Wednesday, August 4, 2010

CISA Chapter 1.1

Administrative note:  I decided to split this up into multiple posts, because it was getting really really long.  I'll shoot for more frequent posts in the future that are not so long.  If you would like single long posts instead, sound off in the comments!

Test results

26/30 correct = 87%

Questions I missed:

What is a work breakdown structure?
I thought it was a sequence of steps with milestones in support of the project scope, but the correct answer is “Decomposition of tasks”.  Those seem pretty similar in my mind: you decompose tasks into steps with milestones, but I guess the author of the book doesn’t think that way.

What is not a responsibility of the Audit Committee?
The “not” tripped me up here; I chose “The audit committee is composed of members from the board of directors. This committee has the authority to hire external auditors, and external auditors may meet with the committee on a quarterly basis without other executives present.” which is a responsibility of the committee.  Paying attention to the wording of questions is important.

What type of audit checks attributes against the design specifications?
I chose a System audit; the correct answer is a Product audit.  I’m in the mode of thinking about IS audits and IS systems, so I’ll have to keep in mind the other types of audits that exist.

What is the purpose of the skills matrix?
I had no idea what a skills matrix was, so I just guessed on this question.  Turns out the correct answer is “Describe the person needed during the performance phase of the audit”.

Chapter Overview
Basically, auditors rock.  They save the world from all sorts of nasty things and really should be considered superheroes.  Good career choice.  One thing though... you always have to wear a suit and tie, use “professional” humor, and impress your clients.  And if you ever pirate software or certain CISA training books, ninjas will hunt you down and kill you.  Great start to the book, huh?

Policies - High level and general, issued by someone high in the company.  Mandatory.
Standards - Mid level, more specific than policies.  One policy may have several supporting standards.  Also mandatory.
Guidelines - Advisory, intended to give direction when no policy or standard covers a certain subject.  Discretionary.
Procedures - Step-by-step guide for doing a certain task.  Mandatory.

Members and ISACA certification holders shall:
1. Support the implementation of, and encourage compliance with, appropriate standards, procedures and controls for information systems.
2. Perform their duties with objectivity, due diligence and professional care, in accordance with professional standards and best practices.
3. Serve in the interest of stakeholders in a lawful and honest manner, while maintaining high standards of conduct and character, and not engage in acts discreditable to the profession.
4. Maintain the privacy and confidentiality of information obtained in the course of their duties unless disclosure is required by legal authority. Such information shall not be used for personal benefit or released to inappropriate parties.
5. Maintain competency in their respective fields and agree to undertake only those activities, which they can reasonably expect to complete with professional competence.
6. Inform appropriate parties of the results of work performed; revealing all significant facts known to them.
7. Support the professional education of stakeholders in enhancing their understanding of information systems security and control.
Failure to comply with this Code of Professional Ethics can result in an investigation into a member's, and/or certification holder's conduct and, ultimately, in disciplinary measures.

Know the code of ethics.  You can see a FAQ here.  Don’t do anything stupid to get yourself in trouble.

Types of Audits
For a slightly different list, see here.

Internal audits - Carried out by the same organization that is being audited.  Not independent, so of limited use.  Sometimes also called an assessment.
External audits - This is usually a customer auditing a company, or a company auditing a supplier.  Usually contract motivated, to make sure things are being done as agreed.
Independent audits - As the name says, these are independent, performed by someone with no relationship to the company, someone who won't be biased.

Those are the general types of audits; there are also different audit objectives that can fit into each type of audit.  Here are some examples:

Product audit - Compare the finished product to what was originally designed.  Most often thought of with a physical product, but can apply to software systems as well.
Process audit - Examine a process to decide if it is accomplishing the stated objective, and identify opportunities for increased efficiency.
System audit - Big one.  System configuration, controls, monitoring, change control, authentication, authorization, maintenance, etc.
Financial audit - Another big one.  Checking of accounting procedures, records, balances, etc.
Operational audit - SAS-70.  Operational effectiveness and efficiency.
Integrated audit - SAS-94.  Combined operational and financial audit.
Compliance audit - To verify compliance with a set standard or regulation.  SOX and PCI are common.
Administrative audit - Mostly about documentation of policies and procedures.
Information systems certification - Testing against a standard reference.

Roles
There are two categories of roles: audit and non-audit.  The audit roles are auditor and auditee.  The non-audit role is the client, which may be the company being audited.

It is important that as an auditor you maintain independence from what you are auditing.  Basically, independence means that you are not personally involved in what you are auditing, and that you won’t be biased to report anything more or less favorably than the evidence suggests.

