Ch.11 - Secrets of a Successful Auditor Flashcards

1
Q

Executive/Senior Management Misconduct (Examples)

A
  • Italy’s Parmalat dairy scandal (2003)
    o Executives lied about having an account holding 4 billion Euro of assets in the Cayman Islands
  • Bernie Madoff pled guilty to architecting a $65 billion Ponzi scheme that almost collapsed Wall Street
    o Took clients’ money while never making any legitimate investments on their behalf
  • International Product Investment Corp. (IPIC) CEO Gregory Earl Setser was convicted of conspiracy, securities fraud, and money laundering
    o Sentenced to 40 years in prison and ordered to pay $62 million in restitution for the scam
2
Q

Demand for IS/IT Audit

A

The U.S. Securities and Exchange Commission reported more than 1,000 successful corporate fraud convictions from 2002–2005 (many of the frauds were committed by senior management)

3
Q

Regulations Put in Place

A

Intended to prevent “shortcuts” while putting a minimum limit on control
  • Committee of Sponsoring Organizations of the Treadway Commission (COSO)
    o United Nations committee created a series of regulatory laws tailored to each country
  • Banking regulations
    o Improve risk management, record keeping, and data security
  • Other important regulations
    o Medical records management, security of government information processing, security of automated controls

4
Q

Purpose of Regulations (Objectives)

A

Verify that assets, threats, and vulnerabilities are properly identified and managed to reduce risk – this is what an IS auditor does

  • Evidence of operational integrity
  • Evidence of internal controls to protect valuable assets

In the past, the concentration was on financial audits (reviewing bank balances, verifying that transaction totals are correct)

Now there is more emphasis on IS audits to ensure that organizations are properly governed

5
Q

Governance Is Leadership

A
  • To lead an organization is what governance is all about
    o Executive management is expected to use its position to set operating rules, which become the organization’s culture
  • To govern is to lead by position of authority, set rules, designate priorities, and exercise good decisions – every organization must undertake risks in order to move forward and survive
6
Q

Purpose of Auditing

A
  • Determine whether the actions of an organization are formally authorized and controlled to reduce unnecessary risk
  • Used to measure the success of organizational governance
  • As an auditor, you must be familiar with:
    o The various policies, standards, and procedures of any organization that you are auditing
    o Auditing principles are essentially the same for government and commercial business
7
Q

Audit Results Indicate the Truth

A

Auditors should tell only the truth

Governance exists if the right people of authority looked at the issue, made an intelligent decision, and took appropriate action

  • One of the most accepted methods of governing is issuing policies, with supporting standards, guidelines, and easy-to-follow procedures for staff to follow
  • Results are tested through audits
  • Auditors compare the written procedures against observation of the person performing the tasks in order to find the truth
8
Q

Policies

A

An executive mandate identifying a topic that contains particular risks to avoid or prevent
  • High-level documents signed by a person having significant authority to force cooperation
    o The authority of the person mandating the policy determines the scope of implementation
  • State a high-level control objective that is important to the organization’s success
  • Compliance is mandatory when the policy is officially mandated

9
Q

Standards

A

Contain measurement control points to ensure uniform implementation in support of a policy
  • Standards identify the specific control points necessary for compliance
  • Standards do not contain a workflow for compliance
  • Management’s job is to use the individual points from each standard to create appropriate procedures in a complete workflow that obtains compliance within the organization
    o A standard is implemented with different levels of influence – this depends on the authority level behind it

10
Q

Regulatory Standard

A

A regulatory control is one mandated by government law or a government agency to protect the economy, society, or the environment

11
Q

Industry Standard

A

Specifications developed by an inventor (de facto standard) until a ratified standard is widely adopted

12
Q

Organizational Standard

A

Executive management at various organizations will set their own standards to help obtain their goals

13
Q

Personal Standard

A

A person’s own internal standard governs his or her life – it depends on age, education, or life experiences

14
Q

Guidelines

A

Intended to provide advice pertaining to how organizational objectives might be obtained in the absence of a standard
  • Provide information to help make decisions about:
    o Intended goals (should do)
    o Beneficial alternatives (could do)
    o Actions that would not create problems (won’t hurt)
  • Are discretionary because the directions provided are usually incomplete
  • The user has to adapt or discard portions of the information to fit the intended use

