CISA Lecture Domain 11
Transcript of CISA Lecture Domain 11
-
8/19/2019 CISA Lecture Domain 11
1/138
3/30/16
INTRODUCTION
Md. Mushfiqur Rahman, CISA, ITILF, CEH, MCP, MCTS, MCITP, MCSA, MCSE, SCSA, CCNA, OCP 9i/10g/11g
-
Domain 1
The Process of Auditing Information Systems (14%)
-
Ensure that the CISA candidate:
Provide audit services in accordance with IT audit standards to assist the organization in protecting and controlling information systems.
The content area in this chapter will represent approximately 14% of the CISA examination (approximately 28 questions).
-
Exam Relevance
-
Task & Knowledge Statements
Task and knowledge statements represent the
-
Tasks & Objectives
Audit Process Area, Tasks
Task Statements:
1.1 Develop and implement a risk-based IT audit strategy in compliance with IT audit standards to ensure that key areas are included.
1.2 Plan specific audits to determine whether information systems are protected, controlled and provide value to the organization.
1.3 Conduct audits in accordance with IS audit standards, guidelines and
-
Process Area Knowledge Statements: 10 Knowledge Statements
1.6 Knowledge of applicable
-
1.2 Management of IS Audit Function
The audit function should
-
1.2.3 Audit Planning (continued)
Audit planning
Short-term planning
Long-term planning
Things to consider
New control issues
Changing technologies
Changing
-
1.2.4 Effect of Laws and Regulations (continued)
Regulatory requirements
Esta
-
1.2.4 Effect of Laws and Regulations
Steps to determine compliance with external requirements:
Identify external requirements
Document pertinent laws and regulations
Assess whether management and the IS function have considered the relevant external requirements
Review internal IS department documents that address adherence to applicable
-
1.3 ISACA IT Audit and Assurance Standards and Guidelines
As of 16 August 2010
Standards (16)
Guidelines 41 (G19 is cancelled)
Procedures (11) / Audit and Assurance Tools & Techniques
-
Policy, Standards, Guidelines, Procedure
-
Definition: Standards, Guidelines, Procedure
Standards define mandatory requirements for IT audit and assurance.
Guidelines provide guidance in applying IT Audit and Assurance Standards. The o
-
1.3.2 ISACA IT Audit and Assurance Standards Framework
IS Auditing Standards: 16
1. Audit Charter
2. Independence
3. Professional Ethics and Standards
4. Competence
5. Planning
6. Performance of Audit Work
7. Reporting
8. Follow
11. Use of Risk Assessment in Audit Planning
12. Audit Materiality
13. Using the Work of Other Experts
14. Audit Evidence
15. IT Controls
16. E
-
1.3.3 ISACA IT Audit and Assurance Guidelines (continued)
IS Auditing Guidelines: 41 (42 - 1 = 41; G19 is cancelled)
G1 Using the Work of Other Auditors
G2 Audit Evidence Requirement
G3 Use of Computer Assisted Audit Techniques (CAATs)
G4 Outsourcing of IS Activities to Other Organizations
G5 Audit Charter
G6 Materiality Concepts for Auditing Information Systems 1 Septem… Audit Planning Revised
-
1.3.3 ISACA IT Audit and Assurance Guidelines (continued)
G16 Effect of Third Parties on an Organization's IT Controls
G17 Effect of Nonaudit Role on the IT Audit and Assurance Professional's Independence
G18 IT Governance
G19 Irregularities and Illegal Acts - July 2002. Withdrawn - September 2008
G20 Reporting
G21 Enterprise Resource Planning (ERP) Systems Review
G22 Business-to-consumer (B2C) E-commerce Review
G23 System Development Life Cycle (SDLC) Reviews
G24 Internet Banking
G25 Review of Virtual Private Networks
G26 Business Process Reengineering (BPR) Project Reviews
G27 Mo
-
1.3.3 ISACA IT Audit and Assurance Guidelines
G31 Privacy
G32 Business Continuity Plan (BCP) Review From IT Perspective
G33 General Considerations on the Use of the Internet
G34 Responsi
-
1.3.4 ISACA IT Audit and Assurance Tools and Techniques
IT Audit and Assurance Tools and Techniques: 11
P1 IS Risk Assessment
P2 Digital Signatures
P3 Intrusion Detection
P4 Viruses and Other Malicious Code
P5 Control Risk Self-assessment
P6 Firewalls
P7 Irregularities and Illegal Acts
P8 Security Assessment - Penetration Testing and Vulnera
-
IT Risk Assessment Quadrants
Quadrant I (High Risk) - Suggested Action(s): Mitigate
Quadrant II (Medium Risk) - Suggested Action(s): Accept, Mitigate, Transfer
Quadrant III (Medium Risk) - Suggested Action(s): Accept, Mitigate, Transfer
Quadrant IV (Low Risk) - Suggested Action(s): Accept
