We'll start with the CISA, and I have a pretty good idea that you come from diverse backgrounds, some from finance, some from IT, and you want to do this training. That's a very good thing, especially as we're facing a situation where, across the entire world, people are trying to upskill themselves. CISA is one of the most valuable certifications you could have chosen to upskill yourself.

CISA has not come about very recently. It has been there for a long time, since the 1990s. Now, even in the 1990s, our IT systems weren't as prevalent, I would say. However, by the year 2000, moving into the 21st century, people started using systems more, and with that came a lot of risks associated with those systems. Everyone agreed that risks were present and needed to be mitigated. That's the reason the board, or the owners of those systems, the owners of the organizations using those systems, wanted to put certain controls in place, in terms of getting to know how the systems are working, whether those systems are working and giving adequate value to the organization. So that's the reason this certification was introduced.

Auditing is one of the important controls from the board of directors' and organization owners' point of view. They introduced information systems auditing, and for that there was a lack of resources and a lack of competencies in the market to understand those systems and the controls within those systems: whether they are working as expected, and whether they are giving value to the organizations as per the expectations of the stakeholders. So that's the reason the CISA certification was introduced.

Gradually, it has become one of the pioneering certifications in auditing. Pioneer, I would say: it is the only certification which is recognized in the world for information systems auditing. There is no other certification, and ISACA has a monopoly there; no one has beaten ISACA there. The knowledge that is in ISACA's body of knowledge is found elsewhere, but combining all of it together and using it as a mechanism to upskill people is something fabulous which ISACA has done.

Now, just to introduce you to the ISACA program: this is generally a five-day course, in which we cover the five areas which ISACA describes as the domains. I will be talking about those things, and I would like to have a very interactive session along the way, because it also covers the knowledge part, the body of knowledge. So it's not just about learning, or grasping things, or knowing some terminology. It's also about understanding how that terminology applies.

For example, take "risk." I'm just taking an example here. Risk is any uncertainty to the business operations: any uncertain event that could cause disruption to an organization, any uncertain event that could lead to our organization's objectives being impacted. That is a risk. So you have to not only understand the terminology, which is the basic definition of risk, but also see how you can apply it in your organization. Look at risk as any uncertain event: what could be an uncertain event for my organization, and how could those uncertain events affect my organization's objectives?

Now, when I say "my organization," it doesn't mean any organization which you work for; it means the organization which ISACA wants you to think of. They would basically want you to apply that terminology to an organization and see what you would do, what the best step is that you would take to address that issue. I won't go into the details of what kind of questions they ask, but honestly, the questions ask for the most important thing, the first thing which you do, the primary option you have. So all the options would be right as per the question, but you have to choose the best option according to how ISACA perceives the best option. So you also have to understand ISACA's perspective on that question and on how you can address it. That's the reason we are understanding things from ISACA's perspective, an organization's viewpoint.

And then we would also have certain activities which enable you to understand those perspectives. There will be discussion questions, and there will be group discussions around case studies. In a classroom session the group discussions become very interactive, and I will try to be as interactive as possible in the group discussions. Then we would also take real-world examples of CISA's subject matter. The real-world examples could come from my experience, from your experience, or from what ISACA puts forward.

Now, what are the benefits? I've already told you it's the pioneer certification. It gives you a competitive edge, and it helps you achieve high professional standards: when you say that you have an ISACA certification, your CV speaks about your knowledge and experience. It also quantifies and markets your experience. So we have people here with 18 years of experience; for those people, I would say it's a leap which you can take by having this certification. Your 18 years of experience can speak even louder when you have this certification with you. I have trained people with 4 to 5 years of experience up to 26, 28, 30 years of experience. Some of them were getting into CISO positions, but they wanted to have the certification before getting to the CISO position. I have trained those kinds of people as well, and they were able to clear the exam. So it recognizes and marks your experience; you can leverage your experience with this certification. It also increases your value to your organization.

I was saying, the CISA certification was introduced in 1978, but it became prominent in the 1990s when information systems were in place in the world. There's a new version which came in 2019, and we will be dealing with that version. I was certified in the previous version, which was the 2016 version. After three years, ISACA changed the organization, changed certain structures, and we will be doing the latest version, which is the 2019 version.

So, these are the five domains of ISACA. The first is the information systems audit process. Now, what does information systems audit mean? What does audit mean? Audit means to check and verify, right? So audit means to check and verify whether the systems and controls are working appropriately or not. We will look at how you ensure the systems are checked appropriately in terms of auditing. We will also study the audit standards, guidelines, and code of ethics for auditing information systems. You will be understanding the business processes under audit, because an audit is itself a project. When you go for an audit in an organization (we have people from Deloitte here, for example), it's an audit project altogether for the organization. So how do you plan an audit? How do you conduct an audit? How do you report audit findings and communicate with stakeholders? And what are the post-audit activities? All these topics will be studied here. Then we will also look at the types of controls, and there's a specific concept of risk-based auditing in domain one. So that is domain one.

In domain two, we will discuss the governance and management of IT. You have to understand the difference between governance and management here. We will see, from a board of directors' perspective, what they want from the IT infrastructure of the organization, and you will also understand, from a CEO's perspective, how they enable IT to add value to the organization. So we'll understand the difference between governance and management, understand where they meet each other and how the IT systems work, and, from an auditor's perspective, how you check whether IT is providing value to the organization and whether we are realizing the benefits of IT in our organization.

Then, in domain three, we're going to talk about information systems acquisition, development, and implementation. When you acquire new systems in the organization, when you buy new systems, or develop new systems, or implement those systems in the organization: from an auditor's perspective, how do you ensure that the steps for acquiring, developing, and implementing the systems are appropriately addressed or not, and whether the systems which are implemented are implemented effectively in the organization or not?

Then we will talk about operations and maintenance of information systems. Once the system has been acquired, developed, and implemented in the organization, you also need to worry about how you maintain it. How can that system continually provide benefits to the organization? For that, you need maintenance activities and business resilience to ensure that the system is working appropriately until the end of its life cycle.

Then we will also talk about the protection of information assets, which is very important, and not only from a regulatory and legal perspective, although that's where the higher focus is these days, because there are a lot of regulations in the banking, telecom, and oil and gas sectors. There are a lot of regulations in terms of protection of information assets, because information security, or cybersecurity, has now become an important aspect even at a national level around the world. Every country in the world treats information security or cybersecurity as a serious threat to its critical infrastructure. So we will also talk about protection of those information assets. When you talk about information assets, we're talking about the confidential information which organizations have, and the secret and top-secret information which countries have at a higher, national level.

So these are the five domains. Let me also tell you about the structure of the CISA certification exam. Now, these are called the domains.

Each domain is divided, or structured, in a certain way, so we'll go through that structure. Every domain has task statements. For example, in information systems auditing, what tasks do we have? You would have driving a risk-based audit strategy, that is, how to make an audit strategy. That is one task: making audit strategies. Then there's the task of planning the audit, there would be a task of conducting the audit, a task of communicating the audit results, a task of reporting the audit results, and a task of post-audit, that is, what the post-audit activities are. So this is how every domain is structured. And then, for doing those tasks, there would be knowledge statements. For example, for conducting the audit, you would require knowledge of sampling, knowledge of controls, etc. So this is how every domain has been divided.

And then there would be certain test questions we would discuss that would validate whether you have understood the concepts well enough. Also, as I said in the beginning, there is a practical knowledge part of it, which is how you apply those tasks in an organization. This organization is basically a perceived organization, from any perspective, and you are the auditor. So all the questions that would be asked in the exam are from an auditor's perspective: being an auditor, what would you do in this situation? So the questions would be very situational. You are given a scenario, you are the auditor, and what would you choose to do in that scenario? That's how the questions would be framed. So the application of general concepts and standards is very important to understand.

All questions would be multiple choice and designed for one best answer. All the answers would be right, but you have to choose the one best answer. Now, the catch here is that you may think, from your perspective, that this is not the best answer. I also contradict ISACA a lot in terms of the best answers; I think that they are wrong in their perspective of the best answer. But right now I have to think that I have to clear the exam, not my own exam. So I have to accept their best answer and build a thought process such that I understand what their thought process is. ISACA is trying to create a thought process for you, and that's something weird, but that's how it is. So from the beginning, you must be aware of these things. And this is what I'm speaking from my experience. People may have their own experiences, and you will have your own experience when you take your exam, and hopefully you will clear it.

Don't worry. You have to read each question carefully and eliminate known incorrect answers. This is also my experience and the experience of many other people: you have to eliminate the wrong answers. Don't go for the right answer too quickly. If you find the right answer, don't just say "yes." You also have to look at the other options and try to eliminate them first. So if you think that this answer is right, stick to it and try to eliminate the other three first. Eliminate means that you should be very convinced that the other three answers are wrong. You might perceive, among the other three answers, that there is some contention between one or two of them, and then you can reduce the options for yourself. For example, if you have four options, try to eliminate two first, those you think absolutely cannot be the answer. Then you will be stuck between the two remaining options. This is where you will find yourself stuck with most of the questions: you will be stuck between two possible answers. Then you have to think from ISACA's perspective: what would be the right answer from what I have studied in the training or what I have read in the manual?

So, identify the keywords. Make the best choice possible, as I said. Identify the keywords or phrases in the questions; as I said earlier, most questions would be of this kind. So identify the keywords or phrases in the questions before selecting and recording an answer.

Read the provided instructions carefully. There will be instructions for you when you sit for the exam. Skipping over these directions or reading them too quickly could result in missing important information and possibly losing credit points. This has happened with people I know, and they had to re-sit the exam. Sometimes, when you're sitting the exam, you don't read the instructions properly, and you accidentally click on "end exam" and end the exam on the first or second question. Then it doesn't resume immediately. It's an expensive exam, $750; it's not a small amount of money. Sometimes ISACA gives the option of resetting, and sometimes they don't. In either case, you could lose that money.

Now, grading is based solely on the number of questions answered correctly, so there's no negative marking like we have for CISSP exams. There is no negative marking: if you mark an answer wrong, it counts as zero; you are not given a minus. It is also unlike the CISSP exams, in which, if you have 150 questions and you mark 80 questions right, it will automatically finish. The CISA exam is not like that; the CISA exam will take you through all 150 questions. You can go back and forth, and you can navigate to the questions easily. So these are some advantages for us.

The exam period is four hours, so around 1.5 minutes per question, and that's not too little, I would say. If you are thorough with the material, you would answer in 30 seconds.

I would skip these rules for you and go to the important one, which is exam scoring. A scaled score is a conversion of the candidate's raw score on the exam to a common scale. So for example, if there are 32 questions in domain one, it will not give you 32 questions, 32 marks. All the 32 questions would have different marks; not every question will be one mark each. So 150 questions are scaled to 800. It uses and reports scores on a common scale from 200 to 800: no one gets less than 200, and no one gets more than 800, obviously. So it's between 200 and 800. A candidate must receive a score of 450 or higher; that's the minimum score. I got 656 in the exam. And one important point: you have to pass all the domains, so you have to score 450 in all the domains. Even if you get a score of, for example, 600, but you score less than 450 in any of the domains, then you have to repeat the exam. So that's how it is.

You get the score at the end of the exam. It will give you a very small indication to say "pass": it will flash on your screen, a very small sentence that says "you passed," and you will know that you have passed. You will not get the official result there, but you can leave the center if you have passed. The official results come 10 days later, and after those 10 days you can apply for the certification with your experience. There will be a score report in which you will see how much you have scored in each domain.

So these are the steps for the user to get the certification. You need to pass the exam first, and then you have to submit the application with your experience. You have to sign a checklist stating that you follow the ISACA code of practices and ethics, and you agree to comply with the CPE (Continuing Professional Education) policy, which is about continuing professional education points. You must also comply with the information systems auditing standards which ISACA publishes. Alright, let's start with Domain One.

First and foremost, we have to understand the definition of information systems: how we perceive those information systems to be. Information systems include your laptop, your desktop, your mobile phone, and your servers. It's everything around you in terms of digital technology. So those are the information systems. Now, when we look at information systems, we're not looking at hardware only. We are also looking at the processes around that hardware. For example, for your laptop, as simple as that, we have the process of antivirus updating on the laptop, the maintenance process of the laptop, etc. Similarly, for servers, you have backup, release management, change management, patch management, and antivirus on the server. All those processes around the server are also part of the information system. So when we are auditing an information system, we are not just auditing the hardware; we are also auditing the processes around that hardware. Why we are auditing is because the business depends on that system; that's the reason we need to have processes around it.

When we talk about information systems auditing practices, they encompass the standards, principles, methods, guidelines, and techniques that an auditor uses to plan, execute, assess, and review business or information systems and related processes. Now, as I said, the definition of information systems is very important for you to understand. You also need to understand that there are certain governing mechanisms that have been defined by the industry, and these governing mechanisms are the standards. For example, ISO 27001, which is a standard for information security management systems: that standard governs how information security shall be managed in an organization. Similarly, there are certain principles, certain methods, and certain guidelines and best practices (which we also call techniques) that the auditor can use to complete the audit across all the phases of auditing, which are planning, execution, assessment, and review.

As an auditor, you must have a thorough understanding of the auditing processes. You should also have an understanding of the information system processes, like what I said: change management, patch management, etc. Whatever systems you are dealing with, you should have an understanding of the processes around the information system. You should also understand the overall goal. Ultimately, the benefit of the information system is realized by the business, and it helps the business achieve its own objectives. The business also wants certain controls in place to ensure that those objectives are achieved effectively and efficiently. So you should also have an understanding of the controls.

Now, to take an example: say the information system we are talking about is a server. The processes around that information system include backup, which is important, making changes to the server, new releases, patch management, etc. You need to understand the important processes around that system, and then you have to understand how these processes would also have an effect on the business processes. For example, that server is supporting an HR function in an organization, particularly payroll. Now, if there is a patch release or patch management, or a new password release, or if there is a change to the server, how will that affect my HR payroll system in the organization? And you have to see what control you can put in place so that it doesn't affect my business.

Now, change management itself is a process. Processes themselves are controls, but how do I ensure that the processes are in line with my business objectives? As an auditor, you are there to check. You are there to verify those processes: whether the controls in place are working adequately, and whether those processes continue to serve their business objectives. Are there any issues with those processes? As an auditor, you would try to verify those things through sampling and through various other auditing techniques, to see whether the processes and controls are working effectively. So what we are trying to see here is whether the business processes and controls are designed to achieve the organization's objectives and protect the organizational assets.

Now, upon completion of this domain, you would be able to plan an audit. An audit, as I said, is a kind of project. The same project management techniques, the same project management methodology, also work for an audit. When you say project management, you have planning; you're planning the implementation of that project, in this case the scheduling of that project; and then implementation and development, and then post-implementation. Similarly, you have planning the audit, conducting it (which is your implementation), communicating the audit progress, conducting audit follow-ups, and then evaluating the management and monitoring of controls in the audit. You also utilize data analytics tools to streamline audit processes.

After that, you will have to provide consulting services and guidance to the organization to improve the quality and control of the information systems. Now, this is not part of the audit, but sometimes when we have an audit called an internal audit, your role is also something related to consulting, where you try to improve the internal processes. However, if you go for an external audit, you don't do that; you don't provide consulting services. Then you also identify opportunities for process improvements in the organization's IT policies and practices. These are some of the areas, and there will be many more, so this is not an exhaustive list. These are some of the areas where you, as an auditor, should be aware.

The topics in this domain are divided into two parts. One is planning, and the second is execution. In the planning part, we will study the audit standards, guidelines, and code of ethics (as given by ISACA), and we will understand the various business processes in an organization. For example, we are aware of HR, finance, procurement, physical security, the real estate of the organization, managing the administration of the organization, the operations, etc. We will study some of the common processes in every organization. You will also see the types of controls. Now, what are controls? Controls are there to mitigate the risk to the business objectives.

Then we will also talk about a very important principle, risk-based audit planning. You must be aware that in an organization, resources are limited. Every organization's resources are limited; that's the fundamental principle you need to understand. And since the resources are limited, you have to align those resources to the area where there is maximum risk for the organization. That's the reason we call it risk-based audit planning. So, as an auditor, I am limited; I am a single person in the whole organization. My focus should be on core banking, core applications, or core business operations rather than, maybe, HR. That's the reason we look at the maximum risk area of an organization and start auditing from there, so that the maximum risks are addressed in the organization. So this is basically risk-based audit planning: you plan the audit based on the risk to the organization. You go for high risk first, and then medium, and then low. This is how every organization works.

Then you have the types of audits. There are internal audits, second-party audits, and third-party audits. We will see what arrangements we have in the various audits, and also what the difference is between an audit and an assessment. Audits are done to verify things; assessments are also done to verify things, but due to the different arrangements in an audit and an assessment, your communication changes, and your job responsibilities also change.

In the execution part, we will study the project management of an audit. As I'm continuously repeating from the beginning, an audit is a project, right? We have to treat it as a project. Then we will also look at sampling methods, and we will look at the audit evidence collection techniques. That's very important because, as an auditor, by principle, you should not give any findings unless you have evidence for them. Then you have data analytics. Nowadays, we are using systems like banking systems and telecommunication systems where you require data analytics techniques to ensure that the system is working effectively. So we will study how data analytics helps auditing to give better results. Then, reporting and communication techniques are very important. Again, this would depend on the reporting and communication technique, and it would also depend on the arrangement of the audit: what kind of arrangement is it?

Then we'll talk about quality assurance and improvement of the audit process. Now, an audit also has a quality department. Generally, all auditing functions have a quality department. For example, if I give a finding as an auditor, the quality of that finding would also be judged. I wouldn't say judged; I would say it would be assessed. For example, what kind of evidence is it? How has that evidence been captured? How effective is that evidence in saying that this particular finding can affect the business? All those parameters are assessed. Many auditing firms, for example EY, Deloitte, and PwC, have quality departments that verify this. External auditors also, sometimes, though not very rigorously, look into what kind of findings the auditor gives. And we also have some contentions when we are audited. If the auditor gives a finding, we can raise a question like, "Why did you give this finding to me?" We can question them, and they should be able to answer those questions appropriately. Okay, let's start with the first topic, which is planning.

Okay, so what is an audit? An audit is
-
basically,
-
as I said, verifying. Another word for
-
auditing is verifying,
-
or checking. Okay, so it's a formal
-
examination and testing of information
-
systems to determine whether
-
those systems are working as per the
-
applicable laws, regulations, contracts,
-
and industry guidelines.
-
Now, these compliances--laws,
-
regulations, contracts, and industry
-
guidelines--
-
vary, again, from
-
country to country,
-
industry to industry, supplier or
-
contractor to contractor,
-
third party to third party. Also,
-
regulations are typically set by
-
regulatory bodies.
-
So, it also depends on, again,
-
the regulatory bodies for industries.
-
For example, in India there's TRAI
-
for telecom, RBI for banking, NPCI for
-
payment gateways,
-
IRDA for insurance. These bodies also have
-
certain
-
guidelines for the information systems.
-
So, information systems
-
have to comply with those guidelines or
-
regulations set by the regulatory
-
body.
-
Okay, so that is one thing you check. Okay.
-
Then, the other thing you check
-
is whether those comply with the
-
governance criteria
-
and relevant policies and procedures. Now,
-
you also
-
see that the information system should function
-
under the organization that owns it--so, information
-
is owned by an organization, and
-
that information system has to work
-
according to the internal policies and
-
internal compliances
-
of that organization. Okay, if you,
-
for example,
-
take a server, it
-
should work according to the change
-
management process,
-
patch management process, and, you know,
-
backup process defined by the
-
organization.
-
Okay, so that is one thing you
-
check: whether it’s compliant with the
-
policies, compliant with the laws and
-
regulations,
-
and whether it is complying with the
-
internal policies and procedures of the
-
organization.
-
The third thing you check is whether
-
that information system
-
is compliant with the CIA--which is
-
Confidentiality, Integrity, and
-
Availability--
-
at an appropriate level. Now, what is
-
confidentiality? What is integrity?
-
And what is availability? Confidentiality
-
is basically
-
that the system doesn't allow
-
unauthorized access.
-
Integrity means the system doesn't allow
-
inadequate or unauthorized
-
modification to data
-
or any other parameters of information
-
systems. The third
-
thing is availability, which means the
-
system
-
allows authorized people to work. For
-
example, if you want to
-
raise a ticket, you should be allowed to
-
do that. Okay, or,
-
for example, if you want to
-
access your emails,
-
as email is a very important
-
operation, you should be allowed
-
to operate your email because
-
you're authorized to do so.
-
Okay, so that’s also an important thing
-
to look at from an information
-
systems perspective.
-
So, confidentiality, integrity, and
-
availability should be maintained
-
in the information systems, and
-
we apply controls to reduce the
-
impact on the CIA.
-
Okay, so you should also test
-
the CIA parameters
-
of the system. Then, the fourth thing is whether
-
the efficient
-
and effective targets are met. Now,
-
efficiency
-
is something related to
-
cost. Okay. So,
-
IT operations are accomplished
-
efficiently, which means reducing costs.
-
Okay. Effectiveness means that they are
-
done effectively. For example, you have an
-
antivirus.
-
First and foremost, efficiency means the
-
cost of the antivirus should
-
not be too high according to
-
the organization.
-
Effectiveness means it should also prevent
-
viruses
-
and malware attacks on the
-
organization or
-
the system or the information system. Okay.
-
So, these are the four parameters
-
you need to look at when you are
-
verifying and checking information
-
systems.
-
The first thing is the compliance
-
with laws and regulations. The second
-
is about governance,
-
the compliance level, and the internal
-
policies and procedures.
-
Okay. The third thing is the impact
-
on the CIA.
-
And the fourth thing is about the efficient
-
and effective
-
operations of the information systems. So,
-
these are the four parameters you check
-
in the audit.
-
Okay, so the audit process has
-
three steps. One is planning
-
the audit,
-
then conducting the audit, and finally,
-
reporting and follow-up.
-
Okay, so we’ll discuss that. First and
-
foremost, you need to understand the
-
ISACA standards. There is an audit
-
standard by ISACA. I'll go to the ISACA website
-
to show you where it is. If you check
-
the resources,
-
in the resources, you will
-
go to Frameworks, Standards, and
-
Models. Okay.
-
Okay, there is this process called ITAF,
-
which is the Information Technology
-
Assurance Framework.
-
Okay, this is a free standard.
-
Okay, you might download this.
-
Okay, so you have to select the language
-
and download it.
-
Now, this is an important standard to
-
look at. Okay, it has been downloaded, and I
-
have that
-
with me.
-
Okay, so this is called ITAF,
-
which is your IT Assurance Framework.
-
Okay, and this talks about IS
-
audit and assurance, so this is a
-
standard, basically.
-
Okay. So,
-
first and foremost, the standard for IS
-
audit and assurance
-
is divided into three parts:
-
one is the general standard,
-
okay, and performance standard,
-
and reporting standard.
-
Okay, so in the general standard, it
-
talks about planning,
-
okay. Performance talks about
-
conducting the audit,
-
okay? And then, the reporting standard
-
talks about the third space, which is
-
reporting. Now,
-
how to apply this standard. There is
-
a certain guideline
-
which has been defined. Now, the
-
guideline is this one.
-
If you see, "IS audit and assurance
-
guidelines." Okay.
-
Now, basically, both of these, if you see,
-
this is also audit charter. This is also
-
audit charter.
-
Here, if you see, it talks very briefly
-
about what it is. Okay? This
-
guideline will tell you how to implement
-
this audit charter
-
in the audit and assurance guidelines. Then,
-
there are
-
tools and techniques in this particular
-
document. Okay? IS audit and assurance tools and
-
techniques. And then, there is
-
also a professional ethics part
-
there. In the tools and techniques,
-
there is also,
-
you know, professional
-
ethics and standards.
-
Now, coming back to the presentation,
-
what is this standard
-
about? ISACA's audit and
-
assurance standard defines mandatory
-
requirements
-
for IS auditing. Obviously, whenever
-
you
-
see the word "standard," you must be aware
-
that it's mandatory.
-
Okay, and how do you understand that it's
-
mandatory? Because the word "shall" is used
-
there. Okay, so if you see here
-
in the audit charter,
-
if you go to page number 12 quickly,
-
if you see the audit charter,
-
you'll see the word "shall" is used.
-
Let me show you. If you see,
-
the word "shall" is used. Okay.
-
So, if you see everywhere "shall" is used,
-
this is mandatory. When you say
-
"standard,"
-
this is mandatory. Okay, and when you go
-
to the guideline, go to
-
page number 40, go to page number 42
-
quickly,
-
and you'll see the audit charter. The word
-
"should"
-
is used. If you see here, the
-
purpose of this guideline is to assist, and
-
the IS auditor
-
should consider this guideline. Now, this
-
is a guideline. A
-
guideline is non-mandatory. A
-
standard is mandatory.
-
Okay, so this is one difference you must
-
understand. You will see this is
-
basically the guideline's purpose
-
and linkage to the standard. Okay, coming
-
back,
-
that’s the reason the
-
standard defines mandatory requirements
-
for
-
IS auditing, reporting, and informing.
-
Okay,
-
as an auditor, you must know
-
the minimum level of acceptable
-
performance required to meet the
-
professional responsibilities
-
set in the ISACA Code of Professional
-
Ethics. So,
-
you have to practice the standard at
-
a minimum.
-
Okay, that’s the reason I said reading
-
the standard is important
-
for you guys because that’s the minimum
-
requirement of an auditor.
-
Okay, yes, you can also read the guideline,
-
which will basically
-
help you implement that standard in
-
your job practices.
-
Okay. Now, then, management and other
-
interested parties have
-
professional expectations concerning the
-
work of practitioners.
-
Now, you also have to understand that as
-
an auditor,
-
you work with other experts in an
-
organization.
-
For example, an auditor
-
also works with IT people.
-
For IT, there are specific audits--
-
that's what information system auditors
-
are. Then, there are
-
network people and network
-
audits,
-
software audits, and
-
then there are
-
information security audits. So, as
-
an auditor, whatever
-
your expertise is, you also work with
-
other auditors
-
or take the expertise of
-
other auditors
-
during your job. Okay,
-
so this particular standard also
-
talks about that--that’s how to take the
-
work of other practitioners in your
-
job, okay, in your auditing.
-
Okay, now, you
-
may not be a network expert. If you are not a network expert,
-
how would you audit a network?
-
You will take the expert’s
-
opinion--someone who has
-
expertise in the network field--
-
so you take their results to
-
basically
-
fulfill your auditing assignment. Okay.
-
So,
-
this particular standard also talks
-
about that. Then, it also
-
helps. Basically, this is also a
-
requirement from CISA.
-
Okay. As a CISA designation holder, you must be
-
aware of the
-
requirements of this. Okay, so
-
holders of the CISA designation have
-
their professional
-
performance requirements, which
-
are
-
also mentioned here. If you want, I can
-
specifically go to
-
that document and tell you where it is
-
mentioned.
-
So, if you see here, you know, the
-
proficiency of an auditor
-
is also something that’s an important
-
parameter. Okay, now using the work of
-
other experts--that’s what I was talking
-
about.
-
Okay, 1206:
-
clause 1206 talks about
-
using the work of other experts. Now, I
-
will also go to the Code of Professional
-
Ethics.
-
So, these are the seven codes of
-
professional ethics,
-
which every auditor must be aware of.
-
That’s what
-
you also sign when you go for
-
certification after the exam.
-
Okay, these are the seven principles, I
-
would say,
-
or ethical statements that you must
-
comply with.
-
Okay, if you are found not adhering to
-
any of the seven principles,
-
there is a possibility of getting your
-
certification revoked.
-
There is also a disciplinary
-
process from ISACA
-
against the CISA certification. Okay, I
-
will go to that
-
later in the presentation as well.
-
Okay, I will move forward now. The
-
framework, which has
-
already been talked about--ITAF, ISACA's
-
audit and assurance standards framework.
-
The framework of ISACA provides
-
multiple
-
levels of documents. It talks about
-
the standard. Okay, and I talked
-
about the guideline.
-
Okay, so the standard defines mandatory
-
requirements for IS audit assurance and
-
reporting.
-
Okay, then there are guidelines. I
-
told you that guidelines provide guidance in applying
-
the standard.
-
Okay, as an auditor, you should consider
-
them in determining how to achieve
-
and implement this particular
-
standard. Use
-
professional judgment here, okay,
-
in their application.
-
Now, professional judgment:
-
when the word "judgment" comes,
-
it is not mandatory. It is
-
discretionary, I would say.
-
Okay, when you say judgment, it
-
becomes discretionary, okay, in its
-
application,
-
and you must be prepared to justify any departure
-
from the standard.
-
Okay, there is a possibility of
-
exceptions.
-
Okay, there is always a possibility of exceptions,
-
and then there has to be an
-
exception process around it
-
when you're applying that standard.
-
You must be able to justify those
-
exceptions from the standard as well. So, a
-
standard is not law.
-
Okay, so it's not something that
-
you will be
-
prosecuted for not following. Okay?
-
But
-
if you have an exception, you must justify it,
-
which is good for
-
the overall practice of auditing.
-
Then, there are tools and techniques
-
that provide examples of processes that
-
the IS auditor
-
might follow in an audit. Okay, and that’s
-
also
-
basically mentioned here. Tools and
-
techniques documents provide
-
information on how to meet the standard
-
when completing IS audit work,
-
but do not set the requirements. Okay,
-
and the requirements are again linked to
-
these standards. Okay. So, if you see, it
-
doesn't:
-
here it talks about mandatory
-
requirements, but these tools
-
do not set the requirements. Okay.
-
They never set the requirements. So, as I
-
said, the
-
general principles apply to the conduct of
-
all assignments,
-
and deal with ethics,
-
independence, objectivity, and
-
due care as well as knowledge, competency,
-
and skill.
-
Okay, when you talk about performance, it
-
is about conducting.
-
Okay. It talks about planning,
-
supervision, scoping, risk, and materiality.
-
What is materiality, guys?
-
Materiality means the importance of the
-
effect
-
of that area. Okay, now,
-
whenever we look at materiality,
-
it is basically the quality
-
of
-
the practice or the
-
transaction or the amount that we are
-
looking at. For example,
-
for a big organization like
-
PwC, a loss of one thousand dollars is
-
not material. Okay. But for them, a
-
one million dollar loss is
-
significant. Okay, so materiality is the
-
importance of that particular,
-
you know, loss or transaction. We
-
use this in auditing a lot because
-
we are trying to capture the
-
most significant
-
things first from an information
-
systems perspective.
-
Okay, for example, we're looking at the
-
most important application of an
-
organization,
-
which can affect their
-
business operations.
-
So, always look for the material
-
things. Always look for
-
the most important things for an
-
organization.
-
Okay, for example, if I go for a
-
bank audit,
-
I go in asking, "What is the card
-
doing?" You know,
-
I'm not looking at the core banking
-
system (CBS); I'm looking at a process in
-
HR, for example,
-
which every bank has. But I
-
should be looking at
-
the most important thing, which is the CBS,
-
the core banking system.
-
Okay, so as an auditor, you look for
-
the most material things, the
-
most important things to the organization when
-
you are doing the audit.
-
Okay, so scoping, risk, and materiality.
-
Okay, the importance of that
-
area is very important. I hope
-
I was able to give that answer. Okay, and
-
then resources.
-
We also talk about
-
resources because, as I said,
-
every organization has limited resources.
-
So, how you utilize the resources to the
-
maximum extent is crucial.
-
Mobilization of the auditors is also important--because,
-
again, limited resources--you have to
-
mobilize
-
effectively, in terms of
-
logistics, etc.
-
Supervision: Supervision of the
-
auditors is very important
-
in terms of the
-
quality of the audit and
-
assignment management. Big auditing
-
firms like EY,
-
PwC, and Deloitte
-
understand this,
-
you know, in terms of assignment
-
management. We have audits
-
every year, we have surveillance audits, we
-
have recertification
-
audits every three years, etc. All
-
that assignment management is also very
-
important. Then, audit and assurance
-
evidence.
-
Evidence collection, storing
-
that evidence,
-
proving the quality of the evidence--
-
everything is very important here. So,
-
in the performance category, we will look
-
at all those things.
-
Then, the third category is reporting.
-
Okay,
-
so these three categories among the
-
categories of standards and guidelines--
-
reporting is very important in terms of
-
types of reports,
-
means of communication, and the
-
information that is communicated.
-
All three are very important.
-
And reporting also, as I said earlier,
-
would depend on the type of arrangement
-
or the type of audit it is.
-
Audit and assurance guidelines: We
-
talked about
-
the standard. The guideline basically
-
helps you consider and
-
determine how to implement
-
these ISACA standards.
-
It also helps, as I said, by using professional
-
judgment in applying them. You should
-
be able to justify any departure from
-
ISACA or international standards.
-
Now, as we discussed, the Code of Professional
-
Ethics is very important,
-
and we must understand that these seven
-
principles must be followed. We will discuss these in detail.
-
So, these are the three, and
-
we have two more.
-
These are the total of seven codes of
-
professional ethics.
-
I would like to discuss them from the
-
standard itself because that
-
gives a better perspective. Okay,
-
same here.
-
Now, ISACA's Code of Professional
-
Ethics is
-
for its members and certification
-
holders. So,
-
members and certification holders
-
shall support the implementation. So,
-
as an auditor, you are not there on
-
a fault-finding mission.
-
Okay, you are there to
-
verify and check,
-
show the faults, but ultimately, you are
-
there to help them implement
-
and encourage
-
compliance with the standards.
-
Okay, so you should support the
-
implementation of and encourage compliance
-
with appropriate standards and
-
procedures
-
for the effective governance and management
-
of information systems,
-
including audit control, security, and
-
risk management. Okay,
-
then the second is to perform duties
-
with objectivity.
-
Now, when you talk about objectivity,
-
you are also talking about materiality.
-
Okay. As I said,
-
objectivity means you are there to assess
-
certain things, and you should have the audit
-
objective in your mind.
-
For example, if I’m going for an
-
information security
-
audit, I must be sure of
-
what I’m checking. Okay, I should
-
have an audit objective that I
-
would be checking this particular
-
information system while looking for
-
these things. Okay. So from an objectivity
-
perspective,
-
you know you should perform your
-
duties. Okay.
-
Now, you might go for a network audit, and
-
you're looking for faults in the network. You
-
might go for a software audit, where you're
-
looking for
-
anomalies in the software. Okay. If you're
-
going for
-
a penetration audit or a VAPT (Vulnerability Assessment
-
and Penetration Testing), you're looking for
-
various anomalies in the system.
-
Okay, so the objective of the
-
audit should be clear.
-
Also, from the organization’s
-
perspective, it must be clear to
-
the person who has given you the
-
assignment.
-
What the stakeholder is trying to
-
achieve through this audit should be understood.
-
For example, many organizations do ISO
-
27001
-
to win tenders, for
-
brand reputation, or also
-
to ensure they are
-
compliant with
-
the
-
industry guidelines,
-
okay, etc. So the objectivity should be
-
very much
-
clear. Then, due diligence. Due diligence means
-
you have to be very careful
-
when you are doing the audit and when you
-
perform your duties.
-
You should not be influenced by
-
people. Due diligence is about
-
independence.
-
You should not be
-
influenced by people; you should not take
-
bribes, etc. Due diligence is
-
not only about
-
taking bribes but also about
-
not getting influenced
-
for any reason. Okay.
-
Then, professional care. Again, this is
-
also about
-
ensuring that
-
you are professional in your
-
approach, and also
-
that your work is in accordance with the
-
professional standards that have been
-
outlined in the standards document.
-
Always serve in the interest of the
-
stakeholders in a lawful manner,
-
while maintaining high standards of
-
conduct and character, not discrediting
-
their profession or association. Okay,
-
maintaining privacy and confidentiality is
-
very important.
-
Okay, you might be dealing with a lot of
-
confidential information of the
-
organization.
-
Okay, so you should always ensure confidentiality,
-
generally through NDAs, etc. However, I don't believe
-
those are very effective mechanisms.
-
People may say they have an NDA with you,
-
but that does not mean
-
someone should give you access to
-
all the information. An NDA is
-
not a good mechanism in an
-
organization.
-
Then, maintain competency in your
-
respective fields.
-
Okay, you are competent in information
-
security already,
-
you're competent in networking, so
-
always try to achieve expertise in
-
whatever area
-
you are working in, okay? And agree to
-
undertake only
-
those activities that you can reasonably
-
expect to complete with the necessary skills,
-
knowledge, and competence. Now, I do not do
-
a network audit, I don't do a software
-
audit, I do not do,
-
you know, penetration testing audits, okay?
-
Or,
-
you know, availability audits, as we
-
call them.
-
So, I do information security
-
audits from a compliance perspective. I'm a
-
compliance person, okay? I don't take
-
those assignments which I’m not
-
competent
-
enough for, okay? Because that would not
-
justify
-
my job. Then, inform the
-
appropriate parties of the results of
-
the work performed, including disclosure
-
of all
-
facts, if not disclosed, which may distort
-
the reporting of the results.
-
Then the last one is to support the
-
professional education of stakeholders,
-
enhancing their understanding of the
-
governance and management of enterprise
-
information systems technology, including
-
audit control, security, and risk
-
management.
-
Now, also, you are supporting the
-
stakeholders and increasing their
-
knowledge about their systems.
-
Now, stakeholders invest money in
-
their
-
systems, okay? They are asking you
-
also to
-
come and audit them, so you
-
should always,
-
you know, make them more aware of their
-
information systems. You should
-
also make them aware of the faults
-
in their
-
information systems and how those faults
-
can affect their businesses.
-
Okay, so these are the seven, what we
-
call
-
the code of professional
-
ethics, that the auditor
-
must follow. Okay, we've gone through
-
these three
-
slides, getting to ITAF again. So, again,
-
this particular domain
-
itself is a description of ITAF.
-
Okay, so ITAF is a comprehensive,
-
good-practice-setting framework model.
-
Okay, it establishes the standards, it
-
defines the terms and concepts,
-
concepts of IS assurance. Now, I have
-
not discussed this
-
term, which is "assurance," and I would like to
-
know what’s your perspective on
-
the word "assurance." How do we define
-
assurance? So,
-
assurance is basically a promise or a
-
guarantee
-
or a trust that we have in the system.
-
For example, if you're sitting on a
-
roller coaster,
-
and you are on a dangerous roller coaster,
-
you are actually
-
having assurance that you will come back
-
alive,
-
you know, from that. So, that's the reason
-
you're sitting on that.
-
Okay, so it's kind of a trust you have in
-
that
-
system, okay, that this would perform
-
as per the
-
standards, and you have
-
confidence in that system.
-
So, this is very important
-
when you talk about
-
air traffic control systems. You know,
-
you're sitting in an airplane,
-
and you are believing that the air
-
traffic control system
-
is working as per the proper
-
guidelines.
-
Okay, so that's how, you know,
-
sometimes it is that critical as well.
-
And also, sometimes, you know, it's not
-
that critical. You know, when you are
-
talking about, for example, banking, it is
-
critical. It is
-
critical for air traffic control. It is
-
critical for critical infrastructures.
-
For all the critical
-
infrastructures, it is critical. But, for
-
example, for a small
-
organization, it may not be that
-
critical.
-
Okay, so all that would depend on
-
the materiality
-
of the area. Okay. So, assurance is
-
that. So, I was just getting to the
-
definition only. I will come to the
-
dependencies and resilience part later
-
in the other domains as well. Then ITAF
-
also provides guidance and tools and
-
techniques on the planning, design,
-
conduct, and reporting of IS audit
-
and assurance assignments. So, audit is
-
basically a part of that.
-
Audit is also a
-
mechanism
-
where we try to get a certain level of
-
assurance.
-
Okay, now, we don't get a guarantee from
-
the audit.
-
Okay, it doesn't say
-
that you have zero faults in a system.
-
Okay, audit is just one, you know,
-
kind of a level playing field assurance
-
perspective. Okay,
-
so audit is just a mechanism for getting
-
assurance.
-
Okay, then we go to business processes we
-
are aware of.
-
We’ll go through this quickly because we are
-
aware of the business processes.
-
But from an auditor’s perspective, when
-
you’re going for the audit, you must
-
do some
-
research in terms of
-
what kind of business processes that
-
organization
-
is dealing with, and if you get an
-
understanding of that
-
process, it would be easy for you to
-
audit that.
-
You may not have a
-
complete understanding; obviously, you
-
will interview people,
-
and then you would not have the complete
-
understanding. But,
-
for example, HR--what does HR do,
-
which is basically,
-
you know, hire people, talent management,
-
payroll,
-
training and development, etc.
-
So, you should be
-
aware of that. You should understand
-
and evaluate business processes.
-
Okay, test and evaluate operational
-
controls
-
there, and then identify the controls
-
such as policies, procedures, practices,
-
and organizational structures.
-
Okay, do you think organizational
-
structure is a control, and why do you
-
think organizational structure is a
-
control?
-
I… Policies are the high-level intent of the
-
organization.
-
Okay, procedures are also controls. Okay,
-
why procedures? The policies are very
-
important because
-
if the high-level intent is not there,
-
okay, for example, if an organization doesn't
-
have an information security policy,
-
and stakeholders are not endorsing
-
information security as an important
-
enabler to their organization, then you
-
cannot do anything. Okay, you will not
-
have any control. So,
-
first and foremost, policies are
-
important because those are the high-level
-
intent of the organization.
-
Then, procedures are important. Okay,
-
procedures will tell you the day-to-day,
-
you know, activities which you have to
-
perform, okay, and how to perform those
-
activities--basically step-by-step
-
directions. Okay, then you have
-
practices.
-
Now, practices are best practices. Now,
-
those are guidelines. Okay, those are like,
-
"This
-
is the best way to do it," okay?
-
Or,
-
"These are things that you must take care
-
of while doing it."
-
Okay? You may or may not take care
-
of that, but
-
those are helping. Then, organizational
-
structures are also a control.
-
How do you think organizational
-
structure is a control? How does it help
-
as a control? For segregation of duties,
-
job descriptions are
-
segregated. Okay, so organizational
-
structure is a control because it helps
-
in decision-making.
-
Okay, so basically, organizational structures
-
have segregation of duties. So,
-
it is more important from that
-
perspective.
-
I mean, so this is like you are
-
defining a job description
-
of a person. Okay, based on the job,
-
he’s been assigned certain things. Okay,
-
and that control should be there that
-
there’s a maker and a checker.
-
Okay, that’s the reason organizational
-
structures are important. Okay, it would
-
reduce the risk. So,
-
So, as I was saying, when you talk about
-
controls, they are trying to reduce or
-
mitigate the risk.
-
Okay, so from a segregation of duties
-
perspective,
-
it is very important because segregation
-
of duties is a control
-
that basically reduces the
-
risk of any errors, faults, frauds,
-
etc. For this, in this section, we
-
will also talk about the
-
internal audit function. Okay, the internal
-
function, in the sense of how an
-
internal
-
function is different from the
-
external audit, okay,
-
or the other functions; then management
-
of the IS audit function;
-
okay, the planning of the audit;
-
the effect of laws and regulations on IS
-
audit planning;
-
business processes, applications, and so on.
-
Internal functions--so, as an auditor,
-
as an internal auditor,
-
you should
-
establish your audit charter first. Now,
-
what is an audit charter? An audit charter
-
talks about the responsibility, the
-
accountability, and
-
the scope of an audit, okay? And
-
it must be approved by the board of
-
directors and the audit committee.
-
Okay, so if we go to the audit charter
-
definition
-
in the Sarbanes-Oxley guideline or in
-
ITAF, you know, so if you see here,
-
in the audit charter, it talks about the
-
purpose.
-
Sorry, it talks about the
-
audit charter indicating the purpose,
-
the responsibility, authority, and
-
accountability.
-
Okay, so it has four things. You have to
-
remember this.
-
Four things,
-
which are the purpose,
-
responsibility, authority, and
-
accountability. Okay, these are the four
-
things that
-
the audit charter must have. Okay, the
-
purpose of the audit,
-
the responsibility
-
of conducting that audit, the authority
-
(who initiated this audit or who
-
the audit results would be communicated
-
to),
-
and the accountability, okay? The
-
audit function should be
-
established by the audit charter,
-
which has to be approved by the
-
board of directors and the audit
-
committee.
-
Now, sometimes the board of directors
-
also has, you know,
-
another committee which
-
represents the audit.
-
Okay, that's what the audit committee is
-
about. Okay.
-
Now, the audit charter is an overarching
-
document that covers the entire scope of
-
audit activities in
-
an entity, while the engagement letter is
-
more focused on a particular audit
-
exercise.
-
Now, sometimes we have, you know, one
-
audit charter in which you have the
-
complete plan
-
of the audit of the whole organization,
-
whereas the engagement letter is
-
specific to a certain function. Okay, for
-
example, you're going for a network audit,
-
so there's an engagement you have done with,
-
say, EY. For example,
-
now you will sign an engagement letter
-
with that organization,
-
and it is basically focused. Okay, and you
-
have certain
-
time limits, etc. It’s more focused
-
on a particular audit exercise that is
-
sought to be initiated in an
-
organization with a specific objective
-
in mind. For example,
-
as I said, a network audit or
-
information security compliance audit,
-
etc. From the definition, this is
-
also clear here.
-
If you see, the charter should clarify
-
the
-
management’s responsibility and
-
objectives for delegation of authority
-
to the IS audit function. Okay, so the charter
-
should clearly state
-
the responsibility, the objectives or the
-
purpose, and
-
the authority of the audit function.
-
Why do you think
-
auditors also require authority
-
from the board of directors when asking
-
questions in
-
an area that they are
-
auditing? People may ask you,
-
"Who are you?" "Why do you ask
-
these questions?" etc.
-
Those are basic questions when you go
-
to interview anyone.
-
Okay, so the
-
audit charter is a document that you
-
can
-
show as a warrant, you know, that
-
you have the authority to
-
basically audit them, and this has
-
been
-
asked by the highest authority of
-
your organization, which is the board of
-
directors. That’s the reason the
-
charter has the authority as well, so
-
that
-
you have the senior management or top
-
management’s
-
approval on asking questions
-
to the area or to the function. Okay,
-
that’s the reason authority is very
-
important.
-
Now, management of the IS audit function: managing the IS auditing function should ensure value-added contributions to senior management. Again, if they're giving you the authority to audit, they are doing it for a reason: they also want you to tell them the causes in their organization, what areas need improvement, and how to improve. You are basically building their assurance on the organization's IT infrastructure. So if you're telling them these are the areas of improvement in your organization, if you're giving them findings, it will help them improve the overall operations and efficiency of their organization. So, as an auditor, you should ensure value-added contributions to senior management in the efficient management of IT and the achievement of business operations. When you give them findings, they would act upon them, and that would also help them achieve their business objectives appropriately.
Okay, now the first step is planning. When you're planning for an audit, adequate planning is very important. The Japanese say that 70% of the time you spend on planning. That's very important because all the major... I'm doing an implementation assignment, and I know this very well, deep from my heart, how important the planning part is, how important the audit plan is. If you fail in planning properly, you mess up the whole thing. Okay, so plan an audit.
The following tasks must be completed: list all the processes. I mean, the scope has to be very clear when you're going for an audit. So you list all the processes and get the scope approved for the audit. Then you evaluate each process by performing a qualitative risk assessment. For example, I have four departments to audit. The scope is clear; I have four departments. Now, whom to start with? That is also very, very important. Again, the concept of materiality is very important. So you will do a qualitative or a quantitative risk assessment. Now, this risk assessment is not the detailed risk assessment that we do for information security. This is a kind of high-level assessment in which you try to understand which are the critical areas of the organization. For example, you have four applications to audit: one, two, three, four. And you say, "Okay, how would you check which application is important?" You look at the number of users. Which applications do you use? So you will check the number of users; this is easy for any organization to give you. You will also do a risk assessment on the type of data that the application is storing, how that application operates, and which processes that application supports. You will assess which business operations it is supporting. So this is the kind of high-level risk assessment you will do. Why are you doing this? Again, it's materiality. You're doing this to evaluate whether you are capturing the maximum risk in an organization. So, evaluate each process by performing a qualitative and quantitative risk assessment. These evaluations should be based on objective criteria, like I just mentioned: I gave you some examples of objective criteria for applications. Similarly, you can apply this to business processes or different departments as well, from a high-level perspective. So then our goal is to define the overall risk of each process, and then construct an audit plan to include all the processes that are rated high. This would represent the ideal audit plan, and that's what we call a risk-based audit strategy or risk-based audit plan. Okay, basically, we call it a strategy.
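The ranking just described, scoring each in-scope item on objective criteria and building the plan from the high-rated ones, can be written down as a small planner. The block below is an added example and is not part of the lecture or of any ISACA material: the criteria weights, the rating thresholds, the `Auditable` type and the sample scope are all assumed, constructed values. It also covers the resource-constraint case raised later in the session, where the approved plan cannot be completed and the high-risk areas are kept while the rest is reported as deferred.

```python
"""Risk-based audit planning: score every in-scope item on objective
criteria, rate it, and build the plan from the high-rated items.

Added example; criteria weights, thresholds and sample data are assumed.
"""
from dataclasses import dataclass

# Assumed weights. The lecture names number of users, type of data stored
# and processes supported as objective criteria; the weights and the
# control-issue criterion are this example's own choice.
WEIGHTS = {
    "users": 1.0,                 # how many people use the system
    "data_sensitivity": 2.0,      # type of data it stores
    "business_criticality": 2.0,  # business operations it supports
    "control_issues": 1.5,        # recent incidents, fraud, known control gaps
}
LEVELS = {"low": 1, "medium": 2, "high": 3}
MAX_SCORE = sum(3 * w for w in WEIGHTS.values())  # 19.5 with the weights above


@dataclass
class Auditable:
    name: str
    ratings: dict      # criterion -> "low" | "medium" | "high"
    effort_days: int   # auditor-days the review would need


def risk_score(item: Auditable) -> float:
    """Weighted qualitative score. Every criterion must be rated explicitly;
    a missing or unknown rating is an error, never silently treated as low."""
    missing = set(WEIGHTS) - set(item.ratings)
    unknown = set(item.ratings) - set(WEIGHTS)
    if missing or unknown:
        raise ValueError(
            f"{item.name}: missing={sorted(missing)} unknown={sorted(unknown)}")
    return sum(w * LEVELS[item.ratings[c]] for c, w in WEIGHTS.items())


def risk_rating(score: float) -> str:
    """Map the score onto high/medium/low. Thresholds are assumed."""
    share = score / MAX_SCORE
    if share >= 0.70:
        return "high"
    if share >= 0.45:
        return "medium"
    return "low"


def build_plan(items, budget_days=None):
    """The ideal plan contains every item rated high, riskiest first.
    With a resource constraint (budget_days), keep the highest-risk items
    that fit and report the rest as deferred, so the shortfall can be
    stated in the audit report rather than quietly dropped."""
    ranked = sorted(items, key=risk_score, reverse=True)
    ideal = [i for i in ranked if risk_rating(risk_score(i)) == "high"]
    if budget_days is None:
        return {"planned": [i.name for i in ideal], "deferred": []}
    planned, deferred, used = [], [], 0
    for item in ideal:
        if used + item.effort_days <= budget_days:
            planned.append(item.name)
            used += item.effort_days
        else:
            deferred.append(item.name)
    return {"planned": planned, "deferred": deferred}


# Constructed sample scope (not real systems).
SAMPLE_SCOPE = [
    Auditable("core_banking", {"users": "high", "data_sensitivity": "high",
                               "business_criticality": "high", "control_issues": "medium"}, 10),
    Auditable("hr_portal", {"users": "medium", "data_sensitivity": "high",
                            "business_criticality": "medium", "control_issues": "high"}, 6),
    Auditable("network_mgmt", {"users": "low", "data_sensitivity": "medium",
                               "business_criticality": "high", "control_issues": "medium"}, 5),
    Auditable("treasury_new", {"users": "low", "data_sensitivity": "high",
                               "business_criticality": "medium", "control_issues": "low"}, 4),
    Auditable("cafeteria_menu", {"users": "high", "data_sensitivity": "low",
                                 "business_criticality": "low", "control_issues": "low"}, 1),
]

if __name__ == "__main__":
    for item in sorted(SAMPLE_SCOPE, key=risk_score, reverse=True):
        print(f"{item.name:15} {risk_score(item):5.1f} {risk_rating(risk_score(item))}")
    print("ideal plan:  ", build_plan(SAMPLE_SCOPE))
    print("with 12 days:", build_plan(SAMPLE_SCOPE, budget_days=12))
```

Note what the sample shows: the cafeteria application has the most users yet rates low, because user count is only one criterion, while the HR portal with recent control issues rates high; and under a 12-day budget the planner keeps only the riskiest item and lists the others as deferred rather than pretending the approved plan was completed.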
So, risk-based audit strategy. Now, when to audit, that's also a question. Why we have this question is because, again, it depends on the criticality of the processes. So there is short-term audit planning and there is long-term audit planning. In short-term audit planning, you have short, frequent audits, and the periodicity reduces. In long-term audit planning, you have a higher periodicity. Short-term planning covers all the audit issues that will be covered during the year. For example, you have to conduct surveillance audits every year; that is the short term. Okay. The long-term plan takes into account all the resolutions. For example, there's a department which is slowly improving. That department is not very mature yet, so you might go for a long-term audit here: you assess some areas of that department, give them time to mature, and then audit other areas of the department. Similarly, it's a phased approach in long-term planning. And that would also depend on the IT strategic direction of the organization. For example, I was working in a bank in the UAE, and they had a new area of banking, for example, treasury. I don't remember the name of that area exactly, but say, treasury. They were trying to have another area of business for themselves. Now, that department had just begun. That area of business had just been initiated. Obviously, they would not have 100% of the processes, the same processes that a bank normally has. They were trying to have one or two processes in place for the new customers, and then they would mature over time. So, if I go on the first day, or maybe in the first year, and say, "Okay, show me all the processes," and start finding faults in them, it may not be very fruitful for that particular area of business. You will have a lot of findings that they cannot address immediately. So you will take a long-term approach. This depends on the IT strategic direction of the organization.
Now, an audit can also be triggered when there is a control issue. For example, if there's a new issue coming up, or there are a lot of incidents happening in HR, such as data breaches, etc.; if there are control issues, the board of directors will take a decision: okay, now we must audit this HR department and try to assess the gaps in that department. So new control issues can also trigger an audit. Fraud can trigger an audit as well. Also, there can be a change in the risk environment: you acquire a new organization, or you merge, you have mergers and acquisitions. That could also change things, so the risk environment has changed. As I mentioned, technology has changed; all the business processes have changed drastically. That can also trigger an audit. Okay, so these are the steps for having the audit.
Okay. Just quickly naming them: first and foremost, gain an understanding of the business process mission of that organization. What is the mission? The mission is what the operation does. For example, in banking, the organization deals with money: they create accounts, manage people's money, etc. You should understand the mission of the organization. You should understand the objectives that top management has decided should be the objectives. You should understand the purpose of that organization and how it helps its stakeholders; basically, I would not say stakeholders, but customers, suppliers, and internal employees. So that's important. And the processes, okay? Then, understanding the business environment of the auditee. What is the auditee? Basically, the organization you are auditing. You are the auditor, and the other organization is the auditee. Sometimes the auditee can also be another party. You must understand that the auditee can be another organization that is asking you to audit their organization, the one who has given you the assignment. Then, review prior work papers. Prior work papers are basically a kind of checklist. If you have certain questions for the auditee or the auditee's management, you ask them certain questions or request certain documentation to understand their organization. That is, basically, the review of work papers. Then, identify the stated contents. The work papers are basically your stated contents: policies, standards, guidelines, procedures, and organizational structure. You study them. Then you perform a risk analysis to help design the audit plan. Based on the work papers and the organizational structure, you will understand what the various important aspects of the organization are, and you perform a risk assessment or risk analysis. Then you prepare an audit plan. Based on the audit plan, you will define the audit scope and the audit objectives. You develop the audit approach and audit strategy. Then assign resources, the auditors, to different areas. And then, finally, you will address the engagement logistics. So those are the planning steps. Now, after planning, you will move on to conducting the audit. We will get to that.
Okay, so the audit plan should take into consideration the objectives of the audit, the relevance to the audit area, its technology infrastructure, and the business strategy direction. You should have a better understanding, as I said, through the work papers, which include your background material, publications, industry reports, independent financial analysis reports, etc. Now, reviewing prior audit reports: as an auditor, you can also ask for prior audit reports. For example, if you're going for an audit, you can ask for the previous year's audit report. Reviewing the business and IT long-term strategic plans: materiality could be based on that. Additional considerations: interview key managers to understand their business issues, and the key regulations specific to IT. There are many regulations nowadays, as we said earlier, such as the RBI for banking, TRAI for telecom, NPCI for payment gateways, etc. The identification of IT functions or related activities that have been outsourced is very important in these times. Every organization has certain outsourcing or third-party collaborations. I was auditing a payments bank recently, and every department had something that is outsourced: for example, the creative department, the marketing department, etc. For campaign development, they sign agreements with other parties. Now, there's a lot of exchange of confidential information between you and your third party, so these kinds of arrangements also need to be checked. What do you share with them? To cut this short, outsourcing is an important aspect that auditors must look into: what kind of arrangement is there with the third party.
Lastly, when considering the organization's facilities, we conduct a walkthrough. We call it a "walkthrough." This is an important aspect when we look at the physical security of an organization, particularly in terms of information security. We go and tour the facility of the organization, trying to assess the awareness of the people. We try to assess what kind of controls they have in terms of physical security, physical and environmental security, etc. Also, touring the organization's facility will sometimes give you an insight into the culture of the organization. So, as an auditor, you must also match the available audit resources, such as staff, with the tasks defined in the audit plan. Since you have limited resources and a certain number of auditors, tasks will be assigned to the various auditors according to the audit plan. Now, certain laws and regulations we were discussing earlier: ISPs, banks, and other service providers are closely regulated.
These legal regulations may pertain to financial, operational, and IS functions. There is legal or financial regulation, for example general SOX compliance; that is basically financial regulation, particularly for U.S. companies. Many companies working globally must be SOX compliant, so you need to consider that as well. And then operational regulations exist, such as the RBI, BCI. These are operational regulations. Then there are IS function regulations. For example, the RBI requires that every year you get audited by a CISA and submit the CISA report to the RBI, whether it is the Bank of India or not. So that kind of regulation exists as well. You must submit audit reports to the regulatory body every year as they demand. Sometimes they may not want it every year, but they will demand an audit and then they will ask for a report. Okay. Now, there are two areas of concern that impact the audit scope and objectives. One is the legal requirement placed on the audit, as I said, which I gave you an example of. Then there are legal concerns based on the audit, the systems, data management, reporting, etc. Now...
The audit role in compliance is to determine the organization's level of compliance. The auditor must identify those government or other relevant external requirements. However, it's not the responsibility of the auditor to go through the various regulations, because that's the job of the compliance department within the organization. For example, if I am in telecom, I should be aware of the various telecom regulations I need to follow. So you will gather those regulations and ensure you are aware of them. Then you will also assess whether the organization is maintaining the level of compliance. So basically, the auditor should request a legal plan, a compliance plan, or a process SOP document which the organization maintains to ensure compliance with all regulations and external requirements. The auditor will check whether they are fulfilling that. Now, the auditor may question the compliance plan itself. In this case, say the compliance plan is not adequate; then obviously the compliance level is very doubtful. As an auditor, you must assess both the compliance plan of the organization and the level of compliance.
Okay. Next, identify those government or other relevant requirements dealing with electronic data, personal data, copyrights, e-commerce, e-signatures, etc. Computer system practices and controls must also be considered; for example, we have the IT Act of 2008 for this. Then, consider the manner in which computer programs and data are stored. Many countries have retention policies. For example, in India, the retention policy is seven years for logs, so you need to find out what kind of retention requirements exist, and you have to follow that. Every country has its own. Then, consider the organization of the IT services or their activities. Then you have the IS audits as well. You must assess the requirements for IS audits. For example, if you are maintaining an ISO 27001 certification, you must go for a surveillance audit every year and then go for a re-certification audit. You need to see what kind of arrangement is in place and what kind of audit cycles the organization requires. If you don't conduct a surveillance audit, your certification is invalid, for ISO 27001 or any of the ISO standards. Basically, now I have outlined the steps for determining organizational compliance. So you must document the applicable laws, as I said. Every organization documents the applicable laws and regulations. Then assess whether management and the IT function have considered them, and have considered the relevant external requirements in their plans.
Okay, now external requirements are sometimes contractual obligations. You have contractual obligations towards a third party, mostly towards the customer. You are an organization in telecom, and you have certain requirements towards, for example, providing telecom products. You have specific requirements regarding the availability of that product for that customer in terms of services, such as the service level agreement. So you must also assess what the relevant external requirements are. Then, obviously, those requirements in their plans, policies, standards, and procedures, as well as business application features. That's what I said about the service level agreements. Then, review the internal IT department's function activity document that addresses adherence to the laws applicable to the industry. Determine adherence to the procedures that address these requirements, because the procedures should support the laws and obligations. So, for example, if the procedure says that backup should be conducted, but the law says you should have a retention of seven years; the law says that you have a retention of seven years, but you don't have a backup mechanism based on that, or you delete the data every three years, delete the backup every three years. Then your procedures should... the backup procedure should basically support your retention policy or the retention law of that country. Okay, then determine if there are procedures in place to ensure contracts or agreements with external IT service providers reflect any legal requirements related to responsibilities.
Now, sometimes what happens is that you have a contractual obligation to maintain a certificate, such as ISO, or you have to maintain PCI DSS (Payment Card Industry Data Security Standard) compliance. So you also have to check whether those external IT service providers are combining it with the legal requirement. Let me give you an example. If you're a telecom provider, you must follow the regulatory guidelines for a particular license in telecom; for example, you require an ISO 27001 certificate. If you are a wallet provider like Paytm, you must follow the NPCI guidelines, and you also need to comply. So it becomes a legal requirement for you; it is binding because NPCI is a statutory organization which is bound by the Government of India, and then it becomes a law or a legal requirement for an organization. So it becomes a legal requirement for them to fulfill. It is not just a non-statutory requirement for them; it's a statutory requirement for them to fulfill.
Okay. Now we'll move on to business processes, applications, and controls. In an integrated application environment, our controls are embedded and designed into the business applications. As you are aware, we use, for example, banking applications like C, and for the banking sector we use systems like Oracle, for example, in telecom, for various things, or we use SAP systems in our organizations. These are basically very integrated application environments in an organization. There are multiple supports and multiple processes around that application, and they're supporting multiple departments in an organization at the same time. So you must understand there are certain controls and assurance levels that organizations must adhere to. For that reason, there are assurance levels that are defined. For example, SAP is used by multiple departments for multiple purposes and for multiple processes in those departments. So you must understand that there are certain controls which we put in place to provide assurance to that activity. These controls are for providing those assurances; you need to have adequate controls. So there are three controls that can be embedded in the bigger application, so that you are providing adequate risk mitigation. Now, the three types of controls are management controls, program controls, and manual controls.
Okay. To effectively audit business application systems, the auditor must obtain a clear understanding of the applications under review. Also, when you are reviewing the application, as an auditor you are checking the adequacy of it. Now, there are different types of applications. For example, an e-commerce application, which is a larger application with multiple processes. You have electronic data interchange (EDI). Electronic data interchange is basically, you know, SCADA systems or systems that provide inputs to another system; that kind of electronic data interchange. These electronic data interchanges are sometimes inter-organization, inter-department, etc. Then there are email systems; point-of-sale (POS) systems, which are basically used in retail, with multiple processes in them: the cost, the billing section, your purchase, your purchase return, your procurement, etc. Then you have electronic banking, electronic finance. Then you have payment systems, electronic funds transfer (EFT) or ATMs, supply chain management, purchase accounting systems, integrated manufacturing systems, and industrial control systems (ICS) like air traffic control, SCADA, etc. Interactive voice response (IVR) systems: generally, when we call support, it goes to IVR, so that kind of system is there, along with image processing systems, AI, DSS, and customer relationship management.
Okay, moving on to using the services of other auditors. Now, using service auditors or experts, or maybe auditors in the sense of... maybe you're auditing a third party, and that third party is getting audited by another third party, whom you are relying on. Let me give you an example here. I am a bank. Okay. And I have a bank. PwC is auditing for me. Sorry, if I have asked PwC to audit my third party, this is the arrangement: I have partnered with PwC to audit a third party for me. The auditor, or the customer, wants to look at the reports to see how my bank is performing. Now, I would be showing a PwC report of the third party, i.e., the subcontractor. From a customer perspective, I want to look at how the bank is complying and how much the bank's suppliers are complying. So my bank shares customer information with its suppliers as well. My bank would always say that I am protecting the information, but my information is not with the bank; my information is with the third party of the bank. So this kind of arrangement exists. Now, should I believe my bank's report, or should I believe the PwC report here? Basically, what I am saying is, I am a bank, and my customer wants to look at how I am protecting their information. But as a bank, I am also sharing the customer's information with the third party. I have asked PwC to audit that third party who is storing that information. Should the customer believe the bank's report or the PwC report? I could not trust the bank's report, because the bank will always say that it is protecting the information, but I would trust a third-party PwC report. As a customer, I am auditing a bank, and I ask the bank, "Who are you sharing my information with?" The bank would say, "I am sharing the information with a supplier or a vendor." Now, how do you ensure that the supplier is protecting my information? The bank would say, "I am getting the supplier audited by PwC every year, and that's how it is being protected." Yes, I would not believe what the bank says; I would believe the PwC report, which says that my information is protected by the third party. So that's how you understand the services of other auditors; that's how you basically use other auditors and experts. You look at their reports and substantiate your findings based on those reports.
Okay, so when using external and outside experts, consider the following: restrictions on outsourcing, as I discussed earlier. Outsourcing is the most important aspect when talking about using the services of other auditors. Restrictions on outsourcing audit and security services provided by laws and regulations, the audit charter, or contractual stipulations, and the impact on overall and specific audit objectives. These kinds of arrangements can also impact your audit objectives. Then, the impact on audit risk and professional liability. Now, there are a lot of agreements in terms of independence in organizations, and it's a very big, kind of confusing zone for many organizations in terms of independence. For example, PwC is also working for some organizations and is not allowed to audit them. For example, in India, PwC is not allowed to do financial audits due to certain frauds that happened three years ago. So that kind of liability is also present. Then there is the independence and objectivity of other auditors and experts. Independence is one of the important aspects for auditors and experts. Other factors include professional competence, qualifications, and experience. You should also consider the scope of work proposed to be outsourced and the approach. Then, supervisory and audit management controls. So these are the things we should consider when auditing while taking the services of other auditors and experts. Now,
this is a quick activity I want to do with you. You have been assigned to an integrated audit. What is an integrated audit? Just to cut short the discussion, an integrated audit is when you're auditing multiple areas. Sorry, not areas exactly, but multiple objectives. For example, you're doing a quality audit combined with an information security audit; that's an integrated audit. Or you're doing an information security audit combined with an operations audit; that's an integrated audit. So, you have been assigned to an integrated audit of finance and business operations areas. No, that's not an integrated audit; that's basically not what an integrated audit is. You're auditing two... you're checking for two different criteria. An audit criterion is, for example, quality, information security, operations, or finance. So you're looking at the quality of the system, you're also looking at the information security of the system, you're also looking at the operational effectiveness of the system, and you're also looking at the financial effectiveness of that system. Those four things together, that's an integrated audit. Yeah, so you have been assigned to an integrated audit of a payroll process and need to plan the IT audit portion of the engagement. What is the most important business process area that you need to consider in payroll to help you perform the audit? Would it be better to know the IS budget, or to know the CIO and CFO risk profile for the payroll process? So, what is the most important business process area that you need to consider here? Now, this is a question for you guys, okay? So, due to resource constraints of the team, the audit plan as originally approved cannot be completed. Assuming that the situation is communicated in the audit report, which course of action is most acceptable? So you will focus on auditing high-risk areas, because of the resource crunch. Coming to the next question: this is true, so you verify the software and its use through testing first. Okay, now this would be...
We'll try to complete this section, which is the types of controls, and this is a very easy section. So, basically, there are different types of controls by which you try to manage the risk, such as risk transfer and risk avoidance. Now, avoidance is different from elimination. Risk avoidance is basically when we don't take the risk. For example, there's a business unit that is not working properly and there's a lot of business risk involved; you shut down that business. That is avoiding the risk. For example, I'm going from point A to point B, and I plan to drive to point B by car. If I see a risk, like rain, I just decide not to go at all. That is called risk avoidance. Accepting the risk means you go ahead, and whatever rain comes, you will take the proper controls, but you will go. That is called risk acceptance. Mitigating means you put proper controls in place, and then you accept the risk. Then the third option is risk transfer. Now, there is no transfer option here, but generally insurance or other things, or outsourcing, are there, where we transfer the risk to another party. So controls are there to basically minimize the risk, to maintain the risk. Every organization has controls in place. Effective controls are ones that prevent, detect, and contain or reduce the impact of that particular risk event. So controls prevent, detect, and contain or reduce the impact. And there are also certain controls which help in recovery. Now, we'll come to those examples at a later stage in this particular area.
In this domain, it is very important to design, develop, implement and monitor information systems controls so that they are in place.
-
Now, controls, as we discussed earlier, could be policies. If you remember, we discussed the controls: they could be policies, procedures, practices, or organizational structures.
-
Those four things you have to remember: policies, procedures, practices, and structures that are implemented to reduce the risk to the organization.
-
Coming to internal controls, they are normally composed of policies, procedures, practices and organizational structures, as I said, that are implemented to reduce the risk to the organization.
-
Internal controls should address what should be achieved and what should be avoided.
-
Now, as I said earlier, they are preventive, detective, and corrective controls. These are some of the examples here.
-
Preventive controls detect problems before they arise. They monitor both operations and inputs, and they attempt to predict problems before they occur. They prevent an error or omission from occurring.
-
Segregation of duties, for example, is a preventive control, which basically detects errors, prevents frauds, etc.
-
Then, controlling access to physical facilities. For example, you have access control systems for physical security.
-
And using well-designed documents for printing, along with input validations in an application, is also an example of a preventive control.
-
Detective controls, such as CCTV, basically only detect and report the occurrence of an error, omission, or malicious act.
-
Then you have corrective controls, which correct the issues after detection.
-
They minimize the impact of a threat, remedy problems discovered by detective controls, identify the cause of the problem, correct errors arising from a problem, and modify the processing systems to minimize the future recurrence of the problem.
-
So these are the different control types. Then we have the control objectives and control measures.
-
Now, the control objective is basically very simple to understand. Every control has an objective, such as to prevent something.
-
First and foremost, we define the control objectives. For example, what do we want to protect, and from what? Once we define that, we apply the control measure.
-
So, first and foremost, you have to define the control objective: what do you want to achieve from that control, or what risk are you trying to mitigate?
-
From the risk, there would be a control objective, and from the control objective, there would be a control.
-
For example, a control objective can be malware protection: I want to protect my systems from malware.
-
Now, to achieve that control objective, I would apply controls. I would apply antivirus, I would apply patches, I would perform penetration testing on my system. All these are controls to achieve that objective.
-
So a control objective is basically defined as an objective of one or more operational areas to be achieved in order to contribute to the fulfillment of the strategic goals of the company.
-
Now, the strategic goals of the company could also be related to your risk, which is the high-level risk of the organization, and mitigating that risk will basically help your business objectives to be achieved efficiently.
-
So that is the control objective. The control objective is a goal that is especially related to the strategy of the company.
-
Then, control objectives are basically statements of what we want to achieve.
-
Always remember that control objectives are statements of the desired result, or the purpose to be achieved, by implementing that particular control.
-
Now, this control can be any procedure, any policy, any practice, or any other structure.
-
Control objectives apply to all controls.
-
So, for example, if you have a control objective, as I was telling you, malware protection, you should have a control measure: an activity contributing to the fulfillment of a control objective.
-
Both the control objective and the control measure serve the decomposition of strategic-level goals into lower-level goals and activities that can be assigned as tasks to the staff, for example a procedure.
-
This assignment can take the form of a role description or a job description.
-
I hope that the two definitions are clear, in terms of control objective and control measure, or what we generally call a control.
-
So the next slide, which is the control objective, as I said, is a statement of the desired result that we achieve by implementing the controls around the information systems.
-
It can comprise policies, procedures, practices, and organizational structures designed to provide reasonable assurance that business objectives will be achieved and undesired events will be prevented, detected, or corrected.
-
Now, these are some of the control objectives that can be applied to information systems.
-
If I were to take a few of them: safeguarding assets. I think this is a control objective every organization would have: protecting the information assets.
-
Then, if you have SDLC software development in your organization, you will say that the process should be established and should operate effectively.
-
And if you're using an OS, you will say that the integrity of the OS environment should be maintained, and the integrity of sensitive and critical application system environments should be maintained. These are some of the objectives that are common to an organization.
-
For example, if you come down to SLAs, they should meet the service level agreements and contract terms and conditions to ensure the organization's assets are properly protected and meet the operational goals and objectives.
-
But when you're looking at control objectives, you must also take into consideration how this control objective is linked to my business objectives as well, and how it is giving value to my organization.
-
So, as an auditor, you should also see how this particular control objective is serving the business objective, and how this control objective is achieved through various controls in the organization.
-
At the same time, there are many general controls. Every organization has these general controls.
-
Internal accounting controls concern the safeguarding of assets and the reliability of financial information.
-
Operational controls concern day-to-day operations.
-
Administrative controls concern operational efficiency, in terms of cost, in a functional area, and adherence to management policies.
-
Organizational security policies and procedures ensure proper usage of assets.
-
We have overall policies for the design and use of adequate documents and records, procedures and practices for access to and use of assets, and physical and logical security policies for all facilities.
-
These are some of the general controls that every organization has.
-
Then there are specific information system (IS) controls. Each general control can be translated into a more detailed, specific information system control.
-
For example, if I ask you, "What do administrative controls concern?" They concern operational efficiency in a functional area.
-
Or, if I talk about reliability of financial information, or safeguarding of assets: what do you think the IS-specific control would be for safeguarding assets? You would have an information security management system.
-
So each general control can be translated into specific IS controls. The IS auditor should understand the IS controls and how to apply them in planning the audit.
-
So, based on the general control, you can address the information system and then drill down to the system-specific controls.
-
IS control procedures include the strategy and direction of the IT function, the general organization and management of the IT function, and access to IT resources, including data and programs.
-
So, if someone talks about transaction data, obviously you can look at how access to IT resources, including data and programs, is handled.
-
Then there are system development methodologies and change control. These are some of the specific areas where the organization can apply controls.
-
Then there are operational procedures, system programming, and technical support functions. There are quality assurance procedures, and physical access control procedures.
-
There is business continuity planning and disaster recovery controls, network and communications controls, and database administration controls.
-
That's the reason we want to look at the network and communication controls; there is a network audit that is performed in many organizations.
-
A database audit is another area where you also look at database administration. This is very important in many organizations, because their data is critical. Specifically in banks, the administration of the database is something very critical.
-
Then, protective and detective mechanisms against intentional attacks, which is your penetration testing, vulnerability assessment, etc.
-
Now we will do the risk-based audit planning. This is just a repetition of what we have already talked about a lot. Just go through it, but you need to understand the nature of the business.
-
When you talk about risk, the auditor must understand the nature of the business. The auditor can then identify and categorize the types of risks, which will better help determine the kind of risk model or approach for conducting the audit.
-
For example, if you are in a bank, or a telecom, or oil and gas, the risks would change.
-
Based on the risks of a particular industry, you should prepare your model according to the type of industry.
-
For example, if you're doing an audit of a nuclear power plant, your perspective would change, and if you're doing an audit for a bank, there is a different perspective you should take.
-
So you should understand the nature of the business, and based on that business, you should apply the auditing practice. Knowledge of the business industry is a very important thing.
-
Gather information and plan. Take prior audit results if possible.
-
If you're doing a first-time audit, then it's not possible to have the previous financial information of that organization, which is important in terms of materiality.
-
For an organization, maybe a thousand-dollar loss is nothing. And then, inherent risk assessment.
-
So you're also looking at inherent risk there.
-
Now, inherent risk is basically risk without controls. I'm giving a very lame example: there's a building, and I would say that this building can catch fire, this building can suffer an earthquake, it is flood-prone, etc.
-
I'm not looking at the controls right now. I'm looking at the inherent risk to that building.
-
Now, I can have fire extinguishers, I can have water detection systems, I can have earthquake resistance, etc. But I'm not factoring in those things. I'm just looking at it from a high-level perspective: what could be the risk to my organization now?
-
The benefit of doing this is that you would cover all the risks. You are covering a lot of ground there: because you're not factoring in the controls, you're covering a lot of ground during your assessment.
-
You are factoring in fire, factoring in earthquake, factoring in flood, factoring in theft.
-
But if you factor in the controls, for example you say that there's earthquake resistance now, you're not factoring the earthquake into your risk. You're not putting that earthquake as part of your risk. You might reduce the risk once you factor in the controls.
-
So always look at the inherent risk, not the risk which is after the controls. As an auditor, you should always look for inherent risk, not the risk after implementation of the controls.
-
I hope inherent risk is clear to you guys. Let me repeat that, because that's an important concept in terms of the CISA exam.
-
Inherent risk is risk without factoring in the controls.
-
For example, I am going from point A to point B. I am not looking at any controls that can be applied here. I'm just saying, okay, if I go from point A to point B, I can have my tire punctured, I can meet with an accident, rain can come. These are the inherent risks which I'm factoring in.
-
I'm not saying, "Okay, I'm wearing a seatbelt, or I will follow the traffic rules, or I will follow the traffic lights." In terms of meeting with an accident, I would follow all the rules, but I'm not factoring any of that in.
-
So we are looking at the inherent risk: you're looking at risk without factoring in the controls.
-
Then, obtain an understanding of internal controls. Now you're factoring in the controls.
-
You're seeing, "Okay, these are the risks inherent to the organization. Now I would look at the controls."
-
I will look at the control environment, which is very important in terms of control. I will look at the control procedures.
-
I will look at the detection risk assessment and the control risk assessment to equate total risk.
-
Then, perform compliance tests. Identify the key controls to be tested.
-
Once you know the controls are there, you will perform the compliance test: you test those controls. You test the reliability, risk prevention, and adherence to the organization's policies and procedures.
-
Then you also perform the substantive test.
-
Now, compliance tests are just yes or no. For example: do you have an access control system? Yes or no. Do you have a security guard? Yes or no. That's a compliance test.
-
But when you do a substantive test, you basically do analytical procedures.
-
For example, with access control systems, you will check whether people who left the organization have been deleted from the access control systems. Have those people who left the organization accessed the systems after they exited?
-
That's an analytical approach. You go one step ahead, looking more in depth at those compliances.
-
You apply analytical procedures and do a detailed test of account balances, among other substantive audit procedures.
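-
The leaver-access test just described, written out as a script: this is an added example, not code from the lecture or from any audit tool. It takes a constructed HR list of leavers with their last working day, a constructed snapshot of the access-control system's accounts, and a few constructed access-log lines, and reports (a) leavers whose accounts are still enabled and (b) successful accesses by a leaver after the exit date. The compliance check beside it only answers the yes/no question of whether leaver accounts are disabled, which is exactly the difference between the two kinds of test. All user names, dates and the log-line format are assumptions made for the example.

```python
"""Substantive test of leaver access. Added example, not from the lecture.
All users, dates and the log format below are constructed for illustration."""
from datetime import date, datetime

# Constructed HR record: user -> last working day.
HR_LEAVERS = {
    "asmith": date(2023, 3, 31),
    "bjones": date(2023, 5, 15),
}

# Constructed snapshot of the access-control system's accounts.
ACCESS_ACCOUNTS = [
    {"user": "asmith", "enabled": True},   # leaver, still enabled: a finding
    {"user": "bjones", "enabled": False},  # leaver, correctly disabled
    {"user": "cwong", "enabled": True},    # current employee
]

# Constructed access-log lines: "<ISO timestamp> <user> <granted|denied>".
ACCESS_LOG = """\
2023-03-30T17:55:01 asmith granted
2023-04-02T09:12:44 asmith granted
2023-05-15T08:00:00 bjones granted
2023-05-20T22:13:09 bjones denied
2023-06-01T10:00:00 cwong granted
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, user, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, result = line.split()
        events.append((datetime.fromisoformat(ts), user, result))
    return events


def compliance_test(leavers, accounts):
    """Yes/no test: is every leaver's account disabled in the access-control system?"""
    enabled = {a["user"] for a in accounts if a["enabled"]}
    return not (enabled & set(leavers))


def enabled_leaver_accounts(leavers, accounts):
    """Substantive test 1: which leavers still have an enabled account."""
    enabled = {a["user"] for a in accounts if a["enabled"]}
    return sorted(u for u in leavers if u in enabled)


def post_exit_access(leavers, events):
    """Substantive test 2: successful accesses by a leaver after the exit date.

    Access on the last working day itself is allowed. A denied attempt after
    exit is not a finding for this test, because the control worked."""
    findings = []
    for ts, user, result in events:
        exit_day = leavers.get(user)
        if exit_day is not None and result == "granted" and ts.date() > exit_day:
            findings.append((user, exit_day.isoformat(), ts.isoformat()))
    return findings


if __name__ == "__main__":
    print("compliance test passed:", compliance_test(HR_LEAVERS, ACCESS_ACCOUNTS))
    print("enabled leaver accounts:", enabled_leaver_accounts(HR_LEAVERS, ACCESS_ACCOUNTS))
    for user, exit_day, ts in post_exit_access(HR_LEAVERS, parse_log(ACCESS_LOG)):
        print(f"FINDING: {user} left on {exit_day} but was granted access at {ts}")
```

Note that the compliance test alone would simply fail here, while the substantive tests tell the auditor which account and which log entry to put in the finding; on real data the leaver list comes from HR and the log from the access-control system, and both are only as good as the date fields in those systems.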
-
These are used, basically, in banking, for example.
-
If a person has made a transaction, you check whether the right-hand side is equal to the left-hand side. So, you send the money to someone: your account balance should go down, and the other person's account balance should go up.
-
This is a substantive test you perform to ensure the integrity of that transaction.
-
It's kind of like a check-up; in a balance sheet, you have the left-hand side equal to the right-hand side, etc. It's a procedure which you apply to check the logic of that transaction.
-
Then you conclude the audit, in terms of recommendations and writing the audit report.
-
These are the risk-based audit planning techniques, and these are things that may impact the audit approach.
-
Audit risk and materiality. As I said, inherent risk, which I explained to you earlier, relates to the audit risk.
-
It is the risk level or exposure of the process or entity to be audited without considering the controls that management has implemented. Inherent risk exists independently of an audit and can occur because of the nature of the business.
-
As I said, for a building, an earthquake can happen, a fire can occur, a flood can happen. So this is the inherent risk.
-
Now, control risk is basically the risk that a material error exists that would not be prevented or detected on a timely basis by the system of internal controls.
-
So control risk: even if the control is present, there's a chance that the control may miss the risk.
-
For example, control risk is associated with manual reviews of computer logs. If you're doing a manual review of computer logs, which are thousands in number, there's a high probability that you would miss the information.
-
So the control risk associated with computerized data validation processes is ordinarily low if the process is consistently applied.
-
Then there is detection risk, which is the risk that material errors or misstatements that have occurred will not be detected by the auditor.
-
Now, there is that possibility, because an audit is not a guarantee; it's assurance. So there's a possibility that, as an auditor, we fail to detect risks in the system.
-
And that happens; we are human beings, and this has happened in many organizations where the auditor failed to detect errors, and that error was there for a very long time. Then one auditor came and detected the error, and then he looked at the previous reports, and the error had been missed there also. So there's a detection risk.
-
Also, from an auditor's perspective, there is the overall audit risk. The overall audit risk is the probability that the information or financial reports may contain material errors and the auditor may not detect an error that has occurred.
-
So the difference between detection risk and overall audit risk: you must understand that detection risk is that material errors or misstatements that have occurred will not be detected by the auditor.
-
Similarly, the overall audit risk is that material errors may not be detected by the auditor. So it is almost a similar definition we have for detection risk and overall audit risk.
-
Now, the objective in formulating the audit approach is to limit the audit risk in the area under scrutiny so that the overall risk is at a sufficiently low level at the completion of the examination.
-
Coming to risk assessment. A risk assessment basically assists the auditor in identifying the high-risk areas, and it also helps in the evaluation of controls.
-
Risk assessment is used to identify, quantify, and prioritize risks against criteria for risk acceptance and objectives relevant to the organization.
-
Always remember that a risk assessment should assess based on criteria. Every organization has different criteria. Every organization has to define the criteria based on what they want to consider as risk, and for acceptance.
-
Now, for me, as I said again, a thousand-dollar loss is very significant, but for a big organization it's nothing.
-
Based on that, you would say high, medium, or low. An organization must decide whether it will accept low risk, medium risk, or whether it will also accept the high-risk areas the organization has today.
-
And it also depends on the nature of the organization. For example, in a nuclear power plant, even a low risk would be significant. But for an organization like a library, that risk may not be that much; they would only consider what is high risk to them. So it would depend on the nature of the business.
-
Now, risk assessment supports the risk-based audit decision-making, as we have already studied the risk-based auditing principles. It supports the decision-making by considering variables such as technical complexity and the level of control procedures in place.
-
For example, if there is an area where a lot of controls are present and the risk is less material, you may want to consider it as a low-risk area.
-
The level of financial loss is also something which you should be considering. For example, if a risk materializes, that is, a risk event happens in reality, what would be the financial loss?
-
Generally, many organizations use this financial loss as a criterion, in terms of high, medium, low. Sometimes organizations say that if their risk is less than one million, then it would be accepted, and if it is more than one million, it would be mitigated. That's a management decision which needs to be taken.
-
So we can also define a financial loss figure as the criterion. Then there are the risk responses.
-
As I said, risk mitigation is to reduce the risk by implementing appropriate controls.
-
Accepting the risk means knowingly and objectively not taking action, because sometimes there's too much cost to mitigate it; the business case is not there, there's no financial support. I will give you an example of acceptance shortly.
-
Then, risk avoidance is basically not doing that activity at all. You're not allowing the action that would cause the risk to occur.
-
For example, I gave you the example of going from one place to another: if I foresee that rain would come, I don't go. So that is avoiding the risk.
-
Then risk transfer is sharing and transferring the risk to another party.
-
Now, risk transfer has to be a decision that management has taken very cautiously, because when you're transferring the risk, you are not transferring the responsibility for the risk occurrence.
-
For example, you're taking insurance for a fire. Now, the fire has happened, and you have only covered the financial aspect of that risk. But if you see how your employees are suffering, how your suppliers are suffering, how your customers are suffering, that responsibility is on you; it's not on the insurance provider.
-
So you are basically not transferring the entire risk; you are just transferring the financial aspect of that risk to the insurance company.
-
Now, in terms of risk acceptance, it is very important to look at deliberately not taking action. You are not taking action because the cost of the control to be put in place is too high.
-
For example, I went to an audit for ICICI Bank where it was just a simple house I visited. There were two systems there, at a third party of ICICI Bank, and only one employee was there; the other employee was on leave.
-
Now, what they were doing is that the bank was sending them a form for their club membership. They were typing in the club membership, scanning the document, and sending it back to the bank.
-
So it's a manual form that comes to the third party, which does the data entry for that form, scans the form, and sends it to the bank again.
-
Now, this is a small organization, and they are dealing with PII of the bank's customers.
-
So I asked them to have antivirus software. I told them, "These are the controls that should be in place. You don't have these controls; you're using personal systems for storing bank information, and you don't have antivirus." I gave the list of findings there.
-
So he said, "I get 10 rupees per form to fill this form. Do you want me to apply this control for the 10 rupees which I get from ICICI Bank?" That's what he said to me.
-
So I said, "That's how it is. You accept the risk knowingly and objectively by not taking action." But again, the risk is to the bank. Now, this has been transferred to him, but he's not able to properly handle that.
-
Now, I don't know what happened after that. I gave that report to them, but I don't know whether the business is still with that third party or not.
-
These situations can happen. So your risk response option should be chosen very carefully. Any organization should take that option very carefully.
-
Okay, thank you, guys. Thank you very much.