D1M1: Planning Audits Part 1 Flashcards

1
Q

What is ITAF?

A

Information Technology Assurance Framework - A comprehensive practice-setting reference model:

1) Establishes standards that address IS auditor roles and responsibilities; knowledge and skills; and diligence, conduct and reporting requirements
2) Defines terms and concepts specific to IS assurance
3) Provides guidance, tools and techniques on the planning, design, conduct and reporting of IS audit and assurance assignments

2
Q

What are the typical Audit process phases and subphases?

A

1) Planning (no official subphases)

2) Fieldwork / documentation
a. Review
b. Evidence gathering
c. Evaluation

3) Reporting / follow up
a. Identify weakness, remediation

3
Q

What is an audit universe typically comprised of?

A

All of the relevant processes that represent the blueprint of the enterprise’s business

4
Q

What are risk factors?

A

Those factors that influence the frequency and/or business impact of risk scenarios.

Typically rated high, medium, low. Audit plans are then constructed around either high risk areas or a combination of high, medium and low risk areas – recognizing and considering resource constraints.

5
Q

What are the steps to perform audit planning?

A

1) Gain an understanding of the organization’s mission, objectives, purpose and processes, which include information and processing requirements such as availability, integrity, security and business technology and information confidentiality.
2) Gain an understanding of the organization’s governance structure and practices related to the audit objectives
3) Understand changes in business environment of the auditee
4) Review prior work papers
5) Identify stated contents such as policies, standards and required guidelines, procedures and organization structure.
6) Perform a risk analysis to help in designing the audit plan
7) Set the audit scope and audit objectives
8) Develop the audit approach or audit strategy
9) Assign personnel resources to the audit
10) Address engagement logistics

6
Q

ISACA IS Audit and Assurance Standards – what are the 3 categories?

A

1) General
- Provide the guiding principles under which the IS assurance profession operates
- Apply to the conduct of all assignments
- Deal with an IS auditor’s ethics, independence, objectivity and due care as well as knowledge, competency and skill

2) Performance
Deals with the conduct of the assignment:
- Planning and supervision
- Scoping
- Risk and materiality
- Resource mobilization
- Supervision and assignment management
- Audit and assurance evidence
- Exercising of professional judgment and due care

3) Reporting
- Types of reports
- Means of communication
- Information communicated

7
Q

Purpose behind ISACA IS audit and assurance guidelines? (3)

A

1) Help further clarify ISACA standards
2) Help IS auditors implement ISACA standards
3) Help IS auditors justify deviations from ISACA standards

8
Q

Purpose behind ISACA Code of Professional Ethics?

A

1) Guides professional/personal conduct of ISACA members and certification holders
2) Aims to instill the importance of ethical and professional behavior in the individuals holding ISACA certification

9
Q

What is the purpose of each of the below:

1) ISACA Code of Conduct
2) ISACA guidelines
3) ISACA standards
4) ISACA ITAF

A

1) ISACA Code of conduct applies to the behavior and conduct of IS auditors
2) ISACA guidelines help IS auditors implement ISACA audit and assurance standards and record any deviations
3) ISACA standards apply to the conduct of an IS audit assignment right from the planning to the reporting phase
4) ISACA ITAF reference model enables IS auditors to seek guidance, research policies and procedures, obtain audit and assurance programs and develop effective reports

10
Q

What is a business process?

A
  • An interrelated set of cross-functional activities or events that result in the delivery of a specific product or service to a customer
  • Controlled by policies, procedures, practices and organizational structures
  • Meant to achieve a specific objective
11
Q

Audit charter

A

The audit charter serves as an overarching document defining the full scope of audit activities:

  • Clearly states management’s objectives for the audit function
  • Documents the responsibility, authority and accountability of the IS audit function
  • Is approved by the highest level of management, such as an audit committee where one is established
  • Is changed only if the change is thoroughly justified
12
Q

Based on the audit charter, the audit function can be engaged in two ways:

A

1) Engagement letters: Used for particular audit exercises that are initiated in an organization with a specific objective
2) Statements of work: Used to document the scope and objectives of services when IS audit services are provided by an external firm

13
Q

Management of an IS audit function must ensure:

A

1) Tasks of the audit team fulfill audit function objectives
2) Audit independence and competence are preserved
3) The IS audit function contributes to the efficient management of IT and achievement of business objectives
4) Provisions for the audit team to stay abreast of changing technology and new audit requirements
5) Provisions for the necessary IT resources to enable IS audits of a highly specialized nature

14
Q

What is an integrated application environment?

