We'll start with the CISA, and I have a pretty good idea that, yes, you guys come from diverse backgrounds, some from finance, some from IT, and you want to do this training. That's a very good thing, especially as we're facing a situation where the entire world, people are trying to upskill themselves. And CISA is one of the most valuable certifications you could have chosen to upskill yourself. CISA is not something very recent. It has been there for a long time, since the 1990s.
Okay? Now, even in the 1990s, you know, our IT systems weren't as prevalent, I would say. However, by the year 2000, moving into the 21st century, you know, people started using systems more. With that came a lot of risks associated with those systems. Okay? Everyone agreed that risks were present and needed to be mitigated, you know. That's the reason, you know, the board or the owners of those systems, the owners of organizations using those systems, wanted to implement certain controls in place, in terms of getting to know how the systems are working, whether those systems are working and giving adequate value to the organization.
So that's the reason this certification was introduced. And auditing is one of the important controls from the board of directors' and organization owners' point of view. They introduced information systems to be audited, you know, and for that reason there was a lack of resources and a lack of competencies in the market to understand those systems and understand the controls within those systems, whether they are working as, you know, expected, or whether they're giving value to the organizations as per the expectations of what the stakeholders want. So that's the reason the CISA certification was introduced. Gradually, it has become one of the pioneering certifications in terms of auditing. I think pioneer, I would say it is the only certification which is recognized in the world in terms of information system auditing. No other certification, and ISACA is the monopoly there. So no one has beaten ISACA there. The knowledge base which is there in ISACA is found elsewhere, but combining all of it together and using it as a mechanism to upskill people is something, you know, fabulous, which ISACA has done.
Now, just to introduce you to the ISACA program: this is generally a five-day course, okay, in which we cover the five areas which ISACA describes as the domains. And so I would be talking about those things, and I would like to have a very interactive session along with that, because it also covers the knowledge part, the body of knowledge. So it's not about, you know, learning, or it's not about, you know, grasping things, or it's not about, you know, knowing some terminologies. It's also about understanding how those terminologies apply. For example, if we say "risk," you know, I'm just taking an example here. Risk. Now, risk is any uncertainty to the business operations, okay, any uncertain event that could cause disruption to an organization, you know, any uncertain event that could lead to our organization's objectives being impacted, you know, that is a risk. Okay? So you have to not only understand the terminology. That's the basic definition of risk, but you also have to see how you can apply that in your organization.
Okay? Look at the risk, any uncertain events, okay? What could be an uncertain event for my organization, and how could those uncertain events affect my organization's objectives? Now, when I say "my organization," it doesn't mean, you know, any organization which you work for; it means an organization which ISACA wants you to think of. As an organization, they would basically want you to apply those terminologies, those things, to an organization, and see what you would do to basically... what best step you would take to address that issue. Okay? Now, I won't go into the details of what kind of questions they ask, but honestly, the questions are asked such that, you know, the questions are asking for the most important thing, the first thing which you do, the primary option you have, you know. So all the options would be right as per the question, but you have to choose the best option as per how ISACA perceives the best option to be. So you also have to understand ISACA's perspective towards that question on how you can address that. Okay? That's the reason we are understanding, from ISACA's perspective, an organization's viewpoint.
Okay? And then we would also have certain activities which basically enable you to understand those perspectives, and there will be discussion questions, there will be group discussions, in terms of case studies. I would try to... Because when it's a classroom session, the group discussions become very interactive. I will try to be as interactive as possible in the group discussions. Okay? Then we would also take real-world examples of CISA's subject matter. It would... The real-world examples could come from my experiences, would come from your experiences, or they can also come from what ISACA is putting up. Now, what are the benefits? I've already told you it's the pioneer certification. It gives you a competitive edge, it helps you to achieve high professional standards. When you go to say that I have an ISACA certification, your CV speaks about your knowledge and experience. And it also quantifies and markets your experience.
Okay? So we have people here with 18 years of experience, you know. For those people, I would say, it's a leap, you know, which you can take up by having these certifications. So your 18 years of experience can speak even louder when you have this certification with you. So you would have, you know, I have trained people from 4 to 5 years of experience to 28, 26, 30 years of experience also. And if only the CISO position, you know, they were getting into CISO positions, but they wanted to have the certification before getting to the CISO position. Now, those kinds of people I have also trained, okay? And they were able to clear the exams. So it basically recognizes, and you know marks, and... recognizes your experience also, you know. There you can leverage your experience with this certification. Then it also increases your value to your organization. Okay? I was saying, you know, the CISA certification was introduced in 1978, okay? But it got prominent in the 1990s when you had information systems in place, you know, in the world.
Okay? So there's a new version which came in 2019, okay, and we would be dealing with that version, okay? I have been certified in the previous version, which was the 2016 version. Now, after, you know, three years, ISACA, they changed the organization. ISACA changed certain, you know, structures, and we will be doing the latest version, which is the 2019 version. So these are the five domains of ISACA, okay? If you see the five domains, the first is the information system audit process. Now, what does information system audit mean? What does audit mean? Audit means to check and verify, right? So audit means to check and verify whether the systems and controls are working appropriately or not. Okay? So we will look at how you ensure the systems, you know, are checked appropriately in terms of auditing. We will also study the audit standards, guidelines, and the code of ethics when auditing information systems.
You will be understanding the business processes under audit, because an audit itself is a project, you know. When you go for an audit in an organization, we have people from Deloitte, for example, it's an audit project altogether for the organization. Okay? So how do you plan an audit? How do you conduct an audit? How do you report audit findings and communicate with stakeholders? And what are the post-audit activities? All these topics will be studied here. Then we will also look at the types of controls. There's a specific concept of risk-based auditing in domain one. Okay? So that would be domain one.
In domain two, we will discuss the governance and management of IT. You need to understand governance and management. So you have to understand the difference between governance and management here. We will see, from a board of directors' perspective, what they want from the IT infrastructure of the organization, and you will also understand, from a CEO's perspective, how they enable IT to add value to the organization. Okay? So we'll understand the difference between governance and management, and also understand where they meet each other and how the IT systems work. From an auditor's perspective, how do you check whether IT is providing value to the organization, okay, and whether we are realizing the benefits of IT in our organization?

Then, in domain three, we're going to talk about information system acquisition, development, and implementation. In information system acquisition, or when you acquire new systems in the organization, when you buy new systems, or you develop new systems, or you implement those systems in the organization, from an auditor's perspective, how do you ensure that the steps for acquiring, developing, and implementing the systems are appropriately addressed or not? And those systems which are implemented, are they basically implemented effectively in the organization or not? Okay? Then we will talk about operations and maintenance of information systems. Once the system has been acquired, developed, and implemented in the organization, now you also need to worry about how you maintain it. How can that system continually provide benefits to the organization? For that, you need maintenance activities and business resilience to ensure that the system is working appropriately until the end of its life cycle.
Okay? Then we will also talk about the protection of information assets, which is very important, not only from a regulatory and legal perspective. Nowadays, that's where the higher focus is these days, because there are a lot of regulations in terms of the banking, telecom, and oil and gas sectors. You know, there are a lot of regulations in terms of protection of information assets, because information security, or cybersecurity, has now become an important aspect, even at a national level, around the world. Okay? Every country in the world takes information security or cybersecurity as a serious threat towards their critical infrastructure. Okay? So we will also talk about protection of those information assets. You know, when you talk about information assets, we're talking about the confidential information which the organizations have, the secret and top-secret information which the countries have, you know, at a higher level or at a national level.

So these are the five domains. Okay? Let me also tell you about the structure of the CISA certification exam. So now, these are called the domains. Okay? Each domain is divided, or is, you know, structured in a certain way. Okay? So we'll go through that structure. So every domain would have task statements. Okay? For example, in information system auditing, what tasks do we have in information system auditing? You would have, you know, driving a risk-based audit strategy, how to make an audit strategy. Okay? That is one task: making audit strategies. Then there's the task of planning the audit, there would be a task of conducting the audit, there would be a task of, you know, communicating the audit results, okay, and then there would be a task of reporting the audit results, and there would be a task of post-audit, you know, what the post-audit activities are. Okay? So this is how, you know, every domain is being structured. And then, for doing those tasks, there would be knowledge statements. You know, for example, for conducting the audit, you would require knowledge of sampling. You require knowledge of controls, etc. Okay? So this is how every domain has been divided. Okay?
And then there would be certain test questions we would discuss that would validate whether you have understood the concepts well enough. Also, as I said in the beginning, there is a practical knowledge part of it: how you apply those tasks in an organization, which is basically a perceived organization from ISACA's perspective, and you are the auditor. Okay? So all the questions which would be asked in the exam are from an auditor's perspective. So, being an auditor, what would you do in this situation? So the questions would be situational, very situational. Okay? If you have been given a scenario and you are an auditor, what would you choose to do in that scenario? Okay? That's how the questions would be.
Okay, so the application of general concepts and standards... to understand the application of general concepts and standards is very important, and all questions would be multiple choice and designed for one best answer. Okay? All the answers would be right; you have to choose the one best. Now, the catch here is that you, from your perspective, may think that this is not the best answer. And I also contradict ISACA a lot in terms of the best answers. I think that they are wrong in their perspective of the best answer, but I have to right now think that I have to clear ISACA's exam, not my own exam, so I have to accept their best answer, okay, and make a thought process such that, you know, what is the thought process, you know. So ISACA is trying to create a thought process for you, okay, and that's something weird, but that's how it is. Okay? So from the beginning you must be aware of these things, and this is what I'm speaking from my experience. People may have their own experiences, and so, you know, you will have your own experience when you give your exam, and hopefully you will clear it.
Don't worry. Okay? You have to read each question carefully. You have to eliminate known incorrect answers. Okay? And this is also my experience, and everyone's experience, many people's experience, that, you know, you have to eliminate the wrong answers. You don't go for the right answer very quickly. So if you found the right answer, don't just say yes. Okay? You also have to look at the other options, okay, and try to eliminate them first. Okay? So if you think that this answer is right, just stick to it and try to eliminate the other three first. Eliminate means you should be very convinced that the other three answers are wrong. Okay? And you might perceive that from the other three answers there might be some contention on one of the two answers, and then you might, you know, reduce the options for yourself.
Okay, for example, if you have four options, you try to eliminate two first, you know, which you think absolutely cannot be the answers to these questions, and then you are stuck between the two. And that's where you will find, in most questions, you will be stuck between the two, you know, the two maybe answers. Okay? And then you have to think from ISACA's perspective. Okay? What would be the right answer from what I have studied in the training, from what I have read in the manual? Okay? So identify the words, make the best choice possible. As I said, identify the key words or phrases in the questions. So, as I said earlier, "most," "best," "first," you know, these kinds of questions would be there. So identify the keywords or phrases in the questions before selecting and recording an answer.
Read the provided instructions carefully. So there would be instructions for you guys when you sit for the exams. Skipping over these directions or reading them too quickly could result in missing important information and possibly losing credit points. And this has happened with people I know, okay, and they had to pay for the exam again. Okay? They sometimes, you know, accidentally end the exam, you know, when you're sitting, you accidentally, you know, if you don't read the instructions properly, and then you click on "end exam," and you end the exam at the first question, the second question, okay? And then it doesn't resume immediately. Okay? Then you have to, you know, somehow... because it's an expensive exam, you know, 750 dollars, not a small amount of money. So then you have to, you know... sometimes ISACA gives an option of resetting, sometimes they don't. Okay? Then you lose that money.
Now, grading is basically solely on the number of questions answered correctly. So no negative marking like we have for CISSP exams. Okay? No negative marking: if you mark it wrong, you are zero. Okay? You are not minus. And it is also not like CISSP, in which if you have 150 questions, then if you mark 80 questions right, it will automatically finish. You know, the CISSP exams are like that, but the CISA exam will take you to 150 questions. You can go back and forth, you know, and you can navigate to the questions easily. The exam is a four-hour period, okay, so around 1.5 minutes per question, and that's not, you know, less, I would say. Okay? If you are thorough with the material, you would answer in 30 seconds. Okay. I would skip these rules for you. I will go to the important one, which is exam scoring.
So a scaled score is a conversion of a candidate's raw score on the exam to a common scale. Okay? So for example, if there are 32 questions in domain one, it will not give you, okay, 32 questions, 32 marks. Okay? So all the 32 questions would have different marks, different markings. Okay? So everyone will not be one mark each, like that. Okay? So 150 questions are scaled to 800. Okay? So it uses and reports scores on a common scale from 200 to 800. Okay? No one gets less than 200, okay, no one gets more than 800, obviously. Okay? So it's between 200 and 800. Then a candidate must receive a score of 450 or higher, you know, that's the minimum score. I got 656 in the exam, okay. And one of the important things, you know, is that you have to pass all the domains, so you have to score 450 in all the domains. Okay? So even if you get a score of, for example, 600, but you score less than 450 in any of the domains, then you have to repeat the exam.
So that's how it is. Okay? You get the score at the end of the exam. So it will give you a very little indication, you know, a small indication, to say pass. You know, it will flash on your screen that you passed, okay, and it would be a very small sentence written there, and you will know that you have passed. You will not get the official result there, but you can come out of the center at least knowing whether you have passed. Okay? But officially, the official result comes in 10 days, and post those 10 days you can apply for the certification with your experience. Okay? So there will be a score report, okay, in which you will see how much you have scored in each domain. Okay?
So these are the steps for the CISA certification: you need to pass the exam first, and then you have to submit the application with your experience. You have to sign, you know, it's kind of a checklist. You say that you would follow the ISACA code of practices and ethics, and you agree to comply with the CPE policy, which is continuing professional education points, then comply with the information systems auditing standards which ISACA publishes. All right, let's start with domain one.
So first and foremost, we have to understand the definition of information systems, how we perceive those information systems to be. Now, information systems: it's your laptop, it's your desktop, it's your mobile phone, okay, it's your servers. So it's everything around you in terms of digital. Okay? So those are the information systems. Now, when we look at an information system, we are not looking at the hardware only. Okay? We are also looking at the processes around that hardware. For example, your laptop, you know, as simple as that: we have the process of, you know, the anti-virus updating on the laptop, there is a maintenance process for the laptop, etc. Similarly, for servers you have backup, you have release management, you have change management, you have the other processes, patch management, anti-virus on the server, you know. All those processes around that server are also part of the information system. So when we are auditing an information system, we are not only auditing that hardware, we are also auditing the processes around that hardware. And why we are auditing is because there is a dependency of the business on that system. Okay? That's the reason we need to have processes around it. So when we talk about information system auditing practices, it encompasses the standards, the principles, the methods, the guidelines, practices and techniques that an auditor uses to plan, execute, assess, and review business or information systems and related processes.
Okay, now, as I said, the information systems definition is very important for you to understand. You also just need to understand that there are certain governing mechanisms which have been defined by the industry, okay, and those governing mechanisms basically are the standards. Okay? For example, if you see ISO 27001, okay, which is a standard for an information security management system, okay, now that standard basically governs how information security shall be managed in an organization. Similarly, there are certain principles, similarly there are certain methods, there are certain guidelines, best practices as we also call them, and techniques which basically the auditor can use to be able to complete its audit around all the phases of the auditing, okay, which is plan, execute, assess, and review. So as an auditor, you must have a thorough understanding of the processes, or the auditing processes. You should have an understanding of the information system processes, like what I said, change management, patch management, etc., etc. Whatever systems you are dealing with, you should have an understanding of those processes around it, around the information system. You should also have an understanding of the benefit: ultimately, the benefit of that information system is realized by the business, okay, and it is helping the business to achieve its own objectives, okay, and also the business wants certain controls to be in place so that, you know, those objectives are achieved effectively and efficiently. So you should also have an understanding of the controls.
Now, if I take an example here, you know, for example, the information system we're talking about is a server, you know, and from that server, if you say what are the processes around that information system, for a server, backup is important, you know, changes to the server, making changes to the server, new releases, patch management is an important process around that system. Okay? So you have to understand the processes around that, and then you have to understand how these processes would also have an effect on the business processes. Okay? For example, that server is supporting an HR function in an organization in terms of payroll. Okay? Now, if there is a patch release, if there is patch management or a new patch release, or if there is, you know, a change to that server, how will that affect my HR payroll system, HR payroll management in an organization? Okay? And you have to see, okay, what control can I put in place so that it doesn't affect my business? Okay?
Now, if you say change management itself is a process, okay, processes themselves are controls, okay, but how do I, you know, ensure that the processes are, you know, in line with my business objectives? Okay? So as an auditor, you are there to check, you are there to verify those processes, whether those processes, you know, whether those controls which are in place are working adequately, okay, and whether those processes continue to serve their business objectives, any issue with those processes, you know. How would I, you know, as an auditor, try... As an auditor, you try to verify those things through sampling, you know, through various other auditing techniques, to see whether, you know, the processes and controls are effectively working. So that's what we're trying to see here: whether business processes and controls are designed to achieve the organization's objectives and protect the organizational assets.

Now, upon the completion of this domain, as an auditor, you would be able to plan an audit. Okay? Now, an audit, as I said, is a kind of a project. Okay? So the same project management techniques, or the same project management methodology, also work for an audit. Okay? So when you say project management, you have planning, you have the planning of the implementation of that project, in this case the scheduling of that project, and then implementation and development, and then post-implementation. Similarly, you have planning the audit, conducting, which is your implementation, you communicate the audit progress, okay, you conduct audit follow-ups, okay, and then you evaluate the management and monitoring of controls. In the auditing, you also utilize data analytics tools to streamline audit processes. Look at that. Then you will have to provide consulting services and guidance to the organization to improve the quality and control of the information systems. Now, this is not part of the audit, but sometimes, when we have an audit called an internal audit, you know, there your role is also something, you know, related to consulting, where you try to improve the internal process. But if you go for an external audit, you don't do that. Okay? You don't provide consulting services. Then you also identify opportunities for process improvements in the organization's IT policies and practices. So these are some of the areas, and there will be many more, so this is not an exhaustive list. So these are some of the areas which you, as an auditor, should be aware of.
Now, the topics in this domain are divided into two parts: one is planning, okay, and the second one is the execution. In the planning part, we would study the audit standards, guidelines, and code of ethics, okay, that are given by ISACA. We will understand the various business processes in an organization, for example, as we are aware, HR, finance, you have procurement, you have the physical security or the real estate of the organization, the administration of the organization, okay, and you have the ops, your operations, okay, etc., etc. So we would study some of the common processes in every organization. You also see the types of controls. Now, what are controls for? Controls are there to mitigate the risk, okay, to mitigate the risk to the business objectives. Then we will also talk about a very important principle of risk-based audit planning.
Now, you must be aware that in an organization, resources are limited. In every organization, resources are limited. Okay? That's the fundamental principle you need to understand. And if you say the resources are limited, you have to align those resources to the max, to an area where there is maximum risk for an organization. Okay? That's the reason we call it risk-based audit planning. So as an auditor, I am limited; I am a single person in the whole organization. My focus should be on a core banking or a core application or a core business operation, rather than on, maybe, HR. Okay? So that's the reason we look at the maximum risk area of an organization and start auditing from there, okay, so that the maximum risks are addressed in an organization. So this is basically the risk-based audit planning: you plan the audit based on the risk to the organization. So you go for high risk first, and then medium, and then low. Okay? And this is how every organization works. Then you have types of audits. Now,
there are internal audits, second-party audits, and third-party audits. Okay? We will see what arrangements we have in the various audits, and also what is the difference between an audit and an assessment. Okay? So audits are basically done to verify things; assessments are also done to verify things, but due to the different arrangements in an audit and an assessment, your communication changes, okay, your job responsibility also changes.
Okay? In the execution part, we will study the project management of an audit. Okay? As I'm continuously repeating from the beginning, an audit is a project, right? We have to deal with it as a project. Okay? And then we will also look at sampling methods. Okay? We will try to look at the audit evidence collection techniques, very important, because as an auditor, by principle, you should not give any findings unless and until you have evidence for it. Okay? Then you have data analytics. Nowadays we are using, you know, systems, for example banking systems and, you know, telecommunication systems, where you require data analytics techniques to basically ensure that the system is working effectively. Okay? So we will study that: how data analytics helps auditing to give better results. Then reporting and communication techniques, very important. Again, that would also depend on... the reporting and communication technique would also depend on the arrangement of the audit, okay, what kind of arrangement it is. Then we'll talk about quality assurance and improvement of the audit process.
Now, an audit also has a quality department. So generally all auditing functions have an auditing department or quality department, in which, for example, if I, as an auditor, give a finding, then the quality of that finding would also be judged. Okay? I would not say judged, basically; I would say that would be assessed. Okay? For example, what kind of evidence is it, how that evidence has been captured, how effective that evidence is to say that this particular finding can affect the business. All those parameters are basically assessed. Okay? Many auditing firms, for example EY, Deloitte, PwC, all these auditing firms have quality departments which verify that. Okay? And also external auditors, you know, sometimes they don't look into it very gravely, but they do look into what kind of finding the auditor gives. And because we also have some contentions when we are audited: the auditor gives a finding, we can raise a question, why did you give this finding to me? You know, we can question them; they should be able to answer those questions appropriately to us. Okay, let's start with the first topic, which is planning.
Okay, so what is an audit? So an audit is basically, as I said, verify. Okay, another word for auditing is verifying, checking. Okay, so it's a formal examination or testing of an information system to determine whether that system is working as per the applicable laws or regulations, contracts and industry guidelines.
-
Now these compliances, like laws, regulations, contracts and industry guidelines, these basically depend again on country to country, industry to industry, okay, supplier or contractor to contractor, third party to third party. Okay, and also regulation is basically through regulatory bodies.
-
So it also depends on, you know... again, regulatory bodies are for industries. For example, in India there's TRAI, RBI for banks... TRAI for telecom, RBI for banking, NPCI for payment gateways, IRDA for insurance. So they also have certain guidelines for the information systems, so the information system has to comply with that guideline or with that regulation by that regulatory body.
-
Okay, so that is one thing you check. Okay, then the other thing you check is whether those comply with the governance criteria and relevant policies and procedures. Now you also see that the information system should function under... so an information system is owned by an organization, for example; that information system has to work according to the internal policies, internal compliances of an organization.
-
Okay, for example, if you take a server, that should also work according to the change management process, patch management process and, you know, backup process defined by the organization.
-
Okay, so that is one thing you check: you check whether it's compliant with the policy, compliant with the laws and regulations; you check whether it is complying with the internal policies and procedures of the organization.
-
The third thing you check is whether that information system is compliant with the CIA... is resilient to the CIA, which is confidentiality, integrity and availability,
-
at an appropriate level. Now what is confidentiality, what is integrity and what is availability? Confidentiality is basically that the system doesn't allow unauthorized access. Okay, you know, the system doesn't allow unauthorized access.
-
Integrity means the system doesn't allow inadequate modification or unauthorized modification; the system doesn't allow unauthorized modification to data or any other parameters of information systems.
-
The third thing is availability, which is: the system allows the authorized people to work. For example, you want to create... you want to raise a ticket, you should be allowed to do that. Okay, you want to, for example, if you want to go to accessing your emails, as email has been a very important operation, you should be allowed to operate your email, okay, because you're authorized to do so.
-
Okay, so that's also an important thing to look at from an information systems perspective. So confidentiality, integrity and availability should be maintained in the information systems, and we apply the controls to reduce the impact to the CIA.
-
Okay, so you should also, you know, test the CIA parameters of an organization... of the system. Then the fourth thing is that the efficiency and effectiveness targets are met. Now efficiency is something which is related to cost. Okay, so IS operations are accomplished efficiently, you know, you reduce the cost. Okay, effective means that they are done effectively.
-
For example, you have an antivirus. First and foremost, efficient means the cost of the antivirus should not be too high, you know, according to the organization. Effective means it should also prevent viruses, you know, prevent malware attacks to the organization's system or the information system.
-
Okay, so these are the four parameters you need to look at when you are verifying and checking information systems. So the first thing is the compliance to the laws and regulations; second is about governance criteria, or the compliance level with the internal policies and procedures; okay, the third thing is the CIA, the impact to the CIA; and the fourth thing is about efficient and effective operations of the information systems. So these are the four parameters you check in the audit.
-
Okay, okay, so the audit process: we have three steps to it. Okay, one is planning the audit, we have conducting the audit, and you have the reporting and follow-up.
-
Okay, so we'll discuss that. First and foremost, you need to understand the ISACA IS audit and assurance standard. So there is an audit standard by ISACA; I'll go to the website of ISACA to show you where it is. So if you check the resources, in the resources you will go to Frameworks, Standards and Models. Okay?
-
Okay, there is this process called ITAF, which is the Information Technology Assurance Framework. Okay, so this is a free standard; okay, you might download this. Okay, so you have to select the language and download it.
-
Now this is an important standard to look at. Okay, it has been downloaded; I have that with me. Okay, so this is called ITAF, which is your IT Assurance Framework. Okay, and this talks about the IS audit and assurance, so this is a standard basically.
-
Okay, so first and foremost, the standard: so the IS audit and assurance standards, which are divided into three parts: one is general standards, okay, and performance standards and reporting standards.
-
Okay, so in the general standard it talks about planning; okay, the performance standard talks about conducting the audit; okay, and then the reporting standard talks about the third phase, which is reporting.
-
Now, how to apply this standard: there are certain guidelines which have been defined. Now the guideline is this one, if you see, IS audit and assurance guideline. Okay, now basically both of these, if you see, this is also audit charter, this is also audit charter. Here, if you see, it talks about a very brief... a brief of what it is. Okay, this guideline will tell you how to implement this audit charter.
-
In the audit and assurance guidelines, then there are tools and techniques in this particular document, okay, IS audit and assurance tools and techniques, and then there is also the professional ethics part also there. In the tools and techniques there is also, you know, the professional ethics and standards.
-
Coming back to the presentation. So now what is this standard all about? So ISACA's IS audit and assurance standards define mandatory requirements for IS auditing. Obviously, whenever you see the word "standard", you must be aware that that's mandatory.
-
Okay, and how do you understand that it's mandatory? Because the word "shall" is used there. Okay, so if you see here in the audit charter, wherever... if you go to page number 12 quickly, so if you see here, audit charter, you will see the word "shall" is used. Let me... if you see, the word "shall" is used, okay? So if you see, everywhere "shall" is used, so this is mandatory. When you say standard, this is mandatory.
-
Okay, and when you go to the guideline, page number 40... go to page number 42 quickly, and you go to audit charter, and the word "should" is used. If you see here, the purpose of this guideline is to assist, and the IS auditor should consider this guideline. Now this is a guideline; a guideline is non-mandatory, okay? A standard is mandatory.
-
Okay, so this is one difference you must understand, and you will see this is basically the guideline's purpose and linkage to the standard. Okay, coming back.
-
So that's the reason: ISACA standards define mandatory requirements for IS auditing and reporting, and inform... okay, so as an auditor you must... inform IS auditors of the minimum level of acceptable performance required to meet the professional responsibilities set in the ISACA Code of Professional Ethics. So you have to minimally practice the standard.
-
Okay, that's the reason I said reading the standard is important for you guys, because that's the minimum requirement of an auditor. Okay, yes, you can also read the guideline, which will basically help you to implement that standard in your job practices.
-
Okay, now then: management and other interested parties of the professional expectations concerning the work of practitioners. Now you also have to understand that as an auditor, you work with other experts in an organization.
-
Okay, for example, an auditor, you know, also works with IT people. Okay, for IT there are specific audits; that's what information system auditors are. Okay, then there are network people, there's a network audit; then there is a software audit, okay, and then there are information security audits.
-
Okay, so as an auditor, whatever your expertise is, you also work with other auditors, or you take the expertise of other auditors during your job. Okay, so that's... so this particular standard also talks about that, how to take the work of other practitioners in your job, okay, in your auditing.
-
Okay, now you may not be an expert... you may not be a network expert, okay? Then how would you audit a network? So you will take the expert, you know, a person who has expertise in network; so take his opinion, take his results to basically fulfill your auditing assignment. Okay, so this particular standard also talks about that.
-
Then it also helps... basically, this is also a requirement from CISA. Okay, as a CISA designation holder you must be aware of the requirements of this. Okay, so holders of the CISA designation and their professional performance requirements is also something which is mentioned here. If you want, I can specifically go to that document and tell you where it is mentioned.
-
So if you see here, you know, proficiency of an auditor is also something which is an important parameter. Okay, now "using the work of other experts", that's what I was talking about. Okay, 1206, clause 1206, okay, that talks about using the work of other experts.
-
Now I will also go to the Code of Professional Ethics. So these are the seven codes of professional ethics which every auditor must be aware of; that's what you also sign when you go for certification after the exam.
-
Okay, these are the seven principles, I would say, or ethics statements that you must comply with. Okay, if you are found not adhering to any of the seven principles, there is a possibility of getting your certification revoked; also there is a disciplinary process of ISACA against the CISA certification. Okay, I will go to that later in the presentation as well.
-
Okay, I will move forward. Now the framework which I have talked about already, ITAF, okay: ISACA's IS audit and assurance standards framework. The framework for IS audit and assurance standards provides multiple levels of documents. It talks about, as I said, standards, okay; I talked about the guidelines.
-
Okay, so standards define mandatory requirements for IS audit, assurance and reporting. Okay, then there are guidelines; I told you that they provide guidance in applying the standard. Okay, as an auditor you should consider them in determining how to achieve... how to implement this particular standard. Use professional judgment here, okay, in their application.
-
Okay, now, professional judgment: now, when the word "judgment" comes, it is not mandatory; it is discretionary, I would say. Okay, when you say judgment, it becomes discretionary, okay, in their application, and be prepared to justify any departure from the standard.
-
Okay, there is a possibility of exceptions. Okay, there is always a possibility of exceptions, and then there has to be an exception process around it, okay, when you're applying that standard, and you must be able to justify those exceptions from the standard also. So a standard is not law, okay? So it is not something you will be prosecuted for if you don't follow it, okay, but if you have an exception, to justify that is good for you, it is good for the overall practice of auditing.
-
Then there are tools and techniques, okay, that provide examples of processes the IS auditor might follow in an audit. Okay, and that also is basically mentioned here: tools and techniques documents provide information on how to meet the standard when completing IS audit work, but do not set the requirements.
-
Okay, and requirements is again linked to the standards. Okay, so if you see, it doesn't... here it talks about mandatory requirements, okay, but these tools do not set the requirements; they never set the requirements.
-
So as I said, the general standards apply to the conduct of all assignments; they deal with ethics, independence, okay, objectivity, due care, as well as knowledge, competency and skill.
-
Okay, when you talk about performance, it is about conducting. Okay, it talks about planning, supervision, scoping, risk and materiality. What is materiality, guys? Materiality means the importance of the effect of that area.
-
Okay, now, whenever we look at materiality, we are not looking at... you know, it is basically the quality of the practice, okay, or the transaction, or the amount. For example, for an organization... for a big organization like PwC, a loss of one thousand dollars is not material, okay, but for them a one million dollar loss is significant.
-
Okay, so materiality is the importance of that particular, you know, loss or transaction. So we use this in auditing a lot, because we are trying to capture the most significant things first from an information systems perspective.
-
Okay, for example, we're looking at the most important application of an organization which can have an effect on their business operations. So always look for the material things; always look for the most important things for an organization.
-
Okay, for example, if I go for a bank audit, I go into, okay, what is the card process doing, you know; I'm not looking at a CBS, a core banking system; I'm looking at a process of HR, for example, okay, which every bank has. Okay, but I should be looking at the most important, which is your CBS, the core banking system.
-
Okay, so always, as an auditor, you look for the most material things, most important to the organization, when you are doing the audit. Okay, so scoping, risk and materiality: okay, the importance of that area is very important. I hope I'm able to give that answer.
-
Okay, and then resources also. So we also talk about resources, because, as I said, every organization has limited resources, so how you utilize the resources to the maximum extent. Mobilization of the auditors, okay; mobilization of the auditors because, again, limited resources, so you have to mobilize effectively, you know, in terms of logistics etc.
-
Supervision, okay: supervision of the auditors is very important in terms of, again, the quality of the audit. And assignment management, okay: big auditing firms like EY and PwC, Deloitte, they understand this, you know, in terms of assignment management. So we have audits every year, we have surveillance audits, we have re-certification audits every three years, etc. etc. So all that assignment management is also very important.
-
Then audit and assurance evidence: again, evidence collection, storing those evidences, proving the quality of the evidence, everything is very important here. So in the performance category we will look at all those things.
-
Then the third category is reporting, okay. So this third category, among the categories of standards and guidelines, reporting is very important in terms of types of report, okay, means of communication, the information that is communicated. Okay, all three are very much important, and reporting also, as I said earlier, would depend on the type of arrangement or the type of audit it is.
-
IS audit and assurance guideline, okay: we talked about the standard; the guideline basically helps to consider... helps you to determine how to implement these ISACA standards. It also helps, as I said, use professional judgment in applying them, and be able to justify any departure from ISACA or international standards.
-
Now, as we discussed, the Code of Professional Ethics is very important, and we must understand these seven of them. So we'll discuss: so these are the three, we have two more, and then these are two more; these are a total of seven codes of professional ethics.
-
I would like to discuss it from the standard itself, because that gives a much better perspective. Okay, same here. Now, ISACA sets the Code of Professional Ethics, okay, for its members and certification holders. So members and ISACA certification holders shall support the implementation.
-
So you are an auditor; you are not there on a fault-finding mission. Okay, you are there... you will verify and check, you will show the faults, but ultimately you are there to help them implement and encourage compliance, encourage compliance to the standards.
-
Okay, so you should support the implementation of, and encourage compliance with, appropriate standards and procedures for effective governance and management of information systems, including audit, control, security and risk management. Okay.
-
Then the second is to perform duties with objectivity. Now, when you talk about objectivity, you are also talking about materiality, okay? As I said, objective means you are there to assess certain... you should have the audit objective in your mind.
-
For example, if I'm going for an information security audit, I must be sure of what I'm checking. Okay, I should have a kind of an audit objective, that I would be checking this particular information system, looking for these things. Okay, so from an objectivity perspective, you know, you should perform your duties, okay?
-
Now you might go for a network audit, where you're looking for faults in the network; you might go for a software audit, where you're looking for anomalies in the software. Okay, if you're going for a penetration audit, a VAPT, or penetration testing, okay, the various anomalies in the system. Okay, so the objective of the audit should be clear.
-
And also, from the organization's perspective, it must be clear from the person who has given you this assignment, okay, what the stakeholder is trying to achieve through this audit. Okay, for example, many organizations do ISO 27001 to achieve tenders basically, for brand reputation, or also for ensuring that, you know, they are compliant according to the industry guidelines, okay, etc. So the objective should be very much clear.
-
Then due diligence: due diligence is, you have to be very careful when you are doing the audit, when you perform your duties; you should not be influenced by people. Okay, due diligence is independence: you should not be influenced by people, you should not take bribes, etc. etc. Okay, and due diligence is not only about, you know, taking bribes but also about you not getting influenced due to any reason, okay?
-
Then professional care: again, this is also about ensuring, you know, you are professional in your approach, okay, and also that should be in accordance with the professional standards that have been guided in the standards document. Always serve in the interest of the stakeholders in a lawful manner, okay, while maintaining high standards of conduct and character, not discrediting their profession or association. Okay, maintaining privacy and confidentiality, very important.
-
Okay, you might be dealing with a lot of confidential information of the organization. Okay, so you should always... generally NDAs, etc. etc. I don't believe those are very effective mechanisms. People say that they have an NDA with me: "can you please give me access to all the information, I have an NDA." Oh, an NDA is never a good mechanism in an organization.
-
Then maintain competency in their respective fields. Okay, you are competent in information security already, you're competent in your network; so always try to achieve the expertise in whatever area you are working in.
-
Okay, and agree to undertake only those activities, that's very important, agree to undertake only those activities that you can reasonably expect to complete with the necessary skills, knowledge and competence. Now I do not do a network audit, I don't do a software audit, I do not do, you know, a penetration testing audit, okay, or, you know, an availability audit, what we call it as.
-
So I do information security audit from a compliance perspective, so I'm a compliance person. Okay, I don't take those assignments which I'm not competent enough for, okay, because that would not justify my job.
-
Then inform appropriate parties of the results of the work performed, including disclosure of all facts which, if not disclosed, may distort the reporting of the results.
-
Then the last one is: support the professional education of stakeholders, enhancing their understanding of the governance and management of enterprise information systems and technology, including audit, control, security and risk management.
-
Now you are also supporting the stakeholders and increasing their knowledge about their systems. Now stakeholders invest the money in their systems, okay; they are asking you also to come and audit them, so you should always, you know, make them more aware of their information systems. You should also make them aware of the faults in their information systems and how those faults can affect their businesses.
-
Okay, so these are the seven, what we call it as, you know, codes of professional ethics that the auditor must follow. Okay, we've gone through these three slides. Getting to ITAF again: so again,
-
this particular domain itself is a description of ITAF. Okay, so ITAF is a comprehensive and good-practice-setting reference model. Okay, it establishes the standards, it defines the terms and concepts of IS assurance.
-
Now I have not discussed this term, which is assurance. I would like to know what's your perspective on the word assurance; how do we define assurance? So assurance is basically a promise or a guarantee, or a trust that we have in the system.
-
For example, if you're sitting on a roller coaster, and it is a dangerous roller coaster, you are actually having assurance that "I would come back alive", you know, from that; so that's the reason you're sitting on that. Okay, so it's kind of a trust you have in that system, okay, that this would perform as per the standards, and you have confidence in that system.
-
So this is very important in terms of... when you talk about air traffic control systems, you know, you're sitting in an airplane and you are believing that the ATC, air traffic control, is working as per the proper guidelines.
-
Okay, so that's how, you know, sometimes it is that critical as well, and also sometimes, you know, not that much critical. You know, when you are talking about, for example, banking, it is critical; for air traffic control it is critical; for critical infrastructure, all the critical infrastructures, it is critical; but, for example, for a small organization, it may not be that critical.
-
Okay, so all that would depend on the materiality of that area. Okay, so this particular... so it provides... so assurance is that; so I was just getting to the definition only. I would come to the dependencies and resilience part later in the other domains as well.
-
Then ITAF also provides guidance and tools and techniques on the planning, design, conduct and reporting of the IS audit and assurance assignments. So audit is basically a part of... coming to audit, audit is also a mechanism where we try to get a certain level of assurance.
-
Okay, now we don't get a guarantee from the audit, okay? It doesn't say that you have zero faults in a system. Okay, audit is just one, you know, kind of a level playing field from an assurance perspective, okay? So audit is just a mechanism for getting assurance.
-
Okay, then we go to business processes. We are aware of... we'll go through this quickly, because we are aware of the business processes. But from an auditor's perspective, when you're going for the audit, you must do some research in terms of what kind of business processes that organization is dealing with, and if you get an understanding of that process, it would be easy for you to audit that.
-
You may not have a complete understanding; obviously you will interview people, and then you would not have the complete understanding, but, for example, HR: what does an HR do? Which are basically, you know, hire people, talent management, payroll, training and development, et cetera, et cetera. So you should be aware of that. So you should understand and evaluate business processes.
-
Okay, test and evaluate operational controls there, and then identify the controls such as policies, procedures, practices and organizational structures. Okay, do you think organizational structure is a control, and why do you think organizational structure is a control?
-
Policies are high-level intent of the organizations, okay? Procedures are also controls, okay. Why? Procedures... the policies are very important because once the high-level intent is not there... if the high-level intent is not there, okay, for example the organization doesn't have an information security policy, the stakeholders are not endorsing information security as an important enabler to their organization, then you cannot do anything, okay, you will not have any control.
-
So first and foremost, policies are important because those are the high-level intent of the organization. Then procedures are important, okay: procedures will tell you the day-to-day, you know, activities which you have to perform, okay, and how to perform those activities, basically step-by-step directions.
-
Okay, then you have practices. Now practices are our best practices; now those are guidelines, okay, those are like "this is the best way to do it", okay, or "these are things that you must take care of while doing it". Okay, you may or may not take care of that, but those are helping.
-
Then organizational structure is also a control. How do you think organizational structure is a control, how does it help as a control? For segregation of duties: job descriptions are segregated. Okay, so organizational structure is a control because it helps in decision making.
-
Okay, so basically organizational structures, as, you know, segregation of duties; so it is more important from that perspective. I mean, so this is like you are defining a job description of a person, okay; based on the job, he's been assigned certain things, okay, and that control should be there, that there's a maker and a checker.
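The maker-and-checker rule just described, as an added example that is not part of the lecture or of ISACA's material. The user names, the approver role table and the change records are constructed for illustration; the code models the control itself (a change raised by one person can only be approved by a different person who holds the approver role, and every decision is logged) and a small review function an auditor could run over an approval log to find where the segregation of duties was broken.

```python
# Added example: a maker-checker (segregation of duties) control.
# Not part of the lecture or ISACA's material; user names, roles and
# records below are constructed for illustration.
from dataclasses import dataclass, field
from typing import Dict, List, Optional


class SegregationOfDutiesError(Exception):
    """Raised when an approval would let one person act as both maker and checker."""


@dataclass
class ChangeRequest:
    request_id: str
    maker: str                      # person who raised the change
    description: str
    checker: Optional[str] = None   # person who approved it, once approved
    audit_trail: List[str] = field(default_factory=list)

    @property
    def approved(self) -> bool:
        return self.checker is not None


# Constructed role table (hypothetical users): who holds the approver role.
APPROVERS: Dict[str, bool] = {"alice": True, "bob": True, "carol": False}


def approve(req: ChangeRequest, checker: str,
            approvers: Dict[str, bool] = APPROVERS) -> ChangeRequest:
    """Enforce the control at the point of approval.

    The checker must hold the approver role and must be a different person
    from the maker; every decision, accepted or rejected, is recorded so the
    request can be audited later.
    """
    if req.approved:
        raise SegregationOfDutiesError(
            f"{req.request_id} is already approved by {req.checker}")
    if not approvers.get(checker, False):
        req.audit_trail.append(f"rejected: {checker} lacks approver role")
        raise SegregationOfDutiesError(f"{checker} does not hold the approver role")
    if checker == req.maker:
        req.audit_trail.append(f"rejected: self-approval attempt by {checker}")
        raise SegregationOfDutiesError(
            f"{checker} raised {req.request_id} and cannot approve it")
    req.checker = checker
    req.audit_trail.append(f"approved by {checker}")
    return req


def find_sod_violations(records: List[Dict[str, str]],
                        approvers: Dict[str, bool] = APPROVERS) -> List[str]:
    """Auditor's view: scan an approval log for changes that broke the rule.

    Each record is {"id", "maker", "checker"}. Returns the ids where the
    maker approved their own change or the checker was not an approver.
    """
    violations = []
    for rec in records:
        if rec["checker"] == rec["maker"] or not approvers.get(rec["checker"], False):
            violations.append(rec["id"])
    return violations


# Constructed approval log, as an auditor might extract it from a change
# management system (hypothetical ids and names).
SAMPLE_LOG = [
    {"id": "CHG-1001", "maker": "carol", "checker": "alice"},  # fine
    {"id": "CHG-1002", "maker": "bob", "checker": "bob"},      # self-approved
    {"id": "CHG-1003", "maker": "alice", "checker": "carol"},  # checker not an approver
    {"id": "CHG-1004", "maker": "alice", "checker": "bob"},    # fine
]


def demo() -> List[str]:
    """Run the control on a new request, then the review on the sample log."""
    req = ChangeRequest("CHG-2001", maker="carol",
                        description="open firewall port for backup job")
    try:
        approve(req, "carol")     # maker tries to approve her own change: rejected
    except SegregationOfDutiesError:
        pass
    approve(req, "alice")         # a different, authorised checker succeeds
    return find_sod_violations(SAMPLE_LOG)


if __name__ == "__main__":
    print(demo())   # ['CHG-1002', 'CHG-1003']
```

The two functions are the two sides of the control the lecture is describing: `approve` is the preventive control that the organizational structure is meant to guarantee, and `find_sod_violations` is the detective check an auditor performs afterwards on the evidence (the approval log) to show whether the control actually held.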
-
Okay, that's the reason organizational structures are important. Okay, it would reduce the risk, so from... I'm asking about: when you talk about controls, it is trying to reduce or mitigate the risk. Okay, so from a segregation of duties perspective, it is very important, because segregation of duties is a control that basically reduces the risk of any errors, faults and frauds, etc.
-
Further, in this section we will also talk about the internal audit function, okay: internal function in the sense that how an internal function is different from the external audit, okay, or the other functions. Then management of the IS audit function, okay, the planning of the audit, okay, the effect of laws and regulations on IS audit planning, business processes, applications and so on.
-
Internal audit functions: so as an auditor, as an internal auditor, you should establish your audit charter first. Now what is an audit charter? The audit charter talks about the responsibility, the accountability, the scope of an audit, okay, and it must be approved by the board of directors and the audit committee.
-
Okay, so if we go to the audit charter definition in the ISACA guideline, in the ITAF, you know, so if you see here, in the audit charter it talks about the purpose... sorry, the audit charter: it talks about the audit charter indicating the purpose, responsibility, authority and accountability.
-
Okay, so it has four things; you have to remember this, and maybe, if you want to, four things, which is the purpose, responsibility, authority and accountability. Okay, these are the four things that the audit charter must have, okay: the purpose of the audit; the responsibility of conducting that audit; the authority, okay, which initiated this audit or who the audit results would be communicated to; and the accountability.
-
Okay, so the audit function should be established by an audit charter, okay, which has to be approved by the board of directors and the audit committee. Now sometimes the board of directors also get, you know, they have another committee which represents the audit; okay, that's what the audit committee is about. Okay.
-
Now, the audit charter is an overarching document that covers the entire scope of audit activities in an entity, while the engagement letter is more focused on a particular audit exercise.
-
Now, sometimes we have, you know, one is the audit charter, in which you have the complete plan of the audit of the whole organization,
-
whereas the engagement letter is specific to a certain function. Okay, for example, you're going for a network audit, so there's an engagement you have done with EY, for example.
-
Now you will sign an engagement letter with that organization, and it is basically focused, okay, and you have certain time limits, etc.
-
Okay, it's more focused on a particular audit exercise that is sought to be initiated in an organization with a specific objective in mind, for example,
-
as I said, a network audit or an information security compliance audit, etc. Said from the definition, this is also clear here.
-
If you see, the charter should clearly state management's responsibility and objectives for, and delegation of authority to, the IS audit function.
-
Okay, so the charter should clearly state the responsibility, the objectives or the purpose, and the authority, okay, of the audit function.
-
Why do you think the auditors will also require authority from the board of directors?
-
When you are asking questions to the area of the organization you are auditing, people may ask you, "Who are you? Why do you ask these questions?" etc.
-
Those are the basic questions when you go to interview anyone.
-
Okay, so by what authority? The audit charter is a document which you can show as a warrant, you know, that I have the authority to basically audit you,
-
and this has been asked for by the highest authority of your organization, which is the board of directors. That's the reason the charter has the authority as well,
-
so that you have the senior management's or top management's approval for asking questions to the area or to the function, okay?
-
That's the reason authority is very important.
-
Now, management of the IS audit function: managing the IS audit function should ensure value-added contribution to senior management.
-
Again, if they're giving you authority to audit, they also want something, and they are doing it for a reason:
-
that you would tell them what the gaps are in my organization, what the areas for improvement are.
-
You are basically building upon their assurance; you're building their assurance on the organization's IT infrastructure.
-
Okay, so if you're saying that, you know, these are the areas of improvement in your organization, if you're giving them findings,
-
it will basically help them improve the overall operations and efficiency of their organization.
-
Okay, so as an auditor, you should ensure value-added contribution, okay, to senior management in the efficient management of IT and the achievement of the business operations.
-
When you give them findings, they would act upon them, and that would also help them achieve their business objectives appropriately.
-
Okay, now the first step is planning. When you're planning for an audit, okay, adequate planning is very important.
-
There is a Japanese saying that 70% of the time you spend on planning. That's very important, because
-
all the major... I'm doing an implementation assignment, and I know this very well, deep from my heart, how important the planning part is, how important the audit plan is.
-
If you fail in planning properly, you mess up the whole thing. Okay, so to plan an audit the following tasks must be completed:
-
list all the processes, meaning the scope has to be very clear when you're going for an audit, so you're listing all the processes,
-
and you get the scope approved for the audit, okay?
-
Then you evaluate each process by performing a qualitative risk assessment.
-
Now, for example, I have four departments to audit, okay? The scope is clear; I have four departments.
-
Now, who to start with? That is also very, very important. Again, the concept of materiality is very important, so you will do a qualitative or a quantitative risk assessment.
-
Now, this risk assessment is not the risk assessment that we do for information security, you know, the detailed assessment which you do.
-
This is a kind of assessment which is a very high-level assessment, okay, in which you try to understand which are the critical areas of the organization.
-
Now, for example, you have four applications to audit. Now, if you say one, two, three, four, and you say, "Okay, how would you check which application is important?"
-
Number of users. Okay, the number of users is easy for any organization to give you.
-
Okay, and you will also do a risk assessment on the type of data that application is storing, which process that application is supporting, which business operations it is supporting.
-
So this is the kind of high-level assessment of risk you will do. Okay, so why are you doing this? Again, materiality, okay?
-
You're doing this to evaluate, you know, you're trying to capture the maximum risk in an organization.
-
Okay, so evaluate each process by performing a qualitative or quantitative risk assessment. These evaluations should be based on objective criteria, what I just said, okay?
-
I gave you some examples of objective criteria, for example for applications. Similarly, you can apply this to business processes; you can apply it to different departments as well, from a high-level perspective, okay, etc.
-
So then our thing is to define the overall risk of each process, okay, then construct an audit plan to include all the processes that are rated high,
-
okay, which would represent the ideal audit plan.
-
Okay, and that's what we call an audit-based risk strategy or audit-based risk plan. Okay, basically we call it a strategy, okay, so an audit-based risk strategy.
-
Now, when to audit? That's also a question.
-
Why we have this question is because, again, this depends on the criticality of the processes. So there is short-term audit planning and there is long-term audit planning.
-
Now, in short-term audit planning you have, you know, short, frequent auditing; the periodicity reduces, okay? In long-term audit planning you have a high periodicity.
-
Okay, so short-term planning involves all the audit issues that will be covered during the year. Okay, for example, you have to conduct a surveillance audit every year, so that is the short term.
-
Okay, the long-term plan takes into account all the resolutions. For example, there's a department which is slowly improving, okay, which is slowly proving itself.
-
That's a new department; it's not very mature, so you might go for a long-term audit here.
-
So you are assessing, for example, some areas of that department, and then you give them a gap to mature, and then you are auditing the other areas of the department, okay?
-
Similarly, you know, so it's a very phased approach, okay, in the long-term planning, and that would also depend on the IT strategic direction of the organization.
-
Okay, for example, I was working in a bank in the UAE, and they had a new area of banking, okay, treasury, for example. No, I don't remember the name of that area, but, for example, treasury.
-
They were, you know, trying to have another area of business for them. Now that department had just begun, okay; that area of business had just been initiated.
-
Obviously they will not have a hundred percent; they will not have the same processes that a bank initially has. They are trying to have one or two processes in place for the new customers,
-
and then they would mature; they would have maturity along the line, okay?
-
So if I go on the first day, or maybe the first year, and say, "Okay, show me all the processes," and I start finding faults in them, you know, start reviewing them,
-
then it may not be very fruitful for that particular area of business, okay, immediately. Okay, you will have a lot of findings; they cannot address those findings, etc.
-
Okay, so you will take a long-term approach, so that depends on the IT strategy or vision of that organization.
-
Now, an audit can also be triggered when there is a control issue. Okay, so there's a new issue that is coming up; there are a lot of incidents that are happening in HR, okay; there are a lot of data breaches that have happened in HR, etc.
-
So if there are control issues there, the board of directors takes a decision: "Okay, now we must audit this HR department, try to assess those gaps in that department."
-
Okay, so new control issues can also trigger an audit. Fraud can trigger an audit, okay; that could also happen.
-
Also, there's a change in the risk environment. You acquire a new organization, okay; you merge; you have mergers and acquisitions, okay?
-
Now that could also change things, so the risk environment has changed. Okay, so the risks, as I mentioned, the technology has changed, okay, all the business processes have changed drastically; that can also basically trigger an audit.
-
Okay, so these are the steps for having the audit. Okay, just quickly naming them. First and foremost, gain an understanding of the business process and mission of that organization.
-
What is a mission? The mission is what the operation does. For example, banking: the organization deals with money, you know; they create accounts. Now what do they do? They manage people's money, basically.
-
So you should understand the mission of the organization. Okay, you should understand the objectives, whatever the top management has decided these should be the objectives.
-
You should understand the purpose of that organization, how that organization is helping its community, its stakeholders basically. I would not say community; stakeholders, like customers, suppliers, the internal employees, okay?
-
So that's important, and the processes, okay? Then
-
understanding the business environment of the auditee. What is an auditee? The auditee is basically the organization you are auditing. You are the auditor, and the other organization is the auditee, okay?
-
Or sometimes the auditee is also another party, okay? You must understand the auditee can be another organization, okay, which is asking you to audit that organization; the auditee is who has given you the assignment, okay?
-
Then review prior work papers. Okay, prior work papers are basically a kind of checklist. If you have certain questions for the auditee or the auditee management, then you ask them certain questions;
-
you ask them for certain documentation for understanding their organization. That is basically the review of work papers.
-
Then identify stated contents, okay? Now the work papers are basically your content: policies, standards, required guidelines, procedures, the organization structure. You study them, okay?
-
And then you perform a risk analysis to help in designing the audit plan. So based on the work papers, based on the organization structures, you will understand, okay, what the various things are which are important to the organization.
-
Do a risk assessment or risk analysis, okay, and you prepare an audit plan, and then based on the audit plan you will define the audit scope, okay, and the audit objectives.
-
Okay, and develop the audit approach, okay, the approach and audit strategy. Okay, then assign resources, the auditors, to different areas.
-
Okay, and then finally you will address the engagement logistics. So those are the planning steps. Now, after planning, you will have the conducting of the audit; we'll come to that.
-
Okay, so the audit plan should take into consideration the objectives of the audit, okay, relevant to the audit area, its technology infrastructure, and the business strategy direction.
-
Okay, so you should, you know, to have a better understanding, as I said, the work papers, which are your background material, publications, industry publications, reports, independent financial analysis reports, etc.
-
Now, reviewing prior audit reports: as an auditor you can also ask for prior audit reports. You know, so for example, if you're going for an audit, you can ask, "Give me the previous year's internal audit report," okay?
-
Reviewing the business and IT long-term strategic plans, okay; the materiality could be based on that, okay?
-
Additional considerations: you interview key managers, understand their business issues, key regulations; identify specific regulations for IT. For example, there are a lot of regulations nowadays, as we said earlier, for example, RBI for banking, TRAI for telecom, NPCI for payment gateways, etc.
-
Identify IT functions or related activities that have been outsourced. Very, very important in these times: every organization has certain outsourcing, okay, and third-party collaborations.
-
Okay, I was auditing a payments bank the other day: every department has something that is outsourced, for example the creative department, the marketing department also.
-
You know, for campaign development they sign agreements with other departments. Now there's a lot of exchange of confidential information between you and your third party, okay?
-
So that kind of arrangement you also need to check: what do you share with them? So outsourcing is an important aspect. Just to cut this short: outsourcing is an important aspect that auditors must look into, what kind of arrangement is there with the third party.
-
Touring key organization facilities: again, this is a walkthrough; we call it a walkthrough. You know, this is an important aspect when we look at the physical security of an organization.
-
In terms of information security, we go and tour the facility of the organization, try to assess the awareness of the people; we try to assess what kind of controls they have in terms of physical security, etc., physical and environmental security.
-
Okay, also, you know, touring the facility will also sometimes give you an insight into the culture of the organization, okay?
-
So as an auditor you must also match available audit resources, such as staff, with the tasks defined in the audit plan. So you have limited resources; you have certain auditors; you will have the tasks assigned to the various auditors according to the audit plan. Now, certain
-
laws and regulations, we were discussing them earlier as well: ISPs, banks, internet service providers are closely regulated, so these legal regulations may pertain to financial, operational and IS audit functions.
-
So there is a legal, financial, or, you know, general SOX compliance. You know, that is basically a financial regulation, okay, for US companies, and now many companies which are working across the globe have to be SOX compliant, so you have to consider that as well.
-
And then there are operational regulations, okay, in terms of, for example, TRAI, RBI, NPCI; these are operational regulations.
-
Then there are IS audit function regulations also. So, for example, RBI says that you have to get audited every year by a CISA, okay, and you have to submit the CISA report to the RBI, okay, if it is a bank in India.
-
So that kind of regulation is also there. Okay, you have to submit audit reports to the regulatory body every year, as they demand. Sometimes they don't want it every year, or they would demand an audit and then they will ask for a report.
-
Okay, now there are two areas of concern that impact the audit scope and objectives: what is the legal requirement placed on the audit, as I said, I gave you an example of this legal requirement, okay, and then the legal requirement placed on the auditee and its systems, data management, reporting, etc.
-
Now, the IS audit role and compliance: to determine the organization's level of compliance, the IS auditor must identify those government or other relevant external requirements.
-
Now, it's not the responsibility of the auditor to basically look at the various regulations, because that's the compliance department in the organization.
-
So, for example, I am a telecom; I should be aware of what the various telecom regulations are that I should be following. Okay, now, so you will get that regulation, so you should be aware of those regulations, okay?
-
And then you also assess what level of compliance the organization is maintaining. Okay, so the auditor basically asks for a legal plan or a compliance plan, or, you know, a kind of process SOP document which the organization maintains to ensure that they comply with all the regulations, okay, and the external requirements,
-
and the auditor basically checks whether they are fulfilling that.
-
Now, the auditor may question the compliance plan itself. So that's the other case, that the auditor says that this compliance plan itself is not adequate. So if the plan is not adequate, obviously the compliance level is very doubtful, okay?
-
So as an auditor, you must assess both things: the compliance plan of the organization as well as the level of compliance.
-
Okay, so identify those government or other relevant requirements dealing with electronic data, personal data, copyrights, e-commerce, e-signatures, etc.; computer system practices and controls; then we have the IT Act 2008 for that;
-
then the manner in which computers, programs and data are stored. Many countries have retention policies, okay? For example, in India the retention policy is seven years for logs.
-
And so you have to go and dig out what kind of requirements you have in terms of retention, okay, and you have to follow that, and every country has its own.
-
Okay, then the organization or the activities of the IT services. Okay, then you have the IS audits as well, so you have to also see what the requirements for the IS audits are.
-
Okay, for example, if you are maintaining an ISO 27001 certificate, every year you have to go for a surveillance audit and go for a recertification audit, so you have to see what kind of arrangement it is, what kind of audit cycles the organization is required to have.
-
If you don't do a surveillance audit, you know, your certification is invalid for ISO 27001, or any of the ISO standards, basically. Now I
-
have the audit steps in determining organizational compliance. So, document the applicable laws. As I said, every organization documents the applicable laws and regulations.
-
Okay, then assess whether the management and IT function have considered them, okay, considered the relevant external requirements in their plans.
-
Okay, now external requirements are sometimes contractual obligations. Okay, you have contractual obligations towards a third party, towards the customer basically; mostly those are towards the customer.
-
You are a telecom organization, okay; you have a certain requirement towards, you are giving a product, for example, telecom, okay; you have certain requirements towards the availability of that product to that customer,
-
okay, in terms of services, the service level agreement. So you must also assess what the relevant external requirements are there.
-
Okay, then obviously these requirements in their plans, policies, standards, procedures as well as business application features. So that's what I said in the service level agreements.
-
Then review the internal IT department or function activity document that addresses adherence to the laws applicable to the industry. Okay, determine adherence to the procedures that address these requirements,
-
because the procedures should support the laws and obligations. Okay, so if the procedure says that the backup, for example, a procedure says that a backup has to be conducted, okay, however...
-
Yeah, no, sorry: the law says that you should have a backup of seven years, but you should have a retention of seven years, okay? The law says that you have a retention of seven years,
-
but you don't have a backup mechanism based on that, okay? You delete the data every three years, okay; you delete the backup every three years.
-
So your procedures should basically, the backup procedure should basically support your retention policy or the retention law of that country.
-
Okay, then determine if there are procedures in place to ensure contracts or agreements with external IT service providers reflect any legal requirements related to responsibilities.
-
Now, sometimes what happens is that you have a contractual obligation to maintain the certificate of ISO, or you have to maintain PCI DSS, the Payment Card Industry Data Security Standard.
-
Okay, so you also have to see whether those external IT service providers, you know, combine it with the legal requirement.
-
Okay, let me give you an example. For example, if you are a TRAI member, if you are a telecom provider, you have to actually follow the regulatory guideline.
-
Now, for a particular license in telecom, you require an ISO 27001 certificate. Okay, for example, you are a wallet provider, like Paytm, okay; you have to follow the NPCI guidelines, okay?
-
And you also need to, you know, comply, and that becomes a legal requirement for you. Okay, so it is bound, because NPCI is also a statutory organization which is bound by the Government of India, okay, and then it becomes a law or a legal requirement for an organization.
-
So it becomes a legal requirement for them to fulfill. Now, okay, it is no more a kind of non-statutory requirement for them; it's a statutory requirement for them to fulfill.
-
Okay, now we'll move further on to business processes, applications and controls. So in an integrated application environment, controls are embedded and designed into the business applications.
-
As you are aware, we are using, for example, C... for banking applications; for the banking sector we are using some, you know, Oracle system, for example; in telecom, for various things, we use SAP systems in our organizations.
-
Okay, these are basically a very integrated application environment in an organization, okay? They have multiple supports, and there are multiple processes around that application, okay, and they're supporting basically multiple departments in an organization at the same time.
-
Okay, so there are certain controls and assurance levels that the organizations must adhere to. Okay, for that reason there are assurance levels that are defined.
-
For example, SAP is used by multiple departments for multiple purposes, okay, for multiple processes in that department.
-
Okay, so you must understand that there are certain controls which we place to provide assurance of that activity. So for providing those assurances you need to have adequate controls.
-
So these are three controls, you know, that can be embedded in a bigger application, okay, so that you are providing adequate risk mitigation.
-
Okay, now the three types of controls are management controls, okay, program controls and manual controls.
-
Okay, so to effectively audit a business application system, the IS auditor must obtain a clear understanding of the applications under review.
-
And also, when you are doing the review of their application, what are you, as an auditor, checking? You are checking the adequacy, the adequacy of... okay.
-
Now there are different types of applications. For example, an e-commerce application, which is also a very big application; you have multiple processes in it.
-
You have electronic data interchange, okay? Now, electronic data interchange is basically your, you know, SCADA systems, your systems which basically provide inputs to another system, okay, that kind of electronic data interchange.
-
Now, these electronic data interchanges are basically sometimes inter-organization, inter-department, etc. Okay, then email, we know.
-
Point-of-sale, POS, systems, which are basically used in retail; there are multiple processes in them: in the POS you have the billing section, your purchases, your purchase returns, your procurement, etc.
-
Then you have electronic banking, electronic finance; then you have payment systems, electronic funds transfer, EFT, or ATMs; supply chain management; purchase accounting systems; integrated manufacturing systems; ICS, your industrial control systems, like air traffic control, SCADA, etc.;
-
interactive voice response systems. Okay, generally, if you see IVR, we know when we call a support desk it goes to an IVR, so that kind of system is there; image processing systems; AI; DSS; and customer relationship management.
-
Okay, moving on to using the services of other auditors. Okay, now, using the services of other auditors, again experts basically, or maybe auditors,
-
in the sense of, maybe you're auditing a third party, and that third party is getting audited by another third party whom you are believing to be...
-
Let me give you an example here. For example, I am a bank, okay, and PwC is auditing me. Okay, I have asked PwC, sorry, if I am a bank, I have asked PwC to audit my third party.
-
Okay, this is the arrangement, okay? I have partnered, I have given a job to PwC to audit a third party for me, okay?
-
The customer, my customer, wants to come and look at the reports, you know, of how my bank is performing. Okay, so now I would be showing a PwC report of the third party, okay, subcontracting.
-
So from a customer perspective, I want to look at how a bank is complying, how much the bank's suppliers are also. So my bank shares customer information with the suppliers also.
-
Okay, so my bank would always say that "I am protecting your information," but my information is not with the bank; my information is with the third party of the bank, okay? So this is the kind of arrangement it is, okay?
-
Now, should I believe my bank's report or should I believe the PwC report here? So basically, what I'm saying is: I'm a bank, okay, and my customer wants to look at how I'm, you know, protecting its information.
-
Okay, but as a bank I'm also sharing the customer's information with a third party. Okay, I've asked PwC to audit that third party, okay, who's storing that information.
-
Shall the customer believe the bank's report or PwC's report? I could not trust the bank's report, okay, because the bank is my bank; it will always say that "I am protecting the information," right? I would trust a third party, that is, the PwC report.
-
As a customer, I'm auditing a bank, and I ask the bank, "Who are you sharing my information with?" The bank would say, "I am sharing the information with a supplier or a vendor," okay?
-
"Now how do you ensure that the supplier is protecting my information?" Okay, so the bank would say, "I am getting the supplier audited by PwC every year, and that's how it is being protected." Yes, I would not believe what the bank says; I would believe the PwC report.
-
It says that my information is protected by the third party, okay? So that's how, you know, you understand: that's how you basically use the services of other auditors and experts.
-
Okay, and for other auditors basically, okay, you look at their reports; you substantiate your findings based on those reports.
-
Okay, so when using external and outside experts, consider the following. Restrictions on outsourcing: as I said, I discussed the outsourcing because that's the most important aspect when we talk about using the services of other auditors.
-
Okay, restrictions on outsourcing audit or security services provided by laws and regulations, the audit charter or contractual stipulations, okay?
-
Impact on overall and specific IS audit objectives, okay; these kinds of arrangements can also have an impact on your audit objectives.
-
Okay, impact on audit risk and professional liability. Okay, now there's a lot, in a lot of agreements, in terms of independence in the organizations, and it's a very big kind of confusing zone for many organizations in terms of independence.
-
Okay, for example, PwC is also working for some, for that organization, and it is not allowed to audit. For example, in India, PwC is not allowed to do financial audit, okay, due to certain frauds that happened, you know, three years back.
-
Okay, so that kind of liability is also there. Okay, then the independence and objectivity of other auditors and experts; so independence is one of the important aspects for the auditors and experts.
-
Professional competence, qualifications and experience; scope of work proposed to be outsourced and approach; then supervisory and audit management controls.
-
Okay, so these are the things that should be considered while taking the services of other auditors and experts. Now
-
this is a quick activity which I want to do with you. Now, you have been assigned to an integrated audit. What is an integrated audit?
-
Basically, just to cut short the discussion, an integrated audit is when you're auditing multiple areas, sorry, not multiple areas but multiple, what do you call it, objectives basically.
-
For example, you're doing a quality audit combined with an information security audit, okay; that's an integrated audit, okay? Or you're doing an information security audit combined with an operations audit, okay; that's an integrated audit.
-
So you have been assigned to an integrated audit. Finance, business ops areas? No, so that's not an integrated audit; that's basically not what an integrated audit is.
-
An integrated audit is: you're doing two audits; you're checking for two different audit criteria. Okay, an audit criterion is, for example, quality, information security, operations, finance, okay?
-
So you're looking at the quality of the system; you're also looking at the information security of the system; you're also looking at the operational effectiveness of the system; and also you're looking at the financial effectiveness of that system.
-
So that's four things together; that's our integrated audit, yeah? So you have been assigned to an integrated audit of a payroll process and need to plan the IT audit portion of the engagement, okay?
-
What is the most important business process area that you need to consider in a payroll? So, to help you perform the audit, would it be better to know the IS audit budget or to know the CIO and CFO risk profile for the payroll process?
-
So what is the most important business process area that you need to consider here?
-
now this is a question for you guys okay
-
so due to resource constraints of ii for
-
a team the audit plan as originally
-
approved cannot be completed
-
assuming that the situation is
-
communicated in the audit report
-
which course of action is most
-
acceptable okay
-
so you will focus on auditing high risk
-
areas
-
okay because of the resource crunch okay
-
coming to the next question
-
this is true so you verify the software
-
and use uh
-
through testing first okay now this
-
would be the
-
uh this would we'll try to complete this
-
section which is the types of controls
-
and this is a very easy sections
-
So basically there are different types of controls in which you try to manage the risk: risk transfer, okay, and risk avoidance. Now avoidance is different from elimination. Risk avoidance is basically when we don't take the risk. For example, there's a business unit which is not working properly and there's a lot of business risk to it; you just shut that business. Okay, that is avoiding the risk. For example, I'm going from point A to point B through a car, and I see a risk that rain can happen. Okay, so I'm not going at all; that is called risk avoidance. Accepting the risk is that you are going there, okay, and whatever rain comes, I would take the proper controls, but I would go. That is called acceptance. Mitigating means you are putting proper controls in place, and then you are accepting it. Then the third option we have is risk transfer. Now there is no transfer option here, but generally insurance or other things are there, or outsourcing things, you know, where we transfer the risk to another party.

Okay, so controls are there to basically minimize the risk, to maintain the risk, so every organization has controls in place. An effective control is one that prevents, detects and contains, or reduces the impact of that particular risk event. So controls prevent, detect, and contain or reduce the impact, and also there are certain controls which help in recovery. Now we'll come to those examples at a later stage in this particular area in the domain, but it is very important to develop, monitor, implement and design the information systems controls in place, basically.

Now controls, as we discussed earlier, could be policies. If you remember, we discussed the controls: they could be policies, could be procedures, could be practices, could be organizational structures. Okay, so those four things you have to remember: policies, procedures, practices or structures that are implemented to reduce the risk to the organization.

Coming to internal controls: internal controls are normally composed of policies, procedures, practices and structures, as I said, that are implemented to reduce the risk to the organization. Internal control should address what should be achieved and what should be avoided. Now they are, as I said earlier, preventive, detective and corrective controls. Now, preventive: these are some of the examples here. The preventive controls always detect; they can detect the problem before it arises. They monitor both operations and inputs, attempt to predict problems before they occur, prevent an error, omission or malicious act from occurring. Segregation of duties, for example, is a preventive control which basically detects errors, prevents frauds, etc. Then control access to physical facilities; for example, you have ACS, access control systems, for physical security. You use well-designed documents for printing, you have input validations etc. in an application; that's also an example of a preventive control. Detective control: CCTV, which basically only detects and reports the occurrence of an error, omission or malicious act. Then you have corrective control, which basically, post detection, also corrects the things. So it minimizes the impact of a threat, remedies problems discovered by detective controls, identifies the cause of a problem, corrects errors arising from a problem, modifies the processing systems to minimize the future recurrence of the problem. So these are the different control types. Then we have the control objectives and control measures.
Now a control objective is basically very simple to understand. Every control has an objective, to prevent something. So first and foremost we don't define the control; first and foremost we define the control objectives, for example, what do we want to protect ourselves from. Based on the control objective you apply the control measure. Okay? So first and foremost you have to define the control objective: what do you want to achieve from that control, or what risk you are to mitigate. From the risk there would be a control objective, and from the control objective there would be a control. For example, a control objective can be malware protection: I want to protect my systems from malware. Now to achieve that control objective I would apply a control; I would apply antivirus, I would apply patches, I would do penetration testing of my system. All these are controls to achieve that.

Okay, so a control objective is basically defined as an objective of one or more operational areas to be achieved in order to contribute to the fulfillment of the strategic goals of the company. Now the strategic goal of the company could also be related to your risk, which is the high-level risk of the organization, and mitigating that risk will basically help your business objectives to be achieved efficiently. So that is the control objective: the control objective is such a goal that is especially related to the strategy of the company.

Then control objectives are basically statements. They are not basically controls; they are statements of what we want to achieve. Always remember that control objectives are statements of the desired result or the purpose to be achieved by implementing that particular control. Now this control can be any procedure, any policies, any other structure or practice. Now control objectives apply to all controls. So for example, if you have a control objective, as I was telling you, malware protection, you should have a control measure: an activity contributing to the fulfillment of a control objective. Both the control objective and the control measure serve the decomposition of strategic-level goals into such lower-level goals and activities that can be assigned as tasks to the staff, for example a procedure. So this assignment can take the form of a role description in a job description. Okay, I hope that the two definitions are clear in terms of control objective and control measure, or as we generally call it, control.
Okay, so the next slide, which is control objective: as I said, it is a statement of the desired result that we achieve by implementing the controls around the information systems. It can comprise policies, procedures, practices and organizational structures designed to provide reasonable assurance that the business objectives will be achieved and undesired events will be prevented, detected or corrected. Now these are some of the control objectives that can be applied to the information systems. If I take a few of them here: safeguarding assets, I think this is a control objective which every organization would have, protecting the information assets. Then if you have SDLC software development in your organization, you will say that, okay, the processes should be established in place and shall operate effectively. And if you're using an OS, you will say that the integrity of the OS environment should be maintained; the integrity of sensitive and critical application systems environments should be maintained. These are some of the objectives that are common to an organization. For example, if you come down to SLAs: should meet the service level agreements and contract terms and conditions to ensure assets are properly protected and meet the operational goals and objectives. But when you're looking at control objectives you must also take into consideration how this control objective is linked to my business objectives as well, and how it is giving value to my organization. So as an auditor you should also see how this particular control objective is serving the business objective and how this control objective is achieved through various controls in the organization at the same time. Now there are so many general controls.
Every organization has these general controls. Now, internal accounting controls that concern the safeguarding of assets and the reliability of its financial information; operational controls that concern day-to-day operations; there are administrative controls which talk about operational efficiency in terms of cost in a functional area and adherence to management policies, internal management policies; organizational security policies and procedures to ensure proper usage of assets; we have overall policies for the design and use of adequate documents and records; access and use procedures and practices; physical and logical security policies for all facilities. So these are some of the general controls which every organization has.

Then there are IS-specific controls, information systems specific controls. Now each general control can be translated into a more detailed, specific information system control. For example, here, if I ask you: administrative controls concern the operational efficiency in a functional area, or if I talk about reliability of financial information. If you take this example, safeguarding of assets and reliability of financial information, what do you think is the information system specific control for safeguarding of assets? You have an information security management system. Okay, so each general control can be translated into IS-specific controls; the IS auditor should understand the IS controls and how to apply them in planning the audit. So based on the general control you can drop down to the system-specific controls.

IS control procedures include: strategy and direction of the IT function; general organization and management of the IT function; access to IT resources including data and programs (so, someone talked about transaction data; obviously you can assess and look at how the access to IT resources, including data and programs, is); then system development methodologies and change control. These are some of the specific areas where the organization can apply the controls. Then there are operational procedures, the system programming and technical support functions, there are quality assurance procedures and there are physical access control procedures; there is business continuity planning and disaster recovery controls, network and communications controls, database administration controls. And that's the reason we have, if you want to look at network and communication controls, a network audit that is performed in many organizations. Database audit is another area where you also look at the database administration; very important, for many organizations their data is critical, specifically banks, if you say so; the administration of the database is something very critical. Then protection and detection mechanisms against intentional attacks, which is your penetration testing, vulnerability assessment etc. Okay, next we will do the risk-based audit planning.
Okay, so now this is just a repetition of what we have already talked about a lot; just go through it. But you need to understand here the nature of business. Nature of business: when you talk about risk, the auditor must understand the nature of the business, so the auditor can identify and categorize the types of risks; that will be better to determine the kind of risk model or approach for conducting the audit. For example, if you are in a bank, or a telecom, or oil and gas, the risk would change. Based on the risk of the particular industry, that should be your model; you should prepare your model based on the type of industry. For example, if you're doing an audit of a nuclear power plant, your perspective would change, and if you're doing it for a bank, the perspective should change. So you should understand the nature of business, and based on the nature of business you should apply the auditing practice. So knowledge of the business industry is the most important thing.

Gather information and plan: take prior audit results if possible. If you are doing a first-time audit then it's not possible. The recent financial information of that organization, because that is important in terms of materiality: for an organization, maybe a thousand-dollar loss is nothing. And then inherent risk assessment. So you're also looking at inherent risk there. Now inherent risk is basically risk without control. For example, I'm giving a very lame example: there's a building and I would say that this building can catch fire, this building can have an earthquake here, etc. etc., it is flood prone. I am not looking at the controls right now; I am looking at the inherent risk to that building. Now I can have fire extinguishers, I can have water detection systems, I can have earthquake resistance etc., but I'm not factoring in those things. I'm just looking from a high-level perspective at what could be the risk to my organization. Now the benefit of doing that is that you would cover all the risks. You are covering a lot of ground there; you're not factoring in the controls, you're covering a lot of ground during your assessment. You are factoring in fire, factoring in earthquake, you're factoring in flood, you're factoring in theft. But if you factor in the controls, for example you say that there's earthquake resistance, now you're not factoring in the earthquake; you're not putting that earthquake as a part of your risk. You might reduce the risk once you factor in the controls. So always look at the inherent risk, not the risk which is after the controls. As an auditor you should always look for inherent risk, not the risk after implementation of the controls. Okay?

I hope inherent risk is clear to you guys. Let me repeat that, because that's an important concept as far as the CISA exam is concerned. Inherent risk is risk without factoring in the controls. For example, I am going from point A to point B; I am not looking at any controls that can be applied here. I'm just saying, okay, if I go from point A to point B, my tire can get punctured, I can meet an accident, rain can come. So these are the inherent risks which I'm factoring in. I'm not saying that, okay, I have protection in place, or I will follow the traffic controls, I will follow all the rules in terms of meeting an accident; I'm not factoring in anything. So for my own infrastructure, you are looking at a risk without factoring in the controls.
Then obtain an understanding of internal controls. Now you are factoring in the controls. You are saying, okay, now these are the risks inherent to the organization; now I would look at the controls. I will look at the control environment, very important in terms of control; I will look at the control procedures; I will look at the detection risk assessment, control risk assessment, and equate total risk. And then perform compliance tests: identify key controls to be tested. Now once you know the controls are there, you will perform the compliance test; you perform the test of those controls, perform the test on reliability, risk prevention and adherence to the organization's policies and procedures. Then you also perform the substantive test. Now a compliance test is just yes or no. For example, you have an access control system, yes or no; you have a security guard, yes or no; so that's compliance. But when you perform a substantive test you basically do analytic procedures. For example, for access control systems you will see that, okay, the people who left the organization, have they been deleted from the access control systems? The people who have left the organization, have they accessed the systems after they exited? That's kind of an analytical approach, one step ahead, in depth, beyond those compliance checks. So you apply analytic procedures, you do a detailed test of account balances, and other substantive audit procedures. Now these are used basically in banking. For example, you say that a person has made a transaction; whether the bank account, you know, whether the right-hand side is equal to the left-hand side. So you send the money to someone: your account balance should go down, the account balance of the other person should go up. So this is a substantive test you perform to ensure the integrity of that transaction. It's kind of a check, or, you know, in a balance sheet you have the left-hand side equal to the right-hand side, etc.; those kinds of procedures which you apply. So you check the logic of that transaction. Then you conclude the audit in terms of recommendations and write the audit report. So these are the risk-based audit planning techniques, and these are things that may impact the audit approach.
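As an added illustration (not part of the lecture), here is a small Python script that runs the two kinds of test just described over constructed evidence: a compliance test that only answers yes/no for each expected control, and substantive tests that analyse the data itself, checking whether leavers are still active or opened a door after their last working day, and whether a transfer's debit and credit balance out. All user ids, timestamps, balances and control names are constructed for the example.

```python
"""Compliance test vs substantive test on constructed audit evidence.

Added illustration of the procedure described in the lecture; every record
below is constructed for the example and comes from no real audit.
"""
from datetime import date, datetime
from typing import Dict, List, Tuple

# --- Constructed evidence set (hypothetical) ---------------------------------

# HR leaver list: user id -> last working day.
LEAVERS: Dict[str, date] = {
    "u1001": date(2023, 3, 31),
    "u1002": date(2023, 5, 15),
}

# Access control system (ACS) account export: user id -> status.
ACS_ACCOUNTS: Dict[str, str] = {
    "u1001": "disabled",
    "u1002": "active",      # leaver that was never de-provisioned
    "u1003": "active",      # current employee
}

# ACS event log: (user id, ISO-8601 timestamp, door).
ACS_LOG: List[Tuple[str, str, str]] = [
    ("u1003", "2023-06-01T08:02:11", "server-room"),
    ("u1001", "2023-03-30T09:10:00", "main-entrance"),  # before exit: fine
    ("u1002", "2023-05-10T07:55:40", "main-entrance"),  # before exit: fine
    ("u1002", "2023-05-20T19:44:03", "server-room"),    # after exit: finding
]

# Ledger snapshots around a single transfer of 200 from A to B.
BALANCES_BEFORE = {"A": 1000, "B": 500}
TRANSFERS = [("A", "B", 200)]
BALANCES_AFTER_OK = {"A": 800, "B": 700}
BALANCES_AFTER_BAD = {"A": 800, "B": 650}   # receiver credited short


def compliance_test(expected: List[str], present: Dict[str, bool]) -> Dict[str, bool]:
    """Compliance test: a plain yes/no per expected control, nothing deeper."""
    return {name: bool(present.get(name, False)) for name in expected}


def substantive_leaver_test(leavers: Dict[str, date],
                            accounts: Dict[str, str],
                            log: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Substantive (analytic) test of the access control system.

    For every leaver: is the account still active, and did it open any door
    after the last working day?  Returns (finding, user id, detail) tuples.
    """
    findings: List[Tuple[str, str, str]] = []
    for uid, last_day in leavers.items():
        if accounts.get(uid) == "active":
            findings.append(("account-still-active", uid, ""))
        for user, ts, door in log:
            if user == uid and datetime.fromisoformat(ts).date() > last_day:
                findings.append(("access-after-exit", uid, f"{ts} {door}"))
    return findings


def substantive_transfer_test(before: Dict[str, int],
                              after: Dict[str, int],
                              transfers: List[Tuple[str, str, int]]) -> List[str]:
    """Substantive test of transaction logic: sender down, receiver up, and
    the sum of all balances unchanged (left-hand side == right-hand side).
    Returns discrepancy descriptions; an empty list means the logic holds.
    """
    expected = dict(before)
    for sender, receiver, amount in transfers:
        expected[sender] -= amount
        expected[receiver] += amount
    problems = [f"{acct}: expected {expected[acct]}, recorded {after.get(acct)}"
                for acct in expected if after.get(acct) != expected[acct]]
    if sum(after.values()) != sum(before.values()):
        problems.append("total balance changed: money created or lost")
    return problems


if __name__ == "__main__":
    print(compliance_test(["antivirus", "access_control_system", "security_guard"],
                          {"antivirus": True, "access_control_system": True}))
    for finding in substantive_leaver_test(LEAVERS, ACS_ACCOUNTS, ACS_LOG):
        print("FINDING", *finding)
    print("ok ledger:", substantive_transfer_test(BALANCES_BEFORE, BALANCES_AFTER_OK, TRANSFERS))
    print("bad ledger:", substantive_transfer_test(BALANCES_BEFORE, BALANCES_AFTER_BAD, TRANSFERS))
```

The compliance test passes on the mere presence of the access control system; only the substantive test surfaces that a leaver's account was still active and used after the exit date.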
Audit risk and materiality. As I said, inherent risk I explained to you earlier: as it relates to the audit risk, it is the risk level or exposure of the process or entity to be audited without considering the controls that the management has implemented. Inherent risk exists independent of an audit and can occur because of the nature of the business. As I said, for a building, an earthquake can happen, fire can occur, flood can happen; so this is the inherent risk. Now control risk is basically the risk that a material error exists that would not be prevented or detected on a timely basis by the system of internal controls. So control risk: even if the control is present, there are chances that the control may miss the risk. For example, the control risk associated with manual reviews of computer logs: if you're doing a manual review of a computer log which is thousands in number, there's a high probability that you would miss the information. So the control risk associated with a computerized data validation procedure is ordinarily low if the process is consistently applied. Then there is detection risk, again the risk that the material errors or misstatements that have occurred will not be detected by the IS auditor. Now there is a possibility, because an audit is not a guarantee, it's assurance. So there's a possibility that as an auditor we failed to identify, we failed to detect a risk in the system. And that happens, you know, we are human beings, and this has happened in many organizations, that the auditor failed to detect errors and that error was there for a very long time, and then one auditor came and he detected the error, and then he looked at the previous reports; there also the error was missed, etc. etc. So there's a detection risk also, from an auditor's perspective. Then the overall audit risk is also there. Now the overall audit risk is the probability that the information or financial reports may contain material errors and the auditor may not detect an error that has occurred. So the overall audit risk is caused by the auditor, or the auditor can also fail to detect an error that has occurred. Okay, sorry. So the difference between detection risk and audit risk you must understand: the detection risk is that the material errors or misstatements that have occurred will not be detected by the IS auditor; similarly, the overall audit risk is that the material errors... the auditor may not detect an error that has occurred. So it is almost a similar definition, what we have for detection and overall risk. Now the objective in formulating the audit approach is to limit the audit risk in the area under scrutiny so that the overall risk is at a sufficiently low level at the completion of the examination. Okay?
Coming to risk assessment. A risk assessment basically assists the auditor in identifying the high-risk areas, and also it helps in the evaluation of controls. Now, risk assessment: to identify, quantify and prioritize risks against criteria for risk acceptance and objectives relevant to the organization. Always remember that a risk assessment should be able to assess based on criteria. Organizations have different criteria; every organization has to define the criteria on the basis of which they want to consider this risk. Every organization would have different criteria for acceptance. Now for me, as I said again, a one-thousand-dollar loss is very much, but for a big organization it's nothing. So based on that level you would say, is it high, medium, low, and an organization has to decide whether it would accept the low risks or medium risks, or it will also accept the high-risk areas that the organization has today. And it also depends on the nature of the organization. For example, in a nuclear power plant even a low risk would be very much; for an organization like a library, even a library is an organization, but for them that risk may not be that much; they would only consider high risks to them. So it would depend on the nature of business, and also it supports... now, risk assessment supports the risk-based audit decision making, as we have already studied about risk-based auditing principles. So it supports the decision making by considering variables such as technical complexity, level of control procedures in place. For example, there is an area where a lot of controls are present and the risk is less material; you may want to consider it as a low-risk area. The level of financial loss also is something which should be considered. For example, if a risk materializes, a risk is triggered, a risk event in reality happens, what would be the financial loss? Generally many organizations use this financial loss as a criterion in terms of high, medium, low, or maybe sometimes organizations say that if their risk is less than one million then it would be accepted, if it is more than one million it would be mitigated, or a management decision needs to be taken. So we can also define a financial loss figure against that.
Now there are multiple risk responses. As I said, risk mitigation is to reduce the risk with appropriate controls. Accept the risk in terms of knowing it: knowingly and objectively not taking action, because sometimes, for example, obviously there's too much cost to basically mitigate it; that's not how their business is, there's no financial support there. I will give you the acceptance example here. Then risk avoidance is basically not doing that activity at all; you're not allowing action that would cause the risk to occur. For example, I gave you an example of going from one place to another: if I see that there's rain that would come, I foresee rain, I don't go; so that is avoiding the risk. Then risk transfer is sharing and transferring this risk to the other party. Now risk transfer has to be very much a decision that the management has taken very cautiously, because when you're transferring the risk you are not transferring the responsibility for the risk occurrence. Means, for example, you're taking insurance for a fire. Now your fire happened; you have only looked at the financial aspect of that risk. But again, if you see how your employees are suffering, how your suppliers are suffering, how your customers are suffering, again that responsibility is on you; it's not on the insurance provider to look at. So you are basically not transferring the entire risk; you are just transferring the financial aspect of that risk to the insurance company.

Okay, now in terms of risk acceptance, very important is to look at deliberately not taking action. You are not taking action because of the cost of that control to be put in place. For example, I went to an audit where it was a house; I went for an ICICI Bank audit and it was just a simple house, you know, and there were two systems there. It's a third party of ICICI Bank. There were two systems and only one employee was there, and one employee was on leave. Now what they're doing is, the bank is sending them a form for their club membership; they're typing in the club membership, they're scanning the document and they're sending it back to the bank. So it's a manual form which comes to the third party; the third party types in, does the data entry of that form, scans that form and sends it to the bank again. Now this is a small organization; they are dealing with PII of the bank customers. Now what I see here is that I ask them to have an antivirus, ask them, these are the controls that should be in place: you don't have these controls, you're using your personal systems for storing bank information, you don't have antivirus. I gave the list of findings there. So he said, I get 10 rupees per form to fill each form; do you want me to apply this control for the 10 rupees which I get? I don't want business from ICICI then, that's what he said to me. So I said, that's how it is, you know: you accept the risk knowingly and objectively, not taking action. But again, the risk is to the bank. Now this has been transferred to him, but again, he's not able to properly handle that. Now I don't know what happened; I gave that report to them. I don't know whether the business is still with that third party or not. These situations can happen, so your risk response option should be chosen very carefully; any organization should take that option very carefully. Okay, thank you guys, thank you very much.