Pass Isaca CISA Exam in First Attempt Easily

Lesson 1

1. Introduction

Hello, and welcome to the Certified Information Systems Auditing, or SISA, class. My name is Chris Thorson, and we're going to be going over what you need to know to prepare for the SISA exam. If you come from a technology background like I do, it's not just about port scanning and looking for open passwords and things like that. Instead, it is a much broader topic. So we're going to be covering things like the audit process itself and its governance. We'll also talk about the system and infrastructure, lifecycle maintenance, and management. We'll talk about IT service delivery and support, protecting information assets, and a little bit of business continuity and disaster recovery. So why don't we get going and start on our preparation for the SISA exam?

2. Audit Process

All right, let's get started on our studies. On Sisa, let's first talk about the process. When you do an audit, there is a whole process, and in order to take the exam, they expect you to know this process. They don't expect you to know this particular pen test tool or that particular methodology, because when you do auditing, the field is so broad and vast that you can cover anything from the nuclear industry to health informatics, which is my background. Instead, we're going to be focusing on the general process, which can apply to any industry or any type of audit situation. Before we get going, I'd really like to share with you a couple of things to impress upon you the seriousness of cybersecurity. Let's first take a look at a document here. This is from Price Waterhouse Cooper's, and it was recently published. And Price water house Coopers is a big audit firm, and they do both internal auditing as well as financial auditing. And you'll notice they talk about 10-minute lectures on the stark realities of cybersecurity. It's more than an it challenge; it's a business necessity.

