Module-1 (the Process of Auditing Information Systems-T)

Transcript of Module-1 (the Process of Auditing Information Systems-T)

8/12/2019 Module-1 (the Process of Auditing Information Systems-T)

Mohammad Tohidur Rahman Bhuiyan, CGEIT, CISA, A+, MCSD, ISMS, CSCF

The Process of Auditing Information Systems

Out of the five CISA domains, this domain covers 14% of the exam.

Introduction


Course Agenda

Learning objectives
Discuss task and knowledge statements
Discuss specific topics within the chapter
Case studies (individual practice following the CRM)
Sample questions (individual practice following the CRM)

Exam Relevance

Ensure that the CISA candidate can provide audit services in accordance with IT audit standards to assist the organization in protecting and controlling information systems.

The content area in this chapter will represent approximately 14% of the CISA examination (approximately 28 questions).

(CRM pages: XX, up to 2010 / from 2011)


Task & Knowledge Statements

Task and knowledge statements represent the basis from which exam items are written.

Tasks: the learning objectives that IS auditors/CISA candidates are expected to know in order to perform their job duties.

Knowledge statements: in order to perform all of the tasks, the IS auditor/CISA candidate should have a firm grasp of all the knowledge statements contained within CISA Review Manual Chapter 1.

Tasks/Objectives


Process Area Tasks

Five tasks:

1.1 Develop and implement a risk-based IT audit strategy in compliance with IT audit standards to ensure that key areas are included.
1.2 Plan specific audits to determine whether information systems are protected, controlled and provide value to the organization.
1.3 Conduct audits in accordance with IS audit standards, guidelines and best practices to meet planned audit objectives.
1.4 Communicate emerging issues, potential risks and audit results to key stakeholders.
1.5 Advise on the implementation of risk management and control practices within the organization, while maintaining independence.

Knowledge Statements


Process Area Knowledge Statements

Ten knowledge statements:

1.1 Knowledge of ISACA IT Audit and Assurance Standards, Guidelines and Tools and Techniques, Code of Professional Ethics and other applicable standards
1.2 Knowledge of risk assessment concepts, tools and techniques in an audit context
1.3 Knowledge of control objectives and controls related to information systems
1.4 Knowledge of audit planning and audit project management techniques, including follow-up
1.5 Knowledge of fundamental business processes (e.g., purchasing, payroll, accounts payable, accounts receivable), including relevant IT
1.6 Knowledge of applicable laws and regulations which affect the scope, evidence collection and preservation, and frequency of audits
1.7 Knowledge of evidence collection techniques (e.g., observation, inquiry, inspection, interview, data analysis) used to gather, protect and preserve audit evidence
1.8 Knowledge of different sampling methodologies
1.9 Knowledge of reporting and communication techniques (e.g., facilitation, negotiation, conflict resolution, audit report structure)
1.10 Knowledge of audit quality assurance systems and frameworks


Organization of the IS Audit Function

Audit charter (or engagement letter):
States management's responsibility and objectives for, and delegation of authority to, the IS audit function
Outlines the overall authority, scope and responsibilities of the audit function
Approval of the audit charter
Changes to the audit charter

Audit Planning

Audit planning: short-term planning and long-term planning

Things to consider:
New control issues
Changing technologies
Changing business processes
Enhanced evaluation techniques

Individual audit planning requires an understanding of the overall environment:
Business practices and functions
Information systems and technology


Audit Planning

Audit planning steps:

1. Gain an understanding of the business's mission, objectives, purpose and processes.
2. Identify stated contents (policies, standards, guidelines, procedures and organization structure).
3. Evaluate the risk assessment and privacy impact analysis.
4. Perform a risk analysis.
5. Conduct an internal control review.
6. Set the audit scope and audit objectives.
7. Develop the audit approach or audit strategy.
8. Assign personnel resources to the audit and address engagement logistics.

Effect of Laws and Regulations (continued)

Regulatory requirements:
Establishment
Organization responsibilities
Correlation to financial, operational and IT audit functions


Effect of Laws and Regulations

Steps to determine compliance with external requirements:
Identify external requirements
Document pertinent laws and regulations
Assess whether management and the IS function have considered the relevant external requirements
Review internal IS department documents that address adherence to applicable laws
Determine adherence to established procedures

ISACA IS Auditing Standards and Guidelines

Framework for the ISACA IS Auditing Standards as of 1 March 2010:
Standards (16)
Guidelines (41; G19 is cancelled)
Procedures (11)


Definitions: Standards, Guidelines and Procedures

Standards define mandatory requirements for IT audit and assurance.

Guidelines provide guidance in applying the IT Audit and Assurance Standards. Their objective is to provide further information on how to comply with the standards.

Procedures (Tools and Techniques) provide examples of procedures an IT audit and assurance professional might follow. Their objective is likewise to provide further information on how to comply with the IT Audit and Assurance Standards.

ISACA IS Auditing Standards and Guidelines

IS Auditing Standards (16):
1. Audit Charter
2. Independence
3. Professional Ethics and Standards
4. Competence
5. Planning
6. Performance of Audit Work
7. Reporting
8. Follow-up Activities
9. Irregularities and Illegal Acts
10. IT Governance
11. Use of Risk Assessment in Audit Planning
12. Audit Materiality
13. Using the Work of Other Experts
14. Audit Evidence
15. IT Controls
16. E-commerce


ISACA IS Auditing Standards and Guidelines (continued)

IS Auditing Guidelines (41: 42 issued, G19 cancelled):
G1 Using the Work of Other Auditors
G2 Audit Evidence Requirement
G3 Use of Computer-Assisted Audit Techniques (CAATs)
G4 Outsourcing of IS Activities to Other Organizations
G5 Audit Charter
G6 Materiality Concepts for Auditing Information Systems
G7 Due Professional Care
G8 Audit Documentation
G9 Audit Considerations for Irregularities and Illegal Acts
G10 Audit Sampling
G11 Effect of Pervasive IS Controls
G12 Organizational Relationship and Independence
G13 Use of Risk Assessment in Audit Planning
G14 Application Systems Review
G15 Audit Planning (revised)
G16 Effect of Third Parties on an Organization's IT Controls
G17 Effect of Non-audit Role on the IT Audit and Assurance Professional's Independence
G18 IT Governance
G19 Irregularities and Illegal Acts (issued 1 July 2002, withdrawn 1 September 2008)
G20 Reporting
G21 Enterprise Resource Planning (ERP) Systems Review
G22 Business-to-Consumer (B2C) E-commerce Review
G23 System Development Life Cycle (SDLC) Reviews
G24 Internet Banking
G25 Review of Virtual Private Networks
G26 Business Process Reengineering (BPR) Project Reviews
G27 Mobile Computing
G28 Computer Forensics
G29 Post-implementation Review
G30 Competence
G31 Privacy
G32 Business Continuity Plan (BCP) Review from an IT Perspective
G33 General Considerations on the Use of the Internet
G34 Responsibility, Authority and Accountability
G35 Follow-up Activities
G36 Biometric Controls
G37 Configuration Management Process
G38 Access Controls
G39 IT Organization
G40 Review of Security Management Practices
G41 Return on Security Investment (ROSI)
G42 Continuous Assurance


IT Risk Assessment Quadrants

[Figure: a 2x2 matrix with the sensitivity rating on one axis (0% to 100%) and the vulnerability assessment rating on the other (0% to 100%); the example risk-level assignment places the quadrant boundaries at 50% on each axis.]

Quadrant I (high risk): suggested action: mitigate
Quadrant II (medium risk): suggested actions: accept, mitigate or transfer
Quadrant III (medium risk): suggested actions: accept, mitigate or transfer
Quadrant IV (low risk): suggested action: accept

ISACA IS Auditing Standards and Guidelines

ISACA Auditing Procedures:
Procedures developed by the ISACA Standards Board provide examples.
The IS auditor should apply their own professional judgment to the specific circumstances.
(Index of Procedures)


Internal Control

Internal controls: policies, procedures, practices and organizational structures implemented to reduce risks.

Components of an internal control system:
Internal accounting controls
Operational controls
Administrative controls


Internal Control (continued)

Internal control objectives:
Safeguarding of information technology assets
Compliance with corporate policies or legal requirements
Authorization/input
Accuracy and completeness of processing of transactions
Output
Reliability of process
Backup/recovery
Efficiency and economy of operations

Classification of internal controls:
Preventive controls
Detective controls
Corrective controls


Internal Control (continued)

IS control objectives: control objectives in an information systems environment remain unchanged from those of a manual environment. However, the control features may be different. The internal control objectives therefore need to be addressed in a manner specific to IS-related processes.

IS control objectives (continued):
Safeguarding assets
Assuring the integrity of general operating system environments
Assuring the integrity of sensitive and critical application system environments through:
  Authorization of the input
  Accuracy and completeness of processing of transactions
  Reliability of overall information processing activities
  Accuracy, completeness and security of the output
  Database integrity


Internal Control (continued)

IS control objectives (continued):
Ensuring the efficiency and effectiveness of operations
Complying with requirements, policies and procedures, and applicable laws
Developing business continuity and disaster recovery plans
Developing an incident response plan

COBIT:
A framework with 34 high-level control objectives in four domains:
  Planning and organization
  Acquisition and implementation
  Delivery and support
  Monitoring and evaluation
Makes use of 36 major IT-related standards and regulations


Internal Control (continued)

General control procedures apply to all areas of an organization and include policies and practices established by management to provide reasonable assurance that specific objectives will be achieved.

General control procedures (continued):
Internal accounting controls directed at accounting operations
Operational controls concerned with day-to-day operations
Administrative controls concerned with operational efficiency and adherence to management policies
Organizational logical security policies and procedures
Overall policies for the design and use of documents and records
Procedures and features to ensure authorized access to assets
Physical security policies for all data centers


Internal Control (continued)

IS control procedures:
Strategy and direction
General organization and management
Access to data and programs
Systems development methodologies and change control
Data processing operations
Systems programming and technical support functions
Data processing quality assurance procedures
Physical access controls
Business continuity/disaster recovery planning
Networks and communications
Database administration


Definition of Auditing

A systematic process by which a competent, independent person objectively obtains and evaluates evidence regarding assertions about an economic entity or event for the purpose of forming an opinion about, and reporting on, the degree to which the assertion conforms to an identified set of standards.

Definition of IS Auditing

Any audit that encompasses review and evaluation (wholly or partly) of automated information processing systems, related non-automated processes and the interfaces between them.


Classification of audits:
Financial audits
Operational audits
Integrated audits
Administrative audits
Information systems audits
Specialized audits
Forensic audits

Audit Programs

Based on the scope and the objective of the particular assignment. IS auditors' perspectives:
Security (confidentiality, integrity and availability)
Quality (effectiveness, efficiency)
Fiduciary (compliance, reliability)
Service and capacity


General audit procedures:
Understanding of the audit area/subject
Risk assessment and general audit plan
Detailed audit planning
Preliminary review of the audit area/subject
Evaluating the audit area/subject
Compliance testing
Substantive testing
Reporting (communicating results)
Follow-up

Procedures for testing and evaluating IS controls:
Use of generalized audit software to survey the contents of data files
Use of specialized software to assess the contents of operating system parameter files
Flowcharting techniques for documenting automated applications and business processes
Use of audit reports available in operating systems
Documentation review
Observation


Audit Methodology

A set of documented audit procedures designed to achieve planned audit objectives, composed of:
Statement of scope
Statement of audit objectives
Statement of work programs
Set up and approved by audit management
Communicated to all audit staff

Typical audit phases:
1. Audit subject: identify the area to be audited
2. Audit objective: identify the purpose of the audit
3. Audit scope: identify the specific systems, function or unit of the organization


Typical audit phases (continued):
4. Pre-audit planning:
  Identify technical skills and resources needed
  Identify the sources of information for test or review
  Identify locations or facilities to be audited
5. Audit procedures and steps for data gathering:
  Identify and select the audit approach
  Identify a list of individuals to interview
  Identify and obtain departmental policies, standards and guidelines
  Develop audit tools and methodology


Typical audit phases (continued):
6. Procedures for evaluating the test/review results
7. Procedures for communication
8. Audit report preparation:
  Identify follow-up review procedures
  Identify procedures to evaluate/test operational efficiency and effectiveness
  Identify procedures to test controls
  Review and evaluate the soundness of documents, policies and procedures

Typical Audit Phases Summary

Identify:
  the area to be audited
  the purpose of the audit
  the specific systems, function or unit of the organization to be included in the review
  the technical skills and resources needed
  the sources of information for tests or review, such as functional flowcharts, policies, standards, procedures and prior audit work papers
  the locations or facilities to be audited
Select the audit approach to verify and test the controls
Identify the list of individuals to interview
Identify and obtain departmental policies, standards and guidelines for review
Develop:
  audit tools and methodology to test and verify controls
  procedures for evaluating the test or review results
  procedures for communication with management
Identify:
  follow-up review procedures
  procedures to evaluate/test operational efficiency and effectiveness
  procedures to test controls
Review and evaluate the soundness of documents, policies and procedures


Work Papers (WPs)

What is documented in WPs?
Audit plans
Audit programs
Audit activities
Audit tests
Audit findings and incidents

Work papers:
Do not have to be on paper
Must be:
  Dated
  Initialed
  Page-numbered
  Relevant
  Complete
  Clear
  Self-contained and properly labeled
  Filed and kept in custody


Fraud Detection

Management's responsibility
Benefits of a well-designed internal control system:
  Deterring fraud in the first instance
  Detecting fraud in a timely manner
Fraud detection and disclosure
The auditor's role in fraud prevention and detection

Audit Risk

Audit risk is the risk that the information/financial report may contain a material error that goes undetected during the audit.

A risk-based audit approach is used to assess risk and assist with an IS auditor's decision to perform either compliance or substantive testing.


Audit risks:
Inherent risk
Control risk
Detection risk
Overall audit risk

Risk-based Approach Overview

Gather information and plan
Obtain understanding of internal control
Perform compliance tests
Perform substantive tests
Conclude the audit


Materiality

An auditing concept regarding the importance of an item of information with regard to its impact or effect on the functioning of the entity being audited.

Risk Assessment Techniques

Enable management to effectively allocate limited audit resources
Ensure that relevant information has been obtained
Establish a basis for effectively managing the audit department
Provide a summary of how the individual audit subject is related to the overall organization and to business plans


Audit Objectives

The specific goals of the audit:
Compliance with legal and regulatory requirements
Confidentiality
Integrity
Reliability
Availability

Compliance vs. Substantive Testing

Compliance test: determines whether controls are in compliance with management policies and procedures
Substantive test: tests the integrity of actual processing
Correlation between the level of internal controls and the substantive testing required: the stronger the controls confirmed by compliance testing, the less substantive testing is needed
Relationship between compliance and substantive tests


Evidence

It is a requirement that the auditor's conclusions be based on sufficient, competent evidence. Factors in judging the reliability of evidence:
Independence of the provider of the evidence
Qualification of the individual providing the information or evidence
Objectivity of the evidence
Timing of the evidence

Techniques for gathering evidence:
Review IS organization structures
Review IS policies and procedures
Review IS standards
Review IS documentation
Interview appropriate personnel
Observe processes and employee performance


Interviewing and Observing Personnel

Actual functions
Actual processes/procedures
Security awareness
Reporting relationships

Sampling

General approaches to audit sampling:
Statistical sampling
Non-statistical sampling

Methods of sampling used by auditors:
Attribute sampling
Variable sampling


Sampling (continued)

Attribute sampling:
Stop-or-go sampling
Discovery sampling

Variable sampling:
Stratified mean per unit
Unstratified mean per unit
Difference estimation

Statistical sampling terms:
Confidence coefficient
Level of risk
Precision
Expected error rate
Sample mean
Sample standard deviation
Tolerable error rate
Population standard deviation


Key steps in choosing a sample:
Determine the objectives of the test
Define the population to be sampled
Determine the sampling method, such as attribute versus variable sampling
Calculate the sample size
Select the sample
Evaluate the sample from an audit perspective
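The following is an added worked example, not part of the original slides, showing how the attribute sampling terms and the key steps above fit together in code. It derives a sample size from the confidence coefficient, expected error rate and tolerable error rate (the binomial construction behind the standard attribute sampling tables), reuses that for discovery sampling (expected rate zero), evaluates a sample by its upper deviation limit and precision, and runs a stop-or-go sequence over a constructed list of change tickets. The ticket data, the stage size of 50 and the 95% / 1% / 5% parameters are assumptions chosen for illustration.

```python
"""Attribute sampling for an IS audit compliance test (added example)."""
import math
from typing import Dict, List


def binom_cdf(k: int, n: int, p: float) -> float:
    """P(X <= k) for X ~ Binomial(n, p); n stays small enough for exact math.comb."""
    return sum(math.comb(n, i) * p ** i * (1 - p) ** (n - i) for i in range(k + 1))


def attribute_sample_size(confidence: float, expected_rate: float,
                          tolerable_rate: float, max_n: int = 10_000) -> int:
    """Smallest n such that, if the true deviation rate equalled the tolerable rate,
    observing no more than the expected number of deviations (n * expected_rate,
    rounded up) would have probability <= the level of risk (1 - confidence)."""
    if not 0 <= expected_rate < tolerable_rate < 1:
        raise ValueError("need 0 <= expected_rate < tolerable_rate < 1")
    risk = 1 - confidence
    for n in range(1, max_n + 1):
        k = math.ceil(round(n * expected_rate, 9))
        if binom_cdf(k, n, tolerable_rate) <= risk:
            return n
    raise ValueError("no sample size found below max_n")


def discovery_sample_size(confidence: float, tolerable_rate: float) -> int:
    """Discovery sampling is attribute sampling with an expected rate of zero:
    n items with no deviation found supports, at the given confidence, the
    conclusion that the true rate is below the tolerable rate."""
    return attribute_sample_size(confidence, 0.0, tolerable_rate)


def upper_deviation_limit(n: int, deviations: int, confidence: float) -> float:
    """One-sided upper bound on the population deviation rate: the rate at which
    observing <= deviations in n items has probability equal to the level of risk."""
    if deviations >= n:
        return 1.0
    risk = 1 - confidence
    lo, hi = deviations / n, 1.0          # cdf(lo) > risk, cdf(hi) = 0 <= risk
    for _ in range(100):                   # bisection; the cdf is decreasing in p
        mid = (lo + hi) / 2
        if binom_cdf(deviations, n, mid) > risk:
            lo = mid
        else:
            hi = mid
    return hi


def evaluate_sample(n: int, deviations: int, confidence: float,
                    tolerable_rate: float) -> Dict:
    """Express the result in the slide's terms: sample rate, upper limit, precision."""
    upper = upper_deviation_limit(n, deviations, confidence)
    rate = deviations / n
    return {"examined": n, "deviations": deviations, "sample_rate": rate,
            "upper_limit": upper, "precision": upper - rate,
            "level_of_risk": 1 - confidence, "rely_on_control": upper <= tolerable_rate}


def stop_or_go(items: List[bool], stage_size: int, confidence: float,
               tolerable_rate: float) -> Dict:
    """Stop-or-go sampling: examine the population in stages (True = deviation)
    and stop as soon as the upper deviation limit is within the tolerable rate."""
    for end in range(stage_size, len(items) + 1, stage_size):
        result = evaluate_sample(end, sum(items[:end]), confidence, tolerable_rate)
        if result["rely_on_control"]:
            return {**result, "decision": "stop"}
    # Sample exhausted: either the whole population passed or the auditor should
    # not rely on the control and must extend the sample or test substantively.
    result = evaluate_sample(len(items), sum(items), confidence, tolerable_rate)
    return {**result, "decision": "stop" if result["rely_on_control"] else "do not rely"}


# Constructed data (not from the slides): 150 change tickets, True where the
# ticket lacked a recorded approval, i.e. a deviation from the change control.
SAMPLE_CHANGES = [False] * 150
SAMPLE_CHANGES[70] = True
SAMPLE_CHANGES[120] = True

if __name__ == "__main__":
    print("attribute n (95%, 1% expected, 5% tolerable):",
          attribute_sample_size(0.95, 0.01, 0.05))                       # 93
    print("discovery n (95%, 5% tolerable):", discovery_sample_size(0.95, 0.05))  # 59
    print(stop_or_go(SAMPLE_CHANGES, 50, 0.95, 0.05))
```

With the constructed tickets the first stage of 50 items shows no deviation but its upper limit (about 5.8%) still exceeds the 5% tolerable rate, so the second stage is examined; after 100 items with one deviation the upper limit drops to about 4.7% and the auditor can stop and rely on the control.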

Computer-Assisted Audit Techniques

CAATs enable IS auditors to gather information independently.

CAATs include:
Generalized audit software (GAS)
Utility software
Test data
Application software for continuous online audits
Audit expert systems


Computer-Assisted Audit Techniques (continued)

Need for CAATs:
Evidence collection
Functional capabilities
Functions supported
Areas of concern

Examples of CAATs used to collect evidence
CAATs as a continuous online approach

Advantages of CAATs
Cost/benefits of CAATs

Development of CAATs:
Documentation retention
Access to production data
Data manipulation
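As an added example (not from the original slides), the following script does what the slides describe for generalized audit software: it surveys the contents of a data file and flags records for follow-up. The payments extract, the user names and the approval threshold of 10,000 are constructed for illustration; the four tests (duplicate vendor invoice, payment created and approved by the same user, posting outside business hours, and amounts just under the approval threshold) are typical fraud-detection and segregation-of-duties analytics an IS auditor would run with a CAAT against a copy of production data.

```python
"""CAAT-style tests over an accounts payable extract (added example)."""
import csv
import io
from collections import defaultdict
from datetime import datetime
from decimal import Decimal
from typing import Dict, List

# Constructed extract from a hypothetical accounts payable system; not real data.
SAMPLE_PAYMENTS_CSV = """id,vendor,invoice,amount,created_by,approved_by,posted_at
P1001,ACME Ltd,INV-1001,4500.00,alice,bob,2019-08-12T10:15:00
P1002,ACME Ltd,INV-1002,9950.00,alice,bob,2019-08-12T11:40:00
P1003,ACME Ltd,INV-1001,4500.00,alice,carol,2019-08-13T09:05:00
P1004,Globex,INV-77,12000.00,dave,dave,2019-08-13T23:30:00
P1005,Initech,INV-5,9990.00,alice,bob,2019-08-14T14:00:00
P1006,Initech,INV-6,300.00,erin,bob,2019-08-14T15:00:00
"""


def load_payments(text: str) -> List[Dict]:
    """Parse the extract, using Decimal for money and datetime for posting time."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["amount"] = Decimal(row["amount"])
        row["posted_at"] = datetime.fromisoformat(row["posted_at"])
        rows.append(row)
    return rows


def run_caat_tests(payments: List[Dict],
                   approval_threshold: Decimal = Decimal("10000"),
                   business_hours=(7, 19)) -> Dict[str, List[str]]:
    """Return payment ids per test; each list is an audit lead, not a conclusion."""
    findings: Dict[str, List[str]] = {"duplicate_invoice": [], "self_approved": [],
                                      "after_hours": [], "just_under_threshold": []}
    by_invoice = defaultdict(list)
    for p in payments:
        # Normalise vendor and invoice so trivial case/whitespace changes do not hide a duplicate.
        by_invoice[(p["vendor"].strip().lower(), p["invoice"].strip().upper())].append(p["id"])
        # Segregation of duties: the creator of a payment must not be its approver.
        if p["created_by"] == p["approved_by"]:
            findings["self_approved"].append(p["id"])
        # Postings outside business hours merit a look at who had access and why.
        if not business_hours[0] <= p["posted_at"].hour < business_hours[1]:
            findings["after_hours"].append(p["id"])
        # Amounts within 5% below the threshold may be split to dodge a higher approval.
        if approval_threshold * Decimal("0.95") <= p["amount"] < approval_threshold:
            findings["just_under_threshold"].append(p["id"])
    for ids in by_invoice.values():
        if len(ids) > 1:
            findings["duplicate_invoice"].extend(ids)
    return findings


if __name__ == "__main__":
    for test, ids in run_caat_tests(load_payments(SAMPLE_PAYMENTS_CSV)).items():
        print(f"{test}: {', '.join(ids) or 'none'}")
```

The script is deliberately read-only over an extract: the "access to production data" and "data manipulation" concerns on the slide are addressed by working on a copy, keeping the extraction script and its output as work papers, and never writing back to the source system.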


Evaluation of Strengths and Weaknesses

Assess evidence
Evaluate the overall control structure
Evaluate control procedures
Assess control strengths and weaknesses

Judging Materiality of Findings

Materiality is a key issue. Assessment requires judgment of the potential effect of the finding if corrective action is not taken.


Communicating Audit Results

Exit interview:
  Correct facts
  Realistic recommendations
  Implementation dates for agreed recommendations
Presentation techniques:
  Executive summary
  Visual presentation

Audit report structure and contents:
An introduction to the report
The IS auditor's overall conclusion and opinion
The IS auditor's reservations with respect to the audit
Detailed audit findings and recommendations
A variety of findings
Limitations to the audit
Statement on the IS audit guidelines followed


Management Actions to Implement Recommendations

Auditing is an ongoing process
Timing of follow-up

Audit Documentation

Contents of audit documentation
Custody of audit documentation
Support of findings and conclusions


Constraints on the Conduct of the Audit

Availability of audit staff
Auditee constraints

Project Management Techniques

Develop a detailed plan
Report project activity against the plan
Adjust the plan
Take corrective action

Control Self-Assessment (CSA)

A management technique
A methodology
In practice, a series of tools


Control Self-Assessment

IS auditor's role in CSAs
Technology drivers for a CSA program
Traditional vs. CSA approach

    Emerging Changes in IS Audit Process

    New Topics:

    Automated Work Papers

    Integrated Auditing

    Continuous Auditing

    Automated Work Papers

    Automated Work Papers (Contd.)

    Risk analysis

    Audit programs

    Results

    Test evidence

    Conclusions

    Reports and other complementary information

    Automated Work Papers

    Controls over automated work papers:

    Access to work papers

    Audit trails

    Approvals of audit phases

    Security and integrity controls

    Backup and restoration

    Encryption for confidentiality
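    The controls listed above can be seen working together in a small model. The following is an added example, not code from the slides or from any audit tool: a minimal automated work-paper store that enforces four of the controls (access to work papers, an append-only audit trail, approval of audit phases, and integrity checking with an HMAC). The roles, user names, paper ids and the integrity key are constructed for illustration; backup/restoration and encryption at rest are left out of this model.

```python
"""Added example (not from the slides): a minimal automated work-paper store
enforcing access control, a hash-chained audit trail, phase approval and
integrity checks. All names, roles and the key are constructed."""
import hashlib
import hmac
import json
from datetime import datetime, timezone

INTEGRITY_KEY = b"constructed-example-key"  # a real tool would use a key store
GENESIS = "0" * 64

# Constructed role model: which rights each role holds over work papers.
PERMISSIONS = {
    "auditor": {"read", "write"},
    "reviewer": {"read", "approve"},
    "auditee": set(),  # auditees never access draft work papers
}


class WorkPaperStore:
    def __init__(self):
        self.papers = {}     # paper id -> {"phase", "content", "mac"}
        self.approvals = {}  # phase -> reviewer who signed it off
        self.trail = []      # append-only, hash-chained audit trail
        self._prev = GENESIS

    def _log(self, user, action, target, outcome):
        """Append an entry whose hash also covers the previous entry's hash."""
        entry = {"ts": datetime.now(timezone.utc).isoformat(), "user": user,
                 "action": action, "target": target, "outcome": outcome,
                 "prev": self._prev}
        entry["hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self.trail.append(entry)
        self._prev = entry["hash"]

    def _require(self, user, role, right, target):
        if right not in PERMISSIONS.get(role, set()):
            self._log(user, right, target, "denied")
            raise PermissionError(f"{user} ({role}) may not {right} {target}")

    def _mac(self, phase, content):
        return hmac.new(INTEGRITY_KEY, f"{phase}\n{content}".encode(), hashlib.sha256).hexdigest()

    def _intact(self, paper):
        return hmac.compare_digest(paper["mac"], self._mac(paper["phase"], paper["content"]))

    def write(self, user, role, paper_id, phase, content):
        self._require(user, role, "write", paper_id)
        if phase in self.approvals:  # signed-off phases are locked
            self._log(user, "write", paper_id, "denied: phase approved")
            raise PermissionError(f"phase {phase} is signed off and locked")
        self.papers[paper_id] = {"phase": phase, "content": content, "mac": self._mac(phase, content)}
        self._log(user, "write", paper_id, "ok")

    def read(self, user, role, paper_id):
        self._require(user, role, "read", paper_id)
        paper = self.papers[paper_id]
        if not self._intact(paper):
            self._log(user, "read", paper_id, "integrity failure")
            raise ValueError(f"{paper_id} was altered outside the tool")
        self._log(user, "read", paper_id, "ok")
        return paper["content"]

    def approve_phase(self, user, role, phase):
        self._require(user, role, "approve", phase)
        for pid, paper in self.papers.items():  # every paper must verify first
            if paper["phase"] == phase and not self._intact(paper):
                self._log(user, "approve", phase, "denied: integrity failure")
                raise ValueError(f"{pid} fails integrity check")
        self.approvals[phase] = user
        self._log(user, "approve", phase, "ok")

    def verify_trail(self):
        """Recompute the chain; an edited or removed entry breaks it."""
        prev = GENESIS
        for entry in self.trail:
            body = {k: v for k, v in entry.items() if k != "hash"}
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if body["prev"] != prev or digest != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def demo():
    """Constructed scenario: exercise each control and report what happened."""
    store, out = WorkPaperStore(), {}
    store.write("alice", "auditor", "WP-01", "fieldwork", "Tested 25 change tickets; 2 lacked approval")
    try:
        store.read("carol", "auditee", "WP-01")
        out["auditee_read"] = "allowed"
    except PermissionError:
        out["auditee_read"] = "denied"
    store.approve_phase("bob", "reviewer", "fieldwork")
    try:
        store.write("alice", "auditor", "WP-01", "fieldwork", "edited after sign-off")
        out["post_approval_write"] = "allowed"
    except PermissionError:
        out["post_approval_write"] = "denied"
    store.papers["WP-01"]["content"] = "all approved"  # simulate tampering on disk
    try:
        store.read("bob", "reviewer", "WP-01")
        out["tampered_read"] = "ok"
    except ValueError:
        out["tampered_read"] = "integrity failure"
    out["trail_ok"], out["trail_len"] = store.verify_trail(), len(store.trail)
    store.trail[0]["outcome"] = "denied"  # simulate editing the audit trail
    out["trail_after_tamper"] = store.verify_trail()
    return out
```

    Running `demo()` shows the auditee's read and the post-approval edit both refused and logged, the on-disk tampering caught by the MAC on the next read, and the hash chain failing as soon as one trail entry is edited, which is the reason an audit trail of work-paper activity has to be protected independently of the work papers themselves.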

    Integrated Auditing

    A process whereby appropriate audit disciplines are combined to assess key internal controls over an operation, process or entity

    Focuses on risk to the organization (for an internal auditor)

    Focuses on the risk of providing an incorrect or misleading audit opinion (for an external auditor)

    Integrated Auditing: Typical process

    Identification of relevant key controls

    Review and understanding of the design of key controls

    Testing that key controls are supported by the IT system

    Testing that management controls operate effectively

    A combined report or opinion on control risks, design and weaknesses

    Continuous Auditing

    Continuous Auditing: A methodology that enables independent auditors to provide written assurance on a subject matter using a series of auditor's reports issued simultaneously with, or a short period of time after, the occurrence of events underlying the subject matter

    Distinctive character

    Short time lapse between the facts to be audited and the collection of evidence and audit reporting

    Drivers

    Better monitoring of financial issues

    Allowing real-time transactions to benefit from real-time monitoring

    Preventing financial fiascoes and audit scandals

    Using software to determine proper financial controls

    Continuous Auditing vs. Continuous Monitoring

    Continuous Monitoring

    Management driven

    Based on automated procedures to meet fiduciary responsibilities

    Continuous Auditing

    Audit driven

    Done using automated audit procedures

    Continuous Auditing: Enablers for the Application of Continuous Auditing

    New information technology developments

    Increased processing capabilities

    Standards

    Artificial intelligence tools

    IT Techniques in a Continuous Auditing Environment

    Transaction logging

    Query tools

    Statistics and data analysis (CAAT)

    Database management systems (DBMS)

    Data warehouses, data marts, data mining

    Artificial intelligence (AI)

    Embedded audit modules (EAM)

    Neural network technology

    Standards such as Extensible Business Reporting Language

    Continuous Auditing Prerequisites

    A high degree of automation

    An automated and reliable information-producing process

    Alarm triggers to report control failures

    Implementation of automated audit tools

    Quickly informing IS auditors of anomalies/errors

    Timely issuance of automated audit reports

    Technically proficient IS auditors

    Availability of reliable sources of evidence

    Adherence to materiality guidelines

    Change of IS auditors' mindset

    Evaluation of cost factors
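    The two slides above (IT techniques such as transaction logging and embedded audit modules, and prerequisites such as alarm triggers and materiality guidelines) can be illustrated with a small model. The following is an added example, not code from the slides or from any audit product: an embedded-audit-module style check that evaluates each transaction as it is logged and raises an alarm for each control failure it detects, so that evidence is collected with the short time lapse that distinguishes continuous auditing. The log lines, the materiality threshold, the business-hours window and the rule names are all constructed for illustration.

```python
"""Added example (not from the slides): an embedded audit module that
evaluates each logged transaction on arrival and raises alarm triggers for
control failures. Log lines, thresholds and rules are constructed."""
from collections import defaultdict
from datetime import datetime

MATERIALITY = 10_000            # constructed: approval required above this amount
BUSINESS_HOURS = range(8, 19)   # constructed: 08:00-18:59 is the posting window

# Constructed transaction log lines in the form an ERP might emit them.
LOG = [
    "2024-03-04T09:15:00|T1001|vendor=ACME|inv=A-77|amount=4200|entered_by=dana|approved_by=",
    "2024-03-04T10:02:00|T1002|vendor=ACME|inv=A-78|amount=15000|entered_by=dana|approved_by=erik",
    "2024-03-04T10:40:00|T1003|vendor=GLOBEX|inv=G-12|amount=25000|entered_by=erik|approved_by=erik",
    "2024-03-04T23:55:00|T1004|vendor=INITECH|inv=I-5|amount=900|entered_by=dana|approved_by=",
    "2024-03-05T11:20:00|T1005|vendor=ACME|inv=A-78|amount=15000|entered_by=fay|approved_by=erik",
    "2024-03-05T12:00:00|T1006|vendor=GLOBEX|inv=G-13|amount=12000|entered_by=fay|approved_by=",
]


def parse(line):
    """Turn one pipe-delimited log line into a transaction record."""
    ts, tid, *fields = line.split("|")
    rec = {"ts": datetime.fromisoformat(ts), "id": tid}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    rec["amount"] = float(rec["amount"])
    return rec


class EmbeddedAuditModule:
    """Holds the state needed across transactions (here: invoices seen so far)."""

    def __init__(self):
        self.seen_invoices = defaultdict(list)  # (vendor, invoice no) -> txn ids
        self.alarms = []                        # (txn id, control failure)

    def evaluate(self, rec):
        """Apply the control tests to one transaction and trigger alarms at once."""
        findings = []
        # Materiality guideline: only amounts above the threshold need approval.
        if rec["amount"] > MATERIALITY and not rec["approved_by"]:
            findings.append("material amount without approval")
        # Segregation of duties: the approver must not be the person who entered it.
        if rec["approved_by"] and rec["approved_by"] == rec["entered_by"]:
            findings.append("segregation of duties: entered and approved by same user")
        # Postings outside the business window are reported for review.
        if rec["ts"].hour not in BUSINESS_HOURS:
            findings.append("posted outside business hours")
        # Duplicate payment check against everything logged so far.
        key = (rec["vendor"], rec["inv"])
        if self.seen_invoices[key]:
            findings.append(f"duplicate invoice of {self.seen_invoices[key][0]}")
        self.seen_invoices[key].append(rec["id"])
        for finding in findings:
            self.alarms.append((rec["id"], finding))  # the alarm trigger
        return findings


def run(lines):
    """Feed log lines through the module in arrival order; return all alarms."""
    eam = EmbeddedAuditModule()
    for line in lines:
        eam.evaluate(parse(line))
    return eam.alarms
```

    On the constructed log, `run(LOG)` raises four alarms: T1003 (same user entered and approved), T1004 (posted at 23:55), T1005 (a second posting of ACME invoice A-78, already seen as T1002) and T1006 (a material amount with no approver). The same module, fed by management rather than by the audit function, would be continuous monitoring; what makes it continuous auditing is that the audit function defines the tests and receives the alarms.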

    Continuous Auditing

    Advantages

    Instant capture of internal control problems

    Reduction of intrinsic audit inefficiencies

    Disadvantages

    Difficulty in implementation

    High cost

    Elimination of auditor's personal judgment and evaluation

    Practice Questions

    Practice Questions (contd.)

    11. Which of the following BEST describes the early stages of an IS audit?

    A. Observing key organizational facilities

    B. Assessing the IS environment

    C. Understanding the business process and environment applicable to the review

    D. Reviewing prior IS audit reports

    Answer

    11C: Understanding the business process and environment applicable to the review is most representative of what occurs early on in the course of an audit. The other choices relate to activities actually occurring within this process.

    Practice Questions (contd.)

    12. In performing a risk-based audit, which risk assessment is completed initially by the IS auditor?

    A. Detection risk assessment

    B. Control risk assessment

    C. Inherent risk assessment

    D. Fraud risk assessment

    Answer

    12C: Inherent risks exist independently of an audit and can occur because of the nature of the business. To successfully conduct an audit, it is important to be aware of the related business processes. To perform the audit the IS auditor needs to understand the business process, and by understanding the business process, the IS auditor better understands the inherent risks.

    Practice Questions (contd.)

    13. While developing a risk-based audit program, on which of the following would the IS auditor MOST likely focus?

    A. Business processes

    B. Critical IT applications

    C. Operational controls

    D. Business strategies

    Answer

    13A: A risk-based audit approach focuses on the understanding of the nature of the business and being able to identify and categorize risk. Business risks impact the long-term viability of a specific business. Thus, an IS auditor using a risk-based audit approach must be able to understand business processes.

    Practice Questions (contd.)

    14. Which of the following types of audit risk assumes an absence of compensating controls in the area being reviewed?

    A. Control risk

    B. Detection risk

    C. Inherent risk

    D. Sampling risk

    Answer

    14C: The risk of an error existing that could be material or significant when combined with other errors encountered during the audit, there being no related compensating controls, is the inherent risk. Control risk is the risk that a material error exists that will not be prevented or detected in a timely manner by the system of internal controls. Detection risk is the risk of an IS auditor using an inadequate test procedure that concludes that material errors do not exist, when they do. Sampling risk is the risk that incorrect assumptions are made about the characteristics of a population from which a sample is taken.

    Practice Questions (contd.)

    15. An IS auditor performing a review of an application's controls finds a weakness in system software that could materially impact the application. The IS auditor should:

    A. disregard these control weaknesses since a system software review is beyond the scope of this review.

    B. conduct a detailed system software review and report the control weaknesses.

    C. include in the report a statement that the audit was limited to a review of the application's controls.

    D. review the system software controls as relevant and recommend a detailed system software review.

    Answer

    15D: The IS auditor is not expected to ignore control weaknesses just because they are outside the scope of a current review. Further, the conduct of a detailed systems software review may hamper the audit's schedule and the IS auditor may not be technically competent to do such a review at this time. If there are control weaknesses that have been discovered by the IS auditor, they should be disclosed. By issuing a disclaimer, this responsibility would be waived. Hence, the appropriate option would be to review the systems software as relevant to the review and recommend a detailed systems software review for which additional resources may be recommended.

    Practice Questions (contd.)

    16. The PRIMARY use of generalized audit software (GAS) is to:

    A. test controls embedded in programs.

    B. test unauthorized access to data.

    C. extract data of relevance to the audit.

    D. reduce the need for transaction vouching.

    Answer

    16C: Generalized audit software facilitates direct access to and interrogation of the data by the IS auditor. The most important advantage of using GAS is that it helps in identifying data of interest to the IS auditor. GAS does not involve testing of application software directly. Hence, GAS indirectly helps in testing controls embedded in programs by testing data. GAS cannot identify unauthorized access to data if this information is not stored in the audit log file. However, this information may not always be available. Hence, this is not one of the primary reasons for using GAS. Vouching involves verification of documents. GAS could help in selecting transactions for vouching. Using GAS does not reduce transaction vouching.

    Practice Questions (contd.)

    18. The FIRST step in planning an audit is to:

    A. define audit deliverables.

    B. finalize the audit scope and audit objectives.

    C. gain an understanding of the business' objectives.

    D. develop the audit approach or audit strategy.

    Answer

    18C: The first step in audit planning is to gain an understanding of the business's mission, objectives and purpose, which in turn identifies the relevant policies, standards, guidelines, procedures, and organization structure. All other choices are dependent upon having a thorough understanding of the business's objectives and purpose.

    Practice Questions (contd.)

    19. The approach an IS auditor should use to plan IS audit coverage should be based on:

    A. risk.

    B. materiality.

    C. professional skepticism.

    D. sufficiency of audit evidence.

    Answer

    19A: Standard S5, Planning, establishes standards and provides guidance on planning an audit. It requires a risk-based approach.

    Practice Questions

    110. A company performs a daily backup of critical data and software files, and stores the backup tapes at an offsite location. The backup tapes are used to restore the files in case of a disruption. This is a:

    A. preventive control.

    B. management control.

    C. corrective control.

    D. detective control.

    Answer

    110C: A corrective control helps to correct or minimize the impact of a problem. Backup tapes can be used for restoring the files in case of damage of files, thereby reducing the impact of a disruption. Preventive controls are those that prevent problems before they arise. Backup tapes cannot be used to prevent damage to files and hence cannot be classified as a preventive control. Management controls modify processing systems to minimize a repeat occurrence of the problem. Backup tapes do not modify processing systems and hence do not fit the definition of a management control. Detective controls help to detect and report problems as they occur. Backup tapes do not aid in detecting errors.
