We'll start with the CISA, and I have a pretty good idea that, yes, you guys come from diverse backgrounds--some from finance, some from IT--and you want to do this training. That's a very good thing, especially as we're facing the situation where, in the entire world, people are trying to upskill themselves. And CISA is one of the most valuable certifications you have chosen to upskill yourself. CISA has not come up very recently. It has been there for a long time, since the 1990s.

Okay? Now, even in the 1990s, you know, our IT systems weren't as prevalent, I would say. However, by the year 2000, moving into the 21st century, you know, people started using systems more. With that came a lot of risks associated with those systems. Okay? Everyone agreed that risks were present and needed to be mitigated, you know. That's the reason, you know, the board or the owners of those systems, the owners of organizations using those systems, wanted to implement certain controls in place, in terms of getting to know how the systems are working, whether those systems are working and giving adequate value to the organization. So that's the reason this certification was introduced. And auditing is one of the important controls from the board of directors' and organization owners' point of view. They introduced information systems to be audited, you know, and for that reason there was a lack of resources and there was a lack of competencies in the market to understand those systems and understand the controls within those systems--whether they are working as, you know, expected, or whether they're giving value to the organizations as per the expectations of what the stakeholders want. So that's the reason the CISA certification was introduced.

Gradually, it has become one of the pioneering certifications in terms of auditing. I think pioneer, I would say it is the only certification which is recognized in the world in terms of information system auditing. No other certification, and ISACA has the monopoly there. So no one has beaten ISACA there. The knowledge base which is there in ISACA is found elsewhere, but combining all of it together and using it as a mechanism to upskill people is something, you know, fabulous, which ISACA has done.
-
Now, just to introduce you to the ISACA program: this is generally a five-day course, okay, in which we cover the five areas which ISACA describes as the domains. And so, I would be talking about those things, and I would like to have a very interactive session along that, because it also covers the knowledge part--the body of knowledge. So it's not about, you know, learning, or it's not about, you know, grasping things, or it's not about, you know, knowing some terminologies. It's also about understanding how those terminologies apply. For example, if we say "risk," you know, I'm just taking an example here. Risk. Now, risk is any uncertainty to the business operations--okay, any uncertain event that could cause disruption to an organization, you know, any uncertain event that could lead to our organization's objectives being impacted, you know, that is a risk. Okay? So, you have to not only understand the terminology. That's the basic definition of risk, but you also see how you can apply that in your organization. Okay? Look at the risk, any uncertain events, okay? What could be an uncertain event for my organization, and how could those uncertain events affect my organization's objectives?

Now, when I say "my organization," it doesn't mean, you know, any organization which you work for; it means an organization which ISACA wants you to think of. As an organization, they would basically want you to apply those terminologies, those things, to an organization, and see what you would do to basically... what best step you would take to address that issue. Okay? Now, I won't go into the details of what kind of questions they ask, but honestly, the questions are asked as, you know, just that the questions are asking the most important, the first thing which you do, the primary option you have, you know. So all the options would be right as per the question, but you have to choose the best option as per how ISACA perceives the best option is. So, you also have to understand ISACA's perspective towards that question on how you can address that. Okay? That's the reason we are understanding from ISACA's perspective, an organization's viewpoint.

Okay? And then, we would also have certain activities which basically enable you to understand those perspectives, and there will be discussion questions, there will be group discussions, in terms of case study. I would try to... Because when it's a classroom session, the group discussions become very interactive. I will try to be as interactive as possible in the group discussions. Okay? Then, we would also take real-world examples of CISA's subject matter. It would... The real-world examples could come from my experiences, would come from your experiences, or also they can come from what ISACA is putting up.

Now, what are the benefits? I've already told you it's the pioneer certification. It gives you a competitive edge, it helps you to achieve high professional standards; when you go to say that I have an ISACA certification, your CV speaks about your knowledge and experience. And it also quantifies and markets your experience.
-
Okay? So we have people here with 18 years of experience, you know, those people, I would say, it's a leap, you know, which you can take up by having these certifications. So your 18 years of experience can speak even louder when you have this certification with you. So you would have, you know, I have trained people from 4 to 5 years of experience to 28, 26, 30 years of experience also. And if only the CISO position, you know, they were getting into CISO positions, but they wanted to have the certification before getting to the CISO position. Now, those kinds of people I have also trained, okay? And they were able to clear the exams. So it basically recognizes and, you know, marks and... recognizes your experience also, you know. There you can leverage your experience with this certification; then it also increases value to your organization. Okay? I was saying, you know, the CISA certification was introduced in 1978, okay? But it got prominent in the 1990s when you had the information systems in place, you know, in the world.

Okay? So, there's a new version which came in 2019, okay, and we would be dealing with that version, okay? I have been certified in the previous version, which was the 2016 version. Now, after, you know, three years, ISACA, they changed the organization. ISACA changed some certain, you know, structures, and we will be doing the latest version, which is the 2019 version.
-
So, these are the five domains of ISACA, okay? If you see the five domains, the first is the information system audit process. Now, what does information system audit mean? What does audit mean? Audit means to check and verify, right? So, audit means to check and verify whether the systems and controls are working appropriately or not. Okay? So we will look at how you ensure the systems, you know, are checked appropriately in terms of auditing. We will also study the audit standards, guidelines, and the code of ethics when auditing information systems. You will be understanding the business processes under audit because audit itself is a project, you know. When you go for an audit in an organization, we have people from Deloitte, for example. It's an audit project altogether for the organization. Okay? So, how do you plan an audit? How do you conduct an audit? How do you report audit findings and communicate with stakeholders? And what are the post-audit activities? All these topics will be studied here. Then we will also look at the types of controls. There's a specific concept of risk-based auditing in domain one. Okay? So, that would be domain one.

In domain two, we will discuss the governance and management of IT. You need to understand governance and management. So, you have to understand the difference between governance and management here. We will see, from a board of directors' perspective, what they want from the IT infrastructure of the organization, and you will also understand from a CEO's perspective--how they enable IT to add value to the organization. Okay? So, we'll understand the difference between governance and management, and also understand where they meet each other and how the IT systems work. From an auditor's perspective, how do you check whether IT is providing value to the organization, okay, and whether we are realizing the benefits of IT in our organization?

Then, in domain three, we're going to talk about information system acquisition, development, and implementation. In information system acquisitions, or when you acquire new systems in the organizations, when you buy new systems, or you develop new systems, or you implement those systems in the organization, from an auditor's perspective, how do you ensure that the steps for acquiring, developing, and implementing the systems are appropriately addressed or not? And whether those systems which are implemented, are they basically implemented effectively in the organization or not? Okay?

Then, we will talk about operations and maintenance of information systems. Once the system has been acquired, developed, and implemented in the organization, now you also need to worry about how you maintain it. How can that system continually provide benefits to the organization? For that, you need maintenance activities and business resilience to ensure that the system is working appropriately until the end of its life cycle.

Okay? Then, we will also talk about the protection of information assets, which is very important, not only from a regulatory and legal perspective. Nowadays, because that's where the higher focus is these days, because there are a lot of regulations in terms of the banking, telecom, oil, and gas sectors. You know, there are a lot of regulations in terms of protection of information assets because information security has now, or cybersecurity has now, become an important aspect, even at a national level, around the world. Okay? Every country in the world takes information security or cybersecurity as a serious threat towards their critical infrastructure. Okay? So we will also talk about protection of those information assets. You know, when you talk about information assets, we're talking about the confidential information which the organizations have, the secret and top-secret information which the countries have, you know, at a higher level or at a national level. So, these are the five domains.

Okay? Let me also tell you about the structure of the CISA certification exam. So, now these are called the domains. Okay? Each domain is divided or is, you know, structured in a certain way. Okay?
-
So, we'll go through that structure. So every domain would have task statements. Okay? For example, in information system auditing, what tasks do we have in information system auditing? You would have, you know, driving a risk-based audit strategy--how to make an audit strategy. Okay? That is one task: making audit strategies. Then there's the task of planning the audit, there would be a task of conducting the audit, there would be a task of, you know, communicating the audit results, okay, and then there would be a task of reporting the audit results, and there would be a task of post-audit, you know, what are the activities of post-audit. Okay? So, this is how, you know, every domain is being structured. And then, for doing those tasks, there would be knowledge statements. You know, for example, for conducting the audit, you would require knowledge of sampling. You require knowledge of controls, etc. Okay? So, this is how every domain has been divided. Okay?

And then there would be certain test questions we would discuss that would validate whether you have understood the concepts well enough. Also, as I said in the beginning, there is a practical knowledge part of it, which is how you apply those tasks in an organization. This organization is basically a perceived organization, from any perspective, and you are the auditor. Okay, so all the questions that would be asked in the exam are from an auditor's perspective. So, being an auditor, what would you do in this situation? So the questions would be very situational, okay? If you are given a scenario and you are the auditor, what would you choose to do in that scenario? Okay, that's how the questions would be framed. Okay, so the application of general concepts and standards--to understand the application of general concepts and standards is very important.

And all questions would be multiple choice and designed for one best answer. Okay? All the answers would be right, but you have to choose the one best answer. Now, the catch here is that you may think from your perspective that this is not the best answer, and I also contradict ISACA a lot in terms of the best answers. I think that they are wrong in their perspective of the best answer, but I have to, right now, think that I have to clear the exam, not my own exam. So, I have to accept their best answer, okay, and make a thought process such that I understand what their thought process is, you know. So, ISACA is trying to create a thought process for you, okay, and that's something weird, but that's how it is. Okay, so from the beginning, you must be aware of these things. And this is what I'm speaking from my experience. People may have their own experiences, and so you will have your own experience when you take your exam, and hopefully, you will clear it.
-
Don't worry. Okay, you have to read each question carefully and eliminate known incorrect answers. Okay, and this is also my experience and the experience of many other people, that, you know, you have to eliminate the wrong answers. Don't go for the right answer too quickly. If you find the right answer, don't just say "yes." Okay? You have to also look at the other options and try to eliminate them first. Okay, so if you think that this answer is right, just stick to it and try to eliminate the other three first. Eliminate means that you should be very convinced that the other three answers are wrong. Okay, and you might perceive that from the other three answers there could be some contention between one or two of the answers, and then you might, you know, reduce the element of reuse in your options for yourself. Okay, for example, if you have four options, try to eliminate two first--those you think absolutely cannot be the answer. Then, you will be stuck between the two remaining options. This is where you will find yourself stuck with most of the questions--you will be stuck between two possible answers. Okay, and then you have to think from ISACA's perspective. Okay, what would be the right answer from what I have studied in the training or what I have read in the manual? Okay?

So, identify the key words. Make the best choice possible, as I said. Identify the key words or phrases in the questions. As I said earlier, most, you know, these kinds of questions would be there. So, identify the keywords or phrases in the questions before selecting and recording an answer.

Read the provided instructions carefully. So there would be instructions for you guys when you sit for the exams. Skipping over these directions or reading them too quickly could result in missing important information and possibly losing credit points. This has happened with people I know. Okay, and they had to please it for the exams. Okay, they sometimes, you know, accidentally end the exam when they're sitting; when you're sitting, accidentally, you know, you don't read the instructions properly, and then they click on "end exam" and end the exam on the first or second question. Okay, and then it doesn't resume immediately. Okay, then you have to, you know, somehow... because it's an expensive exam, you know, $750, it's not a small amount of money. So, and then you have to, you know, sometimes ISACA gives the option of resetting, and sometimes they don't. In either case, you could lose that money.
-
Now, grading is based solely on the number of questions answered correctly, so there's no negative marking like we have for CISSP exams. Okay, no negative marking. If you mark an answer wrong, it counts as zero. Okay, you are not minus. And it is also the CISSP exams in which, if you have 150 questions and you mark 80 questions right, it will automatically finish. You know, the CSI exams are like that, but... However, CSI exams will take you to 150 questions. You can go back and forth, you know. And you know, you can navigate to the questions easily. So these are somewhere for us.

The exam period is four hours, okay? So around 1.5 minutes per question, and that's not, you know, less, I would say. Okay, if you are thorough with the material, you would answer in 30 seconds. Okay. Okay, I would skip these rules for you. I will go to the important one, which is exam scoring.

So, a scaled score is a conversion of the candidate's raw score on the exam to a common scale. Okay, so for example, if there are 32 questions in domain one, so basically, it will not give you... Okay, 32 questions, 32 marks. Okay, so it would be a, you know, all the 32 questions would have different marks. Different marks. Okay, so everyone will not be one mark each like that. Okay, so 150 questions are scaled under 800. Okay? And you have to... So it uses and reports scores on a common scale from 200 to 800. Okay, no one gets less than 200. Okay, no one gets more than 800, obviously. Okay, so it's between 200 and 800. Then, a candidate must receive a score of 450 or higher, you know. That's the minimum score. I got 656 in the exam. Okay, and one of the important domains, you know, you have to pass all the domains. So, you have to score 450 in all the domains. Okay, so it's not if you, even if you get a score of, for example, 600, but you score less than 450 in any of the domains, then you have to repeat the exam. So that's how it is.

Okay, you get the score at the end of the exam, so it will give you a very little indication, you know, a small indication to say pass. You know, it will flash on your screen, that says "you passed." Okay, and it would be a very small, you know, sentence written there, and you will know that you have passed. You will not get the official result there, but you can leave the center if you have passed. Okay, so... But official results come 10 days later, and after those 10 days, you can apply for the certification with your experience. Okay, so there will be a score report, okay, in which you will see how much you have scored in each domain. Okay, so these are the steps for the user for the certification. You need to pass the exam first, and then you have to submit the application with your experience. You have to kind of sign a checklist stating that you follow the ISACA code of practices and ethics, and you agree to comply with the CPE (Continuous Professional Education) policy, which is continuous professional education points. You must also comply with information systems auditing standards, which ISACA publishes. Alright, let's start with Domain One.
-
First and foremost, we have to understand the definition of information systems--how we perceive those information systems to be. Information systems include your laptop, your desktop, your mobile phone, and your servers. It's everything around you in terms of digital technology. Okay, so those are the information systems. Now, when we look at information systems, we're not looking at hardware only. Okay, we are also looking at the processes around that hardware. For example, your laptop--you know, as simple as that--we have the process of, you know, antivirus updating on the laptop, the maintenance process of the laptop, etc. Similarly, for servers, you have backup, release management, change management, patch management, and antivirus on the server. You know, all those processes around the server are also part of the information systems. So, when we are auditing an information system, we are not just auditing the hardware; we are also auditing the processes around that hardware. Why we are auditing is because there is a dependency of the business on that system. Okay, that's the reason we need to have processes around it.

When we talk about information system auditing practices, it encompasses the standards, the principles, the methods, the guidelines, and the techniques that an auditor uses to plan, execute, assess, and review business or information systems and related processes. Okay, now as I said, the information systems definition is very important for you to understand. You also need to understand that there are certain governing mechanisms that have been defined by the industry. Okay, and these governing mechanisms basically are the standards. Okay, for example, if you see ISO 27001, okay, which is a standard for information security management systems, okay, that standard basically governs how information security shall be managed in an organization. Similarly, there are certain principles. Similarly, there are certain methods. There are certain guidelines, best practices (which we also call techniques) that the auditor can use to complete the audit across all the phases of auditing, okay, which are planning, execution, assessment, and review.

As an auditor, you must have a thorough understanding of the auditing processes. You should also have an understanding of the information system processes, like what I said: change management, patch management, etc. Whatever systems you are dealing with, you should have an understanding of those processes around the information system. You should also understand the overall goal. Ultimately, the benefit of the information system is realized by the business. Okay, and it helps the business achieve its own objectives. Okay, and the business also wants certain controls in place to ensure that, you know, those objectives are achieved effectively and efficiently. So, you should also have an understanding of the controls.
-
Now, if I take an example, you know, for example, the information system we are talking about is a server. You know, and in that... For that server, the processes around that information system include backup, which is important. You know, making changes to the server, new releases, patch management, etc. You need to understand the important processes around that system. Okay, so you have to understand how these processes work around that, and then you have to understand how these processes would also have an effect on the business processes. Okay, for example, that server is supporting an HR function in an organization, particularly in terms of payroll. Okay. Now, if there is a patch release or patch management or a new password release, or if there is a change to the server, how will that affect my HR payroll system in the organization? Okay, and you have to see what control you can put in place so that it doesn't affect my business. Okay.

Now, change management itself is a process. Okay? Processes themselves are controls, but how do I ensure that the processes are in line with my business objectives? Okay, so... As an auditor, you are there to check. You are there to verify those processes--whether the controls in place are working adequately and whether those processes continue to serve their business objectives. Any issues with those processes? You know, how I would, you know, as an auditor, would you try to verify those things? Through sampling, you know, through various other auditing techniques, to see whether, you know, the processes and controls are effectively working. So, what we are trying to see here is whether the business processes and controls are designed to achieve the organization's objectives and protect the organizational assets.

Now, upon the completion of this domain, you would be able to plan an audit. Okay, now audit, as I said, is a kind of project. Okay, the same project management techniques or the same project management methodology also work for an audit. Okay. So, when you say project management, you have planning; you're planning the implementation of that project--in this case, the scheduling of that project--and then implementation and development, and then post-implementation. Similarly, you have planning the audit, conducting it (which is your implementation), communicating the audit progress, conducting audit follow-ups, and then evaluating the management and monitoring of controls in the auditing. You also utilize data analytics tools to streamline audit processes. After that, you will have to provide consulting services and guidance to the organization to improve the quality and control of the information systems. Now, this is not part of the audit, but sometimes when we have an audit called internal audit, you know, your role is also something related to consulting, where you try to improve the internal process. However, if you go for an external audit, you don't do that. Okay, you don't provide consulting services. Then, you also identify opportunities for process improvements in the organization's IT policies and practices. These are some of the areas, and there will be many more, so this is not an exhaustive list. These are some of the areas where you, as an auditor, should be aware. Now, the topics in this domain are divided into two parts.
-
One is planning, and the second one is execution. In the planning part, we will study the audit standards, guidelines, code of ethics (as given by ISACA), and we will understand the various business processes in an organization. For example, we are aware of HR, finance, procurement; you have the physical security, the real estate of the organization, managing the administration of the organization, and the operations, etc. We will study some of the common processes in every organization. You will also see the types of controls. Now, what are controls? Controls are there to mitigate the risk, to mitigate the risk to the business objectives. Then we will also talk about a very important principle of risk-based audit planning.

Now, you must be aware that in an organization, resources are limited. Every organization's resources are limited. Okay, that's the fundamental principle you need to understand. And if you see the process, the resources are limited. You have to align those resources to the max... to an area where there is a maximum risk for an organization. Okay, that's the reason we call it risk-based audit planning. So, as an auditor, I am limited; I am a single person in the whole organization. My focus should be on core banking, core applications, or core business operations rather than, maybe, HR. That's the reason we look at the maximum risk area of an organization and start auditing from there. Okay, so that the maximum risks are addressed in an organization. So, this is basically the risk-based audit planning: you plan the audit based on the risk to the organization. So, you go for high risk first, and then medium, and then low. Okay, and this is how every organization works.

Then, you have types of audits. There are internal audits, second-party audits, and third-party audits. Okay, we will see what arrangements we have in the various audits and also what the difference is between an audit and an assessment. Audits are basically done to verify things; assessments are also done to verify things, but due to the different arrangements in an audit and an assessment, your communication changes. Okay, your job responsibilities also change.
-
Okay, in the execution part, we will study the project management of an audit. Okay. As I'm continuously repeating from the beginning, audit is a project, right? We have to treat it as a project. Okay, and then we will also look at sampling methods. Okay, we will try to look at the audit evidence collection techniques. It's very important because, as an auditor, by principle, you should not give any findings unless you have evidence against it. Okay? Then you have data analytics. Nowadays, we are using systems like banking systems and, you know, telecommunication systems where you require data analytics techniques to basically ensure that the system is working effectively. Okay. So, we will study how auditing, you know, how data analytics helps auditing to give better results. Then, reporting and communication techniques are very important. Again, this would depend on the reporting and communication technique. It would also depend on the arrangement of the audit. Okay, what kind of arrangement is it? Then we'll talk about quality assurance and improvement of the audit process.

Now, an audit also has a quality department. Generally, all auditing functions have a quality department. For example, if I give a finding as an auditor, the quality of that finding would also be judged. Okay? I wouldn't say judged, basically; I would say it would be assessed. Okay. For example, what kind of evidence is it? How has that evidence been captured? How effective is that evidence in saying that this particular finding can affect the business? All those parameters are basically assessed. Okay. Many auditing firms, for example, EY, Deloitte, PwC, all these auditing firms have quality departments that verify this. Also, external auditors. Also, you know, sometimes, though not very rigorously, look into what kind of findings the auditor gives. And because we also have some contentions when we are audited. If the auditor gives a finding, we can raise a question like, "Why did you give this finding to me?" You know, we can question them. They should be able to answer those questions appropriately to us. Okay, let's start with the first topic, which is planning.
-
Okay, so what is an audit? An audit is
-
basically,
-
as I said, verifying. Another word for
-
auditing is verifying,
-
checking. Okay, so it's a formal
-
examination or testing of information
-
systems to determine whether
-
those systems are working as per the
-
applicable laws, regulations, contracts,
-
and industry guidelines.
-
Now, these compliances--laws,
-
regulations, contracts, and industry
-
guidelines--
-
depend on, again,
-
country to country,
-
industry to industry, supplier or
-
contractor to contractor,
-
third-party to third-party. Also,
-
regulations are typically set by
-
regulatory bodies.
-
So, it also depends on, again,
-
regulatory bodies for industries.
-
For example, there’s TRAI for telecom, RBI for
-
banking, NPCI for
-
payment gateways,
-
IRDA for insurance. These bodies also have
-
certain
-
guidelines for the information systems.
-
So, information systems
-
have to comply with those guidelines or
-
regulations set by the regulatory
-
body.
-
Okay, so that is one thing you check. Okay.
-
Then, the other thing you check
-
is whether those comply with the
-
governance criteria
-
and relevant policies and procedures. Now,
-
you also
-
see that information should function
-
under--so, information
-
is owned by an organization. For example,
-
that information system has to work
-
according to the internal policies and
-
internal compliances
-
of an organization. Okay, if you,
-
for example,
-
take a server, it
-
should work according to the change
-
management process,
-
patch management process, and, you know,
-
backup process defined by the
-
organization.
-
Okay, so that is one thing you
-
check: whether it’s compliant with the
-
policies, compliant with the laws and
-
regulations,
-
and whether it is complying with the
-
internal policies and procedures of the
-
organization.
-
The third thing you check is whether
-
that information system
-
is compliant with the CIA--which is
-
Confidentiality, Integrity, and
-
Availability--
-
at an appropriate level. Now, what is
-
confidentiality? What is integrity?
-
And what is availability? Confidentiality
-
is basically
-
that the system doesn’t allow
-
unauthorized access.
-
Okay, you know, the system doesn't allow
-
unauthorized access.
-
Integrity means the system doesn’t allow
-
inadequate modification or unauthorized
-
modification. The
-
system doesn’t allow unauthorized
-
modification to data
-
or any other parameters of information
-
systems. The third
-
thing is availability, which means the
-
system
-
allows authorized people to work. For
-
example, if you want to
-
raise a ticket, you should be allowed to
-
do that. Okay,
-
for example, if you want to
-
access your emails,
-
as email is a very important
-
operation, you should be allowed
-
to operate your email because
-
you're authorized to do so.
-
Okay, so that’s also an important thing
-
to look at from an information
-
systems perspective.
-
So, confidentiality, integrity, and
-
availability should be maintained
-
in the information systems, and
-
we apply controls to reduce the
-
impact on the CIA.
-
Okay, so you should also test
-
the CIA parameters
-
of the system. Then, the fourth thing is whether
-
the efficient
-
and effective targets are met. Now,
-
efficiency
-
is something related to
-
cost. Okay. So,
-
IT operations are accomplished
-
efficiently, which means reducing costs.
-
Okay. Effectiveness means that they are
-
done effectively. For example, you have an
-
antivirus.
-
First and foremost, efficiency means the
-
cost of the antivirus should
-
not be too high according to
-
the organization.
-
Effectiveness means it should also prevent
-
viruses
-
and malware attacks on the
-
organization or
-
the system or the information system. Okay.
-
So, these are the four parameters
-
you need to look at when you are
-
verifying and checking information
-
systems.
-
The first thing is the compliance
-
with laws and regulations. The second is about governance,
-
the compliance level, and the internal
-
policies and procedures.
-
Okay. The third thing is the impact on the CIA.
-
And the fourth thing is about the efficient
-
and effective
-
operations of the information systems. So,
-
these are the four parameters you check
-
in the audit.
-
Okay, so the audit process has
-
three steps. One is planning
-
the audit,
-
then conducting the audit, and finally,
-
reporting and follow-up.
-
Okay, so we’ll discuss that. First and
-
foremost, you need to understand the
-
ISACA standards. There is an audit
-
standard by ISACA. I’ll go to the ISACA website
-
to show you where it is. If you check
-
the resources,
-
in the resources, you will
-
go to Frameworks, Standards, and
-
Models. Okay.
-
Okay, there is this process called ITAF,
-
which is the Information Technology
-
Assurance Framework.
-
Okay, this is a free standard.
-
Okay, you might download this.
-
Okay, so you have to select the language and
-
download it.
-
Now, this is an important standard to
-
look at. Okay, it has been downloaded, and I
-
have that
-
with me.
-
Okay, so this is called ITAF,
-
which is your IT Assurance Framework.
-
Okay, and this talks about IS
-
audit and assurance, so this is a
-
standard, basically.
-
Okay. So,
-
first and foremost, the standard for IS
-
audit and assurance
-
is divided into three parts:
-
one is the general standard,
-
okay, and performance standard,
-
and reporting standard.
-
Okay, so in the general standard, it
-
talks about planning,
-
okay, there. Performance talks about
-
conducting the audit,
-
okay? And then, the reporting standard
-
talks about the third space, which is
-
reporting. Now,
-
how to apply this standard. There is
-
a certain guideline,
-
which has been defined. Now, the
-
guideline is this one.
-
If you see, IS audit and assurance
-
guideline. Okay.
-
Now, basically, both of these, if you see
-
this is also audit charter. This is also
-
audit charter.
-
Here, if you see, talks about a very brief...
-
of what it is. Okay? This would... this
-
guideline will tell you how to implement
-
this audit charter
-
in the audit assurance guidelines. Then,
-
there is
-
tools and techniques in this particular
-
document. Okay? IS audit and assurance tools and
-
techniques. And then, there is
-
also professional ethics part
-
also there. In the tools and techniques,
-
there is also,
-
you know, professional
-
ethics and standards.
-
Now, coming back to the presentation,
-
what is this standard
-
about? ISACA's audit and
-
assurance standard defines mandatory
-
requirements
-
for IS auditing. Obviously, whenever
-
you
-
see the word "standard," you must be aware
-
that it’s mandatory.
-
Okay, and how do you understand that it's
-
mandatory? Because the word "shall" is used
-
there. Okay, so if you see here
-
in the audit charter,
-
if you go to page number 12 quickly,
-
if you see the audit charter,
-
you'll see the word "shall" is used.
-
Let me show you. If you see,
-
the word "shall" is used. Okay.
-
So, if you see everywhere "shall" is used,
-
this is mandatory. When you say
-
"standard,"
-
this is mandatory. Okay, and when you go
-
to the guideline, go to
-
page number 40, go to page number 42
-
quickly,
-
and you'll see the audit charter. The word
-
"should"
-
is used. If you see here, the
-
purpose of this guideline is to assist, and
-
the IS auditor
-
should consider this guideline. Now, this
-
is a guideline. A
-
guideline is non-mandatory. A
-
standard is mandatory.
-
Okay, so this is one difference you must
-
understand. You will see this is
-
basically the guideline's purpose
-
and linkage to the standard. Okay, coming
-
back,
-
that’s the reason the
-
standard defines mandatory requirements
-
for
-
IS auditing, reporting, and informing.
-
Okay,
-
as an auditor, you must achieve
-
the minimum level of acceptable
-
performance required to meet the
-
professional responsibilities
-
set in the ISACA Code of Professional
-
Ethics. So,
-
you have to minimally practice the
-
standard.
-
Okay, that’s the reason I said reading
-
the standard is important
-
for you guys because that’s the minimum
-
requirement of an auditor.
-
Okay, yes, you can also read the guideline,
-
which will basically
-
help you implement that standard in
-
your job practices.
-
Okay. Now, then, management and other
-
interested parties have
-
professional expectations concerning the
-
work of practitioners.
-
Now, you also have to understand that as
-
an auditor,
-
you work with other experts in an
-
organization.
-
For example, an auditor,
-
you know, also works with IT people.
-
For IT, there are specific audits--
-
that’s what information system auditors
-
are. Then, there are
-
network people, network
-
audits,
-
software audits, and
-
then there are
-
information security audits. So, as
-
an auditor, whatever
-
your expertise is, you also work with
-
other auditors
-
or take the expertise of
-
other auditors
-
during your job. Okay,
-
so this particular standard also
-
talks about that--that’s how to take the
-
work of other practitioners in your
-
job, okay, in your auditing.
-
Okay, now, you
-
may not be a network expert. If you are not a network expert,
-
how would you audit a network?
-
You will take the expert’s
-
opinion--someone who has
-
expertise in the network field--
-
so you take their results to
-
basically
-
fulfill your auditing assignment. Okay.
-
So,
-
this particular standard also talks
-
about that. Then, it also
-
helps, basically, this is also a
-
requirement from CISA.
-
Okay. As a CISA designation holder, you must be
-
aware of the
-
requirements of this. Okay, so
-
holders of the CISA designation have
-
their professional
-
performance requirements, which are
-
also mentioned here. If you want, I can
-
specifically go to
-
that document and tell you where it is
-
mentioned.
-
So, if you see here, you know, the
-
proficiency of an auditor
-
is also something that’s an important
-
parameter. Okay, now using the work of
-
other experts--that’s what I was talking
-
about.
-
Okay, 1206,
-
clause 1206 talks about
-
using the work of other experts. Now, I
-
will also go to the Code of Professional
-
Ethics.
-
So, these are the seven codes of
-
professional ethics,
-
which every auditor must be aware of.
-
That’s what
-
you also sign when you go for
-
certification after the exam.
-
Okay, these are the seven principles, I
-
would say,
-
or ethical statements that you must
-
comply with.
-
Okay, if you are found not adhering to
-
any of the seven principles,
-
there is a possibility of getting your
-
certification revoked.
-
There is also a disciplinary
-
process from ISACA
-
against the CISA certification. Okay, I
-
will go to that
-
later in the presentation as well.
-
Okay, I will move forward now. The
-
framework, which has
-
already been talked about--ITAF. Okay, ISACA’s
-
audit and assurance standards framework.
-
The framework of ISACA provides multiple
-
levels of documents. It talks about
-
the standard. Okay, I talked
-
about the guideline.
-
Okay, so the standard defines mandatory
-
requirements for IS audit assurance and
-
reporting.
-
Okay, then there are guidelines. I
-
told you that guidelines provide guidance in applying
-
the standard.
-
Okay, as an auditor, you should consider
-
them in determining how to achieve
-
and implement this particular
-
standard. Use
-
professional judgment here. Okay?
-
And their application,
-
okay? Now, professional judgment.
-
When the word "judgment" comes,
-
it is not mandatory. It is
-
discretionary, I would say.
-
Okay, when you say judgment, it
-
becomes discretionary. Okay, in their
-
application,
-
and you must be prepared to justify any departure
-
from the standard.
-
Okay, there is a possibility of
-
exceptions.
-
Okay, there is always a possibility of exceptions,
-
and then there has to be an
-
exception process around it
-
when you're applying that standard.
-
You must be able to justify those
-
exceptions from the standard as well. So, a
-
standard is not law.
-
Okay, so it’s not something that
-
you will be
-
persecuted for not following. Okay?
-
But
-
if you have an exception, you must justify it,
-
which is good for
-
the overall practice of auditing.
-
Then, there are tools and techniques
-
that provide examples of processes that
-
the IS auditor
-
might follow in an audit. Okay, and that’s
-
also
-
basically mentioned here. Tools and
-
techniques documents provide
-
information on how to meet the standard
-
when completing IS audit work,
-
but do not set the requirements. Okay,
-
and the requirements are again linked to
-
these standards. Okay. So, if you see, it
-
doesn't,
-
here it talks about mandatory
-
requirements, but these tools
-
do not set the requirements. Okay.
-
They never set the requirements. So, as I
-
said, the
-
general principles apply to the conduct of
-
all assignments, and deal with ethics,
-
independence, objectivity, and
-
due care as well as knowledge, competency
-
and skill.
-
Okay, when you talk about performance, it
-
is about conducting.
-
Okay. It talks about planning,
-
supervision, scoping, risk, and materiality.
-
What is materiality, guys?
-
Materiality means the importance of the
-
effect
-
of that area. Okay, now,
-
whenever we look at materiality, we are
-
not looking at,
-
you know, it is basically the quality
-
of
-
the practice or the
-
transaction or the amount. For example,
-
for an organization,
-
a loss for a big organization like
-
PWC, a loss of one thousand dollars is
-
not material. Okay. But for them, a
-
one million dollar loss is
-
significant. Okay, so materiality is the
-
importance of that particular,
-
you know, loss or transaction. We
-
use this in auditing a lot because
-
we are trying to capture the
-
most significant
-
things first from an information
-
systems perspective.
-
Okay, for example, we're looking at the
-
most important application of an
-
organization,
-
which can affect their
-
business operations.
-
So, always look for the material
-
things. Always look for
-
the most important things for an
-
organization.
-
Okay, for example, if I go for a
-
bank or a bank audit,
-
I go in asking, "What is the card
-
doing?" You know,
-
I’m not looking at the core banking
-
system (CBS); I’m looking at a process in
-
HR, for example,
-
which every bank has. But I
-
should be looking at
-
the most important thing, which is the CBS,
-
the core banking system.
-
Okay, so as an auditor, you look for
-
the most material things, the
-
most important things to the organization when
-
you are doing the audit.
-
Okay, so scoping, risk, and materiality.
-
Okay, the importance of that
-
area is very important. I hope
-
I was able to give that answer. Okay, and
-
then resources.
-
We also talk about
-
resources because, as I said,
-
every organization has limited resources.
-
So, how you utilize the resources to the
-
maximum extent is crucial.
-
Mobilization of the auditors, okay?
-
Mobilization of the auditors is also important--because
-
again, limited resources--you have to
-
mobilize
-
effectively, in terms of
-
logistics, etc.
-
Supervision: Supervision of the
-
auditors is very important
-
in terms of the
-
quality of the audit and
-
assignment management. Big auditing
-
firms like EY,
-
PwC, and Deloitte
-
understand this,
-
you know, in terms of assignment
-
management. We have audits
-
every year, we have surveillance audits, we
-
have recertification
-
audits every three years, etc. All
-
that assignment management is also very
-
important. Then, audit and assurance
-
evidence.
-
Evidence collection, storing
-
those evidences,
-
proving the quality of the evidence--
-
everything is very important here. So,
-
in the performance category, we will look
-
at all those things.
-
Then, the third category is reporting.
-
Okay,
-
so these three categories among the
-
categories of standards and guidelines--
-
reporting is very important in terms of
-
types of reports,
-
means of communication, and the
-
information that is communicated.
-
All three are very important.
-
And reporting also, as I said earlier,
-
would depend on the type of arrangement
-
or the type of audit it is.
-
Audit and assurance guidelines: We
-
talked about
-
the standard. The guideline basically
-
helps you to determine how to implement
-
these ISACA standards.
-
It also helps, as I said, by using professional
-
judgment in applying them. You should
-
be able to justify any departure from
-
ISACA or international standards.
-
Now, as we discussed, the Code of Professional
-
Ethics is very important,
-
and we must understand that these seven
-
principles must be followed. We will discuss these in detail.
-
So, these are the three, and
-
we have two more.
-
These are the total of seven codes of
-
professional ethics.
-
I would like to discuss them from the
-
standard itself because that
-
gives a better perspective. Okay,
-
same here.
-
Now, ISACA's Code of Professional
-
Ethics is
-
for its members and certification
-
holders. So,
-
members and certification holders
-
shall support the implementation. So,
-
as an auditor, you are not there on
-
a fault-finding mission.
-
Okay, you are there to
-
verify and check,
-
show the faults, but ultimately, you are
-
there to help them implement
-
and encourage compliance,
-
compliance with the standards.
-
Okay, so you should support the
-
implementation of and encourage compliance
-
with appropriate standards and
-
procedures
-
for the effective governance and management
-
of information systems,
-
including audit control, security, and
-
risk management. Okay,
-
then the second is to perform duties
-
with objectivity.
-
Now, when you talk about objectivity,
-
you are also talking about materiality.
-
Okay. As I said,
-
objectivity means you are there to assess
-
certain things, and you should have the audit
-
objective in your mind.
-
For example, if I’m going for an
-
information security
-
audit, I must be sure of
-
what I’m checking. Okay, I should
-
have an audit objective that I
-
would be checking this particular
-
information system while looking for
-
these things. Okay. So from an objectivity
-
perspective,
-
you know you should perform your
-
duties. Okay.
-
Now, you might go for a network audit, and
-
you're looking for faults in the network. You
-
might go for a software audit, where you're
-
looking for
-
anomalies in the software. Okay. If you're
-
going for
-
a penetration audit or a VAPT (Vulnerability Assessment
-
and Penetration Testing), you're looking for
-
various anomalies in the system.
-
Okay, so the objective of the
-
audit should be clear.
-
Also, from the organization’s
-
perspective, it must be clear to
-
the person who has given you the
-
assignment.
-
What the stakeholder is trying to
-
achieve through this audit should be understood.
-
For example, many organizations do ISO
-
27001
-
to achieve tenders, for
-
brand reputation, or also
-
to ensure they are
-
compliant with
-
the
-
industry guidelines,
-
okay, etc. So the objectivity should be
-
very much
-
clear. Then, due diligence. Due diligence means
-
you have to be very careful
-
when you are doing the audit and when you
-
perform your duties.
-
You should not be influenced by
-
people. Due diligence is about
-
independence.
-
You should not be
-
influenced by people; you should not take
-
bribes, etc. Due diligence is
-
not only about
-
taking bribes but also about
-
not getting influenced
-
for any reason. Okay.
-
Then, professional care. Again, this is
-
also about
-
ensuring that
-
you are professional in your
-
approach, and also
-
that your work is in accordance with the
-
professional standards that have been
-
outlined in the standards document.
-
Always serve in the interest of the
-
stakeholders in a lawful manner,
-
while maintaining high standards of
-
conduct and character, not discrediting
-
their profession or association. Okay,
-
maintaining privacy and confidentiality is
-
very important.
-
Okay, you might be dealing with a lot of
-
confidential information of the
-
organization.
-
Okay, so you should always ensure confidentiality,
-
generally through NDAs, etc. However, I don’t believe
-
those are very effective mechanisms.
-
People may say they have an NDA with you,
-
but just because of that, it doesn’t mean
-
someone should give you access to
-
all the information. An NDA is
-
not a good mechanism in an
-
organization.
-
Then, maintain competency in your
-
respective fields.
-
Okay, you are competent in information
-
security already.
-
You're competent in your network, so
-
always try to achieve expertise in
-
whatever area
-
you are working in, okay? And agree to
-
undertake only those activities that are
-
very important. Agree to undertake only
-
those activities that you can reasonably
-
expect to complete with the necessary skills,
-
knowledge, and competence. Now, I do not do
-
a network audit, I don't do a software
-
audit, I do not do,
-
you know, penetration testing audits, okay?
-
Or,
-
you know, availability audits, what we
-
call them.
-
So, I do information security
-
audits from a compliance perspective. I'm a
-
compliance person, okay? I don't take
-
those assignments which I’m not
-
competent
-
enough for, okay? Because that would not
-
justify
-
my job. Then, inform the
-
appropriate parties of the results of
-
the work performed, including disclosure
-
of all
-
facts, if not disclosed, which may distort
-
the reporting of the results.
-
Then the last one is to support the
-
professional education of stakeholders,
-
enhancing their understanding of the
-
governance and management of enterprise
-
information systems technology, including
-
audit control, security, and risk
-
management.
-
Now, also, you are supporting the
-
stakeholders and increasing their
-
knowledge about their systems.
-
Now, stakeholders invest money in
-
their
-
systems, okay? They are asking you
-
also to
-
come and audit them, so you
-
should always,
-
you know, make them more aware of their
-
information systems. You should
-
also make them aware of the faults
-
in their
-
information systems and how those faults
-
can affect their businesses.
-
Okay, so these are the seven, what we
-
call,
-
you know, the code of professional
-
ethics that the auditor
-
must follow. Okay, we've gone through
-
these three
-
slides, getting to ITAF again. So, again,
-
this particular domain
-
itself is a description of ITAF.
-
Okay, so ITAF is a comprehensive and good
-
practice--setting framework model.
-
Okay, it establishes the standards, it
-
defines the terms and concepts,
-
concepts of IS assurance. Now, I have
-
not discussed this
-
term, which is "assurance," and I would like to
-
know what’s your perspective on
-
the word "assurance." How do we define
-
assurance? So,
-
assurance is basically a promise or a
-
guarantee
-
or a trust that we have in the system.
-
For example, if you're sitting on a
-
roller coaster,
-
and you are on a dangerous roller coaster,
-
you are actually
-
having assurance that you will come back
-
alive,
-
you know, from that. So, that's the reason
-
you're sitting on that.
-
Okay, so it's kind of a trust you have in
-
that
-
system, okay, that this would perform
-
as per the
-
standards, and you have
-
confidence in that system.
-
So, this is very important
-
when you talk about
-
air traffic control systems. You know,
-
you're sitting in an airplane,
-
and you are believing that the air
-
traffic control system
-
is working as per the proper
-
guidelines.
-
Okay, so that's how, you know,
-
sometimes it is that critical as well.
-
And also, sometimes, you know, it’s not
-
that much critical. You know, when you are
-
talking about, for example, banking, it is
-
critical. It is
-
for air traffic control. It is
-
critical for critical infrastructures.
-
All the critical
-
infrastructures, it is critical. But, for
-
example, for an organization, for a small
-
organization, it may not be that
-
critical.
-
Okay, so all that would depend on
-
the materiality
-
of the area. Okay, so this
-
particular,
-
so it provides… So, assurance is
-
that. So, I was just getting to the
-
definition only. I will come to the
-
dependencies and resilience part later
-
in the other domains as well. Then ITAF
-
also provides guidance and tools and
-
techniques on the planning, design,
-
conduct, and reporting of IS audit
-
and assurance assignments. So, audit is
-
basically a part of that.
-
Coming to audit: audit is also a
-
mechanism
-
where we try to get a certain level of
-
assurance.
-
Okay, now, we don't get a guarantee from
-
the audit.
-
Okay, it doesn't say
-
that you have zero faults in a system.
-
Okay, audit is just one, you know,
-
kind of a level playing field assurance
-
perspective. Okay,
-
so audit is just a mechanism for getting
-
assurance.
-
Okay, then we go to business processes we
-
are aware of.
-
We’ll go through this quickly because we are
-
aware of the business processes.
-
But from an auditor’s perspective, when
-
you’re going for the audit, you must
-
do some
-
research in terms of
-
what kind of business processes that
-
organization
-
is dealing with, and if you get an
-
understanding of that
-
process, it would be easy for you to
-
audit that.
-
You may not have a
-
complete understanding; obviously, you
-
will interview people,
-
and then you would not have the complete
-
understanding. But,
-
for example, HR--what does HR do,
-
which is basically,
-
you know, hire people, talent management,
-
payroll,
-
training and development, etc.
-
So, you should be
-
aware of that. You should understand
-
and evaluate business processes.
-
Okay, test and evaluate operational
-
controls
-
there, and then identify the controls
-
such as policies, procedures, practices,
-
and organizational structures.
-
Okay, do you think organizational
-
structure is a control, and why do you
-
think organizational structure is a
-
control?
-
I… Policies are high-level intent of the
-
organizations.
-
Okay, procedures are also controls. Okay,
-
why procedures? The policies are very
-
important because
-
once the high-level intent is not there…
-
if the high-level intent is not there,
-
okay, for example, if an organization doesn’t
-
have an information security policy,
-
stakeholders are not endorsing
-
information security as an important
-
enabler to their organization, then you
-
cannot do anything. Okay, you will not
-
have any control. So,
-
first and foremost, policies are
-
important because those are the high-level
-
intent of the organization.
-
Then, procedures are important. Okay,
-
procedures will tell you the day-to-day,
-
you know, activities which you have to
-
perform, okay, and how to perform those
-
activities--basically step-by-step
-
directions. Okay, then you have
-
practices.
-
Now, practices are best practices. Now,
-
those are guidelines. Okay, those are like,
-
"This
-
is the best way to do it," okay?
-
Or,
-
"These are things that you must take care
-
of while doing it."
-
Okay? You may or may not take care
-
of that, but
-
those are helping. Then, organizational
-
structures are also control.
-
How do you think organizational
-
structure is a control? How does it help
-
as a control? For segregation of duties,
-
job descriptions are
-
segregated. Okay, so organizational
-
structure is a control because it helps
-
in decision-making.
-
Okay, so basically, organizational structures
-
have segregation of duties. So,
-
it is more important from that
-
perspective.
-
I mean, so this is like you are
-
defining a job description
-
of a person. Okay, based on the job,
-
he’s been assigned certain things. Okay,
-
and that control should be there that
-
there’s a maker and a checker.
-
Okay, that’s the reason organizational
-
structures are important. Okay, it would
-
reduce the risk. So,
-
As I'm saying, when you talk about
-
controls, it is trying to reduce or
-
mitigate the risk.
-
Okay, so from a segregation of duties
-
perspective,
-
it is very important because segregation
-
of duties is a control
-
that basically reduces the
-
risk of any errors, faults, frauds,
-
etc. Further, in this section, we
-
will also talk about the
-
internal audit function. Okay, internal
-
function in the sense that how an
-
internal
-
function is different from the
-
external audit, okay,
-
or the other functions, then management
-
of the IS audit function.
-
Okay, the planning of the audit,
-
effect of laws and regulations on IS
-
audit planning,
-
business processes, applications, and so on.
-
Internal functions--so, as an auditor,
-
as an internal auditor,
-
you should
-
establish your audit charter first. Now,
-
what is an audit charter? An audit charter
-
talks about the responsibility, the
-
accountability, and
-
the scope of an audit, okay? And
-
it must be approved by the board of
-
directors and the audit committee.
-
Okay, so if we go to the audit charter
-
definition
-
in the Sarbanes-Oxley guideline or in
-
ITAF, you know, so if you see here,
-
in the audit charter, it talks about the
-
purpose.
-
Sorry, the audit charter talks about the
-
audit charter indicating the purpose,
-
the responsibility, authority, and
-
accountability.
-
Okay, so it has four things you have to
-
remember this
-
and maybe if you want to... Four things,
-
which is the purpose,
-
responsibility, authority, and
-
accountability. Okay, these are the four
-
things that
-
the audit charter must have. Okay, the
-
purpose of the audit,
-
the responsibility
-
of conducting that audit, the authority
-
(who initiated this audit or who
-
the audit results would be communicated
-
to),
-
and the accountability, okay? The
-
audit function should be
-
established by the audit charter,
-
which has to be approved by the
-
board of directors and the audit
-
committee.
-
Now, sometimes the board of directors
-
also gets, you know, they have
-
another committee which
-
represents the audit.
-
Okay, that's what the audit committee is
-
about. Okay.
-
Now, the audit charter is an overarching
-
document that covers the entire scope of
-
audit activities in
-
an entity, while the engagement letter is
-
more focused on a particular audit
-
exercise.
-
Now, sometimes we have, you know, one
-
audit charter in which you have the
-
complete plan
-
of the audit of the whole organization,
-
whereas the engagement letter is
-
specific to a certain function. Okay, for
-
example, you're going for a network audit,
-
so there's an engagement you have done with,
-
say, EY. For example,
-
now you will sign an engagement letter
-
with that organization,
-
and it is basically focused. Okay, and you
-
have certain
-
time limits, etc. It’s more focused
-
on a particular audit exercise that is
-
sought to be initiated in an
-
organization with a specific objective
-
in mind. For example,
-
as I said, a network audit or
-
information security compliance audit,
-
etc. From the definition, this is
-
also clear here.
-
If you see, the charter should clarify
-
the
-
management’s responsibility and
-
objectives for delegation of authority
-
to the IS audit function. Okay, so the charter
-
should clearly state
-
the responsibility, the objectives or the
-
purpose, and
-
the authority of the audit function.
-
Why do you think the
-
auditors will also require authority
-
from the board of directors when asking
-
questions to,
-
you know, an area that the organization is
-
auditing? People may ask you,
-
“Who are you?” “Why do you ask
-
these questions?” etc.
-
Those are basic questions when you go
-
to interview anyone.
-
Okay, so the
-
audit charter is a document that you
-
can
-
show as a warrant, you know, that
-
you have the authority to
-
basically audit them, and this has
-
been
-
asked by the highest authority of
-
your organization, which is the board of
-
directors. That’s the reason the
-
charter has the authority as well, so
-
that
-
you have the senior management or top
-
management’s
-
approval on asking questions
-
to the area or to the function. Okay,
-
that’s the reason authority is very
-
important.
-
Now, management of the IS audit function: managing the IS audit function should ensure value-added contributions to senior management. Again, if they're giving you the authority to audit, they also want something, and they are doing it for a reason: that you would tell them the causes in their organization, what areas need improvement, and how to improve. You are basically building upon their assurance; you're building their assurance on the organization's IT infrastructure. Okay, so if you're saying that, you know, these are the areas of improvement in your organization, if you're giving them findings, it will basically help them improve, help them improve the overall operations and efficiency of their organization. Okay, so as an auditor, you should ensure value-added contributions to senior management in the efficient management of IT and the achievement of the business operations. When you give them findings, they would act upon them, and that would also help them to achieve their business objectives appropriately.
-
Okay, now the first step is planning. When you're planning for an audit, adequate planning is very important. The Japanese say that 70% of the time you spend on planning. That's very important because all the major... I'm doing an implementation assignment, and I know this very well, deep from my heart, how important the planning part is, how important the audit plan is. If you fail in planning properly, you mess up the whole thing. Okay, so plan an audit.

The following tasks must be completed. List all the processes. I mean, the scope has to be very clear when you're going for an audit. So you're listing all processes, and you get the scope approved for the audit. Okay, then you evaluate each process by performing a qualitative risk assessment. Now, for example, I have four departments to audit. Okay, the scope is clear; I have four departments. Now, who to start with? That is also very, very important. Again, the concept of materiality is very important. So, you will do a qualitative or a quantitative risk assessment. Now, this risk assessment is not the risk assessment that we do for information security, the detailed assessment we do. This is a kind of high-level assessment, in which you try to understand which are the critical areas of the organization.

Now, for example, you have four applications to audit. Now, if you say one, two, three, four, and you say, "Okay, how would you check which application is important?" You look at the number of users. Which applications do you use? So, you will check the number of users. This is easy for any organization to give you. Okay, and you will also do a risk assessment on the type of data that the application is storing, how that application operates, and which processes that application supports. You will assess which business operations it is supporting. So, this is a kind of high-level assessment of risk you will do. Okay, so why are you doing this? Again, it's materiality. You're doing this to evaluate whether you are trying to capture the maximum risk in an organization. So, evaluate each process by performing a qualitative and quantitative risk assessment. These evaluations should be based on objective criteria, like I just mentioned. I gave you some examples of objective criteria for applications. Similarly, you can apply this to business processes or different departments as well, from a high-level perspective. Okay, etc., etc. So, then our goal is to define the overall risk of each process, and then construct an audit plan to include all the processes that are rated high. This would represent the ideal audit plan. And that's what we call an audit-based risk strategy or audit-based risk plan.
-
Okay, basically, we call it a strategy. So, audit-based risk strategy. Now, when to audit, that's also a question. Why we have this question is because, again, this depends on the criticality of the processes. So, there is short-term audit planning and there is long-term audit planning. Now, in short-term audit planning, you have short, frequent audits, and the periodicity reduces. In long-term audit planning, you have a higher periodicity. Okay, so short-term planning involves all the audit issues that will be covered during the year. For example, you have to conduct surveillance audits every year. That is, every year. So that is the short term.

Okay. The long-term plan takes into account all the resolutions. For example, there's a department which is slowly improving. That department is not very mature yet, so you might go for a long-term audit here. You are assessing some areas of that department, giving them time to mature, and then auditing other areas of the department. Okay, similarly, you know, it's a phased approach in long-term planning. And that would also depend on the IT strategic direction of the organization.

Okay, for example, I was working in a bank in the UAE, and they had a new area of banking. For example, treasury. I can't remember the name of that area, but, for example, treasury. They were, you know, trying to have another area of business for them. Now, that department had just begun. Okay, that area of business had just been initiated. Obviously, they will not have 100% of the processes, the same processes that a bank initially has. They are trying to have one or two processes in place for the new customers, and then they will mature over time. Okay. So, if I go on the first day, or maybe the first year, and say, "Okay, show me all the processes," and start finding faults in them, you know, it may not be very fruitful for that particular area of business. Okay. You will have a lot of findings, and they cannot address those findings immediately. So, you will take a long-term approach. This depends on the IT strategy vision of the organization.

Now, an audit can also be triggered when there is a control issue. For example, if there's a new issue coming up or there are a lot of incidents happening in HR, such as data breaches, etc., if there are control issues, the board of directors will take a decision: okay, now we must audit this HR department; try to assess those gaps in that department. Okay, so new control issues can also trigger an audit. Fraud can trigger the audit as well. So, that could also happen. Also, there's a change in the risk environment. You acquire a new organization, or you merge, or you have mergers and acquisitions. Okay. Now, that could also change things, so the risk environment has changed. Okay. As I mentioned, technology has changed. Okay, all the business processes have changed, you know, drastically. That can also basically trigger an audit.
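The planning procedure just described, as an added example that is not part of the lecture: a small Python model that rates each in-scope application on the objective criteria named above (number of users as a materiality measure, type of data stored, business processes supported), puts everything rated high on the short-term (annual) plan, leaves the rest for the phased long-term plan, and pulls an application forward when a control issue, fraud or a change in the risk environment is recorded against it. The scoring weights, thresholds and sample inventory are all assumptions made for this example.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from enum import IntEnum


class Rating(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


# Type-of-data criterion: the more sensitive the data an application stores,
# the more risk it carries. Classes and weights are assumptions for this example.
DATA_SENSITIVITY = {"public": 1, "internal": 2, "confidential": 3, "regulated": 4}

# Events that trigger an audit outside the regular cycle (from the lecture).
TRIGGERS = {"control_issue", "fraud", "risk_env_change"}


@dataclass
class Application:
    name: str
    users: int                 # objective criterion: number of users
    data_class: str            # objective criterion: type of data stored
    processes: list[str]       # business processes the application supports
    triggers: list[str] = field(default_factory=list)  # recorded trigger events


def qualitative_rating(app: Application, total_users: int) -> Rating:
    """High-level risk rating (not a detailed infosec assessment)."""
    score = 0
    # Materiality: the share of the organisation's user base on this application.
    share = app.users / total_users if total_users else 0.0
    score += 2 if share >= 0.5 else 1 if share >= 0.2 else 0
    score += DATA_SENSITIVITY.get(app.data_class, 0)
    score += min(len(app.processes), 3)   # cap so one app cannot dominate
    if score >= 6:
        return Rating.HIGH
    if score >= 4:
        return Rating.MEDIUM
    return Rating.LOW


def build_audit_plan(apps: list[Application]) -> dict[str, list[tuple[str, str, str]]]:
    """Short-term plan: every app rated high, plus any app with a trigger event.
    Long-term plan: the remainder, to be covered in phases over a longer cycle."""
    total = sum(a.users for a in apps)
    short_term: list[tuple[str, str, str]] = []
    long_term: list[tuple[str, str, str]] = []
    # Highest rating first, then largest user base, so the plan reads by priority.
    for app in sorted(apps, key=lambda a: (-qualitative_rating(a, total), -a.users)):
        rating = qualitative_rating(app, total)
        triggered = [t for t in app.triggers if t in TRIGGERS]
        if rating == Rating.HIGH or triggered:
            reason = "rated high" if rating == Rating.HIGH else "triggered: " + ", ".join(triggered)
            short_term.append((app.name, rating.name, reason))
        else:
            long_term.append((app.name, rating.name, "phased / long-term"))
    return {"short_term": short_term, "long_term": long_term}


# Constructed sample inventory for the example (not real systems).
SAMPLE_APPS = [
    Application("core-banking", users=900, data_class="regulated",
                processes=["accounts", "payments", "lending"]),
    Application("hr-portal", users=60, data_class="confidential",
                processes=["payroll"], triggers=["control_issue"]),
    Application("intranet-wiki", users=700, data_class="internal",
                processes=["knowledge"]),
    Application("treasury-pilot", users=5, data_class="confidential",
                processes=["fx-deals"]),
]

if __name__ == "__main__":
    plan = build_audit_plan(SAMPLE_APPS)
    for bucket, items in plan.items():
        print(bucket)
        for name, rating, reason in items:
            print(f"  {name:<15} {rating:<7} {reason}")
```

The HR portal is only rated medium, but the recorded control issue moves it onto the short-term plan ahead of a larger, better-rated intranet system, which is the trigger behaviour the lecture describes.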
-
Okay, so these are the steps for having the audit. Okay, just quickly naming them. First and foremost, gain an understanding of the business process mission of that organization. What is the mission? The mission is what the operation does. For example, in banking, the organization deals with money. They create accounts, manage people's money, etc. You should understand the mission of the organization. Okay. You should understand the objectives that the top management has decided should be the objectives. You should understand the purpose of that organization and how it helps its stakeholders. Basically, I would not say stakeholders, but customers, suppliers, and internal employees. Okay, so that's important. And the processes, okay?

Then, understanding the business environment of the auditee. What is the auditee? Basically, the organization you are auditing. You are the auditor, and the other organization is the auditee. Sometimes the auditee can also be another party. Okay. You must understand that the auditee can be another organization that is asking you to audit their organization, that is, who has given you the assignment. Okay?

Then, review prior work papers. Prior work papers are basically a kind of checklist. If you have certain questions for the auditee or auditee management, you ask them certain questions or request certain documentation to understand their organization. That is, basically, review of work papers. Then identify stated contents. Okay. Now, the work papers are basically your content: policy, standards required, guidelines, procedures, and structure. You study them.

Okay, and then you perform a risk analysis to help design the audit plan. Based on the work papers and the organizational structures, you will understand what the various important aspects of the organization are. You perform a risk assessment or risk analysis. Then, you prepare an audit plan. Based on the audit plan, you will define the audit scope and the audit objectives. You develop the audit approach and audit strategy. Then, assign resources (the auditors) to different areas. Okay. And then, finally, you will address the engagement logistics. So, those are the planning steps. Now, after planning, you will move on to conducting the audit. We will get to that.
-
Okay, so the audit plan should take into consideration the objectives of the audit, the relevance to the audit area, its technology infrastructure, and business strategy direction. You should have a better understanding, as I said, through the work papers, which include your background material, publications, industry reports, independent financial analysis reports, etc. Now, reviewing prior audit reports: as an auditor, you can also ask for prior audit reports. For example, if you're going for an audit, you can ask for the previous year's internal audit report. Okay. Reviewing the business and IT long-term strategic plans: materiality could be based just on that. Okay.

Additional considerations: interview key managers to understand their business issues, key regulations specific to IT, for example. There are many regulations nowadays, as we said earlier, such as RBI for banking, TRAI for telecom, NPCI for payment gateways, etc. The idea of IT functions or related activities that have been outsourced is very important in these times. Every organization has certain outsourcing or third-party collaborations. I was auditing a payment bank recently, and every department has something that is outsourced. For example, the creative department, the marketing department, etc., you know, for campaign development, they sign agreements with other departments. Now, there's a lot of exchange of confidential information between you and your third party, so these kinds of arrangements also need to be checked. What do you share with them? Outsourcing is an important... just to cut this short, outsourcing is an important aspect that auditors must look into: what kind of arrangement is there with the third party.

Lastly, when considering organization facilities, we conduct a walkthrough. We call it a "walkthrough." You know, this is an important aspect when we look at the physical security of an organization, particularly in terms of information security. We go and tour the facility of the organization, trying to assess the awareness of the people. We try to assess what kind of controls they have in terms of physical security, etc., and physical and environmental security. Okay, also, touring the organization's facility will sometimes give you an insight into the culture of the organization. Okay? So, as an auditor, you must also match available audit resources, such as staff, with the tasks defined in the audit plan. Since you have limited resources and certain auditors, you know, tasks will be assigned to the various auditors according to the audit plan.

Now, certain laws and regulations we were discussing earlier: ISPs, banks, and internal service providers are closely regulated. These legal regulations may pertain to financial, operational, and IS audit functions. There is legal, financial, or general SOX compliance, you know. That is basically financial regulation, particularly for U.S. companies. Many companies working globally must be SOX compliant, so you need to consider that as well. And then, operational regulations exist, such as RBI, BCI. These are operational regulations. Then, there are IS audit function regulations. For example, RBI requires that every year you get audited by a CISA and submit the CISA report to the RBI, whether it is the Bank of India or not. So, that kind of regulation exists as well. You must submit audit reports to the regulatory body every year as they demand. Sometimes, they may not want it every year, but they will demand an audit and then they will ask for a report.
-
Okay. Now, there are two areas of concern that impact the audit scope and objectives. One is the legal requirement based on the audit, as I said, which I gave you an example of. Then, there are legal concerns based on the audit, and systems, data management, reporting, etc. Now...

The audit role in compliance is to determine the organization's level of compliance. The auditor must identify those government or other relevant external requirements. However, it's not the responsibility of the auditor to basically look at the various regulations, because that's the job of the compliance department within the organization. For example, if I am in telecom, I should be aware of the various telecom regulations I need to follow. So, you will gather those regulations and ensure you are aware of the regulations. Then, you will also assess whether the organization is maintaining the level of compliance. Okay, so basically, the auditor should request a legal plan, a compliance plan, or a process SOP document which the organization maintains to ensure compliance with all regulations and external requirements. The auditor basically will check whether they are fulfilling that. Now, the auditor may question the compliance plan itself. In this case, say that if the compliance plan is not adequate, then obviously the compliance level is very doubtful. As an auditor, you must also assess both the compliance plan of the organization as well as the level of compliance.

Okay. Next, identify those government or other relevant requirements dealing with electronic data, personal data, copyrights, e-commerce, e-signatures, etc. Computer system practices and controls must also be considered. For example, we have the IT Act of 2008 for this. Then, consider the manner in which computer programs and data are stored. Many countries have retention policies. For example, in India, the retention policy is seven years for logs, so you need to find out what kind of retention requirements exist. Okay, and you have to follow that. And every country has its own. Okay. Then, consider the organization or the activities of the IT services. Okay, then you have the IS audits as well. You also have IS audits to look at. You must assess the requirements for IS audits. For example, if you are maintaining an ISO 27001 certification, you must go every year for a surveillance audit and go for a re-certification audit. You need to see what kind of arrangement is in place and what kind of audit cycles the organization requires. If you don't conduct a surveillance audit, you know, your certification is invalid for ISO 27001 or any of the ISO standards.

Basically, now I have outlined the steps for determining organizational compliance. So you must document the applicable laws, as I said. Every organization documents the applicable laws and regulations. Okay, then assess whether the management and IT function have considered them. Okay, consider the relevant external requirements in their plans. Okay, now external requirements are sometimes contractual obligations. You have contractual obligations towards a third party, mostly towards the customer. You are an organization in telecom, and you have certain requirements towards, for example, providing telecom products. You have specific requirements regarding the availability of that product for that customer in terms of services, such as the service level agreement. So, you must also assess what the relevant external requirements are. Okay. Then, obviously, such requirements in their plans, policies, standards, procedures, as well as business application features. So that's what I said about the service level agreements.

Then, review the internal IT department function activity document that addresses adherence to the laws applicable to the industry. Determine adherence to the procedures that address these requirements, because the procedures should support the laws and obligations. So, if the procedure says, for example, that backup should be conducted, but the law says you should have a retention of seven years... Okay, the law says that you have a retention of seven years, but you don't have a backup mechanism based on that, or you delete the backup every three years. Then, your procedures should... the backup procedure should basically support your retention policy or the retention law of that country. Okay, then determine if there are procedures in place to ensure contracts or agreements with external IT service providers reflect any legal requirements related to responsibilities.

Now, sometimes what happens is that you have a contractual obligation to maintain the certificate, such as ISO, or you have to maintain PCI DSS (Payment Card Industry Data Security Standard). Okay, so you also have to check whether those external IT service providers, you know, combine it with the legal requirement. Okay, let me give you an example. For example, if you're a telecom provider, you must follow the regulatory guidelines for a particular license in telecom. For example, you require an ISO 27001 certificate. If you are a wallet provider like Paytm, you must follow the NPCI guidelines, okay, and you also need to comply. So, it becomes a legal requirement for you; it is binding because PCI is a statutory organization which is bound by the government of India, and then it becomes a law or a legal requirement for an organization. So, it becomes a legal requirement for them to fulfill now. Okay, it is not just a non-statutory requirement for them; it's a statutory requirement for them to fulfill.
-
Okay. Now, we'll further move on to business processes, applications, and controls. In an integrated application environment, our controls are embedded and designed into the business applications. As you are aware, we use, for example, banking applications like C, and for banking sectors we use systems like Oracle, for example, in telecom, for various things, you know, or we use SAP systems in our organizations. These are basically very integrated application environments in an organization. They have multiple supports, and there are multiple processes around that application. Okay, and they're supporting basically multiple departments in an organization at the same time. Okay, so you must understand there are certain controls and assurance levels that the organizations must adhere to. Okay. For that reason, there are assurance levels that are defined. For example, SAP is used by multiple departments for multiple purposes and for multiple processes in that department. Okay, so you must understand that there are certain controls which we put in place to provide assurance to that activity. So, these controls are for providing those assurances. You need to have adequate controls. So, there are three controls, you know, that can be embedded in the bigger application. Okay, so you are providing adequate risk mitigation. Okay, now the three types of controls are management controls, program controls, and manual controls.

Okay. To effectively audit business application systems, the auditor must obtain a clear understanding of the applications under review. Also, when you are reviewing the application, as an auditor, you are checking the adequacy of it. Okay, now there are different types of applications. For example, an e-commerce application, which is a larger application with multiple processes. You have electronic data interchange (EDI). Okay, now electronic data interchange is basically, you know, SCADA systems or systems that provide inputs to another system. Okay, that kind of electronic data interchange. Now, these electronic data interchanges are sometimes inter-organization, inter-department, etc. Okay, then, there are email systems, point-of-sale (POS) systems, which are basically used in retail. There are multiple processes in it: the cost, your billing section, your purchase, your purchase return, your procurement, etc. Then you have electronic banking, electronic finance, then you have payment systems, electronic funds transfer (EFT) or ATMs, supply chain management, purchase accounting systems, integrated manufacturing systems, ICS, your industrial control systems like air traffic control, SCADA, etc., interactive voice response systems. Okay, generally, if you see IVR, we know when we call a support desk it goes to IVR, so that kind of system is there. The image processing systems, AI, DSS, and customer relationship management.
-
Okay, moving on to using the services of other auditors. Okay, now, using the services of other auditors, or experts basically, or maybe auditors in the sense of, maybe you're auditing a third party and that third party is getting audited by another third party who you are believing to be... Let me give you an example here. For example, I am a bank, okay, and PwC is auditing me. Okay, sorry: if I am a bank, I have asked PwC to audit my third party. Okay, this is the arrangement. I have given a job to PwC to audit a third party for me. Okay, the customer, my customer, wants to look at the reports, that, you know, how my bank is performing. Okay, so now I am showing a PwC report of the third party. Okay, subcontracting. So, from a customer perspective, I want to look at how a bank is complying, and how much the bank's suppliers are also, because my bank shares customer information with the suppliers too. Okay, so my bank would always say that "I am protecting your information," but my information is not with the bank; my information is with the third party of the bank. Okay, so this kind of arrangement is there. Now, should I believe my bank's report, or should I believe the PwC report here?

So basically, what I'm saying is, I'm a bank, okay, and my customer wants to look at how I'm, you know, protecting its information. Okay, but as a bank, I'm also sharing the customer's information with the third party. Okay, I've asked PwC to audit that third party who's storing that information. Shall the customer believe the bank's report or PwC's report? I could not trust the bank's report, okay, because the bank, my bank, will always say that "I am protecting the information," right? I would trust a third party; it's a PwC report. As a customer, I'm auditing a bank, and I ask the bank, "Who are you sharing my information with?" The bank would say, "I am sharing the information with a supplier or a vendor." Okay, now how do you ensure that the supplier is protecting my information? Okay, so the bank would say, "I am getting the supplier audited by PwC every year, and that's how it is being protected." Yes, I would not believe what the bank would say; I would believe the PwC report. It says that my information is protected by the third party. Okay, so that's how, you know, you understand: that's how you basically use the services of other auditors and experts. Okay, and other auditors basically, okay, you look at their reports, you substantiate your findings based on the reports.

Okay, so when using external and outside experts, consider the following. Restrictions on outsourcing: as I said, I discussed the outsourcing because that's the most important aspect when we talk about using the services of other auditors. Okay, restrictions on outsourcing audit or security services provided by laws and regulations, the audit charter, or contractual stipulations. Okay, impact on overall and specific IS audit objectives. Okay, these kinds of arrangements can also have an impact on your audit objectives. Okay, impact on audit risk and professional liability. Okay, now there are a lot of agreements in terms of independence in the organizations, and it's a very big, kind of confusing zone for many organizations in terms of independence. Okay, for example, PwC is also working for some... for that organization, and it is not allowed to audit. For example, in India, PwC is not allowed to do financial audit, okay, due to certain frauds that happened, you know, three years back. Okay, so that kind of liability is also there. Okay, then independence and objectivity of other auditors and experts. So independence is one of the important aspects for the auditors and experts. Professional competence, qualification and experience; scope of work proposed to be outsourced and approach; then supervisory and audit management controls. Okay, so these are the things that should be considered when taking the services of other auditors and experts.
-
Now, this is a quick activity which I want to do with you. Now, you have been assigned to an integrated audit. What is an integrated audit? Basically, just to cut short the discussion, an integrated audit is when you're auditing multiple... sorry, not multiple areas but multiple, what you call it, objectives, basically. For example, you're doing a quality audit combined with an information security audit. Okay, that's an integrated audit. Okay, or you're doing an information security audit combining it with the operations audit. Okay, that's an integrated audit. So you have been assigned to an integrated audit. Finance, business, ops areas? No, so that's not an integrated audit. That's not what an integrated audit is. You're doing two audits; you're checking for two different audit criteria. Okay, an audit criterion is, for example, quality, information security, operations, finance. Okay, so you're looking at the quality of the system, you're also looking at the information security of the system, you're also looking at the operational effectiveness of the system, and also you're looking at the financial effectiveness of that system. So that's four things together; that's our integrated audit. Yeah, so you have been assigned to an integrated audit of a payroll process and need to plan the IT audit portion of the engagement. Okay, what is the most important business process area that you need to consider in a payroll? So, to help you perform the audit, would it be better to know the IS audit budget or to know the CIO and CFO risk profile for the payroll process? So what is the most important business process area that you need to consider here?

Now, this is a question for you guys. Okay, so due to resource constraints of the IS audit team, the audit plan as originally approved cannot be completed. Assuming that the situation is communicated in the audit report, which course of action is most acceptable? Okay, so you will focus on auditing high-risk areas, okay, because of the resource crunch. Okay, coming to the next question: this is true, so you verify the software in use through testing first.
-
uh this would we'll try to complete this
-
section which is the types of controls
-
and this is a very easy sections
-
So basically there are different types
-
of controls with which you try to
-
manage the risk, okay: risk
-
transfer, okay, and
-
risk avoidance. Now avoidance is
-
different from elimination.
-
Risk avoidance is basically
-
when we don't take the risk, okay. For
-
example, there's a business unit
-
which is not working properly, okay, and
-
there's a lot of
-
business risk to it; you just, you know,
-
shut that business. Okay, that
-
is for avoiding the risk. For example, I'm
-
going from point A to point B;
-
I'm going to point B
-
through a car,
-
and I see a risk that, you know,
-
rain can happen, okay,
-
so I'm not going at all.
-
That is called risk avoidance, okay.
-
Accepting the risk
-
is that you are going there, okay, and
-
whatever rain comes, I would take the
-
proper controls,
-
but I would go. Okay, that is called
-
acceptance. Mitigating means you are
-
putting proper controls in place,
-
okay, and then you are accepting it. Okay,
-
then
-
what we have, the third option, is risk
-
transfer. Okay, now there is no
-
transfer option here, okay, but generally
-
insurance or
-
other things are there, or outsourcing
-
things, you know, where we transfer the
-
risk to another party.
-
Okay, so controls are there to basically
-
minimize the
-
risk, okay, to maintain the risk. So every
-
organization
-
has controls in place. Okay, an effective
-
control
-
is one that prevents, detects,
-
and contains, okay, or reduces the
-
impact, okay, by reducing the impact
-
of that particular risk event.
-
Okay, so it prevents; so controls prevent,
-
they detect,
-
and they contain or reduce the impact,
-
and also
-
there are certain controls which
-
help in recovery, okay.
-
Now we'll come to those examples at a
-
later stage in this particular area
-
in the domain, but it is very important
-
to develop,
-
monitor, implement, design
-
the information systems controls, okay, in
-
place,
-
basically. Okay, now controls,
-
as we discussed earlier, could be
-
policies. If you remember, we discussed
-
the controls: they could be policies,
-
could be procedures, could be practices,
-
could be organizational structures.
-
Okay, so those four things you have to
-
remember: they could be policies, procedures,
-
practices, or structures
-
that are implemented to reduce the
-
risk to the organization. Okay, coming to
-
internal controls: they are normally composed
-
of policies, procedures, practices,
-
organizational structures, as I said, that are
-
implemented to reduce the risk
-
to the organization. Okay, internal
-
controls should address
-
what should be achieved and what should
-
be avoided.
-
Now they are preventive, as I said
-
earlier: preventive, detective,
-
corrective controls. Now, preventive: these
-
are some of the examples here,
-
and the preventive controls always
-
detect... they can
-
detect the problem before it arrives,
-
okay, before it arises.
-
They monitor both operations and inputs,
-
okay; attempt to predict problems
-
before they occur, okay; prevent an error,
-
omission or malicious act from occurring, okay.
-
Segregation of duties, for example, okay,
-
is a preventive control,
-
okay, which basically detects errors,
-
prevents frauds,
-
etc. Then control access to physical
-
facilities.
-
Control access to physical facilities:
-
for example, you have
-
ACS, access control systems, for physical
-
security, okay.
-
You use well-designed documents for
-
printing; you have input validations, etc.,
-
in an application. That's also
-
an example of a preventive
-
control. Detective control:
-
CCTV, which basically only detects,
-
reports the occurrence of an error,
-
omission or malicious act. Then you
-
have corrective control, which basically,
-
post detection, you know, also
-
corrects the things. Okay, so
-
it minimizes the impact of a threat;
-
remedies problems discovered by detective
-
controls;
-
identifies the cause of a
-
problem,
-
okay; corrects errors arising from a
-
problem; modifies the processing systems to
-
minimize the future occurrence of the
-
problem. Okay, so these are the different
-
control
-
types. Then we have the control
-
objectives and control measures.
-
Now control objective is basically very
-
simple to understand,
-
okay. Every control has an objective,
-
to prevent, and then there could be... so
-
first and foremost we don't define the
-
control; first and foremost we define the
-
control objectives, for example, what do
-
we want to protect
-
ourselves from. Based on the control objective
-
you apply the control measure.
-
Okay, so first and foremost you have to
-
define the control objective: what do you
-
want to achieve from that control,
-
what do you want to achieve, okay, or what
-
risk are you to mitigate?
-
From the risk there would be
-
a control objective,
-
and from the control objective there
-
would be a control.
-
Okay, for example, a control objective can
-
be malware protection. Okay, I want to
-
protect my systems from malware.
-
Now to achieve that control objective I
-
would
-
apply controls: I would apply antivirus, I
-
would apply,
-
you know, patches, okay, I would do,
-
you know, penetration testing of my
-
system. All these are,
-
you know, controls to achieve that. Okay,
-
so control objective is basically
-
defined as an objective of one or more
-
operational areas,
-
okay, to be achieved in order to
-
contribute to the fulfillment of
-
strategic goals of the company.
-
Okay, now the strategic goal of the company
-
could be related to...
-
also related to your risk, which is the
-
high-level risk of the organization,
-
and how that risk basically helps...
-
mitigating that risk will basically
-
help your business objectives
-
to be achieved efficiently. Okay, so that
-
is the
-
control objective. So, okay,
-
so that is...
-
the control objective is such a goal
-
that is especially related to the
-
strategy of the company, okay.
-
Then control objectives are basically,
-
you know, they are statements,
-
okay; they are not basically controls,
-
they are statements of what we want to achieve.
-
Okay, always remember that control
-
objectives are statements
-
of the desired result, you know, or the
-
purpose to be achieved
-
by implementing that particular control.
-
Okay, now this control can be any
-
procedure,
-
any policies, any other structure or
-
practice.
-
Okay, now control objectives apply to all
-
controls.
-
Okay, so, for example, if you have a
-
control objective, as I was telling you,
-
malware protection, okay, you should
-
have a control measure, okay, an
-
activity contributing to the
-
fulfillment of a control objective. Both
-
the control objective and control
-
measure
-
serve the decomposition of strategic-
-
level goals
-
into such lower-level goals and
-
activities
-
that can be assigned as tasks to the
-
staff,
-
okay, for example a procedure. Okay, so
-
this assignment can take the form of a
-
role description
-
in a job description.
-
Okay, I hope that the two definitions are
-
clear
-
in terms of control objective and
-
control measure, or we generally call it
-
a control.
-
Okay, so the next slide, which is control
-
objective, as I said,
-
is a statement of the desired result
-
that we achieve by implementing the
-
controls around the information systems.
-
It can comprise policy, procedure,
-
practice, organizational structures
-
designed to provide reasonable assurance
-
that the business
-
objectives will be achieved and
-
undesired events will be prevented,
-
detected or
-
corrected. Now these are some of the
-
control objectives that can be applied
-
to the information systems.
-
Okay, now if I would, you know, take a few
-
of them,
-
you know, in here: safeguarding
-
assets. I think this is a control
-
objective which every organization would
-
have: protecting the information assets.
-
Then if you have SDLC, software
-
development, in your organization, so you
-
will say that, okay,
-
the processes should be established in
-
place and shall
-
operate effectively. Okay, and
-
if you're using an OS, you
-
will say that, okay, integrity of the OS
-
environment should be maintained;
-
integrity of sensitive and critical
-
application systems environment
-
should be maintained. But these are some
-
of the objectives that are common to an
-
organization.
-
Okay, in terms of, for example, if you come
-
down to SLAs:
-
should meet the service level agreements
-
and contract terms and conditions to
-
ensure that assets are properly
-
protected and meet the operational goals
-
and objectives.
-
So, but when you're looking at control
-
objectives you must also,
-
you know, take into consideration how
-
this control objective
-
is linked to my business objectives as
-
well,
-
okay, and how it is giving value to
-
my
-
organization. Okay, so, and as an
-
auditor you should also see, you
-
know, how this particular control
-
objective is serving the business
-
objective
-
and how this control objective is
-
achieved through various controls in the
-
organization
-
at the same time. Now there are so many
-
general controls;
-
every organization has these general
-
controls.
-
Now, internal accounting control, that
-
concerns safeguarding of assets
-
and reliability of its financial
-
information;
-
operational controls, that concern
-
day-to-day operations; okay, there are
-
administrative controls,
-
which talk about operational
-
efficiency in terms of
-
cost in a functional area and adherence to
-
management policies, internal
-
management policies;
-
organizational security policies and
-
procedures to ensure proper usage of
-
assets; we have overall policies
-
for the design and use of adequate
-
documents and records;
-
access and use procedures and practices;
-
physical and logical security policies
-
for all facilities. So these are some of
-
the general controls which every
-
organization has.
-
Then there are specific, IS-specific
-
controls,
-
okay, information systems specific controls. Now
-
each general control can be translated
-
into a more, you know, detailed,
-
specific information system control. Okay,
-
for example,
-
here if I ask you: administrative
-
controls concern the operational
-
efficiency in a functional area,
-
okay, or if I talk about, you know,
-
reliability of financial information,
-
okay. If you take this example,
-
reliability...
-
safeguarding of assets and reliability
-
of financial information:
-
what do you think is the information
-
system specific
-
control, what would it be, for
-
safeguarding of assets?
-
You have information security management
-
system.
-
Okay, so each general control can be
-
translated into IS-specific controls. The
-
IS auditor should understand the IS
-
controls and how to apply them in
-
planning the audit.
-
Okay, so based on the
-
general control you can also,
-
you know, address information... you can
-
drop down to the system-specific
-
controls.
-
IS control procedures include: strategy
-
and direction of the IT function;
-
general organization and management
-
of the IT function;
-
access to IT resources, including data
-
and programs. So
-
someone talked about transaction data;
-
obviously you can assess,
-
look at how the access to IT resources,
-
including data and programs, is controlled.
-
Then system development methodologies
-
and change control.
-
Okay, these are some of the specific
-
areas where the organization can
-
apply the controls. Then there are
-
operational procedures; the system
-
programming and technical support
-
functions; there's
-
quality assurance procedures, and there
-
is physical access control procedures,
-
okay; there is business continuity
-
planning and disaster recovery controls;
-
network and communications controls;
-
database administration controls.
-
Okay, and that's the reason we have, if
-
you want to look at network and
-
communication controls, there's a network
-
audit that
-
is performed in many organizations.
-
Database audit is another area
-
where you also look at the database
-
administration,
-
okay, very important. Many organizations,
-
okay, their data is critical,
-
okay, specifically banks, if you say so;
-
the administration of the database is
-
something very critical.
-
Then protection and detective mechanisms
-
against internal and external attacks, which is
-
your penetration testing, vulnerability
-
assessment, etc.
-
Okay, we will do the risk-based audit
-
planning.
-
Okay, so now, this is just a repetition
-
of what we have already
-
talked about a lot; just go through it.
-
But you need to understand, you know,
-
here,
-
the nature of business. Okay, nature of
-
business:
-
the auditor must understand... when you
-
talk about risk, the auditor
-
must understand the
-
nature of business. The auditor can identify
-
and categorize the types of risks;
-
that will be better to determine the, you
-
know, kind of
-
risk model or approach of conducting the
-
audit. Okay, for example, if you are in a
-
bank
-
or a telecom or oil and gas, the risk
-
would change,
-
okay. Based on the risk of the particular
-
industry, you should be able to...
-
that should be your
-
model, you know; you should prepare your
-
model based on the type of industry.
-
Okay, for example, if you're doing an
-
audit of a nuclear power plant,
-
okay, now your perspective would change,
-
okay, and if you're doing it for a bank,
-
your perspective should change.
-
Okay, so you
-
should understand the nature of business,
-
and based on the nature of
-
business you should
-
apply the auditing practice. Okay, so
-
knowledge of the business industry is the
-
most important thing.
-
Gather information and plan: take prior
-
audit results
-
if possible; okay, if you are doing a
-
first-time audit then it's not possible.
-
The recent financial information
-
of that organization, because that is
-
important in terms of materiality.
-
Okay, for an organization maybe a
-
thousand-dollar loss
-
is nothing. And then inherent risk
-
assessment. Now,
-
okay, so you're also looking at inherent
-
risk there, so you are looking at
-
risks. Now inherent risk is basically
-
risk without control. For example, there
-
is... I'm giving a very lame example: for
-
example, there's a building and I would
-
say that this building can
-
catch fire, okay; this building, we can
-
have an earthquake here,
-
and etc. etc., okay;
-
it is flood-prone. Okay, I am not looking
-
at the controls right now; I am looking
-
at the inherent risk to that building.
-
Okay, now I can have fire extinguishers, I
-
can have
-
water detector systems, I can have
-
earthquake resistance,
-
etc., but I'm not looking at... I'm not
-
factoring in those things; I'm just
-
looking, from a high-level
-
perspective, at what could be the risk to
-
my organization. Now the
-
benefit of doing that is
-
that you would cover all the risks.
-
Okay, you are covering a lot of ground
-
there; you're not factoring in the
-
controls, you're covering a lot of ground
-
during your assessment.
-
Okay, you are factoring in fire,
-
factoring in earthquake, you're factoring
-
in flood, you're factoring in theft,
-
okay. But if you factor in the
-
controls,
-
for example you say that
-
there's earthquake
-
resistance, now you're not factoring in the
-
earthquake; you're
-
not putting that earthquake as a
-
part of your risk. Okay, you might reduce
-
the risk
-
once you factor in the controls. Okay, so
-
always
-
look at the inherent risk, not the risk
-
which is after the controls.
-
Okay, as an auditor you should always
-
look for inherent risk, not the risk
-
after implementation of the controls,
-
okay.
-
I hope inherent risk is clear to
-
you guys.
-
If not, let me repeat
-
that, because that's an important
-
concept as far as the CISA exam is
-
concerned: inherent risk is
-
risk without factoring in the controls.
-
For example,
-
you know, I am going from point A to
-
point B; I am not looking at
-
any controls that can be applied here.
-
Okay, I'm just
-
saying, okay, if I go from point A to
-
point B,
-
my tyre can get punctured,
-
I can meet with an accident, you know,
-
rain can come. So these are the
-
inherent risks
-
which I'm factoring in. I'm not saying
-
that, okay, I'm wearing a
-
seat belt, or I will
-
follow the traffic control, you know,
-
I will follow...
-
you know, in terms of meeting an accident,
-
I would follow all the rules.
-
I'm not factoring in anything. Okay,
-
so we are looking at, for my own
-
infrastructure, you are looking at
-
a risk without factoring in the controls.
-
Then obtain understanding of internal
-
controls. Now you are factoring in the
-
controls; you are seeing,
-
okay, now these are the risks inherent to
-
the organization;
-
now I would look at the controls. Okay, I
-
will look
-
at the control environment, okay, very
-
important in terms of control.
-
Okay, I will look at the control
-
procedures;
-
I will look at the detection risk
-
assessment,
-
control risk assessment; equate total
-
risks.
-
Okay, and then perform compliance tests:
-
okay, identify key controls to be tested,
-
okay.
-
Now once you know the controls are there,
-
now you will perform the
-
compliance test. Okay, you perform the
-
test of those controls; perform the test
-
on reliability,
-
risk prevention and adherence to the
-
organization policies and procedures.
-
Then you also perform the substantive
-
test. Now compliance test is just yes or
-
no.
-
Okay, for example, you have
-
an access control system, yes or no; you have
-
a security guard, yes or no. So
-
that's a compliance test.
-
But when you perform a
-
substantive test you basically do
-
analytical procedures.
-
Okay, for example, access control systems:
-
you will see that, okay,
-
the people who left the organization,
-
you know, have they been deleted from the
-
access control systems?
-
Have those people who
-
have left the organization
-
accessed
-
the systems after they exited? Okay,
-
that's kind of,
-
you know, an analytical, another approach,
-
you know, one step ahead,
-
you know, in depth, to those
-
compliance tests. Okay, so you apply analytical
-
procedures; you do a detailed test of
-
account balances;
-
other substantive audit procedures. Now
-
these are used
-
basically in banking; for example,
-
you say that a person has
-
made a transaction, whether the bank
-
account has...
-
whether the, you know, right-hand side is
-
equal to the left-hand side. So you send
-
the money to someone;
-
your account balance should go
-
down, the account balance of the other
-
person should go up,
-
you know. So now this is basically
-
a substantive test you perform
-
to ensure the integrity of
-
that
-
transaction, okay, to ensure the integrity
-
of that transaction.
-
Okay, it's kind of a check, or, you
-
know, in a balance sheet you have the left-
-
hand side equal to the
-
right-hand side, etc., the kind of procedures
-
which you apply. So you check
-
the logic of that
-
transaction. Okay, then you conclude the
-
audit,
-
okay, in terms of recommendations,
-
and write the audit report. Okay, so these
-
are the
-
risk-based audit planning techniques, okay.
-
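The leaver check described above, written out as an added example (this is not the instructor's code): it runs the yes/no compliance test first, then the two substantive tests, over constructed HR records and access-log lines. All users, systems and dates are hypothetical.

```python
# Added example, not part of the lecture: a substantive test of an access control
# system, following the instructor's scenario of checking people who left the
# organization. All data below is constructed (hypothetical users, systems, dates).
from dataclasses import dataclass
from datetime import date, datetime

# Constructed HR leavers list: user id -> last working day.
LEAVERS = {
    "asmith": date(2023, 3, 31),
    "bjones": date(2023, 4, 15),
    "cwong": date(2023, 5, 2),
}

# Constructed snapshot of accounts still present in the access control system.
ACTIVE_ACCOUNTS = {"asmith", "cwong", "dlee", "emartin"}

# Constructed access log, one event per line: "<ISO timestamp> <user> <action> <system>".
ACCESS_LOG = """\
2023-03-30T17:55:00 asmith login hr-portal
2023-04-03T09:12:00 asmith login hr-portal
2023-04-14T08:00:00 bjones login core-banking
2023-04-20T11:30:00 dlee login core-banking
2023-05-02T18:00:00 cwong badge-out hq-door-3
2023-05-10T07:45:00 cwong badge-in hq-door-3
"""


@dataclass(frozen=True)
class Finding:
    user: str
    issue: str
    detail: str


def compliance_test(leavers, active_accounts):
    """Compliance test (yes/no): is the leaver de-provisioning control operating?
    It passes only if no leaver still holds an active account."""
    return not (set(leavers) & set(active_accounts))


def accounts_not_removed(leavers, active_accounts):
    """Substantive test 1: which leavers still have an account in the system."""
    return [Finding(user, "account-not-removed", f"last working day {leavers[user].isoformat()}")
            for user in sorted(set(leavers) & set(active_accounts))]


def parse_log(text):
    """Parse the constructed log format into (timestamp, user, action, system) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, user, action, system = line.split()
        events.append((datetime.fromisoformat(stamp), user, action, system))
    return events


def post_exit_access(leavers, log_text):
    """Substantive test 2: access events by a leaver after their last working day.
    Events on the last working day itself are allowed; anything later is a finding."""
    findings = []
    for stamp, user, action, system in parse_log(log_text):
        last_day = leavers.get(user)
        if last_day is not None and stamp.date() > last_day:
            findings.append(Finding(user, "post-exit-access", f"{action} on {system} at {stamp.isoformat()}"))
    return findings


def run_audit(leavers=LEAVERS, active_accounts=ACTIVE_ACCOUNTS, log_text=ACCESS_LOG):
    """Run the compliance test first, then the substantive tests, and collect findings."""
    return {
        "control_operating": compliance_test(leavers, active_accounts),
        "findings": accounts_not_removed(leavers, active_accounts) + post_exit_access(leavers, log_text),
    }


if __name__ == "__main__":
    result = run_audit()
    print("Leaver de-provisioning control operating:", result["control_operating"])
    for f in result["findings"]:
        print(f"{f.user:8} {f.issue:20} {f.detail}")
```

On the constructed data the compliance test fails (two leavers still hold accounts), and the substantive tests add two post-exit events, which is the kind of evidence a yes/no check alone would never surface.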
And these are things that may
-
impact the audit approach. Okay,
-
audit risk and materiality:
-
as I said, inherent risk I explained to you
-
earlier.
-
As it relates to the audit risk, it
-
is the risk level or exposure of the
-
process or entity to be audited without
-
considering the
-
controls that the management has
-
implemented. Inherent risk exists
-
independent of an audit
-
and can occur because of the nature of the
-
business. Okay, as I said, a
-
building: earthquake can happen,
-
you know, fire can occur, okay, flood can
-
happen. So this is the inherent risk. Now
-
control risk is basically the
-
risk that a material error exists that
-
would not be prevented or detected
-
on a timely basis by a system of
-
internal controls.
-
So control risk: even if the control
-
is present, there are chances that the
-
control may miss
-
the risk. Okay, for example, control risk
-
associated with manual reviews of
-
computer logs:
-
okay, if you're doing a manual
-
review of a computer log which is
-
thousands in number, okay, there's a
-
high probability that
-
you would miss the information. Okay,
-
so the control risk associated with
-
computerized data validation
-
procedures
-
is ordinarily low if the process is
-
consistently
-
applied. Then there is detection risk:
-
again, the risk that the material errors
-
or misstatements that have
-
occurred will not be detected by the
-
IS auditor. Now there is a possibility,
-
because audit is not a guarantee, it's
-
assurance, okay.
-
So there's a possibility that as an
-
auditor we failed to identify...
-
we failed to detect risk in the system,
-
okay, and that
-
happens, you know; we are human beings, and
-
this has happened in
-
many organizations, that the auditor
-
failed to
-
detect errors and that error was
-
there for a very long time, and then one
-
auditor came
-
and he detected the error, and
-
then he looked at the previous reports;
-
there also the error was missed,
-
you know, etc. etc. So there's a detection
-
risk also
-
from an auditor's perspective. Then the
-
overall audit risk is also there. Okay,
-
now the overall audit risk is the
-
probability that the information or
-
financial reports may contain material
-
errors and the auditor may not detect
-
an error that has occurred. Okay, and now
-
the... so the overall audit risk is
-
faced by the auditor,
-
or the auditor can also fail to detect an
-
error, okay, that has occurred. Okay, now
-
there... okay, sorry.
-
So the difference between
-
detection risk and overall audit risk you
-
must understand:
-
the detection risk is that the
-
material errors or misstatements that
-
have occurred will not be detected by
-
the IS auditor.
-
Okay, similarly, you know, the overall
-
audit risk is that the material errors...
-
the auditor may not detect an error that has
-
occurred. So it is almost,
-
you know, a similar definition, what we
-
have for detection and overall
-
risk. Okay, now the objective
-
in formulating the audit approach is to
-
limit the audit risk,
-
okay, in the area under scrutiny, so
-
that the overall
-
risk is at a sufficiently low level
-
at the completion of the examination,
-
okay.
-
Coming to risk assessment. Risk
-
assessment, we know, basically... the
-
auditor...
-
a risk assessment basically assists the
-
auditor in identifying the high-risk
-
areas,
-
and also it helps in evaluation of
-
controls. Now
-
risk assessment: to identify, quantify,
-
prioritize risks
-
against criteria for risk acceptance and
-
objectives relevant to the organization.
-
Always remember that risk assessment
-
should be able to assess based
-
on a criteria. Okay, for me...
-
organizations have different criteria.
-
Okay, every organization has to define
-
the criteria on the basis of what they
-
want to consider
-
this risk. Okay, every organization
-
would have different criteria,
-
okay, for acceptance. Okay, now for me,
-
as I said again, a one thousand dollar loss
-
is very much, but for a big organization
-
it's nothing. Okay, so
-
based on that level, okay, you would
-
say
-
is it high, medium, low, okay, and an
-
organization has to decide whether it
-
would
-
accept the low risks, medium
-
risks, or
-
it will also accept the high-risk areas,
-
okay, that the organization has today. And
-
it also depends on the nature of the
-
organization; for example, a nuclear power
-
plant:
-
even a low risk would be very much
-
for that organization. For example, a
-
library: even a library is an organization,
-
but for them, you know, that risk
-
may not be that much;
-
okay, they would only consider high risks
-
to them. So
-
it would depend on the nature of
-
business, and also, okay, it supports...
-
Now risk assessment supports the
-
risk-based audit decision making,
-
as we have already studied about risk-based
-
auditing
-
principles. So it supports the decision
-
making by considering variables such as
-
technical complexity,
-
level of control procedures in place.
-
Okay, for example, there
-
is an area where a lot of controls are
-
present and the risk is
-
less material; okay, you may want to
-
consider it as a low-risk area.
-
Okay, the level of financial loss also
-
is something which should be
-
considered. Okay, for example, if a risk
-
materializes...
-
a risk is triggered, you know,
-
a risk is
-
basically materialized, that happens, you
-
know, a risk event
-
in reality happens: what would be the
-
financial loss?
-
Okay, generally many organizations use
-
this financial loss as a criteria, okay,
-
in terms of,
-
you know, high, medium, low, or maybe
-
sometimes organizations say that if
-
their
-
risk is less than one million then it
-
would be
-
accepted; if it is more than one million it
-
would be,
-
you know, mitigated, okay, or a
-
management decision needs to be
-
taken. So we can also
-
define a financial loss figure
-
against that. Now there are multiple risk
-
responses. As I said, risk mitigation
-
is to reduce the risk with
-
appropriate controls; accept the risk in
-
terms of knowing it,
-
okay, knowingly and objectively not taking
-
action,
-
because sometimes, for example, obviously
-
there's too much
-
cost to basically
-
mitigate it;
-
that's not how their business is; there's
-
no financial
-
support there, you know. I will give you
-
the acceptance example here. Then the
-
risk avoidance is basically
-
not doing that activity at all; you're
-
not allowing action that would cause the
-
risk to occur.
-
Okay, for example, I gave you an
-
example of,
-
you know, going from one place to another:
-
let's say, if I see that
-
there's a rain that would come, you know,
-
I foresee a rain,
-
you know, I don't go. So that is avoiding
-
the risk, okay.
-
Then risk transfer is sharing and
-
transferring this
-
risk to the other party. Now risk
-
transfer has to be very much, you know, a
-
decision
-
that the management has taken very
-
cautiously, because
-
now when you're transferring the risk
-
you are not transferring the
-
responsibility
-
for the risk occurrence. Means, for
-
example, you're taking insurance
-
for a fire; now your
-
fire, you know, happened; now you
-
have only looked at the financial
-
aspect of that risk. But again, if you
-
see how
-
your employees are suffering, how your
-
suppliers are suffering, how your
-
customers are suffering,
-
again that responsibility is on you; it's
-
not on the insurance provider to look at.
-
So you are
-
basically not transferring the entire
-
risk; you are just
-
transferring the financial aspect of
-
that risk to the insurance company.
-
Okay, now in terms of risk acceptance,
-
very much important is, look at,
-
deliberately not taking action. Okay, you
-
are not taking action
-
because of the cost of that control
-
to be put in place. For example, I went to
-
an audit where
-
it was a house; I went for an
-
ICICI Bank
-
audit and it was just a simple house, you
-
know,
-
and there were two systems there. It's a
-
third party
-
of ICICI Bank. Okay, there were two
-
systems and only
-
one employee was there, and one
-
employee was on leave.
-
Now what they're doing is, the bank is
-
sending them a form
-
for their club membership; okay,
-
they're typing in the club membership,
-
they're scanning the document and
-
they're sending it back to the
-
bank.
-
Okay, so it's a manual form which comes
-
to the third party;
-
the third party types it in, does the data entry
-
of that form,
-
scans that form and sends it to the bank
-
again,
-
sends it to the bank. Okay, now this is a
-
small organization; they are dealing with
-
PII of the bank customers.
-
Okay, now what I see here is that...
-
now I asked them to have an antivirus; I told
-
them these are hundred percent
-
the controls that should be in
-
place: you don't have these controls,
-
you're using your personal
-
systems for storing bank information, you
-
don't have antivirus.
-
I gave the list of findings there. So he
-
said, I get 10 rupees per form
-
to fill this form, each form. Okay, do you
-
want me to
-
apply this control
-
for 10 rupees, which I get from... I
-
don't want business from ICICI. That's
-
what he said to me. So I said,
-
that's how it is, you know: you accept the
-
risk knowingly and objectively,
-
not taking action. Okay, but again the
-
risk is to the bank.
-
Okay, now this has been transferred to
-
him, but again he's not
-
able to properly handle that,
-
okay.
-
Now I don't know what happened; I gave
-
that report to them; I don't know
-
whether the business is still with that
-
third party or not, or whether, you
-
know...
-
These situations can happen, so your risk
-
response option should be
-
very much in line with the option... very
-
carefully,
-
any organization should take that option
-
very carefully.
-
Okay, thank you guys, thank you very much.