We'll start with the CISA. I have a pretty good idea that you come from diverse backgrounds, some from finance, some from IT, and you want to do this training. That's a very good thing, especially as we're facing a situation where, across the entire world, people are trying to upskill themselves. And CISA is one of the most valuable certifications you could have chosen to upskill yourself. CISA is not very recent. It has been around for a long time, since the 1990s.

Now, even in the 1990s, our IT systems weren't as prevalent, I would say. However, by the year 2000, moving into the 21st century, people started using systems more. With that came a lot of risks associated with those systems. Everyone agreed that risks were present and needed to be mitigated.
That's the reason the board, or the owners of those systems, the owners of the organizations using those systems, wanted to put certain controls in place, in terms of getting to know how the systems are working, whether those systems are working, and whether they give adequate value to the organization. So that's the reason this certification was introduced. Auditing is one of the important controls from the point of view of the board of directors and the organization's owners. They introduced information systems to be audited, and for that reason there was a lack of resources and a lack of competencies in the market to understand those systems and the controls within those systems: whether they are working as expected, and whether they're giving value to the organizations as per the expectations of the stakeholders. So that's the reason the CISA certification was introduced.

Gradually, it has become one of the pioneering certifications in terms of auditing. I would say it is the only certification which is recognized around the world in terms of information systems auditing. There is no other certification, and ISACA has the monopoly there. No one has beaten ISACA there. The knowledge base which is there in ISACA can be found elsewhere, but combining all of it together and using it as a mechanism to upskill people is something fabulous which ISACA has done.
Now, just to introduce you to the ISACA program: this is generally a five-day course, in which we cover the five areas which ISACA describes as the domains. I will be talking about those things, and I would like to have a very interactive session, because it also covers the knowledge part, the body of knowledge. So it's not only about learning, or grasping things, or knowing some terminologies. It's also about understanding how those terminologies apply.

For example, if we say "risk," I'm just taking an example here. Risk is any uncertainty to the business operations: any uncertain event that could cause disruption to an organization, any uncertain event that could lead to our organization's objectives being impacted. That is a risk. So you have to not only understand the terminology. That's the basic definition of risk, but you should also see how you can apply it in your organization. Look at the risk, any uncertain events: what could be an uncertain event for my organization, and how could those uncertain events affect my organization's objectives?
Now, when I say "my organization," it doesn't mean any organization which you work for; it means an organization which ISACA wants you to think of. As an organization, they would basically want you to apply those terminologies, those things, to an organization, and see what you would do, what best step you would take to address that issue. Now, I won't go into the details of what kind of questions they ask, but honestly, the questions are asked in such a way that they ask for the most important thing, the first thing which you do, the primary option you have. So all the options would be right as per the question, but you have to choose the best option according to how ISACA perceives the best option. So you also have to understand ISACA's perspective towards that question and how you can address it. That's the reason we are understanding it from ISACA's perspective, an organization's viewpoint.
Then we would also have certain activities which enable you to understand those perspectives, and there will be discussion questions and group discussions in terms of case studies. Because when it's a classroom session the group discussions become very interactive, I will try to be as interactive as possible in the group discussions. Then we would also take real-world examples of CISA's subject matter. The real-world examples could come from my experiences, from your experiences, or from what ISACA is putting up.

Now, what are the benefits? I've already told you it's the pioneer certification. It gives you a competitive edge, and it helps you to achieve high professional standards. When you go to say that you have the ISACA certification, your CV speaks about your knowledge and experience. It also quantifies and markets your experience. So we have people here with 18 years of experience; for those people, I would say, it's a leap which you can take by having these certifications. So your 18 years of experience can speak even louder when you have this certification with you. I have trained people with 4 to 5 years of experience up to 28, 26, 30 years of experience also. And some of them were getting into CISO positions, but they wanted to have the certification before getting to the CISO position. I have trained those kinds of people too, and they were able to clear the exams. So it basically recognizes and marks your experience also. You can leverage your experience with this certification, and it also increases your value to your organization.

I was saying, the CISA certification was introduced in 1978, but it got prominent in the 1990s when you had information systems in place in the world. There's a new version which came in 2019, and we would be dealing with that version. I have been certified in the previous version, which was the 2016 version. Now, after three years, ISACA changed certain structures, and we will be doing the latest version, which is the 2019 version.
So, these are the five domains of ISACA. If you see the five domains, the first is the information systems audit process. Now, what does information systems audit mean? What does audit mean? Audit means to check and verify, right? So audit means to check and verify whether the systems and controls are working appropriately or not. So we will look at how you ensure the systems are checked appropriately in terms of auditing. We will also study the audit standards, guidelines, and the code of ethics when auditing information systems. You will be understanding the business processes under audit, because an audit itself is a project. When you go for an audit in an organization (we have people from Deloitte here, for example), it's an audit project altogether for the organization. So how do you plan an audit? How do you conduct an audit? How do you report audit findings and communicate with stakeholders? And what are the post-audit activities? All these topics will be studied here. Then we will also look at the types of controls. There's a specific concept of risk-based auditing in domain one. So that would be domain one.
In domain two, we will discuss the governance and management of IT. You need to understand governance and management, so you have to understand the difference between governance and management here. We will see, from a board of directors' perspective, what they want from the IT infrastructure of the organization, and you will also understand, from a CEO's perspective, how they enable IT to add value to the organization. So we'll understand the difference between governance and management, and also understand where they meet each other and how the IT systems work. From an auditor's perspective, how do you check whether IT is providing value to the organization, and whether we are realizing the benefits of IT in our organization?

Then, in domain three, we're going to talk about information systems acquisition, development, and implementation. When you acquire new systems in the organization, when you buy new systems, or you develop new systems, or you implement those systems in the organization, from an auditor's perspective, how do you ensure that the steps for acquiring, developing, and implementing the systems are appropriately addressed or not? And whether those systems which are implemented are implemented effectively in the organization or not?
Then, we will talk about operations and maintenance of information systems. Once the system has been acquired, developed, and implemented in the organization, you also need to worry about how you maintain it. How can that system continually provide benefits to the organization? For that, you need maintenance activities and business resilience to ensure that the system is working appropriately until the end of its life cycle.

Then, we will also talk about the protection of information assets, which is very important, not only from a regulatory and legal perspective. Nowadays, that's where the higher focus is, because there are a lot of regulations in the banking, telecom, and oil and gas sectors. There are a lot of regulations in terms of protection of information assets, because information security, or cybersecurity, has now become an important aspect even at a national level, around the world. Every country in the world treats information security or cybersecurity as a serious threat towards their critical infrastructure. So we will also talk about protection of those information assets. When you talk about information assets, we're talking about the confidential information which organizations have, and the secret and top-secret information which countries have at a higher level, at a national level. So, these are the five domains.

Let me also tell you about the structure of the CISA certification exam. These are called the domains. Each domain is divided, or structured, in a certain way, so we'll go through that structure. Every domain would have task statements. For example, in information systems auditing, what tasks do we have? You would have driving a risk-based audit strategy, that is, how to make an audit strategy. That is one task: making audit strategies. Then there's the task of planning the audit, there would be a task of conducting the audit, there would be a task of communicating the audit results, then there would be a task of reporting the audit results, and there would be a task of post-audit: what the post-audit activities are. So this is how every domain is structured. And then, for doing those tasks, there would be knowledge statements. For example, for conducting the audit, you would require knowledge of sampling. You require knowledge of controls, etc. So this is how every domain has been divided.
And then there would be certain test questions we would discuss that would validate whether you have understood the concepts well enough. Also, as I said in the beginning, there is a practical knowledge part of it, which is how you apply those tasks in an organization. This organization is basically a perceived organization, from any perspective, and you are the auditor. So all the questions that would be asked in the exam are from an auditor's perspective. So, being an auditor, what would you do in this situation? The questions would be very situational: you are given a scenario and you are the auditor; what would you choose to do in that scenario? That's how the questions would be framed.

So, the application of general concepts and standards: understanding the application of general concepts and standards is very important. All questions would be multiple choice and designed for one best answer. All the answers would be right, but you have to choose the one best answer. Now, the catch here is that you may think from your perspective that this is not the best answer, and I also contradict ISACA a lot in terms of the best answers. I think that they are wrong in their perspective of the best answer, but right now I have to think that I have to clear their exam, not my own exam. So I have to accept their best answer, and build a thought process such that I understand what their thought process is. So ISACA is trying to create a thought process for you, and that's something weird, but that's how it is. So from the beginning, you must be aware of these things. And this is what I'm speaking from my experience. People may have their own experiences, and so you will have your own experience when you take your exam, and hopefully you will clear it.
Don't worry. You have to read each question carefully and eliminate known incorrect answers. This is also my experience and the experience of many other people: you have to eliminate the wrong answers. Don't go for the right answer too quickly. If you find the right answer, don't just say "yes." You have to also look at the other options and try to eliminate them first. So if you think that this answer is right, stick to it and try to eliminate the other three first. Eliminate means that you should be very convinced that the other three answers are wrong. And you might perceive from the other three answers that there could be some contention between one or two of the answers, and then you might reduce the options for yourself. For example, if you have four options, try to eliminate two first, those you think absolutely cannot be the answer. Then you will be stuck between the two remaining options. This is where you will find yourself stuck with most of the questions: you will be stuck between two possible answers. Then you have to think from ISACA's perspective. What would be the right answer from what I have studied in the training or what I have read in the manual?

So, identify the key words. Make the best choice possible, as I said. Identify the key words or phrases in the questions. As I said earlier, most questions would be of this kind. So, identify the keywords or phrases in the questions before selecting and recording an answer. Read the provided instructions carefully. There would be instructions for you when you sit for the exam. Skipping over these directions or reading them too quickly could result in missing important information and possibly losing credit points. This has happened with people I know, and they had to plead for the exam. Sometimes, when you're sitting the exam, you don't read the instructions properly, and then accidentally click on "end exam" and end the exam at the first or second question. And then it doesn't resume immediately. It's an expensive exam, $750, which is not a small amount of money. Sometimes ISACA gives the option of resetting, and sometimes they don't. In either case, you could lose that money.
Now, grading is based solely on the number of questions answered correctly, so there's no negative marking like we have for CISSP exams. No negative marking: if you mark an answer wrong, it counts as zero; you are not given a minus. It is also unlike the CISSP exam, in which, if you have 150 questions and you mark 80 questions right, it will automatically finish. The CISSP exams are like that. However, CISA exams will take you through all 150 questions. You can go back and forth and navigate to the questions easily. So these are some things in our favor.

The exam period is four hours, so around 1.5 minutes per question, and that's not too little, I would say, if you are thorough with the material. You would answer in 30 seconds. I would skip these rules for you and go to the important one, which is exam scoring.
So, a scaled score is a conversion of the candidate's raw score on the exam to a common scale. For example, if there are 32 questions in domain one, it will not give you 32 questions, 32 marks. All the 32 questions would have different marks. So it will not be one mark each. So 150 questions are scaled to 800. It uses and reports scores on a common scale from 200 to 800. No one gets less than 200, and no one gets more than 800, obviously. So it's between 200 and 800. Then, a candidate must receive a score of 450 or higher. That's the minimum score. I got 656 in the exam. And one important thing: you have to pass all the domains. So you have to score 450 in all the domains. So even if you get a score of, for example, 600, but you score less than 450 in any of the domains, then you have to repeat the exam. So that's how it is.

You get the score at the end of the exam; it will give you a very small indication to say pass. It will flash on your screen, saying "you passed," and it would be a very small sentence written there, and you will know that you have passed. You will not get the official result there, but you can leave the center if you have passed. The official results come 10 days later, and after those 10 days you can apply for the certification with your experience. There will be a score report in which you will see how much you have scored in each domain. So these are the steps for the user for the certification: you need to pass the exam first, and then you have to submit the application with your experience. You have to sign a checklist stating that you follow the ISACA code of practices and ethics, and you agree to comply with the CPE (continuing professional education) policy, which is about continuing professional education points. You must also comply with the information systems auditing standards which ISACA publishes. Alright, let's start with Domain One.
First and foremost, we have to understand the definition of information systems, how we perceive those information systems to be. Information systems include your laptop, your desktop, your mobile phone, and your servers. It's everything around you in terms of digital technology. So those are the information systems. Now, when we look at information systems, we're not looking at hardware only. We are also looking at the processes around that hardware. For example, your laptop, as simple as that: we have the process of antivirus updating on the laptop, the maintenance process of the laptop, etc. Similarly, for servers, you have backup, release management, change management, patch management, and antivirus on the server. All those processes around the server are also part of the information system. So when we are auditing an information system, we are not just auditing the hardware; we are also auditing the processes around that hardware. Why we are auditing is because there is a dependency of the business on that system. That's the reason we need to have processes around it. When we talk about information systems auditing practices, it encompasses the standards, the principles, the methods, the guidelines, and the techniques that an auditor uses to plan, execute, assess, and review business or information systems and related processes.

Now, as I said, the definition of information systems is very important for you to understand. You also need to understand that there are certain governing mechanisms that have been defined by the industry. These governing mechanisms basically are the standards. For example, if you see ISO 27001, which is a standard for information security management systems, that standard basically governs how information security shall be managed in an organization. Similarly, there are certain principles. Similarly, there are certain methods. There are certain guidelines and best practices (which we also call techniques) that the auditor can use to complete the audit across all the phases of auditing, which are planning, execution, assessment, and review.

As an auditor, you must have a thorough understanding of the auditing processes. You should also have an understanding of the information system processes, like what I said: change management, patch management, etc. Whatever systems you are dealing with, you should have an understanding of those processes around the information system. You should also understand the overall goal. Ultimately, the benefit of the information system is realized by the business, and it helps the business achieve its own objectives. The business also wants certain controls in place to ensure that those objectives are achieved effectively and efficiently. So you should also have an understanding of the controls.
Now, if I take an example: the information system we are talking about is a server. The processes around that information system include backup, which is important, making changes to the server, new releases, patch management, etc. You need to understand the important processes around that system. So you have to understand these processes around it, and then you have to understand how these processes would also have an effect on the business processes. For example, that server is supporting an HR function in an organization, particularly in terms of payroll. Now, if there is a patch release, or patch management, or a new release, or if there is a change to the server, how will that affect my HR payroll system in the organization? And you have to see what control you can put in place so that it doesn't affect my business. Now, change management itself is a process. Processes themselves are controls, but how do I ensure that the processes are in line with my business objectives? As an auditor, you are there to check. You are there to verify those processes: whether the controls in place are working adequately and whether those processes continue to serve their business objectives. Are there any issues with those processes? As an auditor, you would try to verify those things through sampling and through various other auditing techniques, to see whether the processes and controls are working effectively. So what we are trying to see here is whether the business processes and controls are designed to achieve the organization's objectives and protect the organizational assets.

Now, upon the completion of this domain, you would be able to plan an audit. An audit, as I said, is a kind of project. The same project management techniques, the same project management methodology, also work for an audit. So when you say project management, you have planning: you're planning the implementation of that project, in this case the scheduling of that project, and then implementation and development, and then post-implementation. Similarly, you have planning the audit, conducting it (which is your implementation), communicating the audit progress, conducting audit follow-ups, and then evaluating the management and monitoring of controls in the audit. You also utilize data analytics tools to streamline audit processes.
After that, you will have to provide consulting services and guidance to the organization to improve the quality and control of the information systems. Now, this is not part of the audit, but sometimes, when we have an audit called an internal audit, your role is also something related to consulting, where you try to improve the internal process. However, if you go for an external audit, you don't do that; you don't provide consulting services. Then, you also identify opportunities for process improvements in the organization's IT policies and practices. These are some of the areas, and there will be many more, so this is not an exhaustive list. These are some of the areas of which you, as an auditor, should be aware. Now, the topics in this domain are divided into two parts. One is planning, and the second one is execution. In the planning part, we will study the audit standards, guidelines, and code of ethics (as given by ISACA), and we will understand the various business processes in an organization. For example, we are aware of HR, finance, and procurement; you have physical security, the real estate of the organization, managing the administration of the organization, the operations, etc.
We will study some of the common processes in every organization. You will also see the types of controls. Now, what are controls? Controls are there to mitigate the risk, to mitigate the risk to the business objectives. Then we will also talk about a very important principle of risk-based audit planning. Now, you must be aware that in an organization, resources are limited. Every organization's resources are limited. That's the fundamental principle you need to understand. And since the resources are limited, you have to align those resources to the area where there is maximum risk for the organization. That's the reason we call it risk-based audit planning. So, as an auditor, I am limited; I am a single person in the whole organization. My focus should be on core banking, core applications, or core business operations rather than, maybe, HR. That's the reason we look at the maximum risk area of an organization and start auditing from there, so that the maximum risks are addressed in the organization. So this is basically risk-based audit planning: you plan the audit based on the risk to the organization. So you go for high risk first, and then medium, and then low. This is how every organization works. Then, you have types of audits. There are internal audits, second-party audits, and third-party audits. We will see what arrangements we have in the various audits and also what the difference is between an audit and an assessment. Audits are basically done to verify things; assessments are also done to verify things, but due to the different arrangements in an audit and an assessment, your communication changes. Your job responsibilities also change.
In the execution part, we will study the project management of an audit. As I'm continuously repeating from the beginning, an audit is a project, right? We have to treat it as a project. Then we will also look at sampling methods. We will look at the audit evidence collection techniques. It's very important because, as an auditor, by principle, you should not give any findings unless you have evidence for them. Then you have data analytics. Nowadays, we are using systems like banking systems and telecommunication systems where you require data analytics techniques to basically ensure that the system is working effectively. So we will study how data analytics helps auditing to give better results.
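The two ideas above, risk-based audit planning (spend limited audit hours on the highest-risk systems first) and evidence-based control testing of the payroll server's change management process using sampling and data analytics, can be made concrete in code. The following is an added illustration, not part of the course material or of any ISACA publication: the audit universe, the 1-5 likelihood and impact scale, the patch install log and the change register are all constructed assumptions, as are the function names.

```python
"""Added example (not part of the CISA course material): a risk-based audit
plan over a constructed audit universe, and a change-management control test
that reconciles a server's patch log against the change register.
All names, scales and evidence records below are constructed assumptions."""
from dataclasses import dataclass
from datetime import date
import random


@dataclass(frozen=True)
class AuditableSystem:
    name: str
    likelihood: int    # assumed 1-5 scale
    impact: int        # assumed 1-5 scale
    hours_needed: int  # audit effort estimate

    @property
    def risk(self) -> int:
        return self.likelihood * self.impact


def plan_audits(universe, hours_available):
    """Risk-based audit planning: rank the audit universe by descending
    risk and fill the limited hour budget from the top. Returns the
    selected and deferred systems, each in rank order."""
    ranked = sorted(universe, key=lambda s: (-s.risk, s.name))
    selected, deferred, remaining = [], [], hours_available
    for system in ranked:
        if system.hours_needed <= remaining:
            selected.append(system)
            remaining -= system.hours_needed
        else:
            deferred.append(system)
    return selected, deferred


@dataclass(frozen=True)
class PatchEvent:
    patch_id: str
    installed: date


@dataclass(frozen=True)
class ChangeRecord:
    patch_id: str
    status: str        # "approved" or "rejected"
    window_start: date
    window_end: date


def check_change_control(patch_log, change_register):
    """Control test: every patch installed on the server must map to an
    approved change whose window covers the install date. Returns the
    exceptions as (patch_id, reason) tuples; an empty list means the
    control operated effectively over the tested population."""
    records = {c.patch_id: c for c in change_register}
    exceptions = []
    for event in patch_log:
        record = records.get(event.patch_id)
        if record is None:
            exceptions.append((event.patch_id, "no change record"))
        elif record.status != "approved":
            exceptions.append((event.patch_id, f"change {record.status}"))
        elif not (record.window_start <= event.installed <= record.window_end):
            exceptions.append((event.patch_id, "installed outside approved window"))
    return exceptions


def select_sample(population, size, seed):
    """Random sample without replacement, for when the population is too
    large to test in full; the seed goes in the workpapers so a reviewer
    can reproduce the selection."""
    return random.Random(seed).sample(list(population), min(size, len(population)))


# Constructed audit universe: likelihood, impact and effort are invented.
UNIVERSE = [
    AuditableSystem("core banking", likelihood=4, impact=5, hours_needed=60),
    AuditableSystem("payroll server", likelihood=3, impact=4, hours_needed=40),
    AuditableSystem("HR self-service portal", likelihood=2, impact=3, hours_needed=30),
    AuditableSystem("intranet wiki", likelihood=2, impact=1, hours_needed=20),
]

# Constructed evidence for the payroll server: the patch install log and
# the change register extracted from the ticketing system.
PATCH_LOG = [
    PatchEvent("KB-2024-001", date(2024, 3, 2)),
    PatchEvent("KB-2024-002", date(2024, 3, 9)),
    PatchEvent("KB-2024-003", date(2024, 3, 15)),
    PatchEvent("KB-2024-004", date(2024, 3, 20)),
    PatchEvent("KB-2024-005", date(2024, 3, 22)),
]
CHANGE_REGISTER = [
    ChangeRecord("KB-2024-001", "approved", date(2024, 3, 1), date(2024, 3, 3)),
    ChangeRecord("KB-2024-002", "approved", date(2024, 3, 1), date(2024, 3, 3)),
    ChangeRecord("KB-2024-003", "rejected", date(2024, 3, 14), date(2024, 3, 16)),
    ChangeRecord("KB-2024-005", "approved", date(2024, 3, 22), date(2024, 3, 23)),
]

if __name__ == "__main__":
    selected, deferred = plan_audits(UNIVERSE, hours_available=100)
    print("audit this cycle:", [s.name for s in selected])
    print("deferred:", [s.name for s in deferred])
    for patch_id, reason in check_change_control(PATCH_LOG, CHANGE_REGISTER):
        print(f"exception: {patch_id}: {reason}")
```

With 100 audit hours the plan selects core banking and the payroll server and defers the HR portal and the wiki, which is the "high risk first" ordering described above. The control test then reconciles the whole patch population against the register and reports three exceptions (a patch applied outside its approved window, a patch whose change was rejected, and a patch with no change record at all); each exception is a finding backed by the two evidence records that produced it. When the population is too large to test in full, `select_sample` picks a reproducible random sample and the same check runs over the sample instead.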
Then, reporting and communication techniques are very important. Again, this would depend on the reporting and communication technique, and it would also depend on the arrangement of the audit: what kind of arrangement is it? Then we'll talk about quality assurance and improvement of the audit process. Now, an audit also has a quality department. Generally, all auditing functions have a quality department. For example, if I give a finding as an auditor, the quality of that finding would also be judged. I wouldn't say judged, basically; I would say it would be assessed. For example, what kind of evidence is it? How has that evidence been captured? How effective is that evidence in saying that this particular finding can affect the business? All those parameters are basically assessed. Many auditing firms, for example EY, Deloitte, and PwC, all have quality departments that verify this. External auditors also, sometimes, though not very rigorously, look into what kind of findings the auditor gives. And we also have some contentions when we are audited. If the auditor gives a finding, we can raise a question like, "Why did you give this finding to me?" We can question them. They should be able to answer those questions appropriately to us. Okay, let's start with the first topic, which is planning.
-
Okay, so what is an audit? An audit is
-
basically,
-
as I said, verifying. Another word for
-
auditing is verifying,
-
checking. Okay, so it's a formal
-
examination and testing of information
-
systems to determine whether
-
those systems are working as per the
-
applicable laws, regulations, contracts,
-
and industry guidelines.
-
Now, these compliances--laws,
-
regulations, contracts, and industry
-
guidelines--
-
depend on, again,
-
country to country,
-
industry to industry, supplier or
-
contractor to contractor,
-
third-party to third-party. Also,
-
regulations are typically set by
-
regulatory bodies.
-
So, it also depends on, again,
-
regulatory bodies for industries.
-
For example, in India there’s TRAI
-
for telecom, RBI for banking,
-
NPCI for
-
payment gateways,
-
IRDA for insurance. These bodies also have
-
certain
-
guidelines for the information systems.
-
So, information systems
-
have to comply with those guidelines or
-
regulations set by the regulatory
-
body.
-
Okay, so that is one thing you check. Okay.
-
Then, the other thing you check
-
is whether those comply with the
-
governance criteria
-
and relevant policies and procedures. Now,
-
you also
-
see that information should function
-
under--so, information
-
is owned by an organization. For example,
-
that information system has to work
-
according to the internal policies and
-
internal compliances
-
of an organization. Okay, if you,
-
for example,
-
take a server, it
-
should work according to the change
-
management process,
-
patch management process, and, you know,
-
backup process defined by the
-
organization.
-
Okay, so that is one thing you
-
check: whether it’s compliant with the
-
policies, compliant with the laws and
-
regulations,
-
and whether it is complying with the
-
internal policies and procedures of the
-
organization.
-
The third thing you check is whether
-
that information system
-
is compliant with
-
the CIA--which is
-
Confidentiality, Integrity, and
-
Availability--
-
at an appropriate level. Now, what is
-
confidentiality? What is integrity?
-
And what is availability? Confidentiality
-
is basically
-
that the system doesn’t allow
-
unauthorized access.
-
Okay, you know, the system doesn't allow
-
unauthorized access.
-
Integrity means the system doesn’t allow
-
inadequate modification or unauthorized
-
modification. The
-
system doesn’t allow unauthorized
-
modification to data
-
or any other parameters of information
-
systems. The third
-
thing is availability, which means the
-
system
-
allows authorized people to work. For
-
example, if you
-
want to create a ticket,
-
raise a ticket, you should be allowed to
-
do that. Okay,
-
for example, if you want to
-
access your emails,
-
as email is a very important
-
operation, you should be allowed
-
to operate your email because
-
you're authorized to do so.
-
Okay, so that’s also an important thing
-
to look at from an information
-
systems perspective.
-
So, confidentiality, integrity, and
-
availability should be maintained
-
in the information systems, and
-
we apply controls to reduce the
-
impact on the CIA.
-
Okay, so you should also test
-
the CIA parameters
-
of the system. Then, the fourth thing is whether
-
the efficient
-
and effective targets are met. Now,
-
efficiency
-
is something related to
-
cost. Okay. So,
-
IT operations are accomplished
-
efficiently, which means reducing costs.
-
Okay. Effectiveness means that they are
-
done effectively. For example, you have an
-
antivirus.
-
First and foremost, efficiency means the
-
cost of the antivirus should
-
not be too high according to
-
the organization.
-
Effectiveness means it should also prevent
-
viruses
-
and malware attacks on the
-
organization or
-
the system or the information system. Okay.
-
So, these are the four parameters
-
you need to look at when you are
-
verifying and checking information
-
systems.
-
The first thing is the compliance
-
with laws and regulations. The second
-
is about governance,
-
the compliance level, and the internal
-
policies and procedures.
-
Okay. The third thing is the impact
-
on the CIA.
-
And the fourth thing is about the efficient
-
and effective
-
operations of the information systems. So,
-
these are the four parameters you check
-
in the audit.
-
Okay, so the audit process has
-
three steps. One is planning
-
the audit,
-
then conducting the audit, and finally,
-
reporting and follow-up.
-
Okay, so we’ll discuss that. First and
-
foremost, you need to understand the
-
ISACA standards. There is an audit
-
standard by ISACA. I’ll go to the ISACA website
-
to show you where it is. If you check
-
the resources,
-
in the resources, you will
-
go to Frameworks, Standards, and
-
Models. Okay.
-
Okay, there is this process called ITAF,
-
which is the Information Technology
-
Assurance Framework.
-
Okay, this is a free standard.
-
Okay, you might download this.
-
Okay, so you have to select the language
-
and download it.
-
Now, this is an important standard to
-
look at. Okay, it has been downloaded, and I
-
have that
-
with me.
-
Okay, so this is called ITAF,
-
which is your IT Assurance Framework.
-
Okay, and this talks about IS
-
audit and assurance, so this is a
-
standard, basically.
-
Okay. So,
-
first and foremost, the standard for IS
-
audit and assurance
-
is divided into three parts:
-
one is the general standard,
-
okay, and performance standard,
-
and reporting standard.
-
Okay, so in the general standard, it
-
talks about planning,
-
okay, there. Performance talks about
-
conducting the audit,
-
okay? And then, the reporting standard
-
talks about the third space, which is
-
reporting. Now,
-
how to apply this standard? There is
-
a certain guideline
-
which has been defined. Now, the
-
guideline is this one.
-
If you see, "IS audit and assurance
-
guideline." Okay.
-
Now, basically, both of these, if you see,
-
this is also audit charter, and this is also
-
audit charter.
-
Here, if you see, it talks very briefly
-
about what it is. Okay? This
-
guideline will tell you how to implement
-
this audit charter
-
in the audit and assurance guidelines. Then,
-
there are
-
tools and techniques in this particular
-
document. Okay? IS audit and assurance tools and
-
techniques. And then, there is
-
also a professional ethics part
-
there. In the tools and techniques,
-
there is also,
-
you know, professional
-
ethics and standards.
-
Now, coming back to the presentation,
-
what is this standard
-
about? ISACA's audit and
-
assurance standard defines mandatory
-
requirements
-
for IS auditing. Obviously, whenever
-
you
-
see the word "standard," you must be aware
-
that it’s mandatory.
-
Okay, and how do you understand that it's
-
mandatory? Because the word "shall" is used
-
there. Okay, so if you see here
-
in the audit charter,
-
if you go to page number 12 quickly,
-
if you see the audit charter,
-
you'll see the word "shall" is used.
-
Let me show you. If you see,
-
the word "shall" is used. Okay.
-
So, if you see everywhere "shall" is used,
-
this is mandatory. When you say
-
"standard,"
-
this is mandatory. Okay, and when you go
-
to the guideline, go to
-
page number 40, go to page number 42
-
quickly,
-
and you'll see the audit charter. The word
-
"should"
-
is used. If you see here, the
-
purpose of this guideline is to assist, and
-
the IS auditor
-
should consider this guideline. Now, this
-
is a guideline. A
-
guideline is non-mandatory. A
-
standard is mandatory.
-
Okay, so this is one difference you must
-
understand. You will see this is
-
basically the guideline's purpose
-
and linkage to the standard. Okay, coming
-
back,
-
that’s the reason the
-
standard defines mandatory requirements
-
for
-
IS auditing, reporting, and informing.
-
Okay,
-
as an auditor, you must isolate
-
the minimum level of acceptable
-
performance required to meet the
-
professional responsibilities
-
set in the ISACA Code of Professional
-
Ethics. So,
-
you have to minimally practice the
-
standard.
-
Okay, that’s the reason I said reading
-
the standard is important
-
for you guys because that’s the minimum
-
requirement of an auditor.
-
Okay, yes, you can also read the guideline,
-
which will basically
-
help you implement that standard in
-
your job practices.
-
Okay. Now, then, management and other
-
interested parties have
-
professional expectations concerning the
-
work of practitioners.
-
Now, you also have to understand that as
-
an auditor,
-
you work with other experts in an
-
organization.
-
For example, an auditor,
-
you know, also works with IT people.
-
For IT, there are specific audits--
-
that’s what information system auditors
-
are. Then, there are
-
network people, network
-
audits,
-
software audits, and
-
then there are
-
information security audits. So, as
-
an auditor, whatever
-
your expertise is, you also work with
-
other auditors
-
or take the expertise of
-
other auditors
-
during your job. Okay,
-
so this particular standard also
-
talks about that--that’s how to take the
-
work of other practitioners in your
-
job, okay, in your auditing.
-
Okay, now, you
-
may not be a network expert. If you are not a network expert,
-
how would you audit a network?
-
You will take the expert’s
-
opinion--someone who has
-
expertise in the network field--
-
so you take their results to
-
basically
-
fulfill your auditing assignment. Okay.
-
So,
-
this particular standard also talks
-
about that. Then, it also
-
helps, basically, this is also a
-
requirement from CISA.
-
Okay. As a CISA designation holder, you must be
-
aware of the
-
requirements of this. Okay, so
-
holders of the CISA designation have
-
their professional
-
performance requirements, which are
-
also mentioned here. If you want, I can
-
specifically go to
-
that document and tell you where it is
-
mentioned.
-
So, if you see here, you know, the
-
proficiency of an auditor
-
is also something that’s an important
-
parameter. Okay, now using the work of
-
other experts--that’s what I was talking
-
about.
-
Okay, 1206,
-
clause 1206 talks about
-
using the work of other experts. Now, I
-
will also go to the Code of Professional
-
Ethics.
-
So, these are the seven codes of
-
professional ethics,
-
which every auditor must be aware of.
-
That’s what
-
you also sign when you go for
-
certification after the exam.
-
Okay, these are the seven principles, I
-
would say,
-
or ethical statements that you must
-
comply with.
-
Okay, if you are found not adhering to
-
any of the seven principles,
-
there is a possibility of getting your
-
certification revoked.
-
There is also a disciplinary
-
process from ISACA
-
against the CISA certification. Okay, I
-
will go to that
-
later in the presentation as well.
-
Okay, I will move forward now. The
-
framework, which has
-
already been talked about--ITAF. Okay, ISACA’s
-
audit and assurance standards framework.
-
The framework of ISACA provides
-
multiple
-
levels of documents. It talks about
-
the standard. Okay, I talked
-
about the guideline.
-
Okay, so the standard defines mandatory
-
requirements for IS audit assurance and
-
reporting.
-
Okay, then there are guidelines. I
-
told you that guidelines provide guidance in applying
-
the standard.
-
Okay, as an auditor, you should consider
-
them in determining how to achieve
-
and implement this particular
-
standard. Use
-
professional judgment here. Okay?
-
And their application,
-
okay? Now, professional judgment.
-
When the word "judgment" comes,
-
it is not mandatory. It is
-
discretionary, I would say.
-
Okay, when you say judgment, it
-
becomes discretionary. Okay, in their
-
application,
-
and you must be prepared to justify any departure
-
from the standard.
-
Okay, there is a possibility of
-
exceptions.
-
Okay, there is always a possibility of exceptions,
-
and then there has to be an
-
exception process around it
-
when you're applying that standard.
-
You must be able to justify those
-
exceptions from the standard as well. So, a
-
standard is not law.
-
Okay, so it’s not something that
-
you will be
-
prosecuted for not following. Okay?
-
But
-
if you have an exception, you must justify it,
-
which is good for
-
the overall practice of auditing.
-
Then, there are tools and techniques
-
that provide examples of processes that
-
the IS auditor
-
might follow in an audit. Okay, and that’s
-
also
-
basically mentioned here. Tools and
-
techniques documents provide
-
information on how to meet the standard
-
when completing IS audit work,
-
but do not set the requirements. Okay,
-
and the requirements are again linked to
-
these standards. Okay. So, if you see, it
-
doesn't,
-
here it talks about mandatory
-
requirements, but these tools
-
do not set the requirements. Okay.
-
They never set the requirements. So, as I
-
said, the
-
general principles apply to the conduct of
-
all assignments
-
and deal with ethics,
-
independence, objectivity, and
-
due care as well as knowledge, competency
-
and skill.
-
Okay, when you talk about performance, it
-
is about conducting.
-
Okay. It talks about planning,
-
supervision, scoping, risk, and materiality.
-
What is materiality, guys?
-
Materiality means the importance of the
-
effect
-
of that area. Okay, now,
-
whenever we look at materiality, we are
-
not looking at,
-
you know, it is basically the quality
-
of
-
the practice or the
-
transaction or the amount. For example,
-
for an organization,
-
for a big organization like
-
PwC, a loss of one thousand dollars is
-
not material. Okay. But for them, a
-
one million dollar loss is
-
significant. Okay, so materiality is the
-
importance of that particular,
-
you know, loss or transaction. We
-
use this in auditing a lot because
-
we are trying to capture the
-
most significant
-
things first from an information
-
systems perspective.
-
Okay, for example, we're looking at the
-
most important application of an
-
organization,
-
which can affect their
-
business operations.
-
So, always look for the material
-
things. Always look for
-
the most important things for an
-
organization.
-
Okay, for example, if I go for a
-
bank or a bank audit,
-
I go in asking, "What is the card
-
doing?" You know,
-
I’m not looking at the CBS, the core banking
-
system; I’m looking at a process in
-
HR, for example,
-
which every bank has. But I
-
should be looking at
-
the most important thing, which is the CBS,
-
the core banking system.
-
Okay, so as an auditor, you look for
-
the most material things, the
-
most important things to the organization when
-
you are doing the audit.
-
Okay, so scoping, risk, and materiality.
-
Okay, the importance of that
-
area is very important. I hope
-
I was able to give that answer. Okay, and
-
then resources.
-
We also talk about
-
resources because, as I said,
-
every organization has limited resources.
-
So, how you utilize the resources to the
-
maximum extent is crucial.
-
Mobilization of the auditors, okay?
-
Mobilization of the auditors is also important--because
-
again, limited resources--you have to
-
mobilize
-
effectively, in terms of
-
logistics, etc.
-
Supervision: Supervision of the
-
auditors is very important
-
in terms of the
-
quality of the audit and
-
assignment management. Big auditing
-
firms like EY,
-
PwC, and Deloitte
-
understand this,
-
you know, in terms of assignment
-
management. We have audits
-
every year, we have surveillance audits, we
-
have recertification
-
audits every three years, etc. All
-
that assignment management is also very
-
important. Then, audit and assurance
-
evidence.
-
Evidence collection, storing
-
those evidences,
-
proving the quality of the evidence--
-
everything is very important here. So,
-
in the performance category, we will look
-
at all those things.
-
Then, the third category is reporting.
-
Okay,
-
so these three categories among the
-
categories of standards and guidelines--
-
reporting is very important in terms of
-
types of reports,
-
means of communication, and the
-
information that is communicated.
-
All three are very important.
-
And reporting also, as I said earlier,
-
would depend on the type of arrangement
-
or the type of audit it is.
-
Audit and assurance guidelines: We
-
talked about
-
the standard. The guideline basically
-
helps you to determine how to implement
-
these ISACA standards.
-
It also helps, as I said, by using professional
-
judgment in applying them. You should
-
be able to justify any departure from
-
ISACA or international standards.
-
Now, as we discussed, the Code of Professional
-
Ethics is very important,
-
and we must understand that these seven
-
principles must be followed. We will discuss these in detail.
-
So, these are the three, and
-
we have two more.
-
These are the total of seven codes of
-
professional ethics.
-
I would like to discuss them from the
-
standard itself because that
-
gives a better perspective. Okay,
-
same here.
-
Now, ISACA's Code of Professional
-
Ethics is
-
for its members and certification
-
holders. So,
-
members and certification holders
-
shall support the implementation. So,
-
as an auditor, you are not there on
-
a fault-finding mission.
-
Okay, you are there to
-
verify and check,
-
show the faults, but ultimately, you are
-
there to help them implement
-
and encourage compliance with the standards.
-
Okay, so you should support the
-
implementation of and encourage compliance
-
with appropriate standards and
-
procedures
-
for the effective governance and management
-
of information systems,
-
including audit control, security, and
-
risk management. Okay,
-
then the second is to perform duties
-
with objectivity.
-
Now, when you talk about objectivity,
-
you are also talking about materiality.
-
Okay. As I said,
-
objectivity means you are there to assess
-
certain things, and you should have the audit
-
objective in your mind.
-
For example, if I’m going for an
-
information security
-
audit, I must be sure of
-
what I’m checking. Okay, I should
-
have an audit objective that I
-
would be checking this particular
-
information system while looking for
-
these things. Okay. So from an objectivity
-
perspective,
-
you know you should perform your
-
duties. Okay.
-
Now, you might go for a network audit, and
-
you're looking for faults in the network. You
-
might go for a software audit, where you're
-
looking for
-
anomalies in the software. Okay. If you're
-
going for
-
a penetration audit or a VAPT (Vulnerability Assessment
-
and Penetration Testing), you're looking for
-
various anomalies in the system.
-
Okay, so the objective of the
-
audit should be clear.
-
Also, from the organization’s
-
perspective, it must be clear to
-
the person who has given you the
-
assignment.
-
What the stakeholder is trying to
-
achieve through this audit should be understood.
-
For example, many organizations do ISO
-
27001
-
to achieve tenders, for
-
brand reputation, or also
-
to ensure they are
-
compliant with
-
the
-
industry guidelines,
-
okay, etc. So the objectivity should be
-
very much
-
clear. Then, due diligence. Due diligence means
-
you have to be very careful
-
when you are doing the audit and when you
-
perform your duties.
-
You should not be influenced by
-
people. Due diligence is about
-
independence.
-
You should not be
-
influenced by people; you should not take
-
bribes, etc. Due diligence is
-
not only about
-
taking bribes but also about
-
not getting influenced
-
for any reason. Okay.
-
Then, professional care. Again, this is
-
also about
-
ensuring that
-
you are professional in your
-
approach, and also
-
that your work is in accordance with the
-
professional standards that have been
-
outlined in the standards document.
-
Always serve in the interest of the
-
stakeholders in a lawful manner,
-
while maintaining high standards of
-
conduct and character, not discrediting
-
their profession or association. Okay,
-
maintaining privacy and confidentiality is
-
very important.
-
Okay, you might be dealing with a lot of
-
confidential information of the
-
organization.
-
Okay, so you should always ensure confidentiality,
-
generally through NDAs, etc. However, I don’t believe
-
those are very effective mechanisms.
-
People may say they have an NDA with you,
-
but that doesn’t mean
-
someone should give you access to
-
all the information. An NDA is
-
not a good mechanism in an
-
organization.
-
Then, maintain competency in your
-
respective fields.
-
Okay, you are competent in information
-
security already.
-
You're competent in networks, so
-
always try to achieve expertise in
-
whatever area
-
you are working in, okay? And agree to
-
undertake only
-
those activities that you can reasonably
-
expect to complete with the necessary skills,
-
knowledge, and competence. Now, I do not do
-
a network audit, I don't do a software
-
audit, I do not do,
-
you know, penetration testing audits, okay?
-
Or,
-
you know, availability audits, what we
-
call it as.
-
So, I do information security
-
audits from a compliance perspective. I'm a
-
compliance person, okay? I don't take
-
those assignments which I’m not
-
competent
-
enough for, okay? Because that would not
-
justify
-
my job. Then, inform the
-
appropriate parties of the results of
-
the work performed, including disclosure
-
of all
-
facts, if not disclosed, which may distort
-
the reporting of the results.
-
Then the last one is to support the
-
professional education of stakeholders,
-
enhancing their understanding of the
-
governance and management of enterprise
-
information systems technology, including
-
audit control, security, and risk
-
management.
-
Now, also, you are supporting the
-
stakeholders and increasing their
-
knowledge about their systems.
-
Now, stakeholders invest money in
-
their
-
systems, okay? They are asking you
-
also to
-
come and audit them, so you
-
should always,
-
you know, make them more aware of their
-
information systems. You should
-
also make them aware of the faults
-
in their
-
information systems and how those faults
-
can affect their businesses.
-
Okay, so these are the seven, what we
-
call it,
-
as, you know, the code of professional
-
ethics that the auditor
-
must follow. Okay, we've gone through
-
these three
-
slides, getting to ITAF again. So, again,
-
this particular domain
-
itself is a description of ITAF.
-
Okay, so ITAF is a comprehensive and
-
good-practice-setting framework model.
-
Okay, it establishes the standards, it
-
defines the terms and concepts,
-
concepts of IS assurance. Now, I have
-
not discussed this
-
term, which is "assurance," and I would like to
-
know what’s your perspective on
-
the word "assurance." How do we define
-
assurance? So,
-
assurance is basically a promise or a
-
guarantee
-
or a trust that we have in the system.
-
For example, if you're sitting on a
-
roller coaster,
-
and you are on a dangerous roller coaster,
-
you are actually
-
having assurance that you will come back
-
alive,
-
you know, from that. So, that's the reason
-
you're sitting on that.
-
Okay, so it's kind of a trust you have in
-
that
-
system, okay, that this would perform
-
as per the
-
standards, and you have
-
confidence in that system.
-
So this is very important, in terms of,
-
when you talk about
-
air traffic control systems, you know,
-
you're sitting in an airplane
-
and you are believing that the air
-
traffic control
-
is working as per the proper
-
guidelines.
-
Okay, so that's how, you know,
-
sometimes it is that critical as well,
-
and sometimes, you know, it is not
-
that critical. You know, when you are
-
talking about, for example, banking, it is
-
critical;
-
for air traffic control, it is
-
critical; for critical infrastructures,
-
all the critical
-
infrastructures, it is critical. But, for
-
example, for a small
-
organization, it may not be that
-
critical.
-
Okay, so all that would depend on
-
the materiality
-
of that area. Okay, so this
-
particular...
-
so assurance is
-
that. So, I was just getting to the
-
definition only; I would come to the
-
dependencies and resilience part later
-
in the other domains as well. Then, ITAF
-
also provides guidance and tools and
-
techniques on the planning, design,
-
conduct, and reporting of the IS audit
-
and assurance assignments. So, audit is
-
basically a part of...
-
coming to audit, audit is also a
-
mechanism
-
where we try to get a certain level of
-
assurance.
-
Okay, now, we don't get a guarantee
-
from the audit. Okay, it doesn't say
-
that you have zero faults in a system.
-
Okay, audit is just one, you know,
-
kind of a level playing field assurance
-
perspective. Okay,
-
so audit is just a mechanism for getting
-
assurance.
-
Okay, then we go to business processes. We
-
are aware of these;
-
we'll go through this quickly because we are
-
aware of the business processes.
-
But from an auditor's perspective, when
-
you're going for the audit, you must
-
do some
-
research in terms of
-
what kind of business processes that
-
organization
-
is dealing with, and if you get an
-
understanding of that
-
process, it would be easy for you to
-
audit that. You may not have a
-
complete understanding; obviously, you
-
will interview people,
-
and even then you would not have the complete
-
understanding. But,
-
for example, HR: what does an HR do?
-
Which is basically,
-
you know, hire people, talent management,
-
payroll,
-
training and development, et cetera, et
-
cetera. So you should be
-
aware of that. So, you should understand
-
and evaluate business processes,
-
okay, test and evaluate operational
-
controls
-
there, and then identify the controls
-
such as policies, procedures, practices,
-
and organizational structures.
-
Okay, do you think organizational
-
structure is a control, and why do you
-
think organizational structure is a
-
control?
-
Policies are the high-level intent of the
-
organization.
-
Okay, procedures are also controls. Okay,
-
why procedures? The policies are very
-
important because
-
if the high-level intent is not there,
-
okay, for example, the organization doesn't
-
have an information security policy,
-
stakeholders are not endorsing
-
information security as an important
-
enabler to their organization, then you
-
cannot do anything. Okay, you will not
-
have any control. So,
-
first and foremost, policies are
-
important because those are the high-level
-
intent of the organization.
-
Then, procedures are important. Okay,
-
procedures will tell you the day-to-day,
-
you know, activities which you have to
-
perform, okay, and how to perform those
-
activities, basically step-by-step
-
directions. Okay, then you have
-
practices.
-
Now, practices are best practices; now,
-
those are guidelines. Okay, those are like:
-
this
-
is the best way to do it, okay,
-
or
-
these are things that you must take care
-
of while doing it.
-
Okay, you may or may not take care
-
of that, but
-
those are helping. Then, organizational
-
structure is also a control.
-
How do you think organizational
-
structure is a control? How does it help
-
as a control? For segregation of duties;
-
job descriptions are
-
segregated. Okay, so organizational
-
structure is a control because it helps
-
in decision making.
-
Okay, so basically, organizational structures
-
as,
-
you know, segregation of duties; so
-
it is more important from that
-
perspective.
-
I mean, so this is like you are
-
defining a job description
-
of a person, okay; based on the job,
-
he's been assigned certain things, okay,
-
and that control should be there, that
-
there's a maker and a checker.
-
Okay, that's the reason organizational
-
structures are important. Okay, it would
-
reduce the risk. So, from...
-
I'm asking about, when you talk about
-
controls, it is trying to reduce or
-
mitigate the risk.
-
Okay, so from a segregation of duties
-
perspective,
-
it is very important because segregation
-
of duties is a control
-
that basically reduces the
-
risk of any errors, faults and frauds, etc.
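As an added illustration (not part of the lecture, and not the speaker's or ISACA's material), the Python below shows how the two ideas just discussed, the maker/checker segregation-of-duties control and materiality, can be tested together over an application's transaction log. It scans a constructed sample log, lists every transaction where the two-person control did not operate (same user created and approved, approval missing, or approval with no recorded creation), and puts the findings above the materiality threshold first so the auditor reviews the most significant ones first. The log format, the user names, the amounts and the threshold are all assumptions made up for this example.

```python
from collections import defaultdict

# Constructed sample of an application's transaction log (made up for this
# example; not from the lecture). Each transaction should be created by one
# user (the maker) and approved by a different user (the checker).
SAMPLE_LOG = [
    {"txn": "T1001", "action": "create",  "user": "alice", "amount": 12000},
    {"txn": "T1001", "action": "approve", "user": "bob",   "amount": 12000},
    {"txn": "T1002", "action": "create",  "user": "carol", "amount": 800},
    {"txn": "T1002", "action": "approve", "user": "carol", "amount": 800},
    {"txn": "T1003", "action": "create",  "user": "dave",  "amount": 2500000},
    {"txn": "T1004", "action": "create",  "user": "erin",  "amount": 150},
    {"txn": "T1004", "action": "approve", "user": "frank", "amount": 150},
    {"txn": "T1005", "action": "approve", "user": "gina",  "amount": 40000},
]


def find_sod_violations(log, materiality_threshold):
    """Return one finding per transaction where the maker/checker control
    did not operate. Findings at or above the materiality threshold are
    listed first so the auditor reviews the most significant ones first."""
    by_txn = defaultdict(dict)
    for entry in log:
        by_txn[entry["txn"]][entry["action"]] = entry

    findings = []
    for txn, steps in by_txn.items():
        maker = steps.get("create")
        checker = steps.get("approve")
        amount = (maker or checker)["amount"]
        if maker is None:
            issue = "approval recorded without a corresponding creation"
        elif checker is None:
            issue = "no independent approval recorded"
        elif maker["user"] == checker["user"]:
            issue = f"maker and checker are the same user ({maker['user']})"
        else:
            continue  # control operated: two different users were involved
        findings.append({"txn": txn, "amount": amount, "issue": issue,
                         "material": amount >= materiality_threshold})

    # Material findings first, then by transaction id for a stable report.
    findings.sort(key=lambda f: (not f["material"], f["txn"]))
    return findings


if __name__ == "__main__":
    # Threshold is an assumed value; in practice it comes from audit planning.
    for f in find_sod_violations(SAMPLE_LOG, materiality_threshold=1000):
        flag = "MATERIAL" if f["material"] else "minor"
        print(f"{f['txn']} {flag:8} {f['amount']:>10} {f['issue']}")
```

Run as a script, it reports T1003 (large transaction, never approved) and T1005 (approval with no creation) as material and T1002 (carol approved her own transaction) as a minor finding; T1001 and T1004 pass because a different user approved them.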
-
In this section, we
-
will also talk about the
-
internal audit function. Okay, internal audit
-
function in the sense of how an
-
internal audit
-
function is different from the
-
external audit, okay,
-
or the other functions. Then, management
-
of the IS audit function,
-
okay, planning the audit, okay,
-
the effect of laws and regulations on IS
-
audit planning,
-
business processes, applications, and so on.
-
Internal audit function: so, as an
-
auditor, as an internal auditor,
-
you should
-
establish your audit charter first. Now,
-
what is an audit charter? The audit charter
-
talks about the responsibility, the
-
accountability,
-
the scope of an audit, okay, and
-
it must be approved by the board of
-
directors and the audit committee.
-
Okay, so if we go to the audit charter
-
definition
-
in the ISACA guideline, in the
-
ITAF, you know, so if you see here,
-
in the audit charter, it talks about the
-
purpose...
-
sorry, the audit charter: it talks about the
-
audit charter indicating the purpose,
-
responsibility, authority, and
-
accountability.
-
Okay, so it has four things. You have to
-
remember this,
-
and maybe, if you want to, four things,
-
which are the purpose,
-
responsibility, authority, and
-
accountability. Okay, these are the four
-
things that
-
the audit charter must have. Okay, the
-
purpose of the audit,
-
the responsibility
-
of conducting that audit, the authority,
-
okay, which initiated this audit or who
-
the audit results would be communicated
-
to,
-
and the accountability. Okay, so the
-
audit function should be
-
established by an audit charter,
-
okay, which has to be approved by the
-
board of directors and the audit
-
committee.
-
Now, sometimes the board of directors
-
also, you know, they have
-
another committee which
-
represents the audit.
-
Okay, that's what the audit committee is
-
about. Okay.
-
Now, the audit charter is an overarching
-
document that covers the entire scope of
-
audit activities in
-
an entity, while the engagement letter is
-
more focused on a particular audit
-
exercise.
-
Now, sometimes we have, you know, one is the
-
audit charter, in which you have the
-
complete plan
-
of the audit of the whole organization,
-
whereas the engagement letter is
-
specific to a certain function. Okay, for
-
example, you're going for a network audit,
-
so there's an engagement you have done
-
with EY, for example.
-
Now, you will sign an engagement letter
-
with that organization,
-
and it is basically focused, okay, and you
-
have certain
-
time limits, etc. Okay, it's more focused
-
on a particular audit exercise that is
-
sought to be initiated in an
-
organization with a specific objective
-
in mind, for example,
-
as I said, a network audit or an
-
information security compliance audit,
-
etc. So, from the definition, this is
-
also clear here:
-
if you see, the charter should clearly
-
state
-
management's responsibility and
-
objectives for delegation of authority
-
to the IS audit function. Okay, so the charter
-
should clearly state
-
the responsibility, the objectives or the
-
purpose,
-
the authority, okay, of the audit function.
-
Why do you think the
-
auditors will also require authority
-
from the board of directors for asking
-
questions to,
-
you know, the area of the organization you are
-
auditing? People may ask you,
-
"Who are you? You know, why do you ask
-
these questions?" etc.
-
Those are the basic questions when you go
-
to interview anyone.
-
Okay, so by what authority? So the
-
audit charter is a document which you
-
can,
-
you know, show as a warrant, you know, that
-
I have the authority to
-
basically audit you, and this has
-
been
-
asked by the highest authority of
-
your organization, which is the board of
-
directors. That's the reason the
-
charter has the authority as well, so
-
that
-
you have the senior management or top
-
management
-
approval on asking questions to the
-
area or to the function. Okay,
-
that's the reason authority is very
-
important.
-
Now, management of the IS audit function. Managing the IS audit function should ensure value-added contribution to the senior management.
-
Again, if they're giving you authority to audit, they also want, and they are doing it for a reason,
-
that you would tell them: what are the flaws in my organization, what are the areas for improvement?
-
You are basically building upon their assurance; you're building their assurance on the organization's IT infrastructure. Okay?
-
So if you're saying that, you know, these are the areas of improvement of your organization, if you're giving them findings,
-
it will basically help them improve the overall operations and efficiency of their organization. Okay?
-
So as an auditor you should ensure value-added contribution to the senior management in the efficient management of IT and achievement of the business operations.
-
When you give them findings, they would act upon it, and that would also help them to achieve their business objectives appropriately.
-
Okay, now the first step is planning. When you're planning for an audit,
-
adequate planning is very important. The Japanese have a saying that 70% of the time you spend on planning; that's very important.
-
I'm doing an implementation assignment, and I know this very well, deep from my heart, how important the planning part is, the audit plan, how important it is.
-
If you fail in planning properly, you mess up the whole thing. Okay?
-
So to plan an audit, the following tasks must be completed: list all the processes.
-
Means the scope has to be very clear when you're going for an audit, so you're listing all processes,
-
and you get the scope approved for the audit. Okay?
-
Then you evaluate each process by performing a qualitative risk assessment.
-
Now, for example, I have four departments to audit. Okay? The scope is clear, I have four departments.
-
Now, who to start with? That is also very, very important.
-
Again, the concept of materiality is very important, so you will do a qualitative or a quantitative risk assessment.
-
Now, this risk assessment is not the risk assessment that we do for information security, you know, the detailed assessment which you do.
-
This is a kind of assessment which is a very high-level assessment,
-
in which you try to understand which are the critical areas of the organization.
-
Now, for example, you have four applications to audit. Now if you say one, two, three, four,
-
and you say, okay, how would you check which application is important?
-
Number of users: which applications do you... so, okay, number of users, easy for any organization to give you. Okay?
-
And you will also do a risk assessment on the type of data that application is storing,
-
which process that application is supporting, which business operations it is supporting.
-
So this is a kind of high-level assessment of risk you will do. So why are you doing this?
-
Again, materiality. Okay? You're doing this to evaluate whether, you know, you're trying to capture the maximum risk in an organization. Okay?
-
So evaluate each process by performing a qualitative or quantitative risk assessment. These evaluations should be based on objective criteria, what I just said. Okay?
-
I gave you some examples of objective criteria, for example for applications; similarly you can apply to business processes,
-
you can apply to different departments as well, from a high-level perspective, etc.
-
So then our thing is to define the overall risk of each process. Okay?
-
Then construct an audit plan to include all the processes that are rated high, which would represent the ideal audit plan. Okay?
-
And that's what we call the risk-based audit strategy or risk-based audit plan.
-
Basically we call it strategy, okay, so: risk-based audit strategy.
-
Now, when to audit? That's also a question.
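Before moving to the timing question, here is the scoring-and-selection step just described, written out as a worked example added to this transcript (it is not part of the lecture): each candidate area is scored on objective criteria of the kind named above (number of users, sensitivity of the data held, criticality of the business processes supported), given an overall rating, and the High-rated areas form the ideal plan. It also covers the point made later in the session that when audit resources fall short, the plan is trimmed so the high-risk areas are kept first. The weights, the bands, the four applications and the effort figures are constructed assumptions, not values from the lecture.

```python
"""Risk-based audit plan construction (added example, not from the lecture).

Each candidate audit area is scored on objective criteria: number of users,
sensitivity of the data it holds, and criticality of the business processes
it supports. Areas rated High form the ideal audit plan; when auditor-days
are short, the plan is filled from the highest-scoring area downward and
the rest is reported as deferred.
"""
from dataclasses import dataclass, field

# Ordinal scales for the qualitative criteria (constructed for this example).
DATA_SENSITIVITY = {"public": 1, "internal": 2, "confidential": 3, "restricted": 4}
PROCESS_CRITICALITY = {"supporting": 1, "important": 2, "core": 3}


@dataclass
class AuditArea:
    name: str
    users: int
    data: str          # key into DATA_SENSITIVITY
    process: str       # key into PROCESS_CRITICALITY
    effort_days: int   # auditor-days needed to cover this area (assumed)
    score: float = field(default=0.0, init=False)
    rating: str = field(default="", init=False)


def user_band(users: int) -> int:
    """Map the user count onto a 1-4 band so it is comparable with the other criteria."""
    if users >= 5000:
        return 4
    if users >= 500:
        return 3
    if users >= 50:
        return 2
    return 1


def score_area(area: AuditArea) -> AuditArea:
    """Weighted sum of the three criteria, normalised to 0-10, then rated High/Medium/Low."""
    raw = (2 * user_band(area.users)
           + 3 * DATA_SENSITIVITY[area.data]
           + 3 * PROCESS_CRITICALITY[area.process])
    max_raw = 2 * 4 + 3 * 4 + 3 * 3          # highest possible raw score (29)
    area.score = round(10 * raw / max_raw, 1)
    area.rating = "High" if area.score >= 7 else "Medium" if area.score >= 4 else "Low"
    return area


def ideal_plan(areas):
    """All areas rated High, highest score first: the 'ideal' risk-based plan."""
    scored = sorted((score_area(a) for a in areas), key=lambda a: a.score, reverse=True)
    return [a for a in scored if a.rating == "High"]


def fit_to_budget(areas, auditor_days: int):
    """Fill the plan from the highest-risk area down until the auditor-days run out.
    Returns (covered, deferred) so the deferral can be reported to the audit committee."""
    scored = sorted((score_area(a) for a in areas), key=lambda a: a.score, reverse=True)
    covered, deferred, used = [], [], 0
    for a in scored:
        if used + a.effort_days <= auditor_days:
            covered.append(a)
            used += a.effort_days
        else:
            deferred.append(a)
    return covered, deferred


# Constructed audit universe: four applications, as in the lecture's example.
AUDIT_UNIVERSE = [
    AuditArea("Core banking", users=12000, data="restricted", process="core", effort_days=15),
    AuditArea("HR / payroll", users=900, data="confidential", process="important", effort_days=8),
    AuditArea("Intranet wiki", users=3000, data="internal", process="supporting", effort_days=4),
    AuditArea("Treasury pilot", users=25, data="confidential", process="core", effort_days=6),
]

if __name__ == "__main__":
    for a in ideal_plan(AUDIT_UNIVERSE):
        print(f"{a.name:15} score={a.score:4} rating={a.rating}")
    covered, deferred = fit_to_budget(AUDIT_UNIVERSE, auditor_days=23)
    print("covered :", [a.name for a in covered])
    print("deferred:", [a.name for a in deferred])
```

The objective criteria are kept as separate ordinal scales rather than a single gut-feel rating so that the audit committee can see why an area landed where it did; the new, small Treasury pilot scores Medium on users but its core process and confidential data pull it close to the High line, which is exactly the kind of area the long-term planning discussion below is about.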
-
Why we have this question is because, again, this depends on the criticality of the processes.
-
So there is short-term audit planning and there is long-term audit planning.
-
Now, in short-term audit planning you have, you know, short, frequent auditing; the periodicity reduces. Okay?
-
In long-term audit planning you have high periodicity. Okay?
-
So short-term planning involves all the audit issues that will be covered during the year. Okay?
-
For example, you have to conduct a surveillance audit for ISO every year, so that is the short term. Okay?
-
The long-term plan takes into account all the resolutions. For example, there's a department which is slowly improving;
-
it's a new department, it's not very mature, so you might go for a long-term audit here.
-
So you are assessing, for example, some areas of that department,
-
and then you give them a gap to mature, and then you are auditing the other areas of the department. Okay?
-
Similarly, you know, so it's a very phased approach in the long-term planning,
-
and that would also depend on the IT strategic direction of the organization. Okay?
-
For example, I was working in a bank in UAE,
-
and they had a new area of banking, okay, treasury for example; no, I don't remember the name of that area, but for example treasury.
-
They were, you know, trying to have another area of business for them. Now that department had just begun;
-
okay, that area of business was just now initiated. Obviously they will not have a hundred percent,
-
they will not have the same processes that a bank initially has. They are trying to have one or two processes in place for the new customers,
-
and then they would have maturity along the line. Okay?
-
So if I go on the first day, or maybe the first year, and say, okay, show me all the processes, and I start finding faults in them,
-
you know, start reviewing them, then it may not be very fruitful for that particular area of business immediately. Okay?
-
You will have a lot of findings, you cannot address those findings, etc. Okay?
-
So you will take a long-term approach. So that depends on the IT strategy direction of that organization.
-
Now, an audit can also be triggered when there is a control issue. Okay?
-
So there's a new issue that is coming up: there are a lot of incidents that are happening in HR, okay,
-
there are a lot of data breaches that happened in HR, et cetera.
-
So if there are control issues there, the board of directors take a decision:
-
okay, now we must audit this HR department, try to assess those gaps in that department. Okay?
-
So new control issues can also trigger an audit; fraud can trigger the audit. Okay? So that could also happen.
-
Also, there's a change in the risk environment: you acquire a new organization, you merge, you have mergers and acquisitions. Okay?
-
Now that could also change, so the risk environment has changed. Okay?
-
So risks, as I mentioned: the technology has changed, all the business processes are changed drastically, you know;
-
that can also basically trigger an audit. Okay?
-
So these are the steps for having the audit.
-
Okay, just quickly naming them. First and foremost, gain an understanding of the business mission of that organization.
-
What is mission? Mission is what the organization does. For example, banking:
-
the organization deals with money, you know, they create accounts. Now what do they do? They manage people's money, basically.
-
So you should understand the mission of the organization. Okay?
-
You should understand the objectives, whatever the top management has decided that these should be the objectives.
-
You should understand the purpose of that organization, how that organization is helping its community,
-
stakeholders basically; I would not say community, stakeholders like customers, suppliers, the internal employees. Okay?
-
So that's important, and the processes. Okay? Then understanding the business environment of the auditee.
-
What is auditee? The auditee is basically the organization you are auditing; you are the auditor and the other organization is the auditee. Okay?
-
Or sometimes the auditee is also another party. Okay? You must understand the auditee can be another organization
-
which is asking you to audit that organization; the auditee is who has given you the assignment. Okay?
-
Then review prior work papers. Okay? Prior work papers is basically a kind of a checklist:
-
if you have certain questions to the auditee or the auditee management, then you ask them certain questions,
-
you ask them for certain documentation for understanding their organization; that is basically the review of work papers.
-
Then identify stated contents. Okay? Now the work papers are basically your content: policies, standards, required guidelines, procedures, org structure. You study them. Okay?
-
And then you perform a risk analysis to help design the audit plan. So based on the work papers, based on the organization structures, you will understand,
-
okay, what are the various things which are important to the organization. You do a risk assessment or risk analysis, okay,
-
and you prepare an audit plan, and then based on the audit plan you will define the audit scope and the audit objectives. Okay?
-
And develop the audit approach, or audit strategy. Okay? Then assign resources, the auditors, to different areas. Okay?
-
And then finally you will address the engagement logistics. So those are the planning steps.
-
Now, after planning you will have the conducting of the audit; we'll come to that.
-
Okay, so the audit plan should take into consideration the objectives of the audit relevant to the audit area,
-
its technology infrastructure, business strategy direction. Okay?
-
So to have a better understanding, as I said, the work papers, which is your pattern material,
-
publications, industry publication reports, independent financial analysis reports, etc.
-
Now, reviewing prior audit reports: as an auditor you can also ask for prior audit reports.
-
You know, so for example if you're going for an audit you can ask, give me the previous year's internal audit report. Okay?
-
Reviewing the business and IT long-term strategic plans. Okay?
-
The materiality could be just based on that. Okay?
-
Additional considerations: you interview key managers, understand their business issues;
-
key regulations, IT-specific regulations, for example lots of regulations nowadays, as we said earlier,
-
for example RBI for banking, TRAI for telecom, NPCI for payment gateways, etc.
-
The IT functions or related activities that have been outsourced: very, very important in these times.
-
Every organization has certain outsourcing. Okay? Any third-party collaborations. Okay?
-
I was auditing a payments bank the other day; every department has something that is outsourced, for example the creative department,
-
the marketing department also, you know, for campaign development they sign agreements with the other parties.
-
Now there's a lot of exchange of confidential information between you and your third party. Okay?
-
So that kind of arrangement also you need to check: what do you share with them?
-
So outsourcing is an important aspect. Just to cut short this thing: outsourcing is an important aspect that the auditors must look into,
-
what kind of arrangement is there with the third party.
-
Touring key organization facilities. Again, this is a walkthrough; we call it a walkthrough.
-
You know, this is an important aspect when we look at the physical security of an organization.
-
In terms of information security, we go and tour the facility of the organization, try to assess the awareness of the people,
-
we try to assess what kind of controls they have in terms of physical security, physical and environmental security. Okay?
-
Also, you know, touring the facility will also give you an insight into the culture of the organization sometimes. Okay?
-
So as an auditor you must also match available audit resources, such as staff, with the tasks defined in the audit plan.
-
So you have limited resources, you have certain auditors; you will have the tasks assigned to the various auditors according to the audit plan.
-
Now, certain laws and regulations, we were discussing them earlier as well: ISPs, banks, internet service providers are closely regulated.
-
So these legal regulations may pertain to financial, operational and IS audit functions.
-
So there is a legal, financial, or, you know, general SOX compliance; that is basically a financial regulation, okay, for US companies,
-
and now many companies which are working across the globe have to be SOX compliant, so you have to consider that as well.
-
And then operational regulations are there, okay, in terms of, for example, TRAI, RBI, NPCI; these are operational regulations.
-
Then there are IS audit function regulations also. So for example RBI says that you have to get audited every year by a CISA,
-
okay, and you have to submit the CISA report to the RBI, okay, if it is a bank in India.
-
So that kind of regulations are also there. Okay? You have to submit audit reports to the regulatory body every year as they demand;
-
sometimes they don't want you every year, or they would demand an audit and then they will ask for a report.
-
Okay, now there are two areas of concern that impact the audit scope and objectives:
-
what is the legal requirement placed on the audit, as I said, I gave you an example of this legal requirement, okay,
-
and then the legal requirement placed on the auditee and its systems, data management, reporting, etcetera.
-
Now, the IS audit role in compliance: to determine the organization's level of compliance,
-
the IS auditor must identify those government or other relevant external requirements.
-
Now, it's not the responsibility of the auditor to basically look at the various regulations, because that's the compliance department in an organization.
-
So for example, I am a telecom; I should be aware of what the various telecom regulations are that I should be following. Okay?
-
So you will get those regulations; so you should be aware of those regulations, okay,
-
and then you also assess what level of compliance the organization is maintaining. Okay?
-
So the auditor basically asks for a legal plan or a compliance plan, or, you know, a kind of process SOP document
-
which the organization maintains to ensure that they comply to all the regulations, okay, and the external requirements,
-
and the auditor basically checks whether they are fulfilling that.
-
Now, the auditor may question the compliance plan itself.
-
So that's the other case, that the auditor may say that this compliance plan itself is not adequate.
-
So if the plan is not adequate, obviously the compliance level is very doubtful. Okay?
-
So as an auditor you must also assess both the things: the compliance plan of the organization as well as the level of compliance.
-
Okay, so identify those government or other relevant external requirements dealing with electronic data, personal data, copyrights, e-commerce, e-signatures, etc.;
-
computer system practices and controls, then we have the IT Act 2008 for that;
-
then the manner in which the computers, programs, data are stored. Many countries have retention policies. Okay?
-
For example, in India the retention policy is seven years for logs,
-
and so you have to go and dig out what kind of requirements you have in terms of retention, okay,
-
and you have to follow that, and every country has its own. Okay?
-
Then the organization or the activities of the IT services; then you have the IS audits as well,
-
so you have to also see what the requirements for the IS audits are. Okay?
-
For example, if you are maintaining an ISO 27001 certificate, every year you have to go for a surveillance audit and go for a re-certification audit.
-
So you have to see what kind of arrangement it is, what kind of audit cycles the organizations require to have.
-
If you don't do a surveillance audit, you know, your certification is invalid for ISO 27001, or any of the ISO basically.
-
Now I have audit steps in determining organizational compliance. So document the applicable laws;
-
as I said, every organization documents the applicable laws and regulations. Okay?
-
Then assess whether the management and IT function have considered the relevant external requirements in their plans. Okay?
-
Now external requirements are contractual obligations sometimes. Okay? You have contractual obligations towards a third party,
-
towards the customer basically; mostly those are towards the customer.
-
You are a telecom organization, okay, you have certain requirements towards, you are giving a product, for example, telecom, okay,
-
you have certain requirements towards availability of that product towards that customer, okay, in terms of services, the service level agreement.
-
So you must also assess what the relevant external requirements there are. Okay?
-
Then, obviously, the requirements in their plans, policies, standards, procedures, as well as business application features;
-
so that's what I said in the service level agreements.
-
Then review the internal IT department function activity documents that address adherence to the laws applicable to the industry. Okay?
-
Determine adherence to the procedures that address these requirements, because the procedures should support the laws and obligations. Okay?
-
So if the procedure says that the backup, for example, the procedure says that the backup has to be conducted, okay, however... yeah, no, sorry:
-
the law says that you should have a retention of seven years. Okay? The law says that you have a retention of seven years,
-
but you don't have a backup mechanism based on that. Okay? You delete the data every three years; you delete the backup every three years.
-
So your procedures, the backup procedure, should basically support your retention policy or the retention law of that country. Okay?
-
Then determine if there are procedures in place to ensure contracts or agreements with external IT service providers reflect any legal requirements related to responsibilities.
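The check just described (the seven-year retention requirement against a backup procedure that purges after three years, and the carry-through of the same requirement into the contract with an external IT service provider) is worked out here as an added example; it is not part of the lecture. It also serves the earlier point that the auditor must dig out each country's retention requirements. The obligation register, the procedure register, the provider name and all retention figures are constructed for illustration and are not real legal requirements.

```python
"""Checking that procedures support legal and contractual retention
requirements (added example, not from the lecture).

The register of obligations and the register of procedures are constructed
for this example. For each data type the check asks: does the backup
procedure's purge schedule destroy records before the longest applicable
obligation expires, and, where storage is outsourced, does the provider's
contract carry that obligation through? It also flags obligations that no
procedure addresses at all.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Obligation:
    data_type: str
    source: str            # law, regulator or contract the requirement comes from
    kind: str              # "statutory" or "contractual"
    retain_years: float


@dataclass(frozen=True)
class Procedure:
    data_type: str
    document: str
    delete_after_years: float                  # when the backup procedure purges the data
    provider: Optional[str] = None             # outsourced storage provider, if any
    contract_retain_years: Optional[float] = None  # retention clause in that contract


def longest_obligation(obligations, data_type):
    """The binding requirement is the longest one that applies to this data type."""
    applicable = [o for o in obligations if o.data_type == data_type]
    return max(applicable, key=lambda o: o.retain_years) if applicable else None


def assess(obligations, procedures):
    """Return a list of finding strings; an empty list means the procedures support the obligations."""
    findings = []
    covered = set()
    for p in procedures:
        covered.add(p.data_type)
        req = longest_obligation(obligations, p.data_type)
        if req is None:
            continue  # no external requirement: retention is a business decision here
        if p.delete_after_years < req.retain_years:
            findings.append(
                f"{p.data_type}: {p.document} purges after {p.delete_after_years:g} years, "
                f"but {req.source} ({req.kind}) requires {req.retain_years:g} years")
        if p.provider is not None:
            if p.contract_retain_years is None:
                findings.append(f"{p.data_type}: contract with {p.provider} has no retention clause")
            elif p.contract_retain_years < req.retain_years:
                findings.append(
                    f"{p.data_type}: contract with {p.provider} retains {p.contract_retain_years:g} years, "
                    f"short of the {req.retain_years:g} required by {req.source}")
    for o in obligations:
        if o.data_type not in covered:
            findings.append(f"{o.data_type}: no procedure documents how {o.source} is met")
    return findings


# Constructed registers; the figures are illustrative, not real legal requirements.
OBLIGATIONS = [
    Obligation("system logs", "national IT regulation (illustrative)", "statutory", 7),
    Obligation("card transaction records", "card-brand SLA (illustrative)", "contractual", 5),
    Obligation("employee records", "labour law (illustrative)", "statutory", 8),
]
PROCEDURES = [
    Procedure("system logs", "BKP-01 Backup and purge", delete_after_years=3),
    Procedure("card transaction records", "BKP-02 Payments archive", delete_after_years=7,
              provider="Example Hosting Ltd", contract_retain_years=2),
]

if __name__ == "__main__":
    for finding in assess(OBLIGATIONS, PROCEDURES):
        print("FINDING:", finding)
```

Three findings come out of the constructed registers: the log purge schedule shorter than the statutory period, the provider contract that does not carry the contractual retention through, and an obligation with no procedure behind it. The third case is the one auditors miss when they only read the procedures that exist, which is why the check walks the obligation register as well.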
-
Now, sometimes what happens is that you have a contractual obligation to maintain the certificate of ISO,
-
or you have to maintain PCI DSS, Payment Card Industry Data Security Standard. Okay?
-
So you also have to see whether those external IT service providers, you know, combine it with the legal requirement. Okay?
-
Let me give you an example. For example, if you're a TRAI member, if you are a telecom provider, you have to actually follow the regulatory guideline.
-
Now for a particular license in telecom you require an ISO 27001 certificate. Okay?
-
For example, you are a wallet provider, Paytm, okay, you have to follow the NPCI guidelines, okay,
-
and you also need to, you know, comply, and that becomes a legal requirement for you. Okay?
-
So it is bound, because NPCI is also a statutory organization which is bound by the Government of India, okay,
-
and then it becomes a law or a legal requirement for an organization. So it becomes a legal requirement for them to fulfill.
-
Now, okay, it is no more a kind of non-statutory requirement for them; it's a statutory requirement for them to fulfill.
-
Okay, now we'll further move on to business processes, applications and controls.
-
So in an integrated application environment, controls are embedded and designed into the business applications.
-
As you are aware, we are using, for example, for banking applications, for the banking sector we are using some, you know, Oracle system, for example;
-
in telecom, for various things, you know, we use SAP systems in our organizations. Okay?
-
These are basically very integrated application environments in an organization. Okay?
-
They have multiple supports, and multiple processes around that application,
-
and they're supporting basically multiple departments in an organization at the same time. Okay?
-
So there are certain controls and assurance levels that the organizations must adhere to. Okay? For that reason there are assurance levels that are defined.
-
For example, SAP is used by multiple departments for multiple purposes, and basically for multiple processes in that department. Okay?
-
So you must understand that there are certain controls which we place to provide assurance of that activity.
-
So for providing those assurances you need to have adequate controls. So these are three controls, you know, that can be embedded in a bigger application,
-
okay, so that you are providing adequate risk mitigation. Okay?
-
Now the three types of controls are management controls, okay, programmed controls and manual controls. Okay?
-
So to effectively audit a business application system, the IS auditor must obtain a clear understanding of the applications under review,
-
and also, when you are doing the review of the application, what, as an auditor, are you checking? You are checking the adequacy of the controls. Okay?
-
Now there are different types of applications, for example an e-commerce application, which is also a very big application; you have multiple processes in it.
-
You have electronic data interchange. Okay? Now electronic data interchange is basically, you know, your SCADA systems,
-
your systems which basically provide inputs to another system, okay, that kind of electronic data interchange.
-
Now these electronic data interchanges are basically sometimes inter-organization, inter-department, etc. Okay?
-
Then email, we know. Point-of-sale, POS, systems, which are basically used in retail;
-
there are multiple processes in it: you have a billing section, your purchase, your purchase return, your procurement, etc.
-
Then you have electronic banking, electronic finance; then you have payment systems, electronic funds transfer, EFT, or ATMs;
-
supply chain management; purchase accounting systems; integrated manufacturing systems; ICS, industrial control systems, like air traffic control, SCADA, etc.;
-
interactive voice response systems. Okay? Generally, if you see IVR, we know when we call a support desk it goes to IVR, so that kind of systems are there;
-
the image processing systems, AI, DSS and customer relationship management.
-
Okay, moving on to using the services of other auditors. Okay? Now, using the services of other auditors, again experts basically, or maybe auditors,
-
in the sense of, maybe you're auditing a third party and that third party is getting audited by another third party who you are believing.
-
Let me give you an example here. For example, I am a bank, okay, and PwC is auditing me.
-
Okay, sorry: if I am a bank, I have asked PwC to audit my third party. Okay? This is the arrangement. Okay?
-
I have given a job to PwC to audit a third party for me. Okay?
-
The customer wants to come, and my customer wants to look at the reports of how my bank is performing. Okay?
-
So now I am showing a PwC report of the third party, okay, subcontracting.
-
So from a customer perspective, I want to look at how a bank is complying, how much the bank's suppliers are also.
-
So my bank shares customer information with the suppliers also. Okay?
-
So my bank would always say that I am protecting your information, but my information is not with the bank;
-
my information is with the third party of the bank. Okay? So this kind of arrangement it is. Okay?
-
Now, should I believe my bank's report, or should I believe the PwC report here?
-
So basically what I'm saying is: I'm a bank, okay, and my customer wants to look at how I'm, you know, protecting its information. Okay?
-
But as a bank I'm also sharing the customer's information with the third party. Okay?
-
I've asked PwC to audit that third party, okay, who's storing that information.
-
Shall the customer believe the bank's report or the PwC report? I could not trust the bank's report, okay,
-
because the bank will always say that I am protecting the information, right? I would trust a third party; it's a PwC report.
-
As a customer, I'm auditing a bank, and I ask the bank, who are you sharing my information with?
-
The bank would say, I am sharing the information with a supplier or a vendor. Okay?
-
Now, how do you ensure that the supplier is protecting my information? Okay?
-
So the bank would say, I am getting the supplier audited by PwC every year, and that's how it is being protected.
-
Yes, I would not believe what the bank would say; I would believe the PwC report.
-
It says that my information is protected by the third party. Okay?
-
So that's how, you know, you understand, that's how you basically use the services of other auditors and experts. Okay?
-
And other auditors, basically, okay, you look at their reports, you substantiate your findings based on the reports.
-
Okay, so when using external and outside experts, consider the following.
-
Restrictions on outsourcing: as I said, I discussed the outsourcing because that's the most important aspect when we talk about using the services of other auditors. Okay?
-
Restrictions on outsourcing audit and security services provided by laws and regulations, audit charter or contractual stipulations. Okay?
-
Impact on overall and specific IS audit objectives. Okay? These kinds of arrangements can also have an impact on your audit objectives. Okay?
-
Impact on audit risk and professional liability. Okay?
-
Now there's a lot of, in a lot of agreements, in terms of independence in the organizations,
-
and it's a very big kind of confusing zone for many organizations in terms of independence. Okay?
-
For example, PwC is also working for some, for that organization, and it is not allowed to audit.
-
For example, in India PwC is not allowed to do financial audit, okay, due to certain frauds that happened, you know, three years back. Okay?
-
So that kind of liability is also there. Okay? Then independence and objectivity of other auditors and experts;
-
so independence is one of the important aspects for the auditors and experts.
-
Professional competence, qualification and experience; scope of work proposed to be outsourced, and approach;
-
then supervisory and audit management controls. Okay?
-
So these are the things that should be considered while taking the services from the other auditors and experts.
-
Now, this is a quick activity which I want to do with you. Now, you have been assigned to an integrated audit.
-
What is an integrated audit? Just to cut short the discussion:
-
an integrated audit is when you're auditing multiple areas, sorry, not multiple areas but multiple, what you call it, objectives basically.
-
For example, you're doing a quality audit combined with an information security audit; okay, that's an integrated audit. Okay?
-
Or you're doing an information security audit combined with an operations audit; okay, that's an integrated audit.
-
So you have been assigned to an integrated audit. Finance, business ops areas? No, so that's not an integrated audit.
-
That's basically not what an integrated audit is. You're doing two audits, you're checking for two different audit criteria. Okay?
-
An audit criterion is, for example, quality, information security, operations, finance. Okay?
-
So you're looking at the quality of the system, you're also looking at the information security of the system,
-
you're also looking at the operational effectiveness of the system, and also you're looking at the financial effectiveness of that system.
-
So that's four things together; that's our integrated audit. Yeah.
-
So you have been assigned to an integrated audit of a payroll process and need to plan the IT audit portion of the engagement. Okay?
-
What is the most important business process area that you need to consider in a payroll?
-
So to help you perform the audit, would it be better to know the IS audit budget or to know the CIO and CFO risk profile for the payroll process?
-
So what is the most important business process area that you need to consider here?
-
Now this is a question for you guys. Okay?
-
So due to resource constraints of the IS audit team, the audit plan as originally approved cannot be completed.
-
Assuming that the situation is communicated in the audit report, which course of action is most acceptable? Okay?
-
So you will focus on auditing high-risk areas, okay, because of the resource crunch. Okay?
-
Coming to the next question: this is true, so you verify the software in use through testing first. Okay?
-
uh this would we'll try to complete this
-
section which is the types of controls
-
and this is a very easy sections
-
So basically there are different types of controls with which you try to manage the risk: risk transfer, and risk avoidance. Now avoidance is different from elimination. Risk avoidance is basically when we don't take the risk. For example, there's a business unit which is not working properly and there's a lot of business risk to it; you just shut that business. That is avoiding the risk. For example, I'm going from point A to point B, I'm going to point B by car, and I see a risk that rain can happen, so I'm not going at all. That is called risk avoidance.

Accepting the risk is that you are going there, and whatever rain comes, I would take the proper controls, but I would go. That is called acceptance. Mitigating means you are putting proper controls in place and then you are accepting it.

Then the third option we have is risk transfer. Now there is no transfer option here, but generally insurance or other things are there, or outsourcing, where we transfer the risk to another party.
-
So controls are there to basically minimize the risk, to maintain the risk. So every organization has controls in place. An effective control is one that prevents, detects and contains, or reduces the impact of that particular risk event. So controls prevent, detect, and contain or reduce the impact, and also there are certain controls which help in recovery. Now we'll come to those examples at a later stage in this particular area of the domain, but it is very important to develop, monitor, implement and design the information systems controls in place.

Now controls, as we discussed earlier, could be policies. If you remember, we discussed the controls: they could be policies, could be procedures, could be practices, could be organizational structures. So those four things you have to remember: policies, procedures, practices or structures that are implemented to reduce the risk to the organization. Coming to
-
internal controls: internal controls are normally composed of policies, procedures, practices and organizational structures, as I said, that are implemented to reduce the risk to the organization. Internal control should address what should be achieved and what should be avoided.

Now they are, as I said earlier, preventive, detective and corrective controls. Now preventive: these are some of the examples here, and the preventive controls always detect; they can detect the problem before it arises. They monitor both operations and inputs, attempt to predict problems before they occur, and prevent an error, omission or malicious act from occurring. Segregation of duties, for example, is a preventive control, which basically detects errors, prevents fraud, etc. Then control access to physical facilities; for example, you have ACS, access control systems, for physical security. You use well-designed documents for printing, you have input validations etc. in an application; that's also an example of a preventive control.

Detective control: CCTV, which basically only detects, reports the occurrence of an error, omission or malicious act.

Then you have corrective control, which basically, post detection, also corrects things. So it minimizes the impact of a threat, remedies problems discovered by detective controls, identifies the cause of a problem, corrects errors arising from a problem, and modifies the processing systems to minimize the future recurrence of the problem. So these are the different control types. Then we have the control objectives and control measures.
-
Now a control objective is basically very simple to understand. Every control has an objective, to prevent, and then there could be... So first and foremost we don't define the control; first and foremost we define the control objectives, for example what do we want to protect ourselves from. Based on the control objective you apply the control measure. So first and foremost you have to define the control objective: what do you want to achieve from that control, or what risk are you to mitigate. From the risk there would be a control objective, and from the control objective there would be a control.

For example, a control objective can be malware protection: I want to protect my systems from malware. Now to achieve that control objective I would apply controls: I would apply antivirus, I would apply patches, I would do penetration testing of my systems. All these are controls to achieve that.

So a control objective is basically defined as an objective of one or more operational areas to be achieved in order to contribute to the fulfillment of the strategic goals of the company. Now the strategic goal of the company could also be related to your risk, which is the high-level risk of the organization, and how mitigating that risk will basically help your business objectives to be achieved efficiently. So that is the control objective: the control objective is such a goal that is especially related to the strategy of the company.
-
Then, control objectives are basically statements. They are not basically controls; they are statements of what we want to achieve. Always remember that control objectives are statements of the desired result, or the purpose to be achieved, by implementing that particular control. Now this control can be any procedure, any policy, any other structure or practice. Now control objectives apply to all controls.

So for example, if you have a control objective, as I was telling you, malware protection, you should have a control measure: an activity contributing to the fulfillment of a control objective. Both the control objective and the control measure serve the decomposition of strategic-level goals into such lower-level goals and activities that can be assigned as tasks to the staff, for example a procedure. So this assignment can take the form of a role description in a job description.

I hope that the two definitions are clear, in terms of control objective and control measure, or, as we generally call it, control.
-
So the next slide: the control objective, as I said, is a statement of the desired result that we achieve by implementing the controls around the information systems. It can comprise policies, procedures, practices and organizational structures designed to provide reasonable assurance that the business objectives will be achieved and undesired events will be prevented, detected or corrected.

Now these are some of the control objectives that can be applied to the information systems. Now if I take a few of them here: safeguarding assets. I think this is a control objective which every organization would have, protecting the information assets. Then, if you have SDLC software development in your organization, you will say that the process should be established in place and shall operate effectively. And if you're using an OS, you will say that the integrity of the OS environment should be maintained; the integrity of sensitive and critical application systems environments should be maintained. These are some of the objectives that are common to an organization. For example, if you come down to SLAs: it should meet the service level agreements and contract terms and conditions to ensure information assets are properly protected and meet the operational goals and objectives.

But when you're looking at control objectives you must also take into consideration how this control objective is linked to my business objectives as well, and how it is giving value to my organization. So as an auditor you should also see how this particular control objective is serving the business objective, and how this control objective is achieved through various controls in the organization.
-
At the same time, now there are so many general controls; every organization has these general controls. Internal accounting controls, that concern safeguarding of assets and reliability of financial information. Operational controls, that concern day-to-day operations. There are administrative controls, which talk about operational efficiency in terms of cost in a functional area and adherence to management policies, internal management policies. Organizational security policies and procedures to ensure proper usage of assets. We have overall policies for the design and use of adequate documents and records; access and use procedures and practices; physical and logical security policies for all facilities. So these are some of the general controls which every organization has.
-
Then there are IS-specific controls, information systems specific controls. Now each general control can be translated into a more detailed, specific information system control. For example, here if I ask you: administrative controls concern the operational efficiency in a functional area; or if I talk about reliability of financial information. If you take this example, safeguarding of assets and reliability of financial information, what do you think is the information system specific control for safeguarding of assets? You have the information security management system. So each general control can be translated into IS-specific controls. The IS auditor should understand the IS controls and how to apply them in planning the audit. So based on the general control you can also drop down to the system-specific controls.
-
IS control procedures include: strategy and direction of the IT function; general organization and management of the IT function; access to IT resources, including data and programs. So someone talked about transaction data; obviously you can assess, look at how the access to IT resources including data and programs is controlled. Then system development methodologies and change control. These are some of the specific areas where the organization can apply the controls. Then there are operational procedures, the system programming and technical support functions, there are quality assurance procedures, and there are physical access control procedures. There is business continuity planning and disaster recovery controls, network and communications controls, database administration controls. And that's the reason, if you want to look at network and communication controls, there's a network audit that is performed in many organizations. Database audit is another area, where you also look at the database administration; very important, in many organizations their data is critical, specifically banks, so the administration of the database is something very critical. Then protective and detective mechanisms against internal and external attacks, which is your penetration testing, vulnerability assessment, etc.
-
We will do the risk-based audit planning. Now this is just a repetition of what we have already talked about a lot; just go through it, but you need to understand here the nature of business. The auditor must understand the nature of business. When you talk about risk, the auditor must understand the nature of business so the auditor can identify and categorize the types of risks; that will be better to determine the kind of risk model or approach for conducting the audit. For example, if you are in a bank, or a telecom, or oil and gas, the risk would change. Based on the risk of the particular industry, that should be your model; you should prepare your model based on the type of industry. For example, if you're doing an audit of a nuclear power plant, your perspective would change, and if you're doing one for a bank, the perspective should change. So you should understand the nature of business and, based on the nature of business, you should apply the auditing practice. So knowledge of the business industry is the most important thing.
-
Gather information and plan: take prior audit results, if possible; if you are doing a first-time audit then it's not possible. The recent financial information of that organization, because that is important in terms of materiality. For an organization, maybe a thousand-dollar loss is nothing. And then inherent risk assessment.
-
So you're also looking at inherent risk there. Now inherent risk is basically risk without controls. For example (I'm giving a very lame example), there's a building and I would say that this building can catch fire, this building can have an earthquake, etc., it is flood prone. I am not looking at the controls right now; I am looking at the inherent risk to that building. Now I can have fire extinguishers, I can have water detector systems, I can have earthquake resistance, etc., but I'm not factoring in those things. I'm just looking from a high-level perspective at what could be the risk to my organization.

Now the benefit of doing that is that you would cover all the risks; you are covering a lot of ground there. You're not factoring in the controls, you're covering a lot of ground during your assessment: you are factoring in fire, factoring in earthquake, factoring in flood, factoring in theft. But if you factor in the controls, for example you say that there's earthquake resistance, now you're not factoring in the earthquake; you're not putting that earthquake as a part of your risk. You might reduce the risk once you factor in the controls. So always look at the inherent risk, not the risk which is after the controls. As an auditor you should always look for inherent risk, not the risk after implementation of the controls.

I hope inherent risk is clear to you guys. Let me repeat that, because that's an important concept as far as the CISA exam is concerned: inherent risk is risk without factoring in the controls. For example, I am going from point A to point B; I am not looking at any controls that can be applied here. I'm just saying, if I go from point A to point B, my tyre can get punctured, I can meet with an accident, rain can come. So these are the inherent risks which I'm factoring in. I'm not saying that I will follow the traffic controls, that in terms of meeting with an accident I would follow all the rules; I'm not factoring in anything. So for my own infrastructure, you are looking at a risk without factoring in the controls.
-
Then obtain an understanding of internal controls. Now you are factoring in the controls. You are seeing: okay, now these are the risks inherent to the organization; now I would look at the controls. I will look at the control environment, very important in terms of control; I will look at the control procedures; I will look at the detection risk assessment, the control risk assessment, and equate total risks. And then perform compliance tests: identify key controls to be tested. Now once you know the controls are there, you will perform the compliance test; you perform the test of those controls, perform the test of reliability, risk prevention and adherence to the organization's policies and procedures.
-
Then you also perform the substantive test. Now a compliance test is just yes or no. For example: you have an access control system, yes or no; you have a security guard, yes or no. So that's a compliance test. But when you perform a substantive test you basically do analytical procedures. For example, for the access control system you will check: the people who left the organization, have they been deleted from the access control system? The people who have left the organization, have they accessed the systems after their exit? That's kind of an analytical approach, one step ahead, in depth compared to those compliance tests. So you apply analytical procedures, you do detailed tests of account balances, other substantive audit procedures.

Now these are used in banking, for example: you say that a person has made a transaction, and check whether the right-hand side is equal to the left-hand side. So you send money to someone; your account balance should go down, and the account balance of the other person should go up. Now this is a substantive test you perform to ensure the integrity of that transaction. It's kind of a check, like in a balance sheet you have the left-hand side equal to the right-hand side, those kinds of procedures which you apply. So you check the logic of that transaction.

Then you conclude the audit, in terms of recommendations, and write the audit report. So these are the risk-based audit planning techniques.
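The two substantive procedures described above (reconciling leavers against the access control system, and replaying transfers to confirm debits equal credits) as an added, runnable example; this is not code from the lecture or from any audit tool, and the HR leaver list, ACS accounts, ACS log lines, ledger balances and the `acs_config` dict are all constructed sample data with hypothetical names. The compliance test only records whether the control is said to exist (yes/no); the substantive tests look at the data the control should have produced.

```python
from datetime import date, datetime

# Constructed sample data (not from the lecture): HR's leaver list with exit
# dates, the accounts still active in the physical access control system
# (ACS), and ACS event lines of the form "<ISO timestamp> <user> <door> <outcome>".
HR_LEAVERS = {
    "asmith": date(2023, 3, 31),
    "bjones": date(2023, 5, 15),
    "cdoe": date(2023, 6, 1),
}
ACS_ACTIVE_ACCOUNTS = {"asmith", "cdoe", "dlee", "ekhan"}
ACS_LOG = [
    "2023-03-30T08:55:12 asmith DOOR-DC1 GRANTED",   # before exit: fine
    "2023-04-03T09:02:41 asmith DOOR-DC1 GRANTED",   # after exit: finding
    "2023-05-16T07:45:00 bjones DOOR-LOBBY DENIED",  # after exit, but denied
    "2023-06-02T18:20:09 cdoe DOOR-DC1 GRANTED",     # after exit: finding
    "2023-06-02T18:21:30 dlee DOOR-DC1 GRANTED",     # current employee
]


def compliance_test(acs_config):
    """Compliance test: a yes/no check that the control exists.

    `acs_config` is a hypothetical dict describing what the auditee says is in
    place; the test records whether each control is present, not whether it
    actually worked.
    """
    return {
        "leaver_procedure_documented": bool(acs_config.get("leaver_procedure")),
        "hr_feed_to_acs": bool(acs_config.get("hr_feed")),
    }


def parse_acs_log(lines):
    """Yield (timestamp, user, door, outcome) tuples from the constructed log format."""
    for line in lines:
        ts, user, door, outcome = line.split()
        yield datetime.fromisoformat(ts), user, door, outcome


def substantive_test_leavers(leavers, active_accounts, log_lines):
    """Substantive test: reconcile HR leavers against ACS state and ACS events.

    Two findings are produced: leavers whose ACS account is still active, and
    accesses that were GRANTED after the exit date. A DENIED event after the
    exit date is evidence the control worked, so it is not a finding.
    """
    not_removed = sorted(u for u in leavers if u in active_accounts)
    post_exit_access = []
    for ts, user, door, outcome in parse_acs_log(log_lines):
        exit_date = leavers.get(user)
        if exit_date and ts.date() > exit_date and outcome == "GRANTED":
            post_exit_access.append((user, ts.isoformat(), door))
    return {"not_removed": not_removed, "post_exit_access": post_exit_access}


# Constructed ledger data for the transfer-integrity procedure: each transfer
# must debit the sender and credit the receiver by the same amount, and
# replaying all transfers must reproduce the ledger's closing balances.
OPENING = {"ACC-1": 500, "ACC-2": 200, "ACC-3": 0}
TRANSFERS = [
    {"id": "T1", "from": "ACC-1", "to": "ACC-2", "amount": 100},
    {"id": "T2", "from": "ACC-2", "to": "ACC-3", "amount": 50},
]
CLOSING_PER_LEDGER = {"ACC-1": 400, "ACC-2": 250, "ACC-3": 40}  # ACC-3 is off by 10


def substantive_test_transfers(opening, transfers, closing):
    """Replay transfers and report accounts whose replayed balance differs from the ledger.

    Returns a list of (account, expected, reported) discrepancies; an empty list
    means the left-hand side equals the right-hand side for every account.
    """
    balances = dict(opening)
    for t in transfers:
        balances[t["from"]] -= t["amount"]
        balances[t["to"]] += t["amount"]
    return [
        (acct, balances[acct], closing.get(acct))
        for acct in sorted(balances)
        if balances[acct] != closing.get(acct)
    ]


if __name__ == "__main__":
    print(compliance_test({"leaver_procedure": "HR-PROC-07", "hr_feed": True}))
    print(substantive_test_leavers(HR_LEAVERS, ACS_ACTIVE_ACCOUNTS, ACS_LOG))
    print(substantive_test_transfers(OPENING, TRANSFERS, CLOSING_PER_LEDGER))
```

Run as-is, the compliance test says both controls are present, while the substantive test still finds two leavers with live ACS accounts, two post-exit entries into the data centre, and one account whose ledger balance does not match the replayed transfers. That gap between "the control exists" and "the control worked" is exactly why the substantive test is the deeper step.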
And these are things that may impact the audit approach: audit risk and materiality. As I said, inherent risk I explained to you earlier. As it relates to audit risk, it is the risk level or exposure of the process or entity to be audited without considering the controls that management has implemented. Inherent risk exists independent of an audit and can occur because of the nature of the business. As I said, in a building an earthquake can happen, fire can occur, flood can happen. So this is the inherent risk.
-
Now control risk is basically the risk that a material error exists that would not be prevented or detected on a timely basis by the system of internal controls. So control risk: even if the control is present, there's a chance that the control may miss the risk. For example, the control risk associated with manual reviews of computer logs: if you're doing a manual review of computer logs which are thousands in number, there's a high probability that you would miss the information. So the control risk associated with a computerized data validation procedure is ordinarily low if the process is consistently
-
applied. Then there is detection risk: again, the risk that material errors or misstatements that have occurred will not be detected by the IS auditor. Now there is a possibility, because an audit is not a guarantee, it's assurance. So there's a possibility that as auditors we fail to identify issues, we fail to detect risk in the system, and that happens; we are human beings, and this has happened in many organizations: the auditor failed to detect errors, and that error was there for a very long time, and then one auditor came and he detected the error, and then he looked at the previous reports also; the error was missed, etc. So there's a detection risk also, from an auditor's perspective. Then the
-
overall audit risk is also there. Now the overall audit risk is the probability that the information or financial reports may contain material errors and the auditor may not detect an error that has occurred. So the auditor can also fail to detect an error that has occurred.

So the difference between detection risk and audit risk you must understand. The detection risk is that the material errors or misstatements that have occurred will not be detected by the IS auditor. Similarly, the overall audit risk is that there are material errors and the auditor may not detect an error that has occurred. So it is almost a similar definition, what we have for detection risk and overall risk. Now the objective in formulating the audit approach is to limit the audit risk in the area under scrutiny so that the overall risk is at a sufficiently low level at the completion of the examination.
-
Coming to risk assessment: a risk assessment basically assists the auditor in identifying the high-risk areas, and also it helps in the evaluation of controls. Now risk assessment is to identify, quantify and prioritize risks against criteria for risk acceptance and objectives relevant to the organization. Always remember that risk assessment should be able to assess based on criteria. Organizations have different criteria; every organization has to define the criteria on the basis of what they want to consider as risk. Every organization would have different criteria for acceptance.

Now for me, as I said again, a one-thousand-dollar loss is very much, but for a big organization it's nothing. So based on that level you would say: is it high, medium or low? And an organization has to decide whether it would accept the low risks, or the medium risks, or whether it will also accept the high-risk areas that the organization has today. It also depends on the nature of the organization. For example, a nuclear power plant: even a low risk would be very much for such an organization. For example, a library: for them that risk may not be that much; they would only consider the high risks to them. So it would depend on the nature of business. And also, it supports
-
risk-based audit decision making, as we have already studied in the risk-based auditing principles. So it supports the decision making by considering variables such as technical complexity and the level of control procedures in place. For example, there is an area where a lot of controls are present and the risk is less material; you may want to consider it as a low-risk area. The level of financial loss is also something which should be considered. For example, if a risk materializes, if a risk is triggered, a risk event in reality happens, what would be the financial loss? Generally many organizations use this financial loss as a criterion in terms of high, medium, low, or maybe sometimes organizations say that if the risk is less than one million then it would be accepted, and if it is more than one million it would be mitigated, or a management decision needs to be taken. So we can also define a financial loss figure against that. Now there are multiple risk
-
responses. As I said, risk mitigation is to reduce the risk with appropriate controls. Accept the risk: knowing it, knowingly and objectively not taking action, because sometimes, for example, there's too much cost to mitigate it; that's not how their business is, there's no financial support there. I will give you an acceptance example here.

Then risk avoidance is basically not doing that activity at all: you're not allowing action that would cause the risk to occur. For example, I gave you the example of going from one place to another; if I see that rain would come, I foresee rain, I don't go. So that is avoiding the risk.

Then risk transfer is sharing and transferring the risk to another party. Now risk transfer has to be a decision that management has taken very cautiously, because when you're transferring the risk you are not transferring the responsibility for the risk occurrence. For example, you're taking insurance for a fire. Now the fire happened. Now you have only looked at the financial aspect of that risk, but again, if you see how your employees are suffering, how your suppliers are suffering, how your customers are suffering, that responsibility is on you; it's not on the insurance provider to look at. So you are basically not transferring the entire risk; you are just transferring the financial aspect of that risk to the insurance company.
-
Now in terms of risk acceptance, very important: look at deliberately not taking action. You are not taking action because of the cost of the control that would have to be put in place. For example, I went to an audit; it was a house. I went for an ICICI Bank audit and it was just a simple house, and there were two systems there. It's a third party of ICICI Bank. There were two systems and only one employee was there, and one employee was on leave. Now what they're doing is, the bank is sending them a form for their club membership; they're typing in the club membership, they're scanning the document, and they're sending it back to the bank. So it's a manual form which comes to the third party; the third party does the data entry of that form, scans that form and sends it to the bank again. Now this is a small organization, and they are dealing with the PII of the bank's customers.

Now what I see here is: I asked them to have an antivirus; I told them, these are the controls that should be in place, you don't have these controls, you're using your personal systems for storing bank information, you don't have antivirus. I gave the list of findings there. So he said, I get 10 rupees per form to fill each form; do you want me to apply this control for the 10 rupees which I get? I don't want business from ICICI Bank. That's what he said to me. So I said, that's how it is: you accept the risk knowingly and objectively, not taking action. But again, the risk is to the bank. Now this has been transferred to him, but again he's not able to properly handle that. Now I don't know what happened; I gave that report to them; I don't know whether the business is still with that third party or not.

These situations can happen, so your risk response option should be very much in line; any organization should take that option very carefully.

Okay, thank you guys, thank you very much.