CISA Notes

DISCLAIMER

The information provided on this website is intended to provide a basic understanding of certain technologies and is not intended to be a comprehensive guide.

Therefore, it should not be relied upon as the sole source of information and should not be used as a substitute for professional advice or expert analysis.

Please exercise caution when visiting or downloading from websites mentioned on this website and verify the safety of the website and software.

Some websites and software may be flagged as malware by antivirus programs.

The reader assumes all responsibility for their use of the information contained on this website and any consequences that may arise.

The author disclaims any liability for any damages or losses that may result from the use of this website or the information contained herein.

The author reserves the right to update or change the information contained on this website at any time without prior notice.

Any attempts to perform penetration testing or ethical hacking on systems or networks should be made with the explicit permission of the system/network owner.

Unauthorized access is illegal and can result in serious legal consequences.

It is important to fully understand the scope of the testing and to test only within that scope. Testing outside the agreed-upon scope is considered unauthorized and may result in legal action.

Any findings or vulnerabilities discovered during testing should be reported to the system/network owner immediately and kept confidential until a fix can be implemented.

It is recommended to use a separate, dedicated testing environment rather than testing on a live production system to minimize the risk of accidentally causing damage or downtime.

It is important to take steps to protect your own identity and prevent accidental data leaks or exposure of sensitive information during testing.

It is also recommended to follow a standard code of ethics for ethical hacking and penetration testing.

References

CISA Review Manual (ISACA)

Udemy: ISACA's Certified Information System Auditor (CISA) Exam

LinkedIn Learning:
CISA Cert Prep: 1 Auditing Information Systems for IS Auditors
CISA Cert Prep: 2 Information Technology Governance and Management for IS Auditors
CISA Cert Prep: 3 Information Technology Life Cycle for IS Auditors
CISA Cert Prep: 4 IT Operations, Maintenance, and Service Delivery for IS Auditors
CISA Cert Prep: 5 Information Asset Protection for IS Auditors

Simplilearn YouTube videos:
Process of Auditing Information Systems - Part 1
Protection of Information Assets
Process of Auditing Information Systems - Part 2
CISA Domain 2 Governance and Management of IT

Table of Contents

Disclaimer
1. References
2. Table of Contents
3. List of Domains
    Domain 1: Information Systems Auditing Process (18 percent)
    Domain 2: Governance and Management of IT (18 percent)
    Domain 3: Information Systems Acquisition, Development and Implementation (12 percent)
    Domain 4: Information Systems Operations and Business Resilience (26 percent)
    Domain 5: Protection of Information Assets (26 percent)
4. Domain 1: Information Systems Auditing Process (18 percent)
    Knowledge statement 1.1
    ISACA code of professional ethics
    Knowledge statement 1.2
    Risk assessment and risk analysis
    Risk analysis
    Definition of risk
    Let's start with identifying business objectives
    Now we can do risk management
    Now we can do risk treatment
    Risk assessment terms
    Calculating risk
    What is risk
    The risk-based audit approach
    Risk assessment and treatment
    Risk assessment methods
    Knowledge statement 1.3
    Zachman framework
    Sherwood Applied Business Security Architecture
    Service-oriented modeling framework
    Knowledge statement 1.4
    Knowledge of control principles
    Internal controls
    Classification of internal controls
    IS control objectives
    Information system control
    Information system control procedures
    Audit program
    Audit methodology
    Knowledge statement 1.5
    Risk-based audit planning
    Inherent, control, detection and overall audit risk
    Gap analysis
    Assurance definitions
    Risk-based audit definitions
    Knowledge statement 1.6
    HIPAA and HITECH
    Sarbanes-Oxley and PCI
    Audit report basics
    Balanced scorecard
5. Domain 1: Information Systems Auditing Process (continued)
    Knowledge statement 1.7
    The main areas covered under this knowledge statement are
    Evidence
    How reliable is the evidence
    Evidence characteristics and types
    Techniques for gathering evidence
    Audit documentation
    Knowledge statement 1.8
    Knowledge statement 1.9
    Communication of audit results
    Audit report
    Knowledge statement 1.10
    Knowledge of audit quality assurance systems and frameworks
    Main areas of coverage
    Control self-assessment
    Objectives of a CSA
    COBIT
    Benefits of CSA
    Disadvantages of CSA
    CSA vs traditional approach
    Knowledge statement 1.11
    Specific domain audits
    Reliance on other auditors
    Audit factors
    Exam pointers for domain one
    Case study
    This concludes domain one
6. Domain 5: Protection of Information Assets (26 percent)
    The risks to business include
    Threats to information assets
    Knowledge statement 5.1
    Information security management
    Roles and responsibilities
    System access permissions
    Mandatory and discretionary access controls
    Privacy management issues and role of IS auditors
    Information security and external parties
    Knowledge statement 5.2
    Monitoring and responding to security incidents
    Knowledge statement 5.3
    Logical access controls
    Knowledge statement 5.4
    Security controls related to hardware and system software
    Identification and authentication
    Categories
    Identification and authentication: logon IDs and passwords
    Logon IDs and passwords
    Features of passwords
    Password syntax (format) rules
    Passwords, token devices and one-time passwords
    Identification and authentication: biometric access control
    Single sign-on (SSO)
    Single sign-on (SSO) challenges
    Logical access security administration
    Remote access security
    Knowledge statement 5.5
    Risks and controls associated with virtualized systems
    Knowledge statement 5.6
    Network security controls
    Knowledge statement 5.7
    Network and internet security devices, protocols and techniques
    Firewalls
    General functions of firewalls
    Types of firewalls
    Application firewall systems
    Types of firewalls and firewall issues
    Implementation of firewalls
    Screened host firewall
    Demilitarized zone (screened subnet) firewall
    Knowledge statement 5.8
    Information system attack methods and techniques
    Computer crime issues and exposures
    Internet threats
    Types of passive attacks
    Active attacks
    Knowledge statement 5.9
    Virus detection tools and control techniques
    Knowledge statement 5.10
    Security testing techniques
    Knowledge statement 5.11
    Risks and controls associated with data leakage
    Knowledge statement 5.12
    Network infrastructure security: encryption
    Knowledge statement 5.13
    Public key infrastructure (PKI) and digital signature techniques
    Public key infrastructure (PKI)
    CA's process
    Certificate authority (CA)
    Certificate revocation list (CRL)
    Knowledge statement 5.14
    Peer-to-peer computing, instant messaging and web-based technologies
    Peer-to-peer computing
    Instant messaging
    Social networking sites
    Knowledge statement 5.15
    Controls and risks associated with the use of mobile and wireless devices
    Laptop security
    Knowledge statement 5.16
    Voice communication security
    VoIP advantages over traditional telephony
    Private branch exchange (PBX)
    Risks associated with use of PBX
    Knowledge statement 5.17
    Evidence preservation techniques
    Investigation techniques
    Considerations regarding evidence
    Key elements of computer forensics
    Knowledge statement 5.18
    Data classification standards and supporting procedures
    Inventory and classification of information assets
    Classification of assets
    Knowledge statement 5.19
    Physical access controls
    Exposures include
    Auditing physical access involves
    Evaluating
    Knowledge statement 5.20
    Environmental protection devices and supporting practices
    The environmental exposures
    Fire controls
    Environmental controls that can be applied
    Knowledge statement 5.21
    Handling confidential information assets
    Summary
    This concludes the domain on protection of information assets
7. Exam Reviews
8. Domain 1: Information Systems Auditing Process
    Audit planning
    What should be your first step in risk-based audit planning?
    What is the advantage of risk-based audit planning?
    What is the first step to conduct a data center review?
    QAE questions: audit planning
    Audit charter
    The audit charter is the formal document that contains
    Actions of the audit department are primarily influenced by the audit charter
    Practical questions
    Electronic Data Interchange
    CISA exam perspective
    Practice questions
    Internal controls
    Four types of controls
    Exam perspective: internal controls
    CISA questions
    Risk: understanding of risk
    Threat and vulnerability and their relationship
    Practical exercise
    Three types of risk
    Risk response methods: risk treatment plans
    Exam perspective
    Practice questions
    Key aspects of risk-based auditing
    QAE: risk-based auditing
    Steps of risk assessment
    First step
    Second step
    Third step
    Fourth step
    Fifth step
    Audit project management
    Determine the audit subject
    Define the audit objective
    Then set the audit scope
    Pre-audit planning
    Then you determine the audit process
    Field work and documentation
    Finally, the reporting phase
    Key aspects from the CISA exam perspective
    QAE: audit management
    Testing concept: sampling
    Statistical and non-statistical sampling
    Attribute and variable sampling
    Stop-or-go sampling and discovery sampling
    So stop-or-go sampling
    What is the confidence coefficient?
    Testing concept: compliance and substantive testing
    Compliance testing, as well as substantive testing
    Now what is the attribute sampling method?
    Some questions and answers
    1.8 Audit evidence collection techniques
    Testing concept: online auditing techniques
    Five online auditing techniques
    SCARF
    Snapshots
    ITF
    Audit hooks
    CIS
    SCARF
    Snapshots
    ITF
    CIS
    Audit hook
    A point to remember for the CISA exam
    Some example CISA questions
    1.9 Data analytics
    Some practice questions
    Reporting and communication techniques
    Some practice questions
    Testing concept: control self-assessment (CSA)
    What is control self-assessment?
    Objectives of control self-assessment
    What are the benefits of CSA?
    Disadvantages of CSA
    Discuss some questions
    1.12 IS internal audit function
    IS internal audit function
    Requirement for a separate IS audit function
    Governance of IS audit function
    Reporting structure of IS audit function
    Management of IS audit resources
    IS audit objectives should be aligned with overall business objectives
    1.13 Managing third-party IS auditors and other experts
    1.14 Agile auditing
    1.15 Quality assurance of audit process
    Quality assurance of audit process
    Oversight by audit committee
    Continuous education and updating of IS auditors
    Performance monitoring of IS audit functions
    Audit coverage rate
    Audit finding closure rate
    Timeliness of audit reports
    Audit recommendation implementation rate
    Resource utilization
    Stakeholder satisfaction
    Compliance rate
    Risk coverage
    Training and development
    Audit cost efficiency
    Continuous improvement
    Accreditation/certification of IS audit function
    1.16 Use of artificial intelligence in the audit process
    What is AI?
    Benefits of use of AI in audit processes
    Risks of use of AI in audit processes
    Use cases of AI in audit process
    Best practices for using AI in audit process
    End of Domain 1
9. Domain 2: Governance and Management of IT
    Enterprise Governance of Information and Technology (EGIT)
    Key aspects from the CISA exam perspective
    Practical questions
    IT policies, procedures and standards
    What is a policy?
    What are guidelines and procedures?
    What are standards?
    CISA exam perspective
    Practice questions
    Approaches for policy development: top-down and bottom-up
    Which approach is best for developing policies?
    Key aspects from the CISA exam perspective
    Practice questions
    Organizational structures: roles and responsibilities
    Understand the roles of various functionaries
    Some questions on the concept
    Testing concepts: IT strategy and IT steering committee
    Responsibility of strategy committee and steering committee
    Examples
    Enterprise architecture
    Current as well as future objectives
    Practice questions
    Risk treatment options
    Risk mitigation
    Risk acceptance
    Risk avoidance
    Risk transfer
    Understand with examples
    Risk acceptance
    Risk response examples
    Key aspects from exam perspective
    Practice questions
    Risk analysis methodology
    Quantitative assessment
    Qualitative risk assessment
    Semi-quantitative
    How to analyze the risk using a quantification method
    Example
    Key aspects from exam perspective
    Practice questions
    Enterprise risk management
    Key aspects from exam perspective
    Practice questions
    Capability maturity model
    What is the objective of the capability maturity model?
    What are the advantages of the capability maturity model?
    What are the prerequisites for implementing the capability maturity model?
    Key aspects from exam perspective
    Practice questions
    Laws and regulations impacting the organization
    What is the role of an IS auditor in determining adherence to laws and regulations?
    Key aspects from exam perspective
    Practice questions
    IT resource management
    What is the objective of a software escrow agreement?
    Key concepts
    Practice questions
    IS auditor's role in review of the outsourcing function
    What are the advantages of outsourcing contracts?
    What is the role of the IS department?
    For example, a question and answer
    IT performance monitoring and reporting processes
    What are performance metrics?
    What are the steps for developing performance metrics?
    Step one is to identify the critical process
    Best practices for performance metrics
    Important tools and techniques for developing performance metrics
    Six Sigma
    Lean Six Sigma
    IT balanced scorecard
    Key performance indicator
    What is benchmarking?
    Business process re-engineering
    What is root cause analysis?
    Life cycle cost-benefit analysis
    Key aspects from the CISA exam perspective
    Practice questions
    IT balanced scorecard
    What are the objectives of an IT balanced scorecard?
    Measure IT performance
    How to measure?
    Objective of IT balanced scorecard
    What to measure?
    How to measure
    So let us take one question
    Quality assurance and quality management
    What is quality assurance?
    Quality control
    Important aspect of quality control
    Segregation of duties
    Key aspects from the CISA exam perspective
    Practice questions
    2.13 Data privacy program and principles
    Different privacy-related regulations
    Privacy principles
    Auditing a privacy program
    Review of privacy policy
    2.14 Data classification
    End of Domain 2

List of Domains

Domain 1: Information Systems Auditing Process (18 percent)
Domain 2: Governance and Management of IT (18 percent)
Domain 3: Information Systems Acquisition, Development and Implementation (12 percent)
Domain 4: Information Systems Operations and Business Resilience (26 percent)
Domain 5: Protection of Information Assets (26 percent)

 

 

Domain 1: Information Systems Auditing Process (18 percent)

The process of auditing information systems is really the guts of an audit. This domain accounts for 18 percent of the current exam (the video these notes follow cites 21 percent, which was the weighting under the earlier job practice).

This is where we talk about how you actually conduct an audit. At this point we are not as concerned with regulations, laws and technical issues as we are with the audit process itself, and it is a formal process: a science, not an art.

In this domain we will have several lessons that walk you through the process. After completing domain one you will be able to:

understand what an audit is and how an IS audit function should be managed;
describe the ISACA IS audit and assurance guidelines and standards;
discuss risks and how to analyze them, and discuss and understand internal controls;
explain the control assessment;
demonstrate how an information systems audit should be performed and expound on the details of the audit process;
and, possibly most importantly, apply the ISACA audit principles to your own audits.

CISA divides the material into task statements and knowledge statements. We focus the lessons on knowledge statements, but those include the tasks as well. Task statements are what a CISA candidate is expected to know how to do or perform; knowledge statements are what a CISA candidate should know. If you first know the items involved, applying them is all that is required to perform a task. So while we break the lessons down by knowledge statements, you will also learn to perform the tasks. Tasks and knowledge statements together establish and maintain the process of auditing information systems, and a task can map to more than one knowledge statement.

Within this and the subsequent lessons we will walk you through what you need to know to pass the CISA. Take time to study and make sure you fully understand each lesson before proceeding to the next.

 

Knowledge statement 1.1

Knowledge of ISACA IT audit and assurance standards, guidelines, tools and techniques, the code of professional ethics and other applicable standards is required for those hoping to become CISA certified.

The explanation for this knowledge statement, first and foremost: the credibility of any audit is based at least in part on the use of commonly accepted standards. ISACA is a global pioneer of IS assurance and audit standards, guidelines, tools and techniques, and has a comprehensive code of professional ethics. ISACA standards provide you with a benchmark for any information systems audit.

The main areas covered under this knowledge statement are:

The ISACA code of professional ethics. Keep this in mind, because ISACA emphasizes it in the CISA exam; you need to know the code and be able to apply it to the scenarios you are given.

The ISACA information systems assurance and audit standards framework, as well as the information systems assurance and audit guidelines. These are covered in less detail than the professional ethics: for the framework and the guidelines you need a general understanding.

The ISACA information systems assurance and audit tools and techniques. These permeate the CISA exam; you will see some under this knowledge statement, and others will show up in other knowledge statements and even other domains.

Finally, the relationship between standards, guidelines, tools and techniques.

 

 

ISACA code of professional ethics

The code of professional ethics is critical to understand, so we will go through it now, pausing at certain portions for a little extra commentary where needed. ISACA sets forth a code governing the professional conduct and ethics of all certified IS auditors and all members of ISACA. Members and certification holders shall:

Support the implementation of, and encourage compliance with, appropriate standards, procedures and controls for information systems.

Perform their duties with due diligence and professional care, in accordance with professional standards and best practices.

Serve in the interest of stakeholders in a lawful and honest manner while maintaining high standards of conduct and character, and not engage in acts discreditable to the profession.

Maintain the privacy and confidentiality of information obtained in the course of their duties unless disclosure is required by legal authority. Such information shall not be used for personal benefit or released to inappropriate parties.

This last one requires some extra commentary. As an IS auditor you are going to see all sorts of confidential information: proprietary data, processes, plans, personnel information and so on. You must make confidentiality a cornerstone of your professional ethics.

Maintain competency in their respective fields and agree to undertake only those activities which they can reasonably expect to complete with professional competence.

What this means, first and foremost, is that you have to keep learning: increase your competency, stay aware of new techniques and strategies, and do not take on projects you are not fully qualified for.

Inform appropriate parties of the results of work performed, revealing all significant facts known to them.

Support the professional education of stakeholders in enhancing their understanding of information systems security and control.

This last one also bears some commentary. The entire purpose of an audit is to inform the stakeholders of the situation of their information systems and how it stands in relation to security; when the audit is over, your job is to educate the stakeholders.

Failure to comply with the code of professional ethics can result in an investigation into a member's and/or certification holder's conduct and ultimately in disciplinary measures. ISACA may choose to expel you from ISACA or to revoke your certification if the situation warrants it.

The IT audit and assurance standards framework established by ISACA has specific objectives:

To inform IS auditors of the minimum level of performance needed to meet the professional responsibilities set out in the code of professional ethics. Keep in mind that these standards are the minimum; you should always strive to do better.

To inform management and other interested parties of the profession's requirements concerning the work of audit practitioners.

To inform holders of the CISA certification that failure to meet these standards may result in a review of the holder's conduct by the ISACA board of directors, which may ultimately result in disciplinary action.

 

 

ISACA IS Audit Guidelines

The ISACA IS assurance and audit guidelines provide additional information on how to comply with the ISACA IT assurance and audit standards. The standards themselves are mandatory; the guidelines are guidance, and the information systems auditor should apply professional judgment, which means you may sometimes depart from a guideline, but you need to be able to justify any departure.

In the course these notes follow, the guidelines are documents identified by the prefix G followed by a number, for example G10, G12, G20, and there are 42 of them. Note that ISACA has since replaced this G-series numbering with the 2000-series guidelines in ITAF, so check the current ITAF edition rather than memorizing these numbers.

In the next few screens we will briefly look at all of them. You do not have to memorize them, so we will not read every one, but a few are of particular importance on the certification test:

G7, due professional care, ties directly in with the code of professional ethics, so it is particularly important.

G10, audit sampling, discusses how to do proper sampling; there is an entire knowledge statement devoted to it.

G2, audit evidence requirement, is also prominent on the certification test.

G15, planning: a properly planned audit is the only way you are going to have a good audit.

G20, reporting: the way you report your audit is essential to communicating your findings to the stakeholders.

G28, computer forensics, may seem like an odd one. You are not required to be a forensics expert or professional, but there is a forensics component, and you need at least a basic understanding of forensics to conduct an audit effectively.

G42, continuous assurance: even if your audit shows that everything meets the standards today, are we sure it will still meet them a week from now, a month from now, or at any time between now and the next audit?

G38, access controls: these are always a common point to check during an audit.

ISACA also publishes standards and guidelines collected in ITAF (the IT Assurance Framework), and the course shows a listing of those standards. As with the G guidelines, you do not have to memorize each of these and we will not read them to you, but you should be familiar with them. This concludes knowledge statement 1.1.

 

Knowledge statement 1.2

Knowledge of the risk assessment concepts, tools and techniques used in planning, examination, reporting and follow-up.

First of all, your overall audit plan has to focus on the business risks related to the use of IT. Throughout this course we will look at many methodologies, standards and techniques, but if you think about it for a moment, I think you will agree that information systems auditing comes down to one simple concept: identify the risks a business faces, look at the controls in place to mitigate those risks, and evaluate the effectiveness of those controls. That is really what auditing is all about.

The area under audit is the audit scope. We are not going to audit everything, so we need to find out what we are going to audit. Auditors should use risk analysis techniques to find the critical areas to focus on within the audit scope; in other words, you determine the audit scope by risk analysis. You obviously have limited audit resources: you do not have an infinite number of personnel, hours or dollars to spend on an audit. So drawing up the audit plan requires focus, and the focus is on the risks that matter to this business.

It is also important to prepare a proper audit report. Once you are done with the audit, one of the big goals is to inform the auditee of the issues you found and the remediation steps you recommend. The primary communication vehicle you have for this is the audit report, so writing a good audit report is very important.

Follow-up on issues found in the audit is also critical. It is not enough to identify an issue, and it is not even enough to recommend remediation; there has to be a follow-up process to discover whether the remediation was actually done.

 

Risk Assessment and Risk Analysis

The main areas we will look at in this lesson begin with risk analysis. Throughout this course you will see other looks at risk analysis, but in this lesson we start with risk analysis methodologies, processes and techniques. That leads us to audit methodology, another topic that permeates the course. Of the various methodologies, our whole focus in this lesson is risk-based auditing: using risk analysis to drive the entire audit process. We will also discuss the risks inherent in the audit itself, what we call audit risk, and materiality. We will look at risk assessment (how do we determine what is a risk?) and risk treatment (what are our steps to remediate a risk?), which begins your introduction to risk assessment techniques. Finally, we will discuss reporting techniques and follow-up.

 

Risk analysis

Let's start with risk analysis. This is a process that helps an auditor recognize vulnerabilities and risks. That is the first part: you have to be aware of what the risks and vulnerabilities to this specific organization are. Some risks and vulnerabilities are common to everyone: everyone is at risk of a virus outbreak, and everyone is at risk of a fire in the server room. But there are also risks specific to particular industries. Then we need to look at how we define controls that can be put in place, or may already be in place, to mitigate those risks.

Throughout this lesson you will see several different phrasings of the definition of risk. They are worded slightly differently because they come from different sources, but they all essentially mean the same thing.

Let's start with the first one: risk is defined as the combination of the likelihood of an event and its magnitude.

First of all, we define an event as some negative incident. How likely is it to happen? Some events are more likely than others; not everything has an equal likelihood. For example, for any organization the likelihood of a hard drive crash in a server is relatively high, but the likelihood of an intrusion by a state-sponsored attacker is only high for certain businesses, such as high-tech companies and defense contractors; it is extremely low for a pizza delivery business or a bookseller. So we have to look at the likelihood of an event. Then look at the magnitude: not all events have the same magnitude for every industry.

Consider a hypothetical event that causes your web server to crash and go offline temporarily.

Assume your business is pizza: you have a chain of pizza restaurants. If your web server is down, some of your customers will not do business with you during that time; they cannot order online, so they will order from a competitor. You will lose some business, but some customers will come into your restaurants and eat there, some will come in for takeout, and some will phone in their delivery orders. So you lose some business, but by no means all of it.

Now assume the same web server crash, but your business is e-commerce: selling things online is what you do. If your web server is down, you are making zero money; you are losing every dollar for every minute the web server is down.

In both scenarios the web server going down is negative; it is a risk. But the magnitude is different in the second scenario than in the first.

 

Let's look at another definition that's very similar. IT risk is specifically the enterprise risk associated with the ownership, use, operation, influence, involvement and adoption of information technology within a business.

Now let's think about that for just a moment. We all like new technologies, myself more than most: the convenience, the productivity, all these things that are afforded us by new technologies. But every technology also involves a risk simply by owning and using it.

For example, we already mentioned websites that expand your customer base, let you sell to customers more conveniently, and in some cases to customers in other areas that you normally wouldn't get to reach. However, every website is vulnerable to denial of service attacks, SQL injection, cross-site scripting and a variety of other attacks.

Smartphones: these are now ubiquitous. Everyone has one, and I personally depend on mine all the time. And many people now bring these phones into the workplace and connect them to the organization's Wi-Fi. This is referred to as BYOD, bring your own device.

Well, that poses a lot of risks. Yes, it's incredibly convenient and it allows employees to blend work with personal time. They may, on their own time, address a work issue through their phone, and they may be able to take a critical personal issue such as a sick relative and still come to work because of the access they have with the phone. So it blends our worlds. However, you now have attached to your Wi-Fi a diverse number of phones with a wide range of operating systems, software and hardware. This is a risk.

So every technology, just owning it and using it, gives us some risk to the enterprise.

Definition of risk

Let's consider two other definitions of risk. These are worded slightly differently but are very similar and almost identical in meaning to what we've already seen.

The first: the probable frequency and probable magnitude of a future loss. Now what I really like about this definition is the use of the word probable. It's unlikely that you'll be able to know exactly how frequently an event may occur or the exact magnitude; you have to perform an estimate.

The second definition: the potential that a given threat will exploit vulnerabilities of an asset or group of assets and cause harm to the organization. Now this comes from the standard ISO 27005, which you're definitely going to see on the CISA exam. Not just this definition; you'll see more about the standard, and we'll revisit it again in future lessons. Definitely be familiar with ISO 27005.

I like this definition because it emphasizes two things. First and foremost, we're concerned about harm to the organization. If a particular IT system is offline but it doesn't harm the organization, it's not that big a concern. If you have 20 printers and one of them is offline, it's an inconvenience; it doesn't do great harm to the organization. I also like this definition because it's talking about the exploiting of vulnerabilities, and that's what we're really concerned about in risk mitigation.

Now the process of risk analysis is complex and involved, and it's applied in a variety of areas such as disaster recovery planning and business continuity planning. But let's look at it specifically from the auditor's point of view. From the information system audit point of view, risk analysis is used for the following purposes.

First, it helps the auditor identify threats and risks within the IS environment. We've already stated that your audit has to be risk driven, but that begins by identifying the threats and risks that are of most concern in this specific environment.

It also lets you plan the audit by looking at the controls in place, and we look at those controls in light of the specific risks and threats we've already identified.

Now you're in a position to know the audit objectives. You're basically testing to see if the controls in place appropriately and adequately mitigate the threats and risks you've identified.

This makes decision making a much easier process when you're using a risk-based methodology.

Now on the right-hand side of the screen here you see several steps. These actually occur initially in a linear fashion for our initial audit, but then on an ongoing basis.

Let's start with identifying business objectives. This literally means: what is the business trying to do? Now you can think about this in a very broad scope, but we're being more specific. For example, if you have a pizza business, their objective is to sell pizzas, but we need to break this down much more fine-tuned. For example, the objective of the website is to allow people to order online. Underneath that objective we have sub-objectives: we want to be able to effectively and securely process credit cards; we want it to be a user-friendly experience; and there may be a host of other objectives. But before you can even begin looking at the audit, you have to know what the business is trying to do.

Now that flows very naturally into identifying those information assets that support the business objective. It may sound odd, but normally an organization has a number of information systems, some of which are not absolutely critical to the business objective. The ones we're concerned about are, again, the critical ones. If you have 20 printers and most of your business is online anyway, it doesn't require printing for each transaction; printing is used for things like monthly reports and invoicing. Well then, one printer being down is not a big concern. The web server being down is a huge concern.

Now that you've identified the information assets that support those business objectives, we flow straight to doing a risk assessment on those assets. What are the threats to those assets? What vulnerabilities are in those assets that would allow a threat to be realized? And what would be the impact? Now impact often involves something we haven't discussed yet called a criticality analysis. That's just a nice way of saying we look at each particular asset and evaluate how critical it is to the organization, and that's often based simply on how much damage it would cause if that particular asset wasn't available.

Now that you've done a risk assessment, we can do risk management. Let's look at the risks and map them to existing controls. Although that can be an involved process, it really comes down to two questions. Are there controls in place that address each and every risk you have? Any place you have a risk that does not have a control, that's an obvious place that needs to be addressed. The second question is, assuming there is a control in place for that risk, does it adequately mitigate the risk? Does it bring the risk down to a level that's tolerable?

Once you've done that, we can do risk treatment. Let's look at those risks that are not mitigated by existing controls, or at least that the existing controls don't adequately mitigate.
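The two questions above (is there a control for each risk, and does it bring the risk down to a tolerable level) can be run mechanically over a simple risk register. The following Python is an added example, not code from the course or any ISACA material; the register entries for a hypothetical pizza chain (web server, customer database, office printer), the 1 to 5 likelihood and impact scale, and the tolerance threshold of 6 are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed 1..5 scales; any scoring scheme the audit uses would work the same way.
SCALE = range(1, 6)


@dataclass
class Risk:
    """One row of a risk register: an asset, a threat to it, and the estimates."""
    asset: str
    threat: str
    likelihood: int                 # 1 = rare .. 5 = almost certain (estimate, not a guess)
    impact: int                     # 1 = negligible .. 5 = severe (from criticality analysis)
    control: Optional[str] = None   # existing control mapped to this risk, if any
    residual_likelihood: Optional[int] = None   # likelihood with the control in place
    residual_impact: Optional[int] = None       # impact with the control in place

    def __post_init__(self) -> None:
        for v in (self.likelihood, self.impact):
            if v not in SCALE:
                raise ValueError(f"{self.asset}/{self.threat}: scores must be 1..5")

    @property
    def inherent_score(self) -> int:
        """Risk = likelihood x impact, before considering any control."""
        return self.likelihood * self.impact

    @property
    def residual_score(self) -> int:
        """Risk left after the mapped control; equals inherent risk when there is none."""
        if self.control is None:
            return self.inherent_score
        lik = self.residual_likelihood if self.residual_likelihood is not None else self.likelihood
        imp = self.residual_impact if self.residual_impact is not None else self.impact
        return lik * imp


def map_risks_to_controls(register: List[Risk], tolerance: int) -> Dict[str, List[Risk]]:
    """Answer the auditor's two questions for every risk in the register.

    no_control         : a risk with no control at all (an obvious gap, whatever its score)
    inadequate_control : a control exists but residual risk is still above tolerance
    acceptable         : residual risk is within tolerance
    Each bucket is ordered highest inherent risk first, which is the audit priority order.
    """
    findings: Dict[str, List[Risk]] = {"no_control": [], "inadequate_control": [], "acceptable": []}
    for risk in sorted(register, key=lambda r: r.inherent_score, reverse=True):
        if risk.control is None:
            findings["no_control"].append(risk)
        elif risk.residual_score > tolerance:
            findings["inadequate_control"].append(risk)
        else:
            findings["acceptable"].append(risk)
    return findings


def sample_register() -> List[Risk]:
    """Constructed register for a hypothetical pizza chain (not real data)."""
    return [
        Risk("web server", "denial of service", likelihood=4, impact=3,
             control="upstream traffic filtering", residual_likelihood=2),
        Risk("customer database", "disk crash", likelihood=4, impact=5,
             control="hourly full backup", residual_impact=2),
        Risk("web server", "SQL injection", likelihood=3, impact=5),
        Risk("office printer", "hardware failure", likelihood=3, impact=1),
    ]


if __name__ == "__main__":
    # A tolerance of 6 on the 1..25 scale is a constructed management risk-appetite figure.
    for bucket, risks in map_risks_to_controls(sample_register(), tolerance=6).items():
        print(bucket)
        for r in risks:
            print(f"  {r.asset:18} {r.threat:18} inherent={r.inherent_score:2} "
                  f"residual={r.residual_score:2} control={r.control}")
```

With the constructed register, the database's hourly backup still leaves a residual score of 8 (above the tolerance of 6), so it lands in the "inadequate control" bucket alongside the two risks with no control at all; only the filtered denial of service risk comes out acceptable. Those buckets are exactly the lists the risk treatment step starts from.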

 

Now as I mentioned, in your initial audit this is a linear process. But I think you'll agree things change. Business objectives change all the time. Sometimes a business may add on new objectives; they may leave old objectives; they may add on a new line of business or abandon a line of business.

Information assets definitely change. There are new operating systems; there are changes to hardware. All of these change things.

Certain threats change. For example, SQL injection is still a threat, but it's less of a threat today than it was 5 years ago. Denial of service attacks are still a big threat, but a specific old one called a SYN flood is not near as much a danger today as it once was, due to modern firewalls. Threats have changed. On the other hand, there are new threats that didn't exist 5 years ago.

All of these changes cause this process to now become cyclical. We will re-evaluate the risk and repeat the process.

Risk Assessment terms

There are some basic risk assessment terms, borrowed from business continuity and disaster recovery planning, that you need to be familiar with.

Assets are the resources you're trying to protect. Now your natural inclination may be to think about servers, and those are certainly assets, but I think if you'll reflect on this for a moment you'll agree that in most cases the data on the server is worth a lot more than the server itself.

Risk: this is yet another definition that may seem to be worded differently but means essentially the same as what we've seen so far. It's the potential that a chosen action or activity will lead to a loss.

Threats: any negative action that could harm a system.

Vulnerabilities: any weakness that allows a threat to cause harm.

Impact: the severity of damage. Whenever possible we like to express this in dollars. Now, to express that in dollars...

Calculating Risk

We have some very specific formulas. These formulas are also borrowed from disaster recovery and business continuity planning.

Exposure factor: this is the percentage value of an asset lost due to an incident. Now what we mean is, in many cases you won't completely lose an asset. Let's assume you have a database and you do a full backup every hour. Then the worst you can lose is 59 minutes' worth of data, because if the database crashes one minute before your next backup you will have lost those 59 minutes; you can recover all the other data.

Now if we look at single loss expectancy, that means: what do we lose in a single negative incident? We start with the asset value, how much the asset is worth, times that exposure factor. That will give us a single loss expectancy.

Next we have to consider the annual rate of occurrence. That's the number of losses you might expect to have in a year. Now this can be effectively estimated through a number of different methods. First, look at previous years: what was the number of losses last year and the year before? Then there are a variety of security firms that every year publish reports that tell you the preceding year's various losses, various attacks, various threats, broken down by industry and size of company. For example, insurance companies that do over $20 million a year in business but less than 100 million: how many virus outbreaks do they have on average? That sort of information is publicly available.

Now I want to stop and point out something here. There are a number of things throughout this process that are estimates. Annual rate of occurrence is one. But as I was just indicating, an estimate doesn't mean a wild guess. You shouldn't just think and come up with some random number ("annual rate of occurrence is 15 times"). That's very ineffective and in fact counterproductive. But if you look at your prior years' annual rate of occurrence (how many virus outbreaks did you have a year ago, two years ago, three years ago? Is there an upward trend in them?), if you look at industry reports that give you the norm for your industry and size of business, and you use all of this to estimate the annual rate of occurrence, then yes, it's an estimate; no, it's not exact; but it's a good estimate.

You should do the same thing when looking at asset value, exposure factor, or any number of factors that we've already discussed or will discuss where we say it's an estimate. Estimates should never be guessed. I would also recommend that in your final audit report you actually include the basis for your estimates: where'd you get this number?

Now with that said, we're ready to compute annualized loss expectancy. That's the yearly cost due to a risk. You take the single loss expectancy times the annual rate of occurrence, and normally this is done per asset, per risk. In other words, the web server and denial of service attacks: what's the annualized rate of occurrence, what's the annualized loss expectancy?

Now the reason we do this is we can now calculate the cost effectiveness of mitigating controls. Let's say you've identified denial of service attacks as a risk to your website. Let's say you have 10 occurrences a year and each one costs roughly $1,000, so $10,000 a year will be lost. Well now we have to ask a question: what will it cost to mitigate that? If there's a control that will reduce that to two times a year, so our loss goes from 10,000 a year to 2,000 a year, should we implement that control? Well, it's a very simple formula: how much does the control cost? If it costs 5,000 but saves us 8,000, then it's well worth it. If it costs 15,000 and saves us 8,000, we're actually better off without it.

Now let's look at the three formulas at the bottom that use these terms. Again, some of these items like annual rate of occurrence will be estimates; exposure factor will be an estimate; but please use as much data as possible to make these good estimates, not just wild guesses.

If you take the value of the asset, however much it was worth (that can include purchase cost, maintenance cost, development cost, whatever the complete value of the asset is), and multiply that by the exposure factor, the result is the single loss expectancy: how much you expect to lose if there's a single loss.

What is risk? You take the probability of something happening times the cost if that happened. For example, what would it cost you for your server to be down for a week? Let's say your web server. Calculate that cost; now that should be something you can do with concrete numbers, with very little guessing. Now you try to estimate the probability of a risk, multiply that times the cost, and you have your risk value.

Next let's look at annualized loss expectancy. You take that single loss expectancy you previously computed and multiply it times that annual rate of occurrence. Remember this is an estimate, but it's an estimate hopefully based on statistical averages, past performance and reports from industry. In any case, once you multiply ARO times SLE you have the annualized loss expectancy. These three formulas and these terms are central to impact analysis; thus they're central to business continuity planning and disaster recovery planning.

In other words, this is how you calculate risk. Risk should have as little guessing as possible.
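The three formulas just described (SLE = asset value x exposure factor, ALE = SLE x ARO, and the comparison of a control's cost against the loss it prevents) worked through in code. This is an added example, not code from the course; it reuses the lecture's denial of service figures (10 occurrences a year at about $1,000 each, a control that brings that down to 2 a year, and control costs of $5,000 or $15,000). The asset value and exposure factor that produce the $1,000 SLE, the three-year incident history used to estimate ARO, and the risk-appetite figure are constructed for illustration.

```python
from dataclasses import dataclass
from statistics import mean
from typing import Sequence


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = asset value x exposure factor. EF is the fraction of the asset lost in one
    incident (0.0 .. 1.0), e.g. the 59 minutes of data lost under hourly backups."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x annual rate of occurrence, normally computed per asset, per risk."""
    if aro < 0:
        raise ValueError("annual rate of occurrence cannot be negative")
    return sle * aro


def estimate_aro(prior_year_counts: Sequence[int]) -> float:
    """Estimate ARO from history rather than guessing: the mean of the incident counts
    observed in prior years (industry benchmark figures can be blended in the same way)."""
    if not prior_year_counts:
        raise ValueError("need at least one year of history to estimate ARO")
    return mean(prior_year_counts)


@dataclass(frozen=True)
class ControlDecision:
    """Cost-effectiveness of one mitigating control; all figures are per year."""
    ale_before: float
    ale_after: float
    control_cost: float

    @property
    def annual_savings(self) -> float:
        return self.ale_before - self.ale_after

    @property
    def net_benefit(self) -> float:
        return self.annual_savings - self.control_cost

    @property
    def cost_effective(self) -> bool:
        """Implement only when the control costs less than the loss it prevents."""
        return self.net_benefit > 0


def evaluate_control(sle: float, aro_before: float, aro_after: float,
                     control_cost: float) -> ControlDecision:
    """Compare ALE with and without the control against what the control costs per year."""
    return ControlDecision(
        ale_before=annualized_loss_expectancy(sle, aro_before),
        ale_after=annualized_loss_expectancy(sle, aro_after),
        control_cost=control_cost,
    )


def residual_risk_acceptable(ale_after: float, risk_appetite: float) -> bool:
    """Residual risk is tolerable when the remaining ALE is within management's appetite."""
    return ale_after <= risk_appetite


if __name__ == "__main__":
    # Constructed: a $10,000 asset of which 10% is lost per incident gives the lecture's $1,000 SLE.
    sle = single_loss_expectancy(asset_value=10_000, exposure_factor=0.10)
    # Constructed history: 8, 10 and 12 incidents in the three prior years gives ARO 10.
    aro = estimate_aro([8, 10, 12])
    print(f"SLE ${sle:,.0f}  ARO {aro}  ALE ${annualized_loss_expectancy(sle, aro):,.0f}")
    for cost in (5_000, 15_000):
        d = evaluate_control(sle, aro_before=aro, aro_after=2, control_cost=cost)
        print(f"control at ${cost:,}: saves ${d.annual_savings:,.0f}, "
              f"net ${d.net_benefit:,.0f}, implement={d.cost_effective}, "
              f"residual ok={residual_risk_acceptable(d.ale_after, risk_appetite=2_500)}")
```

The validation in the two formula functions is there because the inputs are estimates: an exposure factor above 1 or a negative ARO is a data-entry error, not a legitimate estimate, and is better rejected than silently multiplied through into the audit report.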

The risk-based audit approach

The risk-based audit approach is simply based on the concept of determining which areas should be audited based on the level of risk. The things we've already talked about, including the formulas we just looked at, are how you decide the level of risk.

Now once you've looked at a risk and you've looked at controls, even added or enhanced controls, you have not totally eliminated risk. There is some risk left over, and that's called residual risk. Now how much residual risk is okay? Well, that depends on management's risk appetite.

So the goal of an audit is to make sure mitigating controls reduce risk, taking that residual risk down to a level that's acceptable to management.

Risk Assessment and Treatment

Let's summarize it now. Risk assessment involves identifying risks, prioritizing them (which are more important), and as much as possible quantifying the risk. That involves some of those formulas like ALE and SLE that we already looked at. Now we evaluate those against some criteria for risk tolerance: what are the objectives and risk tolerance for this organization?

Risk assessments have to be carried out regularly because things change: the risk environment changes, regulatory requirements change, legal requirements change, the risk appetite of a business may change. So it's not adequate to base your audit on a really old risk assessment. The risk assessment should either immediately precede your audit or come very soon before your audit.

Once you've identified a risk, while we may have dozens and hundreds of different technological answers, all risk treatment comes down to four categories.

The first is risk mitigation, and this is by far the most common. It's a control that lowers the risk, hopefully lowers the risk to the point that the residual risk is acceptable to management.

Now one you might not have thought of is risk acceptance. You objectively and knowingly choose not to take action. Now this is not lack of action due to ignorance, where you weren't aware of the risk. What happens is you did the risk analysis, you looked at mitigating controls, and using formulas like the ALE and SLE formulas you've recently seen, you determined that the cost of mitigation was much, much more expensive than the cost of loss, or you determined that the likelihood of a particular threat was so low as to be almost impossible. Any of these criteria may lead you to simply accept the risk and not implement mitigating controls. Now before you take that course of action, this absolutely must have management buy-in and should absolutely be documented thoroughly: why are you choosing to accept?

Risk avoidance is something we prefer but rarely can do. You literally evade the risk; there's zero chance of the risk occurring. That's hard to do; in most cases the best you can do is effectively mitigate.

Now risk transfer, or sharing, used to mean simply that you have vendors, partners and suppliers that take on part of the risk. But more and more we're seeing insurance companies issue IT breach insurance, so they share the risk; they take on the cost of some issue should a threat occur.
Risk Assessment Methods

Whereas we will look at many, many different methods throughout this course, they really come down to a few different criteria, a few different properties that all risk assessment methods have. Now there are some formal methods like the scoring system method and the judgmental method.

First, remember that a combination of methods can be used; you don't have to pick a single risk assessment method and stay with it. Methods can develop and change over time: they get updated, there are new methods, that sort of thing. Unfortunately, all methods to some degree depend on your subjective judgment. Now you should always evaluate the appropriateness of any chosen risk assessment method for your environment. Don't just pick one because it's the one you always use; what's appropriate for this environment and these specific goals?

That concludes knowledge statement 1.2.

Knowledge statement 1.3

Knowledge of fundamental business processes (things like purchasing, payroll, accounts payable, accounts receivable) and the role of information systems in these processes.

The purpose of this knowledge statement is to emphasize that before you can do a successful IS audit you need to understand the underlying business process that's being audited. As we already mentioned: is this an accounts payable system? Is this a human resources system? What's the purpose of the process? What are its goals? How does it function? What are its constraints?

Now you need to also understand the role that information systems play in these processes. Clearly some business processes are more IS-centric than others. You need to understand the specific part that IS plays in any given business process.

Information system auditing involves assessment of all the information system related controls, but also understanding those control objectives, which is why you need to understand the fundamental processes. It also involves identifying key controls that help achieve a well-controlled environment as per particular standards. That may also involve the knowledge of certain industry standards and laws, and we'll visit that topic in later knowledge statements.

Here are just some examples of fundamental business processes, using transactions as an example. A bank can have various transactions: mobile banking, ATM, over-the-counter deposits, withdrawals, wire transfers, all sorts of accounts. A chain store might have point of sale transactions with credit card, extranet cash transactions with suppliers using electronic data interchange, and ordering from vendors.

Those sorts of processes, whatever the particular business you're auditing: you need to understand what it is that business does, what the particular processes are that are most critical to that business, what information systems those processes use, and then apply things that we've looked at in earlier lessons, such as risk assessment, a risk assessment that's particular to the specific fundamental business processes for the organization that you're about to audit.

Now there are a few different ways of looking at and understanding a business better. The following few screens will show you a few of these methodologies. None of these do you have to memorize for the CISA exam, and we won't cover them in any significant depth. You just need to basically identify what these frameworks or processes are.

The Zachman framework is a common one used for defining an enterprise. There are two ways to classify an enterprise that are combined together in the Zachman framework. The first is very simple: what is the enterprise, how does it work, when does it work, who's involved, where do they work, why do they do these tasks? The second is more specific: you identify the specific business elements in that enterprise, define them, and look at their representation, specification, configuration and instantiation.

Now again, it's not important that you go into more depth than that on the Zachman framework; it's not important that you memorize it, at least not for the CISA exam. The goal here is simply to make sure that you're aware that this is one framework that you could utilize in your audit practice to help you better understand a specific enterprise, so you will know their business processes in enough detail to be able to effectively audit their information systems.

Something similar to the Zachman framework is the Sherwood Applied Business Security Architecture.

Sherwood Applied Business Security Architecture

As you might guess, this is more specific to security in the business, and it looks at the whole enterprise from a risk-driven perspective, looking at the architecture as it relates to information security. So this deviates a bit from Zachman in that it's not so focused on general business processes and an enterprise-wide description, but more focused on the risk associated with specific security architectures.

The primary characteristic of the Sherwood Applied Business Security Architecture is that everything must be derived from an analysis of the business requirements for security. So you look at what that business needs for security and see if that's being met. It also involves ongoing (what they call) manage and measure phases of the life cycle. In other words, you're continually measuring how close we are to meeting those business requirements, and we manage so that we make sure we're constantly meeting those measurements.

I personally think that the Sherwood Applied Business Security Architecture should be used in combination with Zachman to give you a more comprehensive understanding of the business.

A third model you might consider, devised by Michael Bell, is the service oriented modeling framework, often simply called SOMF. It allows you to model business and software systems to specify service orientation. In other words, we look at what services the business provides and what services specific systems within the business provide, and that perspective allows us to better understand the business itself.

It can be used with any number of architectural approaches; in other words, you can combine it with the Sherwood model we just looked at. It can also be used, in addition to prepping an audit, to design any application business environment, local or distributed. In other words, if you first consider what the business does, what service it provides, and then consider what software systems are necessary to provide that service, that will drive not only audits but the designing of applications, technologies and systems.

And again, any of these particular options (the service oriented modeling framework, Sherwood, or Zachman) can be used in combination with the others. The whole idea is not that you memorize each of these three, but that you be aware that there are tools to help you better understand the underlying business. You don't simply have to approach understanding the business in an ad hoc fashion; you can use one of these modeling tools to give yourself a deeper comprehension of the business that you're preparing to audit.

That concludes knowledge statement 1.3.

Knowledge statement 1.4

Knowledge of control principles related to controls and information systems.

What we're going to attempt to do under this knowledge statement is to ensure that you, the candidate, understand the different types of controls and how they function, and that you can explain how those control principles relate to information systems.

Internal controls:

Primarily we're concerned with internal controls. External controls would be laws and regulations that are external to a particular enterprise but do impact how they handle information security in their information systems. But internal controls are the enterprise's own internal processes that have been implemented to achieve specific objectives while minimizing risk. They comprise the enterprise's structures, procedures, policies and practices that have been implemented to lower the level of risk in an enterprise.

Now that includes everything from information technology projects such as intrusion detection systems and anti-malware, to policies, to training, to procedures: everything within the enterprise that's meant to minimize risk and achieve specific objectives. And they can be manual or automated. Now in the information system world we often think of automated things such as anti-malware, intrusion detection systems and that sort of thing. But manual things, such as having a second party confirm a payment over a certain level before that payment is processed: well, that can be manual or automated, but it's still a control.

Internal controls really consider two things: by implementing this control, what can be attained, and what can be evaded?

What can be attained? Let's take for example manual spot checks of source code: someone reviews source code before the project is compiled and distributed throughout the organization. What can be attained by that? Well, first and foremost, better quality of software. We can look and see that all the basic software procedures were implemented correctly.

What can be evaded? Well, at least some of the more obvious bugs will be evaded through this process.

Internal controls and procedures have two categories.

General control procedures: previously we mentioned having a second party authorize payments over a certain level. Well, that's a business control; that's a general control for the entire enterprise. It may or may not be implemented through technology.

Information system control procedures regard control procedures directly related to your information systems: how do we secure databases, web servers and that sort of thing?

Classification of internal controls:

All internal controls fall into one of three categories: preventive controls, corrective controls and detective controls.

Preventive controls stop something before it occurs: locking an office to prevent unauthorized access; using RSA tokens; encrypting a hard drive to prevent someone from viewing files; using a virtual private network to prevent eavesdroppers from monitoring your communications.

Corrective controls are meant to either minimize or actually correct when a problem occurs. For example, data backup: you can put the data back to where it was and correct the situation.

Detective controls help you learn that something negative has occurred. Now these can be things that are physical or information security. In the information security realm you're probably thinking of things like automated systems, intrusion detection systems and things of that nature, but something as simple as a physical access log, an audit trail, an access control list to the server room: all of these are detective controls that help you detect what occurred and when.

Now it's not the case that any one of these three types of controls is more important than the others. A good system has to have preventive, corrective and detective controls, and during your audit you need to ensure that all three are in place to support the enterprise's objectives.

IS control objectives

Now IS control objectives are top-level requirements that management sets for adequate control of each IT process.

IS control objectives are, first of all, a statement of the preferred purpose or result to be attained by applying controls to particular information systems. In other words, by implementing this control, whether it be a physical login sheet, an anti-malware system or whatever it might be, what is it you want to attain by doing this? What do you hope will be gained?

IS control objectives are also procedures, policies, organizational structures and practices: anything that's intended to reasonably assure that enterprise objectives will be achieved while undesired events are detected, corrected or prevented.

So we're looking at the entire process. We're looking at your company's policies; we're looking at the inherent organizational structures, which can include everything from something as simple as an organizational chart (who do you report a particular issue to?) to something far more complex and intricate. Any procedures that you might have in place that might help assure enterprise objectives fall under the heading of IS controls.

Here are some examples. Now I note that these are very general; they're meant to be. This isn't telling you how to implement them, this is telling you the objectives:

    ensure the integrity of the system, for example an operating system
    ensure the integrity of sensitive and critical application systems: your financial data, your customer data
    safeguard your assets, which include physical assets as well as technology assets
    ensure the effectiveness and efficiency of operations; it's not enough that things work, they have to work well
    ensure proper authentication processes for users; this is a critical part of information system security
    ensure the availability of any given service; this is accomplished through disaster recovery planning and business continuity planning

There are other knowledge objectives later on in this course which will cover disaster recovery and business continuity in much more detail.


Information system control procedures

Information system control procedures include all of the following; let's talk briefly about each of these.

    Strategy and direction of the IT function: what are we trying to accomplish with this specific function? How does it integrate with the organizational goals? It sometimes occurs that enterprise goals change and technology changes, and a particular IS control or a particular IT function may no longer fit with the strategy.

    System development procedures: we have lessons later on specifically on that topic, but that's one of the things you will check in an audit. Are systems being developed in a proper manner? That ties in closely with: do we have quality assurance processes that are appropriate and that are being adhered to?

    What about the communications in the network? Do they meet security needs? Do they mesh with the enterprise objective? Do they support the goals of the business?

    General organization and management of the IT function: how is this particular function we're auditing managed? How is it organized?

    Are there operation procedures in place that support enterprise objectives?

    Are there appropriate physical access controls? If a database is involved, and it usually is with an information system, is database administration done in a way that's consistent with enterprise objectives?

    What about access to IT programs, data and resources? Is it controlled appropriately?

    Are there appropriate system programming and system support departments to support the enterprise objectives?

    Of course, do we have business continuity planning in place that's appropriate and sufficient to support this particular business process?

    Do we have detective and protection mechanisms?

All of these questions need to be addressed when looking at each and every IS control during the course of your audit.


Audit Program

An audit work program represents your audit plan and strategy; it has procedures, scope and objectives. It's basically a guide for documenting the various steps you take during the audit and the type and extent of evidentiary matter reviewed. It gives a trail for the entire process used. At some point you'll want to do quality assurance of your audit process, and only through an audit work program do you have the trail necessary to do that. And it provides accountability for performance.

Whatever approach you use to auditing, it always comes down to four basic steps.

First is planning. You always assess risks first, and you develop your audit program in light of those risks. You also have objectives and procedures; recall guidance 5 that we looked at in an earlier lesson. Once you have your plan, you have to obtain and evaluate evidence. It's all about evidence. You don't have any preconceived notions about whether or not a control is meeting the objectives; when you're auditing you seek evidence to determine the strengths and weaknesses of controls.

Once you've done all of that, you have to prepare and present a report. There's usually a draft version and the final report.

Just as important, and covered in guidance 35, is the follow-up: were corrective actions taken on the issues you found during the audit? Were they fixed, or do those negative conditions still exist? That's very important.


Audit methodology

Audit methodology is the set of standard audit procedures that are used to attain the objectives of the audit. This is a documented approach for performing the audit, and it is applied in a recurring manner in order to achieve the planned audit objectives. An audit methodology always has the scope of the audit, the audit objectives and the work programs we previously mentioned.

That concludes knowledge statement 1.4.


Knowledge statement 1.5

Knowledge of risk-based audit planning and audit project management techniques, including follow-up.

Risk-based Audit Planning

What this means is we're going to look at an approach to audit that's based on the enterprise's risks. As you already realize, it's usually not possible, or at least not practical, to audit every single function of every single IS that you have in the organization. All of your information systems are very complex, and checking each and every control in each and every possible scenario is usually impractical.

Risk-based audit planning starts with identifying the key enterprise risks: what are the risks that are particularly important to this enterprise? In other words, a risk analysis has been conducted.

Now for this to work you have to have an understanding of the organization. What sort of business are they in? What sort of transactions are they conducting? What is the business environment? Now by environment we're talking about the information systems environment, their technology environment and perhaps a regulatory environment.

You also need to know what the business's control objectives are: what are they trying to accomplish by implementing certain controls?

It's important to understand the type and nature of transactions that organization engages in. For example, B2B wire transfers are very different from consumer-initiated credit card transactions; that changes the entire scenario, what risks are present and how one goes about auditing.

You also need to understand the flow of these transactions and how they're captured in information systems. Remember our focus is information system auditing, so it's not just the transactions but how they are processed within computer systems.


Inherent, Control, Detection and overall Audit risk

There are four different risks we're concerned about.

Let's begin with inherent risk. Stated formally, it is the probability of an error existing that might be material, assuming compensating controls do not exist. This exists irrespective of an audit and is contributed to by the nature of a business. Put another way, certain businesses have certain risks that are just part of how they do business. If your business routinely takes in paper checks, then there's always the chance of fraudulent checks or insufficient funds. If your business is engaged in e-commerce, then you must have a website, and that website is susceptible to attack such as SQL injection.

Control risk: now formally that is the probability that a material error exists which will not be prevented or detected on a timely basis by the system of internal controls. Put another way, you either lack the appropriate controls to detect an issue, or the controls won't detect it in time, or there is some difference between what you would like the control to do and what it actually accomplishes.

Then we have detection risk. Now this is very important to the auditor. Put formally, it is the probability that the information system auditor used inadequate checks and surmises that material errors are absent when in fact they are present. Put much more succinctly and simply, it is the chance that you, the auditor, miss something. This is terribly important to you as an auditor, and it's really combated by simply using all the appropriate standards, tools and techniques that you'll learn throughout your study for the CISA exam.

Now if you take all three of these, inherent risk, control risk and detection risk, and bring them together into a cumulative risk, that is described as the overall audit risk. It's the summation of all the audit risk groups for each control objective. That last part is critical: you usually identify risks per control, or per specific business activity. A specific business activity has an inherent risk; the specific control for that specific activity has a control risk. The overall audit risk is broken down for each control.

Let's use an e-commerce example. Let's say you have an e-commerce website. The inherent risk is web attack such as SQL injection. You've put in place a specialized application firewall that's designed to prevent those attacks. The control risk is that that control may or may not adequately prevent all of those attacks. The detection risk is that in the process of doing an audit you may or may not have detected any gaps in the control. Now if you put all that together, we have an overall audit risk for that specific control, being the application firewall that's there to help prevent attacks on a very specific business process, the e-commerce transactions.


Gap Analysis

Now this term has been used in marketing and other areas to mean something a little different than what we mean here. Here we really have two issues: we have a product gap and a usage gap.

Let's start with the usage gap. In a usage gap issue you have a control that, if used totally properly, would be an adequate control, but either the control is not implemented, or the control is not properly configured, or it is not being properly used. There is some gap between the potential that control has to mitigate risk and the actual use of the control.

Now a product gap is when there's some issue with the product itself: it is missing something, it's unable to fully meet your control needs. That's actually fairly common, which is why most security situations require multiple controls to address specific issues.


Assurance Definitions:

Now when doing your risk-based audit there are some definitions you need to have in mind.

Target of evaluation: this is the particular information security deliverable, the object for which assurances are made. What is it you're testing?

Assurance activities are the things you use to test, the methods of testing. We'll discuss those at length later on.

Security target: these are the security specifications and requirements that you use to test the target of evaluation. Put another way, assurance activities check a target of evaluation to discover whether or not that target of evaluation has met the security targets.

Security protection profile is similar to a security target but it's broader in scope; it's not about a specific deliverable but more about the general security needs of a given business or group.


Risk-based audit definitions

There are some risk-based audit definitions you need to be familiar with. We've used some of these terms already, and I believe you probably know what they mean, but let's just make sure.

What is a control? I think we addressed this in earlier lessons, but let's be clear again. A control is anything meant to mitigate a risk. Now that can be technological things we mentioned previously: an application firewall, that's a control; antivirus software is a control; intrusion detection systems, that's a control. But controls also include processes: any sort of educational program to train people in security, that's a control; any sort of process whereby supervisors double-check something, that's a control.

Now an IT control objective is a statement of what you want that control to do, exactly. General statements like "make things more secure" or "stop attacks" aren't useful; a control objective should be very specific.

Risk is the chance that something will happen. Now we've looked at this definition in multiple different ways throughout the preceding lessons, and you'll see it again throughout the course. The idea of risk is that there is a probability that something negative will occur and will have some level of damage.

Evidence: we've not yet talked about evidence. Evidence is all about data. Auditing is not an art, it is a science, and like any science it's based on evidence. You collect data to make determinations. At the end of the day, what an audit really comes down to is looking at the risks of an organization (that's why we're talking about risk-based auditing), examining the controls that are put in place to mitigate those risks, and then gathering evidence that will determine factually whether or not those controls meet their control objectives. It's as simple as that; it all comes down to evidence.

IT governance is the entire process of managing your information systems. Now this is very important to audit because specific issues in governance can affect security. For example, what party is responsible for which aspect of security? Who approves changes? All of these things affect your IT security, and therefore they have to be addressed in your risk-based audit.

That concludes knowledge statement 1.5.

 

Knowledge statement 1.6

Knowledge of the applicable laws and regulations that affect the scope, evidence collection and preservation, and frequency of an audit.

Applicable laws and regulations for IS audit

Certainly that won't occur in every audit, but if you routinely conduct information systems audits, it seems a guarantee that you will eventually uncover fraud. For this reason: fraud investigations are legal proceedings that require the integrity of evidence to be maintained throughout its life cycle; this is called chain of custody, and forensic evidence. So for this reason your audit needs to be conducted assuming there might be evidence of fraud or something criminal that will have to be presented in a court proceeding. Put another way, you need to handle your audit as if you were gathering evidence for court, and make sure you've maintained things like chain of custody. Now don't be too concerned about that at this point; there are later lessons and knowledge statements that will give you some general knowledge of forensics.

The legal requirements include laws, regulations and contractual agreements. All these things can be placed on your audit, and management and audit personnel in any organization have to be aware of these external requirements for computer system practices and controls: how your data is processed, transmitted or stored. There's a need to comply with lots of different laws and lots of different legal requirements, and that has an impact on your audit.

Now what we mean by all this is every industry is affected by some laws, and in this lesson we will look at a few laws from the United States. Now depending on where you are when you take the CISA, usually the CISA exam will focus primarily on US laws, because that's where the largest number of CISA test takers are. However, they may throw in a few local laws for the European Union, Canada and other regions, so make sure you take the time to familiarize yourself with your local laws.

But back to the actual audit. No matter what organization you're auditing, there are some legal requirements; there may be industry regulations that aren't laws but are really important for that particular organization; there may be contractual agreements, for example that entity has a contractual obligation with one of their clients to reach a certain level of information assurance. You have to be aware of all of these requirements, legal, regulatory and contractual, so that you can put those thoughts into your audit and make sure your audit addresses those issues.

There are a few essential areas that are covered under this knowledge statement. Let's begin with evidence. Now in previous lessons we've mentioned evidence is important. Evidence is factual data. Speculation really is not important in an audit; we're not interested in guessing or supposing. We need evidence that shows certain things are or are not true. In respect to legal, regulatory and contractual requirements, those are usually relatively clear: you need evidence that the information systems you're auditing, the controls you're auditing, either do or do not meet those requirements. Now of course that requires you to have in-depth familiarity with that requirement.

Evidence goes hand in hand with audit documentation. You need to have very thorough documentation of exactly what you audited, how you audited, and what your conclusions were, based on evidence.

To some degree, some level of continuous auditing is necessary. That doesn't necessarily mean that a professional CISA auditor comes out and audits the organization continuously. It may mean such a simple thing as internal spot checks; it may mean log examination; it may mean automated systems; but something to ensure that not only did the organization meet its legal, regulatory and contractual requirements today when you did the audit, but that they're still meeting them next month.
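As an added example (not code from the course or these notes), here is how a continuous-audit check of that kind could be automated for the second-party payment approval control discussed earlier: it replays payment records from a log and produces the exceptions as evidence, which is how an auditor turns "the control exists" into a tested usage gap. The pipe-separated log format, its field names, the sample records and the 10,000.00 threshold are all constructed assumptions.

```python
"""Continuous-audit check for a dual-authorization payment control.

Added example, not part of the course notes. Control under test: a payment
over a certain level must be confirmed by a second party before it is
processed. Assumptions (constructed for this example): a pipe-separated log
with the fields payment_id|amount|initiator|approver|status and an approval
threshold of 10,000.00.
"""
from dataclasses import dataclass
from decimal import Decimal, InvalidOperation
from typing import Dict, List, Optional

APPROVAL_THRESHOLD = Decimal("10000.00")  # assumed policy level, not from the notes

# Constructed sample log; not real data.
SAMPLE_LOG = """\
# payment_id|amount|initiator|approver|status
P-1001|2500.00|alice||processed
P-1002|15000.00|bob|carol|processed
P-1003|42000.00|bob||processed
P-1004|12000.00|dave|dave|processed
P-1005|30000.00|erin||pending
P-1006|10000.00|frank||processed
"""


@dataclass(frozen=True)
class Payment:
    payment_id: str
    amount: Decimal
    initiator: str
    approver: Optional[str]  # None when nobody confirmed the payment
    status: str


@dataclass(frozen=True)
class Finding:
    payment_id: str
    amount: Decimal
    reason: str


def parse_payment_log(text: str) -> List[Payment]:
    """Parse the log; a malformed record is itself an audit finding, so fail loudly."""
    payments: List[Payment] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split("|")]
        if len(fields) != 5:
            raise ValueError(f"line {lineno}: expected 5 fields, found {len(fields)}")
        pid, amount, initiator, approver, status = fields
        try:
            value = Decimal(amount)  # Decimal, not float: money must compare exactly
        except InvalidOperation as exc:
            raise ValueError(f"line {lineno}: bad amount {amount!r}") from exc
        payments.append(Payment(pid, value, initiator, approver or None, status))
    return payments


def audit_dual_authorization(payments: List[Payment],
                             threshold: Decimal = APPROVAL_THRESHOLD) -> List[Finding]:
    """Return one Finding per processed payment that violates the control."""
    findings: List[Finding] = []
    for p in payments:
        # Only payments that actually went through are in scope: a pending payment
        # above the threshold is still waiting for approval, not a violation.
        if p.status != "processed" or p.amount <= threshold:
            continue
        if p.approver is None:
            findings.append(Finding(p.payment_id, p.amount,
                                    "processed above threshold without second-party approval"))
        elif p.approver == p.initiator:
            findings.append(Finding(p.payment_id, p.amount,
                                    "approved by the initiator; no second party involved"))
    return findings


def summarize(payments: List[Payment],
              threshold: Decimal = APPROVAL_THRESHOLD) -> Dict[str, object]:
    """Evidence summary for the report: population tested and exceptions found."""
    in_scope = [p for p in payments if p.status == "processed" and p.amount > threshold]
    findings = audit_dual_authorization(payments, threshold)
    return {
        "payments_in_scope": len(in_scope),
        "exceptions": len(findings),
        "control_effective": not findings,
        "exception_ids": [f.payment_id for f in findings],
    }


if __name__ == "__main__":
    records = parse_payment_log(SAMPLE_LOG)
    for finding in audit_dual_authorization(records):
        print(f"{finding.payment_id}: {finding.amount} - {finding.reason}")
    print(summarize(records))
```

Run against a real payment log on a schedule, the summary is the kind of recurring evidence the notes describe: it shows whether the control was still applied next month, not just on audit day.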

 

Legal requirements are perhaps the most important. It is not the goal of the CISA to make you an attorney, and not all the major laws will be reviewed on the CISA. It's important for you to spend some time familiarizing yourself with appropriate law, and that will be based on your legal jurisdiction, your industry and facts of that nature. But you do need to be aware there are legal requirements that do impact your audit.

HIPAA & HITECH

Here are a few laws that are very important in the United States.

HIPAA, the Health Insurance Portability and Accountability Act of 1996: now that's a very lengthy law, but most important for auditing is that it identifies what is considered personal health information and how it has to be handled. This was augmented by HITECH, the Health Information Technology for Economic and Clinical Health Act, which redefined what a breach is and gave stricter standards for notifying people in case of a breach.

If you're auditing not just medical clinics, not just hospitals, but medical billing companies, health insurance companies, anything of that nature, then these two laws become very critical. And again, our goal is not to go in depth into every law but to briefly introduce you to a few of the most important ones.


Sarbanes-Oxley & PCI

Sarbanes-Oxley is strictly a United States issue; it does not affect other countries. It is all about publicly traded companies, so a privately held company does not have to adhere to Sarbanes-Oxley.

Sarbanes-Oxley was a rather complex piece of legislation, and it was meant to address some financial fraud that had taken place in the early 2000s. Most important for IT is that publicly traded companies must keep electronic records for 5 years. The reason I point out this specific one is not so much that you have to memorize this for the test, but it gives us a great example of how we take a legal requirement and that gives us a very clear control objective, and it's very easy to audit: if there are electronic records that don't go back 5 years, there needs to be an explanation or an understanding, because you're legally required to keep them.

Now the PCI DSS, or Payment Card Industry Data Security Standard: that's an extensive set of documents that could take an entire course in and of themselves. CISA does not ask you to be a PCI DSS expert, but basically any organization that processes credit cards will to some level have to comply with PCI DSS. Now notice these are standards in the industry; it's not a law, it's the Visa, Mastercard, Discover and American Express companies saying, look, if you're going to process and handle credit card data you have to do these things. And that applies in many countries; in fact, anywhere that you're processing credit cards, PCI DSS comes into play. So any time you're auditing a company that processes credit card information you need to be familiar with PCI DSS and incorporate that in your audit.

Now these are just examples of legal and regulatory requirements. An exhaustive list would be humongous; depending on where you live and your industry there can be any number of legal and regulatory requirements. You don't have to memorize them all, but be generally familiar with them.


 

 

Here's another set of standards that the test will not ask you to memorize. I'm just giving you an example of all the industry standards out there for cryptography. There are a number of ISO standards used around the world; you see a brief description of each here: digital signatures, how to handle cipher algorithms, hash functions, how to manage keys, data processing.

The point is very clearly that it can become overwhelming, the number of regulations and the number of standards that you need to be familiar with. The good news is you don't have to be an expert in these areas. CISA does not assume that you're an expert in cryptography by any means; it just assumes that you know which standards to refer to when conducting an audit if cryptography, for example, is a part of the business activity and you need to refer to some standards to see if they meet control objectives. And these are just here as examples; you don't have to commit these to memory.


Audit Report Basics:

when you're doing a report  there are some Basics

 

first of all obviously

 

            who are you auditing the organization

            who should receive a copy of this audit and

            are there restrictions should

            this audit not be forwarded

            can it be forwarded to certain people

            basically these are demographic issues

            who's being audited who gets to know about the audit

 

then the scope

            what was the scope of your audit

            what did you audit now

 

I personally this is not on the cisa this is just my personal practice

 

I also like to identify anything that was omitted

 

if I conduct an audit and certain items were not audited I want to point that out these were not audited and here's why

 

 

 

 

but for the test you need to

 

know your scope your objectives

                        what were you trying to accomplish

the period of coverage I audited

                        for a certain period of time and

                        that should be           sufficient for 6 months or 12 months or however long you think

 

the nature of the audit

                        was it automated

                        was it a team did it involve penetration testing

                        as well as auditing or

                        vulnerability scanning

                        what happened

 

the timing and extent of the audit

                        how in- depth was it

                        timing is important because auditing at different times may give different results

 

                                    for example if you're auditing retail credit card transactions in a heavy                                 holiday season you may get different results

                                    than you would at a different time

 

my favorite part is

 

findings conclusions recommendations followup reservations or qualifications

                        what this means is first of all

 

                        what did you find

                        what did your audit discover next

                        what do you conclude from that

            probably the most important thing is what are your recommendations

 

                        if a particular control you found to be inadequate

                        how do you recommend they fix it

                        it's not enough for an auditor to look at an organization and say

                        this specific it control does not meet control objectives

                        you need to tell them how they can Rectify that situation

 

 

            what if you found something did meet control objectives

                        do you have any reservations or qualifications

                                    for example this might be a place to state

                        that yes this particular control does meet the control objectives

                        but that in your opinion those control objectives

                        may not adequately account for certain risks

 

now you should put this in some sort of

 

organization grouping them by materiality or by the intended recipient

                        or by the business group or by the particular control

                        those sorts of things some sort of organization

 

you also have to

 

mention any faults you found

            and any constructive corrections

 

normally

your report

            will either be very large starting with an executive summary

            or the report will essentially tell your findings

            and then there will be appendices that have the evidence to support your results

 

            either way

            there has to be some way for the audit recipient

            to refer to your evidence

            it's not appropriate for you to say "because I said so"; you

            have to show the evidence

 

            now often times executives are not going to take the time to read all your evidence

 

            Executives may simply read your conclusions but the evidence needs to be available

 

            should they desire to look at it

 

of course your

 

overall findings conclusion and your opinion

            and always signed and dated

 

balanced scorecard

 

 

one tool that the CISA occasionally will bring up is the

balanced scorecard

 

 

 

            this is a way of looking at an organization that was originally designed as a performance management tool

                        so it wasn't really designed for audits

 

            it was used to track execution of activities

 

                        basically it's looking at

                        here is an objective

                        how is that objective being met

                        it's sort of a scorecard

                        that's the name

 

now you can use

this to measure controls, their performance against an expected value

                        and you can look at things from four perspectives

 

 

                        financial perspective

                                    how much did it cost

                                    was there a return on investment, was money lost

 

                        customer perspective

                                    sometimes security controls can be so onerous that they negatively impact customer experience

                                    well that should be involved in your audit report

 

                        internal processes

                                    did the controls affect internal processes in a positive or negative way

                                    and then finally

                        innovation or learning

                                    have you learned something from measuring this control

                                    now again the balanced scorecard was not originally meant for auditing

                                    but it can be applied to the auditing situation

 

that concludes knowledge 1.6

 

Domain 1 Information System Auditing Process

knowledge statement 1.7

 

CISA knowledge statement 1.7

            Knowledge of evidence collection techniques (observation, inquiry, inspection, interview, data analysis, forensic investigation techniques, computer-assisted audit techniques) used to gather, protect and preserve audit evidence.

 

Now what this means is first and foremost your

 

 

            audit must be supported by objective evidence.

                        It cannot be a matter of opinion. So the next question becomes

 

            how do you collect and preserve such evidence

 

for your CISA exam? You need to

 

            know the various techniques used to gather and preserve evidence.

 

There are several ways to gather information.

 

            Inquiry is one of them: literally conducting surveys of key personnel in an organization to discover if particular control objectives are being met.

 

                        This is particularly effective when part of your audit is checking on compliance with certain policies and industry regulation.

                        Observation. This involves observing people and systems to see if control objectives are being met.

                        Interviews can also be used where you interview key personnel and ask them specific questions.

                        Now, in both the interview and the inquiry options, you need to ensure that you've carefully selected the questions to get optimal information.

                        Don't just do ad hoc questioning.

                        And of course, we have analysis using computer-assisted auditing techniques.

                        We've listed a few here.

                        It's not critical that you know these specific computer-assisted auditing packages.

                        However, you should be aware that computer assisted auditing techniques are very common, particularly when you have to sample large amounts of data.

 

           

            Normally, you'll store and retain audit evidence in some sort of electronic media, USB drives, hard drives, that sort of thing.

                        And there should be retention policies established ahead of time that show the requirements for storing such evidence,

                        how long it has to be stored, that sort of a thing.

 

The main areas covered under this knowledge statement are

 

            particularly computer assisted audit techniques,

           

            but also evidence.

                         Now, evidence we've discussed in other lessons, and we're going to continue to discuss it because it's a key part of auditing.

 

            Interviewing and observing personnel and the performance of their duties,

           

            continuous auditing.

                        Now remember, continuous auditing refers to processes that ensure that audit goals are still being met even between audits, and

 

            of course audit documentation.

 

 

evidence

            Remember evidence is the information that you're going to base your conclusions on.

 

            The information systems auditor gathers conclusive objective data in the course of performing an IS audit.

           

                        The idea of evidence is to have objective data to support your audit findings.

 

            Now, evidence has to directly relate to the objectives of the audit.

                        Tangential information or inconsequential information is not pertinent to an audit. We need evidence or data that directly relates to control objectives.

                        Now, how you gather that evidence is a key issue.

 

            Remember the various standards we looked at in an earlier lesson. S6, Performance of Audit Work, talks about evidence and evidence gathering.

            In addition to gathering it, you have to appropriately organize it and document it in order to support findings and conclusions.

 

 

how reliable is the evidence:

 

            How reliable is the evidence though? Just like with a criminal case that you might have seen on some sort of television drama or movie, different types of evidence have different levels of reliability.

 

            What are the factors that determine if a particular piece of evidence is reliable?

 

            First of all, whoever provided the evidence, be that a person or a system, are they independent? Do they have no particular stake in the outcome? Independent evidence is what you always want.

 

 

            The qualification of the person providing the information or evidence. Is that person qualified to make the observations and conclusions they're providing you?

 

 

            Objectivity. Is the evidence clearly objective? It's not biased in any particular way either for or against the audit target.

 

            And of course, the timing of the evidence.

 

 

 

 

evidence characteristics and types:

 

Now, there are different characteristics that we're concerned with in evidence.

 

 

            The confidence level of evidence is based on its value.

                         You also look at audit evidence and consider the following.

 

            Is it complete, adequate, and convincing in and of itself?

                        In other words, would this particular piece of evidence or group of evidence pieces lead another information systems auditor to form the same conclusions you have?

                        If so, then that evidence is sufficient.

                         Now, if it wouldn't, if other data is required to come to the same conclusion, then this evidence in and of itself is insufficient.

 

            Is it useful?

                        Does it assist any auditor in meeting the audit objectives?

                        You can come up with a great deal of information during an audit. You'll learn a great deal about their information systems, their business processes and practices.

                        All kinds of data will come into your hands. However, not all of it assists you in meeting your audit objectives.

                        It may be evidence, but it's not pertinent to the audit.

 

 

            It has to be reliable.

                        It has to be valid, factual, objective, and supportable. If it's not reliable, none of the rest really matters.

                        You can deal with evidence that in and of itself is not quite sufficient. And evidence that may not be useful, may not help your audit, but doesn't hurt it.

                         But evidence that's not reliable is a deep, deep concern.

 

            Is the evidence relevant, that's very similar to useful.

                        Does it pertain to the audit objectives? Is there a logical relationship to the findings and conclusions that you're basing on this piece of evidence?

                        In other words, if your conclusion is based on a specific piece of evidence, that specific piece of evidence needs to have a specific and clear logical relationship to your conclusion.

 

 

Techniques for gathering evidence:

 

 There are lots of ways to gather evidence. We start with

 

reviewing the organizational structure

                        as it relates to information systems. This will give you a clue as to who to interview, who to inquire with, who to observe.

 

 

You'll want to review IS documentation.

                        If the information systems documentation doesn't adequately describe or meet control objectives, then it's very unlikely that the practices of the information systems department will meet those objectives.

 

 

Review the information system standards.

                        Are they based on well-known, well established third party standards, or are they internal standards? If they're internal standards, do they meet the control objectives?

 

 

Reviewing policies and procedures.

                        How does this organization handle a security breach? How does it handle data disposal of old media? What are their policies and procedures for each of these issues?

                        Frankly, it's impossible to do an adequate audit if you don't know what the company's policies and procedures are.

 

 

Now, and this is based on the previous review of the organizational structure, you can

            interview appropriate personnel.

                        You want to make sure those personnel are in a position to give you reliable and sufficient evidence.

 

 

You may wish to also

            observe processes and employees actually performing their duties. This can really let you know whether or not the policies and procedures are actually being implemented on a regular basis.

 

 

You can always

            reperform a particular task to see if it meets or fails to meet control objectives.

                       

 

And of course, a

            generalized walkthrough can be helpful.

 

 

 

Any of these methods or in fact all of them you can use on any given audit to try to gather as much evidence as possible.

 

            My personal feeling is you should always err on the side of gathering too much evidence and then leave out extraneous or irrelevant data from your final report.

            But it's better to have data that you have to pare down than to discover you didn't gather enough data.

 

 

 

Audit documentation.

 

            It's really difficult to overdo audit documentation.

Now I'm talking about the documentation that you personally gather, not necessarily what goes in your final report.

 

            Your audit documentation should at a minimum include a complete record of the following things.

 

            The planning and preparation of audit scope and objectives.

                                     How did you select the scope? How did you choose the objectives? How did you plan your audit?

 

            If you're doing walkthroughs,

                                    let's have a description of those walkthroughs or let's actually do a walkthrough of any particular audit area.

 

            Do we have an audit program, an exact plan for how we're going to do our audit, what tests we'll conduct, what tools we'll use, and

 

            then we also absolutely must document the steps that were actually performed and the evidence gathered.

 

            You may use the services of other auditors or experts.

                                    One example might be let's assume that as part of your audit you have to gather information regarding the security policies as implemented on workstations.

                                    However, some of the workstations are Macintosh computers and you don't have adequate Macintosh experience. You might use the services of a Macintosh professional to do that portion of your audit or to at least advise and assist you.

 

 

            Of course, you'll need to fully document whatever you found, your conclusions, and your recommendations.

                                    It really cannot be overstated that recommendations are a critical part of an audit. It's inadequate to simply tell a customer what gaps they have in their security coverage.

                                    You need to give them recommendations to remediate those.

 

            And of course, audit documentation must include document identification and dates.

                                    What documents did you get? What were the dates on those documents? How were they used? All of these items should be part of your audit documentation.

 

 

That concludes knowledge statement 1.7.

 

Knowledge statement 1.8

knowledge of different sampling methodologies and other substantive data analytical procedures

            In this knowledge statement, we're going to look at two things.

 

First, comparing compliance to substantive testing and

 

then looking at sampling methodologies.

 

            Compliance testing involves gathering evidence in order to test the enterprise's compliance with control procedures.

 

                        Now what we're talking about here is any sort of requirement be it legal, regulatory, industry norm or internal requirements.

                        We essentially look at various security controls to determine whether they do or do not comply with a specific requirement.

                        This generally involves looking at the overall performance of the control, not specific transactions.

 

 

            Substantive testing is evidence gathered to evaluate the integrity of individual transactions, data, or other information.

                        Put another way, with substantive testing, you're going to be looking at specific transactions or specific data records.

                        Obviously, this gives you a better basis to draw conclusions, but just as obviously, it's much more resource intensive.

 

 

Throughout this lesson, we'll consider a hypothetical e-commerce company

we'll call Acme E-commerce that had 100,000 records,

100,000 transactions during the audit period, which was last calendar year.

 

 

 

            Now, the presence of internal controls can minimize the number of substantive tests that have to be done. How do we know there are adequate internal controls? Well, that's established via compliance testing.

                        If the controls pass compliance testing, then there is less need for substantive testing.

 

            Conversely, any weakness or inadequacy in internal controls will increase the need or number of substantive tests.

                        We still don't want to check every single transaction. And that's where we use something from statistics called sampling.

 

            Sampling is done when it's not logical or practical or even possible to test all the transactions. This is usually due to the time and cost needed.

 

Again, we have 100,000 transactions in our hypothetical scenario. Obviously, it is too cost prohibitive to look at all of them.

 

 

Main areas of coverage

 

            So, once again, we'll be looking at

 

 

compliance versus substantive testing and

we'll be looking at sampling.

 

 

So, what is a sample?

 

First, let's look at what a population is.

                                    A population consists of the entire group of items that we need to examine and draw conclusions on.

                                                In our scenario, it's 100,000 records that took place last year.

                                   

                                     A sample is a subset of that population that we use to infer characteristics about the population. Those inferences are based on examining the characteristics of the sample and extrapolating those results to the population.

                                   

                                    Now because of this the sample has to represent as closely as possible the characteristics of the whole population.

                                                Let me explain that with another hypothetical scenario. Let's assume that you've been tasked with determining the average height for males in France. You're not going to measure every single male in France.

                                                That's simply not practical, not even possible. So you're going to get a sample of males in France. But you chose your sample from a convention for horse jockeys, men who ride horses in horse races.

                                                Now, horse jockeys tend to be abnormally small men, much smaller than average. So, all of the conclusions you draw don't really apply to the population. Because you used poor sampling methodology, all of the inferences you draw are going to be inaccurate.

                                                That same thing applies to every audit you do.

 

                                    When you're sampling records, if you make the wrong selection in your sample, then your conclusions will be wrong.

                                    In some cases, even the exact opposite of what the reality is for the general population. So, you can see that sampling methodology is very important.

 

Sampling can be either statistical or non-statistical.

 

            Let's look at statistical first.

 

 

Statistical sampling

            uses objective methods to determine first the sample size.

 

                                    Let's pause and comment on that. We have 100,000 transactions to consider without any reference to statistical methodologies. I think you already intuitively know that selecting five records for your sample is not enough. And I think just as much you're aware that you don't need to select 50,000 records.

 

            So we use objective methods to select sample size. Our selection criteria are based on objective methods. The most obvious is to randomly select.

            But are we sure we randomly selected?

            Are we sure we selected in such a way as not to skew our results? That gives us the precision of our sample.

            All of these things are going to impact the reliability or confidence level we have in our sample.

           

 

            Now for just a moment, let's reflect on confidence levels and statistics. The term confidence level has a very specific meaning within the world of statistics.

            For the purpose of the CISA exam, you don't have to know statistics. There will be no questions wherein you have to perform statistical calculations.

            And I know that's quite a relief to some of you.

            However, let me state that in my opinion, the better knowledge you have of statistics and the more you apply statistics, the better auditor you will be.

            But for our purposes, prepping you for the CISA, you don't need to know statistics. And I say that because the word confidence level has a very specific meaning in the world of statistics.

 

            Now, statistical sampling can be used to infer population characteristics from the sample. And so, it's the preferred method.

            Well, you might be wondering if it's the preferred method, why do we have an alternative method? Why not just always use statistical?

            Well, let's look at that alternative method. And I think that will answer that question.

 

 

 

 

Non-statistical sampling

            does not use any objective methods. It's purely subjective judgment to determine the method of sampling, sample size, and sample selection.

                        Non-statistical sampling cannot be used to infer population characteristics, and it's not the preferred method. So, when might you use it? Well,

                        let's look at that first statement. It cannot be used to infer population characteristics. So, non-statistical sampling can be used when you don't wish to infer population characteristics.

                        Let's assume that of our 100,000 transactions, the overwhelming majority are all roughly $100 in amount or less. I would like to look at the small handful of transactions that exceeded $1,000.

                        Well, I already know that these are not representative of the population. I already know that any conclusions about this very small sample cannot be extrapolated to the population.

                        I don't intend to infer population characteristics from the sample. In that scenario, it's possible to use non-statistical sampling.

 

 

Sampling methods are of two types.

 

Attribute sampling and

variable sampling.

 

 

Let's look at attribute first.

 

            Sometimes this is called proportional sampling.

 

We will select some specific attribute and look for either the presence of that attribute or the absence.

                        For example, I might look at those transactions that had sales tax or did not have sales tax.

                        This is often used in compliance testing. Our sales tax scenario is a great example. If you did not apply sales tax, did you comply with regulatory requirements for scenarios where sales tax is not required?

                        The conclusions are often expressed in rates of incidents. How many transactions per 100, per 10,000, or per million actually meet or fail to meet that presence or absence of the attribute?

                        Lots of ways to do this. You can simply sample all the transactions grabbing those that have the attribute. Or you can pick a fixed sample size, or you can pick a frequency. Another way to do this is stop or go sampling.

 

                        Let's assume you've determined that the appropriate sample size is 1,000 transactions.

            You first examine the very first 1,000 transactions in the database. If they have the attribute you're looking for, you stop and that just became the sample you'll work with. If not, you go to the next 1,000 and look again to see if that attribute exists. You'll continue this until you find a group of 1,000 that has your attribute, and that's your sample.

           

             Discovery sampling is even less common. Essentially, you have an item that is so uncommon, so rare that you're basically waiting until it's discovered.

 

 

 

Now, in addition to attribute sampling, we have

 

variable sampling.

 

 

 

Variable sampling

            is often used to estimate some quantitative measure like dollar value or weight. Dollar value is far more common, so this is often called dollar estimation.

 

            Usually we're going to calculate a statistical mean for whatever measurement we're looking at.

                        For example, dollar. So it's also often called mean estimation sampling or quantitative sampling.

                        This is often applied in substantive testing and it provides conclusions related to any deviations from that norm.

                        There's basically two main ways to do this.

 

            Unstratified or stratified.

                        Stratified simply means we've already divided up the population into ranges such as all transactions ranging from $10 to $100,

                        all transactions ranging from $101 to $200, all ranging from $201 to $300, so on and so forth. So we have stratified or unstratified.
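The sampling ideas above (statistical versus non-statistical, attribute sampling, unstratified versus stratified variable sampling) carried out on a constructed population shaped like the Acme E-commerce scenario. This is an added example, not code from the course notes; every transaction is generated here with a fixed seed, and the dollar strata follow the ranges listed above.

```python
"""Added example (not from the course notes): statistical vs non-statistical
sampling over a constructed population modelled on the notes' Acme E-commerce
scenario: 100,000 transactions, a sales-tax attribute, dollar-value strata.
Every transaction is generated here with a fixed seed; none of it is real."""
import random
import statistics

random.seed(7)  # reproducible constructed data


def build_population(n=100_000):
    """Constructed transactions as (amount, sales_tax_applied).
    Most amounts are $100 or less, a small handful exceed $1,000, and
    roughly 3% are missing sales tax (the attribute exception)."""
    pop = []
    for _ in range(n):
        r = random.random()
        if r < 0.85:
            amount = round(random.uniform(10, 100), 2)
        elif r < 0.995:
            amount = round(random.uniform(101, 300), 2)
        else:
            amount = round(random.uniform(1_000, 5_000), 2)
        pop.append((amount, random.random() >= 0.03))
    return pop


def true_mean(pop):
    """Population mean: what the auditor could only learn by checking everything."""
    return statistics.fmean([a for a, _ in pop])


def attribute_sample(pop, sample_size):
    """Attribute (proportional) sampling: a random sample, reported as the
    rate per 100 of transactions lacking the sales-tax attribute."""
    sample = random.sample(pop, sample_size)
    exceptions = sum(1 for _, taxed in sample if not taxed)
    return exceptions / sample_size * 100


def mean_estimate(pop, sample_size):
    """Unstratified variable (mean-estimation) sampling: the mean dollar
    value of one simple random sample, extrapolated to the population."""
    return statistics.fmean([a for a, _ in random.sample(pop, sample_size)])


STRATA = ((10, 100), (101, 200), (201, 300), (301, float("inf")))


def stratified_mean_estimate(pop, sample_size, bounds=STRATA):
    """Stratified variable sampling: split the population into dollar
    ranges, sample each range in proportion to its size, then weight each
    stratum mean by the stratum's share of the population. The rare
    high-value stratum is guaranteed representation this way."""
    total = len(pop)
    estimate = 0.0
    for low, high in bounds:
        items = [a for a, _ in pop if low <= a <= high]
        if not items:
            continue
        k = min(len(items), max(1, round(sample_size * len(items) / total)))
        estimate += statistics.fmean(random.sample(items, k)) * len(items) / total
    return estimate


def judgment_sample(pop, threshold=1_000):
    """Non-statistical (judgmental) sampling: the handful of transactions
    over $1,000. Worth inspecting, but, like measuring jockeys to estimate
    the height of all men in France, it says nothing about the population."""
    return [a for a, _ in pop if a > threshold]


def compare_methods(pop, sample_size=1_000):
    """Run each method once and return the figures side by side."""
    big = judgment_sample(pop)
    return {
        "population_mean": round(true_mean(pop), 2),
        "exception_rate_per_100": round(attribute_sample(pop, sample_size), 2),
        "unstratified_estimate": round(mean_estimate(pop, sample_size), 2),
        "stratified_estimate": round(stratified_mean_estimate(pop, sample_size), 2),
        "judgment_sample_size": len(big),
        "judgment_sample_mean": round(statistics.fmean(big), 2),
    }


if __name__ == "__main__":
    for name, value in compare_methods(build_population()).items():
        print(f"{name:>24}: {value}")
```

Running it shows the stratified estimate landing closer to the population mean than the unstratified one, while the judgment sample's mean is in the thousands and would mislead badly if extrapolated.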

 

 

Computer-assisted audit techniques (CAATs)

 

 

 are often used for gathering and analyzing data from computer systems to meet some audit objective.

 

            Now you can probably realize that with sampling of large number of transactions used in substantive testing a computer assisted audit technique is almost a requirement.

                        It's almost impossible to do this effectively by hand.

 

            CAATs involve a few things in the process. First, you have to understand the client, the client's needs, and their goals.

                        That's going to help you select the appropriate computer assisted audit technique. Now, you have to ensure that that technique will obtain effective evidence.

                        You have to ensure that it provides data analysis. I mentioned previously that you're not going to be asked to do any sort of statistical calculation, but your computer assisted audit technique should be able to and it should be able to report on findings.

                        Now, these techniques are going to vary and they're based on differences in hardware, software, data structures, record formats, the general IT environment, and the processing functions.

 

 

There are lots of examples of computer assisted audit techniques.

 

            First of all, we have generalized audit software like IDEA and ACL.

           

            Then we have utility software.

            Your transactions are undoubtedly stored in a database. Most database management systems have a variety of report writers and even the ability to extract specific elements of data.

           

            As a side note, the CISA exam does not require you to know structured query language or SQL. However, in your actual audit practice, if you're going to rely on database management systems, particularly relational database management systems,

            a basic knowledge of SQL (structured query language) will allow you to extract data with all kinds of formats, with all kinds of criteria, and even to perform some basic statistical calculations such as calculating the mean.

 

            Debugging and scanning software is often used in auditing the IT systems themselves. In many cases, test data is important.

            You want to be able to test to ensure that your computer assisted audit technique is functioning properly.

            Expert systems rely on elements of artificial intelligence. And essentially, the issue with expert systems is that they're able to answer more questions than you asked.

            With normal techniques like SQL commands that we've already mentioned, you have to ask a specific question. I want all transactions in this date range with this dollar amount.

            Expert systems can look at the complete body of data and often are able to pull out specific relationships you didn't know to ask for. They're less common and far more expensive.

 

            Third party access control software can be used to audit the access control process.

 

            Any application software tracing and mapping will allow you to map out exactly what particular software is doing and therefore audit it.

 

            Many systems have all kinds of options built in them including reporting. All of these techniques can be used to assist in your audit.

 

The functional capabilities of all the generalized audit software should be as follows.

 

            File access.

                                    Your data is going to come to you in a variety of file structures and record formats. You need to ensure that your audit software is capable of accessing all of the record formats and structures that you need to access.

                        It should also provide you with reorganization so you can sort, merge, link, and index the data as you see fit.

                        It should give you a wide variety of data selection options, filtering data, selecting data, that sort of thing.

                        It should have built into it a number of statistical functions including sampling, stratification, frequency analysis, and computing basic statistics such as statistical mean, mode, standard deviation, variance, that sort of thing.

                        There should also be arithmetic functions and operators within the software.
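The "specific question" style of query described above (all transactions in a date range with a given dollar amount) and the stratification, frequency analysis and mean that the functional-capabilities list calls for, done with the DBMS's own query engine as the utility-software CAAT the notes mention. This is an added example, not code from the notes; the transactions table and its rows are constructed here in an in-memory SQLite database.

```python
"""Added example (not from the course notes): a database's own query engine
used as a utility-software CAAT, as the notes describe: extract exactly the
transactions that match a date range and a dollar range, then stratify,
count and average them in SQL. The table and its rows are constructed here
in an in-memory SQLite database; none of it is real data."""
import sqlite3

# Constructed rows: (id, txn_date, amount, sales_tax_applied)
SAMPLE_ROWS = [
    (1, "2023-01-05", 45.00, 1),
    (2, "2023-02-14", 120.00, 1),
    (3, "2023-03-02", 89.99, 0),
    (4, "2023-03-30", 1500.00, 1),
    (5, "2023-06-18", 15.50, 1),
    (6, "2023-07-04", 250.00, 0),
    (7, "2023-11-24", 99.00, 1),
    (8, "2023-12-01", 2100.00, 1),
    (9, "2023-12-20", 60.00, 1),
    (10, "2024-01-03", 75.00, 1),  # outside the audit period (last calendar year)
]
AUDIT_PERIOD = ("2023-01-01", "2023-12-31")


def load_transactions(rows=SAMPLE_ROWS):
    """Build the constructed transactions table in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE transactions ("
        "id INTEGER PRIMARY KEY, txn_date TEXT, amount REAL, sales_tax_applied INTEGER)"
    )
    conn.executemany("INSERT INTO transactions VALUES (?, ?, ?, ?)", rows)
    return conn


def extract(conn, start, end, min_amount, max_amount):
    """The 'specific question' the notes contrast with expert systems: all
    transactions in a date range with a dollar amount in a given range.
    Criteria are bound as parameters, never pasted into the SQL text."""
    sql = (
        "SELECT id, txn_date, amount FROM transactions "
        "WHERE txn_date BETWEEN ? AND ? AND amount BETWEEN ? AND ? ORDER BY id"
    )
    return conn.execute(sql, (start, end, min_amount, max_amount)).fetchall()


def stratum_statistics(conn, start, end):
    """Stratification, frequency analysis and a mean per dollar range in one
    query, the capabilities the notes list for generalized audit software,
    done with the DBMS itself. Also counts the attribute exception (no sales
    tax) in each stratum, which feeds compliance testing."""
    sql = """
        SELECT CASE WHEN amount <= 100 THEN '10-100'
                    WHEN amount <= 200 THEN '101-200'
                    WHEN amount <= 300 THEN '201-300'
                    ELSE 'over 300' END AS stratum,
               COUNT(*) AS n,
               ROUND(AVG(amount), 2) AS mean_amount,
               SUM(CASE WHEN sales_tax_applied = 0 THEN 1 ELSE 0 END) AS no_tax
        FROM transactions
        WHERE txn_date BETWEEN ? AND ?
        GROUP BY stratum
        ORDER BY MIN(amount)"""
    return {
        stratum: {"n": n, "mean": mean_amount, "no_tax": no_tax}
        for stratum, n, mean_amount, no_tax in conn.execute(sql, (start, end))
    }


if __name__ == "__main__":
    db = load_transactions()
    print("over $1,000 in the audit period:", extract(db, *AUDIT_PERIOD, 1_000, 1e9))
    for stratum, stats in stratum_statistics(db, *AUDIT_PERIOD).items():
        print(f"{stratum:>8}: {stats}")
```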

This concludes knowledge statement 1.8.

CISA knowledge statement 1.9

 

 

            knowledge of reporting and communication techniques including facilitation, negotiation, conflict resolution, audit report structure, issue writing, the management summary and result verification.

 

 

Communication needs to be effective and clear in order to improve the quality of the audit and maximize results.

                        The final product that you produce from any audit is essentially communication. There will be a written report along with an executive summary and usually a verbal briefing at the end of the audit.

                        No matter how effective and how high a quality your audit was, if your communication of the results and findings is inefficient, then the audit itself will be less effective.

                        Put another way, your report's going to have to give clear and concise as well as detailed information regarding your conclusions, your recommendations, and the basis for those conclusions and recommendations.

                        It's also the case that your verbal communication can either improve the audit outcome or have a deleterious effect on it.

 

            When an argument ensues between the auditor and the auditee during the final findings report presentation, it's usually over the accuracy of the findings in the report. This makes the audit process counterintuitive, perhaps even counterproductive, and quickly dilutes the audit process and its value.

                        Now, you may be wondering, an argument ensuing, when might this occur? You have to consider the perspective of the auditee.

                        Many auditees will consider any deficiencies documented in your report as essentially an attack on the quality of their work because your report is essentially stating that current existing IS controls fail to meet requisite standards.

                        They're substandard. They're not effective. And that is often taken as a criticism of at least certain members of the auditee staff.

                        A natural and common reaction is to reject your findings, to question the accuracy of your findings, and that's where disputes will occur.

 

Now, we will look at some techniques both in your written report and your verbal communication that can ameliorate this situation.

 

            Audit findings will often be ultimately reported to stakeholders. Before that occurs, they need to have appropriate buy in from the auditees. This is the only way to have a successful audit process and add value to the audit organization.

                        In other words, it's a good idea to get the appropriate audit IT staff members involved before you present to stakeholders.

                        In other words, if you can get the IT staff to agree with your conclusions and your recommendations before presenting to stakeholders, it's much more likely that these implementations will be agreed upon and will be affected

 

throughout your entire audit.

 

            Good communication and negotiation skills are required. And it's not possible to overemphasize this point.

                        You might be the most excellent information system auditor on the planet. And you might conduct a perfect audit from a technical point of view, but if you have poor communication skills that alienate the audit or at least members of the audit staff, you will decrease the efficacy of your audit.

 

            Communication skills determine the effectiveness of the audit reporting process.

So, our main areas of coverage are:

            how to communicate audit results, and

            the Information Technology Assurance Framework section 2600 reporting standards.

In addition to the material in this lesson, it's probably a good idea to refer to that specific standard prior to taking the CISA exam.

Communication of audit results

During the exit interview, that's your final briefing with the auditee, the IS auditor has to ensure several things.

            First and foremost, make absolutely certain that the facts you present in your report are accurate.

                        You must be aware that anyone can make a mistake, including you or me. So first double-check your results, particularly any results that point to flaws in the auditee's systems. For egregious and significant flaws especially, you need to double-check your accuracy.

            Now part of your report will be to recommend remediation steps.

                        Make sure the steps you've recommended are both realistic and cost-effective. It's not helpful if your recommendations are too expensive, too vague, or simply unrealistic.

            Then recommend specific implementation dates for those recommendations that they have agreed upon.

                        In other words, once you get the auditee to agree on a specific step to remediate an issue, recommend a specific date to implement it. And again, make sure that date is both realistic and cost-effective.

            There's lots of things you can do in your presentation. You should always include an executive summary.

            An executive summary is essentially an easy-to-read, concise summary of your report. It lacks some of the detail and supporting evidence, but gives the overall picture.

            You may choose to use visual presentation aids such as slides or computer graphics.

            I often like to include charts wherever possible.

            Before you communicate any results of an audit to senior management, it's a good idea to discuss the findings with the lower-level management staff and perhaps even the IT staff of the audited entity.

            That way, you can work out any discrepancies or issues prior to informing senior staff.

            The purpose of this is to ensure that all relevant parties agree on both what you found and the corrective actions you recommended.

            Now, it's a good idea to become familiar with the ISACA S7 Reporting and S8 Follow-up Activities standards prior to taking the CISA exam. Both of those are important to know.

Let's talk about communication skills.

            We've already indicated that poor communication skills can have a negative impact on the entire auditing process, particularly on the reporting and recommendation phase.

Let's start with facilitation.

            There are a lot of techniques you can use to facilitate clear communication.

                        The first, at least in my opinion, is to put yourself in the other person's perspective.

                        If you are, for example, going to list an issue with network security that impacts the gateway router, how would you react to this news if you were the network administrator responsible for that router?

                        And how can you phrase the issue so as not to be accusatory and not to engage in conflict?

                        That's one step to facilitating good communication.

Another one is good listening skills.

            Now, a lot of people overlook listening skills. Clearly, you're capable of hearing what the other person said, but that's not the same thing as listening.

                        You need to fully understand the factual information they're communicating to you and their emotional tone.

                        The idea of communication is to take information from party A and get it to party B. Anything that degrades the communication received is adversarial to communication.

                        Let me put that another way.

                        When you're listening, be engaged, be focused. Don't simply be waiting to talk. Listen carefully to what the person is saying, but also listen to their tone of voice, their posture, facial expressions, and try to imagine how you would feel if you were in their position.

                        Another thing you can use is called active listening. Where appropriate, either ask a brief clarifying question or restate it in your own terms and see if you're hearing what they meant you to hear.

                        Make absolutely sure you fully understand by facilitating your

                        It's also important to not use any language that's accusatory.

                        Let's not come across as if we're blaming the auditee's IT staff.

                        Now, in most cases, you're not. In most cases, they're simply human beings.

                        They executed very good procedures, but something was missed. That's okay. That's why we have audits.

                        In a few rare cases, the IT staff has egregiously mismanaged security, and it is perhaps really their fault, but you still don't want to come off saying that.

                        You want them to support your audit goals and recommendations and to be on board.

            This also can involve negotiation and conflict resolution.

                        In negotiation, you have to be willing to give up something in return for something.

                        For example, you may be recommending a remediation step that the IT staff opposes. See if you can find a common ground. Now, don't compromise to the point that you've negatively impacted network security.

                        The idea of an audit is to improve the organizational security controls, not to damage them. So negotiation only goes so far, but you have to be actually involved and actively interested in compromise for negotiation to work.

            Conflict resolution often involves some of the exact same steps I've already mentioned.

                        Looking at things from the other person's perspective, communicating in such a way as to not inflame any negative emotions,

                        not being accusatory, certainly not talking down to the person or anything of that nature. You are equals. You are colleagues. And you all have the same goal in mind. That's to have a robust security posture for the organization you're auditing.

                        You're all on the same team. You may have different ideas of how to get there. You may have different opinions on the specific deficiencies that need to be addressed and how they need to be addressed, but you do have the same goal.

                        If you keep that in mind and you communicate that through your words, your body language, and your expressions, you're going to go a long way to resolving conflict.

            When you write up issues, make sure you write them up in a positive light, not an accusatory or negative light.

                        When you're writing your report, you're going to have individual issues that you believe are substandard and need remediation.

                        Think about the use of words.

                        For example, I just used the word substandard; that tends to have a negative connotation. Instead of talking about deficiencies, talk about room for improvement. Talk about ways to make the situation better, not necessarily how bad it is.

                        Now, I do not suggest that you take this to such an extreme that you're glossing over real issues.

                        Real issues need to be clearly and concisely described, but be careful in your language so that you're not using terms that are almost guaranteed to inflame a negative response from the auditee's IT staff.

Audit report:

Your report: we have a lot to say on the report. Let's start with the essentials that should be in there.

            Obviously, the organization you're auditing, who should receive a copy of this audit, and any restrictions. Now, that may sound a little odd, but audits contain a lot of confidential information.

                        We shouldn't be distributing them to just anyone. Are there restrictions on circulation?

            What was the scope of your audit?

                        Specifically, what was it you audited?

                        And I like to add anything that was expressly excluded. I want to be very clear in my audit that these items were not audited, and here's why.

                                    What were the objectives of your audit?

                                                These should be numerous; there's not just one objective, and it's not something generic like "to test security." You had very specific issues. We wanted to find out if the web server was vulnerable to these specific attacks.

                                                We wanted to check to see if the authorization and access control mechanisms were resistant to these specific attacks.

                        We wanted to find out if the database integrity steps met these regulatory requirements. Those are specific objectives.

                                                 The period of coverage: oftentimes a year; 12 months is a common one, a one-year audit, but you may do a six-month audit, a quarterly audit, a two-year audit, whatever. What was the period of coverage?

                                                The nature of your audit: the techniques you used, the overall approach, that sort of thing. The timing and extent: when did you do the audit, and how extensive was it?

                        Obviously, your findings; this needs to be quite detailed. Exactly what did you find? How did you find it? And what does it mean?

                                    Conclusions. What are your conclusions? And more particularly, your recommendations for follow-up.

                                    And particularly, the conclusions need to be supported by solid evidence. There needs to be a clear reason for these conclusions.

                                    It's not enough for it simply to be your opinion.

                                    Do you have any reservations or qualifications?

                                                For example, you might be saying that a particular security control is adequate as long as a second security control is also kept in place. There are two security controls. In our hypothetical situation, let's say a firewall and an intrusion detection system. In your opinion, the firewall is good enough.

                                                It meets standard provided the intrusion detection system is operating normally because it can make up for whatever the firewall lacks.

                                                Now, that's just a hypothetical. If you have any reservations or qualifications to your conclusions or recommendations at all, make sure you clearly state them in your report.

                                    Now, you can take these findings and conclusions and organize them in a variety of ways.

                                    One way to do that is to group them by materiality.

                                                In other words, what is this relevant to? How material is this specific conclusion or finding? Or you might group them by intended recipient.

                                    You always want to mention the specific faults and constructive corrections, but you want to do it in a non-threatening way.

                                    Yes, you have constructive corrections. Yes, there were faults, but you want to phrase it in such a way as to ensure that the IT staff doesn't feel like they're under attack.

                                    You must have evidence to support your results. And in many cases, this will be many pages of detailed data. So, it's commonplace to put those in a separate appendix.

                                    You of course have to have your overall findings, conclusion, and opinion.

                                    And absolutely, this has to be signed and dated.

                                    Make sure you keep in mind and you go over again and again appropriate communication techniques.

                                    Now, the test will ask you something about these and about reporting, but there's a limit to how much the test can cover in a written test regarding listening and verbal communication skills.

                                    If you feel you have any lack in any of these areas, it's worth your time to take a class in appropriate listening, conflict resolution, or business communication.

This concludes knowledge statement 1.9.

knowledge statement 1.10

Knowledge of audit quality assurance systems and frameworks.

This lesson is the beginning of our discussion of audit quality.

 

We will revisit that issue in subsequent lessons and it will be met again and again throughout the course.

This one will be just an introduction here.

            Remember that auditing standards are the minimum parameters or minimum requirements to be taken into account when performing an audit.

                        And keep that term minimum in mind.

                        It's always appropriate to exceed these standards. But audit standards give you a minimum level that you must achieve.

            It's important for any information systems auditor to understand the impact of the information systems environment on traditional auditing practices and techniques. This is to ensure that audit objectives are achieved.

                        Put another way, there are a number of auditing techniques and practices, some of which have been borrowed from other domains outside of information systems.

                         You need to know your specific information system environment that you're working with and how it might impact your practices and

            Control self assessments. This is going to be a major part of this particular lesson.

            In this process, the auditor is basically acting as a facilitator, assisting the business process owners in defining and assessing appropriate controls.

                        Now the IS auditor doesn't actually conduct the control self assessment.

                        The process owner does.

            The auditor helps them to take into account the risk appetite of the organization and how that control fits into the overall organizational strategy.

            This is done because process owners are often in the best place to define appropriate controls because they have an intimate knowledge of that process.

                        Consider controls designed to protect your database. Who understands those needs better than the database administrator?

            However, the IS auditor can help that process owner (in our scenario, a database administrator) understand the needs for controls based on business risk.

                        What is the business appetite for risk? What are other controls in place outside the database domain that might impact it?

                        There are a lot of broader factors the IS auditor can assist with.

Main areas of coverage

So, the main areas we're going to look at under this knowledge statement are:

            audit programs and methodologies (we'll revisit that again in more detail in later lessons),

            audit objectives,

            evaluation of audit strengths and weaknesses, and

            control self-assessments, which are the major focus of this lesson.

Now, let's stop right there.

What does a control self assessment have to do with quality assurance?

            Well, let's assume this organization in question does a full audit every year.

                        That may be inadequate. Control self assessments allow business process owners to evaluate specific controls within their domain of influence and to assure compliance with various standards at any point during the year.

                        They can do it quarterly, monthly, or as needed. That's always going to have a positive impact on the quality of your audit.

We're going to look at:

            objectives, advantages, and disadvantages of the control self-assessment,

            the auditor's role in a CSA,

            using the services of other auditors and experts, and

            the traditional versus CSA approach.

Now, before we move on, let's discuss using the services of other auditors and experts.

This is a relatively brief but important subsection of this knowledge statement.

            First of all, we might rely on other auditors, particularly if an auditor came in and recently did an audit of a specific system.

                        Let's assume you're doing a general audit of an enterprise, but just last month they had a PCI compliance audit.

                        It's probably not cost effective for you to repeat the same things that were done in the PCI compliance audit. So you might include by reference that audit in your audit report and use the conclusions of that audit to help you conduct your own audit.

                        Now obviously there's always a concern that you're relying on the product of another auditor depending on the scope and the level of reliance.

                        This doesn't need to be too great a concern. Normally, you do this when a very specific audit was recently done for a specific purpose and you're only relying a little bit on that auditor's

                        You also may frequently need to rely on experts. Let's assume in the process of your auditing, you have to check compliance on a web server. The web server is a Linux-based server running Apache.

                        You are strictly a Windows person. You know nothing about Linux or Apache other than the names.

                        It's probably inappropriate for you to audit that system without some assistance from someone more knowledgeable in Linux and Apache. This is a frequent thing in audits. You cannot know everything.

                        So, from time to time, you're going to have to rely on an expert in a specific technology field.

Control self assessment:

Now, let's start looking at CSA.

            This is a methodology used to review key business objectives.

                        Let's start with that. CSAs are limited.

                        We have a specific business objective in mind.

                        We consider only those risks associated with that specific objective and only those internal controls designed to mitigate those specific risks.

                                    Now, the CSA takes that very narrow view and gives us a formal documented process to collaborate on assessing that specific control.

                        Think for a moment about the name control self assessment.

                        We're going to look at a specific control or at most a grouping of very closely related controls. We're going to assess the efficacy of those controls as compared to some standard. And this is going to be a self assessment.

                        It's going to be conducted by the process owner that owns those controls.

            This can be a management technique used to assure stakeholders, customers, and any other relevant party that the internal control systems are reliable.

                        It's helpful in between audits. If you do an annual audit, you may wish to do a quick CSA quarterly, monthly, or as needed.

                        It can also be used to recheck very specific critical processes.

            Because it's a self assessment, it ensures employees are aware of business risk and that they're conducting periodic proactive reviews of controls.

                        The term proactive is critical. We would like these to be done on a periodic basis, not only in response to an incident.

                        Let's not wait till something negative has occurred that indicates some gap in our controls. Let's proactively evaluate. Let's not even wait for the annual review. If we have a concern, let's conduct a CSA and evaluate the controls concerned.

            Now, a CSA can involve any number of tools or techniques on a continuum of sophistication. It could be as simple as a questionnaire, or it could be a facilitated workshop involving tools, techniques, and studies.

                        The simple questionnaire, let me give you an example of that.

                        Perhaps you're doing a control self assessment on a policy that's meant to control some issue. A simple questionnaire sent to relevant employees can help you ascertain whether or not the policy is being applied.

                        In a facilitated workshop, a little more time is required because individuals related to the group of controls or the specific control in question get together.

                        The process is usually facilitated by an IS auditor, but still the process owners work together through this workshop to do a control self assessment.

objectives of a CSA

What are the objectives of a CSA? Well, let's start with leveraging the internal audit function.

                         We should have some level of internal audit functionality even if we periodically and routinely do extensive external audits.

                        With the CSA, we're taking some of that internal audit function and shifting some of the control monitoring responsibilities out to the functional areas.

                        This does two things. It distributes the workload more evenly, but it also gets the line managers who are directly working with the processes and systems in question directly in charge of monitoring the controls within their sphere of influence.

                        This can also be used to educate management on control design and monitoring. Now, the COBIT standard provides some guidance on the development of a CSA.

                        Let's take a brief look at COBIT.

                        First and foremost, you should know that COBIT was designed and developed by ISACA. Given that the CISA exam is also designed and developed by ISACA, it should come as no surprise to you to expect a great many COBIT questions on the exam.

                        What we're doing in this particular lesson is introducing you to COBIT. You're going to see much more in-depth details on COBIT as we go throughout this course.

            COBIT is an acronym for Control Objectives for Information and Related Technology.

                        ISACA first released the standard in 1996. It's been revised several times.

                        In 2005, it became an international standards organization standard called ISO-17799 2005.

                        The current version as of this video was published in 2012 and it's COBIT 5. There are 134 detailed information security controls based on 11 areas.

                        Now, you're not going to have to memorize all 134 information security controls, but you will need to have a general understanding of COBIT. And I would suggest beginning by memorizing these specific facts you see on the screen.

Benefits of CSA:

 

            Now, as an auditor, you might be a little suspicious of the control self assessment. Isn't an external auditor more objective? Well, usually they are.

            They're also more experienced at auditing. So what are our advantages of a CSA?

            Put another way, why do people do them?

            Early detection of risk may be the most important.

            Comprehensive audits can be very effective, but due to their resource intensive nature, they don't happen quickly enough.

                        You're lucky if they happen once a year, sometimes not even that often.

            A CSA can be conducted much more frequently, providing early detection of risk as opposed to waiting for the next full audit.

            This will lead to more effective and improved internal controls because the process owners that understand those processes and controls better than almost anyone else

                        are the ones assessing their controls. They're better positioned to give feedback and perhaps recommend changes.

            This gets employees involved in the auditing process which creates a more cohesive team. The employees and the auditors are working closely together.

            The employees now have a sense of ownership of the controls. They are directly auditing or at least assessing their own controls and they feel more a part of the process

            because in between major audits you're doing CSAs. You're finding and either correcting problems or perhaps establishing and confirming that controls are effective in between the audits.

            This is going to improve your audit rating process and it's going to reduce control cost. We don't wait until an incident has occurred and we don't wait till an extensive audit to identify any control deficiencies.

            We can do that at any time via CSA.

            This is also going to cause an increased communication between operations and top management because the operations personnel conducting the CSA will have to be discussing the results with upper management.

            This can lead to highly motivated employees since they're involved directly in their own control assessment. They have much more of a stake in it. They're much more motivated, much more engaged.

            This also provides assurance to both customers and other stakeholders that you are routinely checking critical controls.

            And that's a point we haven't discussed deeply enough yet.

            How do you pick the target of a CSA? You don't just check any system because although a CSA is quicker and easier than an actual audit, it still does take some time and resources.

            The way you select the target for a CSA is to pick those systems or controls you have the most concern over, based on prior risk analysis.

Disadvantages of CSA

            There are some disadvantages.

 

            Some people may think, well, if we're doing these CSAs, do we really need a full audit?

            Well, a CSA is not a replacement for audit.

            Obviously, the people doing the CSA are going to perceive this as an additional workload.

            They may already be taxed to the limit of their capabilities.

            If the employees take the time to be fully engaged, fully motivated, conduct the self assessment, come up with improvement suggestions, and they're ignored, that can be damaging to employee morale.

 

            They can begin to view their self assessments as a simple wasteful exercise and become less engaged and they'll become less effective.

 

            Inadequate motivation will limit the effectiveness in discovery of weak controls. If the people doing the self assessment are not motivated to do it or not totally engaged, then it will be ineffective.

            Now remember, in a CSA the auditor is not conducting the assessment; the process owner is. So what is the auditor's role in a CSA? It is as a control professional and assessment facilitator.

                         Basically, the management staff and the process owners are doing the CSA, not the auditor.

                        All you can do is provide expert consulting and facilitate assessments as needed, answer questions, recommend tools or techniques, that sort of thing.

CSA vs. traditional approach

So, let's look at the CSA and traditional approach.

In a traditional audit approach,

            tasks are assigned.

                        Now, some of those tasks may be assigned to employees within the organization. Most will be done by the audit staff.

 

In a CSA,

            the employees themselves are empowered, but they're also accountable for the results.

Traditional audits

            are driven by policy requirements. Period.

CSAs are

            a continuous improvement learning curve. You do them whenever it's necessary. You learn and you improve.

With a traditional audit,

            there's very limited employee participation.

With the CSA,

            there's extensive participation and training.

            That is probably the most obvious difference between a CSA and an audit.

 

 

In a traditional audit,

            there's limited stakeholder focus. The stakeholders are simply initiating the audit.

In the CSA, there's more broad stakeholder focus.

 

 

The traditional audit

            is done by auditors and other specialists.

The CSA is

            conducted by staff at all levels.

            Anyone who's directly related to the business process or the controls for that business process can be involved in a CSA.

 

 

This concludes knowledge statement 1.10.

 

knowledge statement 1.11

 

 

 Knowledge of various types of audits (internal, external, financial, etc.) and methods for assessing and placing reliance on the work of other auditors or control entities.

 

Within the scope of this knowledge statement,

we're going to examine the nuanced

differences between

            internal and external audits,

                        when one or the other is appropriate, and their weaknesses and strengths.

            We're also going to take a look at

                        specific domain audits: a financial audit, a PCI compliance audit, audits that have a very narrow scope.

            We're also going to look at criteria for relying on the work product of other auditors.

 

 

 

Now, we've looked at the strengths and weaknesses.

 

When are good times to use an internal audit?

 

 

            First of all is a pre-audit.

            If you have an external audit that could have severe repercussions if you fail it, such as regulatory compliance audits or legal compliance audits,

                        you might wish to do a pre-audit several weeks in advance so you have an opportunity to identify and correct issues before the formal audit.

 

            You may wish to check periodically to ensure that you're in compliance with various regulations, laws, and industry norms.

            If there's been an incident such as a cyber breach or virus outbreak, it's often a good idea to do at least a limited post-incident audit. That allows you to identify the extent of the breach, problem or incident, and to look and see if there are other vulnerabilities that could lead to a repetition of that same incident.

 

            If you have specific processes or systems that are often targeted, those might require internal audit.

 

 

 

 

What about external audits?

 

What are their strengths and weaknesses?

 

            The first obvious strength is they are totally unbiased. Another strength is presumably these are audit professionals.

            Their primary job function is to conduct audits.

            They've learned a lot from all of the other audits of other organizations they've conducted.

            Things that your internal team could not possibly know due to their limited exposure.

 

 

The weaknesses of an

            external audit are first and foremost cost.

                        It's expensive.

            It costs a lot to bring in external firms or teams to audit your systems.

            It's also not as easy to schedule.

            These audit teams are always conducting audits all over the country or world. You may have difficulty scheduling it exactly when you need.

            They're often used to absolutely ensure you're in compliance.

            Many industry standards and many legal requirements require that you have an external audit. So do many regulatory requirements. They insist that the audit be done externally.

 

            Also, a general overall audit of your system from an unbiased professional auditor can be an excellent way to check to see if your system is actually in compliance.

            It's not a case of whether you should use internal or external.

            You should actually use both.

            It's a case of when to use one or the other.

 

 

Specific domain audits.

 

            You might have a financial audit.

                        You're looking at those systems directly involved in financial transactions.

           

            There are sometimes regulatory audits.

                        If you're in a business that does banking or health care, you have specific regulations and you must have audits to see if you're in compliance with those regulations.

 

            If you process credit card payments,

                        the Payment Card Industry Data Security Standard (PCI DSS) requires periodic PCI audits. So, you have to have an audit, and the sole goal of that audit is to determine whether or not you're in compliance with the PCI data security standard.

 

            You might have specific IT audits.

                        For example, you may wish to audit just the

                                    web and e-commerce systems or

                                    maybe just the database systems or

                                    just network infrastructure.

                        Any item that requires attention outside of that of a general audit.

 

            There are lots of occasions where you might do a specific domain audit.

            The last category we looked at, IT specific,

                        you might do a risk analysis and determine which of your systems is most vulnerable and periodically do an internal domain specific audit for that specific system.

 

RELIANCE ON OTHER AUDITORS:

 

There are occasions when you need to rely on other auditors' work.

 

            It's always a good idea to look at

                        previous audits if their reports exist.

                        That will allow you to see if the items listed for remediation in those audits have since been addressed.

                        It will let you see if there's been a persistent problem that's existed throughout many audit periods.

                        It will allow you to compare and contrast what you find with what past auditors have found.

 

            It may be the case that you need to incorporate other audits into your audit report.

                        For example, if two months ago there was a PCI audit or an internal database specific audit, rather than repeat those audit processes and steps,

                        you might wish to incorporate them within your own audit. That's usually more cost-effective.

                        Now, one of the things you want to look out for is ensuring that you're not incorporating or relying on a past audit or other audit that wasn't appropriately done.

                       

             Any experienced auditor should be able to review an audit report and determine if it was appropriate, complete, and reliable.

                        You do that by looking at the evidence presented. Take a close look not just at the other auditor's conclusions, but the evidence he or she used to base those conclusions.

 

 

Audit factors

There are several factors to be considered in any audit,

 

 

            whether it's internal or external, domain specific, it doesn't matter.

 

            What is the audit subject?

            What's the area to be audited?

                        This needs to be quite specific. You can't say, "I just want to audit all my systems."

                        What specific things are going to be checked? This will often be a detailed inventory of the systems and processes to be audited.

 

            What are your objectives?

                        Now, this is normally not a single objective. It's a list of subobjectives. And in some cases, that can go many levels deep. You might have subobjectives to subobjectives to subobjectives.

                                    For example, your goal is to preserve the integrity of financial transactions. That's a high-level objective.

                                    Beneath that, since you do e-commerce, you want to ensure the security of your web server and the integrity of web-based transactions.

                                    Beneath that, you want to specifically test to see if your e-commerce site is vulnerable to cross-site scripting.

                                    So you can see how we have subobjectives.

 

 

            Audit scope is also important.

                        What are the constraints to audit the specific system, function, unit or period of time?

                                    In other words, you've been given a scope that may limit the time period of the audit, what systems you're going to audit, how much you can audit, how disruptive your audit can be.

                                    All of these are issues that should be taken into account when conducting any audit.

 

This concludes knowledge statement 1.11.

exam pointers for domain one

We're going to talk about some exam pointers for domain one.

 

 

And we'll talk about these for all the domains.

Do keep in mind that I'm not saying that this is all you need to know for this domain.

I'm saying these are points that are so key that if you don't know them,

you have no chance of passing the test.

So, I'm going to read some of these. I won't read every single one of them because you can read them yourself, but some bear a little comment.

 

 

 

            The auditor is a facilitator in a control self-assessment.

                        That's listed first because it's an important point to keep in mind and you'll definitely be asked about it.

 

            Control self-assessment enhances audit responsibility.

                        In other words, individuals are basically checking their own controls. Now, these are two different points about control self-assessment. You should expect to see quite a few questions about it.

 

            Number four is one of my favorites. If you don't have authentication and identification as part of your access control, you just don't have accountability at all.

 

            Responsibility and accountability can be established by use of audit trails.

                        That's point number eight. Very important to keep in mind that the whole point of an audit is checking for responsibility and accountability.

 

 

Now again, it's not important that I read these to you.

You're certainly capable of reading.

I am simply pointing out a few key ones that are of most importance.

 

 

            Identifying those high-risk areas should be one of the first things to look at when you're going to start auditing and monitoring

                        because those are the areas you need to audit.

 

Now, these next few points are all talking about risk, and

 

            risk-based auditing is an important part of the CISA and you should expect to see questions about it.

            Knowing about risks such as inherent risk,

                        known threats and their impact, things like that, is very important for the CISA exam.

            Detection of risk can be minimized by use of statistical sampling. What we mean is the work you put into detecting risk, not the actual detection.

                        So statistically sampling things allows you to detect risk without having to look at each and every thing.

 

These are just a few pointers. Really make sure you know all of the major concepts of domain one. Now you've completed domain one.

 

Case Study

 

 

 

 


 

Let's summarize what we covered.

 

            In domain one, we outlined the framework for performing an IS audit.

 

            We looked specifically at mandatory requirements, what an IS auditor's mission is, what they actually do,

            what the best practices are to have an effective IS audit, and

            the basic process of auditing.

            This is a fundamental lesson that gets you comfortable with the basic process of auditing.

            This will form the basis and the foundation for the additional lessons we'll cover in the other four domains.

 

This concludes domain one.


 

Domain 5: Protection of Information Assets (26 percent)

 

 

By the end of this domain you should be able to

 

            understand and provide assurance that the enterprise's security policies, standards, procedures and controls ensure the confidentiality, integrity and availability of information assets;

 

            detail the design, implementation and monitoring of security controls;

 

            discuss the risks associated with use of mobile and wireless devices;

 

            understand encryption techniques such as public key infrastructure and risks related to data leakage;

 

            detail network detection tools and techniques;

 

            discuss how confidential information can be stored, retrieved, transported and disposed of.

 

 

 

The following screen gives an overview of this domain. An

 

 

            information asset is a component related to the provision of accurate data or information for decision-making purposes by an entity.

            It is considered to hold value to that particular organization and should therefore be protected by ensuring confidentiality, integrity and availability (CIA).

 

 

            Examples of information assets are information or data,

                        computer application systems,

                        computers,

                        personal computers

                        (PCs, laptops, PDAs, phones),

                        networks (local area networks (LANs), wide area networks (WANs), wireless networks),

                        human resources, facilities,

                        main distribution facilities (MDFs),

                        data centers, server rooms and

                        other technologies

                        such as database technologies, among others.

 

Let us continue with the overview.

 

The risks to business include

 

            financial loss, electronic fraud,

            legal repercussions, privacy issues,

            loss of credibility or competitive edge,

            blackmail, industrial espionage,

            sabotage and

            breach of confidentiality.

 

Security failures can be costly to business,

            as more costs are incurred to secure systems and prevent further failure.

            Furthermore, costs are incurred from

            losses from the failure itself and

            when recovering from such losses.

 

 

Let us now look at

 

threats to information assets.

 

The threats to information assets

            include hackers, crackers, phreakers,

            authorized or unauthorized employees,

            IS personnel and users,

            former employees,

            interested or educated outsiders, competitors, organized criminals,

            part-time and temporary personnel,

            vendors and consultants and finally

            accidental ignorance.

 

knowledge statement 5.1

The key knowledge statement is to understand the techniques for the design of security controls, including security awareness programs.

Discussing design, implementation and monitoring:

 

                        Security needs to be aligned with business objectives to provide a reasonable reduction in risk.

 

            Security objectives may include the following:

                        ensure the continued availability of information systems;

                        ensure the integrity of information stored on its computer systems

                        and security while the information is in transit;

                                    preserve the confidentiality of sensitive data while stored and in transit;

                        ensure compliance with applicable laws, regulations and standards.

 

 

Let us continue discussing design, implementation and monitoring.

 

            Ensure adherence to trust and obligation requirements for any information assets in accordance with the applicable privacy policy or privacy laws and regulations.

 

            Prudence in the application of controls is important because controls entail a cost, either directly or indirectly by impacting on business operations.

 

            The business impact analysis (BIA) is the process used to establish the material adverse events the business should be worried about.

The main areas to cover here are

                        key elements of information security management,

            critical success factors to information security,

            inventory and classification of information assets,

            network infrastructure security.

 

 

Information Security Management

 

            Effective ISM is the most critical factor in protecting information assets and privacy. The factors that raise the profile of information and privacy risk

 

            include electronic trading through service providers and directly with customers,

            loss of organizational barriers through use of remote access facilities,

            and high-profile security exposures:

            viruses,

            denial of service (DoS) attacks,

            intrusions,

            unauthorized access,

            disclosures,

            and identity theft over the Internet, etc.

 

Security awareness and education through training and regular updates:

            written policies and procedures and updates,

            non-disclosure statements signed by employees,

            newsletters, web pages, videos and other media,

            visible enforcement of security rules,

            simulated security incidents and simulated drills,

            rewards for reporting suspicious events,

            periodic audits.

Monitoring and compliance:

            control includes an element of monitoring

            and usually relates to regulatory or legal compliance.

            Incident handling and response.

 

roles and responsibilities

 

Roles and responsibilities under information security management.

 

The security objectives to meet business requirements are

            to ensure continued availability of information systems;

            to ensure integrity of information stored in systems and while in transit;

            to preserve confidentiality of sensitive data;

            to ensure conformity to applicable laws, regulations and standards;

            to ensure adherence to trust and obligation requirements;

            to ensure protection of sensitive data.

 

Data integrity, as it relates to security objectives,

generally refers to

            accuracy, completeness, consistency or neutrality, validity and verifiability of the data once loaded on the system.

            Integrity refers to reliability of data.

 

 

Key elements of ISM:

            senior management commitment and support:

                        risk management begins at the top.

            policies and procedures:

                        the framework that captures top management's declaration of direction.

 

            organization:

                        clearly defined and allocated roles and responsibilities,

                        supplemented with guidance;

                        usually relates to regulatory or legal compliance.

 

 

 

            Roles and responsibilities must be defined, documented and communicated to personnel and management.

 

            IS security steering committee:

                        is represented by individuals from various management levels.

                       

                        It also discusses and approves security policies, guidelines and procedures with input from end users, executive management, auditors, security administration, IS personnel and legal counsel.

 

                        The committee is formally established with appropriate terms of reference.

 

Executive management

 

                        is responsible for the overall protection of information assets and for issuing and maintaining the policy framework.

 

Security advisory group

                        is responsible for defining the information risk management process and the acceptable level of risk, and for reviewing security plans.

 

                        It is comprised of people involved in the business

 

                        and provides comments on security issues to the chief security officer (CSO).

 

                        It also advises the business whether the security programs meet business objectives.

 

Chief information security officer (CISO) is

                        a senior-level corporate official

                        responsible for articulating and enforcing policies used to protect information assets.

                        He has a much broader role than the CSO, who is normally only responsible for physical security within the organization.

 

 

 

Information asset owners and data owners

 

                        are entrusted with the responsibility for the owned asset, including performance of a risk assessment, selection of appropriate controls to mitigate the risk, and acceptance of the residual risk.

 

Process owners

                        ensure appropriate security measures consistent with organizational policy are maintained.

 

Users

                        comply with procedures set out in the security policy

                        and adhere to privacy and security regulations,

                        often specific to sensitive data,

                        for example health, legal, finance, etc.

 

Chief privacy officer (CPO)

 

            is a senior-level corporate official and is responsible for articulating and enforcing policies used to protect customers' and employees' privacy rights.

 

 

External parties

                        follow procedures set out in the security policy.

                        They adhere to privacy and security regulations, often specific to sensitive data, for example health, legal, finance, etc.

 

Information security administrator

                        is a staff-level position.

                        He is responsible for providing adequate physical and logical security for IS programs, data and equipment,

                        normally guided by the information security policies.

 

Security specialists and advisors

                        assist with the design, implementation, management and review of security policies, standards and procedures.

 

IT developers

                        implement information security within their applications.

 

IS auditors

                        provide independent assurance on the appropriateness and effectiveness of information security objectives and the controls related to these objectives.

 

System access permissions

                        System access permission is the ability to do something with a computer resource: read, create, modify or delete a file or data, execute a program or use an external connection.

 

                        It is controlled at the physical and/or logical level.

                        Logical controls govern access to information and programs.

 

                        They are built into the operating system, invoked through access control software, and incorporated in application programs, databases, network control devices and utilities.

 

Physical controls

 

                        restrict entry and exit of personnel and movement of equipment and media.

                        They include badges, memory cards, keys and biometrics.

 

                        Access is granted on a documented need-to-know basis with a legitimate business requirement, based on least privilege and on segregation of duties principles.

                        Access principles relate to four layers of security, namely

 

                        network,

                                    platform (typically the operating system),

                                    database

                                    and

                                    application.

 

Mandatory and discretionary access controls

                        The mandatory access controls (MACs) are logical access controls

                        that cannot be modified by normal users or data owners.

 

                        They act by default

 

                        and are used to enforce critical security without possible exception.

 

                        Only administrators can grant a right of access, guided by an established policy of the organization.

 

 

Discretionary access controls (DACs)

 

                        are controls that may be configured or modified by the users or data owners.

 

                        Access may be activated or modified by a data owner.

 

                        DACs cannot override MACs,

                        and they act as additional filters to restrict access further.
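As an added example (not from these notes or any ISACA material), the Python sketch below models the MAC/DAC relationship just described together with the need-to-know principle from the physical controls section: sensitivity labels that only an administrator may change, an owner-managed ACL, and a decision rule in which a DAC grant can narrow access but never override a MAC denial. The label order, the no-read-up/no-write-down rule, and all names and files are constructed assumptions.

```python
"""Toy access decision combining mandatory labels (MAC) with an owner ACL (DAC).

Constructed example: labels, subjects and resource names are made up.
"""
from dataclasses import dataclass, field

# Ordered sensitivity labels used by the MAC layer (assumed ordering).
LEVELS = {"PUBLIC": 0, "INTERNAL": 1, "CONFIDENTIAL": 2, "RESTRICTED": 3}


class PolicyError(Exception):
    """Raised when a subject tries to change a control it does not own."""


@dataclass
class Subject:
    name: str
    clearance: str          # MAC attribute; assigned by an administrator only
    is_admin: bool = False


@dataclass
class Resource:
    name: str
    owner: str
    classification: str     # MAC label; changed by an administrator only
    acl: dict = field(default_factory=dict)   # DAC: subject name -> {"read", ...}


def mac_allows(subject: Subject, resource: Resource, action: str) -> bool:
    """Mandatory rule, applied first and without exception (assumed BLP-style)."""
    s, o = LEVELS[subject.clearance], LEVELS[resource.classification]
    if action == "read":
        return s >= o       # no read-up
    if action == "write":
        return s <= o       # no write-down: higher-label data must not flow down
    return False            # unknown actions are denied by default


def dac_allows(subject: Subject, resource: Resource, action: str) -> bool:
    """Discretionary rule: the owner has full rights; others need an ACL entry."""
    if subject.name == resource.owner:
        return True
    return action in resource.acl.get(subject.name, set())


def is_allowed(subject: Subject, resource: Resource, action: str) -> bool:
    """DAC is an additional filter: it can only remove access MAC already permits."""
    return mac_allows(subject, resource, action) and dac_allows(subject, resource, action)


def set_classification(actor: Subject, resource: Resource, label: str) -> None:
    """MAC labels are outside the reach of normal users and data owners."""
    if not actor.is_admin:
        raise PolicyError(f"{actor.name} is not an administrator; MAC labels are fixed")
    if label not in LEVELS:
        raise PolicyError(f"unknown label: {label}")
    resource.classification = label


def grant(actor: Subject, resource: Resource, grantee: Subject, action: str) -> None:
    """DAC grant: only the data owner (or an administrator) edits the ACL."""
    if actor.name != resource.owner and not actor.is_admin:
        raise PolicyError(f"{actor.name} does not own {resource.name}")
    resource.acl.setdefault(grantee.name, set()).add(action)


def demo() -> dict:
    """Walk through the scenarios the notes describe and return each decision."""
    admin = Subject("admin", "RESTRICTED", is_admin=True)
    alice = Subject("alice", "CONFIDENTIAL")        # data owner
    bob = Subject("bob", "INTERNAL")                # cleared below the label
    carol = Subject("carol", "RESTRICTED")          # cleared above the label
    ledger = Resource("ledger.xlsx", owner="alice", classification="CONFIDENTIAL")
    out = {}
    out["bob_read_initial"] = is_allowed(bob, ledger, "read")            # MAC denies
    grant(alice, ledger, bob, "read")                                    # owner tries to help
    out["bob_read_after_dac_grant"] = is_allowed(bob, ledger, "read")    # still denied
    out["carol_read_no_acl"] = is_allowed(carol, ledger, "read")         # MAC ok, DAC filters
    grant(alice, ledger, carol, "read")
    grant(alice, ledger, carol, "write")
    out["carol_read_after_grant"] = is_allowed(carol, ledger, "read")    # both layers agree
    out["carol_write_after_grant"] = is_allowed(carol, ledger, "write")  # MAC blocks write-down
    out["alice_write_own"] = is_allowed(alice, ledger, "write")          # owner, same label
    try:
        set_classification(bob, ledger, "PUBLIC")
        out["bob_relabel"] = "allowed"
    except PolicyError:
        out["bob_relabel"] = "refused"                                   # only admins relabel
    set_classification(admin, ledger, "INTERNAL")
    out["bob_read_after_admin_relabel"] = is_allowed(bob, ledger, "read")
    return out


if __name__ == "__main__":
    for check, decision in demo().items():
        print(f"{check}: {decision}")
```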

 

privacy management issues and role of is Auditors

 

 

 

Privacy issues

                        relate to personally identifiable information,

                                    for example a personal identification number (PIN).

 

Regulations generally

                        restrict use of such data by

                        giving the subject individual rights to access and correct that data.

 

                        They also govern how such data is obtained, requiring knowledge and consent of the data subject.

 

Impact of risks,

                        including marketing risks,

                        transborder data flow and variations in regulations,

                        may require privacy experts during risk assessment.

 

The goals of a privacy impact assessment are

 

                        identifying the nature of personally identifiable information relating to business processes;

                        documenting the collection, use, disclosure, storage and destruction of

 

                        providing management with an understanding of privacy risk and options to mitigate this risk;

                        ensuring accountability for privacy and facilitating compliance with relevant regulations.

 

IS audit considerations relating to privacy

            include adequacy of privacy assessment,

                        for example compliance with privacy policy, laws and other regulations,

                        and the manner in which it is used for competitive gain.

 

            Another consideration is the ongoing assessments conducted when new products, services, systems, operations, processes and third parties are under consideration.

 

            Besides, transborder and multinational laws should also be considered.

 

Focus and extent of a privacy impact assessment may depend on changes in technology, processes or people, as shown below.

 

Information security and external parties

Human resources security and third parties

 

                        Security roles and responsibilities of employees, contractors and third-party users should be defined and documented in accordance with the organizational security policy.

                        Information security policies guide employees, contractors and third-party users.

 

Information security and external parties

                       

                        Security of information and processing facilities must be maintained when external party services or products are introduced.

                        Controls must be agreed to and defined in a formal agreement.

                        The organization must have the right to audit the implementation and operations.

 

External party arrangements include

                        service providers (ISPs, network providers),

                        managed security services,

                        customers,

                        outsourcing facilities and/or operations (IT systems, data collection services),

                        management and business consultants and auditors,

                        developers and suppliers,

                        cleaning, catering

                        and other outsourced support services.

                        Others include temporary personnel, student placements and other casual short-term appointments.

 

The risks related to external party access concern information processing facilities required to be accessed by external parties.

 

            These types of access include

 

            physical access,

            logical access,

            network connectivity between the organization and the external party,

            value and sensitivity of the information involved and its criticality for business operations,

            and

            legal and other regulatory requirements.

 

 

Security in relation to customers involves identifying security requirements for customer access.

                        The customer access security considerations:

                        asset protection;

                        description of product or service to be provided;

                        reasons, requirements and benefits for customer access;

                        access control policy;

                        arrangements for reporting, notification and investigation of information inaccuracies;

                        target levels of service and unacceptable levels of service;

                        right to monitor and revoke any activity related to an organization's assets;

 

                        intellectual property rights and copyright assignment.

 

knowledge statement 5.2

monitoring and responding to security incidents

 

Key knowledge point is the processes related to monitoring and responding to security incidents, for example escalation procedures and the emergency incident response team.

 

 

                        A formal incident response capability should be established to minimize the impact of security incidents, recover in a timely and controlled manner, and learn from such incidents. History should be kept through proper recording of incidents.

 

                        While security management may be responsible for monitoring and investigating events, and may have drafted or set a requirement for escalation procedures, other functions must be involved to ensure proper response.

                        These functions must have well-defined and communicated processes in place that are tested periodically.

 

The main areas covered here are

                        security incident handling and response.

 

 

Incident handling and response

                        An incident is an adverse event that threatens some aspect of information security. To minimize damage from security incidents, and to recover and learn from such incidents, a formal incident response capability has to be established. It includes

 

                        planning and preparation,

                        detection,

                        initiation,

                        recording,

                        evaluation,

                        containment,

                        eradication,

                        escalation,

                        response,

                        recovery,

                        closure

                        and

                        post-incident review.

 

Incident handling and response

 

                        Procedures are defined for reporting different types of incidents.

                        The process involves quick reporting and collection of evidence,

                        a formal disciplinary process and,

                        where applicable, automated intrusion detection systems.

 

incident handling and response roles involve

 

                        coordinator who is the liaison to business process owners

                        director who oversees incident response capability

                        managers who manage individual incidents

                        security Specialists that detect investigate contain and recover from incidents

                        non-security technical Specialists that provide assistance on subject matter expertise

                        business unit leader liaison which include legal HR and PR

 

knowledge statement 5.3

logical access controls

knowledge point to learn here: logical access controls for the identification, authentication and restriction of users to authorized functions and data

    logical access controls are used to manage and protect information assets; controls enact and substantiate the policies and procedures designed by management to protect information assets
    controls exist at both the operating system level and the application level, so it is important to understand logical access controls as they apply to systems that may reside on multiple operating system platforms and involve more than one application system or authentication point

logical security

    is often determined based on the job function of users; the success of logical access controls is tied to the strength of the authentication method, for example strong passwords
    all user access to systems and data should be appropriately authorized and should be commensurate with the role of the individual
    authorization generally takes the form of signatures, physical or electronic, of relevant management
    the strength of the authentication is proportional to the quality of the method used; strong authentication may include dual or multifactor authentication using user ID, password, tokens and biometrics

the main areas covered here are

    logical access

logical access controls are the primary means used to manage and protect information assets

    the exposures that result from inadequate logical access controls can range from minor inconveniences to a total shutdown of computer functions

logical access controls

    involve managing and controlling access to information resources
    they are based on management policies and procedures for information security
    logical access controls must be evaluated vis-a-vis information security objectives
    familiarization with the IT environment
        helps in determining which areas, from a risk standpoint, warrant IS auditing attention
        this includes reviewing the security layers associated with the IS architecture: network, OS, database, application

paths of logical access: points of entry to the IS infrastructure

    back-end and front-end systems
    internally based users
    externally based users and direct access to specific servers
    all points of entry must be known

general points of entry

    relate to the network or telecom infrastructure in controlling access to information resources
    in a typical client server environment these are the primary domain controllers and the network management devices, for example routers and firewalls

general modes of access

    network connectivity and remote access, that is, remotely dialing into a network for services that can be performed remotely, for example email

traditional points of entry

    mainly applicable to mainframe based systems used for large database systems or legacy applications

operator console

    these are privileged computer terminals that control most computer operations and functions
    they provide a high level of system access but do not have strong logical access controls
    the console is located in a suitably controlled facility so that physical access can only be gained by authorized personnel

online workstations in client server environments

    this method typically requires at least a logon ID and password to gain access to the host computer system
    it may also require further entry of authentication or identification data for access to application specific systems

IS resources are more accessible and available anytime and anywhere

    computers store large volumes of data
    sharing of resources from one system to another has increased
    and accessibility has increased through the intranet and internet

logical access control software

    has become critical in protecting IS resources
    it prevents unauthorized access to and modification of sensitive data and use of critical functions
    it is applied across all layers of the IS architecture: network, OS, DBMS and applications

common attributes

    of this software are that it has some form of identification and authentication
    provides access authorization
    it also checks access to specific information resources
    and provides logs and reporting of user activities

the greatest degree of protection is applied at the network and platform (OS) level

    mainly because it is the primary point of entry to systems
    besides, it is the foundation (primary infrastructure) on which applications and DBMSs reside
    also, OS access control software interfaces with databases and/or applications to protect system libraries and data sets
    network devices, for example routers and firewalls, manage external access to networks and thus need the highest degree of protection

general OS/application access control software functions

    include creating or changing user profiles
    assigning user identification and authentication
    applying user logon limitation rules, for example restricting logon IDs to specific workstations at specific times
    establishing rules for access to specific resources
    creating individual accountability and auditability by logging user activities
    logging events and
    reporting capabilities

at the data, database or application level

    the software creates or changes data files and database profiles
    it also verifies user authorization at the application and transaction level, within the application, and at the field level for changes within the database
    it also verifies subsystem authorization for the user at the file level
    in addition it logs database/data communications access activities for monitoring access violations

knowledge statement 5.4

security controls related to hardware and system software

knowledge of the security controls related to hardware and system software, for example applications, operating systems and database management systems

    access control software utilizes both identification and authentication (I&A)
    once authenticated, the system then restricts access based on the specific role of the user
    I&A is the process by which the system obtains an identity from a user and the credentials needed to authenticate that identity, and validates both pieces of information
    I&A is a critical building block of computer security since it is needed for most types of access control and is necessary for establishing user accountability
    for most systems I&A is the first line of defense because it prevents unauthorized access by unauthorized users or processes to a computer system or an information asset

security controls related to hardware and system software:

logical access can be implemented in various ways

    the IS auditor should be aware of the strengths and weaknesses of various architectures, such as single sign on (SSO), where a single authentication enables access to all authorized applications, identity management, and multifactor authentication
    if this risk is considered manageable, it should drive the implementation of multifactor authentication

the main areas covered here are

    identification and authentication
    single sign on

identification and authentication

    involves proving one's identity, which is authenticated prior to being granted access
    it is a critical building block of IS security
        it is the basis of most access control systems and the first line of defense, preventing unauthorized access
        I&A also establishes user accountability, linking activities to users

multifactor authentication

    is a combination of more than one method, for example
        token and password or PIN, or
        token and biometric device

categories

    can be something you know, for example a password
    something you have, for example a token card
    something you are or do, a biometric feature, or
    where you are

these techniques can be used independently or in combination: single factor or two-factor authentication

some of the common vulnerabilities expected are

    weak authentication methods
    potential for bypassing the authentication mechanism
    lack of confidentiality and integrity of stored authentication information
    lack of encryption for transmitted authentication information
    lack of user knowledge regarding the risks of sharing authentication elements, for example passwords

identification and authentication: logon IDs and passwords

logon IDs and passwords

    is a two-phase user identification/authentication process based on something you know
        logon ID: individual identification
        password: individual authentication
    it is used to restrict access to computerized information, transactions, programs and system software
    it may involve an internal list of valid logon IDs and a corresponding set of access rules for each logon ID
    the access rules can be specified at OS level, controlling access to files, or within individual applications, controlling access to menu functions and types of data

features of passwords

    include: easy for the user to remember but difficult for a perpetrator to guess
    when the user logs on for the first time the system should force a password change to improve confidentiality
    limited number of logon attempts, typically three
    user verification for forgotten passwords
    internal one-way encryption, and not displayed in any form
    changed periodically, for example every 30 days
    unique: if it is known by more than one person, responsibility for activity cannot be enforced

password syntax (format) rules

    ideally a minimum of eight characters in length; a combination of at least three of the following: alphabetic upper case, alphabetic lower case, numeric and special characters; some prohibit the use of vowels; not particularly identifiable to the user
    the system should enforce regular change of passwords, for example after every 30 days
    no reuse of previous passwords, for example for at least one year after being changed
    deactivate dormant logon IDs
    automatic session inactivity timeouts
    powerful user IDs/accounts such as supervisor and administrator accounts should be strictly controlled
        these could have full access to the system
    the administrator password should be known only by one person
        however, the password should be kept in a sealed envelope for business continuity
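As an added example (not part of these notes), the password features and syntax rules above turned into a small policy evaluator in Python: the eight-character minimum, the three-of-four character class rule, the logon-ID check, the 30-day age, the one-year reuse window and the three-attempt limit are the rules from the notes; the salted SHA-256 used for the password history and the sample values are constructed stand-ins.

```python
"""Password policy evaluator built from the rules in the notes above.
Constructed example: the salted SHA-256 used for the history is a stand-in;
a production system stores passwords with a purpose-built slow password hash."""
import hashlib
import os
import string
from datetime import date, timedelta

MIN_LENGTH = 8           # "ideally a minimum of eight characters"
MIN_CLASSES = 3          # at least three of: upper, lower, numeric, special
MAX_AGE_DAYS = 30        # "changed periodically, for example every 30 days"
REUSE_WINDOW_DAYS = 365  # "no reuse ... for at least one year"
MAX_LOGON_ATTEMPTS = 3   # "limited number of logon attempts, typically three"


def character_classes(password):
    """Return the set of character classes the password draws on."""
    classes = set()
    for ch in password:
        if ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.digits:
            classes.add("digit")
        else:
            classes.add("special")
    return classes


def syntax_violations(password, logon_id):
    """Check the syntax/format rules; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if len(character_classes(password)) < MIN_CLASSES:
        problems.append("fewer than %d character classes" % MIN_CLASSES)
    # "not particularly identifiable to the user": reject passwords built on the logon ID
    if logon_id.lower() in password.lower():
        problems.append("contains the logon ID")
    return problems


def hash_password(password, salt):
    """One-way transformation for storage: the clear password is never kept."""
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def is_reused(candidate, history, today):
    """history holds (date_set, salt, digest) tuples of earlier passwords.
    A candidate matching any password set inside the reuse window is refused."""
    for date_set, salt, digest in history:
        if today - date_set <= timedelta(days=REUSE_WINDOW_DAYS):
            if hash_password(candidate, salt) == digest:
                return True
    return False


def is_expired(last_changed, today):
    """Periodic change rule: the password must be replaced after MAX_AGE_DAYS."""
    return today - last_changed > timedelta(days=MAX_AGE_DAYS)


def should_lock(failed_attempts):
    """Lockout rule: the logon ID is disabled once the allowed failures are used up."""
    return failed_attempts >= MAX_LOGON_ATTEMPTS


def change_password(logon_id, candidate, history, today):
    """Full check of a password change request; returns (accepted, reasons).
    On success the new password is appended to the history as a salted digest."""
    reasons = syntax_violations(candidate, logon_id)
    if is_reused(candidate, history, today):
        reasons.append("reused within %d days" % REUSE_WINDOW_DAYS)
    if reasons:
        return False, reasons
    salt = os.urandom(16)
    history.append((today, salt, hash_password(candidate, salt)))
    return True, []


if __name__ == "__main__":
    # constructed sample: one earlier password, set five months ago
    today = date(2024, 6, 1)
    salt = b"constructed-salt"
    history = [(date(2024, 1, 1), salt, hash_password("Winter2024!", salt))]
    print(change_password("jsmith", "Winter2024!", history, today))  # rejected: reuse
    print(change_password("jsmith", "jsmith2024!", history, today))  # rejected: logon ID
    print(change_password("jsmith", "Tr0ub4dor&3", history, today))  # accepted
    print(is_expired(date(2024, 4, 1), today))                        # True
```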

 

 

passwords, token devices and one-time passwords

    is a two-factor authentication technique
        for example a microprocessor-controlled smart card which generates unique, time-dependent one-time passwords called session passwords
    this is good for only one logon session
    the users enter this password along with the password they have memorized to gain access to the system
    it is characterized by a unique session characteristic (ID or time) appended to the password
    the technique involves something you have (a device, subject to theft) and something you know (a PIN)
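An added example, not from these notes, of the host side of the scheme just described: the card's time-dependent session password is combined with a memorized PIN, and a session password is accepted for one logon only. The one-minute time step, six digits, one step of clock drift and the HMAC-based derivation are assumptions of this example.

```python
"""Token device + memorized PIN verification, modelled on the session-password
scheme in the notes. Added example: the one-minute time step, six digits and
the HMAC-based derivation are assumptions, not details from the notes."""
import hashlib
import hmac
import os
import struct

TIME_STEP_SECONDS = 60      # the card shows a fresh session password each minute
OTP_DIGITS = 6
ALLOWED_DRIFT_STEPS = 1     # tolerate one step of clock skew between card and host


def session_password(secret, unix_time):
    """Time-dependent one-time password derived from the card's secret key."""
    counter = unix_time // TIME_STEP_SECONDS
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    # dynamic truncation: the low nibble of the last byte selects a 4-byte window
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (OTP_DIGITS, code % 10 ** OTP_DIGITS)


def _hash_pin(pin, salt):
    """PINs are stored one-way, never in clear (constructed stand-in hash)."""
    return hashlib.sha256(salt + pin.encode("utf-8")).digest()


class TokenAuthenticator:
    """Host-side verifier: something you know (PIN) plus something you have (card)."""

    def __init__(self):
        self.users = {}

    def enrol(self, user, pin, token_secret):
        salt = os.urandom(16)
        self.users[user] = {
            "salt": salt,
            "pin_hash": _hash_pin(pin, salt),
            "secret": token_secret,
            "last_counter": -1,     # highest time step already used for a logon
        }

    def verify(self, user, pin, otp, unix_time):
        """Return (accepted, reason). Both factors must pass, and a session
        password is good for one logon only, so a replayed one is refused."""
        rec = self.users.get(user)
        if rec is None:
            return False, "unknown user"
        if not hmac.compare_digest(_hash_pin(pin, rec["salt"]), rec["pin_hash"]):
            return False, "wrong pin"
        counter = unix_time // TIME_STEP_SECONDS
        for drift in range(-ALLOWED_DRIFT_STEPS, ALLOWED_DRIFT_STEPS + 1):
            step = counter + drift
            if step <= rec["last_counter"]:
                continue    # already consumed: "good for only one logon session"
            expected = session_password(rec["secret"], step * TIME_STEP_SECONDS)
            if hmac.compare_digest(expected, otp):
                rec["last_counter"] = step
                return True, "ok"
        return False, "wrong or reused session password"


if __name__ == "__main__":
    # constructed demo: enrol a user, log on once, then replay the same code
    secret = b"constructed-card-secret"
    auth = TokenAuthenticator()
    auth.enrol("jsmith", "4711", secret)
    now = 1_700_000_000
    code = session_password(secret, now)
    print(auth.verify("jsmith", "4711", code, now))        # (True, 'ok')
    print(auth.verify("jsmith", "4711", code, now + 5))    # replay refused
```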

 

identification and authentication: biometric access control

biometric security access control

    is the best means of authenticating a user's identity based on a unique, measurable attribute or trait for verifying the identity of a human being
    it restricts computer access based on a physical (something you are) or behavioral (something you do) feature of the user, for example a fingerprint or retina pattern
    a reader interprets the individual's biometric features before permitting authorized access
    however, it is not a foolproof process; certain biometric features can change, for example scarred fingerprints or a change in voice
    the final template is derived through an iterative averaging process of acquiring samples

physically oriented biometrics are

    palm
    hand geometry
    iris
    retina
    fingerprint
    face

behavior oriented biometrics

    can be signature recognition and
    voice recognition

single sign on (SSO)

    SSO is a consolidation of the organization's platform-based administration, authentication and authorization functions
    it interfaces with
        client server and distributed systems
        mainframe systems and
        network security including remote access
    the primary domain handles the first instance where user credentials are entered and
    the secondary domain is any other resource that uses these credentials

single sign on (SSO) challenges

    overcoming the heterogeneous nature of diverse architectures: networks, platforms, databases and applications
    requires understanding of each system's authorization rules, audit logs and ports
    allowing host systems to control the set of users allowed access to particular host systems

SSO advantages

    multiple passwords not required; users are motivated to select stronger passwords
    efficiency in managing users and their authorizations
    reduced administrative overhead for resetting passwords
    efficiency of disabling/deactivating user accounts
    reduced logon time

SSO disadvantages

    single point of network failure
    few software solutions accommodate all major OSs
    substantial interface development required; development is costly

logical access security administration

logical access security administration can be centralized or decentralized

advantages of decentralized administration

    administration on site at the distributed location
        timely resolution of issues
        more frequent monitoring
    controlling remote and distributed sites
        software access controls
        physical access controls: lockable terminals, locked computer rooms
        control over dial-in facilities, modems, laptops
        controls over access to system documentation
        controls over data transmission: access, accuracy, completeness
        controls over replicated files and their updates: accuracy and reduced duplication

risks associated with decentralized administration

    local standards rather than organizational ones may be implemented
    the level of security management may be below that of the central site
    unavailability of management checks and audits by the central site

remote access security

    the business need for remote access is to provide users with the same functionality that exists within their offices; the components of remote access are
        remote environment: employees, branches, laptops
        telecommunication infrastructure: the carrier used
        corporate computing infrastructure: corporate connecting devices, communication software

remote access risks could be

    denial of service
    malicious third party access
    misconfigured communication software
    misconfigured devices
    host systems not secured appropriately and
    physical security weaknesses at the remote stations

remote access methods

    are analog modems and the public telephone network
    dedicated network connections (proprietary circuits) and
    TCP/IP internet-based remote access

the remote access controls are

    policy and standards
    proper authorization
    identification and authentication mechanisms
    encryption tools and techniques
    system and network management

PDAs and mobile technology

    PDAs augment desktops and laptops due to their ease of use and functionality
    the inherent risks are that they are
        easy to steal, easy to lose, and give ready access to the information stored
    access issues with mobile technologies include
        flash disks and
        controls

control issues to address are

    compliance with policies and procedures, including approval for PDA use
    awareness of responsibilities and due care
    compliance with security requirements
    authorization and approval of use
    standard PDA applications, authorized and licensed
    synchronization, backup and updating
    encryption
    virus detection and control
    device registration
    camera use

audit logging in monitoring system access

    most access control software automatically logs and reports all access attempts, successes and failures
    it provides management with an audit trail to monitor activities
    it facilitates accountability
    access rights to system logs
        should be for review purposes and
        this is a form of security against modification

the tools for analysis of audit log information

    audit reduction tools: filter out insignificant data
    trend/variance detection tools
    attack signature detection tools
    reviewing audit logs
        monitors patterns or trends and
        violations and/or use of incorrect passwords
    restricting and monitoring access features that bypass security
        accessed by software programmers, including
            bypass label processing (BLP)
            system exits and
            special system logon IDs
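An added example, not from these notes, that runs the three kinds of review just listed over a constructed access-control log: audit reduction (dropping insignificant records), detection of repeated incorrect-password logon failures against the three-attempt limit, and flagging use of bypass features and special system logon IDs. The log format, the event names, the ID names and the five-minute window are assumptions of this example.

```python
"""Audit log review over constructed sample records: audit reduction, failed
logon (incorrect password) violation detection, and flagging use of features
that bypass security. Added example; log format and thresholds are assumed."""
from collections import defaultdict
from datetime import datetime, timedelta

# constructed sample of what access control software might log:
# timestamp, host, event, then key=value fields
SAMPLE_LOG = """\
2024-03-01T08:00:01 host1 LOGON user=jsmith result=SUCCESS src=10.1.1.5
2024-03-01T08:00:05 host1 FILEREAD user=jsmith result=SUCCESS src=10.1.1.5 object=payroll.dat
2024-03-01T08:01:10 host1 LOGON user=bkane result=FAILURE src=10.1.1.9 reason=BADPASSWORD
2024-03-01T08:01:20 host1 LOGON user=bkane result=FAILURE src=10.1.1.9 reason=BADPASSWORD
2024-03-01T08:01:33 host1 LOGON user=bkane result=FAILURE src=10.1.1.9 reason=BADPASSWORD
2024-03-01T08:05:00 host1 LOGON user=SYSPROG result=SUCCESS src=10.1.1.20
2024-03-01T08:05:30 host1 BLP user=SYSPROG result=SUCCESS src=10.1.1.20 object=MASTER.DS
2024-03-01T09:00:00 host1 HEARTBEAT user=- result=SUCCESS src=-
"""

INSIGNIFICANT_EVENTS = {"HEARTBEAT"}          # removed by audit reduction
BYPASS_EVENTS = {"BLP", "SYSEXIT"}            # bypass label processing, system exits
SPECIAL_SYSTEM_IDS = {"SYSPROG", "SYSADM"}    # special system logon IDs (assumed names)
MAX_FAILED_LOGONS = 3                         # "limited number of logon attempts, typically three"
FAILURE_WINDOW = timedelta(minutes=5)         # assumed window for counting failures


def parse_log(text):
    """Turn each log line into a dict; malformed lines are skipped, not guessed."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        rec = {"time": datetime.fromisoformat(parts[0]), "host": parts[1], "event": parts[2]}
        for field in parts[3:]:
            if "=" in field:
                key, value = field.split("=", 1)
                rec[key] = value
        records.append(rec)
    return records


def reduce_audit(records):
    """Audit reduction: remove records that carry no security significance."""
    return [r for r in records if r["event"] not in INSIGNIFICANT_EVENTS]


def failed_logon_violations(records):
    """Users who produced MAX_FAILED_LOGONS logon failures inside FAILURE_WINDOW."""
    failures = defaultdict(list)
    for r in records:
        if r["event"] == "LOGON" and r.get("result") == "FAILURE":
            failures[r.get("user", "-")].append(r["time"])
    violators = []
    for user, times in failures.items():
        times.sort()
        for i in range(len(times) - MAX_FAILED_LOGONS + 1):
            if times[i + MAX_FAILED_LOGONS - 1] - times[i] <= FAILURE_WINDOW:
                violators.append(user)
                break
    return violators


def bypass_feature_use(records):
    """Attack-signature style check: use of bypass features or special system IDs."""
    return [r for r in records
            if r["event"] in BYPASS_EVENTS or r.get("user") in SPECIAL_SYSTEM_IDS]


if __name__ == "__main__":
    records = reduce_audit(parse_log(SAMPLE_LOG))
    print("records after reduction:", len(records))                     # 7
    print("failed logon violations:", failed_logon_violations(records))  # ['bkane']
    for r in bypass_feature_use(records):
        print("review:", r["time"], r["user"], r["event"], r.get("object", ""))
```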

 

knowledge statement 5.5

risks and controls associated with virtualized systems

knowledge of risks and controls associated with virtualization of systems

    virtualization provides an organization with a significant opportunity to increase efficiency and decrease costs in its IT operations
    the IS auditor needs to know the different advantages and disadvantages and needs to consider whether the enterprise has considered the applicable risks in its decision to adopt, implement and maintain this technology
    at a high level, virtualization allows multiple operating systems (OSs, or guests) to coexist on the same physical server (host) in isolation of one another
    virtualization creates a layer between the hardware and the guest OSs to manage shared processing and memory resources on the host machine
    a management console often provides administrative access to manage the virtualized system
    virtualization introduces additional risks that the enterprise must manage effectively
    a key risk is that the host represents a single point of failure within the system; a successful attack on the host could result in a compromise very large in impact

main areas covered here are

    virtualization

knowledge statement 5.6

network security controls

knowledge of the configuration, implementation, operation and maintenance of network security controls

    enterprises can effectively prevent and detect most attacks on their networks by employing perimeter security controls
    firewalls and intrusion detection systems (IDS) provide protection and critical alert information at borders between trusted and untrusted networks
    proper implementation and maintenance of firewalls and IDS is critical to a successful defense-in-depth security program
    the IS auditor must understand the level of intruder detection provided by the different possible locations of the IDS, and the importance of policies and procedures to determine the action required by security and technical staff when an intruder is reported

main areas covered here are

    internet threats and security

network infrastructure security

    the table demonstrates network infrastructure security

auditing use of the internet involves ensuring a business case for

    email communication
    marketing/customer communication
    sales channel or e-commerce
    channel for delivery of goods and services: online stores, internet banking, and
    information gathering/research

auditing networks

    review network diagrams
        to identify networking infrastructure and
        network design
    also review network management policies, procedures, standards and guidance distributed to staff
    besides, identify responsibility for security and operation and
    review staff training, duties and responsibilities
    further review legal issues regarding the use of the internet,
    service level agreements with third parties and
    network administrator procedures

auditing remote access

    involves identifying all remote access facilities and ensuring they have been documented
    review policies governing the use of remote access
    review the architecture, identifying points of entry and assessing their controls
    test dialup access controls
    review in relation to business requirements

general network controls are

    functions performed by technically qualified operators
    these functions are separated and rotated regularly
    apply least privilege access rights for operators
    the audit trail of operator activities must be periodically reviewed by management
    network operation standards must be documented
    a review of workload balance, response times and system efficiency must also be performed
    further consider
        terminal authentication and
        data encryption

some of the network management control software includes Novell NetWare, Windows NT/2000 and Unix

knowledge statement 5.7

network and internet security devices, protocols and techniques

knowledge of network and internet security devices, protocols and techniques

    application and evaluation of technologies to reduce risk and secure data is dependent on a proper understanding of security devices, their functions, and the protocols used in delivering that functionality
    an organization implements specific applications of cryptographic systems in order to ensure the confidentiality of important data
    there are a number of cryptographic protocols which provide secure communications on the internet
    additionally, the security landscape is filled with technologies and solutions to address many needs; solutions include firewalls, intrusion detection and prevention devices, proxy devices, web filters, antivirus and anti-spam filters, data leak protection functionality, identity and access control mechanisms, secured remote access and wireless security
    understanding a solution's function and its application to the underlying infrastructure requires knowledge of the infrastructure itself and the protocols in use

main areas covered here are

    encryption
    network infrastructure security

firewalls

a firewall is a security perimeter for corporate networks connecting to the internet, aimed at
    preventing external intruders and
    untrusted internal users (internal hackers)
it applies rules to control network traffic flowing in and out of a network
    allowing users to access the internet and
    stopping hackers or others on the internet from gaining access to the network
the guiding principle used is least privilege (need-to-use basis)

general firewall features include

    a combination of hardware (routers, servers) and software
    it should control the most vulnerable point between a corporate network and the internet

general functions of firewalls

    include blocking access to particular sites
    limiting traffic on public services to relevant ports
    preventing access to certain servers and/or services
    monitoring and recording communication between internal and external networks
        network penetration, internal subversion
    encryption and VPN and
    a single choke point, concentrating security on a single system

the techniques used to control traffic are

    service control: IP address, TCP port
    direction control: direction of traffic
    user control: based on user rights
    behavior control: based on how services are being used, for example filtering email for spam

types of firewalls

the types of firewalls are

    router packet filtering
    application firewall systems and
    stateful inspection firewalls

a router packet filtering firewall is

    deployed between the private network and the internet
    screening routers examine packet headers to ascertain the IP address (identity) of the sender and receiver and
    the authorized port numbers allowed to use the information transmitted (the kind of internet service being used)
    this information is used to prevent certain packets from being sent between the network and the internet

the common attacks against packet filtering are

    IP spoofing
    source routing specification and
    miniature fragment attack

this method is

    simple and
    stable

the demerit is that it is

    easily weakened by improperly configured filters
    also, it is unable to prevent attacks tunneled over a permitted service

the diagram in the slide describes this type of firewall

application firewall systems

this type of firewall

    allows information flow between internal and external systems but does not allow direct exchange of packets
    host applications must be secured against threats posed by allowed packets
    they rest on hardened operating systems, for example Windows NT, Unix
    it works on the application layer of the OSI model
    the firewall analyzes packets through a series of proxies, one for each service
        there are two types
            application level firewalls and
            circuit level firewalls

application level firewalls

    analyze packets through a series of proxies, one for each service

circuit level firewalls

    validate TCP and UDP sessions through a single general purpose proxy

the diagram in the slide demonstrates this

application firewall systems are

    set up as proxy servers acting on behalf of network users
    they employ bastion hosts, and a bastion host
        is heavily fortified against attack
        handles all incoming requests from the internet to the network
        as a single host makes security maintenance easier, since only the firewall system is compromised, not the network

types of firewalls and firewall issues

stateful inspection firewalls

    track the destination IP address of each packet leaving the network and reference responses to the requests that went out
    it maps source IP addresses of incoming packets to destination IP addresses of outgoing requests
    it prevents attacks initiated and originated by outsiders
    the main advantage is that it is more efficient than application firewall systems
    the disadvantage is that it is more complex to administer
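An added example, not from these notes, that models the router packet filtering and stateful inspection behaviour described in the two passages above: service and direction control on packet headers, rejection of IP-spoofed packets that carry an internal source address on the external side, and a table of outgoing requests so that only their replies (or one permitted public service) are admitted from outside. The internal address range, the permitted service and the sample packets are constructed.

```python
"""Packet filtering plus stateful inspection, modelled on the notes above.
Added example: the internal address range, the permitted public service and
the sample packets are constructed, not taken from the notes."""
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "direction src sport dst dport proto")

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")   # assumed private network
# service control: the only inbound service the router admits unsolicited
PERMITTED_INBOUND_SERVICES = {("tcp", 25)}          # mail relay on an internal host


class StatefulFirewall:
    """Screening router that also keeps a table of outbound requests so that
    only replies to them are admitted from the outside."""

    def __init__(self):
        # (internal ip, internal port, external ip, external port, proto)
        self.outbound_requests = set()

    def filter(self, pkt):
        """Return (verdict, reason) for one packet."""
        src = ipaddress.ip_address(pkt.src)
        dst = ipaddress.ip_address(pkt.dst)
        if pkt.direction == "out":
            if src not in INTERNAL_NET:
                return "drop", "outbound packet with a non-internal source"
            # direction control: remember the request so its reply can be matched
            self.outbound_requests.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
            return "accept", "outbound request recorded"
        if pkt.direction != "in":
            return "drop", "unknown direction"
        if src in INTERNAL_NET:
            # IP spoofing: an internal source address arriving on the external side
            return "drop", "spoofed internal source on external interface"
        if dst not in INTERNAL_NET:
            return "drop", "inbound packet not addressed to the internal network"
        # stateful inspection: source of the incoming packet mapped back to the
        # destination of an earlier outgoing request
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto) in self.outbound_requests:
            return "accept", "reply to an outbound request"
        if (pkt.proto, pkt.dport) in PERMITTED_INBOUND_SERVICES:
            return "accept", "permitted public service"
        return "drop", "unsolicited inbound connection"


def run(packets):
    """Filter a sequence of packets in order through one firewall; returns the verdicts."""
    fw = StatefulFirewall()
    return [fw.filter(p)[0] for p in packets]


if __name__ == "__main__":
    # constructed traffic: a web request and its reply, then three outsider attempts
    sample = [
        Packet("out", "10.1.1.5", 40000, "203.0.113.10", 443, "tcp"),
        Packet("in", "203.0.113.10", 443, "10.1.1.5", 40000, "tcp"),
        Packet("in", "198.51.100.7", 4444, "10.1.1.5", 22, "tcp"),
        Packet("in", "10.9.9.9", 4444, "10.1.1.5", 22, "tcp"),
        Packet("in", "198.51.100.7", 5555, "10.1.1.2", 25, "tcp"),
    ]
    fw = StatefulFirewall()
    for p in sample:
        print(p.direction, p.src, "->", p.dst, p.dport, fw.filter(p))
```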

 

 

issues related to firewalls

            a false sense of security that no additional internal controls are needed

            weak against internal threats, for example a disgruntled employee cooperating with an external attacker

            cannot protect against attacks that bypass the firewall

                        for example modem dial-in

            misconfigured firewalls

            misunderstanding of what constitutes a firewall

            monitoring activities not done regularly

 

implementation of firewalls

firewalls can be implemented in three ways

            screened host firewall

            dual homed firewall and

            demilitarized zone (screened subnet) firewall

screened host firewall

            this method utilizes packet filtering and a bastion host (proxy services)

                        the bastion host connects to the internal network

                        a packet filtering router is installed between the internet and the bastion host

            an intruder has to penetrate two systems before the network is compromised

            internal hosts reside on the same network as the bastion host

                        security policies determine whether

                                    hosts connect directly to the internet or

                                    hosts use the proxy services of the bastion host

dual homed firewall

            this type of implementation is

                        a more restrictive form of screened host firewall

                        one interface is established for information servers and a separate interface for private network hosts

                        direct traffic to internal hosts is physically prevented, as explained in the diagram

demilitarized zone (screened subnet) firewall

            the DMZ mode utilizes two packet filtering routers and a bastion host

            it is the most secure firewall system and supports network and application level security

            the separate DMZ functions as an isolated network for public servers, proxy servers and modem pools

            key benefits are that

                        an intruder must penetrate three separate devices

                        the private network addresses are not disclosed to the internet

                        internal systems do not have direct access to the internet

 

intrusion detection systems (IDS)

            monitor network usage for anomalies

            used together with firewalls and routers

            operate continuously in the background and alert the administrator when intrusions are detected

            protect against external and internal misuse

IDS components

            sensor: collects data such as network packets, log files and system call traces

            analyzer: receives input from sensors and determines whether activity is intrusive

            admin console

            user interface

IDS are categorized into

            network-based IDS (NIDS)

                        which identify attacks within a network and

            host-based IDS (HIDS)

                        which are configured for a specific environment and monitor the internal resources of systems

IDS types are

            signature-based: intrusion patterns are stored as signatures; detection is limited by the rules

            statistical-based: monitors against expected behavior

            neural networks: similar to statistical but with added learning functionality

            a signature and statistical combination offers better protection
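The two detection types above, side by side on constructed sample sensor input, as an added example that is not part of the CISA notes: signature detection only sees what its rules describe, while the statistical detector flags a source whose failed-login count exceeds an expected baseline. The log lines, addresses, rules, baseline and tolerance are all constructed.

```python
"""Signature-based versus statistical IDS logic (added example, not from the notes)."""
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample of sensor input (simplified auth and web log lines).
SAMPLE_LOG = [
    "sshd: Accepted password for alice from 10.0.0.5",
    "sshd: Failed password for bob from 10.0.0.6",
    "sshd: Failed password for root from 198.51.100.9",
    "sshd: Failed password for admin from 198.51.100.9",
    "sshd: Failed password for oracle from 198.51.100.9",
    "sshd: Failed password for test from 198.51.100.9",
    "httpd: GET /item.php?id=1%27%20OR%201%3D1-- from 198.51.100.9",
    "httpd: GET /item.php?id=42 from 10.0.0.5",
]

# Signature rules: known intrusion patterns stored as expressions. Detection is
# limited to exactly these rules; a technique with no rule is invisible to them.
SIGNATURES = {
    "sql-injection-tautology": re.compile(r"'\s*or\s+1\s*=\s*1", re.IGNORECASE),
    "ssh-root-login-attempt": re.compile(r"Failed password for root\b"),
}

FAILED_LOGIN = re.compile(r"Failed password for \S+ from (\S+)")


def signature_detect(lines):
    """Returns (rule name, offending line) for every line that matches a rule."""
    alerts = []
    for line in lines:
        text = unquote(line)  # normalise URL encoding so %27 matches the quote in the rule
        for name, pattern in SIGNATURES.items():
            if pattern.search(text):
                alerts.append((name, line))
    return alerts


def statistical_detect(lines, expected_failures=1, tolerance=3):
    """Flags sources whose failed logins exceed tolerance x the expected baseline.
    Baseline and tolerance are constructed here; a real system learns them over time."""
    per_source = Counter()
    for line in lines:
        match = FAILED_LOGIN.search(line)
        if match:
            per_source[match.group(1)] += 1
    threshold = expected_failures * tolerance
    return {src: n for src, n in per_source.items() if n > threshold}


def combined_detect(lines):
    """Signature plus statistical, as the notes recommend: each catches what the
    other misses. The injection attempt never moves a login counter, and the
    password guessing spread over several usernames matches no rule except the
    single root attempt."""
    return {
        "signature": signature_detect(lines),
        "statistical": statistical_detect(lines),
    }


if __name__ == "__main__":
    for kind, result in combined_detect(SAMPLE_LOG).items():
        print(kind, result)
```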

 

 

IDS and intrusion prevention systems (IPS)

the key features of intrusion detection systems

                        intrusion detection and alerts

                        gathering evidence and automated response, for example disconnecting

                        security policy administration and monitoring

                        interfaces with system tools and logging facilities

IDS limitations include

                        weaknesses in policy definition

                        application level vulnerabilities

                        back doors into applications

                        weaknesses in schemes

intrusion prevention systems (IPS)

                        IPS is closely related to IDS

                        it is designed to detect and prevent attacks by predicting an attack before it happens, hence limiting damage or disruption to the systems that are attacked

                        it must be properly configured and tuned to be effective

 

 

honeypots and honeynets

            a honeypot is a software application that pretends to be an unfortunate server on the internet and is not set up to actively protect against break-ins

            rather, honeypots act as decoy systems that lure hackers and are therefore attractive to them

            the more a honeypot is targeted by an intruder, the more valuable it becomes

            a honeypot is technically related to IDSs and firewalls, but it has no real production value as an active sentinel of networks

the two basic types of honeypots are

            high interaction: gives hackers a real environment to attack

            low interaction: emulates production environments

honeynet

            multiple honeypots networked together to simulate a larger network installation are known as a honeynet

            a honeynet lets hackers break into the false network while allowing investigators to watch their every move through a combination of surveillance technologies

 

Knowledge statement 5.8:

information system attack methods and techniques

the candidate needs to grasp the

            knowledge of information system attack methods and techniques covered under this topic

                        risks arise from vulnerabilities, whether technical or human, within an environment

                        several attack techniques exploit those vulnerabilities and may originate either within or outside the organization

                        computer attacks can result in proprietary or confidential data being stolen or modified, loss of customer confidence and market share, embarrassment to management and legal actions against an organization

information system attack methods and techniques

            understanding the methods, techniques and exploits used to compromise an environment provides the IS auditor with a more complete context for understanding the risk an organization faces

            the IS auditor should understand enough of these attack types to recognize their risk to the business and how they should be addressed by appropriate controls

            the IS auditor should understand the concept of social engineering, since these attacks can circumvent the strongest technical security; the only effective control is regular user education

main areas covered here are

            computer crime issues and exposures

            wireless security threats and risk mitigation

computer crime issues and exposures

            computer crimes can be committed from various sources, including

                        computer is the object of the crime

                                    the perpetrator uses another computer to launch an attack

                        computer is the subject of the crime

                                    the perpetrator uses a computer to commit the crime and the target is another computer

                        computer is the tool of the crime

                                    the perpetrator uses a computer to commit the crime, but the target is not the computer itself but the data stored on it

                        computer symbolizes the crime

                                    the perpetrator lures computer users into giving up confidential information, for example by social engineering methods

 

 

common attack methods and techniques include

                        alteration attack
                        botnets
                        brute force attack
                        denial-of-service (DoS) attack
                        dial-in penetration attack (war dialing)
                        eavesdropping
                        email bombing and spamming
                        email spoofing
                        flooding
                        interrupt attack
                        malicious code
                        man-in-the-middle attack
                        masquerading
                        message modification
                        network analysis
                        packet replay
                        phishing
                        piggybacking
                        race conditions

 

local area network (LAN) security

a local area network faces many risks; examples of these risks are

            unauthorized access and changes to data and/or programs

            inability to maintain version control

            limited user verification and potential public access

            general access as opposed to need-to-know access

            impersonation of or masquerading as a legitimate LAN user

            internal user sniffing

            internal user spoofing

            virus infection

            unlicensed or excessive numbers of software copies

            destruction of logging and auditing data

            lack of LAN administrator experience or expertise

            varying media, protocols, hardware and network software that make standard management difficult

            security set aside for operational efficiency

 

LAN administrative capabilities

                        include declaring ownership of programs and files

                        limiting access to read only

                        record and file locking to prevent simultaneous updates and

                        enforcing user ID and password sign-on procedures

in order to understand LANs it is paramount for a candidate to have good knowledge of

                        the LAN topology and network diagram

                        the functions performed by the LAN administrator/owner

                        LAN users and user groups

                        applications used on the LAN

                        procedures and standards for network design, support, naming conventions and data security

 

dial-up access controls include

            encrypted passwords

            portable PCs

            dial-back procedures and

            one-time password generators or tokens

client server risks include

                        numerous access routes and points

                        increased risk of access to data and processing: weaker access controls, password change controls or access rules

                        weaker change control and change management

                        inaccurate or unauthorized access and changes to systems or data

                        loss of network availability

                        obsolescence of network components

                        unauthorized connection of the network to other networks through modems

                        weak connection to public switched telephone networks

                        application code and data may not be stored on a secure machine

client server controls that will ensure security include

                        disabling floppy drives

                        automatic boot or startup batch files and login scripts

                        network monitoring devices

                        data encryption

                        environment-wide authentication procedures and

                        application level access control

                        organization of users into functional groups

 

internet threats

            the internet is a global TCP/IP based system that enables public and private heterogeneous networks to communicate with one another

internet threats are categorized into

            passive attacks: probing for network information

            active attacks: intrusion or penetration into a network, gaining full control or enough to cause certain threats, such as

                        unauthorized access to or modification of data and/or programs

                        obtaining sensitive information for personal gain

                        escalating privileges

                        denial of service

            the impact could be financial or legal, or affect competitive edge

types of passive attacks are

            network analysis: creating a profile of a network's security infrastructure (footprinting), covering

                        system aliases and internal addresses

                        potential gateways and firewalls

                        vulnerable operating system services

            eavesdropping: gathering information flowing through the network for personal analysis or for third parties

            traffic analysis: determining the nature of traffic flow between defined hosts

active attacks can take the following forms

            brute force attack: launching many attacks to gain unauthorized access, for example password cracking

            masquerading: presenting an identity other than the original identity, which is unauthorized

            packet replay: passively capturing data packets and actively inserting them into the network; replayed packets are treated as another genuine stream, which is effective when the data received is interpreted and acted upon without human intervention

            message modification: making unauthorized changes or deletions to captured messages

 

 

unauthorized access through the internet

                        telnet passwords transmitted in clear text

                        releasing CGI scripts as shareware

                        client side execution of scripts and Java applets

denial of service: flooding servers with data requests

                        systems are paralyzed

                        genuine users are frustrated by the unavailability of the system

dial-in penetration attacks: using phone number ranges and social engineering

email bombing: repeatedly sending identical messages to particular addresses

email spamming: sending messages to numerous users

email spoofing: altering the identity of the source of the message

            Trojan horses: hiding malicious, fraudulent code in an authorized computer program

            rounding down: drawing off small amounts of money from a computerized transaction or account to the perpetrator's account

            salami technique: slicing off (truncating) small amounts of money from a computerized transaction or account, similar to rounding down

            viruses: malicious program code inserted into other executable code that can self-replicate and spread from computer to computer

            worms: destructive programs that may destroy data or utilize tremendous computer and communication resources but do not replicate like viruses

            logic bombs: similar to computer viruses but do not self-replicate; destruction or modification of data is programmed for a specific time in the future, which makes them difficult to detect before they go off

 

trap doors are

            exits out of an authorized program

            they allow insertion of specific logic, such as program interrupts, to permit a view of data during processing

            used by programmers to bypass OS integrity during debugging and maintenance

            they are meant to be eliminated in the final editing of the code but are sometimes forgotten or intentionally left for future access

asynchronous attacks are

            OS-based attacks in a multi-processing environment (job scheduling, resource scheduling, checkpoint/restart capabilities)

            checkpoints copy data, system parameters and security levels

            the attacks involve access to and modification of this data to obtain a higher security priority

            this results in unauthorized access to data, other programs and the OS

            data leakage: siphoning or leaking information out of the computer, for example dumping files to paper or stealing tapes

            wiretapping: eavesdropping on information being transmitted over telecommunication lines

            piggybacking

                        following an authorized person through a secure door; it also means

                        electronically attaching to an authorized telecommunications link to intercept and possibly alter transmissions

            computer shutdown: initiated through terminals or microcomputers connected directly (online) or remotely (dial-up line) to the computer

            denial of service: disrupting or completely denying service to legitimate users, networks, systems or other resources

 

Knowledge statement 5.9

virus detection tools and control techniques

            the key is understanding detection tools and control techniques, for example for malware, virus detection and spyware

                        computer viruses and other malware continue to emerge at increasing rates and sophistication and present significant threats to individuals and organizations

                        layered tools should be implemented and distributed throughout the environment in order to mitigate the ability of this malware to adversely impact the organization

                        antivirus and anti-spam software is a necessary and critical component of an organization's security program, providing a mechanism to detect, contain and notify whenever malicious code is detected

                        it is essential that the IS auditor understands not only the need for the implementation of antimalware software, but also that it should be constantly updated to ensure that it will detect and eradicate the latest attacks detected by the solution providers

main areas covered here are

viruses

 

viruses are

            malicious programs designed to self-propagate by appending to other programs

            they are easily transmitted via the internet, email attachments and local area networks

viruses attack four parts of the computer

            executable program files

            the file directory system, which tracks the location of all the computer's files

            boot and system areas, which are needed to start the computer

            data files

 

virus controls available are

            virus and worm controls

                        management procedural controls

                        technical controls

                                    antivirus software, periodically updated

                                    hardware controls: remote booting, boot virus protection

                        antivirus software implementation strategies

                                    dynamic antivirus program

                        sound policies and procedures

 

 

antivirus software implementation strategies

            detecting the virus at its point of entry is crucial

            at user workstation level, through scheduled, continuous and manual on-demand scans

            at corporate network level, as part of the firewall (virus wall) with SMTP, HTTP and FTP protection

            besides automatically updating the antivirus software

features of antivirus software

            it should be reliable and offer quality of detection

            it should be memory resident to facilitate continuous checking

            it should also have efficient working speed and use of resources

types of antivirus software

            scanners

                        virus masks or signatures

                        heuristic scanners based on statistical probability

            active monitors: look for virus-like activity

            integrity (CRC) checkers: used to detect changes in files and executable code

            behavior blockers: focus on detecting potentially abnormal behavior, for example writing to the boot sector

            immunizers: append themselves to files and continuously check for changes

 

knowledge statement 5.10

security testing techniques

it is paramount for CISA candidates to have

            knowledge of security testing techniques, for example intrusion testing and vulnerability scanning

                        tools are available to assess the effectiveness of network infrastructure security

                        these tools permit identification of real-time risks to an information processing environment, and corrective actions can be taken to mitigate these risks

                        such risks often involve the failure to stay updated on patch management for operating systems or the misconfiguration of security settings; assessment tools, whether open-source or commercially produced, can quickly identify weaknesses that would have taken hundreds of hours to identify manually

                        the IS auditor should also be aware that security testing may be carried out by an approved third party, for example a company specializing in penetration testing; let us see the main area to cover under this topic

main areas covered here are

auditing network infrastructure security

network infrastructure security

            network penetration testing is

            also called intrusion testing or ethical hacking

            it involves using techniques available to a hacker

                        open-source intelligence gathering and discovery

                        attempting to guess passwords

                        searching for back doors into systems

                        exploiting known operating system vulnerabilities

            it is popular for testing firewalls

            it is only performed by skilled, experienced professionals

            it requires permission from top-level senior management, but without informing IS security staff

 

knowledge statement 5.11

risks and controls associated with data leakage

                        data leakage is the risk that sensitive information may be inadvertently made public

                        it occurs in different ways, ranging from job postings that list the specific software and network devices with which applicants should have experience, to system administrators posting questions on technical websites that include specific details on the firewall or database version they are running and the IP addresses they are trying to connect to

                        posting organization charts and strategic plans to externally accessible websites

                        data classification policies, security awareness training and periodic audits of data leakage are elements that the IS auditor will want to ensure are in place

main areas to be covered

            computer crime and exposures

 

knowledge statement 5.12

network infrastructure security: encryption

knowledge of encryption related techniques

                        one of the best ways to protect the confidentiality of information is through the use of encryption

                        effective encryption systems depend on

                                    algorithm strength, secrecy and the difficulty of compromising a key

                                    the non-existence of back doors by which an encrypted file can be decrypted without knowing the key

                                    the inability to decrypt an entire ciphertext message when the way a portion of it encrypts is known; this is called a known-text attack

                                    the properties of the plain text being known by a perpetrator

                        although the IS auditor is not expected to be an expert in how these algorithms are designed, the auditor should be able to understand how these techniques are used and the relative advantages and disadvantages of each

 

 

main areas to be covered

encryption

                        encryption means converting plain text messages into secure coded text (ciphertext)

                        it is done via a mathematical function and a key, a special encryption/decryption password

encryption is used to

                        protect data in transit over networks

                        protect information stored on computers

                        deter and detect alterations of data and

                        verify the authenticity of a transaction or document

 

note

 

                        we assume that the more difficult it is to decrypt the cipher text the better

 

key elements of encryption systems

            encryption algorithm: a mathematical function (calculation)

            encryption key: a piece of information used in the algorithm to make the process unique

            key length: the predetermined length of the key

the effectiveness of encryption is based on

            the secrecy and difficulty of compromising the key

            the lack of other means of decrypting without the key

            the inability to perform a known-text attack

                        knowing how a portion of the encrypted text decrypts

 

tradeoffs in encryption

            if the algorithm is too complex and takes too long to use, or

            requires keys that are too large to store easily, it becomes impractical to use

            there is a need to balance the strength of the encryption

                        that is, how difficult it is for someone to discover the algorithm and the key, against ease of use

 

there are two main types of encryption in use for computer security, referred to as

            symmetric and asymmetric key encryption

symmetric:

            these are based on a symmetric encryption algorithm

                        the same (private) key encrypts plain text and decrypts ciphertext

            also called private or secret key cryptography

            the common private key cryptographic systems are

                        Data Encryption Standard (DES), 64-bit

                        Advanced Encryption Standard (AES), 128-bit and 256-bit

the advantage of this method is that it uses

            one key to encrypt and decrypt and hence

            uses less processing power

Disadvantages:

            however, getting the key to those you want to exchange data with is the problem

an illustration of a symmetric key cryptographic system is on the next slide

symmetric key:

            key management is an issue

            each pair of communicating entities needs a shared key

                        for an n party system there are n(n - 1)/2 distinct keys

                        in the system, and each party needs to maintain n - 1 distinct keys

 

 

how to reduce the number of shared keys in the system

            centralized key management

            session keys

            use public keys

 

asymmetric (public key) cryptographic systems

            this system uses different keys for encrypting and decrypting a message

            it solves the problem of getting the key to those you want to exchange data with

            it involves two keys working as a pair

                        one to encrypt and the other to decrypt

                        asymmetric: inversely related to each other

                        one key (secret, private) is known only to one person

                        the other key (public) is known to many people

a common form of asymmetric encryption is RSA

            Smith has two keys, public and private

            Smith publishes her public key such that the key is publicly known

            Smith keeps her private key secret

            other people use Smith's public key to encrypt messages for Smith

            Smith uses her private key to decrypt messages

            only Smith can decrypt, since only she has the private key

            advantages of public key cryptography are

                        the necessity of distributing secret keys to large numbers of users is eliminated

                        the algorithm can be used for authentication as well as for creating ciphertext

Security: computing the private key from the public key is assumed to be difficult

public key cryptography ensures

            authentication and non-repudiation: encrypting with the sender's secret key

            confidentiality: encrypting with the receiver's public key

            authentication and confidentiality: first encrypting with the sender's secret key and secondly with the receiver's public key

 

 

 

let us learn the differences between symmetric key and public key

in symmetric key encryption

            the two parties must trust each other

            typically both share the same key

            symmetric key encryption is generally 100 times faster than public key encryption

                        examples include DES, IDEA, RC5 and AES

in public key encryption

            the two parties do not need to trust each other

            there are two separate keys, a public key and a private key

            it is slower than symmetric key encryption

                        examples are RSA, ElGamal encryption and ECC

 

elliptic curve cryptography (ECC)

            a variant and more efficient form of public key cryptography; gaining prominence as a way to get more security out of minimum resources is the elliptic curve cryptosystem

Quantum cryptography

            the next generation of cryptography, which will solve existing problems associated with current cryptographic systems

Advanced Encryption Standard (AES)

            AES replaces the Data Encryption Standard (DES) as the cryptographic algorithm standard; due to its short key length, the former standard for symmetric encryption, DES, reached the end of its life cycle

 

digital signatures

            electronic identification of a person or entity

            intended for the recipient to verify the integrity of the data and the identity of the sender

Ensures:

            data integrity: a digital signature ensures data integrity through a one-way cryptographic hashing algorithm and digital signature algorithms

            sender identity authentication: public key cryptography

            non-repudiation

            replay protection: timestamps and sequence numbers are built into the messages

digital envelope

            used to send encrypted information and the relevant key along with it

            the message to be sent can be encrypted by using either

                        an asymmetric key or

                        a symmetric key
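The Smith example, the three public key guarantees (confidentiality with the receiver's public key, authentication and non-repudiation with the sender's secret key, both combined), the hash-then-sign digital signature and the digital envelope above, carried through in one added example that is not part of the CISA notes. It is textbook RSA with constructed, far-too-small primes and no padding, so it illustrates the mechanics only; Jones as sender, the message and the SHA-256 keystream standing in for a symmetric cipher are all assumptions of this example.

```python
"""Toy RSA walk-through of the public key properties in the notes (added example)."""
import hashlib
import secrets

# Constructed toy parameters: well-known primes, far too small for real use.
P_SMITH, Q_SMITH = 1_000_000_007, 998_244_353
P_JONES, Q_JONES = 2_147_483_647, 1_000_000_009


def make_keypair(p, q, e=65537):
    """Public key (n, e); private key (n, d) with d the inverse of e mod phi(n)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse, Python 3.8+
    return (n, e), (n, d)


def rsa_apply(block, key):
    """block^exp mod n; the same operation encrypts, decrypts, signs and verifies."""
    n, exp = key
    if not 0 <= block < n:
        raise ValueError("block must be smaller than the modulus")
    return pow(block, exp, n)


def encrypt_for(recipient_pub, block):
    """Confidentiality: anyone encrypts with Smith's published public key."""
    return rsa_apply(block, recipient_pub)


def decrypt_own(own_priv, block):
    """Only Smith can decrypt, since only she holds the private key."""
    return rsa_apply(block, own_priv)


def digest(message, n):
    """One-way hash of the message, reduced mod n so it fits the toy modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(sender_priv, message):
    """Authentication and non-repudiation: the hash is 'encrypted' with the sender's secret key."""
    return rsa_apply(digest(message, sender_priv[0]), sender_priv)


def verify(sender_pub, message, signature):
    """Anyone holding the sender's public key checks the signature against a fresh hash."""
    return rsa_apply(signature, sender_pub) == digest(message, sender_pub[0])


def keystream_xor(key, data):
    """Constructed stand-in for a symmetric cipher: XOR with a SHA-256 counter
    keystream. Real envelopes use AES; this keeps the example dependency-free."""
    out = bytearray()
    for i, byte in enumerate(data):
        block = hashlib.sha256(key.to_bytes(16, "big") + (i // 32).to_bytes(8, "big")).digest()
        out.append(byte ^ block[i % 32])
    return bytes(out)


def seal_envelope(sender_priv, recipient_pub, message):
    """Digital envelope: bulk data under a fresh symmetric session key, that key
    under the receiver's public key, plus the sender's signature over the data
    (authentication and confidentiality combined)."""
    session_key = secrets.randbelow(recipient_pub[0])
    return {
        "ciphertext": keystream_xor(session_key, message),
        "wrapped_key": encrypt_for(recipient_pub, session_key),
        "signature": sign(sender_priv, message),
    }


def open_envelope(recipient_priv, sender_pub, envelope):
    """Receiver unwraps the session key with her private key, decrypts, then
    verifies the sender's signature over the recovered plaintext.
    Returns (message, signature_valid)."""
    session_key = decrypt_own(recipient_priv, envelope["wrapped_key"])
    message = keystream_xor(session_key, envelope["ciphertext"])
    return message, verify(sender_pub, message, envelope["signature"])


if __name__ == "__main__":
    smith_pub, smith_priv = make_keypair(P_SMITH, Q_SMITH)
    jones_pub, jones_priv = make_keypair(P_JONES, Q_JONES)
    note = b"Transfer 100 to account 42"  # constructed message
    sealed = seal_envelope(jones_priv, smith_pub, note)
    print(open_envelope(smith_priv, jones_pub, sealed))  # (b'Transfer 100 to account 42', True)
    # a modified message no longer matches Jones's signature
    print(verify(jones_pub, b"Transfer 900 to account 42", sealed["signature"]))  # False
```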

 

knowledge statement 5.13

public key infrastructure PKI and digital signature techniques

 

 

knowledge statement 5.13

            public key infrastructure pki and digital signature techniques

 

 

            encryption is the process of converting a plaintext message into a secure coded form of text called ciphertext,

            which cannot be understood without converting it back to plaintext via decryption, the reverse process

 

            pkis use encryption to facilitate the following

                        protect data in transit over networks from unauthorized interception and manipulation

                        protect information stored on computers from unauthorized viewing and manipulation

 

                        deter and detect accidental or intentional alterations of data

 

                        verify authenticity of a transaction or document for example when transmitted over a web-based connection in online banking share dealing Etc

 

                        protect data in such situations from unauthorized disclosure

 

            understanding the business use of digital signatures is also expected especially its use in providing non-repudiation of and replay protection to messages

 

 

main areas covered here are

            encryption public key infrastructure pki

 

 

public key infrastructure pki

 

            public key infrastructure PKI is a framework by which a trusted party issues, maintains and revokes public key certificates

 

pki reasons

            many applications need key distribution

           

            digital signature vulnerability: the sender's private and public keys may be faked, or intercepted and changed

            anyone can generate keys, so there is a need for a mechanism to assure that keys belong to the entities they claim to come from

 

            in pki a certification Authority CA validates Keys

 

            distribution in PKI is done via a hierarchy of CAs

CA's process:

 

            the CA checks real-world credentials

            gets the key from the user in person

            signs a certificate (cert) validating the key

            the certificate is then attached to assure an endpoint that an entity is who it claims to be

            if the endpoint trusts the CA, then it will trust that the entity is who it claims to be

 

 

elements of pki include

 

            digital certificates

           

            certificate Authority CA

 

            registration Authority ra

 

            certificate revocation list crl

 

            certification practice statement CPS

 

digital certificates

 

            a digital credential comprising

 

                        a public key of an individual and

                        identifying information about the individual

 

            it is digitally signed by The Trusted entity with its private key

 

            receiver relies on the public key of The Trusted party

 

            it also includes algorithm used and validity period

 

 

certificate Authority CA

 

            trusted provider of public and private key pairs

 

            attest to the authenticity of owner of public key

 

            uses due diligence to issue certificates based on evidence or knowledge; upon verification of the user, the CA signs the certificate using its private key

            responsible for managing the certificate throughout its life cycle

            authoritative for the name or key space it represents in the certificate

 

 

certificate revocation list crl

details digital certificates that are no longer valid

 

            it is used for checking continued validity of certificates

 

            the time gap between two CRL updates is critical: a certificate revoked after the last update may still be accepted until the next update is published
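The following is an added example, not part of these notes or of any ISACA material, that ties together the digital signature properties listed earlier (integrity via hashing, sender authentication, replay protection via timestamps and sequence numbers) and the PKI flow described here (the CA signs a certificate binding an identity to a public key; the endpoint validates it against the trusted CA, checks the validity period and the CRL, including the update gap). It uses textbook RSA generated with a Miller-Rabin prime test and SHA-256 from the Python standard library; the key size, the JSON certificate layout, the field names and the 300-second freshness window are all assumptions for illustration, and unpadded textbook RSA is a teaching device, not production cryptography.

```python
"""Toy PKI walk-through: textbook RSA (educational only, not production crypto)."""
import hashlib
import json
import secrets

def _is_probable_prime(n, rounds=16):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # odd, full width
        if _is_probable_prime(cand):
            return cand

def generate_keypair(bits=512):
    """Textbook RSA: returns (public (n, e), private (n, d)). Assumed key size."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:          # e (prime) must be invertible mod phi
            return (p * q, e), (p * q, pow(e, -1, phi))

def _canon(obj) -> bytes:
    """Canonical encoding so signer and verifier hash identical bytes."""
    return json.dumps(obj, sort_keys=True).encode()

def sign(private, data: bytes) -> int:
    """Sign the SHA-256 of the data (256 bits, so always below the 512-bit modulus)."""
    n, d = private
    return pow(int.from_bytes(hashlib.sha256(data).digest(), "big"), d, n)

def verify(public, data: bytes, sig: int) -> bool:
    n, e = public
    return pow(sig, e, n) == int.from_bytes(hashlib.sha256(data).digest(), "big")

def issue_certificate(ca_private, subject, subject_public, now, valid_days=365):
    """CA binds identity + public key + validity period and signs the whole body."""
    body = {"serial": secrets.randbelow(2**32), "subject": subject,
            "public_key": list(subject_public),
            "not_before": now, "not_after": now + valid_days * 86400}
    return {"body": body, "signature": sign(ca_private, _canon(body))}

def validate_certificate(cert, trusted_ca_public, crl, now):
    """Endpoint check: CA signature, validity window, revocation, CRL freshness."""
    body = cert["body"]
    if not verify(trusted_ca_public, _canon(body), cert["signature"]):
        return False, "bad signature"
    if not body["not_before"] <= now <= body["not_after"]:
        return False, "expired"
    if body["serial"] in crl["revoked"]:
        return False, "revoked"
    if now > crl["next_update"]:            # the CRL update gap the notes warn about
        return False, "stale CRL"
    return True, "ok"

def sign_message(private, seq, body, now):
    """Sequence number and timestamp sit inside the signed payload (replay protection)."""
    msg = {"seq": seq, "ts": now, "body": body}
    return {"msg": msg, "sig": sign(private, _canon(msg))}

class Receiver:
    """Verifies sender certificate, message signature, freshness and sequence order."""

    def __init__(self, trusted_ca_public, crl, window=300):   # 300 s window is assumed
        self.ca, self.crl, self.window, self.last_seq = trusted_ca_public, crl, window, {}

    def accept(self, cert, signed, now):
        ok, why = validate_certificate(cert, self.ca, self.crl, now)
        if not ok:
            return False, why
        pub = tuple(cert["body"]["public_key"])
        if not verify(pub, _canon(signed["msg"]), signed["sig"]):
            return False, "bad message signature"
        msg, who = signed["msg"], cert["body"]["subject"]
        if abs(now - msg["ts"]) > self.window:
            return False, "stale timestamp"
        if msg["seq"] <= self.last_seq.get(who, 0):
            return False, "replay"
        self.last_seq[who] = msg["seq"]
        return True, "ok"
```

A typical run issues a certificate to a subject with the CA's private key, then feeds signed messages to a `Receiver` built with the CA's public key and the current CRL: the first message is accepted, a resend of the same message is rejected as a replay, a message whose body was altered after signing fails the signature check, and adding the certificate's serial to the CRL makes every later message from that subject fail at the certificate step.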

 

 

certification practice statement CPS is a detailed set of rules governing the CA's operations; it provides

            understanding of the value and trustworthiness of certificates issued in terms of controls observed

            method used to authenticate applicants

 

            ca's expectations on how certificates may be used

 

 

registration authority RA: an optional entity separate from the CA

            that performs administrative tasks such as

           

            recording and verifying information needed by the ca to issue certifications or crls

 

            also performing certificate management functions

 

            CA remains solely responsible for signing digital certificates or crls

 

 

Knowledge statement 5.14

peer-to-peer Computing instant messaging and web-based Technologies


 

            knowledge of peer-to-peer Computing instant messaging and web-based Technologies for example social networking message boards blogs

 


 

 

            social networks message boards blogs are technologies that introduce new risk to the Enterprise

 

            information posted on social network sites may inadvertently disclose confidential non-public information, which may violate financial securities laws or customer privacy laws

 

            peer-to-peer Computing is inherently insecure and may lead to the introduction of malicious code into an otherwise secure environment

 

main areas to be covered here are

            computer crime issues and exposures

           

             peer-to-peer Computing instant messaging and web-based Technologies

 

 

peer-to-peer Computing

 

            in peer-to-peer computing there is no specific server to which a user connects; generally the connection is between two peers

            as a result there are risks associated with peer-to-peer, which include

                        no central server, hence virus-infected files can be shared directly with others

                        Trojans and spyware may be inadvertently copied across systems

                        users may expose their IP addresses, which could result in, for example, IP spoofing, traffic sniffing and other IP-based attacks

                        a user on the peer network may access sensitive data in unprotected folders

 

                       

Controls in peer-to-peer Computing:

proper security policies and control measures are required for peer-to-peer Computing

 

            safest approach is to deny such connections unless there is a business need

 

 

 

instant messaging

 

            instant messaging IM is a popular mechanism for collaboration and keeping in touch; it involves two or more users connecting and chatting on topics of interest, with prompt acknowledgement and response rather than emails.

 

Risks of instant messaging are

            eavesdropping if sensitive information is sent over unencrypted channels

           

            exchange of virus infected files and other malicious codes

 

            data leakage if file transfers are unmonitored over IM channels

 

            exploitation of vulnerabilities if the public IM client software is not adequately patched

 

controls

 

            good IM policy and user awareness required

 

            advisable to use internal IM software instead of public software

 

            only Enterprise employees should be allowed to connect and

 

            adequate monitoring of IM use to minimize risk of data leakage of confidential information

 

 

social networking sites

            social networking sites SNS include sites such as Facebook and LinkedIn that help establish connections with colleagues, friends and relatives

 

 

risks

            uploading of personal and private information

 

            phishing

 

            URL spoofing

 

            cyberstalking

 

 

controls

 

            policies on what information can be shared on such sites

 

            education and awareness to staff on what information to share or not share on such sites

 

            also having a policy banning the use of such sites in the office

 

 

example of an incident

 

            an attacker was able to gather the names of an employee's friends and the employee's date of birth; they used this information for email spoofing and managed to receive money from the friends by impersonating him and claiming to be stranded in another country with no passport and no money

 

knowledge statement 5.15

controls and risks associated with the use of mobile and wireless devices

 

knowledge of controls and risks associated with the use of mobile and wireless devices.

           

            portable and wireless devices present a new threat to an organization's information assets and must be properly controlled

 

            policies and procedures as well as additional protection mechanisms must be put into place to ensure that data are protected to a greater extent on portable devices

            since such devices will most likely operate in environments where physical controls are lacking or non-existent

 

 

            most transportable media, including PDAs, Blackberry devices, etc., are easily lost or stolen and thus require the use of encryption technologies as well as strong authentication

            it may also be necessary to classify some data as inappropriate for storage on a mobile device

            the IS auditor should understand that all such media and devices, which may include personal music MP3 devices, can also be used by an individual to steal both data and programs for personal use or gain

 

            we will focus on mobile Computing

 

main areas covered here are

            mobile Computing

 

 

 

Laptop security

 

            risk of using laptops

 

                        is the difficulty to implement logical and physical security in a mobile environment

 

laptop security controls

 

            laptop security measures: engraving the serial number and company name

 

            cable locks monitor detectors

 

            regular backup of sensitive data

 

            encryption of data

 

            allocating passwords to individual files

 

            theft response procedures

 


knowledge statement 5.16

voice communication Security

voice over IP VoIP

 

            IP telephony (internet telephony) is the technology that makes it possible to have a voice conversation over the Internet; the protocols used to carry the signal over the IP network are referred to as VoIP

            VoIP is a technology where voice traffic is carried on top of the existing data infrastructure

 

            VoIP sounds are digitized into IP packets and transferred through the network layer before being decoded back into the original voice

 

            VoIP has reduced long-distance call costs in a number of organizations

 

 

thus we will focus on voice over IP and private Branch exchange

 

 


 

VoIP advantages over traditional telephony

 

 

                        VoIP innovation progresses at market rates rather than at the rates of the ITU (International Telecommunication Union)

 

                        lower costs per call or even free calls for long distance calls

 

                        lower infrastructure costs

 

 

the risks associated with the use of VoIP are

            the need to protect two assets: the data and the voice

            inherently poor security

            the current Internet architecture does not provide the same physical wire security as phone lines

 

 

 

controls for securing VoIP

            implementing security mechanisms such as those deployed in data networks, for example firewalls and encryption, to emulate the security level currently used by PSTN network users

 

 

 

private Branch exchange PBX

 

            PBX is a sophisticated computer-based phone system dating from the early 1920s; originally it was analog but it is now digital; its principal purpose was to save the cost of providing each person with a line

attributes include

            multiple telephone lines

            digital phones for both voice and data

            switching calls within the PBX

 

            non-blocking configuration that allows simultaneous calls

 

            operator console or switchboard

risks associated with use of PBX

            are theft of service and toll fraud

 

            disclosure of information through eavesdropping

 

             unauthorized access to resources

 

            denial of service

 

            traffic analysis passive attack

 

 

knowledge statement 5.17

evidence preservation techniques

 

 

            knowledge of the evidence preservation techniques and processes followed in forensic investigations

            for example IT processes, chain of custody

 

 

 

                        audit conclusions should be supported by reliable and relevant evidence

 

                        evidence collected during the course of an audit follows a life cycle

                        the life cycle includes collection, analysis, preservation and destruction of evidence

                        the source of evidence should be reliable and qualified, that is, from an appropriate original source rather than obtained as a comment or hearsay

                        evidence should originate directly from a trusted source to help ensure objectivity in fraud investigations or legal proceedings

                        maintaining the integrity of evidence throughout the evidence life cycle may be referred to as the chain of custody when the evidence is classified as forensic

 

            audit evidence should include information regarding date of creation

 

 

main areas covered here are

            evidence

            audit documentation

            investigation techniques

            continuous auditing

 

 investigation techniques

 

            investigation techniques include the investigation of computer crime and the protection of evidence and chain of custody among others

 

 

 

investigation of computer crime

            computer crimes are not reported in most cases simply because they are not detected, or because of the negative publicity they generate

 

            in many countries laws are directed toward protecting physical property making it very difficult to use such laws against computer crime

 

            it is very important that proper procedures are used to collect evidence from a crime scene

 

            the environment and evidence must be left unaltered and specialist law enforcement officials must be called in after a crime

 

 

            computer forensics is the process of identifying, preserving, analyzing and presenting digital evidence in a manner that is legally acceptable in any legal proceedings, for example in court

            it includes activities involving the exploration and application of methods to gather, process, interpret and use digital evidence

            failure to preserve the integrity of evidence means loss of its value in legal proceedings

            the chain of evidence contains information regarding

                        who had access to the evidence, in chronological order

                        the procedures followed in working with the evidence

                        proof that the analysis is based on copies identical to the original evidence

 

considerations regarding evidence

            identify

                        identify information that may form evidence

            preserve

                        the practice of retrieving identified information and preserving it as evidence; involves imaging of the original data and documenting the chain of custody

            analyze

                        involves extracting, processing and interpreting the evidence; analysis is performed on an image of the media, not the original

            present

                        involves presentation to the various audiences such as management and attorneys; the presenter must be qualified and the process of preservation and analysis credible

 

 

key elements of computer forensics the IS auditor should consider

                        data protection: measures to ensure sought-after information isn't altered

                        data acquisition: all required data transferred to a controlled location, with writable media write-protected

                        imaging: process allowing bit-for-bit replication of data on disk that avoids damage to the original data

                        extraction: process of identification and selection of relevant data from the imaged data set

                        interrogation: used to obtain prior indicators or relationships from the extracted data

                        ingestion/normalization: process of converting extracted information to a format that can be understood by investigators

                        reporting: information should be collected and reported in a proper way for it to be valuable
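As an added example that is not part of these notes, the key elements above (data protection, acquisition, imaging, extraction, reporting) together with the chain of custody can be modelled with nothing more than SHA-256 hashing from the Python standard library: the original is hashed once at acquisition, all work happens on an immutable bit-for-bit copy, every handover is logged with the hash at that moment, and the report states whether the image still matches and whether the custody record is chronological and consistent. The sample media bytes, evidence id, analyst names and timestamps are constructed for the demonstration.

```python
"""Evidence handling demo: hash-verified imaging and a chain-of-custody log."""
import hashlib
from dataclasses import dataclass, field


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class EvidenceItem:
    """One seized item: the original stays untouched, all work happens on the image."""
    evidence_id: str
    original_hash: str
    image: bytes                       # bit-for-bit copy; bytes is immutable (write-protected)
    custody: list = field(default_factory=list)

    def log(self, who: str, action: str, when: int):
        """Every handover records who, what, when, and the image hash at that moment."""
        self.custody.append({"who": who, "action": action, "when": when,
                             "hash": sha256_hex(self.image)})

    def image_verified(self) -> bool:
        """Data protection check: the working copy still matches the acquisition hash."""
        return sha256_hex(self.image) == self.original_hash

    def chain_intact(self) -> bool:
        """Chain of custody: entries are chronological and every recorded hash matches."""
        times = [e["when"] for e in self.custody]
        return bool(self.custody) and times == sorted(times) and all(
            e["hash"] == self.original_hash for e in self.custody)

    def extract(self, needle: bytes) -> list:
        """Extraction: select relevant data from the image, never from the original."""
        hits, start = [], 0
        while (i := self.image.find(needle, start)) != -1:
            hits.append(i)
            start = i + 1
        return hits

    def report(self) -> dict:
        """Reporting: what a reviewer needs to judge whether the evidence is still usable."""
        return {"evidence_id": self.evidence_id, "sha256": self.original_hash,
                "image_verified": self.image_verified(),
                "chain_intact": self.chain_intact(), "handovers": len(self.custody)}


def acquire(evidence_id: str, source_media: bytes, collector: str, when: int) -> EvidenceItem:
    """Acquisition + imaging: hash the source, copy it bit-for-bit, verify, then log."""
    h = sha256_hex(source_media)
    image = bytes(source_media)        # the forensic copy
    assert sha256_hex(image) == h, "image does not match source"
    item = EvidenceItem(evidence_id, h, image)
    item.log(collector, "acquired and imaged", when)
    return item


# Constructed sample "disk" contents for the demonstration (not real evidence).
SAMPLE_MEDIA = (b"\x00" * 16 + b"invoice.xlsx\x00" + b"\xff" * 8
                + b"transfer 50000 to account X\x00" + b"invoice.xlsx\x00")
```

Running `acquire("E-001", SAMPLE_MEDIA, "analyst A", 1700000000)` and then logging a handover to a second analyst gives a report with `image_verified` and `chain_intact` both true; a custody entry logged with an earlier timestamp than the previous one breaks `chain_intact`, and flipping a single bit in a copy of the image changes its SHA-256, which is exactly how alteration of the working copy would be detected.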

 

 

knowledge statement 5.18

data classification standards and supporting procedures

 

knowledge of data classification standards and supporting procedures

 

information assets have varying degrees of sensitivity and criticality in meeting business objectives; data is classified and protected according to that degree

 

            an important first step to data classification is Discovery inventory and risk assessment once this is accomplished data classification can then be put into use

 

            by assigning classes or levels of sensitivity and criticality to information resources and establishing specific security rules for each class Enterprises can Define the level of access controls and the retention time and destruction requirements that should be applied to each information asset

 

the IS auditor should understand the process of classification and the interrelationship between data classification and the need for inventorying information assets and assigning responsibility to data owners

           

            data owner responsibilities should be clearly identified documented and implemented

 

 

 

main areas to be covered here are

 

inventory and classification of information assets

 

 

inventory and classification of information assets

 

            a detailed inventory of information assets is required for Effective control

             the inventory is the first step in classifying the assets and determining level of protection required

           

            inventory record should include

           

            specific identification of the asset

 

            relative value to the organization

 

            location

 

            security risk classification

 

            asset group, where the asset forms part of a larger information system

 

            owner

 

            designated custodian

 

            classification should be simple and employed during risk assessment by end-user managers and system admins (use ISO IEC 2005)

 

            reduce risk and cost of over or under protection

 

            used to identify

                        who has access to what

                        who determines access rights and levels

           

            approvals required for Access

 

            classification done by differing degrees for data sensitivity and mission criticality of the business applications

 

classification of assets

 

            information assets have varying degrees of sensitivity criticality which determine appropriate levels of control

 

            application database criticality classification for example

                        Mission critical

                        significant

                        moderate or

                        low

knowledge statement 5.19

 physical access controls

 

 physical access controls for the identification authentication and restriction of users to authorized facilities

 

            physical security weaknesses can result in financial loss legal repercussions loss of credibility or loss of Competitive Edge

 

            thus information assets must be protected against physical attacks such as vandalism and theft through controls that restrict access to sensitive areas containing computer equipment or confidential data files

 

            such controls usually employ access door locks that require a password, key, token or biometric authentication of the person attempting entry

 

in high security areas access may require authentication through multiple means and the use of strong security measures such as the airlock type or Man Trap entrances

 

            the IS auditor should understand the nature of physical controls and the ways in which they can be circumvented, as well as the concept of the security boundary, to establish where such devices should be placed and how effective they must be

 

 

 

main areas covered here are

            physical access controls and

            exposures

 

physical access controls and exposures is our main focus

 

physical access controls

            door locks bolting combination electronic biometric

 

            dead man doors

           

            logging manual electronic

 

            identification badges

           

            video cameras

 

            security guards

 

            controlled visitor access

 

            bonded Personnel

 

            not advertising locations of sensitive facilities

 

            computer workstation locks

 

            controlled single entry points

           

            alarm systems

 

            secured report documentation distribution cards

 

physical access exposures primarily originate from natural and man-made hazards

Exposures include

            unauthorized entry

 

            damage vandalism theft

 

             viewing or copying sensitive information

 

            alteration of data

 

            public disclosure of sensitive information

 

            abuse of processing facilities

 

            blackmail and embezzlement

 

 


 

auditing physical access

 

auditing physical access involves

 

            touring the information processing facility

 

            visibly observing physical access controls

 

            reviewing physical security documentation

 

 

 

evaluating

 

            General cleanliness

 

            doors windows walls curtains

 

            ceilings raised floors and

 

            ventilation

 

knowledge statement 5.20

Environmental Protection devices and supporting practices

knowledge of Environmental Protection devices and supporting practices

 

            certain natural and man-made events have the ability to do great damage to an organization's information systems and business processes

 

            most data centers have mechanisms to prevent detect or mitigate the impact of these threats

 

            however it is important that the Readiness and sufficiency of these controls be periodically tested by management to ensure that they will function as intended

 

 

            the IS auditor should understand the nature of these controls and how to ensure that they are functioning properly and are adequate to protect

 

 

 


 

 

            environmental controls generally include fire and smoke detectors fire suppression systems water detectors and temperature and humidity controls

 

            the IS auditor should know the relative merits of different fire suppression systems and in what circumstances one type is more appropriate than another

 

 

main areas of coverage are

 

 environmental exposures and controls

 

 

 environmental exposures and controls

 

 

the environmental exposures

 

                        include natural events like lightning storms earthquakes Etc

 

                        power failures are of particular concern, including

 

                        total failure blackouts

 

                        severely reduced voltage brownouts

 

                        sags spikes and surges

 

                        electromagnetic interference Emi caused by electrical storms or noisy electrical equipment

 

                        static electricity magnetic fields

 

                        water damage and flooding

 

                        Fire

 

                        man-made events: terrorism, vandalism, smoke, food

 

                        natural elements humidity dust temperature

environmental controls

                        power continuity

 

                        power generators for long-term power interruptions

                        surge protectors, at least on all expensive equipment

                        UPS devices for sags, spikes and surges

 

                        emergency power off switch

 

                        redundant power lines for example leads from two substations

fire controls

                        fire extinguishers strategically placed throughout facility

 

                        fire suppression systems, either

                                    water-based sprinklers (damage equipment) or

                                    dry pipe sprinklers, Halon systems or CO2-based systems

 

                        regular inspection by the fire department

 

                        also use of audible fire alarms

 

                        smoke detectors

 

                        having defined responsibilities

                       

                        marked locations

 

                        fireproof walls floors and ceilings

 

 


environmental controls that can be applied are

 

                        strategically locating the computer room not basement

 

                        raised floors and water detectors

                       

                        proper ventilation humidity and temperature control

 

                        wiring placed in fire resistant panels and conduits

 

                        prohibit eating drinking and smoking within information processing facilities

 

                        documented and tested emergency evacuation plan

 


auditing environmental controls involves

                        checking that systems work as specified and

 

                        are inspected and tested at least once a year

 

                        placing and assigning responsibility to concerned persons

 

                        maintaining communication and awareness

 

                        having a business continuity plan that will be used in case of a disaster

 

                        this plan should be fully documented and tested

 

knowledge statement 5.21

handling confidential information Assets

 

knowledge of the processes and procedures used to store, retrieve, transport and dispose of confidential information assets

 

 

                        is key for a cisa candidate to learn

 

                        confidential information assets are vulnerable during storage retrieval and transport and must be disposed of properly

 

                        management should define and implement procedures to prevent unauthorized access to, or loss of, sensitive information and software from computers, disks and other equipment or media when they are stored, transported or transmitted during processing, retrieval and output

                        the IS auditor should also understand the need for correct disposal of information and media in order to ensure that no unauthorized person gains access to the information by restoration or re-creation

 

main areas of coverage

 

            storing retrieving transport and disposing of confidential information Assets

 

handling confidential information

 

            storing retrieving transporting and disposing of confidential information

 

                        need procedures to prevent unauthorized access to, or loss of, sensitive information and software

 

                        further controls are required for

                                    backup files and databases

                                    data banks

                                    disposal of media previously used to hold confidential information

                                    management of equipment sent for off-site maintenance

                                    public agencies and organizations concerned with sensitive critical or confidential information

                                    e-tokens, electronic keys

                                    storage records

 

 

 

preserving information during shipment or storage

 

            by keeping out of direct sunlight

 

            keeping free of dust

 

            keep free of liquids

 

            minimize exposure to magnetic fields radio equipment or any sources of vibration

 

            do not transport by air in areas and at times of exposure to a strong magnetic storm

 

Summary


you have learned so far protection of information assets

 

 

            1. a long asymmetric encryption key (public key encryption) increases encryption overhead cost

            2. creating user accounts that automatically expire by a predetermined date is an effective control for granting temporary access to vendors and external support personnel

            3. worms are malicious programs that can run independently and can propagate without the aid of a carrier program such as email

            4. identifying network applications such as mail, web or FTP servers to be externally accessed is an initial step in creating a proper firewall policy

            5. the SSL protocol provides confidentiality through symmetric encryption such as the data encryption standard

            6. intrusion detection systems IDS are used to gather evidence of network attacks

            7. timestamps are an effective control for detecting duplicate transactions such as payments made or received

            8. traffic analysis is a passive attack method used by intruders to determine potential network attacks

            9. file encryption is a good control for protecting confidential data that resides on a PC

            10. although many methods of fire suppression exist, dry pipe sprinklers are considered to be the most environmentally friendly

            11. logical access controls should be reviewed to ensure that access is granted on a least-privilege basis for the organization's data owners

            12. a callback system is a remote access control in which the user initially connects to the network systems via dial-up access, only to have the connection terminated by the server, which then subsequently dials back the user at a predetermined number stored in the server's configuration database

            13. information system security policies are used as the framework for developing logical access

 

This concludes the domain on protection of information assets

 

EXAM Reviews:

**********************************************************************************************

 

Udemy ISACA's Certified Information System Auditor (CISA) Exam

 

Domain 1: Information System Auditing process:

 

Audit Planning:

 

 

The objective of an IS audit is to evaluate whether implemented controls are efficient and effective in protecting information assets, maintaining data integrity, and ensuring the availability of assets in order to meet the organization’s goals and objectives.

 

An audit charter includes the following:

• The mission, purpose, and objective of the audit function

• The scope of the audit function

• The responsibilities of management

• The responsibilities of internal auditors

• The authorized personnel of the internal audit work

 

An audit plan helps to determine the following:

• The objectives of the audit

• The scope of the audit

• The periodicity of the audit

• The members of the audit team

• The method of audit

 

Audit universe: An inventory of all the functions/processes/units under the organization.

• Qualitative risk assessment: In a qualitative risk assessment, risk is assessed using qualitative parameters such as high, medium, and low.

• Quantitative risk assessment: In a quantitative risk assessment, risk is assessed using numerical parameters and is quantified; for example, for a 50% chance of failure, the amount at risk is $1000.

• Risk factors: Factors that have an impact on risk. The presence of such factors increases the risk, whereas their absence decreases the risk.

 

Selection Criteria

 

The resultant risk is evaluated against the criteria set by management.

The audit plan can then be designed to consider all high-risk areas.

 

 

 

What should be your first step in risk-based audit planning?

Your answer should be to identify high-risk processes in the company.

In risk-based audit planning,

the objective is to allocate audit resources effectively by focusing on areas with the highest level of risk.

By identifying high-risk processes within the company, auditors can prioritize their efforts

and concentrate on areas that are more likely to have significant control deficiencies

or potential financial misstatements.

This step involves assessing various factors, such as the complexity of the processes and the inherent risk associated with them.

 

What is the advantage of risk-based audit planning?

Your answer should be optimum use of audit resources for high-risk processes.

A major advantage of a risk-based approach to audit planning is the optimum use of audit resources

for high-risk processes.

By identifying and prioritizing high-risk areas within the organization, auditors can allocate their resources

and efforts effectively.

By focusing on high-risk processes, auditors can perform more thorough and detailed audit procedures in those areas, leading to more reliable and meaningful audit findings.

 

What is the first step to conduct a data center review?

Your answer should be the evaluation of vulnerabilities and threats to the data center location.

Getting information and an understanding of the processes being audited

and evaluating the risks and various threats will help auditors to concentrate

on high-risk areas,

thereby making the audit more effective and relevant.

 

QAE questions - audit planning

Which of the following is the first step  in risk-based audit planning?

 

Please try to understand the question thoroughly.

The question is about the first step of risk-based audit planning.

Now evaluate the available options and select the best answer.

The correct answer here is to identify high-risk processes in the company.

In risk-based audit planning, the objective is to allocate audit resources effectively by focusing on areas with the highest level of risk.

By identifying high-risk processes within the company, auditors can prioritize their efforts and concentrate on areas that are more likely to have significant control deficiencies.

 

Which of the following is a major advantage of a risk-based approach to audit planning?

 

The correct answer is optimum use of audit resources for high-risk processes.

 

A major advantage of a risk-based approach to audit planning is the optimum use of audit resources for high risk processes.

By identifying and prioritizing high risk areas  within the organization, auditors can allocate their resources

and efforts effectively. By focusing on high risk processes, auditors can perform more thorough and detailed audit procedures in those areas, leading to more reliable and meaningful audit findings.

 

Which of the following should be the first exercise while reviewing data center security?

 

The correct answer is the evaluation of vulnerabilities and threats to the data center location.

Getting information and an understanding of the processes being audited and evaluating the risks and various threats will help auditors to concentrate on high risk areas thereby making the audit more effective and relevant.

 

Which of the following is the most important aspect of planning an audit?

 

The correct answer is identifying high-risk processes.

By identifying high-risk processes, auditors can design appropriate audit procedures to address the identified risks. This includes understanding the nature of the processes, assessing the control environment and evaluating the effectiveness of internal controls.

 

Audit charter

The audit charter is the formal document that contains

scope of the audit functions,

authority of the audit functions,

and responsibility of the audit functions.

 

Scope means which processes, departments, locations, et cetera, should be audited.

Authority means what authority the audit department has to access the records and relevant data for the audit.

Responsibility of the audit function means what the responsibility of the head of audit is, and to whom they should report.

 

Actions of the audit department are primarily influenced by the audit charter.

 

The question arises, "Who should approve the audit charter?" The audit charter should be approved by senior management. In most organizations, it is approved by the audit committee of the board.

 

Now let us discuss what the audit charter should be and what the audit charter should not be.

 

The audit charter should be approved by the highest level of management. It should be a written document, and it defines the roles and responsibilities of the audit function.

 

But, the audit charter should not be dynamic in nature.

That is, it should not be changed too often.

It should not include a detailed yearly audit calendar,

audit planning, yearly resource allocation,

and other routine audit activities.

It should not include aspects like professional fees, travel expenses, et cetera.

 

Let us discuss some key aspects from CISA exam perspective.

 

Who should approve the audit charter of an organization?

Senior management.

 

What should be the content of an audit charter?

Scope of the audit function, authority of the audit function, and responsibility of the audit function.

 

What is the prime reason for review of an organization chart?

To understand the authority and responsibility of the individuals.

 

Actions of an IS auditor are primarily influenced by?

The audit charter.

 

Which document provides the overall authority for an auditor to perform an audit?

Again, audit charter.

 

What is the primary reason for the audit function directly reporting to the audit committee of the board?

 

Yes, independence. The audit function must be independent of the business function and should have direct access to the audit committee of the board.

 

Practical questions:

The audit charter should?

incorporate the scope, authority, and responsibility of the audit department.

 

The prime objective of an audit charter is to?

To document the responsibility and authority of the audit department.

 

 

Electronic Data Interchange

 

EDI is the online transfer of data or information between two organizations. The traditional exchange of paper documents between two organizations has been replaced with EDI platforms.

 

It contains the processing features, such as transmission, translation, and storage of transactions flowing between two enterprises.

 

Risks associated with the EDI process.

 

As we know, in the EDI process the systems of two partners are connected. So it is very important to have an agreement, a trading partner agreement.

In the absence of an agreement, there could be uncertainty regarding specific legal liability.

 

 Also an important aspect and important concern is transaction authorization and transaction authentication for EDI processes.

 

Other EDI related risks include unauthorized access, data integrity, and confidentiality, and loss or duplication of EDI transactions.

 

Controls for EDI process

 

What kind of control is required for my inbound transactions?

Inbound transactions are the transactions that my system is receiving from my partner's system.

First, I need to maintain a log of each inbound transaction on its receipt.

I need to ensure proper reconciliation of inbound transactions by building segment count totals. A segment count total will help me to do proper reconciliation between whatever transactions I have received and whatever transactions I have processed.

Any deviation or difference is to be properly sorted out by doing root cause analysis.

I need to implement a check digit control to detect transposition and transcription errors.
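The three inbound controls just listed, worked through in Python as an added example (not code from the original notes or from any EDI product). The message layout ("~" segment and "*" element separators, an SE trailer that declares the segment count, a BEG segment carrying the document number) and the weighted mod-11 check digit scheme are assumptions chosen for the illustration.

```python
"""Inbound EDI controls from the notes above: log every inbound transaction on
receipt, reconcile segment count totals, and verify a check digit that detects
transcription and transposition errors in a keyed document number.

Added example, not code from the original notes or any EDI product. Assumed
layout: segments end with "~", elements are split by "*", the SE trailer
declares the segment count from ST through SE inclusive, and the BEG segment
carries the document number (check digit last) in element 3.
"""
from __future__ import annotations

import hashlib
from datetime import datetime, timezone


def compute_check_digit(body: str) -> str:
    """Weighted mod-11 check digit (ISBN-10 style) over a string of digits.

    Weights run n+1 .. 2 left to right; the check digit itself has weight 1.
    One mis-keyed digit shifts the weighted sum by w*(d-d'), 2<=w<=10 and
    1<=|d-d'|<=9, never a multiple of the prime 11; swapping adjacent digits
    shifts it by (d1-d2)*1, again never a multiple of 11. Both error classes
    named in the notes are therefore always detected.
    """
    if not body.isdigit():
        raise ValueError("check digit body must be all digits")
    n = len(body)
    total = sum((n + 1 - i) * int(ch) for i, ch in enumerate(body))
    check = (11 - total % 11) % 11
    return "X" if check == 10 else str(check)  # "X" stands for 10, as in ISBN-10


def verify_check_digit(number: str) -> bool:
    """True when the last character is the right check digit for the rest."""
    if len(number) < 2 or not number[:-1].isdigit():
        return False
    return compute_check_digit(number[:-1]) == number[-1].upper()


def parse_segments(raw: str) -> list[list[str]]:
    """Split an interchange into segments, each a list of elements."""
    return [seg.strip().split("*") for seg in raw.split("~") if seg.strip()]


def reconcile_segment_count(segments: list[list[str]]) -> tuple[int, int]:
    """(declared, actual): what the SE trailer claims vs. segments received."""
    trailer = segments[-1]
    if trailer[0] != "SE" or len(trailer) < 2 or not trailer[1].isdigit():
        raise ValueError("missing or malformed SE trailer")
    return int(trailer[1]), len(segments)


def process_inbound(raw: str, receipt_log: list[dict]) -> dict:
    """Write the receipt log entry first, then apply the other two controls,
    so that even a rejected message leaves an audit trail."""
    entry = {
        "received_at": datetime.now(timezone.utc).isoformat(),
        "sha256": hashlib.sha256(raw.encode("utf-8")).hexdigest(),
        "bytes": len(raw),
    }
    receipt_log.append(entry)

    segments = parse_segments(raw)
    declared, actual = reconcile_segment_count(segments)
    # Document number lives in BEG element 3 (assumed); StopIteration if absent.
    doc_no = next(s[3] for s in segments if s[0] == "BEG" and len(s) > 3)
    findings = []
    if declared != actual:
        findings.append(f"segment count mismatch: declared {declared}, received {actual}")
    if not verify_check_digit(doc_no):
        findings.append(f"check digit failure on document number {doc_no}")
    entry.update(segments=actual, document=doc_no, accepted=not findings)
    return {"document": doc_no, "accepted": not findings, "findings": findings}


# Constructed sample interchanges (not real trading-partner data); document
# number 4500123 takes check digit 5 under the scheme above.
GOOD_PO = (
    "ST*850*0001~"
    "BEG*00*SA*45001235**20240105~"
    "PO1*1*10*EA*12.50**VP*WIDGET-1~"
    "PO1*2*4*EA*99.00**VP*GADGET-7~"
    "CTT*2~"
    "SE*6*0001~"
)
# One line item lost in transit: SE still declares 6 segments, only 5 arrive.
TRUNCATED_PO = GOOD_PO.replace("PO1*2*4*EA*99.00**VP*GADGET-7~", "")
# Two adjacent digits of the document number transposed when re-keyed.
MISKEYED_PO = GOOD_PO.replace("45001235", "45001325")

if __name__ == "__main__":
    log: list[dict] = []
    for name, msg in (("good", GOOD_PO), ("truncated", TRUNCATED_PO),
                      ("miskeyed", MISKEYED_PO)):
        print(name, process_inbound(msg, log))
    print(f"{len(log)} receipts logged, {sum(e['accepted'] for e in log)} accepted")
```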

 

 

Control requirements for outbound transactions.

That is, the transactions moving from my system to my partner's system.

Again, maintain a log of each outbound transaction. Transactions are to be compared with the trading partner's input, that is, reconciliation between my output and my partner's input. Proper segregation of duties is needed for high-risk transactions. For authentication and authorization, appropriate segregation of duties should be maintained.

 

CISA exam perspective:

 

What is the major risk of EDI transaction?

 

EDI means a system connecting two organizations, two partner organizations.

Major risk will be absence of proper agreement.

 

What is the objective of encryption?

To ensure the integrity and confidentiality of transactions.

 

How are the inbound transactions controlled in an EDI environment?

By maintaining logs for receipt of inbound transactions, use of segment count totals, and use of check digits.

 

What is the objective of key verification control?

Key verification is the method where data is entered a second time and compared with the initial data entry to ensure that data entered is correct.

This is generally used in EFT transactions, where another employee re-enters the same data to perform this check before any amount is transferred.

 

What is the objective of non-repudiation?

Non-repudiation ensures that a transaction is enforceable and that the sender cannot deny generating and sending the message.

 

What is the most important component of the artificial intelligence/expert system area?

 

Knowledge base.

 

Practice questions.

 

Which of the following is the area of greatest concern in an EDI process?

Unavailability of contract.

 

Encryption helps in achieving which of the following objectives in an EDI environment?

Confidentiality and integrity of the transactions.

 

In an EDI environment, which of the following procedures ensures the completeness of an inbound transaction?

Building a segment count total.

 

In which of the following processes are details entered by one employee re-entered by another employee to check their accuracy?

Key verification.

 

Which of the following is used in an e-commerce application to ensure that a transaction is enforceable?

Non-repudiation.

 

Internal Controls

Internal controls and the different forms of internal controls.

 

Internal controls provide reasonable assurance to management about the achievement of business objectives.

Internal controls are implemented through policies, procedures, practices, and organizational structures to address risks.

Internal controls help in achieving the objectives of the organization by mitigating various risks.

Through internal controls, risk events are prevented, or detected and corrected.

 

Thus, the objective of implementing internal controls is to provide reasonable assurance to management about the achievement of business objectives.

 

There are primarily four types of controls. They are preventive, detective, corrective and deterrent.

 

Preventive controls are designed to be implemented in such a way that prevents a threat event and thus avoids any potential impact of that threat event.

Detective controls are designed to detect a threat event once that event has occurred. Detective controls aim to reduce the impact of such events.

Corrective controls are designed to minimize the impact of a threat event once it has occurred, and help in restoring a business to normal operations.

 

The purpose of a deterrent control is to give a warning signal to deter a threat event.

 

 

Examples of preventive controls include: use of qualified personnel, segregation of duties, edit checks, firewalls, et cetera.

Examples of detective controls include: internal audits, parity and checkpoint controls, echo control, et cetera.

Examples of corrective controls include: BCP, DRP, et cetera.

Examples of deterrent controls include: CCTV cameras or under surveillance signs, et cetera.

 

 

Let us understand the different types of controls by evaluating a few examples.

 

Hash total.

A hash total is a value calculated by applying a hash function to a set of data elements. By comparing the hash totals of data sets, we can determine whether the data has been altered, tampered with or corrupted in any way. If the hash totals match, it indicates that the data has likely remained intact. However, if the hash totals differ, it suggests that changes have occurred, and further investigation is required. Thus, hash totals are primarily considered a detective control.

 

Rerun procedures.

Rerun procedures involve repeating or re-executing a specific process or task to rectify the situation. These procedures aim to achieve the desired outcome or restore the system to a proper state. Thus, rerun procedures are primarily considered a corrective control.

 

Log reviews.

Log reviews are considered detective controls because they involve the examination and analysis  of system logs, event logs, or audit logs to identify anomalies, suspicious activities or potential security incidents that may have occurred.

Thus, log reviews are considered as detective control.

 

Contingency planning.

Contingency planning often includes developing procedures and protocols for responding to incidents or disruptions that have already occurred. These response plans outline the steps to be taken to mitigate the impact of the incident, minimize downtime, and restore normal operations. The focus is on correcting the situation and recovering from the incident. Thus, contingency planning is considered a corrective control.

 

Transaction authorization.

Transaction authorization involves establishing a formal process by which transactions are reviewed

and approved before they are executed or processed.

This process ensures that transactions meet specific criteria such as proper approval levels, sufficient funds or resources and compliance with policies or regulations.

Thus, transaction authorization is considered as a preventive control.

 

Error messages over tape label.

By monitoring the error messages displayed on tape labels, organizations can proactively identify potential issues such as data corruption, incomplete backups or failed tape operations.

These error messages act as a form of detective control by providing real-time feedback about the health and integrity of the tape data.

Thus, error messages are considered as a detective control.

 

Exam perspective Internal controls

"Segregation of duties is an example of which type of control?"

The answer should be preventive control.

Segregation of duties involves separating critical functions or responsibilities among multiple individuals to ensure that no single person has complete control over a process or transaction from start to finish.

This control helps prevent fraud, errors, and misuse of resources by reducing the likelihood of unauthorized activities or intentional misconduct.

 

"Controls that enable a risk or deficiency to be corrected before a loss occurs are known as?"

The answer should be corrective control.

 

 "Controls that directly mitigate  a risk or lack of controls directly acting upon a risk are known as?"

The answer should be compensating control.

Compensating controls are typically put in place when organizations cannot fully implement

a required control due to various reasons, such as technical limitations, cost constraints, or compatibility issues.

Rather than leaving the vulnerability or security gap unaddressed, compensating controls are implemented to reduce the risk to an acceptable level.

 

CISA questions

Question 1.

An organization has designed a well-structured process documentation to prevent processing errors.

This is an example of?

The correct answer is preventive control.

 

Preventive controls are measures put in place to avoid or minimize the occurrence of errors, risks, or problems.

They are proactive in nature and aim to prevent issues from happening in the first place.

By documenting the processes and providing clear guidelines, the organization is taking steps to prevent errors by ensuring that employees have access to accurate information and instructions.

 

Detective controls, on the other hand, are designed to identify errors or problems after they have occurred.

Corrective controls are implemented to address and rectify errors or problems that have been detected.

 

Deterrent controls are measures put in place to discourage individuals from engaging in undesirable behaviors or actions.

 

Question 2.

 

An organization has designed a control that enables a deficiency to be corrected before a loss occurs.

This is an example of?

The correct answer is corrective control.

 

Corrective controls are designed to minimize the impact of a threat event once it has occurred

and help in restoring the routine operations of the business.

 

Question 3.

 

Utilizing a service of only qualified resources is an example of?

The correct answer is preventive control.

 

Preventive controls are measures put in place to prevent errors, risks, or problems from occurring in the first place.

By ensuring that only qualified resources are utilized, the organization aims to prevent potential issues that may arise from the use of unqualified or inexperienced individuals.

 

 

Question 4.

 

A check subroutine that identifies an error and makes a correction before enabling the process to continue

is an example of what kind of control?

The correct answer is corrective control.

 

A check subroutine refers to a specific section of code or a function that is designed to validate or verify certain conditions or inputs.

It is a routine or procedure that performs checks or tests to ensure the correctness, integrity, or compliance of data, processes, or systems.

The check subroutine serves as a control mechanism that detects errors and takes corrective action to fix them before allowing the process to continue.

By automatically identifying and correcting errors, the control aims to prevent further issues or negative consequences that could occur if the error were to persist.

 

Question 5.

 

An organization has put up warning signs restricting unauthorized entry to its data center. This is an example of?

The correct answer is deterrent control.

 

Deterrent controls are measures put in place to discourage individuals from engaging in undesirable behaviors or actions.

In this scenario, the warning signs serve as a deterrent by clearly indicating that unauthorized entry is restricted.

The purpose of these signs is to create awareness and communicate the consequences of unauthorized access, thus deterring individuals from attempting to enter the data center without authorization.

 

Question 6.

 

An organization has implemented echo protocol in its telecommunication channel. This is an example of?

The correct answer is detective control.

 

In the context of telecommunication and networking, an echo message refers to a type of message that is sent from one device or system to another with the purpose of testing the round trip time or latency of the communication channel.

Echo messages can be used for diagnostic purposes, troubleshooting network problems, or monitoring network performance.

They provide valuable information about the quality and efficiency of the communication channel, allowing administrators to identify and address any issues that may be impacting the overall communication experience.

 

Question 7.

 

Checkpoints in a production job are examples of what kind of control?

The correct answer is detective control.

 

By implementing checkpoints, the organization can track the job's execution and compare it against predetermined criteria or expectations.

 If any deviations or errors are detected at the checkpoints, they can be flagged and appropriate actions can be taken to investigate and resolve the issues.

 

Question 8.

 

Controls that minimize the impact of a threat are what kind of controls?

The correct answer is corrective controls.

 

Corrective controls are designed  to minimize the impact of a threat event once it has occurred and help in restoring to the routine operations of a business.

Examples of corrective controls include business continuity planning, disaster recovery planning, incident response planning, et cetera.

 

Question 9.

 

Controls that indirectly address a risk or address the absence of controls  that would otherwise directly act upon that risk are what kind of controls?

The correct answer is compensating controls.

 

Compensating controls are put in place when it is not possible or practical to implement the primary or ideal control measures.

These controls are designed to counterbalance or compensate for the shortcomings of the primary controls, reducing the risk to an acceptable level.

 

Question 10.

 

An organization has implemented biometric access control for entering one of its critical databases.

This is an example of?

The correct answer is preventive control.

 

Biometric access control systems use unique physiological or behavioral characteristics such as fingerprints, iris patterns, or facial recognition to verify the identity of individuals seeking access.

By using biometrics, the organization aims to prevent unauthorized individuals from gaining entry to the database, protecting sensitive information and reducing the risk of data breaches or unauthorized use.

 

 

Question 11.

Which of the following risks represents a process failure to detect a serious error?

The correct answer is control risk.

 

Control risk refers to the risk that internal controls in an organization are not effective in preventing or detecting errors, fraud, or non-compliance.

It signifies the possibility that control measures are not properly designed, implemented, or functioning as intended, which can lead to errors or issues going undetected.

 

 

Question 12.

Which of the following statements best describes detective controls and corrective controls?

The correct answer is that detective controls are used to identify that an error has occurred and corrective controls fix a problem before a loss occurs.

 

Detective controls are designed to detect or indicate that an error has occurred.

Examples of detective controls include audits, hash totals, echo controls, and so on.

 

Corrective controls are designed to correct a risk or deficiency to prevent losses.

Examples of corrective controls include business continuity planning, backup procedures, and more.

 

Risk - Understanding of Risk

 

How do we define risk?

There are multiple definitions of risk.

These are some of the definitions from widely accepted sources, but for the exam we need not worry about any of them.

All the above definitions directly or indirectly use two words.

What are they?

Probability and impact.

 

So for us, risk is probability and impact, and we need not worry about any of the above definitions from an exam perspective.

In simple language, risk is the product of probability and impact.

Both probability and impact should exist to constitute a risk.

 

Let us take an example.

Risk of rain damaging equipment.

 

How to calculate this particular risk? In scenario one, we have a 0% chance of rain as the probability, whereas the impact is equipment costing $10,000.

So what will be the risk in this case?

As there cannot be any rain, there is no chance of the equipment being damaged. So there is zero risk.

 

In another scenario,

There is a hundred percent chance of rain, but the equipment is worth only $0, maybe all scrap items.

So here again risk will be nil.

 

This indicates that both probability and impact play an important part in calculating risk. So even if my equipment costs $10,000, if my probability is zero, my risk will be zero.

On the other hand, even if I have a hundred percent probability, if my equipment is worth zero, my risk will also be zero.

 

Exam perspective.

 

Risk can be defined as?

product of probability and impact.

 

 

Once the likelihood has been determined

What should be the next step?

Likelihood means probability.

To determine the risk we need to have two elements, probability and impact.

So the next step is to determine the magnitude of the impact.

 

Let us practice some questions.

 

Risk can be defined as?

 

product of probability and severity of the impact.

 

Next question.

 

Once the likelihood of an event has been determined, Which of the below factors would be assessed next?

Severity of impact.

 

The most important factor for evaluation of the risk is to?

consider the probability and likelihood of loss.

 

Risk evaluation should take into account the potential size  and likelihood of a loss. Though other factors are important, the impact of the risk should be the primary driver for risk evaluation.

 

Inherent risk: it is the residual risk that is more relevant. It is not mandatory to protect all the assets.

Review of incidents that occurred in similar companies: this is not a primary factor.

 

Next question.

 

The most important factor for mitigation of risk is to?

This question concerns the risk mitigation strategy, that is, what kind of control is to be implemented and which risk is to be controlled first. In such cases, the answer is that it is important to rank the risks first.

Ranking the risks helps the organization to determine the priority, and resources should be utilized to address the top-level risks.

Threats and vulnerabilities are more important from a risk identification perspective rather than a risk mitigation perspective.

Risk owner identification is more important during risk analysis.

 

It is not possible to address or it is in fact not practical to address all the risks.

 

Threat and vulnerability and their relationship.

One of ISACA's favorite and most preferred games is to get us confused between the terms threat and vulnerability during the CISA exam.

 

So basically, a threat is the potential danger or harm.

An example of a threat can be a robber trying to break into your house or a virus trying to infect your computer, whereas a vulnerability is a weakness that makes you more exposed to threats.

 

 For example,

leaving your front door unlocked is a vulnerability because it makes it easier for a robber to get into your house.

 Similarly, not updating your computer's antivirus software is a vulnerability because it makes it easier for viruses to infiltrate your system.

 

Also, another important point to understand is that an organization cannot have any control over a threat.

You cannot stop anyone from becoming a robber, right?

 

Whereas a vulnerability can be controlled by the organization by taking appropriate action.

 

In this image, the sweet little kid is vulnerable as he cannot defend himself.

The cat is the threat factor.

 

Other examples of threats include hackers, earthquakes, fire, malware, system failure, criminals, and many other unknown forces.

Examples of vulnerabilities include missing antivirus, weak coding, weak access control, et cetera.

 

 

Practical exercise to understand both terms more precisely.

 

So when I say the door is open, please close it to avoid thieves. If they get in, we will be robbed.

So what is the threat here and

what is the vulnerability and

what is the risk?

 

 

In this scenario,

thief is a threat.

We cannot control the thief. We cannot dictate to him what to do and what not to do.

 

In this scenario,

an open door is a vulnerability. We can control the vulnerability by taking appropriate action.

So overall risk when a thief takes advantage of open door is robbery.

 

Let us take another example.

If antivirus software is not updated regularly, then a new type of virus can destroy our data.

 

 In this scenario,

virus is a threat.

We cannot control hackers who create different types of viruses.

 

But we can control viruses from entering our organization by installing and keeping updated antivirus software.

In this scenario,

expired antivirus is a vulnerability.

So overall risk when a virus takes advantage of expired antivirus software is compromise of data by way of data leakage or data destruction.

 

Three Types of RISK

 

Types of risk.

The first one, and a very important one, is inherent risk. Inherent risk is basically the risk before controls; we call it gross risk.

Then we have residual risk. Residual risk is the risk that remains after controls. So we take the inherent risk, we apply the controls, and what we get is the residual risk.

Now, control risk. Control risk is basically ineffective controls: though controls are in place, they are not effective.

We also have detection risk. Basically, it speaks about an ineffective audit.

Then we have audit risk. Audit risk is the sum total of inherent risk, control risk and detection risk.

 

 Let us differentiate between

 

Inherent risk and residual risk.

 

So first,

Inherent risk.

The risks that an activity would pose if no controls or other mitigative factors were in place.

 

We call it gross risk or risk before controls.

 

Residual risk.

Risk that remains after controls are taken into account.

We call it net risk or we call risk after controls.

 

So now, how to differentiate both in detail.

 

Inherent risk is the gross risk and

The residual risk is net risk.

 

Inherent risk is Risk before control,

The residual risk is risk after control.

 

So if you take inherent risk and apply the controls, what you get is residual risk.

 

control risk.

 

What is control risk?

The risk that a misstatement could occur but may not be detected and prevented by the entity's internal control mechanism,

that is ineffective controls.

Here though controls are in place they are not that effective.

 

What are detection risks?

It is an ineffective audit.

Risk that the auditors fail to detect a material misstatement in the financial statement.

 

So what is audit risk?

Audit risk is the sum total of inherent risk, control risk and detection risk.

 

Let us make the concepts clearer.

So for example,

 

First question

The risk of a business or process making an error that is material in nature, assuming there are no internal controls?

 

So when there are no internal controls there is inherent risk.

So answer here will be inherent risk.

 

Control risk means the risk that, even though controls are in place, they are not effective.

Detection risk is the risk where the auditor fails to identify a material misstatement in the financial statements.

 

Next question.

The risk that the controls put in place will not prevent, correct, detect error on a timely basis?

Answer is  control risk.

 

Next question.

The actions of an IS auditor are most likely to affect which of the following risks?

Options - whether inherent, detection, control or business?

 

Answer - The auditor's actions basically affect detection risk.

Detection risk is the risk that the auditor fails to identify a material misstatement or error in the financial statements.

Again,

inherent risk is the risk without any controls. Control risk is the risk where controls are in place but are not effective.

 

Next question.

The risk that an IS auditor certifies the existence of proper systems and procedures when they are not actually in place?

So again, here

it is an ineffective audit, and so our answer will be detection risk.

 

Next question.

Log reviews may not result in timely detection or correction of errors. This is an example of?

Options -  Inherent, control, detection or race condition risk.

 

Now, log reviews are basically a kind of control, but they are not effective, in the sense that timely detection or correction of errors is not happening. So even though controls are in place, they are not effective,

so the risk that we are facing here is control risk.

 

Risk response methods: risk treatment plans.

Let us discuss

risk mitigation,

risk avoidance,

risk acceptance,

risk transferring,

risk sharing.

 

 M A A T,

Mitigation,

Acceptance,

Avoidance,

Transfer.

 

Now,

 

Risk mitigation is also known as risk reduction, while

risk transfer is also known as risk sharing.

 

Risk mitigation,

The objective is to reduce the risk to an acceptable level.

 

Efforts are made over here, to reduce the probability or impact of the risk event by designing appropriate controls.

Either probability is reduced or impact is reduced.

Risk Acceptance

 In this approach, risk is accepted as it is. No steps are taken to reduce the risk.

This is more prevalent where the cost of controlling the risk is more than the cost of the risk event.

Risk Avoidance

 In this approach projects or activities that cause the risk are avoided.

Risk avoidance is the last choice when no other option is adequate.

Risk transfer

In this approach, risk is shared with partners, or transferred via insurance coverage, contractual agreement, or some other means.

Risk transfer option is generally used for the events with low probability, but high impact.

 

Examples for each option.

 

Risk mitigation,

installing a firewall to mitigate the risk of unauthorized access.

Risk Acceptance

The cost of anti-malware installation is more than the anticipated cost of damage from a malware attack.

In such cases it is preferable to accept the risk rather than making any investment.

 

Risk avoidance,

declining a project when the business case shows a high risk of failure, so as to avoid that particular project.

 

Risk transfer

 Example, taking insurance for damage due to natural disasters

where the probability of disaster is very low, but there can be a high impact.

 

So, what is the most risky approach among the four options?

 

Risk acceptance,

Organizations need to be extremely careful while accepting a risk.

If risk is accepted without knowing the correct level of risk, it may result in a higher level of liabilities.

 

Recap: Exam perspective

 

So, out of four options, in which option

 

risk is reduced to an acceptable level?

Answer = Risk Mitigation

 

 In which option,

risk is accepted as it is, without taking any action.

Answer = Risk acceptance

 

Which option is the last choice for risk response?

Answer = risk avoidance

 

Example of insurance coverage?

Answer = Risk transfer

 

In which options, no steps are taken to reduce the risk?

Answer = Risk acceptance

 

Natural disasters are covered through?

Answer = Risk transfer

 

The cost of anti-malware is more than the cost of damage; which option would you choose?

Answer = Risk acceptance

 

 In which option a project is declined because of high risk?

Answer = risk avoidance

 

Which option carries the chance of higher liabilities?

If you accept the risk without knowing the actual level of risk, it may result in higher liabilities. Answer = Risk acceptance

Exam perspective.

Risk response where cost of control exceeds the cost of risk event?

Answer = Risk Acceptance

 

Risk avoidance can be done by?

Answer = Exiting the process that causes the risk.

 

Risk response options that are most likely to increase the liability?

Answer = Risk acceptance

 

Risk response in which a process is outsourced to a professional organization having expert knowledge is?

Answer = Risk mitigation

 

Most suitable risk response where the risk related to a specific business process is greater than the potential opportunity?

Answer = Risk avoidance, i.e. avoid that process.

 

Risk response in the form of purchasing insurance is?

Answer = Risk transfer

 

What is the most important aspect for risk mitigation?

Answer = To ensure that risk is reduced to an acceptable level.

 

Most effective way to treat a risk with a low probability and a high impact, such as natural disaster.

Answer= Best way is to transfer the risk through insurance.

 

Practice questions.

 

Most effective risk response where the cost of installing anti-malware software exceeds the expected loss from the threat is?

Answer: Risk acceptance

 

Characteristic of risk avoidance is?

Answer: Stop the process that gives rise to the perceived risk.

 

When a risk practitioner recommends implementation of various controls to protect IT resources, which of the following approaches is recommended?

Answer: Risk mitigation

 

Risk response that most likely increases the liability of the organization is?

Answer: Risk acceptance.

 

Outsourcing of a process is an example of?

Answer: Risk mitigation.

 

In a scenario where risk is greater than the potential opportunity, the best risk response is?

Answer: Risk avoidance.

 

Taking insurance is an example of?

Answer: Risk transfer

 

Which of the following is utilized by a risk practitioner to propose a risk mitigation activity?

Answer: Business case.

 

To ensure that information system control deficiencies are appropriately remediated, a risk practitioner should review?

Answer: Risk mitigation plan.

 

Objective of risk mitigation is?

Answer: To reduce the risk to an acceptable level.

 

Best response for a risk scenario with low probability and high impact, like a natural disaster, is?

Answer: Risk transfer.

 

Key Aspects of Risk based Auditing

 

The most important step in a risk assessment is to identify what?

The most important step

is to identify threats and vulnerabilities.

 

In risk based audit planning, an IS auditor's first step is to identify what?

The first step is to identify high risk areas.

 

Once the threats and vulnerabilities are identified, what should be the next step?

To identify and evaluate the existing controls. This helps us draw conclusions about the residual risk.

 

What is the advantage of risk based audit planning?

 It helps to plan the resources as per high risk areas.

 

What does the level of protection of information assets depend on?

Level of protection means whether there should be stringent controls, moderate controls, mild controls or no controls.

It depends on the criticality of the assets.

 

What is the risk that is influenced by the actions of an auditor known as?

The risk influenced by the actions of an auditor

is termed detection risk.

Detection risk refers to the risk that an internal audit fails to identify or detect irregularities.

 

What is audit risk?

Audit risk is the combination of inherent risk, control risk and detection risk.

 

Now let us understand

 

what is

inherent risk.

Inherent risk means gross risk or risk before implementing any control.

 

Control risk

means implemented controls are not effective and

 

detection risk means

the audit process is not effective.

 

So auditors should be concerned about inherent risk, control risk, and detection risk.

 

 

Risk is the product of?

P and I, that is, probability and impact.

 

Risk is the product of probability and impact.

 

If probability is zero and there is a huge impact, risk is zero because there is no probability.

 

On the other hand, if there is a high probability but the impact is zero, then also there is no risk, as there is no impact.

So both the elements should be present to constitute a risk.

 

What are the results of risk management processes used for?

To design the controls.

 

Management of risk to an acceptable level is the responsibility of?

senior management.

 

Absence of proper security measures is known as?     

 vulnerability.

 

What is the advantage of bottom-up approach for development of organizational policies?

Policies are developed on the basis of risk assessment.

 

Risk, before the controls are applied is known as?

inherent risk / gross risk.

Once the controls are applied, it is known as residual risk or net risk.

 

QAE Risk based Auditing

Q1 Which of the following is the most critical aspect of a risk analysis?

Answer: To identify the vulnerabilities.

 

Q2 What is the initial step in a risk focused audit planning?

Answer: To identify the high-risk processes.

 

Q3 What is the main objective of conducting a risk assessment?

Answer: To ensure that critical vulnerabilities and threats are recognized.

 

Q4 What should be the next step of an IS auditor after identifying the threats and vulnerabilities in a business process?

Once threats and vulnerabilities are identified next step is to identify the current level of controls.

 

Q5 Which of the following is the main benefit of risk-based audit planning?

To focus on high-risk areas.

 

Q6 Which of the following should be the primary focus when considering the level of security of an IT asset?

 Criticality of the IT assets.

 

Q7 The actions of an IS auditor are most likely to influence which of the following risks?

Detection risk.

Detection risk refers to the risk that the internal auditor fails to identify or detect irregularities.

 

Q8  What is the risk of an inadequate audit methodology known as?

Detection risk.

 

Q9 A particular threat within the overall business risk is expressed as?

Product of probability and impact.

 

Q10 Which of the following is the first step in performing risk assessment of an information system?

The first step will be to review the threats and vulnerabilities impacting the assets.

 

Q11 What is the first step in evaluating the security controls of a data center?

To evaluate the threats and vulnerabilities applicable to the data center site.

 

Q12 What does the classification of information assets help to ensure?

That the information assets are subject to suitable level of protection.

They are not underprotected. They are not overprotected.

 

Q13 Which of the following should be performed first in a risk-focused audit?

To analyze the inherent risk.

 

Q14 In a risk-focused audit, which of the following is the most critical step?

To determine the high risk processes.

 

Q15 Which of the following options best describes the process of assessing a risk?

Risk assessment is subjective.

 

Q16 What is the outcome of a risk assessment exercise utilized for?

To implement relevant controls.

 

Q17 With whom does the responsibility of managing risks to an acceptable level rest?

Senior business management.

 

Q18 Which of the following is a major factor in the evaluation of IT risk?

Finding vulnerabilities and threats that are applicable to IT assets.

This is a very important and major factor.

 

Q19  An IS auditor has determined a few vulnerabilities in a critical application. What should their next step be?

To identify the threats and their likelihood of occurrence.

 

Q20 What does a lack of appropriate control measures indicate?

Vulnerability.

 

Q21 Which of the following is the first step in a risk management program?

To identify the asset.

We should know what we are going to protect.

 

Q22 What is the advantage of a bottom-up approach to the development of enterprise policies?

They are created on the basis of risk analysis.

 

Q23 The mitigation of risk can be done through which of the following?

By implementing the controls.

Q24 The most important factor when implementing the controls is to ensure that control does which of the following?

The controls help to mitigate the risk.

Q25 The absence of an internal control mechanism is known as:

Inherent risk.

Absence of an internal control mechanism means there is no control as of now; this is known as inherent risk, that is, risk before controls.

 

Q26  Which of the following represents the risk that the controls will not prevent, correct, or detect the errors in a timely manner?

Controls are present, but they are not effective. This is known as control risk.

 

Q27 What is the primary consideration when evaluating the risk management process?

All relevant risks must be recognized and documented for the analysis.

 

Q28 What is the best approach when focusing an audit on a high-risk area?

To perform a risk assessment first and then to concentrate on high-risk areas.

 

Q29 In a risk based audit approach, which of the following is the least relevant to audit planning?

Adoption of mature technology by the organization.

 

Steps of risk assessment

Steps to be followed while conducting a risk assessment.

 

So now, there are six steps for this assessment activity.

 

So what are these six steps?

First Step:

One is to understand the business environment.

It is the basic requirement of any risk assessment activity to understand the business environment.

 

What is the

Second step?

Identify the critical assets.

So next, once you are aware of the business environment, you need to identify the critical assets that support that particular business.

Third one is?

Identify all potential risks for those critical assets.

You identify the business environment, you identify the assets that support that business environment, and then you identify the risks that apply to those critical assets.

 

Fourth one is?

Now, not all risks are equally important,

because their impact may not be that much. So we need to prioritize the risks in order of their criticality.

Fifth one?

Now, for each risk, we can have multiple control mechanisms.

Not all mechanisms may be relevant, in the sense that the cost of a control should always be less than the cost of the risk.

So we need to evaluate all the available control mechanisms. And then

 

Last step?

We need to apply the relevant controls.

 

So again,

first step is to understand the business environment,

you understand the critical assets that support the business environment,

you identify the risk for the critical assets,

you prioritize all the risk,

you evaluate the control mechanism, and

then, whichever control mechanism is relevant,

you apply that particular control mechanism.
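As an added worked example (not part of these course notes), the six steps above as a small Python script: a constructed register of critical assets and their risks is scored as probability x impact (inherent risk), prioritised by that score, and each candidate control is kept only when its annual cost is below the expected loss it removes, otherwise the remaining risk is accepted; insurance is modelled as a control of kind "transfer", so the script also maps each risk onto the accept/mitigate/transfer responses. The asset names, figures, the expected-loss scoring and the greedy selection rule are all assumptions for illustration, not ISACA formulas.

```python
"""Added example: walking a constructed risk register through the six steps.

Assumptions (not from the course notes): risk is scored as annual expected loss
(probability x impact), a control is worth keeping only if its annual cost is
below the expected loss it removes, and insurance is modelled as a control of
kind "transfer". Every name and figure below is made up for illustration.
"""
from dataclasses import dataclass, field
from typing import List


@dataclass
class Control:
    name: str
    annual_cost: float
    prob_reduction: float = 0.0    # fraction by which probability drops (0..1)
    impact_reduction: float = 0.0  # fraction by which impact drops (0..1)
    kind: str = "mitigate"         # "mitigate" or "transfer" (e.g. insurance)


@dataclass
class Risk:
    asset: str                     # step 2: critical asset
    scenario: str                  # step 3: potential risk to that asset
    probability: float             # annual likelihood, 0..1
    impact: float                  # loss per event, currency units
    candidate_controls: List[Control] = field(default_factory=list)

    def inherent(self) -> float:
        """Gross risk, risk before controls: P x I."""
        return self.probability * self.impact

    def residual(self, controls: List[Control]) -> float:
        """Net risk after the given controls are applied."""
        p, i = self.probability, self.impact
        for c in controls:
            p *= 1 - c.prob_reduction
            i *= 1 - c.impact_reduction
        return p * i


def prioritise(risks: List[Risk]) -> List[Risk]:
    """Step 4: order risks by criticality (highest inherent risk first)."""
    return sorted(risks, key=lambda r: r.inherent(), reverse=True)


def select_controls(risk: Risk) -> List[Control]:
    """Step 5: evaluate candidate controls, cheapest first, keeping a control
    only when its cost is less than the expected loss it removes."""
    chosen: List[Control] = []
    current = risk.inherent()
    for c in sorted(risk.candidate_controls, key=lambda c: c.annual_cost):
        after = risk.residual(chosen + [c])
        if c.annual_cost < current - after:
            chosen.append(c)
            current = after
    return chosen


def treatment(chosen: List[Control]) -> str:
    """Map the selected controls onto the risk response options."""
    if not chosen:
        return "accept"       # cost of control exceeds cost of the risk event
    if all(c.kind == "transfer" for c in chosen):
        return "transfer"
    return "mitigate"


def build_plan(risks: List[Risk]) -> dict:
    """Step 6: the treatment plan, keyed by asset, in priority order."""
    plan = {}
    for r in prioritise(risks):
        chosen = select_controls(r)
        plan[r.asset] = {
            "scenario": r.scenario,
            "inherent": r.inherent(),
            "controls": [c.name for c in chosen],
            "residual": r.residual(chosen),
            "treatment": treatment(chosen),
        }
    return plan


# Constructed register (step 1, the business environment, is assumed known).
RISKS = [
    Risk("payroll application", "unauthorised change to salary data", 0.30, 200_000, [
        Control("change-approval workflow", 15_000, prob_reduction=0.8),
        Control("quarterly access review", 5_000, prob_reduction=0.5),
    ]),
    Risk("public web server", "defacement", 0.50, 10_000, [
        Control("web application firewall", 20_000, prob_reduction=0.9),
    ]),
    Risk("data centre", "flood", 0.01, 5_000_000, [
        Control("pumps and raised floor", 80_000, impact_reduction=0.5),
        Control("flood insurance", 20_000, impact_reduction=0.9, kind="transfer"),
    ]),
]

if __name__ == "__main__":
    for asset, entry in build_plan(RISKS).items():
        print(f"{asset:22} inherent={entry['inherent']:>10,.0f} "
              f"residual={entry['residual']:>8,.0f} {entry['treatment']:8} {entry['controls']}")
```

Running it shows the three responses side by side: the payroll risk is mitigated by both controls (residual 6,000 against 60,000 inherent), the web-server defacement is accepted because the firewall would cost more than the 5,000 expected loss it addresses, and the low-probability, high-impact flood is transferred through insurance while the 80,000 pumping installation is rejected on cost. Avoidance (dropping the activity) is the one response the script does not model.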

 

Q1 Most important step in this analysis is to identify?

Options - critical assets, controls, vulnerabilities, and liabilities.

 

If you see in our earlier slide, we discuss what are the steps of risk assessment.

First one is we will identify the business environment.

Second one is we will identify the critical assets that support that particular business environment.

So in this question, we do not have an option on our business environment.

So my answer in this question will be to identify the critical assets.

Once the critical assets have been identified,

the next step will be to determine the risks, the controls and so on.

 

Q2 Next question. In risk-based audit planning, what would be the IS auditor's first step?

Options: Responsibilities of stakeholders, high-risk area within the organization, cost center controls.

 

So again, if you'll see the steps, first is business environment,

Second is assets, third is high-risk and so on.

But we do not have the option of a business environment, and critical assets.

So the third of our steps, that is, identification of the critical risks, will be our answer here.

That is option B, high-risk areas within the organization.

Q3 Let us understand one more question, which actually resembles the question asked in the CISA exam.

 

An IS auditor, during a post office audit, identifies certain threats and vulnerabilities. What should be the next step?

Options: identify the stakeholders for that particular business, identify the information assets and underlying systems, disclose the threats and impacts to management, identify and evaluate the existing controls.

 

So once threats and vulnerabilities are identified,

as we saw in the earlier slide, the next step is to find out what controls are actually in place.

So if threats and vulnerabilities are there, but proper mitigating controls are in place, then fine.

If the residual risk is within management's acceptance level, then we need not go for options A, B and C.

So here, once threats and vulnerabilities are identified, our next step is to check whether any existing controls are there

that mitigate those particular threats and vulnerabilities.

So the answer is D, identify and evaluate the existing controls.

 

Q4 Next question. An IS auditor is evaluating management's risk assessment of information systems. What should be reviewed first?

Options: the controls already in place, the effectiveness of the control mechanisms, the mechanism for monitoring the risks, and the threats and vulnerabilities affecting the assets.

 

So here, first we need to understand what the risks are.

Only if we understand what the risks are will we be able to judge what the controls should be, whether the controls are effective, and whether the risks have been identified and monitored properly.

So our answer here will be to understand the threats and vulnerabilities affecting the assets.

Once you know this, options A, B and C are the next steps.

 

Q5 Let us take one more example. An IS auditor is reviewing a data center. What should be the first step?

Options: evaluate physical access controls, determine the vulnerabilities and threats, review the screening process, or evaluate logical access controls.

 

So the other three controls, options A, C and D, will be relevant only once the auditor knows what the vulnerabilities and threats to that particular data center are.

Once the risks are identified, the auditor can evaluate the controls, and then check whether the relevant controls are in place and actually effective.

So the answer here is that the first step is to understand the vulnerabilities and threats to the data center site.

 

Q6 Let us take one more example. So again, in a risk-based audit approach, what should the IS auditor do first?

Options: inherent risk assessment, control risk assessment, test of controls, substantive testing.

Inherent risk assessment means assessment of particular assets without any control mechanism. So it is basically gross risk assessment, or risk assessment before any controls.

Control risk assessment means assessing whether the controls that are in place are actually effective. Ineffective controls are known as control risk.

Tests of control check the same thing, whether controls are effective. Substantive testing means testing of transactions.

 So here, first step, he will understand what are the actual risks before implementation of the controls.

 So the answer will be inherent risk assessment.

 

Q6 So again, one more question. In planning an audit, the most critical step is the identification of the?

Options:  area of high-risk, skillset of the audit staff, test steps in the audit and time allotted for the audit.

 

So as we discussed earlier, only when the auditor knows what the areas of high risk are can the other points, B, C and D, be taken care of.

So the answer will be areas of high-risk.

 

Q7 Let us take one more example. An IS auditor is reviewing a payroll application and has identified some vulnerabilities. What should the auditor do next?

Option: report the vulnerabilities to management immediately.

 

No. Vulnerabilities can have a major impact, a minor impact or no impact at all.

So until the auditor identifies the impact of those vulnerabilities, there is no need to report directly to management.

Option: examine the application development process. This is irrelevant here.

 

Option: identify threats and likelihood of occurrence.

Exactly. So the very next step is to identify the impact of these vulnerabilities on this system, that is, the threats and their likelihood.

Once that is done, the auditor can take the next step: whether to recommend a new application, whether to report to management, or perhaps to examine the full application development process.

But those steps can only be taken once the threats and likelihood of occurrence have been identified.

 

Q8 Let us take one more example. An auditor is developing a risk management program. The first activity to be performed is?

Options:  vulnerability assessment, control evaluation, identification of assets, gap analysis.

 

So again, if you go to the steps, first is the business environment, second is asset, third is risk, and so on.

So in our question, the answer will be identification of assets.

 

Audit Project Management:

What are the steps for conducting an audit?

 

First step is to

 

determine the audit subject.

For example, the IT department is one of the subjects that I want to audit.

 

Define the audit objective.

So once your subject is ready, you decide what within this subject you are going to audit. For example, I want to audit adherence to the IS policy.

 

Then set the audit scope.

Which applications or locations are to be covered.

Pre-audit planning.

You need to do risk assessment, you need to have business knowledge and other relevant knowledge to conduct the audit.

 

Then you determine the audit process.

On the basis of risk assessment you decide what kind of audit resource you require, what kind of methodology you will adopt, what kind of sampling you will follow.

 

 Field work and documentation.

So in this step, you are evaluating the controls and documenting the evidence and doing the actual audit work.

 

Finally, the reporting phase.

The audit closure meeting, issuing the report, conducting the follow-up audit, etc., come under this particular phase.

 

The steps in chronological order.

So what will be the

First step?

To determine the audit subject. Once the subject is identified,

Next step 2 is to...

Define your objective.

Next step 3

You set the audit scope.

Step 4

Pre-audit planning: risk assessment, acquiring business knowledge and other relevant knowledge.

 

Step 5

You determine the audit process. What kind of methodology, what kind of sampling, what kind of audit resource you will use.

Step 6

Field work is the actual audit, that is, evaluating the controls and documenting the evidence. And

 

Final step

You report the observations.

 

Key aspects from the CISA exam perspective.

 

Q1 What does the information system audit provide?

Reasonable assurance about coverage of material items.

 

Q2 What is the primary reason for a functional walkthrough?

Functional walkthrough means understanding the business processes.

The primary reason is to understand the business process.

 

Q3 What is the major concern in the absence of established audit objectives?

If you are not clear about the audit objectives, what you want to audit and what the scope of the audit is, you will not be able to determine the key business risks.

 

Q4 What is the primary objective for performing risk assessment prior to the audit?

To allocate audit resources to the areas of high risk.

So in the risk assessment you identify which areas are critical and where audit resources are required.

 

Q5 What is the objective of the audit planning phase?

To conduct the risk assessment and determine the areas of high risk.

 

QAE Audit Management

Explanation with respect to Audit Project Management.

 

Q1 The first step to review a service-oriented application is?

A service-oriented application means an application that serves multiple clients through a set of services.

The first step is to understand the services and their allocation to the business processes.

 

Q2 An information system audit provides?

Reasonable assurance about the coverage of material items. It does not provide absolute assurance, and it is very difficult to cover all items.

 

Q3 The best sampling method when an IS auditor is concerned about fraud is?

When an IS auditor is concerned about fraud, the best sampling method is discovery sampling.

 

Q4 Which of the following is the first step in an audit project?

To develop an audit plan on the basis of risk assessment.

 

Q5 What is the primary goal during the planning phase of an IS audit?

To address the audit objectives.

 

Q6 What is the primary reason for a functional walkthrough?

Functional walkthrough means to gain knowledge about the function or the process.

To understand the business process.

 

Q7 An IS auditor has a strong suspicion of fraud during a preliminary investigation. What should they do next?

To collect more evidence for further investigation.

 

Q8 Which of the following is the first activity to be performed when developing a risk management program?

Inventory of assets. You first need to know what you need to protect.

 

Q9 An IS auditor has been assigned to audit a business continuity plan. The same auditor was involved in designing the business continuity plan. The IS auditor should?

To provide a disclaimer of conflict of interest to the audit management before accepting the audit.

 

Q10 Which of the following would be a major concern in absence of established audit objectives?

Answer: Established audit objectives means what is the purpose of the audit?

Not being able to determine the key business risk.

 

Q11 Which of the following is the next step once the audit findings have been identified?

To discuss the findings with auditee management to reach agreement on them.

 

Q12 The first step in developing an annual internal IS audit plan is to?

To determine the audit universe.

The audit universe means the list of all auditable processes.

 

Q13 What will be the immediate step once the business process to be audited is identified?

To determine the control objectives and activities.

 

Q14 The prime consideration in determining the objective and the scope of an audit is?

Statutory requirements as applicable to the organization.

 

Q15 Which of the following is the prime reason for performing a risk assessment before conducting the audit?

The risk assessment is performed to identify the high-risk area.

So the objective is to provide reasonable assurance that at least the high-risk areas are covered, that is, audit coverage of the material items.

 

Q16 The first step in the planning phase of an audit is?

During the planning phase, basically, we prepare the audit schedule, we decide the audit areas, we decide about the resource requirement.

So the first step in the planning phase is to conduct a risk assessment on the basis of which the above activity can be taken care of.

 

Q17 What should be the next course of action for an IS auditor once the potential material findings are discovered?

To conduct the additional test.

 

Q18 Which of the following is the best reason for a senior audit manager reviewing the work of an auditor?

Professional standards.

 

Q19 Which of the following is the best course of action if it is not possible to cover the total audit scope due to resource constraints?

To focus on high-risk areas.

Q20 The most reliable source of information when designing a risk-based audit plan is?

A risk-based audit plan means our objective is to audit the high-risk areas. The high-risk and critical areas are the ones that senior management is best placed to identify.

 

 

Once you have identified the business process to audit, determining the control objectives and activities is essential because it establishes the framework for evaluating the effectiveness and efficiency of that process.

 

Testing Concept- Sampling

 

Let us discuss

Two basic sampling techniques:

statistical and non-statistical.

 

In statistical sampling,

every item has an equal (known) chance of selection, so the results can be evaluated mathematically.

Whereas in non-statistical sampling,

selection is done on the basis of the auditor's judgment.

So for example, if an auditor feels that one particular employee is more prone to error, he will select a sample from the cases processed by this particular employee. So here, subjectivity and judgment of the auditor is involved.

 

Other main distinction between statistical and non-statistical

is that in statistical, probability of error can be quantified.

So for example, my total population is a hundred, and my sample size is 10. If I find one error out of 10, I can project an error rate of about 10% to the population. That cannot be done with non-statistical sampling.

 

And this is a very, very important point for the CISA exam.

 

So we need to remember: when the probability of error needs to be objectively quantified, select statistical sampling.

 

Now let us discuss

attribute and variable sampling.

So, a simple rule for attribute sampling:

In attribute sampling we can have answers as either yes or no. So either it's been complied or not complied. There cannot be any third answer.

 

On the other hand, variable sampling gives us more information than attribute data.

This is because it allows us to understand how much, or how bad, or how good, rather than just yes it's complied or no, it's not complied.

 

So it is generally applied in substantive testing.

 

Attribute sampling expresses its result as a percentage (a rate of occurrence), whereas variable sampling expresses it in monetary values, weights or other units.

 

So, two things we need to understand from the CISA exam point of view:

 

compliance testing goes with attribute sampling; substantive testing goes with variable sampling.

 

So please remember these terms.

 

AC: attribute compliance, VS: Variable substantive.

 

This is very, very important from a CISA exam point of view.

 

 

 Let us discuss

stop or go sampling and discovery sampling.

 

So, stop-or-go sampling.

It is used when the auditor believes that very few errors will be found.

It prevents excessive sampling by allowing an audit test to be stopped at the earliest possible moment.

 

Now, discovery sampling,

It is used when the objective of an audit is to discover fraud or other irregularities.

 

So, a point to remember for the CISA exam.

Whenever something like fraud or major irregularity is given, and then sampling technique is to be selected, we need to select discovery sampling.

 

Another important sampling topic.

 

What is the confidence coefficient?

It is the probability that the sample is truly representative of the population.

So, to have a high confidence coefficient, we need to select a large sample size.

In other words, if we select a large sample size, the confidence coefficient will be high.

 

So this is how it works.

So for example, if my population is a hundred, a sample of 90 gives me a high confidence level.

On the other hand, if I select a sample of only 25, my confidence will be much lower. So the higher the sample size, the higher the confidence.

 

In short, for a higher confidence coefficient we need a larger sample size.

 

So for the CISA exam, we need to remember,

Whenever the internal controls are strong, we need not have more sample size.

So confidence correlation or sample size may be lowered when strong internal controls are there.

 

On the other hand, when weak internal controls are there confidence correlation or sampling size need to be increased.

 

So, points to remember for the CISA exam.

Sampling.

Whenever compliance testing is there,

our answer should be attribute sampling.

So remember AC: Attribute for Compliance testing.

Whenever substantive testing is there,

our answer should be variable sampling. So remember VS:

Variable sampling for Substantive testing.

So whenever any indication of fraud is there,

our answer should be discovery sampling.

And when the probability of error needs to be objectively quantified,

we need to select statistical sampling. These are the core points on sampling.
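To make the attribute/variable distinction and the sample-size/confidence relationship concrete, here is an added Python illustration (it is not code from the original notes). It builds a constructed population of change tickets, runs an attribute sample (a deviation rate), a variable sample (a mean-per-unit estimate of total value), a discovery sample and a stop-or-go sample, and computes how the sample size needed for discovery sampling grows with the confidence coefficient. The population, its 5% approval-skip rate and the ticket amounts are all assumptions made for the example:

```python
import math
import random
import statistics

# Constructed population (not real audit data): 200 change tickets. 'approved'
# is the yes/no attribute a compliance test checks; 'amount' is the monetary
# value a substantive test measures. Roughly 5% of tickets skipped approval.
def build_population(size=200, seed=7):
    rng = random.Random(seed)
    return [
        {"id": i, "approved": rng.random() >= 0.05,
         "amount": round(rng.uniform(500.0, 20000.0), 2)}
        for i in range(1, size + 1)
    ]

def attribute_sample(population, sample_size, seed=1):
    """Attribute sampling (compliance test): how OFTEN does the control fail?
    The answer is a rate, never an amount."""
    sample = random.Random(seed).sample(population, sample_size)
    deviations = sum(1 for t in sample if not t["approved"])
    return {"sample_size": sample_size, "deviations": deviations,
            "deviation_rate": deviations / sample_size}

def variable_sample(population, sample_size, seed=1):
    """Variable sampling (substantive test): how MUCH is involved?
    Mean-per-unit estimate of the population total from the sample."""
    sample = random.Random(seed).sample(population, sample_size)
    sample_mean = statistics.mean(t["amount"] for t in sample)
    return {"sample_size": sample_size, "sample_mean": sample_mean,
            "estimated_total": sample_mean * len(population),
            "actual_total": sum(t["amount"] for t in population)}

def discovery_sample_size(confidence, critical_rate):
    """Smallest n such that a sample of n items contains at least one deviation
    with probability >= confidence, if the true deviation rate were
    critical_rate. Raising the confidence coefficient raises n."""
    return math.ceil(math.log(1 - confidence) / math.log(1 - critical_rate))

def discovery_sample(population, confidence, critical_rate, seed=1):
    """Discovery sampling: look for a single occurrence (fraud, irregularity).
    Returns the first deviating item found, or None if the sample is clean."""
    n = min(discovery_sample_size(confidence, critical_rate), len(population))
    for t in random.Random(seed).sample(population, n):
        if not t["approved"]:
            return t
    return None

def stop_or_go_sample(population, batch=10, max_items=60, seed=1):
    """Stop-or-go sampling: examine small batches and stop as soon as a batch
    is clean; extend only when a deviation turns up, up to max_items."""
    shuffled = random.Random(seed).sample(population, len(population))
    examined, deviations = 0, 0
    while examined < max_items:
        chunk = shuffled[examined:examined + batch]
        examined += len(chunk)
        found = sum(1 for t in chunk if not t["approved"])
        deviations += found
        if found == 0:
            break
    return {"examined": examined, "deviations": deviations}

if __name__ == "__main__":
    pop = build_population()
    print("attribute:", attribute_sample(pop, 40))
    print("variable:", variable_sample(pop, 40))
    for conf in (0.90, 0.95, 0.99):
        print(f"discovery n at {conf:.0%} confidence, 5% critical rate:",
              discovery_sample_size(conf, 0.05))
    print("stop-or-go:", stop_or_go_sample(pop))
    print("discovery hit:", discovery_sample(pop, 0.95, 0.05))
```

The discovery_sample_size formula is the standard one for finding at least one occurrence: with a 5% critical deviation rate, 90% confidence needs 45 items, 95% needs 59 and 99% needs 90, which is the "higher confidence, higher sample size" rule in numbers.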

 

 

Let us discuss some questions.

 

Q1 Use of statistical sampling will be more relevant as compared to judgment sampling when? Statistical

sampling is basically more relevant when we need the probability of error to be objectively quantified.

So options A and D are not correct, because neither of these two sampling techniques by itself removes sampling risk or audit risk.

 

Q2 Second question: the IS auditor is reviewing the internal controls of application software. The sampling method that will be most useful when testing for compliance is?

So remember AC: Attribute goes with Compliance.

So our answer should be attribute sampling.

So whenever compliance testing is there, our answer should be attribute sampling. And whenever substantive testing is there, our answer should be variable sampling.

So AC and VS.

 

Q3 With regard to the confidence coefficient, can it be said that?

If an auditor knows the internal controls are strong, the confidence coefficient may be lowered.

So for the CISA exam we need to remember: when internal controls are strong, the confidence coefficient may be lowered.

When internal controls are weak, we need a higher sample size and a higher confidence coefficient.

 

Q4 An IS auditor reviewing critical financial applications is concerned about fraud. Which of the following sampling methods would best assist the auditor?

Since we are concerned about fraud,

our sampling technique should be discovery sampling.

 

Q5 An IS auditor is determining the appropriate sample size for testing the effectiveness of the change management process (CMP). No deviation was noted in the last two years' audits, and management has assured that there has been no deviation in the process for the period under review. The auditor can adopt?

So from the question it seems that internal controls are strong.

As we already discussed,

when internal controls are strong, a lower confidence coefficient, resulting in a lower sample size, can be used.

 

Q6 Statistical sampling reduces which of the following risks?

Answer: Audit risk? No. Audit risk is made up of control risk, inherent risk, and detection risk.

Statistical sampling has no impact on control risk or inherent risk; those depend on the auditee, not on the auditor's method.

Detection risk is the risk that an auditor fails to detect a material misstatement in a financial statement.

Improper sampling increases this risk, so properly applied statistical sampling reduces detection risk.

 

Testing Concept - Compliance and Substantive testing:

Let us discuss compliance testing as well as substantive testing, and then how to differentiate between the two.

Please note both concepts are very important from the CISA exam point of view.

 So what is compliance testing?

Compliance testing is basically a test of controls.

 

On the other hand, substantive testing is basically a test of transactions.

 

In compliance testing we test whether the particular controls are present or not

 

While in substantive testing we test the integrity of transactions or integrity of data.

 

 

Let us again discuss both in more detail.

In compliance testing,

we gather evidence with the objective of testing an organization's compliance with control procedures.

With respect to substantive testing,

what we want to verify is the integrity of data, of a particular transaction, or of particular information.

So basically compliance testing checks for the presence of a control, either yes or no.

On the other hand, in substantive testing we check the integrity of the contents of particular transactions or particular information.

These are examples of compliance tests:

We verify whether our router is properly configured.

We verify that system access is granted only with proper authorization.

We review firewall settings.

We review compliance with the password policy.

So these are all compliance tests.

On the other hand, when we do any testing related to the trial balance, balance sheet, profit and loss account, inventory valuation, or whether the physical fixed assets match the records,

these are all examples of substantive testing.

Here we basically review the integrity of particular transactions or particular information.

 

So these are very important points to remember for the CISA exam.

First point: in any given scenario, compliance testing is performed first.

Substantive testing is the next step.

So you perform the compliance testing and get the result. If you are satisfied with the controls, you may then go for the substantive testing.

So the result of compliance testing is the basis for deciding the area and extent of substantive testing.

Second point: in any given scenario, the outcome of compliance testing forms the basis for planning substantive testing.

Third point, also very important from the CISA exam point of view:

in any given scenario, the attribute sampling method is the one to use when testing for compliance.

 

 

Now what is the attribute sampling method?

Attribute sampling gives us one of two results: either yes or no.

In compliance testing we also need one of two results: either the control is present or the control is absent, yes or no. So whenever a question asks which sampling method is to be used for compliance testing, we need a yes-or-no method.

That is attribute sampling: either the control is present or it is absent.

 

Now let us discuss

some questions and answers

that closely resemble the questions already asked in the CISA exam with respect to substantive and compliance test procedures.

 

Q1 Which of the following is a substantive test?

Options: reviewing compliance with the firewall policy; reviewing adherence to the change management policy; using a statistical sample to inventory the tape library; reviewing password history reports.

As we already discussed, a substantive test is a test of transactions, or of the integrity of particular content.

Of the four options, only using a statistical sample to inventory the tape library checks content against reality (the physical tapes against the library records), so that is the substantive test.

Options A, B, and D are compliance tests.

 

Q2 The major difference between compliance and substantive testing is that compliance testing tests:

A, B, C, D. So,

as we already discussed, compliance testing tests the controls, while substantive testing tests the details, that is, the integrity of particular transactions.

So option B is the correct one.
 

Q3  Reviewing the internal control of an application software which sampling method will be used?

So we already discussed for compliance what we required.

Either control is present or it's absent

The sampling method that gives us this definition is attribute sampling.

In attribute sampling we can say either it's yes or no there's no other way out.

So the correct option here will be attribute sampling.

 

Q4 A test to determine whether the last 50 new-user requisitions were correctly processed is an example of?

What are we checking? We are basically checking that controls are in place for granting access rights to new-user requisitions.

Whether they were correctly processed depends on whether proper controls are in place.

So the answer is compliance testing.

Either a requisition is correctly processed or it is not:

if the controls are in place, it is correctly processed; if they are not in place,

it is incorrectly processed.

 

Q5 An IS auditor performs a test to ensure that only active users have access to a critical system. This is?

Here again it is basically a compliance test:

whether proper controls are there to ensure rights are given only to active users.

So the answer is a compliance test.

We are testing the control over this particular activity.

 

Q6 IS auditors are most likely to reduce substantive test procedures if, after the compliance tests, they conclude that?

Options: a substantive test would be too costly; the control environment is poor; inherent risk is low; control risks are within the acceptable limits.

As we already discussed, first we test the compliance part, and on the basis of the result of the compliance part we plan the substantive part.

Now, while testing compliance, if we find that there are enough controls in place, we can reduce the substantive testing.

So if control risks are within the acceptable limits, we need not go for extensive substantive test procedures.

Here the answer is: substantive test procedures can be reduced if compliance tests conclude that control risks are within the acceptable limits.

So again, remember: the first test is the compliance test and the second is the substantive test.

The result of the compliance test is used to plan the substantive test.

 

Q7 Which of the following is a substantive audit test?

As we already discussed, anything with respect to the trial balance, profit and loss account, or balances of transactions, where the integrity and content of data or information is checked, is a substantive audit test.

Q8 Evidence gathering to evaluate the integrity of individual transaction data or other information is typically which of the following?

As already discussed, it is basically a substantive test.

Substantive tests verify the integrity of individual transaction data or other information.

Q9 The objective of a compliance test is to ensure?

That controls are implemented as prescribed.

 

1.8 Audit Evidence Collection Techniques

Audit Evidence Collection Techniques

Auditing is a process of providing an opinion (in the form of a written audit report) about the functions or processes under the scope of an audit. This audit opinion is based on the evidence obtained during the audit.

Audit evidence is critical in the audit as audit opinions are based on reliability, competence, and objectivity. The objective and scope of an audit are the most significant factors when determining the extent of the data requirements.

 

Reliability of Evidence

 

An IS auditor should consider the sufficiency, competency, and reliability of the audit evidence. Evidence can be considered competent when it is valid and relevant. The following factors determine the reliability of audit evidence.

 

Independence of the Evidence Provider

 

The source of the evidence determines the reliability of the evidence. External evidence (obtained from a source outside the organization) is more reliable than evidence obtained from within the organization. A signed agreement with external parties is considered more reliable.

 

Qualifications of the Evidence Provider

 

The qualifications and experience of the evidence provider are major factors when determining the reliability of audit evidence. Information gathered from someone without relevant qualifications or experience may not be reliable.

 

Objectivity of the Evidence

 

Evidence based on judgment (involving subjectivity) is less reliable than objective evidence. Objective audit evidence does not have scope for different interpretations.

 

Timing of the Evidence

 

Audit evidence that is dynamic in nature (such as logs, files, and documents that are updated frequently) should be considered based on relevant timing.

 

Above mentioned rules are very important from a CISA exam perspective. An IS auditor should also be aware of the best practices and techniques to gather evidence. These are discussed in the next section.

 

Evidence-Gathering Techniques The following techniques are used by IS auditors to gather evidence during the audit process:

 

Review the organization’s structure

 

The IS auditor should review the organization’s structure and governance model.

 

This will help the auditor determine the control environment of the enterprise.

 

Review IS policies, processes, and standards

 

The audit team should review the IS policies, procedures, and standards and determine the effectiveness of the controls implemented.

 

The audit team should also determine whether IS policies and procedures are reviewed periodically and approved by a competent authority.

 

Observations

 

The IS auditor should observe the process to determine the following:

 

– The skill and experience of the staff

 

– The security awareness of the staff

 

– The existence of segregation of duties (SoD)

 

Interview technique

 

The IS auditor should have the skill and competency to conduct interviews tactfully

 

Interview questions should be designed in advance to ensure that all topics are covered.

 

To the greatest extent possible, interview questions should be open-ended to gain insight into the process.

 

The staff being interviewed should be made comfortable and encouraged to share information and areas of concern.

 

Re-performance

 

In re-performance, the IS auditor performs the activity that is originally performed by the staff of the organization.

 

Re-performance provides better evidence than other techniques.

 

It should be used when other methods do not provide sufficient assurance about control effectiveness.

 

Process walk-through

 

A process walk-through is done by the auditor to confirm the understanding of the policies and processes.

 

The evaluation of evidence is a subjective matter, and the auditor needs the relevant skills, experience, and qualifications to judge the relevance, sufficiency, and appropriateness of the audit evidence. In the case of inconclusive evidence, it is recommended to perform an additional test to confirm the accuracy of the audit findings.

 

Evidence should be evaluated based on the business environment and the complexity of the business processes. The following are some general guidelines for evidence evaluation:

 

In the case of unavailability of evidence, the auditor should report the relevant risk in the audit report.

 

Evidence obtained from a relevant third party is considered more reliable compared to internal evidence. An audit report by a qualified auditor is considered more reliable than a confirmation letter received from a third party.

 

Evidence collected by the audit team directly from the source is considered more reliable compared to evidence provided by business units.

 

Computer-Assisted Audit Techniques (CAATs) are the most effective auditing tools for computerized environments. The use of a CAAT ensures the reliability of audit evidence as data is directly collected, processed, and analyzed by the IS auditor.

 

Key Aspects from the CISA Exam Perspective

 

The following question-and-answer pairs cover important aspects from the CISA exam perspective:

Q: What does the extent of the data requirements for the audit depend on?
A: The objective and scope of the audit.

Q: What should audit findings be supported by?
A: Sufficient and appropriate audit evidence.

Q: What is the most important reason to obtain sufficient audit evidence?
A: To provide a reasonable basis for drawing conclusions.

Q: What is the most effective tool for obtaining audit evidence through digital data?
A: Computer-assisted audit techniques (CAATs).

Q: What is the most important advantage of using CAATs for gathering audit evidence?
A: CAATs provide assurance about the reliability of the evidence collected.

Q: What type of evidence is considered most reliable?
A: Evidence directly collected from the source by an IS auditor is considered to be the most reliable. The source of evidence should be independent.

Q: What is the primary reason for a functional walk-through?
A: To understand the business process.

 

Testing Concept - Online Auditing Techniques

 

In the CISA curriculum there are

five online auditing techniques:

SCARF,

snapshots,

ITF,

audit hooks, and

continuous and intermittent simulation (CIS).

Let us discuss

SCARF.

SCARF basically stands for

Systems Control Audit Review File, also called an embedded audit module.

It is basically inbuilt audit software, used when regular processing cannot be interrupted.

Then we have

snapshots.

This technique actually takes pictures of transactions while they are in flow.

It is used when an audit trail is required.

ITF,

integrated test facility.

Here we need to remember two things: dummy entities, and a live production environment.

So, dummy entities are created in a live production environment.

Then we have

audit hooks.

The complexity of audit hooks is very low, and hence they help in early detection of errors and fraud.

They are basically used when selected transactions need to be examined.

Then we have

CIS.

It stands for Continuous and Intermittent Simulation, is used with a DBMS, and

is the best technique when transactions meeting certain criteria need to be examined.

Its complexity level is somewhat higher, and it is considered the best technique when complex selection criteria need to be defined.

So, audit hooks and CIS basically work on a similar model, but audit hooks have a low complexity level while CIS has a high complexity level.

 

Let us discuss SCARF in more detail.

Systems Control Audit Review File,

an embedded, inbuilt audit module.

Here only those transactions are recorded which have special audit significance, as defined by the auditor.

It is useful when regular processing cannot be interrupted.

So the SCARF module is embedded in the application itself and runs simultaneously with the application.

Let us take one example of how SCARF works.

In life insurance companies, the chances of fraud generally increase when the address of a policy holder is changed and, simultaneously or shortly afterwards, a request to withdraw funds is received.

So this is basically a suspect transaction.

So here two conditions are set in the application module.

First, identify the transactions where the address has been changed. And

second, for that particular policy, if within some number of days, let us say seven days, a withdrawal of funds is requested, treat it as a suspicious transaction.

These transactions are recorded in the SCARF file, which is further reviewed by the auditor to rule out fraud.
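As an added illustration (not code from the original notes and not any real insurer's system), here is the SCARF rule above written as an embedded audit module in Python. The application calls the module for every transaction and carries on processing regardless; only transactions matching the auditor's rule land in the SCARF file. The transaction log, policy numbers, dates and the seven-day window are constructed for the example:

```python
from datetime import date, timedelta

# Constructed transaction log (not real data): each row is one event the
# application hands to the embedded audit module as it is processed.
EVENTS = [
    {"policy": "P-1001", "date": date(2024, 3, 1),  "type": "ADDRESS_CHANGE"},
    {"policy": "P-1001", "date": date(2024, 3, 4),  "type": "WITHDRAWAL", "amount": 12000.0},
    {"policy": "P-2002", "date": date(2024, 3, 2),  "type": "ADDRESS_CHANGE"},
    {"policy": "P-2002", "date": date(2024, 3, 20), "type": "WITHDRAWAL", "amount": 3000.0},
    {"policy": "P-3003", "date": date(2024, 3, 5),  "type": "WITHDRAWAL", "amount": 50000.0},
]

class ScarfModule:
    """Embedded audit module: record() is called for every transaction, but
    only those meeting the auditor-defined rule (withdrawal within N days of
    an address change on the same policy) are written to the SCARF file.
    Normal processing is never interrupted."""

    def __init__(self, window_days=7):
        self.window = timedelta(days=window_days)
        self.last_address_change = {}   # policy -> date of latest address change
        self.scarf_file = []            # flagged transactions for auditor review

    def record(self, event):
        if event["type"] == "ADDRESS_CHANGE":
            self.last_address_change[event["policy"]] = event["date"]
        elif event["type"] == "WITHDRAWAL":
            changed = self.last_address_change.get(event["policy"])
            if changed is None:
                return                                   # no address change on file
            gap = event["date"] - changed
            if timedelta(0) <= gap <= self.window:
                self.scarf_file.append({
                    **event,
                    "reason": f"withdrawal {gap.days} days after address change",
                })

def run_scarf(events, window_days=7):
    """Feed the events through the module in date order and return the SCARF file."""
    module = ScarfModule(window_days)
    for event in sorted(events, key=lambda e: e["date"]):
        module.record(event)   # the application's own processing continues as normal
    return module.scarf_file

if __name__ == "__main__":
    for flagged in run_scarf(EVENTS):
        print(flagged["policy"], flagged["amount"], flagged["reason"])
```

Only P-1001 is flagged: its withdrawal falls three days after the address change. P-2002's withdrawal is 18 days later and P-3003 never changed its address, so neither reaches the auditor, which is the point of recording only transactions of audit significance.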

 

Snapshots.

In this technique, snaps are taken of a transaction as it moves through the various processing stages of the application system.

Both before-processing and after-processing images of the transaction are captured.

So the auditor can verify the correctness of the processing by comparing the before and after images of the transaction.

This is very useful when an audit trail is required.
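An added Python illustration (not from the original notes) of the snapshot technique: a constructed sales order passes through a toy three-stage pipeline standing in for the application, and a before and after image is kept at every stage so the auditor can check exactly what each stage changed. The order, the stages and the 20% tax rate are assumptions for the example:

```python
import copy

# Constructed transaction (not real data): a sales order entering the system.
ORDER = {"order_id": "SO-42", "qty": 3, "unit_price": 100.0}

# Toy processing stages standing in for the application logic.
def validate(txn):
    if txn["qty"] <= 0:
        raise ValueError("quantity must be positive")
    return txn

def price(txn):
    txn["net"] = txn["qty"] * txn["unit_price"]
    return txn

def add_tax(txn, rate=0.20):             # assumed tax rate
    txn["tax"] = round(txn["net"] * rate, 2)
    txn["gross"] = round(txn["net"] + txn["tax"], 2)
    return txn

PIPELINE = [validate, price, add_tax]

def process_with_snapshots(txn, stages=PIPELINE):
    """Run the transaction through each stage, keeping a before and after
    image at every point. The list of images is the audit trail."""
    trail = []
    for stage in stages:
        before = copy.deepcopy(txn)      # image before this stage touches it
        txn = stage(txn)
        trail.append({"stage": stage.__name__, "before": before,
                      "after": copy.deepcopy(txn)})
    return txn, trail

def verify_trail(trail, expected_delta):
    """Auditor's check: each stage may only add or change the fields the
    auditor expects of it. Returns the names of stages that deviate."""
    problems = []
    for snap in trail:
        changed = {k for k in snap["after"]
                   if snap["before"].get(k) != snap["after"][k]}
        if changed != expected_delta[snap["stage"]]:
            problems.append(snap["stage"])
    return problems

# What the auditor expects each stage to change; anything else is a finding.
EXPECTED_DELTA = {"validate": set(), "price": {"net"}, "add_tax": {"tax", "gross"}}

if __name__ == "__main__":
    final, trail = process_with_snapshots(dict(ORDER))
    for snap in trail:
        print(snap["stage"], "before:", snap["before"], "after:", snap["after"])
    print("deviating stages:", verify_trail(trail, EXPECTED_DELTA))
```

The before/after pairs are what give the auditor an audit trail: rather than inferring from the final record that 3 x 100 became 360, they can see that pricing produced 300 and the tax stage added 60, and verify_trail catches any stage that silently altered a field it had no business touching.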

ITF

It stands for integrated test facility.

Here, as we discussed earlier, remember two things: dummy transactions, but a live production environment.

Processed results and expected results are compared to verify that the system is operating correctly.

As the live production environment is used, there is no need to create a separate test environment.

However, the test data needs to be isolated from the actual production data once the test has been conducted and completed.

Let us take one example. A dummy asset of, say, one lakh is entered into the system to verify whether it has been capitalized under the correct head and depreciation has been computed at the correct rate.

So here the auditor enters this dummy transaction into the actual system.

Then he sees what the impact of this transaction is.

The impact of the transaction is compared with the auditor's own pre-calculated result, and if the two match, that means the system is working fine.

But subsequently, this dummy transaction needs to be removed after verification of the system controls.
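An added Python illustration of the ITF cycle just described (not from the original notes; the asset register is a stand-in for the real production application): post a dummy asset into the "live" register, compare the system's depreciation with the auditor's independently pre-computed figure, then remove the dummy so it cannot contaminate real balances. The depreciation rates, asset data and identifiers are assumptions for the example:

```python
# Auditor's own reference rates (assumed straight-line rates for the example).
# The live system should agree with these; if it has been mis-configured, ITF
# will expose the difference.
DEFAULT_RATES = {"computers": 0.40, "furniture": 0.10}

class AssetRegister:
    """Stand-in for the live application: capitalises assets and computes
    annual depreciation. In a real ITF the auditor uses the production system."""

    def __init__(self, rates=None):
        self.rates = dict(DEFAULT_RATES if rates is None else rates)
        self.assets = []

    def capitalise(self, asset_id, description, category, cost):
        if category not in self.rates:
            raise ValueError(f"unknown asset category: {category}")
        self.assets.append({"id": asset_id, "description": description,
                            "category": category, "cost": cost})

    def depreciation(self, asset_id):
        asset = next(a for a in self.assets if a["id"] == asset_id)
        return round(asset["cost"] * self.rates[asset["category"]], 2)

    def remove(self, asset_id):
        self.assets = [a for a in self.assets if a["id"] != asset_id]

def integrated_test_facility(register, dummy_id="ITF-DUMMY-1", cost=10000.0,
                             category="computers", expected_rates=DEFAULT_RATES):
    """ITF: enter a dummy asset into the live register, compare what the
    system computes with the auditor's predetermined result, then remove the
    dummy (isolation of test data from production data)."""
    expected = round(cost * expected_rates[category], 2)   # auditor's own figure
    count_before = len(register.assets)
    register.capitalise(dummy_id, "ITF test laptop", category, cost)
    try:
        actual = register.depreciation(dummy_id)
    finally:
        register.remove(dummy_id)          # always clean up, even if the system fails
    return {
        "expected": expected,
        "actual": actual,
        "passed": actual == expected,
        "register_unchanged": len(register.assets) == count_before,
    }

if __name__ == "__main__":
    live = AssetRegister()
    live.capitalise("A-1", "Office desk", "furniture", 1200.0)   # a real asset
    print("correctly configured system:", integrated_test_facility(live))
    misconfigured = AssetRegister(rates={"computers": 0.33, "furniture": 0.10})
    print("mis-keyed rate table:", integrated_test_facility(misconfigured))
```

The try/finally around the comparison is the practitioner's caveat from the text: the dummy asset must come out of the live register whether or not the test passes, and register_unchanged lets the auditor confirm that it did.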

CIS,

continuous and intermittent simulation.

This is basically used along with the database management system (DBMS).

In this process, the DBMS passes each transaction to CIS.

If the transaction meets the selected criteria, CIS examines the transaction for correctness.

In case of any discrepancy, results are produced for verification by the auditor.

CIS replicates, or simulates, the application system's processing.

This is the best technique when transactions meeting certain criteria need to be examined. Because of its complexity level, even highly complex criteria can be defined in CIS.

So how it works, again: data flows from the application system.

The DBMS then sends each transaction that falls within the selected criteria to CIS.

CIS then processes that transaction independently and compares its own result with the application's result.

If both results match, it means the system is working fine.

But in case of any deviation, the results are given to the auditor for further verification.

 

Audit hooks.

These are audit software that capture suspicious transactions.

The criteria for suspicious transactions are designed by the auditor as per their requirements.

They help the IS auditor to act before an error or an irregularity gets out of hand.

Here also the model works like CIS, but the difference is that we cannot set complicated criteria in an audit hook.

It basically takes low-complexity criteria.

For example, in most organizations cash transactions are monitored closely.

A criterion can be designed to capture cash transactions exceeding $50,000, so that all such transactions can be further reviewed by the auditor.

 

 

Points to remember for the CISA exam:

When an audit trail is required, the technique to be used is snapshots.

When fictitious entities and a live production environment are mentioned in the question, the answer is ITF.

When early detection is required, the answer is audit hooks.

When simulating the application system processing is mentioned, the answer is CIS.

 

some examples CISA Questions

 

Q1 Here the objective is: when an audit trail is required.

We already discussed that when an audit trail is required, we need pictures, or snaps, of the transaction. So what takes snaps and pictures? Yes, snapshots.

 

Q2 Second question: ITF has an advantage over other automated audit tools because of which of the following characteristics?

Let us again go to the characteristics of ITF. The basic point:

what is it that uses fictitious transactions but a live production environment?

The options are: creation of fictitious entities is not required as testing is done on actual master files;

ITF does not require setting up a separate test environment or test process;

ITF is a continuous audit tool;

ITF eliminates the need to prepare test data.

If you look at "creation of a dummy or fictitious entity is not required", that is wrong. We do need to create a dummy or fictitious entity.

The second option is that ITF does not require setting up a separate test environment. Yes, it does not require a separate test environment, because the environment we use is the live environment.

So the answer is: ITF does not require setting up a separate test environment.

 

Q3 Let us take one more example.

Characteristic that best describes an integrated test facility?

Technique to verify system processing,

technique to verify system integration,

technique to generate test data,

technique to validate ongoing operation of the system.

 

ITF is not an ongoing monitoring process. ITF is not a technique through which we generate test data. Through ITF we do not verify system integration, but through ITF we can verify system processing.

How ITF works: ITF checks the logic of the system by entering dummy entries, so basically it helps us understand whether the system is producing the correct result or not.

So the answer is: a technique to verify system processing.

 

Q4 Let us take one more example.

Early detection of errors or irregularities is required in this question.

As we already discussed, because of their low complexity and ease of use, audit hooks are the correct answer in this case.

Q5 Let us discuss one more question.

Best tool to identify transactions as per pre-defined criteria?

Here, pre-defined criteria can be defined in most of the tools: in SCARF, in CIS, partly in ITF, and in audit hooks also.

Answer: But in CIS, criteria of high complexity can be designed, so it is the best tool when such criteria need to be defined.

 

Q6 Let us take one more example.

Again, a characteristic of ITF?

Options: actual transactions are validated on an ongoing basis; it enables the IS auditor to generate test data; predetermined results are compared with processing output; it enables the auditor to analyze large amounts of information.

Here the correct answer is: predetermined results are compared with processing output to ascertain the correctness of system processing.

Dummy transactions with predetermined results are entered into the system, and the values the system calculates are compared with the predetermined results to check whether the system is calculating correctly or not.

 

Q7 To identify excess inventory for the previous year, which online auditing technique can be used?

Here the objective is to identify the actual excess inventory of the previous year.

So test data will not be applicable. The integrated test facility also uses test data, so it will not be applicable.

An embedded audit module will not help us give results for the previous year, because it records transactions as they happen.

So the answer is generalized audit software, which can analyze the existing previous-year data.

 

Q8 Here the objective is to replicate or simulate the application system processing.

As we already discussed, it is CIS, continuous and intermittent simulation.

It basically simulates the application system processing, working alongside the DBMS (database management system).

 

1.92 Data analytics

Let us discuss data analytics and its important aspects from the CISA exam perspective.

 

Q1 What is the first step of conducting data analytics?

The first step will be determining the objective and scope of analytics.

 

Q2 Which is the most effective online audit technique when an audit trail is required?

Audit trail means audit evidence. Snapshot technique.

 

Q3 What is the advantage of an Integrated Test Facility?

In an integrated test facility, no separate test environment is required, as live systems and live processing is being used to test the system.

It helps to validate the accuracy of system processing.

 

Q4 What is the most effective online audit technique when the objective is to identify transactions as per predefined criteria?

CIS is the most useful to identify transactions as per predefined criteria in a complex environment.

 

some practice questions.

 

Q1 Which of the following steps will be taken first to carry out the data analytics?

The first step will be to determine the analytics targets, range and objective.

 

Q2 The prime benefit of the usage of CAATs is?

CAAT stands for computer-assisted audit technique.

That is, a tool used for auditing.

So the main benefit of CAATs is?

They provide reliability for the source of information and thus reassurance on the audit findings.

CAATs capture the data from its source, and hence there is no manual intervention. Hence we can say there is reassurance on the audit findings.

 

Q3 Which of the following is a prime consideration while using computer-assisted audit techniques?

The most important aspect is to ensure the integrity of the data that we are using for analysis.

We need to ensure confidentiality and integrity of the data.

 

Q4 The best way to determine the proper functioning of the system calculation is?:

 Functioning of the system calculation, it means transaction integrity is maintained in the system.

There is no error or other loopholes in this system.

The best way is to use the computer-assisted audit techniques to perform the substantive testing.

 

Q5 The best method when an audit trail is required?

Audit trail means audit evidence.

Remember, whenever an audit trail is required, the best method is snapshot.

 

Q6 An important feature of ITF is?

Setting up a separate test environment or test process is not required.

Only test data is required; a separate test environment and test process are not.

So in ITF, test data is used in the live environment, the live system.

 

 Q7 ITF is best used for?:

Verification of system processing.

 

Q8 The best continuous auditing technique for early detection of errors or irregularities is?:

Audit hooks.

 

Q9 The best auditing tool to capture the transactions as per predefined criteria is?:

 CIS.

 

Q10 An important feature of the ITF is:?

The results of the test transaction are compared with the predetermined value to validate the system processing.

 

Q11 The best technique to identify the excess inventory for the previous year is:?

The question is about the previous year.

Answer is : Generalized audit software.

 

Reporting and communication techniques

About reporting and communication techniques.

 

Q1 What is the objective of an audit closure meeting?

The objective of an audit closure meeting is to ensure that there is no misunderstanding or the misinterpretation of the facts.

 

Q2 What is the objective of conducting a follow-up audit?

To validate the remediation action.

 

Q3 What is the best way to settle for the follow-up audit?

On the basis of the due date agreed upon by the auditee management.

 

some practice questions.

Q1 Which of the following should an IS auditor do when an auditee has taken immediate corrective action of audit finding?

we should report the observation and risk in the final report.

That's the professional standard.

 

Q2 The best course of action for an audit team if they find prior audit reports without work papers is to?

inform the audit management and suggest retesting the controls.

Please note, to inform the audit management and not the auditee management.

Audit management may take a final call after evaluating each aspect.

 

Q3 An auditor should hold the closure meeting with the objective of?

discussing the audit observations.

 

Q4 IS auditor is responsible for the communication of audit results to?

senior management, audit committee.

 

Q5 An auditor should hold the closure meeting with the objective of?

To ensure that there has been no misunderstanding or misinterpretation of fact.

 

Q6 Which of the following should be the first action in case of non-agreement by the department manager over the audit finding?

The first step will be to revalidate the supporting evidence to ensure that evidence is proper.

 

Q7 The main reason for meeting with auditees before formally releasing the audit report is to?

gain agreement on the audit findings

 

Q8 Which of the following should an IS auditor do when they find that a critical disaster recovery plan does not cover all of the system?

To determine the impact of non-inclusion of a critical system in DRP.

 

Q9 The main reason for meeting with the auditees before formally releasing the audit report is to?

To validate the accuracy of the audit findings.

 

Q10 Which of the following should an IS auditor do when they observe minor weaknesses in the database that are beyond the scope of the audit?

Even if it is beyond the scope of the audit, the weakness should be reported in the audit report.

 

Q11 An IS auditor is reviewing the finance application. During the course of the audit, they observe a major weakness in the change management application supporting the finance application. What should the IS auditor do?

The weakness is beyond the scope of the audit, so should it be ignored or reported?

 

Answer: As per professional standards, it should be part of the report.

 

Q12 The prime objective of an audit team discussing the audit findings with the auditee is to?

confirm the audit findings and propose a course of corrective action.

 

Q13 An IS auditor is reviewing a critical application that has not yet been implemented. Certain evidence is not yet available. The auditor should?

Issue the report based on the available information, highlighting the potential security weaknesses and the requirement for follow-up audit testing.

 

Q14 An IS auditor has observed inadequate controls for remote access to a critical application. However, management does not consider this a risk. The auditor should?

 

Document the audit findings in the audit report.

 

Q15 The audit team should ensure that audit findings are supported by?

objective audit evidence.

 

Q16 Which of the following should an IS auditor do if an auditee does not agree with the audit findings?

This is about how to handle the conflict: explain the impact of the findings and the risk of not correcting them.

 

Q16 The best way for an IS auditor to follow-up on the closure activities is to?

Closure activities means whether audit observations are closed appropriately or not.

Answer: To conduct a review of the controls after the projected remediation date.

 

Q17 To review the accuracy of management's remediation action plan, the most important factor is?

The criticality of the audit findings.

 

Q18 The best way to schedule a follow-up for the audit findings is to?

Follow-up for audit finding means to verify whether audit observations are closed appropriately.

So this can be done on the basis of closure dates provided by the management.

 

Q19 Which of the following is the main objective of conducting the follow-up audit?

The objective of a follow-up audit is to validate whether the audit observations have been closed appropriately.

Answer: To validate the remediation action plan.

That is, whether the agreed action plan was actually followed or not.

 

Testing Concept - Control Self-Assessment (CSA)

 

What is control self-assessment?

 

CSA is nothing but the involvement of line managers in the risk identification and mitigation processes.

 

As per the CRM, CSA allows managers and teams directly involved in a business unit to participate in assessing the organization's risk management and control processes.

So in simple words, the team understands the business processes, defines the controls, and generates an assessment of how well the controls are working.

 

For the CISA exam, we need to understand the objectives of control self-assessment.

The two main objectives are: first, to concentrate on areas of high risk; and second, to enhance the audit responsibility.

 

This is done by shifting some of the control monitoring responsibility to the functional areas.

 

But please note: It is not the replacement of the audit responsibility.

It is an enhancement of the audit responsibility.

What are the benefits of CSA?

Early detection of risk, because the process owners themselves identify the risk; more effective and improved internal controls; and assurance provided to stakeholders and customers.

Disadvantage of CSA

The main disadvantage of CSA is that it could be mistaken as a replacement of the audit function.

 

So now, what is the role of auditor in CSA?

 

Simple answer: the auditor should act as a facilitator.

So during a CSA workshop, the auditor will lead and guide the auditee on the risk and control functions.

So if a question asks for the success factor of CSA, the answer is the involvement of line management in control monitoring.

 

This is the key success factor of CSA.

 

 

Now, I request you to remember the content of this particular table.

 

Questions on CSA will be from this particular table only.

 

So for example,

Q1 What are the objectives of CSA?

First, to concentrate on areas of high risk; and second, to enhance the audit responsibility.

 

But if both options appear in a question, then give preference to the first one, that is, to concentrate on areas of high risk.

 

Q2 Benefits of CSA:

early detection of risk, more effective and improved internal controls, and then assurance provided to stakeholders.

So any of these three could be the answer in a question.

 

Q3 If ISACA asks about the disadvantage of CSA,

our answer should be: it could be mistaken as an audit function replacement.

 

Q4 Auditor's role in CSA?

Simple answer: facilitator.

 

Q5 Success factor for CSA.

So our answer is that the involvement of line management is the prime success factor for implementing CSA.

 

Let us discuss some questions.

 

Q1 An IS auditor is evaluating a control self-assessment program in an organization. What is the main objective?

As already seen, the main objective of a CSA program is to concentrate on areas of high risk.

The second objective is to enhance the audit responsibility.

 

Q2 The question is about the auditor's role in a control self-assessment.

As already discussed, in such a scenario our answer should be: facilitator (program facilitator).

 

Q3 For a successful control self-assessment, it is essential to have?

Involvement of line managers who take responsibility for control monitoring.

 

Q4 An IS auditor has been asked to participate in the implementation of control self-assessment. The auditor should participate primarily as a?

Facilitator.

 

Q5 Which of the following is an objective of a CSA program?

(Options: a replacement, an enhancement, evaluating the risk management program, providing audit training.)

 

The objectives of a CSA program are: first, to identify areas of error, and

second, to enhance the audit responsibility.

 

Q6 Which of the following is the best time to perform control self-assessment?

Please note: control self-assessment is most helpful when it is done during the preliminary survey.

 

Q7 The primary advantage of control self-assessment is that?

The advantage of control self-assessment over a traditional audit is that

it ascertains high-risk areas that might need a detailed review later.

 

Q8 which of the following is the most important requirement for successful CSA?

So they are asking about the success factor, and the success factor depends upon the involvement of line managers.

 

Q9 What is the advantage of CSA over a traditional audit?

In a traditional audit, we mostly do a post-mortem of particular activities.

CSA, on the other hand, helps us to identify risks at an earlier stage.

 

1.12 - IS Internal Audit Function

IS Internal Audit Function

The Internal Information Systems (IS) audit function is a specialized area within the broader internal audit framework that focuses on evaluating and assessing an organization's information systems, IT infrastructure, and related processes. The primary objective of the IS audit function is to ensure that the organization's IT systems are secure, reliable, and operate efficiently. This function helps identify potential risks, ensure compliance with relevant laws and regulations, and safeguard the organization's digital assets. By conducting regular audits, the IS audit function provides valuable insights and recommendations for improving the overall IT governance and security posture of the organization.

 

Requirement for Separate IS Audit Function

A separate Information Systems (IS) audit function is essential to ensure that the organization's IT systems and processes are thoroughly examined. This independence allows the auditors to provide an unbiased assessment of the IT environment. Having a dedicated IS audit function helps in identifying risks and vulnerabilities in the IT infrastructure, ensuring compliance with regulations, and safeguarding the organization's assets. In fact, many regulations mandate having a dedicated IS audit department. For example, the Sarbanes-Oxley Act (SOX) in the United States requires public companies to have internal controls and procedures for financial reporting, which includes an independent IS audit function. Similarly, the Reserve Bank of India (RBI) mandates that banks must have a separate IS audit team to oversee the security and integrity of their IT systems. This enhances the credibility of the audit findings since the auditors are not influenced by other departments.

Governance of IS Audit Function

The governance of the IS audit function involves setting up policies and procedures to guide the audit activities. This includes defining the scope of audits, setting audit objectives, and establishing procedures and guidelines for conducting audits. Effective governance ensures that the IS audit function aligns with the overall objectives of the organization and complies with regulatory requirements. It also involves regular reviews and updates to the audit processes to adapt to changes in technology and the business environment.

Reporting Structure of IS Audit Function

The IS audit function should have a clear and independent reporting structure. Typically, IS auditors report to the audit committee or the board of directors rather than the IT department or other operational areas. In many organizations, the IS audit function is a subset of the Internal Audit department. However, it is essential to ensure that the Head of Internal Audit has sufficient knowledge and expertise to understand IT-related risks. This independence in reporting ensures that the auditors can present their findings without any conflict of interest. It also helps in maintaining the objectivity and integrity of the audit process.

Management of IS Audit Resources

Managing IS audit resources involves ensuring that the audit team has the necessary skills, knowledge, and tools to perform their tasks effectively. This includes hiring qualified auditors, providing ongoing training and development, and ensuring access to the latest audit technologies and methodologies. Effective resource management helps in conducting comprehensive and efficient audits, ultimately contributing to the overall security and efficiency of the organization's IT systems.

IS Audit Objectives Should Be Aligned with Overall Business Objectives

The objectives of the IS audit function should be closely aligned with the overall business objectives of the organization. This alignment ensures that the audit activities are not just focused on compliance and risk management, but also support the strategic goals of the business. By understanding and integrating the business objectives, IS auditors can provide insights and recommendations that enhance business performance, improve operational efficiency, and contribute to the achievement of the organization's long-term goals. This synergy between IS audit objectives and business objectives ultimately leads to a more resilient and successful organization.

 

By establishing a robust IS audit function, organizations can better protect their information assets, ensure compliance with regulations, and maintain trust with stakeholders.

 

1.13 - Managing third party IS Auditors and other experts

Managing Third Party IS Auditors and Other Experts

 

In today's complex business environment, organizations often rely on third-party IS auditors and other experts to ensure their information systems are secure and compliant with regulations. Due to the non-availability of in-house resources or cost considerations, the audit function may need to depend on external professionals. Managing these external experts effectively is crucial to achieving a successful audit outcome.

1.14 - Agile Auditing

Agile Auditing

 

In the rapidly changing business world, traditional audit processes can sometimes be too rigid and slow to keep up with the pace of organizational change. This is where Agile Auditing comes in. Inspired by Agile methodologies used in software development, Agile Auditing offers a flexible and responsive approach to auditing, ensuring that audit activities remain relevant and effective in a dynamic environment. By adopting Agile Auditing, organizations can continuously adapt to new risks and challenges, making their audit processes more efficient and effective.

 

1.15 - Quality Assurance of Audit Process

Quality Assurance of Audit Process

Quality assurance in the audit process is crucial for making sure audits are reliable and effective. It ensures that audits follow established standards and best practices, giving stakeholders confidence in the audit results. The quality assurance process includes oversight by the audit committee, continuous education for IS auditors, and performance monitoring of the IS audit function.

Oversight by Audit Committee

The audit committee, usually made up of members of the board of directors, plays a vital role in ensuring the quality of the audit process. They oversee the audit function to make sure audits are done fairly and thoroughly. The audit committee approves the audit plan, reviews audit reports, and ensures that any issues found are addressed properly. Their oversight helps maintain the independence and objectivity of the audits, which is essential for high-quality results.

Continuous Education and Updating of IS Auditors

In the fast-changing field of information systems (IS), it is essential for IS auditors to keep their knowledge and skills up to date. This involves staying informed about the latest technology developments, regulatory changes, and new risks. IS auditors should participate in training programs, earn certifications, and attend industry conferences to maintain their expertise. Continuous education helps auditors effectively identify and assess risks, use advanced audit techniques, and provide valuable insights to their organization.

Performance Monitoring of IS Audit Functions

Monitoring the performance of the IS audit function is a key part of quality assurance. Here are some examples of key performance indicators (KPIs) that can be used to monitor and evaluate the performance of the IS audit function:

 

Audit Coverage Rate:

 

· Definition: The percentage of planned audits that were completed within a given period.

 

· Example KPI: Number of completed audits / Number of planned audits × 100.

 

Audit Finding Closure Rate:

· Definition: The percentage of identified audit findings that have been addressed and closed within the specified time frame.

 

· Example KPI: Number of closed audit findings / Number of total audit findings × 100.

 

Timeliness of Audit Reports:

· Definition: The average time taken to issue audit reports after the completion of an audit.

 

· Example KPI: Average number of days from audit completion to report issuance.

 

Audit Recommendation Implementation Rate:

 

· Definition: The percentage of audit recommendations that have been implemented by management.

 

· Example KPI: Number of implemented recommendations / Number of total recommendations × 100.

 

Resource Utilization:

· Definition: The extent to which audit resources (e.g., personnel, budget) are utilized effectively.

 

· Example KPI: Actual hours spent on audits / Budgeted hours for audits × 100.

Stakeholder Satisfaction:

· Definition: The level of satisfaction among stakeholders (e.g., audit committee, management) with the audit process and outcomes.

 

· Example KPI: Average satisfaction rating from stakeholder surveys.

Compliance Rate:

· Definition: The percentage of audits that comply with established internal audit standards and procedures.

 

· Example KPI: Number of compliant audits / Number of total audits × 100.

 

Risk Coverage:

· Definition: The extent to which critical risks are identified and addressed through the audit process.

 

· Example KPI: Number of critical risks audited / Number of critical risks identified × 100.

 

Training and Development:

· Definition: The investment in and effectiveness of training and development programs for audit staff.

 

· Example KPI: Average training hours per auditor per year.

 

Audit Cost Efficiency:

· Definition: The cost-effectiveness of the audit function in relation to the value it provides.

· Example KPI: Total audit cost / Number of audits conducted.

 

By regularly tracking these KPIs, the IS audit function can ensure continuous improvement, demonstrate its value to the organization, and align its activities with the overall business objectives.

 

Continuous Improvement

In addition to the above points, the IS audit function should also focus on continuous improvement and adaptation. This involves staying updated with the latest trends and threats in the IT landscape, regularly updating audit methodologies, and incorporating feedback from previous audits. It also includes fostering a culture of collaboration between the IS audit team and other departments to ensure a holistic approach to risk management and compliance.

Accreditation/Certification of IS Audit Function

Accreditation or certification of the IS audit function provides formal recognition that the audit process meets established standards. This can enhance the credibility and reliability of the audit function. For example, ISO 9001 QMS helps in standardizing the processes within the IS audit function. This standardization ensures that all audits are conducted in a consistent manner, following predefined procedures and guidelines. By having a clear set of standards and procedures, IS auditors can perform their tasks more effectively and efficiently, reducing variability and improving the reliability of audit outcomes. Such accreditations not only boost stakeholder confidence but also ensure that the audit function remains aligned with industry standards and practices.

 

By implementing strong quality assurance measures, organizations can ensure that their audit processes are compliant with standards and contribute effectively to overall governance and risk management.

 

1.16 - Use of Artificial Intelligence in Audit Process

Use of AI in Audit Process

Artificial Intelligence (AI) is revolutionizing various industries, including auditing. Traditionally, auditing has been a manual and time-consuming process, requiring auditors to sift through large volumes of data to identify discrepancies and ensure compliance. However, with the advent of AI, the audit process is becoming more efficient, accurate, and insightful. AI can analyze vast amounts of data quickly, identify patterns, and even predict potential risks, making it an invaluable tool in modern auditing.

What is AI?

AI refers to the ability of machines to perform tasks that typically require human intelligence. This includes learning from experience, understanding complex patterns, making decisions, and even recognizing natural language. In the context of auditing, AI can be used to automate repetitive tasks, analyze data more comprehensively, and provide insights that might be missed by human auditors.

 

Benefits of Use of AI in Audit Processes

The integration of AI in audit processes offers several significant benefits:

 

1. Increased Efficiency: AI can process and analyze large datasets much faster than humans. This reduces the time required for audits and allows auditors to focus on more complex and judgment-based aspects of their work.

 

2. Improved Accuracy: AI algorithms can identify patterns and anomalies that might be overlooked by human auditors. This leads to more accurate identification of risks and errors, enhancing the overall quality of the audit.

 

3. Continuous Auditing: AI can facilitate continuous auditing by constantly monitoring transactions and data flows. This real-time analysis helps in identifying issues as they occur, rather than waiting for periodic audits.

 

4. Cost Savings: By automating routine tasks, AI reduces the need for extensive manual labor, leading to cost savings for organizations. This can be particularly beneficial for large companies with complex audit requirements.

 

Risks of Use of AI in Audit Processes

 

While AI offers many advantages, its use in auditing also comes with certain risks:

 

1. Data Privacy and Security: AI systems require access to large amounts of data, which can raise concerns about data privacy and security. Ensuring that AI tools comply with data protection regulations is crucial.

 

2. Algorithm Bias: AI systems can sometimes exhibit biases based on the data they are trained on. If the training data is biased, the AI’s decisions may also be biased, potentially leading to inaccurate audit results.

 

3. Dependence on Technology: Over-reliance on AI might lead to a reduction in critical thinking skills among auditors. It’s important to balance AI use with human judgment to ensure a comprehensive audit.

 

4. Complexity and Understanding: AI systems can be complex and difficult to understand. Auditors need to be trained to understand how these systems work and to interpret their findings correctly.

 

Use Cases of AI in Audit Process

 

AI is already being used in various aspects of the audit process. The following are some examples of AI use cases in the audit process:

 

1. Data Analysis: AI can analyze financial transactions, identify anomalies, and flag potential areas of concern. For instance, AI can detect unusual patterns that may indicate fraud or non-compliance.

 

2. Document Review: AI tools can review and analyze large volumes of documents, such as contracts and agreements, to ensure compliance with regulations and identify any discrepancies.

 

3. Risk Assessment: AI can help in assessing risks by analyzing historical data and predicting future trends. This enables auditors to focus on high-risk areas and take preventive measures.

 

4. Compliance Monitoring: AI systems can continuously monitor transactions and activities to ensure compliance with laws and regulations. This is particularly useful in industries with stringent regulatory requirements.

 

5. IT System Audits: AI can evaluate the security and performance of IT systems by analyzing logs and detecting unusual activities that may indicate security threats or system failures.

 

6. Network Traffic Analysis: AI can monitor network traffic to identify potential security breaches or unusual patterns that could indicate malware or unauthorized access.

 

7. Software License Compliance: AI can audit software usage to ensure compliance with licensing agreements, helping organizations avoid legal and financial penalties.

 

Best Practices for Using AI in Audit Process

 

To maximize the benefits of AI in auditing while minimizing the risks, it's essential to follow best practices:

 

1. Data Quality and Integrity: Ensure that the data used for training AI models is accurate, complete, and free from biases. High-quality data leads to more reliable AI outputs.

 

2. Transparency and Explainability: Use AI tools that provide transparency in their operations and make it easy to understand how decisions are made. This helps auditors trust and verify AI findings.

 

3. Continuous Learning and Updates: Regularly update AI models to reflect the latest data and trends. Continuous learning helps AI tools adapt to changing conditions and improve over time.

 

4. Ethical Considerations: Consider the ethical implications of using AI, such as data privacy, fairness, and accountability. Ensure that AI systems are used responsibly and do not violate ethical standards.

 

5. Human Oversight: While AI can automate many tasks, human oversight is crucial. Auditors should review AI outputs, provide context, and make final decisions to ensure a balanced and comprehensive audit process.

 

6. Training and Skill Development: Invest in training for auditors to understand AI tools and techniques. This helps them use AI effectively and interpret its findings accurately.

 

7. Integration with Existing Processes: Seamlessly integrate AI tools with existing audit processes and systems. This ensures that AI complements, rather than disrupts, traditional auditing methods.

 

************************************************************************************

End of Domain 01

Domain 2 Governance and Management of IT

Enterprise Governance of Information & Technology, EGIT

Key aspects of Enterprise Governance of Information & Technology, EGIT.

Let us understand what EGIT is.

EGIT is a process that is used to monitor and control IT activities.

 

Basically it has three objectives.

First, EGIT ensures that IT activities are aligned with the business objectives.

Second, EGIT ensures that IT risks are appropriately addressed.

Third, EGIT ensures that information technology provides added value to the business processes.

 

So in simple terms, EGIT is nothing but IT risk management, IT alignment with the business processes, and deriving value from the IT investment. Together, these three objectives ensure that there is optimum use of technology.

 

Key aspects from the CISA exam perspective:

Q1 What is the primary reason for reviewing the organizational chart?

From an organization chart, one is able to understand the hierarchical structure of the organization and the roles and responsibilities of different individuals.

So the reason is to understand the structure of the organization and the roles and responsibilities of different individuals.

 

Q2 How to determine whether IT adds value to the organization?

Alignment of IT strategy with the organizational strategy.

 

Q3 Who has the final responsibility for IT governance?

Final responsibility: the Board of Directors.

From a regulatory perspective, from the stakeholders' perspective, and from the outside world, it is the board of directors who is responsible for governance, be it enterprise governance or IT governance.

 

Q4 What is the main objective of IT governance?

Optimum use of technology resources.

 

Q5 What is the prime purpose of corporate governance?

Corporate governance covers the entire organization, not only IT; IT governance is a subset of corporate governance.

The prime purpose of corporate governance is to provide the strategic business related direction.

 

Practical questions:

 

Q1 The effectiveness of an IT governance implementation can be most effectively determined by?

Effectiveness of IT governance means the value IT is giving to the business.

Answer: Ensuring involvement of stakeholders.

 

Q2 The IS auditor noted that roles and responsibilities in terms of IT governance and management are not properly documented and defined. What is the most appropriate recommendation?

To define the accountability for each critical function.

 

Q3 The primary reason for reviewing the organizational chart is?

The organizational chart shows the hierarchical structure and the different roles and responsibilities.

So the main reason is to understand the roles and responsibility of the individuals.

To understand the structure of the organization may be a secondary objective.

 

Q4 Which of the following is the prime consideration in determining whether IT adds value to the business?

Alignment of IT strategy with the organizational strategy.

 

Q5 A major risk associated with a lack of top management support in terms of IT strategic planning is?

Lack of alignment between technology and business objectives.

 

Q6 The greatest concern with respect to an organization's governance model is?

Senior management does not review information security policy.

 

Q7 For sound IT governance, the IT plan should be consistent with which of the following?

Organization's business plan.

 

Q8 Who among the following is responsible for IT governance?

Board of Directors.

 

Q9 To achieve the organization's objective, the most important consideration for an IT department is to have which of the following?

Long- and short-term strategies aligned with the organization's objectives.

 

Q10 While reviewing the IT structure, a major concern revolves around which of the following?

IT structure here means the IT processes.

Alignment of IT processes and business requirements.

 

Q11 Which of the following is related to strategic planning?

Strategic planning means organizational level objective.

Answer: Approved supplier for the company's product.

This is a strategy, long-term strategy.

 

Q12 The most important consideration when evaluating the IT strategy of an organization is?

Support for the objectives of the business.

 

Q13 The most important method for ensuring alignment of IT strategy with the organization's business objectives is?

To review the compatibility of the IT plan and the business plan.

 

Q14 Strategic alignment can be best improved by?

Strategic alignment means alignment between the different departmental functions.

Answer: Involvement of top management in aligning the business and technology requirements.

 

Q15 Which of the following best ensures effective IT governance?

Alignment of IT strategy with organization's strategies and objectives.

 

Q16 The most important factor regarding effective implementation of IT governance is?

Effective implementation means whether IT is adding value to the business.

Answer: Identified organizational strategies.

 

Q17 An IT strategic plan should contain?

A strategic plan means long-term objectives.

A mission and vision.

 

Q18 Which of the following is the main objective of IT governance?

Optimal use of the technology resources.

 

Q19 Which of the following is the primary purpose of corporate governance?

To provide strategic direction.

 

Q20 Which of the following is a prime indicator in deciding the area of priority for IT governance?

Area of priority means the critical areas. Answer: Business risk.

 

Q21 An IS auditor evaluating an IT governance framework will be most concerned about?

Limited involvement of senior management.

 

IT Policies, Procedures, and Standards

Let us discuss policies, guidelines, and standards.

 

What is a policy?

A policy provides direction regarding the acceptable and unacceptable behaviors and actions within the organization.

A policy is a high-level statement which provides the intent and expectations of management.

For example, an information and technology policy.

 

What are guidelines and procedures?

 

Guidelines and procedures provide the details about the dos and don'ts that support the organization's policy.

For example, a policy may state that every system should have updated antivirus installed.

Now, to support the above policy statement, the guidelines and procedures will give a detailed explanation of who is responsible for the antivirus process, how the antivirus operation is carried out, who monitors and reviews this process, and other related aspects.

 

What are standards?

A standard is a mandatory requirement to be followed to comply with a given framework or certification.

ISO 27001 is one such standard.

So if an organization wants to comply with the ISO 27001 standard, it needs to comply with all the clauses that are in the ISO 27001 standard.

They are the mandatory requirements of the 27001 standard.

 

CISA Exam perspective:

Q1 The most important action following the dismissal of an employee is?

Disabling their access rights.

 

Q2 Information security policy should be approved by?

The Board of Directors.

Practice questions.

Q1 Which of the following is the first step for the auditor having observed that IT policies are not approved by the management?

To include this point as a non-compliance in an audit report.

 

Q2 An area of most concern while reviewing HR policy is the absence of?

termination process.

 

Q3 The best reason for a policy that restricts second employment is?

To prevent a conflict of interest.

 

Q4 The greatest concern for an IS auditor reviewing an information security policy is?

the fact that policy is not approved by the senior management.

 

Q5 Policy compliance can be best ensured by?

Existing IT mechanisms that support compliance.

 

Q6 Which of the following is the most important action following the dismissal of an employee?

To disable the access rights on the part of the employee.

 

Q7 A major risk of an unstructured policy regarding data and system ownership is the fact that?

An unstructured policy means there are no formal rules or guidelines for assigning ownership of systems and data.

Answer: Access can be granted to unauthorized users.

 

Q8 Which of the following is a major risk when employees are not aware of information security policy?

Unintentional disclosure of sensitive information.

 

Q9 Information security policy should be approved by?

Board of Directors.

 

Q10 Information security policy should include?

the basis of access control authorization.

 

Q11 The most important factor for successful implementation of a security policy is?

Successful implementation means the effectiveness of the security policy.

Answer: Assimilation and intent of all the users.

 

Q12 Which of the following is most critical in terms of being addressed by email policy?

Email retention.

 

Q13 Development of an information security program starts with?

Development of a corporate information security policy statement.

That is, what are the intent and expectations of management with respect to information security.

 

Q14 The risk of unavailability of electronic evidence is reduced by?

The objective is to ensure that evidence remains available.

Answer: An email archive policy.

 

Q15 The most important concern while reviewing information security policy is the fact that?

IT department objectives drive the policy.

 

Q16 The development of operational policies by means of a top down approach helps?

Top down approach means from management's perspective.

Answer: To make them consistent across the organization.

 

Q17 The most important factor while developing information security policy is?

Consideration of business requirements.

Q18 The most important factor in determining the appropriate level of protection is?

Appropriate level of protection means whether the protection should be stringent, moderate or mild control, because each type of control involves different expenditure and budget.

Answer: Outcome of a risk assessment.

 

Q19 The first point of reference for an IS auditor conducting an audit is?

Approved policies.

 

Q20 The most important factor in developing an information security policy is?

Appetite for risk on part of enterprise.

 

Q21 The most important aspect in ensuring that an organization's policy complies with legal requirements is to?

Have periodic review of policy conducted by a subject matter expert.

 

Approaches for Policy Development: Top Down & Bottom up

 

For the development of a policy there are two approaches: the top down approach and the bottom up approach. Let us understand the difference between them.

 

In a top down approach, policies are developed and designed from the senior management perspective.

In the bottom up approach, policies are designed and developed from the process owners' and employees' perspective.

In a top down approach, policies are developed in alignment with the business objectives.

The bottom up approach begins by defining the operational level requirements and policies.

 

One advantage of the top down approach is that it ensures consistency across the organization.

The bottom up approach, on the other hand, is derived from and implemented on the basis of the results of the risk assessment of that particular process.

 

Involvement of senior management in designing the risk scenarios is of utmost importance for the top down approach.

Which approach is best for developing the policies?

An organization should make use of both the top down approach and the bottom up approach when developing organizational policies.

They are complementary to each other and should be used simultaneously.

 

In the top down approach, major risks to the business objectives are addressed, whereas in the bottom up approach, process-level risks are addressed.

 

Key aspects from the CISA exam perspective.

Q1 Information security policy should be approved by?

The Board of Directors.

 

Q2 One advantage of developing operational policies by means of a top down approach?

Consistency across the organization.

 

Q3 One advantage of developing operational policies by means of a bottom up approach?

Risk assessment is considered.

 

Practice questions.

Q1 Which of the following is a first step for the auditor having observed that IT policies are not approved by the management?

To include this as non-compliance in an audit report.

 

Q2 The development of operational policies by means of a top down approach helps?

To make them consistent across the organization.

 

Organizational Structures - Roles and Responsibilities

 

Let us understand the roles of various functionaries.

The first function is the Board of Directors.

The board is primarily responsible for all IT governance.

 

IT Strategy Committee.

They advise the board on IT strategy and new IT initiatives.

 

IT Steering Committee.

They take overall responsibility, monitor IT projects, and ensure alignment between IT and business objectives.

 

System Development Management.

They provide technical support.

 

The next important function is User Management/Project Sponsor.

They assume ownership of the project and the resulting systems. They provide functional requirements and specifications, they take up acceptance testing, and they finally review and approve the deliverables.

 

 

So, what is the role of the Strategy Committee?

They advise the board on IT strategy.

 

What is the role of the Steering Committee?

It provides overall direction and monitors project costs and schedules.

 

What is the role of User Management and Project Sponsor?

They review and approve the deliverables.

 

What is the role of System Development Management?

They provide technical support.

 

 

Some questions on the concept.

 

Q1 Which of the following authorities is ultimately responsible for development?

Whenever ultimate responsibility is asked, the answer is the Board of Directors.

 

Q2 Senior Management's involvement is most vital in the development of?

Whenever involvement of Senior Management is required, the answer is strategic plans. IS security guidelines, procedures and IS functions are basically routine activities.

 

Q3 Which of the following is a function of the IS Steering Committee?

The role of the IS Steering Committee is to monitor the major projects and approve them. Options A, B and D are routine activities to be taken care of by the IT department.

 

Q4 Who is primarily responsible for IT governance?

Again, this is primarily the responsibility of the Board of Directors.

 

Q5 Which of the following teams should assume overall responsibility?

Whenever it comes to assuming overall responsibility, it should be the Steering Committee. The Project Steering Committee assumes overall responsibility for the system development project.

 

Q6 Which of the following should take ownership?

Ownership belongs to User Management or the Project Sponsor. They are the owners of a particular system or project.

 

 

Q7 Requirement specification is ultimately the responsibility of?

Project Sponsor.

Project Sponsor means the same thing as User Management. They should give the requirements for the system, then test it, and then accept the system depending on whether it meets the requirements or not. So, Project Sponsor.

 

 

Q8 An organization established a Steering Committee to oversee its Application Development Program. Which of the following is a function of the Steering Committee?

Options A, C and D are routine activities to be taken care of by the IT department.

Answer: In case of any project issue, the issue needs to be escalated by the IS Steering Committee to top management or the Board of Directors. The IS Steering Committee's role is to monitor and approve the major projects.

 

Q9 Accountability for maintenance of appropriate security measures over information assets resides with?

The options are the security administrator, database administrator, resource owners, or IT group.

Resource owners are basically the data owners, process owners or system owners. They are ultimately responsible and accountable for maintenance of appropriate security measures.

 

Q10 Who assumes the ownership?

As already discussed, whenever ownership comes up, it is User Management or the Project Sponsor. So in this question, User Management should assume overall ownership of the system development project and the resulting system.

 

Testing Concepts - IT Strategy & IT Steering Committee

 

What is the difference between these two terms, and

how does CISA confuse us while using these two terms?

 

We have two committees: the IT Strategy Committee and the IT Steering Committee.

 

Who are the members of the IT Strategy Committee and the Steering Committee?

 

1 - The IT Strategy Committee consists of board members and specialized non-board members.

 

1 - On the other hand, the Steering Committee consists of executives from the organization: the CEO and other key functionaries, as and when required.

 

2 - What is the role of the Strategy Committee? The Strategy Committee advises the board and senior management on IT strategy. As the name suggests, the Strategy Committee advises on the strategy part of IT implementation.

 

2 - The Steering Committee, on the other hand, focuses on the implementation part of IT.

 

Responsibility of Strategy Committee and Steering Committee.

 

The Strategy Committee is responsible for

advising the board to ensure alignment of IT with business objectives,

and for identifying the IT risks and the organization's exposure to IT risk.

It directs management on IT strategy and ensures that IT contributes to the business.

 

Steering Committee responsibilities:

Implementation as per the direction of the board.

Approving project plans and budgets.

Setting priorities and milestones.

Acquiring and assigning appropriate resources.

Ensuring the project meets the business requirements, with continuous monitoring.

Ensuring efficient use of IT resources.

 

 

So basically, the Steering Committee takes care of the implementation part.

The Strategy Committee advises the board, the board approves the advice, and in turn asks the Steering Committee to monitor the implementation of that IT strategy.

 

So the Strategy Committee shows the direction, while the Steering Committee actually drives the implementation.

 

So this picture makes things very, very clear.

 

The IT Strategy Committee advises the board on IT strategy.

The Board of Directors takes the decision on the basis of advice from the IT Strategy Committee.

Once the strategy is finalized, the board instructs the IT Steering Committee to implement it.

 

The IT Steering Committee is then responsible for implementation and monitoring.

 

So this is the basic difference between the IT Strategic Committee and IT Steering Committee.

 

 

Examples.

 

Q1 Who is responsible for monitoring the overall project direction, cost and schedule of a system development project?

The question is about the implementation part of IT. As already discussed, the IT Steering Committee is responsible for the implementation part.

 

Q2 The IT Steering Committee would most likely perform which of the following functions?

Here the function of the IT Steering Committee is being asked.

Placement of purchase orders, installation of system software and interviewing staff are roles of the IS or IT department.

But monitoring IT project prioritization against the business requirements is the prime responsibility of the IT Steering Committee.

They need to ensure that the projects IT is carrying out are as per the business requirements.

 

 

Q3 This question is with respect to the role of the IT Steering Committee.

Options A, C and D are routine roles of the IS or IT department in coordination with user management.

Option B is the correct one. The role of the Steering Committee is to monitor the project and, in case of any hurdles or problems, escalate the project issues to top management or the board.

 

Q4 The role of the Steering Committee is being asked, with options:

ensuring installation of genuine software, efficient use of IT resources, vendor assessment, and advising board members on new projects.

Option D is the role of the Strategy Committee.

Options A and C are roles of the IT or IS department in coordination with the user department.

So the answer here is option B: to ensure efficient use of IT resources.

They need to monitor performance and ensure IT resources are being used optimally.

 

Q5 The IT Steering Committee should review information systems primarily to assess?

The basic role of the IT Steering Committee is to ensure that whatever IT processes are carried out by the IT department support the business requirements.

This is a very important role of the IT Steering Committee.

 

Q6 Which of the following is a function of the IS Steering Committee?

Again, the role of the IS Steering Committee.

As we know, it is approving and monitoring major projects, and the status of IS plans and budgets.

Options A, B and C are routine work to be performed by the IS department.

 

Q7 Which of the following is a major control weakness that can adversely affect a system development project?

Option A is: out of 10 recommendations from the IT Strategy Committee, the board has approved only 8. This is not a control weakness; the role of the IT Strategy Committee is to advise the board, and it is up to the board to accept or reject a recommendation.

So option A is not valid here. Options B and C are the project deadline and the project manager not being part of the project approval plan. Though these are critical, they are not as critical as option D, wherein the organization has decided that a project Steering Committee is not required.

 

 

Enterprise Architecture


An enterprise architecture defines the structure and the operations of the organization.

 

The main focus of Enterprise Architecture is to ensure that technology initiatives are compatible with the IT framework.

The goal of EA is to help the organization adopt the most successful technologies.

 

Zachman framework

The Zachman framework is one of the first enterprise architecture frameworks; it was created by John Zachman.

It is a fundamental EA structure that provides a formal and structured way of viewing and defining an enterprise.

 

Current as well as future objectives.

 

The objective of EA is to determine how an organization can achieve its current as well as future objectives.

So it is very important for the EA to include the future state. If a future state description is not included, the EA is not considered complete.

 

Practice questions.

 

Q1 An IS auditor finds that the organization has two separate EAs: one for the current state representation, and a new project has been initiated to build a future state representation. The IS auditor should?

Two separate EAs will not give a complete picture of the enterprise as a whole.

So report this problem in the audit report as an observation.

 

Q2 The main advantage of an Enterprise Architecture initiative is to?

Allow the company to invest in the technology that is most suitable.

 

Q3 Which of the following is a major concern when EA is not involved in the system selection procedure?

Application technologies may not be compatible with the architecture of the organization.

 

Q4 A vendor has been hired by a company to find a software solution for an Electronic Toll Collection System. As part of the solution, the vendor has developed its own application software. The most important aspect of the contract is?

When application software is developed by the vendor, the concern is the availability of the source code in case the vendor is no longer available in the future.

So the most important clause is the inclusion of the source code in escrow.

 

Q5 Which of the following factors is the most valuable given the rate of technology transition?

Technology transition rate indicates constant changes in technology.

Answer: Sound processes.

 

Q6 An enterprise is considering investing significantly in infrastructure improvements. Which of the following is the most critical factor to consider?

Risk analysis.

 

 

Q7 Which of the following is the most important advantage of open system architecture?

An open system architecture is one that is easy to connect and integrate with, and is compatible with, other systems.

So it facilitates the integration of proprietary components.

Proprietary components means components of a particular vendor, manufacturer or system.

 

Q8 Which of the following steps should be carried out first before designing a security architecture?

Define a security policy.

 

Q9 Compliance risk is not directly addressed by?

Compliance risk is the risk of non-adherence to legal rules and regulations.

Answer: Risk transfer.

 

Q10 Following the merger of two companies, a new common interface would replace several self-developed legacy applications. Which of the following options constitutes the biggest risk?

Answer: Having plans that are not integrated and that do not incorporate resource allocation in a portfolio management approach.

 

Q11 The best recommendation for securing an organization's software investment is to?

Securing an organization's software investment means ensuring that the software can be used for at least a certain number of years, i.e. for long-term purposes.

Answer: Inclusion of a source code escrow arrangement in the service level agreement.

 

Risk Treatment Options

Risk mitigation,

risk avoidance,

risk acceptance,

risk transfer,

risk sharing.

 

 

Risk mitigation is also known as risk reduction.

Risk transfer is also known as risk sharing.

 

Risk mitigation

The objective is to reduce the risk to an acceptable level.

Efforts are made to reduce the probability or the impact of the risk event by designing appropriate controls: either the probability is reduced or the impact is reduced.

 

Risk acceptance.

In this approach, the risk is accepted as it is. No steps are taken to reduce the risk.

This is more prevalent where the cost of controlling the risk is more than the cost of the risk event.

 

Risk avoidance,

In this approach, projects or activities that cause the risk are avoided. Risk avoidance is the last choice, used when no other option is advisable.

 

Risk Transfer,

In this approach, the risk is shared with partners or transferred via insurance coverage, contractual agreement, or some other means.

The risk transfer option is generally used for events with low probability but high impact.

 

 

Understand with examples

Risk mitigation:

installing a firewall to mitigate the risk of unauthorized access.

 

Risk acceptance:

the cost of anti-malware installation is more than the anticipated cost of damage due to a malware attack.

In such cases it is preferable to accept the risk rather than make the investment.

 

Risk avoidance:

declining a project when the business case shows a high risk of failure, so as to avoid that particular project.

Risk transfer:

taking insurance for damage due to natural disasters, where the probability of a disaster is very low but the impact can be high.

 

Risk acceptance

What is the most risky approach among the four options? Risk acceptance. Organizations need to be extremely careful while accepting a risk.

If a risk is accepted without knowing the correct level of risk, it may result in a higher level of liability.

 

Risk Response Examples:

In which option is risk reduced to an acceptable level?

Risk mitigation

 

In which option risk is accepted as it is without taking any action?

Risk acceptance.

 

Which option is the last choice for risk response?

Risk avoidance.

 

Example of insurance coverage?

Risk transfer.

 

In which option are no steps taken to reduce the risk?

Risk acceptance.

 

Natural disasters are covered through?

Risk transfer.

 

Cost of anti-malware is more than the cost of damage. Which option would you like to suggest?

Risk acceptance.

 

In which option is a project declined because of high risk?

Risk avoidance.

 

Chances of higher liabilities.

If you accept a risk without knowing the actual level of risk, it may amount to higher liabilities.

Key aspects from exam perspective.

Q1 Risk response, where cost of control exceeds the cost of risk event?

Risk acceptance.

 

Q2 Risk avoidance can be done by?

Exiting the process that causes the risk.

 

Q3 Risk response options that are most likely to increase the liability?

Risk acceptance.

 

Q4 The risk response in which processes are outsourced to a professional organization with expert knowledge is?

Risk mitigation.

 

Q5 Most suitable risk response where risk related to a specific business process is greater than the potential opportunity?

To avoid the risk.

 

Q6 The risk response in the form of purchasing insurance is?

Risk transfer.

 

Q7 What is the advantage of a business case?

It helps to determine the cost and benefit of the risk response.

 

Q8 What is the most important aspect for risk mitigation?

To ensure that risk is reduced to an acceptable level.

 

Q9 Most effective way to treat a risk with a low probability and a high impact, such as natural disaster?

Best way is to transfer the risk through insurance.

 

Practice questions.

Q1 The most effective risk response where the cost of installing anti-malware software exceeds the expected loss from the threat is?

Risk acceptance.

 

Q2 Characteristic of risk avoidance is?

Stopping the process that gives rise to the perceived risk.

 

Q3 When a risk practitioner recommends implementation of various controls to protect IT resources, which of the following approaches is recommended?

Risk mitigation.

 

Q4 Risk response that most likely increases the liability of the organization?

Risk acceptance.

 

Q5 Outsourcing of a process is an example of?

Risk mitigation.

Q6 In a scenario where risk is greater than the potential opportunity?

Risk avoidance.

 

Q7 Taking insurance is an example of?

Risk transfer.

 

Q8 Which of the following is utilized by a risk practitioner to propose a risk mitigation activity?

Business case.

 

Q9 To ensure that information systems control deficiencies are appropriately remediated, a risk practitioner should review?

Risk mitigation plan.

 

Q10 The objective of a risk mitigation is?

To reduce the risk within acceptable levels.

 

Q11 Best response for a risk scenario with low probability and high impact like natural disaster is?

Risk transfer.

 

Risk analysis methodology

 

What are the risk analysis methodologies, and

how to analyze risk using the various methods.

 

The first question that we need to understand is what is risk analysis?

Risk analysis is the process of ranking various risks so that areas of high risk can be prioritized for treatment.

Risk can be measured and ranked using any of the following methods:

Quantitative risk analysis,

qualitative risk analysis and

semi-quantitative risk analysis.

 

Let us discuss these three assessment methods in detail.

 

Quantitative assessment:

a risk is measured on the basis of numerical values.

These values may be a dollar amount, a percentage or some other numerical reference.

Qualitative risk assessment:

the risk is measured on the basis of qualitative parameters, for example high risk, medium risk or no risk; it cannot be quantified.

 

Semi-quantitative:

a combination of qualitative and quantitative risk assessment.

For example, high, medium and low can be converted into weightings: high may be given a weight of 5, medium a weight of 3 and low a weight of 1.

Accordingly, a semi-quantitative risk score can be derived.

 

Now, the question arises which method to be used when?

 

A risk practitioner would always prefer a quantitative approach because it helps in cost-benefit analysis: the risk is expressed in monetary terms and can easily be compared with the cost of the various risk responses.

 

A qualitative method is preferred when risk cannot be quantified due to absence of relevant data.

Semi-quantitative methods are frequently used when it is not possible to use a quantitative method or to reduce the subjectivity in qualitative methods.

 

So what is the best method for risk analysis?

Quantitative risk assessment.

A risk practitioner will always prefer a quantitative approach. It helps in cost-benefit analysis, as a risk in monetary terms can easily be compared with the cost of the various risk responses.

 

However, a major challenge in conducting a quantitative risk analysis is the availability of accurate data. In the absence of proper data, or when data accuracy is questionable, qualitative risk analysis is preferable.

 

How to analyze risk using a quantitative method.

 

As we all know,

Risk is a product of probability and impact.

 

To quantify the risk, these are the two important data elements, probability and impact.

 

Example.

I have one piece of equipment costing a hundred dollars.

There is a 0.5 probability of damage to this equipment.

As discussed, risk is probability × impact. So here the risk comes to 50: a hundred dollars multiplied by a 0.5 probability.

Please note that this is a simple example of quantitative risk assessment, in which statistical methods are used to derive the risk.
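A worked example of the quantitative, semi-quantitative and treatment rules from these notes, added here as illustration (it is not part of the original material): the risk register, control costs and the thresholds used for the low-probability/high-impact transfer case are constructed assumptions.

```python
"""Risk scoring for a small, constructed risk register.

Implements the rules stated in the notes:
  - quantitative risk = probability x impact (the $100 x 0.5 = $50 case),
  - semi-quantitative scoring with high/medium/low -> 5/3/1 weights,
  - ranking risks so the high ones are prioritised for treatment,
  - accept when the cost of the control exceeds the cost of the risk event,
  - transfer (insure) for low-probability, high-impact events,
  - otherwise mitigate.
"""
from dataclasses import dataclass

# Semi-quantitative weights exactly as described in the notes.
WEIGHTS = {"high": 5, "medium": 3, "low": 1}

# Assumed thresholds for the "low probability, high impact" transfer case.
LOW_PROBABILITY = 0.05      # at most a 5% annual likelihood
HIGH_IMPACT = 1_000_000.0   # at least $1M loss per event


@dataclass(frozen=True)
class Risk:
    name: str
    probability: float   # annual likelihood of the event, 0..1
    impact: float        # loss in dollars if the event occurs
    control_cost: float  # annual cost of the control that would mitigate it


def quantitative_risk(probability: float, impact: float) -> float:
    """Risk as the product of probability and impact (expected loss)."""
    if not 0.0 <= probability <= 1.0:
        raise ValueError("probability must be between 0 and 1")
    if impact < 0:
        raise ValueError("impact must be non-negative")
    return probability * impact


def semi_quantitative_score(probability_level: str, impact_level: str) -> int:
    """Convert high/medium/low ratings into weights and multiply them."""
    return WEIGHTS[probability_level.lower()] * WEIGHTS[impact_level.lower()]


def rank_risks(register):
    """Risk analysis as the notes define it: order the risks so that the
    high ones can be prioritised. Returns (name, expected_loss) pairs,
    highest expected loss first."""
    scored = [(r.name, quantitative_risk(r.probability, r.impact)) for r in register]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


def recommend_treatment(risk: Risk) -> str:
    """Apply the treatment rules from the notes to one register entry."""
    expected_loss = quantitative_risk(risk.probability, risk.impact)
    if risk.control_cost > expected_loss:
        return "accept"       # control costs more than the risk event
    if risk.probability <= LOW_PROBABILITY and risk.impact >= HIGH_IMPACT:
        return "transfer"     # insurance-type response
    return "mitigate"         # design a control to cut probability or impact


# Constructed register (values are illustrative, not from any real assessment).
REGISTER = [
    Risk("equipment damage", 0.5, 100.0, 20.0),          # the notes' $100 x 0.5 case
    Risk("malware on a lab PC", 0.3, 500.0, 800.0),      # anti-malware costs more than the loss
    Risk("data centre flood", 0.01, 5_000_000.0, 40_000.0),
    Risk("unauthorized remote access", 0.2, 300_000.0, 30_000.0),
]


def analyse(register=REGISTER):
    """Map every risk in the register to its recommended treatment."""
    return {r.name: recommend_treatment(r) for r in register}


if __name__ == "__main__":
    for name, loss in rank_risks(REGISTER):
        print(f"{name:30s} expected loss ${loss:,.2f}")
    for name, action in analyse().items():
        print(f"{name:30s} -> {action}")
```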

 

Key aspects from exam perspective.

Q1 What factors are required to quantify the risk?

Probability and impact

In the exam, probability may also be referred to as possibility or likelihood.

Impact may also be referred to as consequences.

 

Q2 In which risk analysis method are statistical methods used to derive the risk?

Quantitative risk analysis.

 

Q3 Financial impact of a risk can be derived by?

quantitative risk analysis.

 

Q4 In which risk assessment process are likelihood and impact used for risk quantification?

Quantitative risk analysis.

 

Q5 Which method is best to get the comprehensive results when performing a qualitative risk analysis?

To determine various scenarios with threats and impact.

 

Q6 The primary factor that determines whether to use a qualitative or quantitative approach?

is availability of data.

 

Q7 Which is the most difficult data to derive for performing quantitative analysis?

Accurate frequency (probability or likelihood) of occurrence.

 

Practice questions.

Q1 Risk quantification can be arrived through combination of?

probability and consequences.

Consequences, that is impact.

 

Q2 The use of statistical methods to derive probability and impact is best considered in?

Quantitative risk analysis.

 

Q3 The most important factor in the quantitative risk analysis process is?

Answer: Expected monetary value.

Net present value is used for calculating the present value of future cash flows.

Earned value analysis is used for monitoring the progress of a project.

A decision support system supports decision making by providing detailed analysis.

 

Q4 Impact of a failed equipment can be arrived at by?

Use of quantitative and qualitative approaches to determine the impact on the business.

 

Q5 The main factor for deciding between a qualitative approach and a quantitative approach is?

Availability of the data.

 

Q6 In which of the following risk assessment processes are probability and impact used to calculate the level of risk?

Quantitative risk analysis.

 

Q7 The most important challenge in conducting a quantitative risk analysis is?

Answer: Getting accurate details on the frequency of risk events.

Getting details on impact, asset valuation or annual loss expectancy is not as difficult as determining the frequency of the event.

 

Q8 Which of the following approaches is used to arrive at the financial impact of a specific individual risk scenario?

Answer: Quantitative risk analysis.

 

Financial risk modeling is generally used to determine aggregate risk rather than an individual risk scenario.

 

Q9 Which of the following risk assessment methods involves conducting interviews and using anonymous questionnaires by subject matter experts?

Answer: Qualitative risk analysis.

 

Quantitative and financial modeling use statistically based analysis.

Monte Carlo simulation combines both qualitative and quantitative assessment methods.

 

Q10 The best method to provide comprehensive results when conducting a qualitative risk analysis is?

Answer: Scenarios with threats and impact.

 

Other options are not as effective as scenarios with threats and impact.

 

 

Enterprise Risk Management

What is Enterprise Risk Management?

 

ERM covers the entire gamut of the risks that are applicable to the enterprise.

It includes IT risk, operational risk, investment risk, market risk, reputational risk, legal risk and compliance risk. All the risks that are applicable to an enterprise are within the scope of ERM.

ERM is the set of practices, methods and processes adopted by an organization to manage and monitor risk across the organization.

It is a structured process for managing the various risks that can adversely impact the business objectives.

 

Key aspects from exam perspective.

 

Q1 What is the first step in implementing a risk management program?

The first step is to identify what you want to protect.

So the first step is asset identification, and then

to determine the threats, vulnerabilities and risk profile of the organization.

If asset identification is not given among the exam options,

then the first step would be to determine the threats.

 

Practice questions.

 

Q1 Which of the following should be reviewed first while evaluating an organization's risk management procedure?

The first thing we should know is the asset that we want to protect, and then

Answer: the threats and vulnerabilities affecting that particular asset.

 

Q2 Which of the following treatments indicates the exchange of risk?

Exchange of risk means sharing of risk.

Risk transfer.

 

Q3 A team performing a risk analysis has difficulty anticipating the financial losses that might result from a risk. To evaluate the potential impact, the team should?

Difficulty in anticipating the financial losses means quantification is not possible. In such cases, you need to

Answer: apply a qualitative approach.

 

Q4 Establishing the level of acceptable risk is the responsibility of?

senior business management.

 

Q5 The output of the risk management process is an input for?

What do we do once we have identified the risks? They are used for making

Answer: decisions regarding security policy.

 

Q6 The first duty of the IS auditor is to review any current e-business program in search of vulnerabilities. What should the next task be?

Vulnerabilities mean weaknesses. So the next step will be

Answer: to identify the risk and possibility of occurrence.

Once you understand the weaknesses, i.e. the vulnerabilities, you assess the impact they can have and the likelihood of occurrence. Then you move on to the next step.

 

Q7 An assessment of IT risk is best achieved by-?

Best way is to

Answer: assess the risk and vulnerabilities relevant to the current IT infrastructure and IT program.

It is very important to understand what risk lies currently.

 

Q8 A poor choice of passwords and unencrypted data transmissions over unprotected communication lines are the examples of-?

 As we all know, these are the forms of weakness. And weakness is also known as vulnerability.

 

Q9 The first step in implementing a risk management program is to-?

Answer: identify the assets.

Once the assets are identified, you determine the threats and vulnerabilities to those assets. So in this question the answer is the option on asset identification.

 

Q10 What is the best recommendation for a small-sized IT organization that does not have an independent risk management function, and where the organization's operational risk reporting includes only a few commonly defined forms of IT risk?

In such a scenario, it is good to

establish regular IT risk management meetings to define and assess risk, and to develop a contingency plan as an approach to control the risk within the company.

 

Q11 Which of the following types of insurance will cover a risk arising from employees' fraudulent actions?

Fidelity coverage.

 

Q12 Which of the following is of greatest interest to an IS auditor evaluating the risk strategy of an organization?

The most important factor to be considered is whether

Answer: all the relevant risks are identified and categorized.

 

Without knowing the risk, there cannot be any risk strategy.

 

Q13 The most important consideration while reviewing a risk management program is-?

Answer: The fact that IT risk is presented from a business perspective.

 

Impact of IT risk on business objectives should be presented.

 

Q14 The risk appetite of an enterprise is best ascertained by-?

Risk appetite means willingness to take risk.

Answer: Steering committee.

 

Capability Maturity Model

What is the Capability Maturity Model and what are its objectives?

The Capability Maturity Model is useful to determine the maturity level of the risk management process.

The model assumes a series of process levels, each an improvement on the previous one:

Level 0, Incomplete: the process is not implemented or does not achieve its intended purpose.

Level 1, Performed: the process is implemented and achieves its intended purpose.

Level 2, Managed: the process is appropriately planned, monitored and controlled.

Level 3, Established: the process is well defined, well documented and consistently followed.

Level 4, Predictable: the process operates within defined parameters to achieve its intended purpose.

Level 5, Optimizing: the process is continuously improved to meet its intended purpose and projected goals.

So each level improves on the previous level.

This is what the Capability Maturity Model assumes. Please note: this is only for understanding purposes. There will not be any direct question about the levels of the Capability Maturity Model.

 

What is the objective of the Capability Maturity Model?

 

Every organization has some desired level for their risk management processes but they may be there or may not be there. They may be far away, may be near to their desired level.

So objective here is to

identify the gap between the current level and desired level.

 

Maturity models helps to identify the

gaps between the current state of process and desired state of process.

 

This helps the organization to

determine necessary action for improvement.

 

The main objective of the Capability Maturity Model is continuous improvement.

 

You move from level 0 to level 1, 2, 3, and finally to the top level where your desired level is achieved.

 

What are the advantages of the Capability Maturity Model?

A mature organization is much more likely to prevent the incidents, detect the incident sooner and recover rapidly from the incidents.

It is the best technique to enable a peer review of an organization's risk management process and capacity.

What are the pre-requisites for implementing the Capability Maturity model?

It requires the organization to have a defined, standard and reliable process that is followed consistently and continuously so that improvement can be sought.

Another important aspect is the level of performance.

Performance is the most important factor when using a Capability Maturity Model. Performance is said to be achieved when the implemented process meets its intended purpose.

 

 Key aspects from exam perspective:

Q1 Measuring the existing level of risk management processes against their desired state is best done through?

 Capability Maturity Model.

 

Q2 What is the objective of the maturity model?

Constant improvement.

 

Q3 What is the most important criteria when using a Capability Maturity Model?

Performance.

 

Q4 Capability Maturity Model is based on?

 standard, repeatable and measurable processes.

 

Practice questions.

Q1 Which of the following is most helpful to improve the organization's risk management process?

Maturity Model.

 

Q2 Practice that helps the risk manager to determine the existing level of risk management processes as against the desired level is:?

 Capability Maturity Model.

 

Q3 A peer review of risk management process is best enabled by:?

Capability Maturity Model.

 

Q4 The most important capability dimension of the maturity model for assessing the risk management process is:?

Performance.

Performance is the most important capability dimension for Capability Maturity Model. It is achieved when the implemented process achieves its intended purpose.

 

Q5 Primary benefit of a maturity model for assessing the risk management process is:?

It helps to identify the gaps.

It helps to identify the gaps between current state and desired state, and thus helps the organization to determine necessary remediation steps for improvement.

 

Q6 To assess the capability of a risk management process of the organization, a regulatory body would rely on:?

independent team.

An independent team removes bias from the assessment.

 

Q7 Capability Maturity Model is primarily based on:?

 application of standard, repeatable processes that can be measured.

This helps to determine the improvement or otherwise of the stated process.

Others are a secondary factor.

 

Q8 An organization is in process of selecting a consultant to conduct the maturity assessment of its risk management program. The most important element for selection of the consultant is:?

Answer: methodology to be used.

It helps to understand the process and the formulas for the assessment. This is the most important element for selection of consultants. Others are secondary factors.

 

Laws and regulations impacting the organization.

Objectives of laws and regulations.

Laws and regulations are being enacted with the aim of protecting the interest of stakeholders.

 

In the field of IT, most common objectives are

 to safeguard the privacy and confidentiality of personal data,

to protect the intellectual property rights and

to ensure the integrity of financial information.

 

Please note there will be no direct question in the exam on any particular law or regulation, such as HIPAA, GDPR or any other specific law.

 

From exam perspective what we need to understand is,

 

what is the role of an IS auditor while determining the adherence to the laws and regulation.

So these are some important aspect.

First one,

we need to ensure that organization has identified the applicable laws and regulation. This is very important.

 

Second,

whether GRC programs are being implemented within the organization, governance, risk, and compliance program?

 

Third, if the

organization is operating in multiple jurisdictions, how are the legal and regulatory requirements of all those jurisdictions addressed?

 

Fourth one, it is very important

whether roles and responsibility for adhering to the regulatory requirement is assigned to an individual at a senior management level? And also it is very important to

have an appropriate monitoring, auditing, and reporting process with relation to legal and regulatory requirements.

 

Key aspect from exam perspective.

Q1 Major factor to be considered in relation to offshore data storage and transfer?

Storing or transferring data to an offshore location means a location outside one's national boundaries, i.e. outside one's jurisdiction.

So the major concern is

Answer: privacy laws.

 

Q2 What are the important concerns regarding use of cloud services?

Two main aspects or two main concerns are

compliance with laws and regulations (first preference)

data confidentiality.

 

Practice questions.

Q1 Which of the following is a determining factor in not maintaining customer data at an offshore location?

Privacy laws could prevent the flow of information across borders.

 

Q2 Which of the following is a major concern for an IS auditor when reviewing regulatory compliance of an organization?

No list of applicable laws and regulations is maintained.

 

Q3 The most important factor to consider in terms of success of IT activities is?

Success of IT activities means how far IT activities are helping the business processes.

Answer: The most important aspect is compliance with regulatory requirements.

The balanced scorecard is an important factor, but the most critical factor is how far IT is supporting the compliance obligations of the business.

 

Q4 A major concern regarding the storage of sensitive data in the cloud is?

Data confidentiality.

 

Q5 The most important concern regarding the use of cloud services is?

Compliance with laws and regulations.

 

 

IT resource management.

What is the objective of software escrow agreement?

A software escrow agreement is a deposit of the source code with a third-party escrow agent.

The objective of the escrow agreement is to address the risk of closure of the vendor of custom-written software.

In the event of the vendor going out of business, the client can obtain the source code from the third party.

This is how an escrow arrangement works: on the basis of an agreement between the software provider and the software purchaser, the software provider deposits the source code with a third-party escrow agent.

The third-party escrow agent hands over the source code to the purchaser on the occurrence of specified escrow events, such as the vendor going out of business.

 

Key Concepts

Q1 What is the primary objective of mandatory holidays?

To detect fraud or illegal acts.

 

Q2 What is the primary objective of job rotation?

 to detect improper or illegal employee acts.

 

Q3 Primary compensating control for absence of segregation of duties.?

Transaction and log monitoring.

 

Q4 What is the first step when an employee is terminated?

To revoke the employees access to all the systems, immediately.

 

Q5 What is the primary consideration when reviewing the IT priorities and coordination?

Alignment of project as per the business objective.

 

Practice questions.

 

Q1 Which of the following is the primary consideration when reviewing the IT priorities and coordination?

 Alignment of project with business objectives.

 

Q2  A software escrow agreement is intended primarily to address which of the following?

Yes, risk of business closure of a vendor who has written the software.

 

Q3 The prime objective of mandatory holidays for employees is which of the following?

To reduce the opportunity for fraud or illegal acts.

 

Q4 Which of the following roles taken together should not be trusted to a single individual?

System administrator and application developer.

 

Q5 The integrity of new staff can be determined by which of the following?

By conducting the background verification.

 

Q6 Which of the following dual roles is an area of major concern?

system administrator and application programmer.
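As an added example (not from the notes), the following Python script shows how the dual-role concern above can be checked mechanically: it scans a constructed list of user-to-role assignments for toxic combinations such as system administrator plus application developer, offers a preventive check to run before a new role is granted, and where a conflict is found points to the compensating control the notes name (transaction and log review). The role names, the conflict pairs beyond the one the notes call out, and the user data are all assumptions made for this example.

```python
"""Segregation-of-duties (SoD) conflict check over a constructed role list.

Added example, not part of the CISA notes. The user/role data is constructed
for illustration. The conflict pairs are the one the notes call out (system
administrator + application developer) plus two assumed common ones
(developer + production deployment, payment initiation + payment approval).
"""
from itertools import combinations

# Toxic role pairs are unordered, so store each as a frozenset.
TOXIC_PAIRS = {
    frozenset({"system_administrator", "application_developer"}),
    frozenset({"application_developer", "production_deployer"}),   # assumed
    frozenset({"payment_initiator", "payment_approver"}),          # assumed
}

# Compensating control to recommend when a conflict cannot be removed
# (the notes: review of transaction and application logs).
COMPENSATING_CONTROL = "independent review of transaction and application logs"

# Constructed sample data: user -> set of roles currently assigned.
ASSIGNMENTS = {
    "alice": {"system_administrator", "application_developer"},
    "bob": {"application_developer"},
    "carol": {"payment_initiator", "payment_approver", "auditor"},
    "dave": {"production_deployer", "system_administrator"},
}


def find_conflicts(assignments):
    """Detective check: {user: [(role_a, role_b), ...]} for users holding a toxic pair."""
    conflicts = {}
    for user, roles in assignments.items():
        hits = []
        for a, b in combinations(sorted(roles), 2):
            if frozenset({a, b}) in TOXIC_PAIRS:
                hits.append((a, b))
        if hits:
            conflicts[user] = hits
    return conflicts


def would_conflict(assignments, user, new_role):
    """Preventive check: roles the user already holds that clash with new_role."""
    current = assignments.get(user, set())
    return [r for r in sorted(current) if frozenset({r, new_role}) in TOXIC_PAIRS]


def report(assignments):
    """One line per conflict, with the remediation an auditor would expect."""
    lines = []
    for user, pairs in sorted(find_conflicts(assignments).items()):
        for a, b in pairs:
            lines.append(f"{user}: {a} + {b} -> remove one role or apply {COMPENSATING_CONTROL}")
    return lines


if __name__ == "__main__":
    for line in report(ASSIGNMENTS):
        print(line)
    print("grant bob system_administrator? clashes with:",
          would_conflict(ASSIGNMENTS, "bob", "system_administrator"))
```

The preventive check is the one worth wiring into an access-request workflow; the detective scan is what an auditor runs over an exported role list, and a hit without a documented compensating control is the finding.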

 

Q7 The rate of change in technology increases the importance of which of the following?

Implementing and enforcing sound processes.

 

Q8 The most important consideration when planning to implement a new technology is.?

 A risk analysis.

 

Q9 The best compensatory control for a lack of segregation of duties between IT staff and end user is.?

 To review the transaction and application logs.

 

Q10 Which of the following risks should be assessed by an IS auditor reviewing an organization that uses cross training practices?

All parts of a system being known to a single individual.

 

Q11 The most important consideration when reviewing an approved software product list is.?

Whether risk associated with each product is reviewed periodically.

 

Q12 The primary control objective of job rotation is to achieve.?

To detect improper or illegal employee acts.

 

Q13 Which of the following should be done as a priority when an employee with the high access to highly confidential information resigns?

Revoking the employees' access to all the systems.

 

Q14 The primary control objective of implementing a vacation policy is.?

To identify the potential errors or inconsistency in the business processes.

 

 

IS auditor's role in review of outsourcing function

IS auditor's role in review of outsourcing function.

Points to remember for the CISA exam.

What should be there in an outsourcing contract?

The very first thing should be in writing. It should be a formal written contract.

Three clauses should be there in this particular outsourcing contract.

What are these three clauses?

IPR, data privacy, BCP/DRP. IPR stands for Intellectual Property Right.

 

IPR clauses will protect a particular organization from someone else claiming the ownership of any particular data or processes that have been outsourced.

 

Now the IS auditor needs to ensure, at least, these three clauses should be there in the outsourcing contract. If not, then it should be a point of concern or consideration for the IS auditor.

 

Now two main advantages of outsourcing are:

One, availing expert service and

second, to save the cost. So in any scenario,

 

wherever there is some indication of the advantage of outsourcing, you need to look for either of this option in answer.

Either to avail expert service or to save the cost.

 

In scenario, if both the options are there as an answer, then you need to give priority to expert service, to avail expert service.

 

In many questions or scenarios, the service provider will be operating from another country.

In such a scenario there are two points of concern for an IS auditor: legal jurisdiction and privacy laws.

So where the service provider operates from another country, the IS auditor needs to ensure these two considerations were thought through before entering into the agreement.

So the points of concern are legal jurisdiction and privacy laws.

 

So outsourcing contracts should be in

written agreement,

inclusion of intellectual property clause and

inclusion of BCP/DRP clause.

These are the points the IS auditor needs to ensure while reviewing your outsourcing contract.

What are the advantages of outsourcing contracts?

To avail expert services and for cost saving.

But the prime advantage of outsourcing is to avail the expert services.

 

In case if the service provider is outside the country, legal jurisdiction is the option and another option is privacy law.

 

So these are the major concerns in case the service provider is from an outside country.

 Legal jurisdictions and privacy.

 

What is the role of the IS department?

One is monitoring the outsourcing providers performance and

Second is managing compliance with the contract for the outsource service.

 

Both of these amount to the same thing.

The role of the IS department is to ensure the outsourcing vendor is performing as per the contract.

 

For example, a question-answer.

 

Q1 "What is the most important function to be performed by IS management in case of outsourced office IT process?"

Options: Ensuring that outsourcing charges are paid per SLA, training to staffs, levy of penalty, monitoring the outsourcing provider's performance.

Answer: The IS department is to monitor the outsourcing providers performance.

 

Q2 Let us take one more example. Here, "Which of the following is the responsibility of our organization's IT management?"

 

They need to ensure compliance with the contract for the outsourced services.

 

Q3 An IS auditor observes that outsourcing vendors have been appointed without a formal agreement. What should be the course of action?

Options: obtain independent assurance, set up a process for monitoring the service delivery, revoke the appointment of the outsourcing vendors.

Answer: ensure that formal contracts are in place.

 

As we have already seen, all contracts and agreements should be formal and in writing.

Without a formal written agreement, the contract may not stand up in a court of law.

 

Q4 An organization has outsourced IT support service. A probable advantage of outsourcing is that.?

So we already discussed what are the advantages of outsourcing. One is we can have expert service and second is cost saving.

So here, if you see there is no option with respect to cost saving, but option with respect to expertise outsourcing vendor is there.

So that is the answer.

 

Q5 An organization has outsourced the design of its IT security policy. Which of the following functions cannot be outsourced?

No organization can outsource its accountability. Even if it outsources a function, its processing or its design, accountability remains with the organization and cannot be outsourced.

 

Q6 An organization has outsourced IT support service to a provider in another country.?

 

If the service provider is not from the same country, there are two major concerns:

legal jurisdiction and privacy law.

 

So here we do have option legal jurisdiction.

 

Q7 An IS auditor reviewing an outsourcing contract of IT facilities. He should be most concerned if which of the following clauses is not included in the contract?

Some of the important clauses that an IS auditor should ensure, should be there in the contract.

One is ownership of intellectual property,

other is BCP/DRP related thing and the

The third one is with respect to the privacy clause.

So here we do have that option, that is ownership of intellectual property.

 

Q8 An organization has outsourced data operations service to a provider in another country.?

Major two concerns will be:

One is legal jurisdiction and

Second is privacy law.

So we do have one option here that is: Privacy laws could prevent cross-border flow of information.

 

 

Q9 An IS auditor is reviewing outsourcing operations of IT facilities. Which of the findings should be of most concern?

The auditor needs to ensure certain clauses are in the contract. One of them is the inclusion of BCP/DRP for IT operations, so its absence is the finding of most concern.

 

Q10 An IS auditor is reviewing the performance of a service provider. Which of the following is the most important document for such a review?

Options: performance report generated by the ISP, service level agreement, penalties imposed, the ISP's references.

The important document here is the service level agreement.

Unless the auditor reviews the service level agreement, they will not be able to judge the performance or the penalties imposed.

The ISP's references are not relevant here. So the answer is the service level agreement.

 

IT performance monitoring and reporting processes.

Steps for developing performance metrics, best practices for performance metrics, and what are the tools and techniques available for performance metrics.

 

What are performance metrics?

Performance metrics are the tools and the technique to evaluate the performance of the system or processes.

 

What are the steps for developing performance metrics?

Step one is to identify the critical process.

The first step is to identify the critical process that needs to be monitored.

For example, patch updating is one of the critical processes, so it is identified.

 

In the second step, you need to identify the expected output.

So the second step is to define the expected output or target for each process that needs to be monitored.

Continuing with the same example:

for the patch updating process, what output is expected?

What should the turnaround time (TAT) be? What percentage of devices should be covered? These should be defined.

 

In the third step, compare the actual output with the target, and this should be done on a periodic basis.

If the target is not achieved, conduct a root cause analysis to determine the areas of improvement.

 

Best practices for performance metrics.

Targets for the performance metrics should be shared from the top down and should be aligned with the business objectives.

Targets should be approved by the stakeholders, and accountability and responsibility for achieving the target should be clearly defined.

Data should be readily available to be used for measurement of the metrics. Data should be complete, accurate, and correct.

 All key IT processes should have proper metrics.

 

 

Important tools and techniques for developing performance metrics.

One among them is Six Sigma and Lean Six Sigma.

 

Six Sigma

is a quantitative process analysis methodology for process improvement and reduction of the defects.

Anything outside the customer specification is defined as Six Sigma defect.

 

Lean Six Sigma.

Lean Six Sigma takes a similar approach to Six Sigma. It seeks to remove unnecessary steps that do not add value to the product.

 

IT Balanced Scorecard.

An IT balanced scorecard is one of the most effective IT governance tools and shows the efficiency and value creation of the IT team and measures the IT performance, IT risk, and IT capabilities.

IT balanced scorecard helps to measure the effectiveness with respect to customer satisfaction, internal processes and innovation abilities.

so whether customers, either external or internal, are satisfied with IT support.

It helps us to determine whether IT helps in improving the operational processes and

It helps us to determine whether IT contributes to new innovation.

 

So, a balanced scorecard helps to measure the alignment of IT with the business needs. This is a very important aspect from an exam perspective.

 

Key Performance Indicator.

KPIs are used for measuring the performance against the predetermined goals.

 

They are a key indicator of goal achievement. They also show the abilities, practices, and the skills.

For example, one of the goals is to keep the system up at least 95% of the total time.

In January the system was up 96% of the time, so the goal was met.

In February the key performance indicator was 97%. But in March performance was not good, as the system was up only 92% of the time.

So this is what KPIs, key performance indicators, are: measurements that are compared against the predetermined goal.
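The three metric-development steps above (identify the critical process, define its target, compare actual against target periodically and run root cause analysis on misses) and the uptime KPI example can be carried out together in one small script. The following Python is an added example, not code from the notes: it computes patch-updating coverage within a turnaround time and checks monthly uptime against the 95% goal, listing what needs root cause analysis. The device inventory and patch dates are constructed, and the target values are assumptions for this example.

```python
"""Evaluating IT performance metrics against their targets.

Added example, not part of the notes. It walks through the three steps the
notes describe (identify the critical process, define its target, compare
actual against target and trigger root cause analysis) for the two examples
the notes use: patch updating (turnaround time and device coverage) and
system uptime. All device, patch and uptime data is constructed, and the
target values are assumptions for this example.
"""
from datetime import date, timedelta

# Step 2: targets for each monitored process (assumed values).
TARGETS = {
    "patch_coverage_pct": 95.0,  # share of devices patched within the TAT
    "patch_tat_days": 14,        # turnaround time from patch release to install
    "uptime_pct": 95.0,          # the notes' own uptime goal
}

# Date on which the periodic (step 3) review is run.
REVIEW_DATE = date(2024, 3, 31)

# Constructed inventory: (device, patch release date, install date or None).
PATCH_RECORDS = [
    ("srv-01", date(2024, 3, 1), date(2024, 3, 5)),
    ("srv-02", date(2024, 3, 1), date(2024, 3, 20)),  # installed, but late
    ("srv-03", date(2024, 3, 1), None),               # still unpatched
    ("ws-01", date(2024, 3, 1), date(2024, 3, 10)),
    ("ws-02", date(2024, 3, 1), date(2024, 3, 12)),
]

# Constructed monthly uptime, using the figures from the notes.
UPTIME_PCT = {"Jan": 96.0, "Feb": 97.0, "Mar": 92.0}


def patch_metrics(records, tat_days, as_of):
    """Coverage within the TAT as of a review date, plus the laggards to feed
    into root cause analysis. Devices whose deadline has not yet passed are
    reported as pending rather than counted against coverage."""
    on_time, late, pending = [], [], []
    for device, released, installed in records:
        deadline = released + timedelta(days=tat_days)
        if installed is not None and installed <= deadline:
            on_time.append(device)
        elif installed is None and as_of <= deadline:
            pending.append(device)
        else:
            late.append(device)
    measured = len(on_time) + len(late)
    coverage = 100.0 * len(on_time) / measured if measured else 100.0
    return {"coverage_pct": round(coverage, 1), "laggards": late, "pending": pending}


def uptime_breaches(uptime_by_month, target):
    """Months in which measured uptime fell below the target."""
    return [month for month, pct in uptime_by_month.items() if pct < target]


def evaluate(as_of=REVIEW_DATE):
    """Step 3: compare actual against target and list what needs root cause analysis."""
    findings = []
    patch = patch_metrics(PATCH_RECORDS, TARGETS["patch_tat_days"], as_of)
    if patch["coverage_pct"] < TARGETS["patch_coverage_pct"]:
        findings.append(
            f"patch coverage {patch['coverage_pct']}% below target "
            f"{TARGETS['patch_coverage_pct']}%; root cause analysis on {patch['laggards']}"
        )
    for month in uptime_breaches(UPTIME_PCT, TARGETS["uptime_pct"]):
        findings.append(
            f"uptime {UPTIME_PCT[month]}% in {month} below target "
            f"{TARGETS['uptime_pct']}%; root cause analysis on {month} outages"
        )
    return findings


if __name__ == "__main__":
    for finding in evaluate():
        print(finding)
```

Note the denominator choice: a device whose turnaround deadline has not yet passed is neither a success nor a failure, so it is reported separately. Counting it as covered would flatter the metric and counting it as a miss would produce false root cause work, which is exactly the "misleading indication of IT performance" the exam questions later warn about.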

 

What is benchmarking?

Benchmarking includes evaluating and comparing the business processes and performance metrics with other organizations' best practices.

Benchmarking helps us to learn the best way to implement the processes.

 

Business Process Re-engineering.

Business process re-engineering is the process of redesigning the process functions to improve the performance and reduce the cost.

Redesigning with the purpose to improve the performance and cost.

 

What is the root cause analysis?

Root cause analysis means finding the basic cause of something in order to understand the cause of a given incident.

Once the root cause analysis has been performed, effective corrective action is taken to prevent a system failure or deficiency.

 It helps us to learn from errors and issues and to ensure that a given incident does not occur again.

 

Life Cycle Cost-Benefit Analysis.

Life Cycle Cost-Benefit Analysis is used to determine the overall cost of the project throughout the project life cycle.

So it will include maintenance and upgradation cost of IT infrastructure as well.

This cost is compared with the expected benefits.

 

Key aspects from the CISA exam perspective.

Q1 What is the pre-requirement for implementation of a balanced scorecard?

Balanced scorecard is used for measuring the efficiency.

So, to measure the efficiency, you need to have a key performance indicator.

 

Q2 What is the primary objective of an IT performance measurement process?

We measure the performance to improve the performance, to optimize the performance.

 

Q3 Which is the best method to understand the effectiveness of an organization's IT asset planning and management?

To analyze the IT balanced scorecard.

An IT balanced scorecard will help us to understand how IT is supporting the business objective.

 

Q4 What is the risk of a lack of measurable performance indicator?

In absence of a measurable performance indicator, misleading indications of IT performance could be presented to the management. And because of this misleading indication, management may make some wrong decisions or unsound decisions.

 

Practice questions.

Q1 Which of the following is a prerequisite for implementing an IT balanced scorecard?

Defining the KPIs.

 

Q2 An IS auditor noted that the performance indicators of key processes are not measurable. Which of the following is a major risk?

Misleading indications of IT performance could be presented to management,

which in turn may lead to unsound management decisions.

 

Q3 The most significant function of IT management with respect to an outsourced service is?

To monitor and control the provider's performance.

 

Q4 The main objective of measuring IT performance is?

To optimize the performance.

 

Q5 What is the most important factor to determine the effectiveness of an organization's IT asset planning and management?

To analyze the IT balanced scorecard.

 

Q6  An IS auditor is reviewing an organization's project portfolio. Which of the following is the most important consideration?

Alignment with business plan.

 

Q7 The best enabler for strategic alignment between business and IT is which of the following?

IT should support the

Answer: organization's goals and metrics.

 

IT balanced scorecard.

What are the objectives of an IT balanced scorecard?

The first one, and the prime one, is to measure and evaluate the performance of IT.

And by measuring and evaluating performance, they can improve the performance and hence, to optimize the performance.

So there are dual objectives.

One is to measure and to take corrective action and to optimize the performance.

 So measuring the performance and to optimize the performance.

 

measure IT performance,

Now, when we say we need to measure IT performance, actually what we need to measure?

So basically there are three things there to be measured.

One is customer satisfaction,

second is internal processes,

Third is the ability to innovate.

So in the CISA exam you need to know this customer satisfaction, internal processes, and ability to innovate.

In an earlier CISA examination this question was asked: what are the three key factors with respect to which the IT balanced scorecard is measured?

You can remember CIA: customer satisfaction, internal processes, and ability to innovate.

 

How to measure?

The logic is simple: key performance indicators must be defined before implementing the IT BSC. So before implementing the IT Balanced Scorecard,

we need to know what the key performance indicators and key metrics are.

After that, the KPIs need to be evaluated on a regular basis to measure the performance. So first we define the key performance indicators, and then we evaluate and monitor them on a regular basis.

 

objective of IT balanced scorecard:

to measure and evaluate performance of the IT and to optimize the performance by taking necessary corrective action.

 

What to measure?

This is very, very important. Three things: Customer satisfaction, internal processes, ability to innovate: CIA. And

 

How to measure?

You need

to define the key performance indicators beforehand.

Then you need to monitor these KPIs at regular intervals to understand where the organization's IT function stands.

These are the basic core of the IT balanced scorecard.

 

So let us take one question.

As I said earlier, a similar question was asked in the CISA examination.

Q1 The purpose of the IT Balanced Scorecard is to evaluate and monitor the performance indicators other than:

We have seen that customer satisfaction, internal process efficiency, and innovation capacity are part of the IT balanced scorecard. What was not there?

Financial results.

Financial results are traditionally measured in the generic balanced scorecard, but in the IT balanced scorecard they are not included.

 

Q2 What is the prerequisite before implementing an IT balance score card?

We need to define key performance indicators. Then only the IT balance scorecard can evaluate that particular indicator.

 

Q3 Let us take one more example. The observation is that there is a lack of senior management involvement in IT strategic planning. What is the most likely risk?

Options: lack of investment, lack of methodology, technology not aligned with business objectives, absence of control over technology.

If senior management is not involved in strategic planning, there is a chance that technology is not aligned with the organization's business objectives.

 

Q4 What is the objective of the IT performance measurement process?

This question asks about IT performance measurement in general, but recall that when we discussed the IT balanced scorecard we said there are dual objectives.

One is to measure the performance and

the other is to optimize the performance.

So the primary objective is to optimize the performance.

 

 

Quality assurance and quality management.

What is quality assurance?

Quality assurance is a process that aims to provide adequate confidence that an item or product conforms to the requirements.

Responsibility of a QA staff is to verify that the changes to the systems are appropriately approved, checked and implemented in a controlled manner.

In short, the laid down process is being appropriately followed.

 

Quality control.

Quality control is a method for performing the test or reviews to verify that the product is free of defects and meets the user's requirement and specification.

Quality assurance is about the process

whereas quality control is about the product.

The objective of quality assurance is to prevent the defect,

whereas objective quality control is to find the defect.

 

Important aspects of quality control.

The QC team is responsible for ensuring that the program meets consumer standards and is free from defects.

QC must be completed before the programs move into production.

It is recommended that the QC department be autonomous and independent within the company in order to achieve successful QC output.

 

Segregation of duties.

The role of QC should not be performed by an individual whose position would create a segregation-of-duties conflict and therefore impair independence.

An individual should not under any circumstances review their own work.

For example, a database administrator should not carry out a quality assessment of the process that would affect the database because they work on the system themselves.

 

Key aspects from the CISA exam perspective.

Q1 What is the primary objective of implementing a quality management system?

Continuous improvement.

 

Practice questions.

Q1 Which of the following is an area of major concern with respect to quality assurance processes?

Quality assurance is performed by a staff member nominated by a business manager.

This will have an impact on the independence of the quality assurance process.

 

Q2 An IS auditor is reviewing the QC process of a software development company. Which of the following would be an area of major concern?

QC activity is carried out three months after the program has been moved to production.

 

Q3 The prime objective of implementing a quality management system is to:

Monitor continuous improvement.

 

2.13 - Data Privacy Program and Principles

 

In the modern digital era, data privacy has become a fundamental concern for organizations worldwide. As companies collect, store, and process vast amounts of personal data, safeguarding this information against unauthorized access and misuse is crucial. Private data, also known as personal data, refers to any information that can be used to identify an individual directly or indirectly. This includes, but is not limited to, names, addresses, email addresses, social security numbers, and financial information. A robust data privacy program not only helps in complying with various regulations but also builds trust with customers and stakeholders. It ensures that personal data is handled responsibly and ethically, maintaining the privacy rights of individuals.

 

Different Privacy-Related Regulations

 

Several key regulations have been established globally to protect personal data, each with its own set of requirements and implications for organizations:

 

General Data Protection Regulation (GDPR): Enforced by the European Union, GDPR provides individuals with significant control over their personal data and imposes severe penalties for non-compliance. It mandates transparent data processing, explicit consent, and stringent data protection measures.

 

California Consumer Privacy Act (CCPA): This regulation enhances privacy rights and consumer protection for residents of California, USA. It grants individuals the right to know what personal data is being collected, the purpose of collection, and the right to request deletion of their data.

 

Digital Personal Data Protection Act (DPDPA) of India: This regulation focuses on protecting the privacy of individuals' data in India. It lays down the requirements for data processing, data localization, and the rights of data subjects.

 

Personal Data Protection Law (PDPL) of Saudi Arabia: PDPL aims to protect personal data privacy in Saudi Arabia. It regulates the collection, processing, and storage of personal data and ensures that data subjects have the right to access, correct, and delete their information.

 

Personal Information Protection and Electronic Documents Act (PIPEDA) of Canada: PIPEDA governs how private sector organizations collect, use, and disclose personal information in the course of commercial business. It requires organizations to obtain consent for data collection and implement appropriate security measures.

 

Privacy Act of Australia: This law regulates the handling of personal information by Australian government agencies and some private sector organizations. It includes principles on the collection, use, and disclosure of personal information and grants individuals rights to access and correct their information.

 

Privacy Principles

 

Almost all of the regulations mentioned above are based on the following privacy principles:

 

1. Lawfulness, Fairness, and Transparency: Personal data should be processed lawfully, fairly, and in a transparent manner, ensuring that data subjects are informed about how their data is being used.

 

2. Purpose Limitation: Personal data should be collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes.

 

3. Data Minimization: Only personal data that is necessary for the purposes for which it is processed should be collected.

 

4. Accuracy: Personal data should be accurate and, where necessary, kept up to date. Inaccurate data should be corrected or deleted without delay.

 

5. Storage Limitation: Personal data should be kept in a form that allows identification of data subjects for no longer than is necessary for the purposes for which the data is processed.

 

6. Integrity and Confidentiality: Personal data should be processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing, accidental loss, destruction, or damage.

 

7. Accountability: Data controllers should be responsible for and be able to demonstrate compliance with these principles.

 

Important Privacy-Related Terminologies

 

Understanding key terminologies is essential for effectively navigating data privacy regulations and implementing a privacy program:

 

Personally Identifiable Information (PII): Any information that can be used to identify an individual, such as name, address, email, and social security number.

 

Data Subject: The individual whose personal data is being collected, processed, or stored.

 

Data Controller: The entity that determines the purposes and means of processing personal data.

 

Data Processor: The entity that processes personal data on behalf of the data controller.

 

Consent: The data subject's explicit permission for the collection and processing of their personal data.

 

Privacy Notice: A public statement that informs data subjects about how their personal data is being collected, used, stored, and shared. It typically includes details about the data controller, the purposes of data processing, and the data subjects' rights.

 

Privacy Policy: An internal document that outlines an organization's practices and procedures for managing personal data. It includes guidelines for data collection, processing, storage, and protection.

 

Privacy Impact Assessment (PIA): A systematic process to identify and mitigate privacy risks associated with data processing activities. It evaluates the impact of new projects, policies, or technologies on personal data privacy.

 

Auditing a Privacy Program

 

Auditing a privacy program involves a comprehensive review to ensure compliance with relevant privacy regulations and to verify that personal data is handled appropriately. Here is a step-by-step guide:

 

Understanding the Applicability of Different Acts to the Organization:

 

Identify which privacy regulations are applicable to the organization based on its operations, data processing activities, and geographical presence.

 

Ensure that the organization complies with all relevant data protection laws.

 

Review of Privacy Policy:

 

Examine the organization’s privacy policy to ensure it is up-to-date, transparent, and compliant with applicable regulations.

 

Verify that the policy clearly outlines the types of data collected, the purposes of data processing, and the rights of data subjects.

 

Review of Data Mapping Process:

 

Assess the data mapping process to ensure all personal data collected, stored, and processed by the organization is accurately documented.

 

Verify data flows to understand how personal data is transmitted and shared within and outside the organization.

 

Review of Privacy Impact Assessment (PIA) Process:

 

Evaluate the PIA process to ensure potential privacy risks are identified and mitigated before data processing activities commence.

 

Confirm that PIAs are conducted regularly and whenever there are significant changes to data processing activities.

 

Review of Consent Management Process:

 

Assess how the organization obtains, manages, and records consent from data subjects.

 

Ensure that consent is obtained transparently, and data subjects can easily withdraw their consent at any time.

 

Review of Data Breach and Incident Management Procedures:

 

Examine the procedures in place for detecting, reporting, and responding to data breaches and incidents.

 

Verify that there are clear protocols for notifying affected individuals and regulatory authorities promptly.

 

Review of Privacy Data Security Procedures:

 

Assess the technical and organizational measures implemented to protect personal data.

 

Ensure that measures such as encryption, access controls, and regular security audits are in place to safeguard data against unauthorized access and breaches.

 

By following these steps, auditors can provide assurance that an organization's privacy program is effective, compliant with relevant regulations, and capable of protecting personal data from potential risks and breaches.

 

2.14 - Data Classification

 

Data classification is a process used to categorize data into different levels or types based on its sensitivity and importance. This helps organizations protect sensitive information, comply with regulatory requirements, and manage data more effectively. By classifying data, organizations can apply the appropriate security measures to ensure that the right level of protection is provided.

 

Benefits of Data Classification

 

Following are some of the benefits of a well-defined data classification process:

 

Enhanced Security: Protects sensitive information from unauthorized access and breaches.

 

Compliance: Helps organizations meet regulatory and legal requirements.

 

Efficiency: Streamlines data management processes by organizing data according to its importance.

 

Risk Management: Reduces risks related to data handling and misuse.

 

Cost Savings: Optimizes resource allocation by focusing security measures on the most critical data.

 

Responsibility for Data Classification

 

The responsibility for data classification typically falls on several roles within an organization:

 

Data Owners: Responsible for correct classification and ensuring that data is accurately categorized based on its sensitivity and importance. They also ensure that appropriate access controls are in place.

 

IT and Security Teams: Implement technical controls and monitor data access according to classification levels.

 

Internal Audit: Evaluates the effectiveness of classification procedures.

 

While selecting a classification level, organizations should consider any legal or regulatory requirements and the potential impact of data breaches. Following are generally accepted classification levels:

 

Example: Public, Internal, Confidential, Restricted

 

Consideration of Legal and Regulatory Requirements

 

Data classification must consider various legal and regulatory requirements to ensure compliance:

 

Data Protection Laws: Regulations such as GDPR, CCPA, and HIPAA mandate strict handling of personal data.

 

Industry Standards: Compliance with industry-specific standards like PCI DSS for payment data or FERPA for educational records.

 

Contractual Obligations: Adhering to data handling stipulations in contracts with clients and partners.

 

End of Domain 2
