Cisa Exam Cram 2

To ensure the audit is comprehensive, you will use guidelines to assist you in applying IS Auditing Standards. These standards define the mandatory requirements for IS auditing and reporting, as well as provide a minimum level of performance for auditors. The Information Systems Auditing Association (ISACA) provides the auditing community with guidance in the form of auditing guidelines, standards, and polices specific to information systems (IS) auditing. One of the goals of the ISACA is to advance globally applicable standards to meet its vision. The development and dissemination of the IS Auditing Standards is a cornerstone of the ISACA professional contribution to the audit community. The ISACA framework for the IS Auditing Standards provides multiple levels of guidance for conducting IT audits.

There are 8 categories and 12 overall IS auditing standards. IS Auditing Standards are brief mandatory requirements for certification holders' reports on the audit and its findings. IS Auditing Guidelines and Procedures give detailed guidance on how to follow those standards. The IS Auditing Guidelines provide a framework an IS auditor normally follows, with the understanding that in some situations the auditor will not follow that guidance. In this case, it is the IS auditor's responsibility to justify the way in which the work is done. The Procedures examples show the steps performed by an IS auditor and are more informative than IS Auditing Guidelines. Table 1.1. provides ISACA's definition of standards, guidelines, and procedures.

Table 1.1. IS Auditing Procedures

Standards

Define mandatory requirements for IS auditing and reporting. Standards inform IS auditors of the minimum level of acceptable performance required to meet the professional responsibilities set out in the ISACA Code of Professional Ethics for IS auditors. Standards inform management and other interested parties of the profession's expectations concerning the work of practitioners Holders of the Certified Information Systems Auditor (CISA) designation of requirements. Failure to comply with these standards can result in an investigation into the CISA-holder's conduct by the ISACA Board of Directors or appropriate ISACA committee and, ultimately, in disciplinary action.

Guidelines

Provide guidance in applying IS Auditing Standards. The IS auditor should consider them in determining how to achieve implementation of the standards, use professional judgment in their application, and be prepared to justify any departure. The objective of the IS Auditing Guidelines is to provide further information on how to comply with the IS Auditing Standards.

Procedures

Provide examples of procedures an IS auditor might follow in an audit engagement. The procedure documents provide information on how to meet the standards when performing IS auditing work, but they do not set requirements. The objective of the IS Auditing Procedures is to provide further information on how to comply with the IS Auditing Standards.

Auditing Standards Explained

The examples are constructed to follow the IS Auditing Standards and the IS Auditing Guidelines, and provide information on following the IS Auditing Standards. To some extent, they also establish best practices for procedures to be followed.

Codification

The eight standards categories are the first three digits in a document number. IS Auditing Standards begin with 0; Standards for IS Control Professionals begin with 5. The standards numbers are the second three numbers in the document. The third set of three digits in a document number is the number of the guideline. Procedures are listed separately and numbered consecutively by issue date.

For example, document 060.020.040 is a guideline. It provides guidance in the sixth standard category, Performance of Audit Work. The guidance applies to the second standard in that category, Evidence. It is the fourth guideline listed under Evidence. Procedures are numbered consecutively as they are issued, beginning with 1.

Use

It is suggested that during the annual audit program, as well as during individual reviews throughout the year, the IS auditor should review the standards to ensure compliance with them. The IS auditor can refer to the ISACA standards in the report, stating that the review was conducted in compliance with the laws of the country, applicable audit regulations, and ISACA standards. Table 1.2 is the ISACA framework for the IS auditor. This framework is broken down into multiple levels of guidance.

Table 1.2. ISACA Auditing Standards

010

Audit Charter

 

010.010

Responsibility, Authority, and Accountability

The responsibility, authority, and accountability of the information systems audit function are to be appropriately documented in an audit charter or engagement letter.

020

Independence

 

020.010

Professional Independence

In all matters related to auditing, the information systems auditor is to be independent of the auditee in attitude and appearance.

020.020

Organizational Relationship

The information systems audit function is to be sufficiently independent of the area being audited, to permit objective completion of the audit.

030

Professional Ethics and Standards

 

030.010

Code of Professional Ethics

The information systems auditor is to adhere to the Code of Professional Ethics of the Information Systems Audit and Control Association.

030.020

Due Professional Care

Due professional care and observance of applicable professional auditing standards are to be exercised in all aspects of the information systems auditor's work.

040

Competence

 

040.010

Skills and Knowledge

The information systems auditor is to be technically competent, with the skills and knowledge necessary to perform the auditor's work.

040.020

Continuing Professional Education

The information systems auditor is to maintain technical competence through appropriate continuing professional education.

050

Planning

 

050.010

Audit Planning

The information systems auditor is to plan the information systems audit work to address the audit objectives and to comply with applicable professional auditing standards.

060

Performance of Audit Work

 

060.010

Supervision

Information systems audit staff are to be appropriately supervised to provide assurance that audit objectives are accomplished and applicable professional auditing standards are met.