15
Q

Procedures

A

Step-by-step instructions for the specific tasks necessary to achieve minimum compliance with a standard – ineffective procedures need to be updated

  • “Best practices” represent information suggested to help users develop their own procedures
  • Purpose = maintain the highest possible control over the outcome
  • Compliance with established procedures is mandatory to ensure consistency and accuracy
16
Q

Ethics

A

Knowing what is right/wrong and doing the right thing each time – place client’s interest first

17
Q

Following ISACA (Information Systems Audit and Control Association) Code

A

1) Auditors agree to support the implementation of appropriate policies, standards, guidelines, and procedures for IS – and also encourage compliance with this objective
2) Auditors agree to perform their duties with objectivity, professional care, and due diligence in accordance with professional standards, implementing the use of best practices
3) Auditors agree to serve the interests of stakeholders in an honest and lawful manner that reflects a credible image upon their profession
4) Auditors promise to maintain the privacy and confidentiality of information obtained during their audit, except for required disclosure to legal authorities
5) Auditors agree to undertake only activities in which they are professionally competent and strive to improve – effectiveness depends on how evidence is gathered, analyzed, and reported
6) Auditors promise to disclose accurate results of their work and significant facts to the appropriate parties
7) Auditors agree to support ongoing professional education to help stakeholders enhance their understanding of IS security and control
8) Failure of a CISA to comply with this code of professional ethics may result in an investigation with possible sanctions or disciplinary measures

18
Q

Common Examples of Unethical/Criminal Behavior

A
  • Theft of intellectual property
  • Copyright violations
  • Failing to follow your own rules
  • Violating the law
  • Not reporting violations promptly
19
Q

Understanding the Purpose of an Audit

A

An audit is a review of past history. The IS auditor is expected to:
  • Follow a defined audit process
  • Establish audit criteria
  • Gather meaningful evidence
  • Render an independent opinion about internal controls

An audit involves applying various techniques for collecting meaningful evidence and comparing that evidence against the standard used for reference

  • If management’s assertions and the auditor’s report are in agreement – expect the results to be truthful
  • If management’s assertions and the auditor’s report do not agree – this is a concern warranting further attention
20
Q

Classifying Basic Types of Audits

A

  • Internal audits and assessments
  • External audits
  • Independent audits

21
Q

Internal Audits and Assessments

A

Auditors within their own organization look to discover evidence of what is occurring inside the organization (self-assessment) – findings are shared

22
Q

External Audits

A

A customer audits its vendor/supplier to verify the integrity of transactions, internal controls, compliance, or the entire relationship

23
Q

Independent Audits

A

Outside of customer–supplier influence – third-party independent auditors are relied on for licensing, certification, or product approval

24
Q

Product audits

A

Check the attributes of a product (size, color, markings) against its design specification

25
Q

Process audits

A

Evaluate a process method to determine whether the activities, or the sequence of activities, meet published requirements – involves inputs, actions, and outputs

26
Q

System audits

A

Seek to evaluate the management of a system (including its configuration) – the auditor is interested in team members’ activities, the control environment, event monitoring, how customer needs are determined, who provides authorization, how changes are implemented, preventative maintenance, and incident response capability

27
Q

Financial audits

A

Verify financial records, transactions, and account balances – compare the integrity of financial records and accounting against accounting standards

28
Q

Operational audits

A

Verify the effectiveness and efficiency of operational practices – used frequently in service and process environments, including IT service providers

29
Q

Integrated audits

A

Include both financial and operational controls audits

30
Q

Compliance audits

A

Verify implementation of and adherence to a standard or regulation – could include ISO standards and all government regulations (looks for working controls)

31
Q

Administrative audits

A

Verify that appropriate policies and procedures exist and have been implemented as intended – tests for the presence of required documentation

32
Q

Information Systems Certification and/or Accreditation

A

Involve formal system testing against a reference standard

33
Q

Surveillance audits

A

Verify that the auditee is continuing to follow the correct procedures (routine checkup)

34
Q

Understanding Auditor’s Responsibility

A

Expected to fulfill a fiduciary relationship – acting for the benefit of another person and placing the responsibility to be fair and honest ahead of your own interests

35
Q

Comparing Audits to Assessments

A
  • Audit: Systematic inspection of records involving analysis, evidence testing, confirmation
  • Assessment: less formal and more cooperative with people/objects under scrutiny
36
Q

Differentiating Between Auditor and Auditee

A

  • Auditor: competent person performing the audit
  • Auditee: organization and people being audited
  • Client: person or organization with the authority to request the audit
  • Independent: not related professionally, personally, or organizationally to the subject of the audit
    o The auditor should conduct independent tests in order to perform a fair audit

Any conflict will place a shadow of doubt on the objectivity of the audit findings.
No conflict means you are cleared to proceed.