And as we talk about a certified IS auditor, we need to think not just as technologists, not just "I'm looking for buffer overflows or I'm looking for open ports," but we need to think about a much broader range of issues here. We need to look at whether people are doing what they're supposed to be doing, and do they even know what they're supposed to be doing? As we progress through this class, we'll discuss how we approach ensuring that there is some kind of procedure in place and that they are following it, how we report it, how we handle irregularities, and even how management tries to conceal things. Like I said, this is a very broad topic. You're not expected to know specific little tools or exact standards or procedures, but you are expected to know that they exist and how they fit in the overall framework. I'd like to share with you another thing. If we go to Sans.org and we go down to the 20 critical security controls here, we can see that, okay, inventory of authorized and unauthorized devices, wireless device control, data recovery, malware defense, boundary defense, data loss, and incident response. Yes, these are the topics that we're very comfortable with. As technologists, we need to, as the auditor, look beyond that. We need to see, okay, is there even some kind of control or procedure in place? So this is what we're going to be focusing on. Why don't we get going on talking about the audit process? Starting out, we're going to talk about what ISAKER is all about. And Isaka is actually an acronym that they use now. It used to actually stand for something longer. Get to that in a moment. We'll talk about developing and implementing an audit strategy and how you plan for and conduct an audit. However, again, because this can be everything from automotive to government, there are no specific individual "one size fits all" plans. However, there are many recommendations, standards, guidelines, procedures, and tools that we're going to take a quick look at. On the ISACA site, we'll talk about conducting that audit. Like I said, we'll talk about evidence, its life cycle, how you maintain evidence, and how you make sure the evidence is relevant and good. And we'll talk about communicating issues and risks, and we'll talk about supporting the implementation of risk management and control practices. So let's talk about ISAACA. And this is the term "Isaka." They call themselves by that name only, the acronym only, but it used to stand for the Information Systems Audit Control Association. They don't use that whole big name anymore. If we go to Isaka's site, we can familiarise ourselves a little bit with them. We can see this is Isaka site. You can become an ISAACA member. There are over 100,000 members in almost all countries around the world. And their whole idea when they started out was that there were similar people who did a similar job of trying to figure out, Are we in compliance? And they got together and they said, "Okay, what is it that we all have in common, and can we come up with some standards, some global standards that can be adopted in any situation?" As we go through these topics, keep in mind that they are aimed at much larger organizations, but the concepts can be applied to smaller organisations as well. You don't have to think in terms of many, many departments and people; the principles remain the same regardless of what. So we can see the Issaca site here, and one of the first things that they talk about is this concept of the Code of Ethics. And as a TA, you are required to uphold the professional code of ethics. And basically, it's about how you conduct yourself, how you protect your client's assets, how you do your audit, and how you report your findings. So this Code of Ethics guides our conduct as professionals and also in a personal way when we conduct our audit. And we're all required to follow the guidelines, and we must perform tasks that adhere to the Code of Ethics. And if we actually go take a look at Isaka's Code of Ethics right here, we can see that they require us to. And you'll need to at least know the gist of this, support the implementation of, and encourage compliance with, appropriate standards. And Isaker is all about standards. We're going to take a quick look at some of the standards in a moment. perform duties with objectivity and diligence. The idea is that we do everything that is reasonably possible. We are diligent, and we do everything that is reasonable to discover and report any irregularities when we do our audit, and we maintain privacy and confidentiality. We only communicate our findings to appropriate persons, and we maintain our own competency. The Isaka group, when you get yourSisa, requires that you maintain your certificationby getting regular continuing education and thatwe inform appropriate parties. So we don't just go telling anybody about what we discover, only the appropriate parties. And we try to educate all the stakeholders involved. So we want to professionally educate not only the managers we work with, but also upper management and employees, so that everyone understands all stakeholders. They understand their role in information security. When we talk about auditing, auditing is not, like I said, just scanning for open ports or looking for default passwords or services that need to be shut down. It is about looking at whole processes. How do you guys actually do this? I mean, if you're creating this, how do you go from here to here? and every process that you go through to get here? In larger organizations, they have established processes, and these are processes that have worked for them for a very long time. And a good organisation that's doing its own due diligence will have established standards and procedures. There are also, depending on the type of industry, lots of regulatory requirements. And as an auditor, we need to understand, first of all, how it is that you guys do things. How is it that you want to do things? What's your best practise now? What's the industry best practice? What are any government regulations? So you can see that if you're an auditor, you need to know, first of all, the industry you're working in, and you need to understand the process of this particular business that you're looking at. And I assure you, you're not going to be doing it alone. You'll be part of a larger team, and you'll be doing things that work with your own particular skill set. So it's all process and procedure. What are your procedures? Are you guys actually doing the "washing your hands before preparing food" kind of thing? Are you actually locking desktops before you leave your workstation? Are you actually closing server doors? Do you actually have a guard there watching cameras? I mean, what is your procedure? And now, are you adhering to it also? Not only that, but what is the actual organisation itself? Are there any gaps in the way the organisation is set up or in the way its jobs function? So we're going to be auditing how people—individuals—do their jobs. And we're not trying to come down on them like the cops or anything. We're trying to help organisations determine: Are they on target? Because really, as Price Waterhouse Coopers pointed out in their other documents, if you don't have a secure environment in terms of your data and your systems, you don't have much of a business. So we're helping them do that. And then, of course, we're also looking at systems; we're looking at databases; we're looking at networks. We're looking at firewalls. We're looking at the more technical aspects of their systems. So when we do auditing, it's called a function, an audit function. And we don't just go charging in there. We spend some time planning, really understanding whatit is that we're supposed to do. And then, of course, we perform our audit. We organise our report; we report it to the appropriate parties. And also, we manage to come back and say, "Okay, I recommend that within six months, you should have done ABC." Let me see if you've done it. So we do a follow up.Did you guys follow up on the recommendations? And then also, of course, we use standards and legal requirements to do our auditing. Next thing we're going to do is actually go to the Isaka site and look at some of their standards. Again, you don't need to memorise them, but you should be aware of them and understand how they relate to the job of the sisa.