Axis label: Vulnera…
-
ISACA IS Auditing Standards and Guidelines
ISACA Auditing Procedures
Procedures developed
-
1.5 Internal Control (continued)
Internal Controls: Policies, procedures, practices and organizational structures implemented to reduce risks
-
Internal Control (continued)
Components of Internal Control System
Internal accounting controls
Operational controls
Administrative controls
-
Internal Control (continued)
Internal Control O
-
Internal Control (continued)
Classification of Internal Controls
Preventive controls
Detective controls
Corrective controls
-
Internal Control (continued)
IS Control Objectives: Control o
-
Internal Control (continued)
IS Control O
-
Internal Control (continued)
General Control Procedures (continued)
apply to all areas of an organization and include policies and practices esta
-
Internal Control (continued)
General Control Procedures (continued)
Internal accounting controls: directed at accounting operations
Operational controls: concerned with the day-to-day operations
Administrative controls: concerned with operational efficiency and adherence to management policies
Organizational logical security policies and procedures
Overall policies for the design and use of documents and records
Procedures and features to ensure authorized access to assets
Physical security policies for a data center
-
Internal Control (continued)
IS Control Procedures
Strategy and direction
General organization and management
Access to data and programs
Systems development methodologies and change control
Data processing operations
Systems programming and technical support functions
Data processing quality assurance procedures
Physical access controls
Business continuity/disaster recovery planning
Networks and communications
Data
-
Definition of Auditing
Systematic process
-
Purpose of an Audit
An audit is simply a review of past history. The IS auditor is expected to follow the defined audit process, esta
-
Classification of audits:
Financial audits
Operational audits
Integrated audits
Administrative audits
Information systems audits
Specialized audits
Forensic audits
-
Audit Concept (continued...)
The IS auditor should understand the various types of audits that can
-
Audit Concept
IS audits: This process collects and evaluates evidence to determine whether the information system and related resources adequately safeguard assets, maintain data and system integrity, provide relevant and relia
-
Auditor's Responsi
-
Comparing Audits to Assessments
Audit: An audit generates a report considered to represent a high assurance of truth. Audits are used in asset reporting engagements.
Assessment: An assessment is less formal and frequently more cooperative with the people/o
-
Comparing Audits to Assessments
Auditor: The auditor is the competent person performing the audit.
Auditee: The organization and people
-
Auditor's Independence
Independent means that you are not related professionally, personally, or organizationally to the su
-
Audit Programs
Based on the scope and the o
-
General audit procedures
Understanding of the audit area/su
-
Procedures for testing/evaluating IS controls
Use of generalized audit software to survey the contents of data files
Use of specialized software to assess the contents of operating system parameter files
Flow-charting techniques for documenting automated applications and
-
Typical audit phases
1. Audit su
-
Typical audit phases (Cont'd)
5. Audit procedures and steps for data gathering
Identify and select the audit approach
Identify a list of individuals to interview
Identify and o
-
Typical audit phases (Cont'd)
6. Procedures for evaluating test/review results
7. Procedures for communication
8. Audit report preparation
Identify follow-up review procedures
Identify procedures to evaluate/test operational efficiency and effectiveness
Identify procedures to test controls
Review and evaluate the soundness of documents, policies and procedures.
-
Typical Audit Phases Summary
Identify the area to be audited, the purpose of the audit, the specific systems, function or unit of the organization to be included in the review, the technical skills and resources needed, the sources of information for tests or review (such as functional flowcharts, policies, standards, procedures and prior audit work papers), and the locations or facilities to be audited.
