This content outlines Domain One of an Information Systems (IS) auditing certification, focusing on the fundamental processes, principles, and risk assessment methodologies essential for conducting effective IS audits. It emphasizes a scientific, methodical approach guided by professional standards and ethical conduct.
Welcome to Domain One, the process of auditing information systems. This domain will account for 21% of the exam, and it's really the guts of an audit: this is where we talk about how you actually conduct an audit. At this point we're not as concerned with regulations and laws and technical issues so much as we're concerned with the actual auditing process, and it is a formal process. It's a science, it's not an art. Now, for the test, again, this is 21%, but I would say as an actual auditor in practice this is exactly the place to start. Domain One should be the process. We need to get in the habit early on of having a methodical, scientific approach to auditing. In this domain we're going to have several lessons that walk you through the process, so let's go ahead and get started with Domain One.

After completing Domain One you'll be able to understand basically what an audit is and how an IS audit function should be managed. You'll be able to detail the ISACA IS audit and assurance guidelines and standards. You'll be able to discuss risks and how to analyze them, and discuss and understand internal controls. You'll also be able to explain the control assessment. You'll be able to demonstrate how an information system audit should be performed and expound upon the details of the audit process. Possibly most importantly, you'll be able to apply the ISACA audit principles to your audits.

The CISA divides up the tasks for the test into task and knowledge statements. We focus the lessons on knowledge statements, but those include the tasks as well. Task statements are what a CISA candidate is expected to know how to do or perform; knowledge statements are what a CISA student should know. If you first know the items involved, then applying them is all that's required to perform a task, so while we break the lessons down by knowledge statements, you will also learn to perform the tasks. Tasks and knowledge statements establish and maintain the process of auditing information systems, and tasks can be mapped to more than one knowledge statement. Now, within this and the subsequent lessons we're going to walk you through what you need to know to pass the CISA. It's important that you take time to study and make sure you fully understand each of these lessons before proceeding to the next lesson.

Let's begin with CISA Domain One, knowledge statement 1.1. That knowledge statement tells us that
the knowledge of ISACA IT audit and assurance standards, guidelines, tools and techniques, the code of professional ethics, and other applicable standards are all required for those hoping to be certified. There's an explanation for this knowledge statement. First and foremost, the credibility of any audit is based at least in part on the use of commonly accepted standards. It just so happens that ISACA is a global pioneer of IS assurance and audit guidelines, tools and techniques standards, and has a comprehensive code of professional ethics. ISACA standards provide you with audit.

Now, the main areas that are covered under this knowledge statement include, first and foremost, the ISACA Code of Professional Ethics. That's important to keep in mind, because ISACA will emphasize this in the CISA exam: you need to know the professional ethics code and be able to apply it to scenarios that you're given. The ISACA Information Systems Assurance and Audit Standards framework, as well as the Information Systems Assurance and Audit Guidelines, will be covered, but in less detail than the professional ethics. In other words, for the framework and the guidelines you need a general understanding. The ISACA Information Systems Assurance and Audit tools and techniques will permeate the CISA exam; you'll see some under this knowledge statement, and other tools and techniques will show up in other knowledge statements and even other domains. And finally, you need to understand the relationship between standards.

The Code of Professional Ethics is critical to understand. We're going to read it right now, pausing at certain portions to give a little extra commentary where needed. ISACA set forth a code governing the professional conduct and ethics of all certified IS auditors and all members of ISACA. Members and certification holders shall:

Support the implementation of, and encourage compliance with, appropriate standards, procedures and controls for information systems.

Perform their duties with due diligence and professional care, in accordance with professional standards and best practices.

Serve in the interest of stakeholders in a lawful and honest manner, while maintaining high standards of conduct and character, and not engage in acts discreditable to the profession.

Maintain the privacy and confidentiality of information obtained in the course of their duties unless disclosure is required by legal authority; such information shall not be used for personal benefit or released to inappropriate parties. Now, this last one requires some extra commentary. As an IS auditor you're going to see all sorts of confidential information, perhaps be exposed to proprietary data, processes, plans, personnel information, that sort of thing. You must make confidentiality a cornerstone of your professional ethics.

Members and certification holders shall also maintain competency in their respective fields and agree to undertake only those activities which they can reasonably expect to complete with professional competence. What this means is, first and foremost, you have to continue learning: make sure you increase your competency, you're aware of new techniques and strategies, and also make sure you don't take on projects you're not fully qualified for.