3. Auditing Standards

Let's go take a look at Isaka's publishing standards. Now, again, you're not expected to memorise these, but you are expected to know them in general and how they relate to the whole IS audit process. While we're looking at standards, we'll also look at some of the published guidelines and procedures. We'll even drill down a little and take a look at some tools. You're not expected to know the tools at all, but you are expected to understand the technology behind these tools and why these tools are chosen. So let's actually go to Isaka's website, and here's Issaca's website, and you can join. But there's a lot of stuff you can do without having to be a member of ISEKA. And if we go up to the Knowledge Center up here, we can take a look right now at the standards. This is a very handy page to take a look at. So we're going to take a look at the standards you're auditing. This is what I do. I have these standards handy, sort of as a checklist. And depending upon what I'm auditing, planning, and working on with a team, It's not just myself. And we're figuring out our strategy, okay? It's this particular type of business. They have these constraints and these kinds of conditions. And I just look at our plan and our strategy and everything we do, and I just double-check it against the standards, which serve as a checklist. Are we still in compliance? And the whole reason why is that we can maintain the highest level of standard and integrity. And that was the whole idea behind Isaka. Let's try to have standards and guidelines that work in any situation, and people can always look to them and adhere to them to the best of their ability, so that we're producing the best service and the best product. So when we look down here, we can see the IT Audit and Assurance Standards. And there's actually a link down here that talks about the goal of advancing globally applicable standards—advanced globally applicable standards that address the specialised nature of it. And if we click more about standards, guidelines, tools, and techniques, it'll take us to where we can look at standards first. And here's something you do need to know. Standards are mandatory. You must adhere to the standards. whereas guidelines provide guidance and additional information. They're not mandatory, but they help you stay on track. And then there are specific tools and techniques. Let's actually look at the standards. Now, of course, they had the whole thing about the Code of Professional Ethics, but let's actually take a look at some of the standards. We're going to view the standards right here, and we can see that the standards are published in a bunch of different languages. We're going to go to the English version right here and notice that there are many standards, and they all start with an S in front of the numbers. So there are 16 standards, starting with S, starting with the idea of having a charter for the audit. We're going to click the charter for the audit, and there's a little introduction and then what the standard itself is. And we can see for standard number one the IS audit function's purpose, responsibility, authority, and accountability. meaning that the audit that you're going to do for the IS audit assignment should be documented in a charter or engagement letter. In other words, I should have a document that says, Why are we doing this? Who's responsible? On whose authority are we doing this? Because, let me tell you, you need absolute upper management authority saying you can do this because you're going to run into all kinds of resistance down in the lower departments. And who is accountable for all this? This should be clearly written down, so that's our first standard: have a documented thing saying why we're doing it, who is doing it, and who's responsible. So our very first thing is the idea of the audit charter going on to independence. The next thing here is, in all matters related to the audit, you're independent. You do not answer to the people you're auditing. You don't even answer to the people who hired you except to give them the report. You are completely independent of who you're auditing in terms of attitude and appearance. So that's your second standard. Next up: professional ethics and standards. And then, of course, as Iseka and as an Iseka auditor, we are going to adhere to that code of professional ethics that we looked at a little bit earlier. And we will exercise, which really means exercising due professional care and observing all applicable standards. We're going to do our very best and take due care; we'll be complete, thorough, and methodical. our next standard, professional competence. We should be professionally qualified to audit what we are auditing. Like I said, when you're auditing something large, you'll be part of a team, and you should be assigned to audit something that is within your realm of skills and your particular professional competence. Do not attempt to do things that are outside your area of expertise because you are failing yourself and everyone else. That's why we have a team. Different people have different skill sets. So you should also maintain and improve your professional competence through continuing training and education. going on to plan. We should plan this whole thing. We just don't go charging in there. We actually plan how we are going to do it, including the objectives. And this complies with any laws as well as our professional standards. And here's a big one right here. We should develop and document a risk-based audit approach. We'll talk more about risk-based approaches, but in short, risk-based approaches mean we start by identifying potential risks and then figure out, okay, what is being done to mitigate those risks. Is anything being done to mitigate those risks? And the risks are not just to the system, the process, or the people that were auditing, but also to our own audit process itself. And we'll come back to risk-based auditing in a bit. Then we go ahead and do the audit. We perform the work, and supervision is essential. Audit staff should be supervised to provide reasonable assurance that objectives are met. In other words, there will be a lead, and that lead will make sure that every person is doing what they're supposed to do in their part of the audit. Then, in reporting, we'll provide an appropriate report, and generally, it starts with an executive summary, and then it can drill down farther and farther. But we provide a report because ultimately we want to give people some actionable items, some reports they can look at that they can quickly understand, and then they can go deeper and deeper as they need to. So we provide a report to the appropriate parties in a format that's appropriate for them as well. And so we'll see in the report, which will state our scope and our objective, what our findings and conclusions are. We'll also be open about what our limits were. And also, we'll point to the fact that we gathered specific evidence and will point to the evidence in our report. Then we're not done as auditors when we just say, "Here's the report, thanks, see you." We come back; we have recommendations. We work with the managers. We work with the managers and we say, "Look, we found that you guys were doing this and this, and this and this happened, and it happened a bunch of times, and we traced it back because folks were doing it this way." We're not like those who say you're bad. That's not the point. We're helping them be compliant so that they can run their business in the best possible way. So our whole thing is we come back and say, "Okay, we gave you about six months to try to correct this," and then we do a follow up.Did they follow up on our recommendations or our requirements? So we come and we say, all right, we should request and evaluate relevant information to conclude whether appropriate action has been taken in a timely manner. What's the point of an audit if you don't act on it, right?And then irregularities and illegal acts And this is a sensitive issue here. When conducting an audit, you are likely to encounter individuals who attempted to conceal or conceal information. And it may not be necessarily fraudulent, but they knew they were kind of cutting corners or skimping or not following procedures. Even senior management sometimes tries to hide things, such as fraudulent activity. And so you need to realise that there's a good possibility you'll run into this. You should consider the risk of irregularities and illegal acts. But when you go in there, you have this sort of attitude of what they call professional skepticism, where you just go, "I need to see first," and you don't just trust them right off the bat. You're not there to be trusted; you're there to learn the facts. And you realise that upper management, lower management, or coworkers may be attempting to conceal information. And this is where your professionalism comes in. You're not there to judge; you're there to gather evidence and form an opinion and make recommendations. And further on, talking about its governance And the question is whether or not this is a big deal. I remember that as a technologist, I started out as a system administrator. And back then, 10 or 15 years ago, 15 years ago, the entire world revolved around what we were doing. And what we didn't realise was that we were just part of a bigger business. And Isaka recognises that when we do auditing, how it is conducted must not just be something unto itself. The whole purpose of IT is to make the business work. The whole reason why we as IT technologists do anything is so that the people who actually make the money can do their job and can do it effectively. So the management of it and the governance of it must align with the organization's mission and vision. We don't just have firewalls because we like them. We don't have this particular operating system because it's cool; we have it because it supports completely the organization's mission and vision, objectives, and strategies. So we must ensure that it actually does this and that it is governed to do so. Then we also talk about risk assessment. So when we do our audit, we do it with a risk-based approach. What are the risks? And like I said, we'll talk more aboutrisk approach to auditing in a little bit. But we're going to be looking for risks, and we're going to see if there are any controls in place to mitigate those risks. When we collect evidence auditmateriality, is is this substantial? You ever hear the term, "that's not material or material evidence, it's immaterial?" We're looking for stuff that has substance but really has no meaning. It will actually hurt the business, or it will hurt the IS process. So we're looking for something that actually has some substance to its materiality. Also, using the work of other experts is highly recommended. You should consider using the work of other experts who came before you. You should also judge whether or not that work was actually substantial and adequate. Going further, as we gather evidence, there's a whole way of maintaining evidence. We need to get sufficient and appropriate evidence, and we need to maintain it in a way that we can always account for it. From A to Z, from the beginning to right now, were there any lapses in the control of that evidence, in the chain of ownership? More on evidence in a bit. And then we need to look at what controls it. What controls does the organisation have in place? What controls do they have in place to try to reduce or mitigate risk? So, do they have any kind of control? And we'll talk a whole lot more about controls in a bit. And then finally, trying to make sure that since so much business now is e-commerce, are there applicable controls for the e-commerce operations of that organization? And are the ecommerce transactions properly controlled? So those are the ISaka standards. Again, you don't need to memorize, but you need to knowthey exist and you need to know them in general. The next thing we are going take alook at are the guidelines and the procedures.

