Some key areas that you must review once you complete Domain 1 of CISA. These are important statements that I have documented from Part 1 of Domain 1, which is PLANNING. Part 2, the EXECUTION section, I will document by the end of this month.
- An IS audit is the formal examination of information systems to DETERMINE whether the information systems comply with applicable laws, regulations, contracts and/or industry guidelines.
- IS auditors must FIRST understand and be able to evaluate the business processes of the organization they are auditing.
- This includes testing and evaluation of controls.
- Business process owner:
  - Responsible for identifying process requirements
  - Approving process design
  - Managing process performance
  - Committing resources to process-specific risk management activities
- IS INTERNAL AUDIT FUNCTION
  - Audit Charter
    - The responsibility, authority, and accountability of the IS audit function should be appropriately documented in an audit charter.
    - The audit charter is approved by the audit committee.
- An IS auditor must be technically competent, having the skills and knowledge necessary to perform audit work.
- Audit planning is conducted at the beginning of the audit process to establish the overall audit strategy and detail the specific procedures.
- The audit plan includes all of the processes that are rated “high,” which would represent the ideal annual audit plan.
- EFFECT OF LAWS AND REGULATIONS ON IS AUDIT PLANNING
  - There are two major areas of concern that impact the audit and the audit scope:
    - Legal requirements placed on the audit
    - Legal requirements placed on the auditee and its data
- Good controls are those that are set and designed into the business application that supports the processes.
- Controls may be a combination of management, programmed and manual controls.
- To EFFECTIVELY audit business application systems, an IS auditor must obtain a clear understanding of the application system under review.
- Controls
  - An effective control is one that prevents, detects and/or limits an incident and enables recovery from a risk event.
  - Controls are implemented to reduce risk to the organization.
  - The board of directors and senior management are responsible for establishing the appropriate culture to facilitate an effective and efficient internal control system.
  - Internal controls address business or operational objectives.
  - Control objectives are narratives of the desired result.
  - Control objectives must cover the effectiveness and efficiency of operations.
  - An IS auditor analyzes the evidence gathered throughout the audit to determine whether the operations analyzed are well controlled and effective.
  - A control matrix is usually used in assessing the proper level of controls.
  - An IS auditor should be aware of compensating controls in areas where controls have been identified as weak.
  - While a compensating control situation occurs when one stronger control supports a weaker one, overlapping controls are two strong controls.
- RISK-BASED AUDIT PLANNING
  - Effective risk-based auditing uses risk assessment to build the audit plan and minimize audit risk during the execution of an audit.
  - A risk-based audit methodology efficiently helps an IS auditor determine the nature and extent of testing.
  - Auditors need to understand the business; based on that, they can identify and categorize the types of risk.
  - Risk assessment can be a scheme where risks are given elaborate weights based on the nature of the business.
  - Audit Risk
    - Inherent risk: risk before controls are applied
    - Residual risk: risk left after implementing controls
    - Detection risk: risk that the auditor is unable to identify an issue
    - Control risk: risk that a control is ineffective
    - Audit Risk = Inherent Risk × Control Risk × Detection Risk
  - When preparing the overall information system audit plan, a suitable risk assessment approach should be followed.
  - Effective risk assessment should be an ongoing process in an organization.
- Types of Audit
  - Information system audit: evaluates information systems
  - Compliance audit: evaluates adherence to regulatory or industry-specific standards
  - Financial audit: accuracy of financial reporting
  - Operational audit: internal control in a given process
  - Specialized audit: examines areas such as fraud or services performed by third parties
    - Third-party service audit
    - Fraud audit
    - Forensic audit
  - Computer forensic audit: investigation of electronic devices
  - Functional audit: verifying configuration items