Chapter 1 - Information System Auditing Process, Part A: Planning Flashcards
IS audit is the formal examination and/or testing of information systems to determine whether:
In compliance; IS data & information have appropriate levels of CIA; IS operations are accomplished efficiently & effectively
Typical audit process consists of three major phases:
Planning, Fieldwork/Documentation, Reporting/Follow-Up
The framework for the ISACA IS Audit & Assurance Standards provides multiple levels of documents:
Standards; Guidelines, Tools & Techniques
Define mandatory requirements for IS audit & assurance & reporting
Standards
Provide guidance in applying IS audit and assurance standards
Guidelines
Provide examples of processes an IS auditor might follow in an audit engagement
Tools & techniques
ISACA IS Audit & Assurance Standards - three categories
General, Performance, Reporting
Provide the guiding principles under which the IS assurance profession operates
General
Deal with the conduct of the assignment
Performance
Address the types of reports, means of communication and information communicated
Reporting
An interrelated set of cross-functional activities or events in the delivery of a specific product or service to a customer.
Business Process
Controlled by policies, procedures, practices, and organizational structures designed to provide reasonable assurance that a business process will achieve its objectives.
Business Process
The individual responsible for identifying process requirements, approving process design, and managing process performance
Business Process Owner
The role of the IS internal audit function should be established by an ___
Audit charter (approved by board of directors & audit committee)
Should clearly state management's responsibility and objectives for, and delegation of authority to, the IS audit function
Audit Charter
Conducted at the beginning of the audit process to establish the overall audit strategy & detail the specific procedures to be carried out to implement the strategy & complete the audit
Audit Planning
Ideally lists all of the processes that may be considered for audit; all of the relevant processes that represent the blueprint of the enterprise’s business
Audit Universe
Based on which inputs can be solicited from the business
Reputation Factor
Steps to Perform Audit Planning
The content of legal regulations pertains to:
Establishment of Regulatory Requirements; Responsibilities assigned to Corresponding Entities; Financial, operational, and IS audit functions
Legal requirements placed on audit or IS audit
Audit scope & audit objectives
Legal requirements placed on the auditee & its systems, data management, reporting
Internal & External audit & assurance professionals
Buying & selling goods online
Ecommerce
Business conducted between orgs
Business to Business (B to B)
Business conducted between an org & its customers
Business to Consumer
Business conducted between customers, primarily using a third-party platform
Consumer to Consumer
Business conducted between a consumer & business
Consumer to Business
Business conducted between an org & a public administration
Business to Government
Business conducted between a consumer & public administration or government
Consumer to government
Software transferred between systems & executed on a local system using cross-platform code without explicit installation by the recipient computer
Mobile code
XML associated standards:
Extensible Stylesheet Language (XSL), XML Query (XQuery), XML encryption
Ecommerce Risk elements:
Confidentiality, Integrity, Availability, Authentication & Nonrepudiation, Power shift to consumers
Requires communication software, translation software, and access to standards
Electronic Data Interchange (EDI)
Moves data from one point to another, flags the start and end of an EDI transmission, and determines how acknowledgements are transmitted and reconciled
Communications software
Helps build a map and shows how the data fields from the application correspond to elements of an EDI standard
Translation Software
Uses map to convert data back and forth between the application and EDI formats
EDI systems/access to standards
In reviewing EDI, the auditor should be aware of two approaches related to EDI:
Traditional proprietary version, the development of EDI
Traditional EDI functions:
Communications handler, EDI interface, Application system
Biggest risk to EDI
Transaction authorization
EDI audits may involve:
Audit monitors, expert systems
Devices installed at EDI workstations to capture transactions as they are received
Audit monitors
Within the context of using the computer system for internal control checks, consideration should be given to having audit monitors evaluate the transactions received
Expert systems
Two principal components of Email
Mail servers, clients
Enable the capture of data at the time and place that sales transactions occur
Point of sale (POS) systems
Effective risk management controls for ebanking:
Board & management oversight; security controls; legal & reputational risk management
The electronic transfer of funds between a buyer, seller, and their respective financial institutions
EFT
Specialized form of a POS terminal that is designed for the unattended use by a customer of a financial institution
ATM
An integral element of the financial services industry & enables providers to emerge within & across countries
Electronic Finance (efinance)
Phone technology that allows a computer to detect voice and touch tones using a normal phone call
Integrated Voice Response (IVR)
Purchase account functions:
Accounts payable processing, goods received processing, order processing
Contains specific information or fact patterns associated with particular subject matter and the rules for interpreting these facts
Knowledge Base (KB)
KB can be expressed in several ways:
Decision trees, rules, semantic nets
Use of questionnaires to lead the user through a series of choices, until a conclusion is reached
Decision Trees
Expression of declarative knowledge through the use of if-then relationships
Rules
Use of a graph in which nodes represent physical or conceptual objects and the arcs describe the relationship between nodes
Semantic nets
Inclusion of knowledge from an expert into the system without the traditional mediation of a software engineer
Knowledge interface
Collection of data from nonhuman sources through an expert system
Data interface
Linking the business processes between the related entities such as the buyer and the seller
Supply Chain Management (SCM)
Prevents, detects, and/or contains an incident and enables recovery from a risk event
Effective Control
An objective of one or more operational area(s) or role(s) to be achieved in order to contribute to the fulfillment of strategic goal(s) of the company
Control Objective
___ Controls apply to all areas of an organization
General controls
Each general control can be translated into an ___ specific control
IS
Deployment of audit resources to areas within an organization that represent the greatest risk
Risk-based audit planning
The risk that information collected may contain a material error that may go undetected during the course of the audit
Audit risk
Audit risk is influenced by:
Inherent risk, Control Risk, Detection Risk, Overall Audit Risk
A subset of risk assessment and is used during audit planning to help identify risk and vulnerabilities so an IS auditor can determine the controls needed to mitigate risk
Risk analysis
Types of audits and assessments:
IS, Compliance, Financial, Operational, Integrated, Administrative, Specialized (Third Party, Fraud, Forensic), Computer forensic, Functional