4. Auditing Guidelines

We've looked at standards. Let's go take a look at guidelines and procedures, because it's all very well to talk about them. Well, you need to adhere to standards. There are guidelines, but we should actually take a look. Again, you don't need to memorise these, but you need to know that they're there. And when you're actually in the field, you need to refer to these constantly. So we're going to take a look at guidelines, which will guide us. Again, guidelines are not required, but they help us when we do our audit and they help us adhere to standards. We'll also look at procedures. And just like with the standards that start with an S, guidelines start with a G, and procedures start with a P. And so there are many specific methods that align with the standards for risk assessment: digital signatures, intrusion detection, antivirus firewall irregularities, Why don't we go take a look at Isaka's site? So here is the guidelines page in Isaka. and you can see it starts with a G. And you can see that some of these guidelines were withdrawn recently and have been replaced by others. Now, I have to warn you that if you want to see some of this stuff, you actually have to join Isaka, and you can join them. And there's a local chapter in your area. The don'ts aren't too bad, depending upon where you are. like in LA. They're about $25 for twice a year. So it's not bad at all. But some of the stuff you have to actually join if you're going to join the professional membership is also available as a reduced-cost student membership as well.So we're just going to take a look at some of these so that you can see these guidelines. like, for example, audit evidence requirements. Let's just click this one here, g (2). And when I go down here, the first thing they do is talk about it, and you can download the PDF if you want. We're just going to scroll through the website. They show how it links to the standards, like standard S-6 or standard S-9. So, in relation to Standard S-6, this guideline describes audit work performance. During the course of the audit, the auditor should obtain sufficient, reliable, and relevant evidence. So they show how the guideline relates directly to the standard, and they show all the other standards that this relates to. They also talk about its linkage to something called COBIT, which we'll talk about in a little bit, and about why we need the guideline. And as you're planning how this guideline helps you, So remember how we talked about how so much of auditing begins with really good planning? Here's the thing you want to plan so that you know exactly what to go in and do. You realise your audit will disrupt the business that you're auditing. So you want to go in and use their convenience as much as possible. I mean, if they're trying to hide stuff from you, you have to detect that, but you're trying to not disrupt them if you can help it. That is why planning is so important, so you know exactly where to go and what to do. And we're out of their hair, but we can gather the evidence we need and have an informed opinion. So, when planning, we should consider the various types of audit evidence. That's been gathered, and so, too, is the evidence. What needs to be considered are the independence and qualifications of the provider. So, like, the person is giving us evidence. Are they feeding us something only they want us to see? They don't want us to see the real thing, or are they independent? So how good is the source of the evidence, and how reliable is the source of the evidence? And we should consider testing whether controls have been completed and are tested by an independent third party. You go there with professional skepticism. You don't just automatically believe. And the more that you can get it from an independent third party that says, "Yeah, this is how it's done or this is the real data," the better. And so now, looking for types of audit evidence, let's look at two, one, four observed processes and the existence of physical items. You say it exists. Does it really show me? Can I see where it is? documentary audit evidence, representations, and analysis. So then I can look here, and I can see that physical items could be inventory of media or a computer room security system. Notice that these things are very broad. Like I said, it's because we're covering any possible industry or any possible business. So you have to fill in the blanks, but always use this as your checklist. And then okay, for documentary audit evidence, can I see your transactions? Can I see your invoices? Can I see your logs? Can I actually see documentation of activity and then also representations of those being audited? Okay, you say that you have a system in place. May I see your policy? May I see your written procedure? You say you do it this way. May I see the procedure that you've established and see how it's really happening? Let me tell you a story. So I was at this one center, and basically I noticed that upper management simply sent an email around saying you need to be in compliance. So go to this website and take this little training, and that will put you in compliance for the level of education. And so I turned to the receptionist and said, Hey, Nini, do you know about that email? And she said, What email? So we have to actually see, okay, I could go to upper management. They could say, "We've got training in place, and everyone takes the training." But when you really get down to it, it's like, "Did you see about that email that said, Go to that site and get the training?" You have to actually see. It's one thing for management to say they've got something. It's a whole other thing to see what's really going on. And I'm not saying that management will necessarily try to hide stuff from you. They won't, but they think things are okay. You must go down, all the way to the bottom, and verify. You have to verify for yourself and document that, yeah, everybody did get the email. Everyone went, and everyone took that little training. Everybody digitally signed something. Now, also, when they talk about the availability of evidence, they say, realise if you want to see transactions, logs, and