Chapter 2. The Information Systems Audit

The following exam domain is partially covered in this chapter:

Domain 1—The Process of Auditing Information Systems

This chapter covers the following topics:

• Skills and Knowledge Required to Be an IS Auditor: This section provides an overview of certifications and work-related skills needed in the field.

• Knowledge of Ethical Standards: This section provides an overview of the ISACA Code of Professional Ethics.

• ISACA Standards, Procedures, Guidelines, and Baselines: This section gives you a foundational understanding of standards, procedures, guidelines, and baselines. In addition, this section covers major laws, rules, regulations, and international standards.

• Risk Assessment Concepts: This section provides an overview of how to define, assess, manage, and mitigate various types of risks.

• Auditing and the Use of Internal Controls: This section defines and reviews common types of internal controls an auditor will encounter.

• The Auditing Life Cycle: This section examines the stages of the audit process, including planning, examination, reporting, and follow-up.

• The Control Self-Assessment Process: This section defines the attributes of a self-assessment process and explains its importance in the audit process.

• Continuous Monitoring: This section explains why continuous monitoring is important and describes its benefits.

• Quality Assurance: This section reviews QA attributes that help businesses prevent costly mistakes or defects and control risks.

• The Challenges of Audits: This section describes the types of audit opinions that are typically issued by an auditor and the challenges related to issuing an audit opinion.

Most organizations, no matter their size, have a heavy reliance on information technology to stay ahead of their competition. Information systems drive revenue and often reflect the organization’s image on the Internet. Information systems (IS) auditing ensures that an organization’s data is confidentially stored, that data integrity is maintained, and that information systems are available when needed. The audit process is therefore an excellent place to start your preparation for the CISA exam.

Many foundational concepts of the audit process are leveraged across the CISA exam. This chapter helps you prepare for the exam by covering the ISACA objectives, which include understanding the role and importance of auditing standards, guidelines, and best practices. When you complete this chapter, you will be able to do the following:

• Understand the skills needed to be an IS auditor

• Explain what an IS audit is

• Explain how an IS audit is managed and performed

• Define risks and how to analyze them

• Describe internal controls

• Understand how control assessments are performed

• Understand how an audit report is written and issued

• Explain the end-to-end audit process and understand the challenges

“Do I Know This Already?” Quiz

The “Do I Know This Already?” quiz allows you to assess whether you should read this entire chapter thoroughly or jump to the “Exam Preparation Tasks” section. If you are in doubt about your answers to these questions or your own assessment of your knowledge of the topics, read the entire chapter. Table 2-1 lists the major headings in this chapter and their corresponding “Do I Know This Already?” quiz questions. You can find the answers in Appendix A, “Answers to the ‘Do I Know This Already?’ Quizzes and Review Questions.”

Table 2-1 “Do I Know This Already?” Section-to-Question Mapping

Foundation Topics Section | Questions Covered in This Section
Skills and Knowledge Required to Be an IS Auditor | 1
Knowledge of Ethical Standards | 2
ISACA Standards, Procedures, Guidelines, and Baselines | 3
Risk Assessment Concepts | 4
Auditing and the Use of Internal Controls | 5
The Auditing Life Cycle | 6
The Control Self-Assessment Process | 7
Continuous Monitoring | 8
Quality Assurance | 9
The Challenges of Audits | 10


Caution

The goal of self-assessment is to gauge your mastery of the topics in this chapter. If you do not know the answer to a question or are only partially sure of the answer, you should mark that question as incorrect for purposes of the self-assessment. Giving yourself credit for an answer you correctly guess skews your self-assessment results and might provide you with a false sense of security.


1. Which of the following is an important work-related soft skill an auditor needs?

a. Knowledge of laws, rules, and regulations

b. Ability to code

c. Careful attention to detail when completing work tasks

d. Knowledge of project management tools

2. To whom is the ISACA Code of Professional Ethics applied?

a. Auditors

b. Clients

c. Stakeholders

d. Sponsors

3. Which of the following are mandatory actions, explicitly stated rules, or controls that are designed to support and conform to a policy?

a. Baselines

b. Standards

c. Procedures

d. Guidelines

4. Which of the following is a risk that naturally occurs because of the nature of the business before controls are applied?

a. Control risk

b. Detection risk

c. Inherent risk

d. Residual risk

5. Which of the following control categories is designed to reduce the impact of a threat and attempts to minimize the impact of a problem?

a. Detective

b. Corrective

c. Preventive

d. Selective

6. At which step in the auditing life cycle does an auditor identify interviewees, identify processes to be tested and verified, and obtain documents such as policies, procedures, and standards?

a. Evaluation of results

b. Audit scope

c. Audit objective

d. Data gathering

7. Which of the following is not true of the control self-assessment process?

a. It tends to raise the level of control, which allows risk to be detected sooner and, consequently, reduces cost.

b. It empowers employees and gives them responsibility.

c. It decreases awareness of staff and employees of internal controls and their objectives.

d. It involves employees and raises their level of awareness.

8. Which of the following is a precondition that should be present before an organization can adopt continuous auditing?

a. The information system must have a manually operated secondary control system.

b. The system must have acceptable prebuilt characteristics that are solely considered over cost and technical skill.

c. The auditor does not need to be proficient in the system and information technology but can be trained later.

d. The information system must be reliable, have existing primary controls, and collect data on the system.

9. When reviewing quality assurance, the goal is to improve which two key attributes?

a. Intent and design

b. Quality and adherence

c. Intent and adherence

d. Compliance and design

10. Of the following audit opinion categories, which one is rendered when appropriate testing and obtained evidence exist to cite instances of control weaknesses but the opinion cannot conclude that the control weakness is pervasive?

a. Disclaimer

b. Adverse opinion

c. Unqualified opinion

d. Qualified opinion

Foundation Topics

Skills and Knowledge Required to Be an IS Auditor

The knowledge statement questions on the CISA exam cover hard skills such as how to plan an audit. The task statement questions on the exam, in combination with situational context, test a candidate on the soft skills an auditor needs, such as how to communicate audit examination results.


Note

When a situational CISA exam question is presented for which you are unsure of the answer, remember to put yourself in the mindset of an auditor. The ISACA Code of Professional Ethics and both this book’s and ISACA’s practice exams can help you develop that mindset. For example, think of an auditor like an insurance policy for management who works in partnership with the business to expose risk to the company. The ISACA Code of Professional Ethics is reviewed in detail later in this chapter and is available at www.isaca.org/certification/code-of-professional-ethics/pages/default.aspx.


Work-Related Skills

An auditor has a successful career when he or she has an ever-improving set of skills that are applied consistently, relentlessly, and professionally, along with excellent interpersonal soft skills. It is said that a good auditor needs to be knowledgeable about the business, efficient, capable of exposing risk, able to deliver a tough message, and still welcome to go out for a beer afterward.

Table 2-2 lists some of the important work-related soft and hard skills an auditor needs.

Table 2-2 Important Work-Related Auditor Skills

Skill Type | Skill
Soft | Honest and ethical
Hard | Technically competent, having the skills and knowledge necessary to perform the auditor’s work
Soft | Ability to pay careful attention to detail when completing work tasks
Hard | Excellent verbal and written communication skills
Hard | Analytical thinking skills and ability to analyze information through sound logical thinking
Soft | Excellent interpersonal skills, displaying a good nature and the ability to stay focused and calm
Soft | Ability to create and maintain professional relationships and develop allies
Soft | Willingness to lead, take charge, and offer opinions
Soft | Strong active listening and ability to understand other points of view
Hard | Good project management and organizational skills
Hard | Critical thinking and the ability to use logic and reasoning techniques to identify weaknesses and develop solutions to problems

Many new auditors are surprised at the number of soft skills listed in Table 2-2. While not an exhaustive list, it illustrates the skills that typically separate good auditors from bad auditors.

Knowledge of Ethical Standards

The ISACA Code of Professional Ethics involves more than conducting an audit and goes beyond legal requirements; it defines principles and values that govern acceptable behavior. As an auditor, you must be above question at all times. You must treat clients honestly and fairly, and your actions must reflect positively on yourself, your company, and your profession.


Note

The word client in this context means the leadership of the area you are auditing. If you are auditing within a company, then you have internal clients for the audit services you are providing.


Answers to the “Do I Know This Already?” Quiz: 1. C; 2. A; 3. B; 4. C; 5. B; 6. D; 7. C; 8. D; 9. B; 10. D

To help guide auditors in this defined level of conduct, ISACA has developed the following Code of Professional Ethics:

Members and ISACA certification holders shall:

1. Support the implementation of, and encourage compliance with, appropriate standards and procedures for the effective governance and management of enterprise information systems and technology, including: audit, control, security and risk management.

2. Perform their duties with objectivity, due diligence and professional care, in accordance with professional standards.

3. Serve in the interest of stakeholders in a lawful manner, while maintaining high standards of conduct and character, and not discrediting their profession or the Association.

4. Maintain the privacy and confidentiality of information obtained in the course of their activities unless disclosure is required by legal authority. Such information shall not be used for personal benefit or released to inappropriate parties.

5. Maintain competency in their respective fields and agree to undertake only those activities they can reasonably expect to complete with the necessary skills, knowledge and competence.

6. Inform appropriate parties of the results of work performed including the disclosure of all significant facts known to them that, if not disclosed, may distort the reporting of the results.

7. Support the professional education of stakeholders in enhancing their understanding of the governance and management of enterprise information systems and technology, including: audit, control, security and risk management.

Failure to comply with this Code of Professional Ethics can result in an investigation into a member’s or certification holder’s conduct and, ultimately, in disciplinary measures.


Note

The ISACA Code of Professional Ethics will be on the exam in the form of situational questions and phrased as choices on how to meet an auditor’s obligation. CISA candidates are not expected to memorize the exact wording of the ISACA Code of Professional Ethics, but they are expected to understand its goals and how it should be applied and used.


Let’s consider one major historical event that illustrates the importance of ethical standards. Enron was founded in 1985, and at its peak in 2000, it was one of America’s largest energy companies. By 2001 Enron was taking on massive liabilities and incurring massive losses. To keep its stock price up and hide the losses from the public, it used highly questionable offshore transactions and creative bookkeeping methods. Arthur Andersen was one of the five largest accounting firms in the United States at the time. It had a reputation for high standards and quality. Arthur Andersen oversaw, audited, and signed off on Enron’s financials and accounts. By December 2001, Enron declared bankruptcy. By August 2002, Arthur Andersen had closed its doors.

Let’s look at the events involving the Arthur Andersen auditors at Enron from the point of view of the ISACA Code of Professional Ethics. Knowing that the accounting practices were at the time questionable and not consistent with industry norms, what was the auditors’ obligation? They could have refused to sign off on the company’s books. But that might have caused the accounting firm to be fired and lose millions of dollars in accounting fees. What they chose to do was to sign off, put their firm’s reputation behind Enron, and, worse yet, when the regulators began investigating, they destroyed some of their Enron audit documents. Like Enron, they faced criminal charges and ended up having to close their doors.

What was the Arthur Andersen auditors’ obligation? Let’s break down the third point in the statements in the ISACA Code of Professional Ethics:

• Serve in the interest of stakeholders…: Stakeholders include the Enron shareholders, the pensions dependent on the Enron stock, and the Enron employees, to name a few. None were well served by the auditors’ decision.

• …in a lawful manner…: We can assume that even if the auditors thought the accounting practices were questionable rather than illegal, it was clear that their intent was not to be honest.

• …while maintaining high standards of conduct and character, and not discrediting their profession or the Association: At the time, Arthur Andersen auditors not only hurt their firm but called into question the professionalism of the industry. Fortunately, Arthur Andersen closing its doors helps demonstrate that such conduct is unacceptable to the industry and not the norm.

CISA exam questions will raise a number of situational questions related to the Code of Professional Ethics. A CISA candidate is not expected to recite each word in the code of ethics. However, a candidate needs to understand the importance of conduct during an audit and of conveying the results honestly and transparently.

ISACA Standards, Procedures, Guidelines, and Baselines

The CISA exam questions expect a candidate to understand the difference between a standard, a procedure, a guideline, and a baseline. A CISA candidate is expected not only to know the definitions but also in what situations they should be applied.

There are a number of definitions in the industry for these four terms. Given that this is an ISACA-created exam, ISACA’s COBIT 5 use of the terms can be found in Table 2-3. (COBIT 5 is discussed later in this chapter.)

Table 2-3 Description of Standards, Procedures, Guidelines, and Baselines

Title | Description
Standards | Mandatory actions, explicit rules, or controls that are designed to support and conform to a policy. A standard should make a policy more meaningful and effective by including accepted specifications for hardware, software, or behavior. Standards should always point to the policy to which they relate.
Procedures | Written steps to execute policies through specific, prescribed actions; this is the how in relation to a policy. Procedures tend to be more detailed than policies. They identify the method and state, in a series of steps, exactly how to accomplish an intended task, achieve a desired business or functional outcome, and execute a policy.
Guidelines | An outline for a statement of conduct. This is an additional (optional) document in support of policies, standards, and procedures and provides general guidance on what to do in particular circumstances. Guidelines are not requirements to be met but are strongly recommended.
Baselines | Platform-specific rules that are accepted across the industry as providing the most effective approach to a specific implementation.


Note

The CISA exam requires more than memorization. When you encounter a term, first read it to understand its definition and then try to understand when it would be used. Looking at definitions is a starting point that can help you form a compare-and-contrast perspective that helps you understand not only the term but also its utility. For example, don’t just read the definitions of standards and procedures in Table 2-3. Consider how you would explain the difference and in which situation one would be a better choice over the other.


Let’s look at an example to gain a deeper understanding. Say that you have this question on an exam: “If you bought a car, which term would best describe the fact that, on average, you should change the oil every 5,000 miles?” Your answer choices are standard, procedure, guideline, and baseline. Here’s how you could logically break down the question to pick the best choice:

• Baseline: A baseline could be the right answer if there were more details about the car, such as the type of car, age of the car, driving habits, and so on. A salesperson driving a car 120,000 miles per year will change the oil far more often than a telecommuter driving 5,000 miles per year. A generic statement about cars would not be considered platform specific.

• Procedure: A procedure is a set of steps to follow. This definition is not a fit, given the question.

• Standard: A standard could be the right answer if the question said the car is under a lease, and the lease agreement requires changing the oil every 5,000 miles. In the lease situation, the changing of the oil is mandatory, which would make standard a good answer. A giveaway that a standard does not apply is the use of the hint word should, which conveys that there are options. It’s generally accepted that standards that use the word should are poorly written because standards are mandatory.

• Guideline: The term guideline is the correct answer because a guideline provides a general rule. If you didn’t have any other specific information, then changing your car’s oil every 5,000 miles would make sense. If you were to gain more information, you could adjust the frequency of oil changes. For example, some of the newer (and more expensive) synthetic oils last longer, and thus you can drive 10,000 miles between oil changes.

While it’s unlikely that you will find a car-related question on the CISA exam, you should expect to break down questions just as is done here. You will likely be able to throw away one or two answers very quickly. The difference between a right answer and a wrong answer can often be found in the context and the hint words provided.

Standards and guidelines are the cornerstone of the audit profession. Standards articulate what must be followed, and they are typically technology platform agnostic. In comparison, a guideline is more of a use case for a standard. A guideline explains how to comply with a standard. It’s important to understand that the ISACA standards and guidelines are issued across multiple industries and across multiple countries. One size does not fit all! Guidelines are optional, intended to give organizations examples of successful implementation of ISACA standards.

Now we’ve talked about the terms standard, procedure, guideline, and baseline broadly as well as in the context of ISACA publications. Is there a difference between these two uses? Yes, an organization will have standards, procedures, guidelines, and baselines. Will an organization’s standards be the same as the ISACA audit and assurance standards? No. An organization typically selects the standards that best meet its needs. ISACA’s audit and assurance standards are one source. A manufacturing company may place heavy reliance on International Organization for Standardization (ISO) standards, a credit card merchant will place heavy reliance on Payment Card Industry Data Security Standards (PCI DSS), and so forth.

The terms procedure and baseline can be confusing. A procedure usually is a series of steps to achieve a specific outcome—for example, the particular steps in a company that you have to take to obtain a logon account for a new employee. A baseline is a platform-specific set of accepted rules—for example, setting a workstation’s Windows 10 platform to time out after 15 minutes. The line between a baseline and a procedure can be blurry. The workstation Windows 10 platform baseline may not only state that a 15-minute timeout is required but may also show the steps and a screenshot for how to make the setting. In that case, it is still a baseline, not a procedure. For the ISACA exam, remember that if a document is platform specific to implement a specific rule, you can treat it as a baseline. If the document is purely procedural steps with a focus on a specific outcome (such as a deliverable), you can treat it as a procedure.

ISACA publishes documents periodically. The best source of the current list of documents is the ISACA website (see “Suggested Readings and Resources,” at the end of this chapter).


At the time of this writing, ISACA had published 17 standards:

• Audit Charter

• Organizational Independence

• Professional Independence

• Reasonable Expectation

• Due Professional Care

• Proficiency

• Assertions

• Criteria

• Engagement Planning

• Risk Assessment in Planning

• Performance and Supervision

• Materiality

• Evidence

• Using the Work of Other Experts

• Irregularity and Illegal Acts

• Reporting

• Follow-up Activities

ISACA has also published 18 guidelines:

• Audit Charter

• Organizational Independence

• Professional Independence

• Reasonable Expectation

• Due Professional Care

• Proficiency

• Assertions

• Criteria

• Engagement Planning

• Risk Assessment in Planning

• Performance and Supervision

• Materiality

• Evidence

• Using the Work of Other Experts

• Irregularity and Illegal Acts

• Audit Sampling

• Reporting

• Follow-up Activities


Note

A good way to prepare for the exam is to read as many ISACA standards and guidelines as possible. Do not memorize them but focus on their intent. These documents include references to situations on how to apply the job practice across domain areas. Learning how to apply knowledge to tasks will be helpful during the exam.


Knowledge of Regulatory Standards

An organization must work within a framework of laws and regulations, which may dictate how data is processed, handled, stored, and destroyed. Businesses are increasingly being tasked with processing a growing amount of electronic information. If they fail to handle this information properly and with due care, they could be subject to legal fines or loss of public confidence, and the top executive may even run the risk of jail time. Companies can be held liable if personal data is disclosed to an unauthorized person.

For example, the European Union (EU) Privacy Shield law prohibits the transfer of personal data to countries that do not meet the EU standard for privacy protection. Companies that fail to meet these standards can face legal recourse, suffer a loss of public confidence, or even be blocked from doing business in the EU.

The following list of regulatory standards and links to websites, while not exhaustive, is a good representation of important U.S. regulatory expectations:

• U.S. Health Insurance Portability and Accountability Act (HIPAA): U.S. standards on management of health care data (www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html)

• Sarbanes-Oxley Act (SOX): U.S. financial and accounting disclosure and accountability for public companies (www.soxlaw.com)

• Basel III: Risk management in banking (www.bis.org/bcbs/basel3.htm)

• Payment Card Industry (PCI) standards: Handling and processing of credit cards (www.pcisecuritystandards.org/pdfs/pcissc_overview.pdf)

• U.S. Federal Information Security Management Act (FISMA): Security standards for U.S. government systems (www.gsa.gov/portal/content/150159)

• Committee of Sponsoring Organizations of the Treadway Commission (COSO): A series of frameworks to help identify factors that lead to fraudulent financial reporting (www.coso.org/Pages/default.aspx)

• U.S. Supervisory Control and Data Acquisition (SCADA): Enhanced security for automated control systems such as those found in power plants or the oil and gas industry (www.dhs.gov/sites/default/files/publications/csd-nist-guidetosupervisoryanddataccquisition-scadaandindustrialcontrolsystemssecurity-2007.pdf)

• U.S. Fair and Accurate Credit Transactions Act of 2003 (FACTA): Legislation to reduce fraud and identity theft (www.ftc.gov/enforcement/statutes/fair-accurate-credit-transactions-act-2003)

Some regulatory guidelines are not truly laws. For example, PCI is not a law but was developed by the major credit card companies (Visa, MasterCard, American Express, Discover, and JCB) and is referenced in regulatory guidelines such as the FFIEC Handbook for best practices for banks. Whether a regulation calls out a framework as best practices or is written into the law makes little practical difference. The regulator knocking on your door has an expectation of compliance or a very clearly articulated and well-managed reason why compliance was not possible. Consideration for regulatory requirements is a high priority when planning and scoping an audit.


Note

ISACA does not expect CISA candidates to know the specifics of each law, rule, or regulation. Candidates are expected to understand the steps used to audit compliance with the regulations.


Guidance Documents

While regulatory guidance is important, it’s typically not comprehensive. A challenge with regulatory guidance is that it’s often too late! Many laws are written in response to an event such as, in the case of information systems, a major breach. Enacting laws takes a long time because of public debate, hearings, pressure from special interests, and so on.

Industry norms emerge from the combination of industry guidance documents and regulation guidance. These industry guidance documents align to major regulatory requirements and often are more detailed and published more often. This is particularly important when a new threat in cybersecurity is identified.

The CISA exam will not require detailed knowledge of each industry guidance document. A CISA candidate needs to understand what industry guidance is and, most importantly, the benefits of effectively adopting industry guidance, which include the following:

• Demonstrating to customers compliance with industry best practices

• Demonstrating the ability to adopt lessons learned across the globe

• Ensuring that organizations’ products and services meet quality and environmental stewardship expectations

• Proving through audits that an organization’s systems operate according to accepted norms, as defined by industry standards

• Ensuring that products and services are produced with acceptable consistency

• Reacting quickly to emerging events related to technology defects and breaches

Notice that the benefits depend on effectively adopting the industry guidance. An important role of an auditor is verifying compliance. Some industry standards have certification programs in which an external examiner audits the organization and certifies the organization’s compliance with specific industry guidance. These external examiners are similar to health inspectors, who ensure that a restaurant meets health codes. If an organization passes, it obtains a certification of compliance, which may give it a business advantage or provide evidence to a regulator that it is operating within industry norms.

The following list of industry guidance, while not exhaustive, is a good sampling of important U.S. industry expectations:

• Control Objectives for Information and Related Technologies (COBIT): COBIT was first published in 1996 as one of the first definitive guides for IS auditors. COBIT has evolved into a globally accepted framework, providing an end-to-end business view of the governance of enterprise IT. COBIT 5 is the latest version and is considered a framework that embodies global thought guidance for information systems audit, assurance, and control functions.

• International Organization for Standardization (ISO): Since 1987 the ISO has created a series of international standards that define and structure a company’s management systems. These standards are rigorous, and obtaining certification is not easy. While they cover multiple industries, they often are referred to in manufacturing. The standards cover design, manufacturing, production, purchasing, quality control, packaging, handling, storage, shipping, and customer service.

• National Institute of Standards and Technology (NIST) standards: NIST, a unit of the U.S. Commerce Department, issues a number of technology-related standards. Most notably, in 2014 the U.S. government issued a NIST Cybersecurity Framework. Initially this framework only applied to U.S. government systems, but today the NIST Cybersecurity Framework has been widely adopted by banking and other industries.

• Federal Information Processing Standards (FIPS): FIPS is a set of U.S. government standards that describe document processing, encryption algorithms, and related information technology standards for use in nonmilitary U.S. government agencies. Government vendors and contractors who work for government agencies must comply with FIPS.

Auditing Compliance with Regulatory Standards

The growing dependence on automated IT systems to store and transmit data has driven the creation of many compliance rules and regulations. An auditor’s role is to evaluate the design and operation of internal controls.

Most organizations want to do the right thing and are interested in proper controls. They might be overwhelmed by the day-to-day demands of business. However, it is very important for auditors to verify their compliance.

The process of verifying regulatory compliance is highly structured and detailed. The results may have to be presented to a regulator to demonstrate due care. Most organizations must comply with many different laws and legal requirements, and this has an impact on an audit. An organization must be aware of these laws and regulations and must have evidence that the organization’s controls demonstrate compliance. The following is a step-by-step high-level procedure for verifying regulatory compliance:


1. Based on the industry and jurisdiction locale in which the organization operates, keep an inventory of laws, rules, and regulations that the organization must adhere to.


Tip

Many organizations have a compliance or legal department that maintains the inventory. In addition, trade organizations or industry groups may share inventories.


2. Review the specific laws and regulations with which the organization must be compliant.

3. Determine whether the organization’s policies and procedures and controls reflect these laws and regulations.

4. Determine whether identified standards and procedures adhere to regulatory requirements.

5. Determine whether the employees are adhering to specified standards and procedures or whether discrepancies exist.

Knowledge of Business Processes

Knowledge of the business and related processes is needed throughout an audit, from planning, examination, and reporting through follow-up. This business knowledge provides the filter and context by which an audit assesses and identifies issues.

Although you might not think of scuba diving when discussing auditing, the two are actually similar. They both follow standards and guidelines. No one who has ever gone diving would consider jumping into the ocean without checking the oxygen tank or performing other basic safety checks. Auditing is similar, in that you cannot just show up at a site and announce that you are there to perform an audit. Auditing requires a specific set of skills and knowledge. For example, an auditor must know when to perform a compliance test or a substantive test and must understand the differences between them.

Compliance tests are used to verify conformity, whereas substantive tests verify the integrity of claims. What does it mean to verify conformity? It means that an audit verifies that the proper controls are in place to ensure compliance with a specific standard. The compliance test, in essence, makes sure the control is in place. What does the integrity of claims mean? It means the controls are actually working. So compliance tests ensure that controls are in place, and substantive tests ensure that controls are working.

Let’s consider a home inspection company example. Say that a government program provides first-time home buyers a deeply discounted mortgage rate but requires a home inspection. Consider the following questions and answers:

1. What type of audit is it if the auditor assesses that the closing process control of the mortgage includes a home inspection?

Answer: Compliance test. The test tells us whether the closing process control is compliant with the intent of the government program.

2. What type of audit is it if the auditor assesses that the home inspectors are qualified and their inspections are highly accurate?

Answer: Substantive test. The test tells us whether the closing process control is working effectively.

Types of Audits

A key step in audit planning is to select the type of audit to perform. This decision will help drive the scope and determine which audit area will take the lead. There are three basic types of audits:

• Financial: A financial audit is an audit of financial statements and processes. An IS auditor is typically not involved in a purely financial audit.

• Integrated: When a financial audit’s scope includes the underlying technology, such as application and network infrastructure, the IS auditor joins the assessment. This type of audit, which covers non-technology (such as financial) controls and technology controls, is referred to as an integrated audit. One of the major advantages of an integrated audit is that the business is only audited once rather than twice (for example, for financials and for technology).

• Operational: An operational audit assesses how well the business operations are managed. This includes reviewing the organization’s policies, key processes, controls, and operating environment. An example of an operational IS audit is an assessment of data center operations.

The various audits together are typically referred to as an audit program. Each audit program has a specific objective, scope, and predetermined methodology. An enterprise’s information systems can be audited in many different ways, and each audit program can be customized—for example, a cybersecurity audit versus a data center operations audit versus a compliance audit for a specific regulation. Collectively, the audit programs represent the scope of risk covered by the auditors.

A compliance audit is a comprehensive review of an organization’s adherence to regulatory guidelines. IS auditors are playing an increased role in compliance audits today. One reason is that the handling, notification, storage, and processing of information has emerged as a central theme in many regulations. For instance, the Sarbanes-Oxley Act requirements designate that an entity must utilize an IT control framework (such as COBIT) as a foundation for IT systems and processes. Health care providers that store or transmit electronic health (e-health) records, such as personal health information (PHI), are subject to HIPAA requirements.

An audit program should be defined so that the scope of audit objectives and the scope of procedures are clear. The scope and type of testing that occurs may vary depending on how the understanding of risk has changed since the last audit. Testing and evaluation of system controls require an auditor to fully understand proper test procedures, which can include the following:

• Sampling of a population

• Auditing through observation

• Reviewing documentation

• Documenting systems and processes by means of flowcharting

• Examining log files and data records

• Using specialized software packages to examine system parameter files

Risk Assessment Concepts

You might think that defining risk is fairly straightforward, but virtually every framework changes the definition just enough to introduce more questions and confusion. COBIT 5 defines risk as “the combination of the probability of an event and its consequence.” This means if you know how likely it is that an event will occur and you know what the impact is if it occurs, then you can understand the risk.

Understanding risk is one of the most important steps in audit planning. The goal should be to plan an audit that assesses the greatest amount of the risk controllable by the organization.


Note

As you prepare for the CISA exam, you may see multiple documents with slightly differing or conflicting definitions of risk. This is not unusual, even within ISACA’s own documents. COBIT 5 was a major release for ISACA that normalized many definitions and is a good source to reconcile differing definitions for the CISA exam.


Auditors typically focus on the risks that have the highest impact on an organization. Table 2-4 describes the three main risks that are called out by COBIT 5.


Table 2-4 Key Risk Types

Item | Attributes
Inherent risk | The risk that naturally occurs because of the nature of the business before controls are applied
Control risk | The risk that internal controls will not prevent a material error
Detection risk | The risk that misstatements or possibly material errors have occurred and were not detected

Let’s explore each of these risks and the natural variations. The CISA exam will include questions to determine whether you can understand the differences between the risk types. A term you may see on the exam is material, which is generally defined as an item of significance that has a real impact on the organization. For example, a traffic accident that delays your arrival at work may or may not be material. If your late arrival causes you to lose a million-dollar contract because the client gets tired of waiting, then it most likely is material. Arriving at the office late and finding that the offer is gone is not material. Understanding these risks helps you judge whether something is material:

• Inherent risk: Inherent risk is often described as the risk that exists if no controls have been deployed. Given the nature of a business, what is its susceptibility to making a material error if there are no internal controls? For example, given the nature of driving, would having no speed limits be an inherent risk? Yes!

• Control risk: Control risk is often described as a control that is deployed but not working as expected. For example, assume that your car has an airbag only in the steering column. A driver-side collision occurs, and the airbag fails to deploy. There is a risk that the airbag has a defect and also a risk that the design of the airbag is flawed.

• Detection and audit risk: Detection risk is often described as a defect in a control going undetected. An audit risk is a type of detection risk in which an auditor fails to find a material error or defect in a control. Detection risks can also result from an internal failure of a business, such as an inadequate quality assurance program. Detection control risk is often realized when volumes are high. For example, reviewing security logs is an important control. The volume of logs could increase the likelihood that an event is missed and increase the detection risk.

• Residual risk: The residual risk is the risk that remains after controls are applied to the inherent risk. This risk is not included in Table 2-4 because it’s not directly referenced in COBIT. Nonetheless, it is a common term in the industry and an important concept for the CISA exam. Residual risk in essence is inherent risk minus controls. For example, the inherent risk may be high for driving with no speed limit signs, but that risk becomes greatly reduced when speed limit signs are posted. The risk is further reduced when police presence is visible. It’s an important concept that residual risk is reduced by layering controls against the inherent risk.

The assessment of what is material is left to the professional judgment of the auditor. This includes both quantitative analysis and qualitative judgment, based on the understanding of the business and the potential for errors and omissions.

The concept of quantitative analysis involves coming to an objective conclusion based on a series of measurements. The following are some measurements that may be taken related to risk:

• Identifying populations (for example, information assets)

• Valuing the assets (for example, cost to recover)

• Identifying the risks to the assets

• Identifying the likelihood of the risk being realized

• Identifying the cost to the organization of the risk being realized

• Identifying the cost to mitigate the risk

A quantitative analysis based on these measurements may conclude that the cost to mitigate such a risk is too high. For example, say that the measurements captured indicate that a particular risk is predicted to occur every three years, the cost to remediate is $100,000 per year, and the recovery cost is $50,000 per event. The quantitative analysis may show that it’s not worth the cost to mitigate.

A qualitative judgment looks at the broad understanding of the business and asks the question, what might go wrong? A qualitative judgment can override a quantitative analysis. In that case, be sure to clearly document the rationale. For example, you may be entering a new market and, given the uncertainty and concerns over how the regulators will react, you err on the side of caution and remediate the potential risk.

When quantitative analysis is not available, then qualitative judgment is used. Be careful to avoid overreliance on judgment versus analysis. Often a hybrid approach is used, where both methods are applied. When both are applied, the quantitative analysis can be used to validate the qualitative judgment.
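As a worked illustration of the quantitative-versus-qualitative decision just described, here is an added Python example; it is not code from the book. It annualizes the expected loss from the event frequency and the per-event recovery cost, compares that with the yearly remediation cost, ranks several risks by exposure, and lets a qualitative judgment override the measured result only when a rationale is documented. The $50,000 per event, once-every-three-years, and $100,000-per-year figures are the book’s; the risk names and the other dollar figures are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class RiskMeasurement:
    """Quantitative measurements for one risk, following the list of measurements above."""
    name: str
    loss_per_event: float            # recovery cost per realized event, in dollars
    events_per_year: float           # expected frequency; once every three years = 1/3
    mitigation_cost_per_year: float  # yearly cost to remediate, in dollars


@dataclass(frozen=True)
class Disposition:
    risk: str
    mitigate: bool
    basis: str        # "quantitative" or "qualitative override"
    rationale: str


def annualized_loss(m: RiskMeasurement) -> float:
    """Expected yearly cost of the risk if it is left unmitigated."""
    return m.loss_per_event * m.events_per_year


def mitigation_is_justified(m: RiskMeasurement) -> bool:
    """Quantitative rule: remediate only when the expected yearly loss meets or exceeds the yearly remediation cost."""
    return annualized_loss(m) >= m.mitigation_cost_per_year


def decide(m: RiskMeasurement, qualitative_override: Optional[bool] = None, rationale: str = "") -> Disposition:
    """Apply the quantitative rule unless a qualitative override is supplied.

    An override replaces a measured conclusion with judgment, so it is refused
    unless the rationale is written down (the book's 'clearly document the rationale').
    """
    if qualitative_override is None:
        basis = (f"annualized loss ${annualized_loss(m):,.0f} vs "
                 f"mitigation ${m.mitigation_cost_per_year:,.0f}/yr")
        return Disposition(m.name, mitigation_is_justified(m), "quantitative", basis)
    if not rationale.strip():
        raise ValueError(f"{m.name}: a qualitative override must document its rationale")
    return Disposition(m.name, qualitative_override, "qualitative override", rationale)


def rank_by_exposure(risks: List[RiskMeasurement]) -> List[str]:
    """Order risks by annualized loss, highest first, so attention goes to the largest exposures."""
    return [r.name for r in sorted(risks, key=annualized_loss, reverse=True)]


# The book's example: one event every three years, $50,000 per event, $100,000 per year to remediate.
BOOK_EXAMPLE = RiskMeasurement("legacy-batch-job-failure", 50_000, 1 / 3, 100_000)

# Constructed additional risks with hypothetical figures, used only for the ranking.
CONSTRUCTED_RISKS = [
    BOOK_EXAMPLE,
    RiskMeasurement("ransomware-on-file-server", 400_000, 0.25, 60_000),
    RiskMeasurement("regulator-fine-new-market", 250_000, 0.05, 80_000),
]

if __name__ == "__main__":
    for r in CONSTRUCTED_RISKS:
        print(decide(r))
    # The book's new-market scenario: judgment overrides the numbers, with the rationale recorded.
    print(decide(CONSTRUCTED_RISKS[2], qualitative_override=True,
                 rationale="new market; regulator reaction uncertain, erring on the side of caution"))
    print(rank_by_exposure(CONSTRUCTED_RISKS))
```

For the book’s figures the annualized loss is about $16,667 against $100,000 per year to remediate, so the quantitative rule declines to mitigate; the same function carries the qualitative override, with its rationale, into the disposition record.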

Risk Management

Risk management is the practice of identifying risks, assessing them, making a judgment of disposition, and monitoring. Many organizations, especially those that operate in regulated industries, have formal risk management programs.


Risk management follows a defined process that includes the following steps:

1. Implement a formal risk management program.

2. Identify assets.

3. Identify threats.

4. Perform risk analysis.

5. Disposition of risk.

6. Monitor.

A risk management program often falls under the corporate governance function, such as the chief risk officer. It should be a formal program that is supported by senior leadership. The risk-management team needs support and funding from senior management and should be led by someone with strong project-management skills.

Organizations must identify assets and understand their value to the business. For example, Coca-Cola places value on the original formula for Coke and must protect it. Assets include people, processes, and technology. It is important not to define assets too narrowly. Any asset that is bought or built has value. Depending on the size of the organization, a material threshold should be used. For example, a $5,000 copier/fax machine is not material to a billion-dollar corporation. But if that asset sits in the chairman’s office, the asset becomes much more valuable. Getting the balance right so an inventory can be quickly obtained is the purpose of setting a materiality threshold.

The identification of threats should be part of both an ongoing refresh of the threat inventory and a threat assessment of each business area at least annually. It should include an exercise involving senior management.

Risk analysis is performed using both quantitative and qualitative methods. Regardless of the method used, the idea is to rank threats in some order to determine what requires immediate action. Some threats might have the potential for great impact but very little risk. Other threats might present a high level of risk but have very little impact. The idea is for the team to identify high-impact, high-risk concerns and focus on those items. For example, a company based in Galveston, Texas, would most likely consider a hurricane a high-risk, high-impact item. The island has no point of land that is more than 14 feet above sea level, and the Gulf of Mexico is a prime area for strong storms. This same approach should be used during audits to ensure that audit time is spent on areas with the highest risks.

The disposition of risk has changed over the years. For example, immediately following the financial meltdown in 2008, regulators were at times driving for high rates of risk remediation, regardless of cost. As risks across the financial industry were demonstrated to be more balanced with the threats, there was some easing on the push for massive remediation efforts.


Note

Remember that there is a difference between a threat and a risk. A threat is something that can happen to create a negative impact, such as a malware attack. A risk is the outcome of the threat, such as the online shopping website being shut down. The CISA exam expects candidates to understand the difference between threats and risks.


After identifying high-risk, high-impact concerns, the risk-management team can move on to the risk mitigation or risk disposition phase. Risk can be disposed of in the following ways:

• Avoiding risk (also referred to as risk avoidance): Avoiding risk can seem like a simple alternative: You simply don’t perform the activity that allows the risk to be present. In reality, many activities cannot be avoided. Even when they can be, an opportunity cost might be involved so that avoiding the risk involves missing the opportunity for profit.

• Reducing risk (also referred to as risk reduction): Reducing risk is one of the most common methods of dealing with risk. Examples include installing a firewall and implementing a new internal accounting control.

• Accepting risk (also referred to as risk acceptance): Risk acceptance means that the organization knows about a risk and makes a conscious decision to accept it. Accepting risk means that the company is retaining the potential costs that are associated with the risk. For example, a business might be considering building an e-commerce website but has determined that it will face an added risk. However, along with the risk is the potential to increase revenue, so the company accepts the risk.

• Transferring risk (also referred to as risk transference): Transferring risk means placing the risk in someone else’s hands. A good example of risk transference is insurance. Although there are benefits to risk transference, there are also some drawbacks. Chief among them is that insurance is an ongoing expense. In addition, it is time-consuming and costly to document and settle relatively small losses. Finally, even small payouts by the insurance company can have an adverse effect on future insurance costs.

The monitoring of the portfolio of risks is important. You can think of monitoring as a type of change management. Any time a change is made to systems or the operating environment, a reassessment should be performed to see how the changes affect a potential risk. Risk analysis is a powerful tool in the hands of an auditor because it can help identify risks and threats. It also aids the auditor in examining existing controls to determine their effectiveness and helps the auditor focus his or her efforts on a high-risk, high-impact area.

Auditing and the Use of Internal Controls

An organization deploys controls to comply with internal policies, meet regulatory expectations, and reduce the level of risk to a tolerable threshold. All business involves risk. Anyone who gets in a car in the morning to go to work takes a risk of a traffic accident. The question is one of risk and reward. As long as the reward outweighs the risk, a business can generally be successful. The key is to deploy the right type of controls to reduce risk to an acceptable level, which is sometimes referred to as a risk tolerance.

Management might give an auditor a general control objective to review during the audit, but the primary goal is to verify the confidentiality, integrity, and availability (CIA) of information resources. Assuring compliance is also important. Compliance reviews are an integral part of any IT auditor’s job. Audited systems must meet regulatory and legal requirements while assuring compliance. An auditor can test compliance in several ways, as discussed in this section.

How much substantive testing is required depends on the level of internal controls and the amount of confidence the auditor has in the operation of the internal control structure. When an IS audit examines a system with a large number of internal controls in which the auditor has high confidence, fewer substantive tests are required.

Management uses internal controls to exercise authority and effectively manage the organization. Controls typically start with high-level policy and apply to all areas of the company. IS auditors are interested in IS controls because they are used to verify that systems are maintained in a controlled state. IS controls should protect the integrity, reliability, and accuracy of information and data. Properly implemented IS control objectives should guarantee efficiency and effectiveness, protect the organization against outages, and provide for an effective incident response. As stated earlier, these controls filter down the organizational structure by means of policy and procedure. These procedures can be divided into two categories: general control procedures and IS control procedures.

General control procedures are established by management to provide a reasonable amount of assurance that specific objectives will be achieved. To illustrate, Table 2-5 describes a sampling of general control procedures and IS control procedures.


Table 2-5 Control Procedures

General Control Procedures | Examples of Information System Control Procedures
Internal accounting controls used to safeguard financial records | Procedures that provide reasonable assurance that database administration cannot impact financial statements.
Operational controls that are focused on recovery of day-to-day activities | Business continuity planning (BCP) and disaster-recovery procedures that provide reasonable assurance that the organization is secure against disasters. (BCP covers all critical areas of the organization and is not exclusively an IS control.)
Administrative controls designed for corporate compliance | System-development methodologies and change-control procedures implemented to protect the organization and maintain compliance.
Procedures that safeguard access and use of organizational resources | Procedures that provide reasonable assurance for the control of access to data and programs.
Logical security policies designed to support proper transactions | Procedures that provide reasonable assurance for the control and management of data-processing operations.
Logical security policies designed to support transactional audit trails | Procedures that provide reasonable assurance for the control of networks and communications.
Security policies that address the physical control of data centers | Physical access control procedures that provide assurance for the organization’s safety.

Controls can be preventive, detective, or corrective. Table 2-6 describes these controls in more detail. Regardless of how well controls are designed, they can provide only reasonable assurance. Using the three types of controls in conjunction with each other creates a system of checks and balances, which helps provide a greater level of assurance and ensures that processes operate in a controlled manner. Keep in mind that no system is perfect, and controls will always be subject to error due to breakdowns, system overrides, or the actions of employees or outsiders.


Table 2-6 Control Categories

Class | Function | Example
Preventive | Prevents problems before they occur | Access control software that uses passwords, tokens, and/or biometrics
Detective | Senses and detects problems as they occur | Security logs
Corrective | Reduces the impact of threats and minimizes the impact of problems | Backup power supplies

The key difference between preventive, detective, and corrective controls is in how a threat is handled. A preventive control stops a threat immediately. A detective control identifies a threat after the fact. A corrective control tries to remediate risk of a threat after the fact.

The Auditing Life Cycle

It’s important to view an audit from many perspectives, given the variety of CISA exam questions that can be thrown your way. An audit can be defined as a planned, independent, and documented assessment to determine whether agreed-upon requirements and standards of operations are being met. Basically, it is a review of an operation and its activities. An IS audit deals specifically with the technology used for information processing. An auditor is responsible for reporting the facts and providing an independent review of the technology and manual systems. As an auditor, you are in a position of fiduciary responsibility, which means you hold a position of special trust and confidence.

Audit Methodology

The purpose of an IS audit is to evaluate controls against predetermined control objectives. For example, an operational control objective might be used to ensure that funds accepted on the company’s e-commerce website are properly posted in the company’s bank account. However, in an IS audit, the objective might be expanded to make sure that dollar amounts are entered correctly into the e-commerce website and that they match the posted prices of the items being sold.

An audit methodology is a documented approach for performing an audit in a consistent and repeatable manner. The audit methodology is designed to meet audit objectives by defining the following:

• A statement of work

• A statement of scope

• A statement of audit objectives

The methodology should be approved by management and thoroughly documented so that it provides a highly repeatable process. The audit methodology is an important educational tool for avoiding surprises during an audit. All audit employees must be trained and must have knowledge of the methodology.

The Auditing Life Cycle Steps

Using a structured and repeatable methodology fosters the establishment of boundaries and builds confidence in the audit process. The steps of the audit process are described in greater detail here:

1. Audit subject: Identify which areas are to be audited, based on risk.

2. Audit objective: Define why the audit is occurring. For example, the objective of an audit might be to ensure that access to private information, such as Social Security numbers, is controlled.

3. Audit scope: Identify which specific functions or systems are to be examined.

4. Pre-audit planning: Identify what skills are needed for the audit, how many auditors are required, and what other resources are needed. Necessary policies or procedures should be identified, as should the plans of the audit. The plans should identify what controls will be verified and tested.

5. Data gathering: Identify interviewees, identify processes to be tested and verified, and obtain documents such as policies, procedures, and standards. Develop procedures to test controls.

6. Evaluation of test results: Results will be organization specific. The objective is to review the results.

7. Communication with management: Document preliminary results and communicate them to management.


Tip

Pose initial auditor’s observations as questions—for example, “We observed X. Can you help us understand how this should be handled and why?” Based on feedback and additional evidence, a determination can be made about whether the observation is truly an issue to be reported on the audit report.


8. Preparation of audit report: Ensure that the audit report is the culmination of the audit process and might include the identification of follow-up items.

Chain of Custody and Evidence Handling

Chain of custody is an important issue that cannot be overlooked during an audit—especially one that may be litigated. To show chain of custody, an auditor must be able to account for who had access to the collected data, ensure that the access to the information was controlled, and show that it has been protected from tampering. For example, say that a server was breached, and there is a log file of the user accounts that were logged into the server at the time of the breach. That log file could be captured and preserved by being written to write-once media. The write-once media could indicate when the log file was captured and ensure that evidence cannot be altered. In addition, the evidence would need to be locked up so that from the point when the evidence was captured to the point it is used in court, there is proof that the evidence could not have been altered. This is generally considered maintaining the chain of custody.
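The log-file scenario above, as an added Python example that is not code from the book: the captured bytes are fingerprinted with SHA-256 at capture time (hashing is an added technique, not something the passage mentions; the book relies on write-once media), every hand-off is logged from both sides, and a later presentation of the file is accepted only if it still matches the recorded fingerprint. The log lines, host name, account names, and people named in the custody events are constructed for the example.

```python
import hashlib
from dataclasses import dataclass, field
from typing import List

# Constructed sample of the kind of log captured after a breach (hypothetical host, accounts, addresses).
CAPTURED_LOG = b"""2024-03-14T02:11:07Z app01 sshd: Accepted publickey for svc_backup from 10.0.8.21
2024-03-14T02:13:52Z app01 sshd: Accepted password for jdoe from 10.0.8.44
2024-03-14T02:14:10Z app01 sudo: jdoe : TTY=pts/0 ; COMMAND=/bin/tar cf /tmp/x.tar /var/db
2024-03-14T02:19:33Z app01 sshd: Disconnected from user jdoe 10.0.8.44
"""


@dataclass(frozen=True)
class CustodyEvent:
    timestamp: str   # ISO 8601 in UTC, so lexical order equals chronological order
    actor: str
    action: str


@dataclass
class EvidenceRecord:
    label: str
    sha256: str
    size_bytes: int
    events: List[CustodyEvent] = field(default_factory=list)


def fingerprint(data: bytes) -> str:
    """SHA-256 of the captured bytes; if a later recomputation differs, the evidence was altered."""
    return hashlib.sha256(data).hexdigest()


def capture_evidence(label: str, data: bytes, collected_by: str, collected_at: str) -> EvidenceRecord:
    """First link in the chain: hash the data at capture time and record who captured it and when."""
    rec = EvidenceRecord(label, fingerprint(data), len(data))
    rec.events.append(CustodyEvent(collected_at, collected_by,
                                   "captured; hash recorded; copy written to write-once media"))
    return rec


def transfer_custody(rec: EvidenceRecord, from_actor: str, to_actor: str, at: str, storage: str) -> None:
    """Log every hand-off from both sides so the record accounts for who held the evidence at all times."""
    rec.events.append(CustodyEvent(at, from_actor, f"released to {to_actor}"))
    rec.events.append(CustodyEvent(at, to_actor, f"received from {from_actor}; stored in {storage}"))


def verify_integrity(rec: EvidenceRecord, data: bytes) -> bool:
    """True only if the bytes presented now are exactly the bytes hashed at capture."""
    return len(data) == rec.size_bytes and fingerprint(data) == rec.sha256


def chronology_is_consistent(rec: EvidenceRecord) -> bool:
    """Custody events must not run backwards in time; an out-of-order entry is a gap that would be challenged in court."""
    stamps = [e.timestamp for e in rec.events]
    return stamps == sorted(stamps)


if __name__ == "__main__":
    record = capture_evidence("app01-auth-log", CAPTURED_LOG, "A. Auditor", "2024-03-14T03:00:00Z")
    transfer_custody(record, "A. Auditor", "Evidence Custodian", "2024-03-14T09:30:00Z", "locked evidence safe")
    print("original intact:", verify_integrity(record, CAPTURED_LOG))
    altered = CAPTURED_LOG.replace(b"jdoe", b"jsmith")   # a tampered copy with one account renamed
    print("altered copy intact:", verify_integrity(record, altered))
    print("chronology consistent:", chronology_is_consistent(record))
    for e in record.events:
        print(e.timestamp, e.actor, e.action)
```

The write-once media in the book’s example gives physical assurance; the recorded fingerprint adds a check anyone can repeat later, and the two-sided custody log is what answers the “who had access” question the passage raises.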

Evidence handling refers to the auditor handling any information obtained during the audit. Evidence can be obtained from interviews, work papers, direct observation, internal documentation, compliance testing, and/or substantive testing. All evidence is not created equal; some evidence has more value and provides a higher level of confidence than other forms. Evidence the auditor obtains should be sufficient, usable, reliable, and relevant, and it should achieve audit objectives effectively. This is sometimes referred to as the SURRE rule:

Sufficient

Usable

Reliable

Relevant

Effective

CISA candidates should be aware of ISACA standards for auditing and should understand how evidence can be used to support any findings. The ISACA website is available at www.isaca.org and provides both standards and guidelines related to evidence handling:

• IS Audit and Assurance Standard 1205 on Evidence

• IS Audit and Assurance Guideline 2205 on Evidence

Table 2-7 lists some basic questions to answer in determining the reliability of evidence.


Table 2-7 Evidence Reliability

Question | Description
Is the provider of the evidence independent? | Evidence from inside sources is not considered as reliable as evidence obtained from outside sources.
Is the evidence provider qualified? | The person providing the evidence has to have his or her qualifications reviewed to validate his or her credibility.
How objective is the evidence? | Some evidence requires considerable judgment; other evidence (such as dollar amounts) is easy to evaluate.
When is the evidence available? | Backups, the write process, and updates can affect when and how long evidence is available.

Auditors should observe auditees in the performance of their duties to assist in gathering evidence and understanding how procedures, job roles, and documentation match actual duties. Auditors should perform the following:

• Observe employee activity

• Examine and review procedures and processes

• Verify employee security awareness training and knowledge

• Examine reporting relationships to verify segregation of duties

Automated Work Papers

An important part of auditing methodology is documentation. Findings, activities, and tests should be documented in work papers (WPs), which can be either hard copy or electronic documents. Regardless of how they are created and stored, they must be properly dated, labeled, detailed, clear, and self-contained. ISACA IS auditing standards and guidelines detail specifications that pertain to WPs. WPs are subject to review by regulators.

Auditors are aware of the importance of the control of WPs; these same controls must be provided for automated WPs. Controls that protect the confidentiality, integrity, and availability of electronic WPs should be applied at the same level as their paper-based counterparts. Some items to consider include the following:

• Encryption to provide confidentiality

• Backups to provide availability

• Audit trails and controls

• Access controls to maintain authorized access


Note

Remember that accountability for maintaining confidentiality of paper, electronic, and sensitive client information rests with an auditor. Sensitive information should always be protected.


CAATs

Audit teams in recent years have moved to simplify and automate the auditing process. Although auditors have used word processors and spreadsheet programs for quite some time, audit teams are moving to more advanced methods for automating WPs. Computer-assisted audit techniques (CAATs) are one example of this. CAATs are software audit tools used for statistical sampling and data analysis.

An area of particular interest to auditors is sampling using software. What do you do when you cannot test an entire population or a complete batch? You use sampling—which is the process of selecting items from a population of interest. The practice of sampling can give the auditor generalized results for the population as a whole. There are two basic types of audit sampling:

• Statistical sampling: This type of sampling is based on probability. Every item in the population has a known chance of selection. The prominent feature of statistical sampling is its capability to measure risk and the use of quantitative assessment. An auditor quantitatively determines the sample size and confidence level.

• Nonstatistical sampling: This type of sampling involves using auditor judgment to select the sample size and determine which items to select. Nonstatistical sampling is also known as judgmental sampling.

Each sampling type, statistical and nonstatistical, has two subgroups of sampling techniques:

• Variable sampling: Variable sampling is used primarily for substantive testing. It measures characteristics of the sample population, such as dollar amounts or other units of measurement.

• Attribute sampling: Attribute sampling is used primarily for compliance testing. It records deviations by measuring the rate of occurrence that a sample has a certain attribute. Attribute sampling can be further divided into three subcategories:

  • Frequency estimating sampling: Answers the question “How many?”

  • Stop-and-go sampling: Used when it is believed that few errors exist

  • Discovery sampling: Used to discover fraud or irregularities


Note

When sampling is required, the most appropriate method is to pull samples by using an automated tool.
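The sampling ideas above (a known selection probability, a quantitatively chosen sample size and confidence level, attribute versus variable measurement, and the stop-and-go and discovery variants) are easier to reason about in working code. The following is an added example, not code from the book or from any CAAT product: the invoice population, its approval control and the every-433rd-invoice deviation pattern are constructed, and the sample-size and upper-limit arithmetic is the standard binomial calculation rather than a specific ISACA table.

```python
"""Statistical audit sampling helpers.

Constructed illustration of the sampling types described in the text
(attribute, variable, discovery and stop-and-go sampling).  Not code from
the book or from ISACA; the invoice population and control are made up."""
import math
import random
from dataclasses import dataclass
from typing import Callable, List, Sequence, Tuple


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    amount: float   # measured by variable sampling (substantive testing)
    approved: bool  # tested by attribute sampling (compliance testing)


def build_population(size: int = 1300) -> List[Invoice]:
    """Constructed data: `size` invoices with deterministic amounts; the
    approval control failed on every 433rd invoice (3 deviations in 1,300)."""
    return [Invoice(i, 100.0 + (i * 37) % 900, i % 433 != 0)
            for i in range(1, size + 1)]


def discovery_sample_size(confidence: float, critical_rate: float) -> int:
    """Discovery sampling: smallest n for which a population with at least
    `critical_rate` deviations would show one in the sample with probability
    `confidence`, i.e. (1 - rate)^n <= 1 - confidence.  The same n is the
    attribute sample size when no deviations are expected."""
    if not (0 < confidence < 1 and 0 < critical_rate < 1):
        raise ValueError("confidence and critical_rate must lie in (0, 1)")
    return math.ceil(math.log(1 - confidence) / math.log(1 - critical_rate))


def statistical_sample(population: Sequence[Invoice], n: int, seed: int) -> List[Invoice]:
    """Random selection without replacement: every item has the same known
    chance n/N of selection.  Keep the seed in the work papers so a reviewer
    can reproduce exactly the same selection."""
    if n > len(population):
        raise ValueError("sample larger than population")
    return random.Random(seed).sample(list(population), n)


def binomial_cdf(k: int, n: int, p: float) -> float:
    """P(X <= k) for X ~ Binomial(n, p)."""
    return sum(math.comb(n, j) * p ** j * (1 - p) ** (n - j) for j in range(k + 1))


def upper_deviation_limit(n: int, deviations: int, confidence: float, grid: int = 1000) -> float:
    """Achieved upper deviation rate: the smallest rate (on a 1/grid grid) at
    which observing `deviations` or fewer in n items has probability
    <= 1 - confidence.  The auditor compares it with the tolerable rate."""
    for i in range(1, grid + 1):
        rate = i / grid
        if binomial_cdf(deviations, n, rate) <= 1 - confidence:
            return rate
    return 1.0


def attribute_deviation_rate(sample: Sequence[Invoice], control: Callable[[Invoice], bool]) -> float:
    """Attribute sampling: share of sampled items that fail the control test."""
    return sum(1 for inv in sample if not control(inv)) / len(sample)


def mean_per_unit_estimate(sample: Sequence[Invoice], population_size: int) -> float:
    """Variable sampling: project the sample's mean amount onto the population."""
    return sum(inv.amount for inv in sample) / len(sample) * population_size


def stop_and_go(population: Sequence[Invoice], control: Callable[[Invoice], bool],
                confidence: float, tolerable_rate: float,
                block: int = 20, seed: int = 1) -> Tuple[int, int, bool]:
    """Stop-and-go sampling: examine random items in blocks and stop as soon
    as the achieved upper limit is within the tolerable rate.  With few or no
    deviations this ends well before a fixed-size sample would."""
    order = statistical_sample(population, len(population), seed)  # random permutation
    examined = found = 0
    while examined < len(order):
        found += sum(1 for inv in order[examined:examined + block] if not control(inv))
        examined = min(examined + block, len(order))
        if upper_deviation_limit(examined, found, confidence) <= tolerable_rate:
            return examined, found, True
    return examined, found, False


def approval_control(inv: Invoice) -> bool:
    return inv.approved


if __name__ == "__main__":
    pop = build_population()
    n = discovery_sample_size(confidence=0.95, critical_rate=0.05)
    sample = statistical_sample(pop, n, seed=2024)
    k = sum(1 for inv in sample if not approval_control(inv))
    print(f"discovery sample size at 95%/5%: {n}")
    print(f"sample deviation rate: {attribute_deviation_rate(sample, approval_control):.4f}")
    print(f"achieved upper limit with {k} deviation(s): {upper_deviation_limit(n, k, 0.95):.3f}")
    print(f"estimated population total: {mean_per_unit_estimate(sample, len(pop)):,.2f}")
    print("stop-and-go (examined, deviations, stopped early):",
          stop_and_go(pop, approval_control, 0.95, 0.05))
```

Run as a script, the module prints the 95 percent / 5 percent discovery sample size, the deviation rate and achieved upper limit of one seeded random sample, the mean-per-unit projection of the population total, and where stop-and-go halted. The seed is the piece of evidence that lets a reviewer reproduce the selection from the work papers rather than take the auditor's word for it.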


Sampling is not the only way to ensure compliance. Ongoing monitoring might be required. One ongoing monitoring method is to use embedded audit modules. Embedded modules are designed to be an integral part of an application and to identify and report specific transactions or other information, based on predetermined criteria. Identification of reportable items occurs as part of real-time processing. Reporting can be performed by means of real-time processing or online processing, or it can use store-and-forward methods. Parallel simulation is another test technique; it compares the real processing results with results generated independently by the auditor. Integrated test facilities (ITFs) use data that represents fake entities, such as products, items, or departments. ITF data is processed on actual production systems.
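To make the differences between an embedded audit module, an integrated test facility and parallel simulation concrete, here is an added example that is not code from the book: the ledger, the three reporting criteria, the DEPT-ITF department name and the four transactions are all constructed for the illustration.

```python
"""Embedded audit module, integrated test facility and parallel simulation.

Constructed illustration of the three techniques described in the text; not
code from the book.  The ledger, criteria and transactions are made up."""
from dataclasses import dataclass
from datetime import datetime
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Transaction:
    txn_id: str
    department: str
    submitted_by: str
    approved_by: str
    amount: float
    posted_at: datetime


# Predetermined criteria the embedded module evaluates on every transaction.
CRITERIA: Dict[str, Callable[[Transaction], bool]] = {
    "amount_over_limit": lambda t: t.amount > 10_000,
    "self_approved": lambda t: t.submitted_by == t.approved_by,
    "after_hours": lambda t: not (8 <= t.posted_at.hour < 18),
}

# Fake entity owned by the auditor: its records flow through the production
# code but are kept out of the real figures (integrated test facility).
ITF_DEPARTMENTS = {"DEPT-ITF"}


class EmbeddedAuditModule:
    """Identifies reportable items during real-time processing.  Reports go to
    a real-time sink when one is configured; otherwise they are queued and
    delivered later (store-and-forward)."""

    def __init__(self, criteria: Dict[str, Callable[[Transaction], bool]],
                 realtime_sink: Optional[Callable[[dict], None]] = None):
        self.criteria = criteria
        self.realtime_sink = realtime_sink
        self.queue: List[dict] = []

    def inspect(self, txn: Transaction) -> List[str]:
        hits = [name for name, test in self.criteria.items() if test(txn)]
        if hits:
            report = {"txn_id": txn.txn_id, "criteria": hits, "amount": txn.amount}
            if self.realtime_sink is not None:
                self.realtime_sink(report)
            else:
                self.queue.append(report)
        return hits

    def forward(self) -> List[dict]:
        """Deliver queued reports to the auditor and clear the queue."""
        batch, self.queue = self.queue, []
        return batch


class Ledger:
    """Production posting logic with the audit module hooked into it."""

    def __init__(self, eam: EmbeddedAuditModule):
        self.eam = eam
        self.balances: Dict[str, float] = {}      # real departments
        self.itf_balances: Dict[str, float] = {}  # auditor's fake entity

    def post(self, txn: Transaction) -> None:
        self.eam.inspect(txn)  # the audit hook runs inside normal processing
        book = self.itf_balances if txn.department in ITF_DEPARTMENTS else self.balances
        book[txn.department] = book.get(txn.department, 0.0) + txn.amount


def parallel_simulation(transactions: List[Transaction]) -> Dict[str, float]:
    """Auditor's independent recomputation of what the ledger should hold,
    written separately from the production code it checks."""
    expected: Dict[str, float] = {}
    for t in transactions:
        if t.department not in ITF_DEPARTMENTS:
            expected[t.department] = expected.get(t.department, 0.0) + t.amount
    return expected


def compare(actual: Dict[str, float], expected: Dict[str, float]) -> Dict[str, tuple]:
    """Departments where production and simulation disagree (empty on a match)."""
    keys = set(actual) | set(expected)
    return {k: (actual.get(k), expected.get(k)) for k in keys
            if abs(actual.get(k, 0.0) - expected.get(k, 0.0)) > 0.005}


SAMPLE_TRANSACTIONS = [  # constructed input
    Transaction("T1", "DEPT-A", "alice", "bob", 500.0, datetime(2024, 3, 4, 10, 0)),
    Transaction("T2", "DEPT-A", "carol", "carol", 12_000.0, datetime(2024, 3, 4, 22, 30)),
    Transaction("T3", "DEPT-ITF", "auditor", "reviewer", 15_000.0, datetime(2024, 3, 4, 11, 0)),
    Transaction("T4", "DEPT-B", "dave", "erin", 250.0, datetime(2024, 3, 5, 7, 30)),
]


def run_demo(transactions: List[Transaction] = SAMPLE_TRANSACTIONS) -> dict:
    eam = EmbeddedAuditModule(CRITERIA)  # store-and-forward mode
    ledger = Ledger(eam)
    for t in transactions:
        ledger.post(t)
    return {
        "balances": ledger.balances,
        "itf_balances": ledger.itf_balances,
        "reports": eam.forward(),
        "mismatches": compare(ledger.balances, parallel_simulation(transactions)),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Note that the ITF transaction T3 is evaluated by the same criteria as everything else (it trips the amount limit), which is the point of running test entities through production: the control under test sees them exactly as it sees real data, while the separate ITF book keeps them out of the department balances that the parallel simulation reconciles.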

Audit Closing

After interviewing employees, reviewing documentation, performing testing, and making personal observations, an auditor is ready to compile the information and provide findings. These findings should be recorded in the audit opinion. The audit opinion is part of the auditor’s report and should include the following components:

- Name of the organization being audited

- Auditor’s name, date, and signature

- Statement of audit objectives

- Audit scope

- Any limitations of scope

- Audience

- Standards used in the audit

- Details of the findings

- Conclusions, reservations, and qualifications

- Suggestions for corrective actions

- Other significant events


Caution

Auditors should always attempt to follow written procedures. If procedures are not followed, the auditor must keep documentation on why procedures were not followed and what the findings were.


Report Writing

After the closing session, typically an auditor has all the information needed to write the audit report. The auditor should be clear and unambiguous about which issues should be in the report and the reasoning. The audit report language should be equally clear and supported by the evidence obtained.

An audit report is designed to provide the information needed to persuade the audience where corrective action is needed and why. An audit report with no major issues is valuable! Such an audit report confirms that the controls in place are working effectively, which means management can spend limited resources elsewhere.

When issues are raised, a well-written audit report is a call to action for leadership to not only improve control defects but potentially address why it took an auditor to find the control defect.

When writing an audit report, consider this sampling of best practices:

- Timely manner: An audit report issued months after an audit is completed may no longer represent the current state of controls.

- Report classification: Be clear on the intended recipients and any restrictions on handling.

- Key message: Keep the report centered on the final opinion and key supporting evidence; keep the focus on the results and not on how those results were obtained.

- Scope clarity: Be sure the reader knows immediately the scope of the audit and any qualifications, such as the results being limited to compliance tests versus substantive tests.

- Severity of issues: A good audit report tells the reader the severity of the issues and opinion in the context of the risk; the audit report tells a risk story and should be compelling.

- Tech jargon: Avoid unnecessary technical language. Effective audit reports use simple language to convey powerful ideas.

- Leverage WPs: Keep details in the work papers.

The Control Self-Assessment Process

In an ideal world, any control defect should be identified and remediated through the risk management program. One step closer to an ideal state is to identify and remediate control defects through the control self-assessment process, which is when the business participates in a formal self-assessment.

Although the traditional approach to auditing has proven itself over the years, it does have some problems, primarily because responsibility for the audit is placed on the auditors. Managers and employees might feel that it is an auditor’s job to find and report problems. Using a control self-assessment (CSA) is an attempt to overcome the shortcomings of the traditional approach. According to ISACA, the CSA methodology is designed to provide assurance to stakeholders, customers, and employees that internal controls have been designed to minimize risks.

CSAs are used to verify the reliability of internal controls. Unlike in traditional auditing, some of the control monitoring responsibilities are shifted to functional areas of the business. Because the functional areas are directly involved and play an important role in the design of the controls that protect critical assets, employees tend to be motivated. CSAs also tend to raise the level of control, which allows risk to be detected sooner and, consequently, reduces cost.

Table 2-8 outlines the differences between traditional auditing and the CSA approach.

Table 2-8 CSA Versus Traditional Auditing

CSA: Empowers employees and gives them responsibility
Traditional auditing: Places responsibility on the auditing staff and management

CSA: Offers a method for continuous improvement
Traditional auditing: Limited by policies and rules and does not involve functional area management or give them as much control

CSA: Involves employees and raises their level of awareness
Traditional auditing: Offers little employee participation

CSA: Involves staff and employees and makes them the first line of control
Traditional auditing: Decreased awareness of staff and employees of internal controls and their objectives

You might be thinking that CSA appears to be a cure for all auditing problems, but it does have drawbacks. Some individuals have a misconception that CSAs can replace audits. This is not correct. CSA was not designed to replace the audit function; it was designed to enhance the audit function. Some employees might also offer objections because a CSA program places an additional workload on employees. The key to making a CSA program work is to identify what processes are the most important to the department under examination.

Interviews, meetings with appropriate business unit employees, and questionnaires are some of the methods used to identify key processes. COBIT 5 under the Monitor and Evaluation Section documents the CSA control objectives (referred to as COBIT 5 ME2.4) and provides related material for CSA.

Continuous Monitoring

Both the speed of transactions and the volume of accompanying data have exploded in recent years. Changes in technology result in quicker transactions, and the need for instant information has grown.

Continuous monitoring can help meet the demand. Continuous monitoring allows an auditor to program certain control tests. It can alert an auditor to a potential threat or control breakdown. Continuous monitoring is not itself an audit. When a potential threat or control breakdown is detected through continuous monitoring, further examination through an audit is typically required. This is akin to a doctor finding an abnormality in an X-ray and wanting to run further tests to understand more.

Continuous monitoring works well for automated processes that capture, manipulate, store, and disseminate data. Research produced by the American Institute of Certified Public Accountants and the Chartered Professional Accountants of Canada found that six preconditions should be present before an organization can adopt continuous auditing:

- The system must have acceptable characteristics. Cost and factors such as technical skill must be considered.

- The information system must be reliable, have existing primary controls, and collect data on the system.

- The information system must have a highly automated secondary control system.

- The auditor must be proficient in the system and information technology.

- The audit process must offer a reliable method for obtaining the audit procedure results.

- Verifiable controls of the audit reporting process must exist.

There are challenges in implementing a continuous monitoring program. It is important to allocate the appropriate amount of time and effort for the development of a continuous auditing environment. Auditors need to acquire the skills for this program to meet the demands of the changing audit environment.

Quality Assurance

The core concept of quality assurance (QA) is to improve two key attributes: quality and adherence. In both cases, you need to measure the QA results with a yardstick. In other words, QA needs a definition of quality and adherence. The QA process tests transactions against the quality and adherence yardsticks. Deviations are typically reported to the business for remediation.

At a minimum, adherence should mean adherence to the organization’s standards. Consequently, adherence expectations should be well defined and easier than quality to measure. When regulatory obligations are baked into an organization’s standards, adherence to the standards results in adherence to regulatory obligations.

If quality expectations are baked into standards, adherence to those standards can drive improvement in quality. If they are not defined in standards, then separate testing is needed through the QA program.

Defects identified and corrected through a QA program are generally not considered an audit issue. This is because the QA process is a control specifically designed to catch and remediate defects. As long as the defect rate stays at acceptable levels, the QA process is working as it is designed to work.

An auditor’s interest in the QA process should be to perform testing of the controls to ensure that the program is well designed and effective. The QA process is audited as any other process, starting with understanding the intent and overall design. The QA process would most likely result in an operational audit that includes both compliance and substantive testing.

The Challenges of Audits

Most auditors realize early in their careers that auditing can be challenging and is not a popularity contest. It’s important to keep in mind that an auditor’s presence disrupts the normal operations of the business and can make staff feel uncomfortable. Individuals may take an audit personally and consider it a grading of their work. Some individuals may perceive a negative outcome of an audit to reflect their competency and to have a negative impact on their career.

Many of these fears are unwarranted. An auditor must nevertheless overcome any unwarranted perceptions and demonstrate confidence. A smart, experienced auditor doesn’t waste people’s time and makes a point to ask relevant questions. The better the auditor knows the business and can ask insightful and deep questions, the more likely it is that the business will have confidence in the audit.

An audit is successful when the business recognizes that the auditor has no agenda beyond finding risk exposures that allowed the business to potentially avoid business disruptions or losses. This perception of value is not always shared by a control owner who has a defect identified through an audit. The reactions can range from reluctant admission to lukewarm denial to borderline threats of complaints about the auditor to management. Police officers are not often thanked for issuing speeding tickets, but those tickets inevitably save some lives!

Communicating Results

The best way to avoid surprises is to communicate frequently to the stakeholders of an audit. A common pitfall is waiting until the end of an audit to communicate any major issue. It’s highly effective to communicate interim observations to the control owner, who can provide supplemental evidence if necessary.

When examination concludes, an auditor needs to be clear and concise about the type of opinion that will be reported. An auditor looks at the controls, the findings, and the supporting evidence in the context of all the material respects of the design and operational control procedures tested. The auditor then forms an opinion, in one of four possible categories, illustrated in Table 2-9.

Table 2-9 Audit Opinion Categories

Unqualified opinion: Testing and obtained evidence are complete and persuasive.

Qualified opinion: Appropriate testing and obtained evidence exist that cite instances of control weaknesses, but the opinion cannot conclude that the control weakness is pervasive.

Adverse opinion: Multiple significant deficiencies add up to a material and pervasive weakness.

Disclaimer: An auditor cannot obtain appropriate evidence on which to base an opinion.

These opinions can be applied to either an entire audit report or a specific finding. For example, say that you have 10 findings, of which 9 are unqualified in that the evidence and testing obtained are clear and persuasive. Now assume the tenth issue is qualified because the test results are just not clear in terms of the extent to which the control weakness exists. At this point, an auditor has a few choices, depending on the nature of the issues found. The auditor could drop the tenth issue from the report and issue the entire report as an unqualified opinion. Alternatively, the auditor could issue the report as qualified and clearly state that the tenth issue indicates a concern that may not be fully understood.

Many organizations determine an audit report opinion based on the scope, number, and severity of risks found. These audit rating labels can vary greatly. For example, a simple rating scheme for audit reports could be unrated, satisfactory, and unsatisfactory, based on the following mapping to opinion categories:

- Unrated report: Some findings disclaimed

- Satisfactory report: A low volume of qualified or unqualified findings

- Unsatisfactory report: Any adverse opinion


Note

ISACA expects CISA candidates to understand audit opinion categories and how they are applied.


Negotiation and the Art of Handling Conflicts

Negotiations start when an auditor begins communicating observations or findings to stakeholders. An auditor can expect disagreements. The key obligation of an auditor is to ensure that any observation or finding is fact based and fair and that the conclusion is reasonable, given the obtained evidence. Reaching consensus may not always be possible.

When stakeholders want to challenge and negotiate, their arguments typically fall within three possible areas of disagreement:

1. The finding itself: Are the facts accurate and complete?

2. The severity of the finding: Is the risk well calculated?

3. The process by which the finding was identified: Was the testing fair and unbiased?

It’s important for an auditor to review the facts and evidence from the client perspective for gaps or inconsistencies. An audit that is well prepared with facts and a well-documented audit program can be very persuasive.

Conflict can be handled by staying calm and letting the audit process and results speak for themselves. When you have a sound audit process, your observations (that is, findings) will be strong. As a result, many conflicts and negotiations focus on the severity and the aggregated risk as the point of disagreement.

The best way to negotiate and cut down the disagreements is to make an audit report relevant to the business. Relevance is critical for stakeholder satisfaction. Focus the interim discussions on each individual finding to ensure that it is factual. As the audit begins to wind down, the negotiation focus will shift to the severity. The overall audit report rating is typically reserved for discussion with senior leaders. Discussing the overall rating with key stakeholders (such as the control owner) will help drive awareness and provide an opportunity for senior leaders to negotiate any concerns with the report’s wording.

Any audit report rating is typically not open to negotiation. Once the facts have been verified, an auditor must issue an independent opinion. Independence is not only the concern of the auditor but also of senior management, who need an independent view of their control environment.

Chapter Summary

This chapter discusses the foundational items needed to understand the IS audit process. The goal of this chapter is to provide you with basic knowledge to help you master the IS audit job practice domain area of the CISA exam. The exam ensures that individuals have the competency to be successful auditors, and this includes having a strong understanding of ISACA IS auditing standards and guidelines.

This chapter discusses the auditor’s valuable position in the organization and the need for the auditor to abide by legal and ethical standards, including the ISACA Code of Professional Ethics.

This chapter discusses the fact that auditors must also be able to evaluate and understand risks. Organizations have limited resources, so it’s important to identify areas of high risk and focus auditing efforts there. An effective auditor focuses on those areas and uses effective communication skills to facilitate and negotiate positive improvements to reduce material risks.

The next chapter builds on what you have learned in this chapter and focuses on the role of IT governance, with an emphasis on management routines.

Exam Preparation Tasks

As mentioned in the section “How to Use This Book” in the Introduction, you have a couple of choices for exam preparation: the exercises here; Chapter 10, “Final Preparation;” and the exam simulation questions on the book’s companion web page (www.informit.com/title/9780789758446).

Review All the Key Topics

Review the most important topics in this chapter, noted with the Key Topic icon in the outer margin of the page. Table 2-10 lists these key topics and the page number on which each is found.

Table 2-10 Key Topics in Chapter 2

Key Topic Element: Description (Page Number)

Table 2-2: Important work-related skills (page 27)

Table 2-3: Description of standards, procedures, guidelines, and baselines (page 31)

List: ISACA standards for IS auditing and assurance (page 33)

Step List: Procedure for verifying regulatory compliance (page 38)

Table 2-4: Key risk types (page 41)

Step List: Risk management process (page 43)

Table 2-5: Control procedures (page 46)

Table 2-6: Control categories (page 47)

Table 2-7: Evidence reliability (page 50)

Table 2-8: Control self-assessment (CSA) attributes (page 55)

Table 2-9: Audit opinion category descriptions (page 58)

Complete Tables from Memory

Print a copy of Appendix B, “Memory Tables” (found on the companion web page), or at least the section for this chapter, and complete the tables from memory. Appendix C, “Memory Tables Answer Key,” also on the companion web page, includes completed tables you can use to check your work.

Define Key Terms

Define the following key terms from this chapter and check your answers against the glossary:

baselines

chain of custody

Code of Professional Ethics

compliance test

computer-assisted audit techniques (CAATs)

continuous monitoring

control risk

control self-assessment (CSA)

detection risk

fiduciary

financial audit

guidelines

inherent risk

integrated audit

knowledge statements

material

nonstatistical sampling

operational audit

procedures

risk acceptance

risk avoidance

risk reduction

risk transference

standards

statistical sampling

substantive test

task statements

Exercises

2.1 Network Inventory

Estimated time: 15 minutes

This chapter introduces some of the aspects of the IS audit process, including risk. As you might remember, the risk assessment process consists of the following steps:

1. Implement a formal risk management program.

2. Identify assets.

3. Identify threats.

4. Perform risk analysis.

5. Disposition of risk.

6. Monitor.

This exercise introduces you to one way to perform the second step of the risk process, identifying assets. Although ISACA does not test knowledge on the use of any type of applications, this exercise is designed to provide a deeper understanding of the material.

This exercise looks at an automated inventory tool used to audit systems and software.

1. Download Network Inventory from https://emcosoftware.com/download. Network Inventory generates hardware and software information for Microsoft networks and also verifies software license information.

2. Execute the setup program as shown in Figure 2-1. Accept the license agreement and all default installation settings.

Screenshot of EMCO Network Inventory Professional Setup window is shown. The left section of the screen shows a computer and the right section reads the setup instruction. The next button is selected.

Figure 2-1 Network Inventory Professional Setup

3. When the program launches, choose Enumerate LAN to have the program scan the local network and identify available systems (see Figure 2-2). Allow the program several minutes to finish its enumeration.

Screenshot displays EMCO Network Inventory Professional window.

Figure 2-2 LAN Enumeration

4. When the enumeration has finished, from the Machine Management window, under Installed Applications, highlight your local computer. The Data field to the right then lists all applications discovered on the local computer, as shown in Figure 2-3.

Screenshot shows Installed Applications in EMCO Network Inventory Professional window.

Figure 2-3 Installed Applications

5. The program provides an easy way to quickly see all programs that have been installed. To learn more about any one application, simply double-click it to display information similar to what is shown in Figure 2-4.

Screenshot shows the dialog box of Installed Application detail overlapping the window EMCO Network Inventory Professional.

Figure 2-4 Application Details

6. Spend some time looking at the other types of information that Network Inventory can provide to an auditor. In the Machine Management window, examine some of the other types of information the program can provide, such as processes, hotfixes, scheduled tasks, and user accounts.

Review Questions

1. Which of the following best describes a baseline document?

a. A PCI industry standard requiring a 15-minute session timeout

b. Installation step recommendations from the vendor for an Active Directory server

c. A network topography diagram of the Active Directory forest

d. Security configuration settings for an Active Directory server

2. Which audit opinion best describes a finding that failed a compliance test in 3 of 1,300 locations?

a. Unqualified

b. Qualified

c. Adverse

d. Disclaimer

3. Which of the following best describes integrated auditing?

a. Integrated auditing places internal control in the hands of management and reduces the time between the audit and the time of reporting.

b. Integrated auditing combines the operational audit function, the financial audit function, and the IS audit function.

c. Integrated auditing combines the operational audit function and the IS audit function.

d. Integrated auditing combines the financial audit function and the IS audit function.

4. Which storage of evidence would best preserve the chain of custody of evidence obtained during an audit?

a. Locked department safe behind card access doors

b. Offsite location, such as home, out of reach by anyone at work

c. Archival at a third-party offsite facility

d. Locked cabinet on the department floor with only one key, in the possession of the auditor

5. Which of the following best describes risk that can be caused by the failure of internal controls and can result in a material error?

a. Residual risk

b. Inherent risk

c. Detection risk

d. Control risk

6. Which of the following is not one of the best techniques for gathering evidence during an audit?

a. Attend board meetings

b. Examine and review actual procedures and processes

c. Verify employee security awareness training and knowledge

d. Examine reporting relationships to verify segregation of duties

7. Which of the following is not an advantage of control self-assessment (CSA)?

a. CSA helps provide early detection of risks.

b. CSA is an audit function replacement.

c. CSA reduces control costs.

d. CSA provides increased levels of assurance.

8. If an auditor cannot obtain the material needed to complete an audit, what type of opinion should the auditor issue?

a. Unqualified opinion

b. Qualified opinion

c. Adverse opinion

d. Disclaimer

9. Which of the following is the best example of general control procedures?

a. Internal accounting controls used to safeguard financial records

b. Business continuity and disaster-recovery procedures that provide reasonable assurance that the organization is secure against disasters

c. Procedures that provide reasonable assurance for the control of access to data and programs

d. Procedures that provide reasonable assurance and have been developed to control and manage data-processing operations

10. Which of the following describes a significant level of risk that the organization is unwilling to accept?

a. Detection risk

b. Material risk

c. Business risk

d. Irregularities

11. Which of the following is the most accurate description of a substantive test in which the data represents fake entities such as products, items, or departments?

a. Parallel tests

b. Integrated test facility

c. Embedded audit module

d. Test data

12. You need to review an organization’s balance sheet for material transactions. Which of the following would be the best sampling technique?

a. Attribute sampling

b. Frequency estimating sampling

c. Stop-and-go sampling

d. Variable sampling

13. Which of the following best describes types of questions that might be on the CISA exam related to how to implement specific risk types discussed in this chapter?

a. Task statements

b. Operational audits

c. Knowledge statements

d. Integrated audits

14. Which of the following is not a benefit of CSA?

a. Provides early detection of risks

b. Reduces potential audit costs

c. Increases employee awareness of internal controls

d. Can be used to avoid a regulator audit

15. Which of the following should have priority on the planning and scoping of an IS audit?

a. Company standards

b. Organization’s master plan

c. Regulatory requirements

d. Industry best practices

- ISACA IS audit and assurance guidelines: www.isaca.org/Knowledge-Center/ITAF-IS-Assurance-Audit-/IS-Audit-and-Assurance/Pages/IT-Audit-and-Assurance-Guidelines.aspx

- IS audit basics: www.isaca.org/Journal/archives/2017/Volume-2/Pages/risk-based-audit-planning-for-beginners.aspx

- COBIT: www.isaca.org/cobit/pages/default.aspx

- Auditing Standard 15—Audit evidence: https://pcaobus.org/Standards/Auditing/pages/auditing_standard_15.aspx

- Auditor’s responsibility for fraud detection: www.claconnect.com/resources/articles/are-financial-auditors-responsible-for-detecting-internal-fraud

- NIST Cybersecurity Framework: www.nist.gov/news-events/news/2017/01/nist-releases-update-cybersecurity-framework