A

An environment where numerous financial and operational applications function together. Controls are designed and embedded into business applications.

15
Q

Business process controls assurance involves evaluating what two dimensions?

A

1) General controls – which exist at the process and activity levels and may be a combination of management, programmed, and manual controls
2) Business process owner-specific controls – such as establishing proper security and segregation of duties (SoD), periodic review and approval of access and application controls within the business process

16
Q

What is ECommerce?

A

Ecommerce is the buying and selling of goods online. As a general model, ecommerce uses technology to enhance the processes of commercial transactions among a company, its customers and business partners.

17
Q

What are the two important IS audit considerations related to ecommerce?

A

1) How the changes in the business processes, made to implement ecommerce, impact compliance and security
2) How the integration of ecommerce with the legacy systems impacts the organization’s application architecture and related interconnection agreements

18
Q

What is EDI and what is the purpose?

A

EDI - Electronic Data Interchange

Purpose is to replace the exchange of traditional paper documents, such as medical claims and records, purchase orders, invoices, or material release schedules, with digital equivalents

19
Q

What is the goal of an IS audit around EDI?

A

To ensure EDI transactions are received and translated accurately, passed to an appropriate application, and processed only once.

20
Q

What does the scope of review for an IS audit around EDI entail?

A
  • Internet encryption processes
  • Edit checks
  • Additional computerized checking
  • All inbound transactions
  • The use of control totals on receipt of transactions
  • Segment count totals
  • Transaction set count totals
  • Batch control totals
  • Validity of the sender against trading partner details by using
    a) control fields
    b) VAN sequential control numbers or reports
    c) Acknowledgment transaction to inform the sender of message receipt
21
Q

What are the various Ecommerce types?

A

1) B-to-B
2) B-to-C
3) C-to-C
4) C-to-B
5) B-to-G
6) C-to-G

22
Q

What technology does Ecommerce use?

A

Internet, multimedia, web browsers, proprietary networks, ATMs and home banking, and the traditional approach to EDI

23
Q

What are the typical ecommerce architectures?

A

1) Single-tier: Client-based application running on a single computer
2) Two-tier: Composed of the client and server
3) Three-tier, comprised of:
a) Presentation tier: displays information that users can access directly, such as a webpage or an operating system’s graphical user interface
b) Application tier (business logic/applications): controls an application’s functionality by performing detailed processing
c) Data tier: usually comprised of the database servers, file shares, etc. and the data access layers that encapsulate the persistence mechanisms and expose the data

24
Q

What is the most heavily used means of communication in an organization?

A

Email – an open source of communication and data exchange

25
Q

What are the primary email protocols? Outgoing? Incoming?

A

Outgoing protocols:
- Simple Mail Transport Protocol (SMTP)

Incoming protocols:
- Post Office Protocol (POP)
- Internet Message Access Protocol (IMAP)
- Hypertext Transfer Protocol (HTTP) – also called “web-based email”
- Messaging Application Programming Interface (MAPI) – used with Outlook in conjunction with a Microsoft Exchange Server mail server; very close to IMAP but has extended features to interact with other applications

26
Q

What are some of the benefits and cautions to moving email to the cloud?

A

Benefits:

  • Outsources many of the maintenance and security management issues
  • Shifts expenditures from capital investments to operations
  • Provides additional scalability and availability

Cautions:

  • Need to be mindful of the regulatory requirements of the organization