invoices, that stuff may not always be available by just snapping your fingers. They may have to drag it out of storage. It may only be available at certain times because they're using it for something. So you have to be sensitive to that and work with them and plan ahead of time with them So they can make that stuff available to you. And then when you look at it, they talk about the selection of evidence and the nature of evidence. So when you gather your evidence here, the following procedures should be considered. You inquire about it. You actually observe and inspect. You confirm. Yeah, they really do it. Or, yeah, that really does exist. Yes, there really were cameras and locks. Yes, the log says that So and So did actually sign in at this time, and can you do it again? Can it be performed again? Also, what monitoring is in place. So when you look at the guidelines, they take you through this whole thing. First of all, how does it adhere to the standards? How do you plan with this guideline? Furthermore, how do you apply this guideline when performing your audit, and how do you apply it when reporting, and so on? So these guidelines are really great to help you understand how to actually execute the standards. In addition to the guidelines, we also have the procedures, and you have to dig down a little bit further. But for procedures, we can see that they start with a P number, and so we can see that there are different procedures. For example, these now, of course, get much more into the nitty gritty of the tools, techniques, and technology. So we could say, okay, well, what is the procedure for assessing risk? And we can go to that very first P there. And again. It links to the standards and the guidelines. talks about why we need the procedure. And then it talks about Okay. What is "risk"? What is this procedure all about? And how do we measure? What's our methodology? What's our whole audit approach for this particular procedure? I highly encourage you to go to Isaac's site and look at these again. You don't need to memorise them. But you need to know that they're in place. And what I do is keep them as a sort of checklist. Have I followed the standard? Have I followed the guidelines? Have I followed the procedure? Remember, the standard is mandatory. The guideline helps you achieve your standard. The procedure gets down to the nitty-gritty details of what you actually do, what techniques or technologies you use. And so I can see here that a risk-based audit approach gives me some information about that. And then it gives me actual techniques and measurement methods here, how to collect the data, and how I can actually have auditable units, so to speak. And then it gives me examples and measurements. So I recommend that you go and take a look at these. As we look back on our list here, we can see that there are procedures for risk assessment itself, procedures for digital signatures and intrusion detection, for antivirus and firewalls, and for self assessment. There are procedures for auditing irregularities and illegal acts, as well as for penetration testing itself and vulnerability analysis. And they're not going to say "use this particular tool or that particular tool," but they'll say what that tool should do in general and what your output should be. Also, we'll talk about it. They talk about encryption, procedures for encryption or electronic funds transfer, or changing control. So know that we have the standards, the guidelines, and the procedures that are all in place. Now, there is a comprehensive model framework called ITAF. It's the Information Technology Assurance Framework. It is an all-inclusive sort of assurance model that the ISAACA has basically put together, as well as the IT Governance Institute. And they talk about its assurance, auditing guidelines, and assurance standards used by professionals. Let's take a look at ITAF. The IT assurance framework, the ITAFsummary document, is available for download from ISAACA. As you can see, we scrolled down, we took a look, and they talked about why we even need this and why it's so important. Again, information security has got to not just be the focus of the technology people; it's also the business focus now because everything we do is online, everything we do is saved in databases, and there's some kind of transaction that is electronic. And so it's a business problem here. We require a common framework of assurance that we have followed the best practises possible, which we can obtain for free. They talk about it, and they talk about when you're using it in auditing. They talk about how it's organized. And you can see that in the assurance framework, there are standards for general performance and reporting, there are guidelines, and then there are tools and techniques, and they go through the whole thing. I recommend you get it. You don't need to memorise it, but in the field you should use it as your frame of reference, along with those standards, guidelines, and procedures. So this is the framework that has been put out by Isaka and It GI, the It Governance Institute. So these folks have, like I said, put out that summary that you can get for free. You can get a much more in-depth one if you're willing to pay for that. And the ITAF model basically says, "Okay, as the auditor, we have these general standards." So they basically take all those standards and guidelines we've talked about and put them into one framework, one model, and you'll have not only the standards you adhere to but also performance standards used to provide auditing and assurance. In other words, is your audit producing the results we expected? And also reporting standards. So once we actually have done the audit, there are standards for how we actually report our findings. And then, of course, the guidelines. We've taken a little bit from the guidelines. We've looked at all the standards provided to assist us, as well as the tools and techniques. We also took a quick look at the procedures. So realise that all of this has been rolled into this ITAF model, to which you can download the summary and examine all of the sources that it came from. when you go to the Isaka site.