Inform appropriate parties of the results of work performed, revealing all significant facts known to them.

Support the professional education of stakeholders in enhancing their understanding of information systems security and control. This last one also bears some commentary. The entire purpose of an audit is to inform the stakeholders of the situation of their information systems: how does it stand in relationship to security? Well, your job when the audit is over is to educate the stakeholders.

Failure to comply with the Code of Professional Ethics can result in an investigation into a member's and/or certification holder's conduct, and ultimately in disciplinary measures. ISACA may choose to ban you from ISACA or to revoke your certification if the situation warrants it.

The IT Audit and Assurance Standards
framework established by ISACA has specific objectives. IS auditors should be informed of the bare minimum level of performance needed to meet the professional responsibilities set out in the professional code of ethics. Now, keep that in mind: these standards are the minimum, and you should always strive to do better. The standards should also inform management of the profession's requirements concerning the work of audit practitioners, and these standards should also inform holders of CISA certification that failure to meet these standards may result in a review into the CISA holder's conduct by the ISACA board of directors, which may ultimately result in disciplinary action.

The ISACA IS Assurance and Audit Guidelines provide additional information on how to comply with ISACA information technology assurance and audit standards. The information systems auditor should use professional judgment, which means sometimes you may differ from the standards, but you need to be able to justify any difference. The guidelines are documents that are all identified by a prefix G followed by a number, for example G10, G12, G20. There are actually 42 categories of guidelines. In the next few screens we'll briefly look at all of them. You don't have to memorize them, and therefore we won't read every one to you, but I will point out a few of them that are of particular importance. What we see here, due professional care, ties directly in with the professional code of ethics, so G7 is particularly important. There's an entire knowledge statement on G10, audit sampling, which discusses how to do proper sampling. Audit evidence requirement, G2, also is prominent on the certification test. G15, planning: a properly planned audit is the only way you're going to have a good audit. And of course G20, reporting: the way you report your audit is essential to communicating your findings to the stakeholders. G28, computer forensics, may seem like an odd one to you. It's not required that you be a forensics expert or professional, but there is a forensics component, and you need to have at least a basic understanding of forensics to be able to effectively conduct an audit. Continuous assurance, G42: even if your audit shows that everything meets standards, are we sure it will still meet standards a week from now, a month from now, any time period between now and the next audit? G38, access controls: those are always a common point to check during your audit.

ISACA also has standards and guidelines related to audit, the ITAF, and you can see here a listing of those standards. As with the G standards, you don't have to memorize each of these, and we won't read them to you, but you should be familiar with them. That concludes 1.1.

CISA knowledge statement
1.2: knowledge of the risk assessment concepts and tools and techniques used in planning, examination, reporting and follow-up. First of all, your overall audit plan has to focus on business risks related to the use of IT. Now, throughout this course we're going to look at a lot of methodologies, standards and techniques, but if you think about it for just a moment, I think you'll agree that information system auditing comes down to one simple concept: identify the risks a business faces, look at the controls in place to mitigate those risks, and evaluate the efficacy of those controls. That's really what auditing is all about.

The area under our audit represents the audit scope. We're not going to audit everything, so let's find out what we are going to audit: what is the scope of our audit? Auditors should use risk analysis techniques to find out what are the critical areas to focus on within the audit scope. In other words, you determine the audit scope by risk analysis. You obviously have limited audit resources; you don't have an infinite number of personnel, number of hours or number of dollars to spend on an audit, so this requires a focus in drawing the audit plan, and the focus is on the risks that are important to this business.

It's also important to prepare a proper audit report. Think about it for just a moment: once you're done with your audit, one of the big goals is to inform the auditee of the issues you found and the remediation steps you recommend. The primary communication vehicle you have for this is your audit report, so writing a good audit report is very important. Follow up on issues that are found in the audit; that's also very critical. It's not enough to identify an issue, it's not even enough to recommend remediation; there has to be some process to discover whether it was done.

The main areas we'll look at in this lesson include risk analysis. Now, throughout this course you're going to see other looks at risk analysis, but we'll begin in this lesson looking at risk analysis methodologies, processes and techniques. This leads us to audit methodology. Now, that's another issue that will permeate the course, obviously with various methodologies; we'll begin in this lesson. Our whole focus is on risk-based auditing, using risk analysis to drive the entire audit process. We also will be discussing inherent risks in the audit itself, what we call audit risk and materiality. We'll begin looking at risk assessment (how do we determine what is a risk?) and treatment (what are our steps to remediate a risk?). This will involve beginning your introduction to risk assessment techniques. We'll also be looking at follow-up.

