process of evaluating and editing words to obtain desired outcome

Question 47

Planning and Setting Priorities

Answer 47

o Every audit starts with audit charter or engagement letter
o Customers define focus and scope of audit
o Auditor’s responsibility to gather pre-audit information and develop a schedule

Question 48

Providing Standard terms of Reference

Answer 48

Standard terms of reference can be developed to promote respectful and honest interpretation

Question 49

Dealing with Conflicts and Failures

Answer 49

Exercise common sense with quick response and use past experiences to make the job look effortless (professionalism)

Question 50

Identifying Value of Internal/External Auditors

Answer 50

• Internal: Add enormous value to an org by providing ongoing efforts that help prepare the org for an external audit
• External: paid to be independent reviewers for an organization

Question 51

Understanding Evidence Rule

Answer 51

Without evidence, claim/assertion is unverifiable and auditor cannot separate fact from fiction - best evidence will need little explanation to interpret

Question 52

Stakeholders - Identifying Who You Need to Interview

Answer 52

To justify 15 minutes of somebody’s time, you better have something to discuss that is of greater value than that person’s prorated value to the organization (greater than prorated revenue compensation)