5. Cobit Model

We've looked at standards and guidelines and procedures from the auditor's perspective. But remember how I talked about a large part of our job and part of our professional code of ethics being to help educate the stakeholders? There's a tool, or actually a collection of tools, specifically for that, and it's called COBIT. Now we can see that COBIT was created by ISAACA and the IT Governance Institute. It's a best practise model, but it's a best practise model for managers. Not so much for auditors, but as auditors, we need to encourage managers to go and use it as a tool. And so it promotes good IT security and control implementations. And again, while we as auditors need to know that it's there, it's really for managers to use it to support the business. And of course, in that sense, it is related to our job as auditors. So looking here at Wikipedia, we can see that COBIT control objectives cover information and related technology. COBIT, you don't need to memorise that long, drawn-out name; you just need to know the acronym. and it is for the managers. You can see that it was started in '96. Kobit version five was published just last year by Isaka, and it is for the managers. And there's a little bit of history here, but let's actually go to Kobitz's site itself, and we can see that it's the latest edition of Saka's globally accepted framework for managers. And it talks about the benefits so that we can have high-quality information to support our business decisions. We achieve our strategic goals through it; we achieve operational excellence through efficient application of technology, et cetera. And there are a bunch of different things that the managers can download. So when you're in the field, when you're trying to educate and encourage those managers, they can get an executive summary, essential facts, an introduction, and more and more deep information. But this is the framework for managers to use it and information systems effectively to support business. And for that reason, we, as auditors, need to know about it and encourage and promote its use. Now, the very next thing we're going to talk about is management of the audit process.