Auditing Standards

There are quite a few standards, including the following:

American Institute of Certified Public Accountants (AICPA) and International Federation of Accountants (IFAC).
Financial Accounting Standards Board (FASB) with Statement on Auditing Standards (SAS), standards 1 through 114, which are referenced and applied by the AICPA and IFAC.
Generally Accepted Accounting Principles (GAAP).
Committee of Sponsoring Organizations of the Treadway Commission (COSO), providing the COSO internal control framework that is the basis for standards used in global commerce. COSO is the parent for the standards used by governments around the world.
Public Company Accounting Oversight Board (PCAOB) of the Securities and Exchange Commission, issuing audit standards AS-1, AS-2, AS-3, AS-4, and AS-5. PCAOB is the standards body for Sarbanes-Oxley, including the international implementation by the Japanese government and European Union (US-SOX, J-SOX and E-SOX).
Organization for Economic Cooperation and Development (OECD), providing guidelines for participating countries to promote standardization in multinational business for world trade.
International Organization for Standardization (ISO), which represents participation from more than member governments.
U.S. National Institute of Standards and Technology (NIST), providing a foundation of modern IS standards used worldwide. When combined with British Standards/ISO (BS/ISO), you get a wonderful amount of useful guidance.
U.S. Federal Information Security Management Act (FISMA), which specifies minimum security compliance standards for all systems relied on by the government, including the military and those systems operated by government contractors. (The U.S. government is the world’s largest customer.)
IS Audit and Control Association (ISACA) and IT Governance Institute (ITGI) issue the Control OBjectives for IT (CObIT) guidelines which are derived from COSO with a more specific emphasis on information systems.
Basel Accord Standard II (Basel II), governing risk reduction in banking.


The 16 Standards are:

S1 Audit Charter - The audit charter authorizes the scope of the audit and grants you responsibility, authority, and accountability during the audit.

S2 Independence - Every auditor is expected to demonstrate professional and organizational independence, like we talked about earlier.

S3 Professional Ethics and Standards of Conduct - The auditor must act in a manner that denotes professionalism and respect.

S4 Professional Competence - The auditor must have the necessary skills to perform the audit. Continuing education is required to improve and maintain skills.

S5 Planning - Successful audits are the result of advance preparation. Proper planning is necessary to ensure that the audit will fulfill the intended objectives.

S6 Performance of Audit Work - This standard provides guidance to ensure that the auditor has proper supervision, gains the correct evidence to form conclusions, and creates the required documentation of the audit.

S7 Audit Reporting - The auditor’s report contains several required statements and legal disclosures. This standard provides guidance concerning the contents of the auditor’s report.

S8 Follow-up Activities - The follow-up activities include determining whether management has taken action on the auditor’s recommendations in a timely manner.

S9 Irregularities and Illegal Acts - This standard outlines how to handle the discovery of irregularities and illegal acts involving the auditee.

S10 IT Governance - This standard covers the authority, direction, and control of the information technology function. Technology is now pervasive in all areas of business. Is the auditee properly managing IT to meet their needs?

S11 Use of Risk Analysis in Audit Planning - This standard provides guidance for implementing a risk-based approach in audit planning. Risk planning is used to determine whether an audit is possible. Auditors always weigh their level of competency to conduct the audit. Audit plans should be structured for the maximum return on investment when designing specific audits, aka impact for the dollar spent.

S12 Audit Materiality - Auditors must use evidence that portrays the most accurate story. The absence of controls or a potential weakness may cumulatively result in unacceptable risk to the organization. Ineffective controls, absence of controls, and control deficiencies should be disclosed in the audit report.

S13 Using the Work of Other People - It’s impossible for the auditor to perform all the work alone. The work of other experts may be included in the audit, provided the auditor is satisfied with their competencies, relevant experience, professional qualifications, independence, and quality control. A scope limitation may be required in the final audit opinion if the other experts do not provide appropriate and sufficient evidence. An expert working in the same area as the one being audited should not be relied on.

S14 Proper Audit Evidence - Appropriate evidence includes the written procedures performed by the auditor, source documents, corroborating records, samples, and corresponding test results. Reliable evidence is based on its source, natural state, and authenticity. Audit evidence must be specifically identified, cataloged, and cross-referenced in the audit documentation, via auditor notes and working papers.

S15 Effective IT Controls - Working IT controls represent an integral foundation in the organization’s overall internal control environment. IS auditors should monitor and evaluate the effect or absence of IT controls. It’s necessary to help management understand the IT controls’ design, implementation, and methods of improvement. The level of effective controls provided by outsourcing, or their absence, may help or hurt the organization.

S16 Electronic Commerce Controls - E-commerce allows the business to conduct electronic transactions with other businesses and directly to consumers over the public Internet. E-commerce requires the auditor to implement risk-based audit plans with data-gathering techniques for continuous assurances regarding the security and integrity of the environment. This only applies to the public Internet, not to private networks between various companies.