Select the audit approach to verify and test the controls, list the individuals to interview, and obtain departmental policies, standards and guidelines for review.
Develop audit tools and methodology to test and verify controls, procedures for evaluating the test or review results, and procedures for communication with management.
Report
Follow-up
-
Work Papers (WPs) (Cont'd)
What are documented in WPs?
Audit plans
Audit programs
Audit activities
Audit tests
Audit findings and incidents
-
Work Papers
Do not have to
-
Audit Risk
Audit risk is the risk that the information/financial report may contain material error that may go undetected during the audit.
A risk
-
Audit Risks: Types
Inherent risk
Control risk
Detection risk: Sampling risks, Nonsampling risks
Overall audit risk
Business risks
Technological risks
Operational risks
Residual risks
Audit risks
-
Audit Risks: Types
Inherent risk: Inherent risk is the risk that an error exists in the a
-
Audit Risks: Types
Business risks: These are risks that are inherent in the
-
Risk
-
Materiality
An auditing concept regarding the importance of an item of information with regard to its impact or effect on the functioning of the entity
-
Risk Assessment Techniques
Ena
-
Audit O
-
Compliance vs. Su
-
Evidence
It is a requirement that the auditor's conclusions must
-
Techniques for gathering evidence:
Review IS organization structures
Review IS policies and procedures
Review IS standards
Review IS documentation
Interview appropriate personnel
O
-
Interviewing and O
-
Sampling (continued)
General approaches to audit sampling:
Statistical sampling: An o
-
Sampling (continued)
Methods of sampling used
-
Sampling (continued)
Attribute Sampling
Stop-or-go sampling: A sampling model that helps prevent excessive sampling of an attri
-
Sampling (continued)
Variable sampling
Stratified mean per unit: A statistical model in which the population is divided into groups and samples are drawn from the various groups. Stratified mean sampling is used to produce a smaller overall sample size relative to unstratified mean per unit. Examples are teenagers from the ages of 13 to 19, people from the ages of 20 to 29, people from the ages of 30 to 39, and those who are male or female, smokers or nonsmokers, and so on.
Un
-
Statistical sampling terms: (contd.)
Confidence coefficient
Level of risk
Precision
Expected error rate
Sample mean
Sample standard deviation
Tolera
-
Statistical sampling terms:
Sample mean: The sum of all sample values, divided
-
Key steps in choosing a sample
Determine the o
-
Computer Assisted Audit Techniques. Contd.
CAATs ena
-
Computer Assisted Audit Techniques. Contd.
Need for CAATs
Evidence collection
Functional capa
-
Computer Assisted Audit Techniques. Contd.
Examples of CAATs used to collect evidence
CAATs as a continuous online approach
-
Computer Assisted Audit Techniques. Contd.
Development of CAATs
Documentation retention
Access to production data
Data manipulation
-
Evaluation of Strengths and Weaknesses
Assess evidence
Evaluate overall control structure
Evaluate control procedures
Assess control strengths and weaknesses
-
Judging Materiality of Findings
Materiality is a key issue
Assessment requires judgment of the potential effect of the finding if corrective action is not taken
-
Communicating Audit Results
Exit interview
Correct facts
Realistic recommendations
Implementation dates for agreed recommendations
Presentation techniques
Executive summary
Visual presentation
-
Audit report structure and contents
An introduction to the report
The IS auditor's overall conclusion and opinion
The IS auditor's reservations with respect to the audit
Detailed audit findings and recommendations
A variety of findings
Limitations to audit
Statement on the IS audit guidelines followed
-
Management Implementation of Recommendations
Auditing is an ongoing process
Timing of follow-up
-
Audit Documentation
Contents of audit documentation
Custody of audit documentation
Support of findings and conclusions
-
Control Self Assessment (CSA) Contd.
The primary o
-
Control Self Assessment (CSA) Contd.