6. Audit Management

All right, we've had some overviews. Now let's talk about managing the audit. You don't just charge in there and start auditing this and that; you actually have someone managing this. And whoever is managing this is not only doing project management. But they're also making sure that the audit is doing what it's supposed to be doing. that it is achieving the objectives laid out for us. that we have sufficient auditors and resources to actually do this audit effectively. And whoever is in charge of this or that aspect of the audit. that they're actually competent for that particular part of the audit. So the audit manager has got to make sure that this whole thing is achieved the way it should be, and that we are using our people and our resources effectively and properly. One of the first things you need is some kind of authority for having this audit.

And so the organisation that brings in the auditor, the business that is being audited, is going to have an audit committee. The audit committee will now be made up of people who do not work for the company on a daily basis. They'll be like boards of directors and those kinds of folks, or super senior management. But you have to be careful that the audit committee has its own level of independence, that they are genuinely interested and not trying to hide something. And so that's why we have additional stakeholders, a board of directors, and a few more outside people who are not directly involved in whatever the activities are. The Audit Committee has responsibilities. They are there to help, on a high level, manage risk and make sure that all of the financial reporting and processing is done appropriately. They're there to actually hire us as the auditors. They monitor the control functions—in other words, the things that are used to mitigate risk, be they procedures or technologies or processes. They oversee the guidelines and ensure that the audit job, or audit function, supports the objectives.

And they developed the audit charter, which we're going to talk about in just a second. They also look over the audit activities and the audit charter. If they're going to hire you as anauditor or an auditing firm, they're going tocreate this letter of engagement, this engagement letter. And the engagement letter basically says, Hey, we need you guys to do an audit within this sort of area. So if we take a look at this sample here, you should know that an engagement letter is basically going to state very clearly what it is that the third party who's doing the audit is going to do, and the scope and the target the tarWe can see the objective is that we're going to plan an evaluation of DA DA DA DA DA.So here's the objective. The scope will be for these systems or for this period of time, and the contact information is always contact information in the engagement letter. There's always a target area. What are we actually targeting when we audit? Because you don't like auditing the whole company. You target something specific, or you target a specific type of area or process, and then you do so in accordance with whatever requirements, standards, laws, or governance are in place.

And then here are the team members, and here is the time frame. So this is the engagement letter that we expect the audit committee to come up with when they engage us to do the auditing. Now, under the charter, here's another thing that they're required to be responsible for. Why are we even doing this audit? Well, there's a mission here to ensure operations are conducted in accordance with higher standards. Who is responsible? Okay, the internal audit is the responsibility of the CFO or the CIO, or whoever it is, probably the CFO, but it could also be the CIO as well. The chief financial officer, the chief information officer, and then the roles. So in the audit role, the internal audit will coordinate with the external audit. The scope is to review our risk management procedures, or whatever it is. You have to clearly state what it is we're auditing. We're not just looking through dumpsters or something. We're looking for something specific in a specific scope, in a specific area, and who will be held accountable? So the audit is responsible for planning, conducting, reporting, and following up. So the charter will state all of these things very clearly. Now, in common auditing practices, it's very, very common to not only audit using internal people but also to engage an external third party, like Price, Waterhouse, Coopers, or you as the Sisa team.

And it's very common to engage external folks, which is why we saw the letter of engagement. very common to use computer-aided auditing tools or auditing techniques. And it's very common to do, like I said before, risk-based auditing. That is the primary focus these days: risk-based auditing to better understand risk. The whole thing is that you could go on forever. So why don't we get to the point—what is it that we're trying to protect? When you do risk-based auditing, the first thing you do is identify: What are we protecting? Well, we're protecting our data. We're protecting our servers. We're protecting our documentation. We're protecting our people. We're protecting our processes. We're protecting our intellectual property. You need to make sure that management determines what's important to them and what they have to have to make their business run. And it's not just going to be the database. It's also going to be people, processes, and documentation, and it's going to be their data, and it's going to be their servers and their infrastructure. You get them to determine for this audit what it is that we are protecting now that we've written it down. What is it that we're protecting? And they should get a group of people together.

