transaction processing is a viable way to validate that the process works as designed. When auditing a transaction process, this technique serves to ensure that the controls are working as they are designed to do. A variation on reperformance is to introduce a known error into the process and to see if the controls' actions and results are as expected. Other such testing techniques will be examined later when we discuss test work in more detail.

Monitoring

Monitoring is the ongoing input of evidence for a time period sufficient in length to meet the needs of the audit objective. Sometimes obtaining direct evidence is not possible, and observing a process for a particular time period is not sufficient to ensure that the controls are working properly. Thus, an audit step must be designed to monitor a process or transaction flow over a period of time to ensure that controls are working properly. This is especially the case when many smaller processes or transactions are involved.

Test Work

Test work refers to the sections of the fieldwork that formally step through a test designed to determine whether the controls are working. Testing is a basic building block of fieldwork. It is a scientific process that involves understanding a process and the expected results (whether they are control related or actual computational results) and performing the work to see if the results support the hypothesis. Because reperformance and the testing of large amounts of transactions or data are usually prohibitive, some kind of population sampling is usually performed, in sufficient quality and quantity to extrapolate the results of the testing into a reliable conclusion for the entire population of items.

Substantive Testing

This type of testing is used to substantiate the integrity of the actual processing. It is used to ensure that processes, not controls, are working as designed and give reliable results.
Compliance Testing

A compliance test determines if controls are working as designed. As policies and procedures are created and documented, compliance testing looks for compliance with these management directives.

42 Chapter 1

CAATs

Computer Assisted Auditing Techniques (CAATs) are useful when large amounts of data are involved or complex relationships of related data need to be reviewed programmatically to glean appropriate evidence from the aggregated data. CAATs can really be any electronic audit tool, such as a standard data examination tool like spreadsheet software or a custom tool built and tested for a single purpose. It may be necessary to use a computer-aided audit technique when no directly tangible evidence can be readily obtained. The use of computer-aided tools can enable the auditor to assess a large amount of data quickly and efficiently; however, proper planning is still important. Unless it is a test that you will use often, the time and expense of developing a defendable and reliable CAAT may outweigh the benefit for a single audit effort. Some of the functionality you will be able to make use of with CAATs includes:

■ Avoidance of a sampling error by addressing 100 percent of the population
■ Stratification of data
■ Aging of the transactions and data
■ Recalculation (reperformance)
■ Exceptions identification
■ Fraud detection (via isolated variances)
■ Extraction of subsets of data
■ Linkage of data for analysis
■ Identification of duplicate transactions
■ Audit trail analysis

CAATs may require a more invasive approach to auditing and will require close communication and agreement with the auditee. Data file copies may need to be exported offline in order not to interrupt the production use of the data. In addition, strict controls will need to be placed on the extracted data to establish and maintain its integrity.
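The following Python script is an added example for this section; it is not part of the original text and not the code of any named audit tool. It is the kind of single-purpose CAAT the text describes, run against a small constructed payables extract whose column names are assumptions. It hashes the extract on receipt (the integrity control over extracted data mentioned above), then performs several of the listed functions on it: duplicate identification, recalculation, stratification, aging, and exception identification. It also carries out the seeded-known-error variation of reperformance described earlier in the chapter, so the tool itself is shown to detect an error that the auditor planted.

```python
"""Added example (not from the original text): a minimal single-purpose CAAT.
The extract below is constructed sample data; the column names are assumptions."""
import csv
import hashlib
import io
from collections import Counter, defaultdict
from datetime import date
from decimal import Decimal

# Constructed payables extract, as it might be exported offline from production.
EXTRACT = """txn_id,vendor,invoice_no,amount,qty,unit_price,invoice_date,approver
1001,ACME,INV-1,1200.00,10,120.00,2024-01-05,jsmith
1002,ACME,INV-1,1200.00,10,120.00,2024-01-05,jsmith
1003,Globex,INV-77,5500.00,5,1100.00,2023-11-20,
1004,Initech,INV-9,930.00,3,300.00,2024-02-14,rlee
1005,Globex,INV-78,49500.00,9,5500.00,2024-03-01,rlee
"""


def integrity_hash(raw: str) -> str:
    """SHA-256 of the extract exactly as received. Record it in the work papers so a
    reviewer can confirm that the file tested is the file that was obtained."""
    return hashlib.sha256(raw.encode()).hexdigest()


def load(raw: str) -> list:
    """Parse the CSV extract into typed rows (Decimal for money, date for dates)."""
    rows = list(csv.DictReader(io.StringIO(raw)))
    for r in rows:
        r["amount"] = Decimal(r["amount"])
        r["qty"] = int(r["qty"])
        r["unit_price"] = Decimal(r["unit_price"])
        r["invoice_date"] = date.fromisoformat(r["invoice_date"])
    return rows


def duplicates(rows) -> list:
    """Identification of duplicate transactions: same vendor, invoice and amount."""
    key = lambda r: (r["vendor"], r["invoice_no"], r["amount"])
    counts = Counter(key(r) for r in rows)
    return [r["txn_id"] for r in rows if counts[key(r)] > 1]


def recalculation_exceptions(rows) -> list:
    """Recalculation (reperformance): recompute amount = qty * unit_price and
    report every row whose stored amount differs."""
    return [r["txn_id"] for r in rows if r["qty"] * r["unit_price"] != r["amount"]]


def stratify(rows, bounds=(Decimal("1000"), Decimal("10000"))) -> dict:
    """Stratification: bucket rows by amount so each stratum can be sampled separately."""
    strata = defaultdict(list)
    for r in rows:
        band = sum(r["amount"] >= b for b in bounds)  # 0, 1 or 2 bounds exceeded
        strata[("low", "mid", "high")[band]].append(r["txn_id"])
    return dict(strata)


def aging(rows, as_of: date, days: int = 90) -> list:
    """Aging: transactions older than `days` at the as-of date."""
    return [r["txn_id"] for r in rows if (as_of - r["invoice_date"]).days > days]


def control_exceptions(rows) -> list:
    """Compliance test over 100 percent of the population: every invoice needs an approver."""
    return [r["txn_id"] for r in rows if not r["approver"]]


def known_error_check(raw: str = EXTRACT) -> bool:
    """Reperformance variation from the text: seed a known error (amount that does not
    equal qty * unit_price) and confirm the test flags it. Row 9999 is constructed."""
    seeded = raw + "9999,Seeded,INV-X,100.00,2,40.00,2024-03-02,jsmith\n"
    return "9999" in recalculation_exceptions(load(seeded))


def run(raw: str = EXTRACT, as_of: date = date(2024, 3, 31)) -> dict:
    """Run every test and return the evidence to be written up in the work papers."""
    rows = load(raw)
    return {
        "extract_sha256": integrity_hash(raw),
        "duplicates": duplicates(rows),
        "recalc_exceptions": recalculation_exceptions(rows),
        "strata": stratify(rows),
        "aged_over_90_days": aging(rows, as_of),
        "missing_approver": control_exceptions(rows),
        "seeded_error_detected": known_error_check(raw),
    }


if __name__ == "__main__":
    for name, value in run().items():
        print(f"{name}: {value}")
```

The hash is taken over the raw bytes before any parsing, so any later change to the extract (including an accidental edit by the auditor) is detectable against the value recorded at the time the data was obtained. Each test returns the transaction identifiers it flagged rather than printing them, so the same output can be placed directly into an exhibit.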
If technical staff is involved with developing and performing tests related to the use of CAATs, due care related to the integrity of the data and additional controls over the audit testing processes may need to be considered. Additional steps to ensure that source code and object code match and that file and data definitions are available may be appropriate in planning and executing CAAT-based reviews.

The Information System Audit Process 43

Changes caused by the interaction of the production system and the CAAT tools, to both the production environment and the CAAT tools, need to be fully understood before reliance on the technique can be made and before risks to the production environment are introduced. A full description of the CAAT processes and their input/output should be documented in the work papers.

Management Control Reports

Reports used by management to ensure that the controls are working, or used as detective controls for identifying when errors occurred, are often gathered through a sampling and are evidenced in the fieldwork. Management reports are gathered to confirm statistical or performance data and to evidence communication between line management and other areas affected by their work. Often these are identified as control mechanisms during interviews, at which point representative copies are requested. If the control mechanism supported by the reports is material or significant to the audit objective and is kept in archive as evidence, a sampling may be an appropriate review process.

Sampling

Sampling is an appropriate way to meet the requirement that audit evidence be sufficient, reliable, relevant, useful, and supported by appropriate analysis. Sampling is the process of applying the audit process to less than 100 percent of the audit item population in order to form an opinion on the control environment. The sampling process has several defined steps:

1. Determine the objectives of the test.
2. Define the population.
3. Determine the confidence level.
4. Determine the precision.
5. Determine the expected standard deviation.
6. Compute the sample size.
7. Document the sampling procedure.
8. Select the audit samples.
9. Evaluate the sample results.
10. Reach an overall conclusion based on the sampling.

There are several types of sampling applicable to IS audits and several related definitions that you must know:

Attribute. An aspect of an element of the total population. For example, in a sample of items lacking proper signatures, the attribute is the improper signature. Attributes are binomial (for example, yes or no).

Population. Also known as the universe or field, this is the aggregate total of items to choose from and about which information is desired.

Confidence Interval. A range of values that defines the upper and lower limits between which the actual population value is believed to lie, relative to the sample statistic. For example, if a sample at the 95 percent confidence level produces a confidence interval between 200 and 300, and the auditor were to repeatedly pull samples of the same size and calculate a 95 percent confidence interval for each, then about 95 percent of those intervals would encompass the actual population value.

Confidence Level or Degree of Assurance. The probability that the results of a sample are reasonable results relative to the population as a whole. It is an estimate of the degree of certainty that a population average will be within the precision level selected. Confidence levels are usually expressed as a percentage. A 95 percent confidence level means that if repeated sampling were conducted, the actual value would fall within the confidence interval about 95 percent of the time.

Standard Deviation. The degree to which individual values in a list vary from the mean (average) of all values in the list. The lower the standard deviation, the less individual items vary from the mean and the more reliable the mean.
Precision. The range or tolerance within which the population value is estimated to lie at the stated confidence level. For example, if there is 95 percent confidence that the average value lies within X plus or minus the precision, then there is a 5 percent risk that it lies outside that range: for a symmetric two-sided interval, a 2.5 percent risk that it is greater than the upper limit and a 2.5 percent risk that it is less than the lower limit.

Probability. The ratio of the frequency of certain events to the frequency of all possible events in a series, usually expressed as a percentage of all events in the series.

Random Statistical. This is a selection process that utilizes a random selection of a sample from the population, in which every item has an equal chance of being selected for applying the audit process. Use of a random number generator would be a way of performing such a selection. Your work papers should document the process used to generate the random number sequence (including the generator and the seed used), so that a reviewer can reproduce the selection.

Systematic Statistical. This is a selection process that utilizes a fixed interval between selected items, with the first selection being a random selection: for example, selecting every nth item for applying the audit process. The mathematical method used and the rationale should be documented in your work papers.

Haphazard Nonstatistical. This sampling technique does not rely on any methodology or basis for selection. It should not be used to form a reliable conclusion on a population of items.

Judgmental Nonstatistical. This is also referred to as exception sampling. You may pick items over a certain value or outside some normal definition boundaries for examination. Often in a financial transaction review, this is also a way to focus on higher risk items by picking those transactions that represent a high dollar value for closer inspection. The results from audits of samples chosen with this method cannot be extrapolated over the entire population of items. Note that attribute sampling, mentioned previously, tests each selected item for the presence or absence of a binary attribute and is a statistical method when the items are selected randomly; it is selection by judgment, not the attribute test itself, that makes a sample nonstatistical.
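The sampling steps and the definitions above, carried through in Python as an added example; this is not the book's own procedure and not the code of any audit package. It computes an attribute sample size from the confidence level, precision, and expected deviation rate, draws the sample by random or systematic selection with a recorded seed, and evaluates the sample result against a tolerable rate. The population of 1,000 invoice numbers, the pattern of missing signatures in it, and the convention that the tolerable rate equals the expected rate plus the precision are constructed assumptions of the example.

```python
"""Added example, not from the original text: attribute sample size, random and
systematic selection, and evaluation of the sample result. The population, the
deviation pattern and the numeric parameters are all constructed for illustration."""
import math
import random
from statistics import NormalDist


def z_for_confidence(confidence: float, two_sided: bool = True) -> float:
    """Standard normal quantile for a confidence level (0.95 -> 1.96 two-sided)."""
    tail = (1 - confidence) / 2 if two_sided else (1 - confidence)
    return NormalDist().inv_cdf(1 - tail)


def attribute_sample_size(population: int, confidence: float,
                          precision: float, expected_rate: float) -> int:
    """Steps 3 to 6 of the sampling procedure for a yes/no attribute test:
    n0 = z^2 * p * (1 - p) / E^2, then the finite-population correction
    n = n0 / (1 + (n0 - 1) / N). p is the expected deviation rate, E the precision
    (tolerable +/- around the estimate) and N the population size."""
    z = z_for_confidence(confidence)
    n0 = z * z * expected_rate * (1 - expected_rate) / precision ** 2
    return math.ceil(n0 / (1 + (n0 - 1) / population))


def random_selection(ids, n: int, seed: int) -> list:
    """Random statistical selection: every item has an equal chance. The seed is what
    the work papers must record so a reviewer can regenerate exactly this selection."""
    return sorted(random.Random(seed).sample(list(ids), n))


def systematic_selection(ids, n: int, seed: int) -> list:
    """Systematic statistical selection: fixed interval k = N // n with a random start
    in [0, k). The start and the interval are the documented method."""
    ids = list(ids)
    k = len(ids) // n
    start = random.Random(seed).randrange(k)
    return [ids[start + i * k] for i in range(n)]


def evaluate(results, confidence: float, expected_rate: float, precision: float) -> dict:
    """Step 9: observed deviation rate and its one-sided upper bound, compared with the
    tolerable rate fixed before testing (expected_rate + precision is this example's
    assumption). The sample passes only if the upper bound is within tolerance; this
    comparison is where incorrect acceptance or rejection (sampling risk) can occur."""
    n = len(results)
    deviations = sum(1 for passed in results if not passed)
    rate = deviations / n
    z = z_for_confidence(confidence, two_sided=False)
    upper = rate + z * math.sqrt(rate * (1 - rate) / n)
    tolerable = expected_rate + precision
    return {"n": n, "deviations": deviations, "rate": rate,
            "upper_bound": upper, "tolerable": tolerable, "accept": upper <= tolerable}


def run_example(seed: int = 20240401, method: str = "random") -> dict:
    """Constructed population of 1000 invoice numbers in which every 40th invoice lacks
    an approval signature (a true deviation rate of 2.5%, unknown to the auditor)."""
    population = list(range(1, 1001))

    def has_signature(invoice_id: int) -> bool:
        return invoice_id % 40 != 0

    confidence, precision, expected_rate = 0.95, 0.05, 0.05
    n = attribute_sample_size(len(population), confidence, precision, expected_rate)
    select = random_selection if method == "random" else systematic_selection
    sample = select(population, n, seed)
    result = evaluate([has_signature(i) for i in sample], confidence, expected_rate, precision)
    result["sample"] = sample
    result["seed"] = seed  # recorded in the work papers with the method and parameters
    return result


if __name__ == "__main__":
    r = run_example()
    print(f"n={r['n']} deviations={r['deviations']} upper={r['upper_bound']:.3f} "
          f"tolerable={r['tolerable']:.3f} accept={r['accept']}")
```

Running the script with a different seed produces a different sample and, occasionally, a different conclusion about the same population; that variability is the sampling risk defined next, and it is why the generator, the seed, and the parameters that produced the sample size belong in the work papers alongside the conclusion.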
Sampling Risk. Sampling risk is the risk that arises from the possibility that the sample does not represent the population, resulting in a conclusion that would not have been made had the entire population been examined. This error can occur in two ways: 1) the conclusion results in an incorrect acceptance of the test because the population is misrepresented by the sample, and 2) the conclusion results in an incorrect rejection of the test because of the sample, when testing the entire population would have resulted in an acceptable outcome.

The auditor should use a sampling method that is representative of the population relative to the characteristic for which the population is being tested. Stratification, a process of subdividing the larger population into smaller ones with common attributes, may be considered as a way to narrow the population and to increase the confidence of the testing, depending on the audit objective for which the test is designed. The larger the sample size, the less error can be expected; however, some amount of error must be expected when applying a sampling technique of any kind. The auditor should consider whether the expected error rate will exceed the tolerable error rate when determining what to sample and what sample size is sufficient. Sampling procedures and the determinations used in defining the sample method must be properly documented in the work papers in order for the samples and the overall conclusion to be defendable. In determining these methods and processes, care must be exercised to show that bias has been avoided and that the sample size is sufficient.

Preparing Exhibits

Exhibits should be included in a section of the work papers and organized so that references can be easily made to the audit program. An indexing scheme calls out or indexes an exhibit based on the location in the work papers where it was first referenced. This helps to order the exhibits logically and sequentially.
For example, if audit Step 3 is the first time an exhibit of a certain report is used in the audit work, it might be labeled “EX-3-1” for the first exhibit in audit Step 3. Subsequent references to the exhibit then continue to use this number as the exhibit identifier. In large or frequently performed audits it is helpful to also note additional information in the labeling of the audit exhibit, such as the auditor who gathered the evidence, the technique used to obtain the evidence (from whom, how, by what extraction method, and so on), and the date it was obtained. Provisions in the labeling also should accommodate places for initialing by the reviewer to evidence approval and sufficiency of the exhibit to meet the audit objectives.

Identifying Conditions and Defining Reportable Findings

As audit work is performed, evidence is reviewed, and work papers are documented, the auditor forms an opinion on whether the controls in place are sufficient to mitigate the risks to a level that meets the audit objective and the business needs of the auditee. Deficiencies between the actual control effectiveness and the expected or required level of control are referred to as control weaknesses. Weaknesses can be systemic across the audit area or specific and unique to a single test or piece of audit work. During the course of the audit work, all deficiencies should be noted and annotated with work paper shorthand for review and summarizing. At times, weaknesses are pronounced and significant, requiring the auditor to consider bringing the issues immediately to management's attention for correction or disposition. Depending on the prior audit arrangements and the nature of the audit, this is a prudent course of action. If irregularities are identified that could involve an illegal act, the auditor should either consider seeking legal advice directly or recommend that management do so.
Identifying the appropriate level of management or the appropriate responsible person to whom issues of this nature should be reported can be tricky and may take some special considerations and professional judgment. Again, outside legal counsel or audit committee reporting may need to be considered to appropriately handle situations like this. It is important to validate the concerns and double check the evidence and audit process, without alarming those involved, before confronting management, in order to avoid embarrassment and risking the loss of confidence in the audit team. Reporting irregularities needs careful consideration because of the potential for further abuse of the identified weaknesses, loss of customer confidence, damage to company reputation, and the effect on employees not directly involved with the irregularity. External reporting of illegal acts may be a legal or regulatory obligation. Approval for this kind of reporting should be sought from audit management and the appropriate level of management prior to proceeding. The majority of routine concerns can be raised in the ongoing and periodic status communications between the auditor and management. Even if satisfactorily corrected and addressed, these weaknesses and related findings should be reported as part of the audit. When audits are performed to place reliance on controls over a period of time, a determination must be made as to when the weakness existed in comparison to the effective time period the audit is covering.

Conclusions

An important aspect of all testing and fieldwork is to draw a conclusion based on the evidence reviewed. This can be a difficult part of the audit for an inexperienced auditor. The conclusion is the actual value that comes out of the audit process, without which there is no reason to audit. It is the step most agonized over by auditors, because it is where their opinion and professional training are ultimately put to the test.
The CISA candidate must be familiar with the process of determining, from the evidence presented and tests performed, what their professional opinion is about the sufficiency of the controls relative to the risk culture of the management and the materiality of the particular finding. Even when there are no findings of weakness, or especially when no weakness is found, the auditor must clearly state this finding when writing their concluding opinion about the test or fieldwork before they are done with the audit program step. When weaknesses are noted, some planning will help position the weaknesses to help you formulate findings and reportable items.

Identification of Control Weaknesses

The identification of a control weakness results in the recording of a single incident of a failure or deficiency in the controls. It is important to begin to transition your thinking from the technical to a management level of communication when identifying weaknesses and documenting them. You should be able to state, as part of the weakness documentation, what you expected to find or what the condition should have been, to draw attention to the magnitude of the difference between that and the condition found. These findings form the basis of the audit report and the overall opinion rendered as the primary deliverable of the audit work.

Summarizing Identified Weaknesses into Findings

Once you have gone through the audit program and addressed the audit program steps sufficiently to have an end point for all of the items that needed to be reviewed, you can begin to analyze the weaknesses and look for findings that may be reportable. Using a notation methodology that preserves information about the audit step and the particular test where the weakness was identified, you can place all of the weaknesses onto a separate document to help you focus only on the weaknesses and to determine whether any common themes or weaknesses are shared. Prioritization based on materiality also can begin to take place during this analysis. When multiple weaknesses are related to the same root control deficiency, you should note that these items are actually different examples of the same audit finding and should be addressed as a single issue, because the solution will cover all of the weaknesses identified. During this step, there should be open communication with auditee management to validate the issues identified and to ensure that there were no misrepresentations during the course of the audit work. As root issues are identified, audit findings are formulated into reportable findings from an overall understanding of materiality, risk prioritization, audit objectives, scope and risk tolerance, and the weaknesses identified. Now you are prepared to draft the findings into a reportable format.

Reportable findings contain five specific parts in their presentation format:

■ Condition. What is the condition that was found? State the situation in clear, non-jargon language.
■ Criteria. What should the state of the condition be? What would you expect to see in a well-controlled situation?
■ Cause. Why is the auditee at risk? Why is this important?
■ Effect. What is the significance of the condition? What is the potential downside impact to the auditee if the condition is not addressed?
■ Recommendation. What do you propose that might better mitigate the risk exposure identified by this finding?

Your finding should take this format in its final form, but before you make any recommendations you will need to do some root cause analysis to make your recommendations value added.

Root Cause Analysis

Root cause analysis is a process performed on the weakness findings to answer the question: Why? Before you make a value added recommendation, you must understand what the root issues are and what the symptoms are. Correcting a symptom will not solve the weakness effectively or result in a long-term solution.
Often, you must peel back through several layers of cause and effect to get to the real cause of the weakness or deficiency. Generally, control weaknesses are symptoms, and a collection of them will help you identify the root cause. Another popular method to get to a root cause is to start with a symptom and ask "why" three to five times to get to the real cause that needs to be addressed in order to change the identified symptomatic outcome. This exercise may lead to root causes that are outside the control of the affected or audited area or beyond the scope of audit's influence. Alternate recommendations that are within the control of the management affected by the audit should then be provided, in order to give actionable results that can be implemented to mitigate the risks.

Value-Added Recommendations

Your recommendations for addressing risk control weaknesses will need to be realistic and cost/benefit positive to the auditee in order for your work to be seen as adding value to auditee management. Auditee management may dismiss your recommendations where the cost of the solution exceeds the potential loss should the risk go unchecked. Many questions in the CISA exam will test your ability to determine the cost-beneficial recommendation and will ask you to evaluate whether it is worth it or not. Sometimes this involves understanding the cost of the solution and the cost of the problem over a period of time to define the best long-term control recommendation.

Reasonable Assurance through a Review of Work

In applying due professional care to their work papers, the IS auditor will have their work checked by another auditor to ensure that their conclusions are sound and will stand up to review. Through this second review, the accuracy of the conclusions and identified weaknesses can be reasonably assured.
The expectation of a second opinion on their work prior to the issuance of findings and reports keeps the IS auditor focused on thorough and understandable documentation and testing work.

The AIC and the Next Level Review of the Work Performed

Wherever feasible, all work papers should be reviewed and approved by another auditor, preferably the next higher level of management in the audit organization. If an audit manager performs a section of the audit work, this section should be reviewed by at least one staff auditor or a peer manager to ensure that all of the work performed reasonably meets the reasonably competent third party test. Work paper comments and concerns related to unclear procedures or conclusions, or related to the sufficiency of the evidence, should be documented and discussed with the auditor performing the work. These review comments should be presented and cleared in a manner that will not remain part of the permanent work paper files. Notation of the presentation and subsequent clearing of the review comments should be recorded in the chronological log without recording the substance of the comments discussed. After having reviewed the work and satisfactorily addressed and cleared all of the review comments, the reviewer should initial the work to provide the assurance necessary to achieve a reliable audit result.

[...] isolated from one another. You should not perform audit work with the report in mind. The report content should be determined from the results of the test work, which is synthesized and aggregated into a management-specific view of the material details after the test work is performed and the conclusions are made. The report is a summary and conclusion of the root concerns identified in the audit test work, [...]

[...] the audit and preparing auditor(s)
4. Scope
5. Objectives of the engagement
6. Coverage period
7. Brief description of work performed
8. Background information
9. Overall audit conclusion
10. Findings, recommendations, and responses listed from the highest material risk to the lowest material risk

The report should initially describe the scope and objectives of the audit and provide information about whether [...] the entire body of the test work, just an overview of what was tested, the systems and audit areas covered in the audit, and the kinds of testing techniques and methodologies used. Any circumstances that limited or expanded the scope should be described in this section of the report. Any relevant background information related to the audit should be inserted next. This information may be used to set the [...] made to the environment or processes during the audit or before the final issuance of the report that affect the overall response desired from senior management as a result of issuing the report should be mentioned. For example, it is not unusual for significant material items to have been resolved or corrected before the final report is issued, due to their potential impact on the business. They are, however, reportable in the audit report because at the time of the audit they were not properly addressed, [...]

[...]
■ www.isaca.org/standard/code2.htm
■ www.sas70.com/
■ www.theiia.org/itaudit/

Sample Questions

The following questions and answers are a sample of what the CISA exam content might look like on the subject matter covered in this chapter. The format, style, and layout of the question and answer choices should give you a better understanding of the exam question format [...]

1. [...] scope of the engagement?
A. The concerns of management for ensuring that controls are sufficient and working properly
B. The amount of controls currently in place
C. The type of business, management culture, and risk tolerance
D. The complexity of the technology used by the business in performing the business functions

2. Which of the following best describes how a CISA should treat guidance from the IS audit [...]

[...]
A. The auditor starts dating the change control librarian
B. The auditor invests in the business spin-off of the company
C. The auditor used to manage the same business process at a different company
D. The auditor is working as a consultant for the implementation portion of the project being audited

19. Control objectives are defined in an audit program to
A. Give the auditor a view of the [...] of what the key control issues are based on the risk and management input
B. Enable the auditor to scope the audit to only those issues identified in the control objective
C. Keep the management from changing the scope of the audit
D. Define what testing steps need to be performed in the program

20. An audit charter serves the following primary purpose:
A. To describe the audit process used by the auditors [...]

[...]
C. The best evidence available that is consistent with the importance of the audit objectives
D. Inspection, confirmation, and substantive testing

23. The primary thing to consider when planning for the use of CAATs in an audit program is
A. Whether the sampling error will be at an unacceptable level
B. Whether you can trust the programmer who developed the tools of the [...]
C. Whether the source and object codes of the programs of the CAATs match
D. The extent of the invasive access necessary to the production environment

24. The most important aspect of drawing conclusions in an audit report is to
A. Prove your initial assumptions were correct
B. Identify control weaknesses based on test work performed
C. Obtain the goals of the audit objectives and to form an opinion on the [...]