37
Q

Where do Audit Standards Come From?

A
  • Parent class with broad application across a variety of industries (ISO 27002, NIST 800-53)
  • Industry specific with a limited scope (FFIEC regulation, HIPAA)
  • All governance controls exist for the purpose of managing money, protecting assets, safeguarding information, providing process handling, and/or managing people
  • Modern commerce controls in world trade are determined by members of COSO, ISO, and the Organization for Economic Cooperation and Development (OECD)
38
Q

Various Auditing Standards

A

1) Compliance test: verify that an item necessary for compliance exists
2) Substantive test: check inside for the substance and integrity of a claim
  • Each standard supports nearly identical terms of reference and similar audit objectives
    o Standards originate from government agencies (IT control), the military (security), and banking (budget/financial)

39
Q

Specific Regulations Defining Best Practices

A

Every regulation is designed to mandate the minimum acceptable requirements when conducting any form of business within that specific industry

  • Recommended (discretionary): actions stated with the word SHOULD
  • Required (mandatory): actions stated with the word SHALL
    o The organization must comply even if compliance will cause it to lose money
40
Q

Understanding the Importance of Auditor Confidentiality

A
  • The client entrusts the auditor with sensitive information – a good auditor will never reveal it
    o Sensitive information is the property of its owner and should not be removed from the owner’s office
    o The auditor should contact legal counsel for advice concerning confidentiality and the laws that would dictate disclosure to authorities
    o Many auditors use automated working papers (WPs) during an audit – the data must be protected with access control and regular data backup
    o Consider using locking security cables and privacy viewing screens for laptops
    o The client shall maintain sole responsibility for the safe retention of the archive
41
Q

Working with Lawyers

A

A lawyer could issue a letter authorizing the auditor’s work on the client’s behalf

42
Q

Working with Executives

A

They are focused on current sales, operating costs, and opportunity

43
Q

Working with IT Professionals

A

Mainly Supporting Roles (IT) or Programmers (IS)

44
Q

Retaining Audit Documentation

A

Kept for 7+ years by the client

45
Q

Providing Good Communication and Integration

A
  • Establish mutual understanding of auditor’s role (auditor’s job = second set of eyes)
  • Establish mutual respect – Do not insult client; just stick to the facts
46
Q

Understanding Leadership Duties

A
  • Your leadership style needs to clearly identify when your directions are mandatory and when they are open to feedback and comments
  • Develop specific requirements for success and then share those plans
  • Staff hold the fate of their manager in their hands

  • Audit manager: responsible for creating clearly defined responsibilities and authority
  • Vetting: the process of evaluating and editing words to obtain the desired outcome

47
Q

Planning and Setting Priorities

A

  • Every audit starts with an audit charter or engagement letter
  • Customers define the focus and scope of the audit
  • It is the auditor’s responsibility to gather pre-audit information and develop a schedule

48
Q

Providing Standard Terms of Reference

A

Standard terms of reference can be developed to promote respectful and honest interpretation

49
Q

Dealing with Conflicts and Failures

A

Exercise common sense with quick response and use past experiences to make the job look effortless (professionalism)

50
Q

Identifying Value of Internal/External Auditors

A
  • Internal: add enormous value to an organization by providing ongoing efforts that help prepare the organization for an external audit
  • External: paid to be independent reviewers for an organization
51
Q

Understanding Evidence Rule

A

Without evidence, a claim or assertion is unverifiable and the auditor cannot separate fact from fiction – the best evidence needs little explanation to interpret

52
Q

Stakeholders - Identifying Who You Need to Interview

A

To justify 15 minutes of somebody’s time, you had better have something to discuss that is of greater value than that person’s prorated value to the organization (greater than prorated revenue compensation)