Implementation of CSA: Facilitated workshops
-
Control Self Assessment
Benefits of CSA
Early detection of risk
More effective and improved internal controls
Highly motivated employees
Improved audit rating process
Assurance to top management and stakeholders
Disadvantages of CSA
It may
-
Control Self Assessment
IS Auditor's Role in CSAs: When CSA in place, auditors
-
Emerging Changes in IS Audit Process
New Topics:
Automated Work Papers
Integrated Auditing
Continuous Auditing
-
Automated Work Papers
Controls over automated work papers:
Access to work papers
Audit trails
Approvals of audit phases
Security and integrity controls
Backup and restoration
Encryption for confidentiality
-
Integrated Auditing: process where
-
Identification of relevant key controls
Review and understanding of the design of key controls
Testing that key controls are supported
-
Continuous Auditing vs. Continuous Monitoring
-
Continuous Monitoring
Management driven
Based on automated procedures to meet fiduciary responsi
-
Continuous Auditing
Enabler for the Application of Continuous Auditing
New information technology
Increased processing capa
-
IT Techniques in a Continuous Auditing Environment
Transaction logging
Query tools
Statistics and data analysis (CAAT)
Data
-
A high degree of automation
An automated and relia
-
Practice Question
-
Practice Questions (contd.)
Answer is B. Accountants, auditors, and lawyers act on
-
Q: What are the different types of audits?
A. Forensic, accounting, verification, regulatory
B. Integrated, operational, compliance, administrative
C. Financial, SAS, compliance, administrative
D. Information systems, SAS70, regulatory, procedural
-
Practice Questions (contd.)
Answer is B. All of the audit types are valid except procedural, SAS, verification, and regulatory. The valid audit types are financial, operational (SAS70), integrated (SAS9), compliance, administrative, forensic, and information systems. A forensic audit is used to discover information a
-
Practice Questions (contd.)
Answer is A. A final opinion is
-
Practice Questions (contd.)
Q: Which of the following BEST describes the early stages of an IS audit?
A. O
-
1-1 C: Understanding the
-
Q: In performing a risk-based audit, which risk assessment is completed initially by the IS auditor?
A. Detection risk assessment
B. Control risk assessment
C. Inherent risk assessment
D. Fraud risk assessment
Answer
-
1-2 C: Inherent risks exist independent of an audit and can occur
-
Q: While developing a risk-based audit program, on which of the following would the IS auditor MOST likely focus?
A. Business processes
B. Critical IT applications
C. Operational controls
D. Business strategies
-
Practice Questions (contd.)
-
Q: Which of the following types of audit risk assumes an absence of compensating controls in the area being reviewed?
A. Control risk
B. Detection risk
C. Inherent risk
D. Sampling risk
Answer
-
1-4 C: The risk of an error existing that could
-
Q: An IS auditor performing a review of an application's controls finds a weakness in system software that could materially impact the application. The IS auditor should:
A. disregard these control weaknesses since a system software review is
-
1-5 D: The IS auditor is not expected to ignore control weaknesses just
-
Q: The PRIMARY use of generalized audit software (GAS) is to:
A. test controls em
-
1-6 C: Generalized audit software facilitates direct access to and interrogation of the data
-
Q: Which of the following is MOST effective for implementing a control self-assessment (CSA) within business units?
A. Informal peer reviews
B. Facilitated workshops
C. Process flow narratives
D. Data flow diagrams
Answer
-
1-7 B: Facilitated workshops work well within
-
Q: The FIRST step in planning an audit is to:
A. define audit delivera
-
Answer
1-8 C: The first step in audit planning is to gain an understanding of the
-
Q: The approach an IS auditor should use to plan IS audit coverage should be based on:
A. risk.
B. materiality.
C. professional skepticism.
D. sufficiency of audit evidence.
Answer
-
1-9 A: Standard S5, Planning, esta
-
Q: A company performs a daily backup of critical data and software files and stores the backup tapes at an offsite location. The backup tapes are used to restore the files in case of a disruption. This is a:
A. preventive control.
B. management control.
C. corrective control.
D. detective control.
Answer
-
1-10 C: A corrective control helps to correct or minimize the impact of a pro
-
Question & Answer
THIS IS A COMFORTABLE POINT TO SAY
-
SAY…
THANK YOU AND BEST OF LUCK