They should have a committee put together to figure this out. And it shouldn't just be people; it should also include managers and other stakeholders, including mid- and lower-level managers who understand what they need to do their jobs on a daily basis. So we list what we're protecting, and senior management can, of course, prioritise what's most important, and then, once we know what we're protecting, what are the known threats and risks? Okay? And this is where you get a bunch of people together and you think outside the box, and you're going to spend a couple of days on this. What are the risks? Or can you imagine the risks? I mean, maybe 20 years ago we never imagined the risk of someone deliberately flying an aeroplane into a building, right? But try to imagine: what are all the risks? There are known ones. We get viruses, we get hackers, we get people stealing stuff, we have employee fraud and theft, and we have the cleaning crew stealing things. We have unintentional information exposure because a salesperson clicks "reply all" when he or she should have been selective.

Some of these are honest risks and honest mistakes, and some of them are malicious, and some of them are environmental. Well, we're in an earthquake zone; we're in a flood zone; we're in a hurricane zone; we're in this; we're in that. We're at risk because, well, maybe our whole financial district will get flooded because of some hurricane. Maybe we're close to an airport, and so there can be incidents at the airport that cause things. So you get people to just totally think outside the box and list every possible risk. Don't bother trying to prioritise anything; justbrain busted out everyone. Think of any possibility, no matter how crazy. What's the risk? Well, there's a risk of solar flares shutting down satellites, which would cut our communications. I mean, think of everything. Okay? Then, what you do is make a list of everything. You're trying to protect every possible imaginable risk from those things, and then you start prioritizing.

OK, what are the things that are the most important that we have to be looking at? and you assign, and there are two ways of approaching this. You either assign a level of probability and impact or you assign a dollar value, and you can go either way. Sometimes you can't quantify something with a dollar value. So instead you say, "Well, on a scale of one to ten, the probability that this will happen is nine and the impact is two." And so therefore, nine times two on a scale of 100 This is a risk of 18. And you give this, or you say if we have a virus attack of some kind, it takes us half a day to clean, and we lose X number of dollars. So you either qualify or quantify the value of the risk. And that helps you prioritise what you should focus your time and effort on. At some point, you draw a line and say, okay, these risks are worth it. The rest of them are so unlikely, they'll just fall below the threshold. We'll call that residual risk. And we'll just have a general blanket plan for things that are extremely unlikely to happen or are so far beyond our control that we can't protect against them. like we can't protect against solar flares. But what we can do is have a contingency. So whenever you have that residual risk, you just have a contingency. And it can be like, well, either we backup and restore or we work somewhere else, or how do we just keep our business going?

And we'll talk about those contingencies when we talk about business continuity and disaster recovery. But anyway, you've identified what you're protecting. You've identified all of the potential risks. You've either assigned a dollar value to the risk based on what you know or what would happen if a server were stolen. That's $30,000 plus X amount of software plus man hours, plus don't be afraid. You should include soft cost as well as hard cost. So, like, what are the man hoursto get this thing functioning again? If you can't quantify it with dollars, thenyou do like a probability and an impacton a scale of ten probability, five. On a scale of 1010 being thehighest one, being the lowest impact, five. So therefore, on a scale of 100, this risk is worth $25. and you lay it all out. So you know, what should be your highest priority? What should you be targeting? And so when we talk about risk, we're talking about these threats. could be anything. Improper access, former employees, data theft But it could be all kinds of stuff. Environmental: lightning strikes; dust.

Like when I worked in Africa, an extremely high risk was the dust. Dust got into everything. And the dust also had such a high iron content that we actually would have had rust forming on circuit boards and destroying circuit boards. That was a risk that existed in that location. couldn't get around it because there was no way to keep it out. In those facilities, we couldn't maintain a clean-room environment. So our mitigation was: Don't buy super expensive stuff and realise we have to replace it maybe every two to three years. And that was our risk mitigation. So you identify what you're protecting. You identify all of the imaginable risks. You quantify the cost or the value of the risk, and at some point you have a cutoff line, and everything below that is residual. You can't do anything about it. So therefore, what's your contingency? And that is a risk-based approach to auditing. Now that we've identified the risks, the next thing we need to do is see if there are controls in place to mitigate the risk, and if so, are those controls being implemented properly? So the next thing we'll talk about is controls.

Hide