Let's start with looking at
risk analysis. This is a process that helps an auditor recognize the vulnerabilities and risks. That's the first part: you have to be aware of what the risks and vulnerabilities to this specific organization are. Now, some risks and some vulnerabilities are common to everyone: everyone is at risk for a virus outbreak, everyone is at risk for a fire in the server room. But we also have very specific risks to specific industries. Then we need to look at how we define controls that can be put in place, or may already be in place, to mitigate those risks.

Now, throughout this lesson you're going to see several different phrasings of the definition of risk. They're all worded slightly differently because they come from different sources, but they all essentially mean the same thing. Let's start with this first one: risk is defined as the mixture of the likelihood of an event and its magnitude. First of all, an event we're defining as some negative incident. How likely is it to happen? Some events are more likely than others; not everything has an equal likelihood. For example, for any organization the likelihood of a hard drive crash in a server is relatively high, but the likelihood of an intrusion by a state-sponsored cyber terrorist is only high for certain businesses, high-tech companies, defense contractors; it's extremely low for a pizza delivery business or a bookseller. So we have to look at the likelihood of an event.

Then let's look at the magnitude. Not all events have the same magnitude for every industry. Let's consider a hypothetical: an event that causes your web server to crash and to be offline temporarily. Let's assume your business is pizzas; you sell pizzas, you have a chain of pizza restaurants. If your web server is down, some of your customers will not do business with you during that time; they can't order online, so they will order from a competitor. You will lose some business, but some customers will come into your restaurants and eat there, some will come in and get takeout, some will phone in for their delivery orders. So you will lose some business, but by no means all. Now let's assume the same web server crash, but your business is that of e-commerce: you sell things online, it's what you do. If your web server is down you're making zero money; you're losing all dollars for every minute the web server is down. Now, in both scenarios the web server going down is negative, it's a risk, but the magnitude is different in the second scenario than in the first.

Let's look at another definition that's very
similar. IT risk is specifically the enterprise risk associated with the ownership, use, operation, influence, involvement and adoption of information technology within a business. Now let's think about that for just a moment. We all like new technologies, myself more than most: the convenience, the productivity, all these things that are afforded us by new technologies. But every technology also involves a risk simply by owning and using it. For example, we already mentioned websites that expand your customer base, let you sell to customers more conveniently and, in some cases, to customers in other areas that you normally wouldn't get to reach. However, every website is vulnerable to denial of service attacks, SQL injection, cross-site scripting and a variety of other attacks. Smartphones: these are now ubiquitous, everyone has one, and I personally depend on mine all the time. And many people now bring these phones into the workplace and connect them to the organization's Wi-Fi. This is referred to as BYOD, bring your own device. Well, that poses a lot of risks. Yes, it's incredibly convenient, and it allows employees to blend work with personal time: they may, on their own time, address a work issue through their phone, and they may be able to take a critical personal issue, such as a sick relative, and still come to work because of the access they have with the phone. So it blends our worlds. However, you now have attached to your Wi-Fi a diverse number of phones with a wide range of operating systems, software and hardware. This is a risk. So every technology, just owning it and using it, gives us some enterprise risk.

Let's consider two other definitions of risk, and these are worded slightly differently but are very similar and almost identical in meaning to what we've already
seen: the probable frequency and probable magnitude of a future loss. Now, what I really like about this definition is the use of the word probable. It's unlikely that you'll be able to know exactly how frequently an event may occur or the exact magnitude; you have to perform an estimate. The second definition: the potential that a given threat will exploit vulnerabilities of an asset or group of assets and cause harm to the organization. Now, this comes from the standard ISO 27005, which you're definitely going to see on the CISA exam, not just this definition, but you'll see more about the standard, and we'll revisit it again in future lessons. Definitely be familiar with ISO 27005. But I like this definition because it emphasizes two things. First and foremost, we're concerned about harm to the organization. If a particular IT system is offline but it doesn't harm the organization, it's not that big a concern. If you have 20 printers and one of them is offline, it's an inconvenience; it doesn't do great harm to the organization. I also like this definition because it's talking about the exploiting of vulnerabilities, and that's what we're really concerned about in risk mitigation.