060.020

Evidence

During the course of the audit, the information systems auditor is to obtain sufficient, reliable, relevant, and useful evidence to achieve the audit objectives effectively. The audit findings and conclusions are to be supported by appropriate analysis and interpretation of this evidence.

070

Reporting

 

070.010

Report Content and Form

The information systems auditor is to provide a report, in an appropriate form, to intended recipients upon the completion of audit work. The audit report is to state the scope, objectives, period of coverage, and nature and extent of the audit work performed. The report is to identify the organization, the intended recipients, and any restrictions on circulation. The report is to state the findings, conclusions, and recommendations, and any reservations or qualifications that the auditor has with respect to the audit.

080

Follow-Up Activities

 

080.010

Follow-Up

The information systems auditor is to request and evaluate appropriate information on previous relevant findings, conclusions, and recommendations to determine whether appropriate actions have been implemented in a timely manner.

The primary purpose of an audit charter is to describe the authority and responsibilities of the audit department.

The ISACA Code of Professional Ethics

As an auditor, you will have access to a variety of information, including intellectual property, internal controls, legal contracts, internal procedures, and both business and IT strategies. ISACA has set forth a Code of Professional Ethics to guide the professional and personal conduct of members of the association and its certification holders.

Members and ISACA certification holders shall...

  • Support the implementation of and encourage compliance with appropriate standards, procedures, and controls for information systems.

  • Perform their duties with objectivity, due diligence, and professional care, in accordance with professional standards and best practices.

  • Serve in the interest of stakeholders in a lawful and honest manner, while maintaining high standards of conduct and character, and not engage in acts discreditable to the profession.

  • Maintain the privacy and confidentiality of information obtained in the course of their duties unless disclosure is required by legal authority. Such information shall not be used for personal benefit or released to inappropriate parties.

  • Maintain competency in their respective fields and agree to undertake only those activities that they can reasonably expect to complete with professional competence.

  • Inform appropriate parties of the results of work performed, revealing all significant facts known to them.

  • Support the professional education of stakeholders in enhancing their understanding of information systems security and control.

Failure to comply with this Code of Professional Ethics can result in an investigation into a member's or certification holder's conduct and, ultimately, in disciplinary measures.

As an auditor, it is important that you pay particular attention to maintaining the privacy and confidentiality of information obtained in the course of your duties and informing the appropriate parties of the results of work performed, revealing all significant facts known to you.

Although management is ultimately responsible for preventing and detecting irregular or illegal acts, you must plan the IT audit engagement based on the assessed level of risk that these acts might occur and design audit procedures that can identify these acts. The auditor then should create a report of the findings of the audit revealing all significant facts known to him or her.

As previously stated, auditors are not qualified to determine whether an irregular, illegal, or erroneous act has occurred. If during the course of the audit the auditor suspects that these acts have occurred, the auditor must report this to one or more of the following parties:

  • The IS auditors' immediate supervisor and possibly the corporate governance bodies, such as the board of directors or audit committee

  • Appropriate personnel within the organization, such as a manager who is at least one level above those who are suspected to have engaged in such acts

  • Corporate governance bodies, if top management is suspected

  • Legal counsel of other appropriate external experts

For more information on ISACA's auditing standards, guidelines, and code of professional ethics, visit www.isaca.org.

As we know, privacy is an issue at the forefront in today's society. A majority of organizations have developed privacy polices that outline how they collect, store, protect, and use private information, along with controls designed to protect private information. As an auditor, you will assess the strength and effectiveness of controls designed to protect personally identifiable information in organizations. This will help ensure that management develops, implements, and operates sound internal controls aimed at protecting the private information that it collects and stores during the normal course of business.

So far, we have provided you with auditors' responsibilities, the ISACA code of ethics, and definitions for guidelines, standards, and procedures for IS auditing. At this point, you might be asking yourself, "What am I getting myself into?" and "What is IS auditing really?"

Whether you are a financial auditor, are a network or security systems engineer, or are new to IS auditing, rest assured that we will guide you through the auditing process and assist you in understanding how the IS audit process and its components fit together. We start at the top by providing you with IS audit planning and management techniques.

As you read through the remainder of this chapter and the following chapters, keep in mind that we start from the auditor's perspective in planning the IS audit and add the components as we go along. Be sure to use all the resources available to you to completely understand the topic before moving forward. You have the CBT and the questions at the end of each chapter to keep you focused and on track. To help solidify the process and components in your mind as you read, apply the things you are learning to your own organization; try to envision the planning, documentation, and people you would communicate with (at both the management and operational levels); imagine what type of information you could expect to receive/review; and consider how you would communicate your results at all levels in the organization.

Keep in mind that the work you perform can directly assist in the successful assessment and mitigation of risk and overall security of the organization you are auditing. If performed successfully, it will be a factor in ensuring the success of the organization, management, employees, and continued service to customers. Good luck and have fun!

Категории