Now, the process of risk analysis is complex and involved, and it's applied in a variety of areas such as disaster recovery planning and business continuity planning. But let's look at it specifically from the auditor's point of view. From the information system audit point of view, risk analysis is used for the following purposes. First, it helps the auditor identify threats and risks within the IS environment. We've already stated that your audit has to be risk driven, but that begins by identifying the threats and risks that are of most concern in this specific environment. It also lets you plan the audit by looking at the controls in place, and we look at those controls in light of the specific risks and threats we've already identified. Now you're in a position to know the audit objectives: you're basically testing to see if the controls in place appropriately and adequately mitigate the threats and risks you've identified. This makes decision-making a much easier process when you're using a risk-based methodology.

Now, on the right-hand side
of the screen here you see several steps. These actually occur in a linear fashion for our initial audit, but then on an ongoing basis. Let's start with identifying business objectives. This literally means: what is the business trying to do? Now, you can think about this in a very broad scope, but we're being more specific. For example, if you have a pizza business, their objective is to sell pizzas, but we need to break this down much more fine-tuned; for example, the objective of the website is to allow people to order online. Underneath that objective we have sub-objectives: we want to be able to effectively and securely process credit cards, we want it to be a user-friendly experience, and there may be a host of other objectives. But before you can even begin looking at the audit, you have to know what the business is trying to do.

Now, that flows very naturally into identifying those information assets that support the business objective. It may sound odd, but normally an organization has a number of information systems, some of which are not absolutely critical to the business objective we're concerned about. Again, if you have 20 printers and most of your business is online anyway, doesn't require printing for each transaction, and printing is used for things like monthly reports and invoicing, well then one printer being down is not a big concern; the web server being down is a huge concern.

Now that you've identified the information assets that support those business objectives, we flow straight to doing a risk assessment on those assets. What are the threats to those assets? What vulnerabilities are in those assets that would allow a threat to be realized? And what would be the impact? Now, impact often involves something we haven't discussed yet called a criticality analysis. That's just a nice way of saying we look at each particular asset and evaluate how critical it is to the organization, and that's often based simply on how much damage it would cause if that particular asset wasn't available.

Now that you've done a risk assessment, we can do risk management. Let's look at the risks and map them to existing controls. Although that can be an involved process, it really comes down to two questions. Are there controls in place that address each and every risk you have? Any place you have a risk that does not have a control, that's an obvious place that needs to be addressed. The second question is, assuming there is a control in place for that risk, does it adequately mitigate the risk? Does it bring the risk down to a level that's tolerable? Once you've done that, we can do risk treatment: let's look at those risks that are not mitigated by existing controls, or at least where the existing controls don't adequately mitigate them.

Now, as I mentioned, in your initial audit this is a linear process, but I think you'll agree things change. Business objectives change all the time: sometimes a business may add on new objectives, they may leave old objectives, they may add on a new line of business or abandon a line of business. Information assets definitely change: there are new operating systems, there are changes to hardware, all of these change things. Certain threats change. For example, SQL injection is still a threat, but it's less of a threat today than it was 5 years ago. Denial of service attacks are still a big threat, but a specific old one called a SYN flood is not nearly as much a danger today as it once was, due to modern firewalls. Threats have changed. On the other hand, there are new threats that didn't exist 5 years ago. All of these changes cause this process to now become cyclical: we will re-evaluate the risk process.

There are some basic risk
assessment terms, borrowed from business continuity and disaster recovery planning, that you need to be familiar with. Assets are the resources you're trying to protect. Now, your natural inclination may be to think about servers, and those are certainly assets, but I think if you'll reflect on this for a moment you'll agree that in most cases the data on the server is worth a lot more than the server itself. Risk, and this is yet another definition that may seem to be worded differently but means essentially the same as what we've seen so far: it's the potential that a chosen action or activity will lead to a loss. Threats: any negative action that could harm a system. Vulnerabilities: any weakness that allows a threat to cause harm. Impact: the severity of damage. Whenever possible we express that in dollars.

Now, to express that in dollars we have some very specific formulas. These formulas are also borrowed from disaster recovery and business continuity planning. Exposure factor: this is the percentage value of an asset lost due to an incident. Now, what we mean is, in many cases you won't completely lose an asset. Let's assume you have a database and you do a full backup every hour; then the worst you can lose is 59 minutes' worth of data, because if the database crashes one minute before your next backup you will have lost those 59 minutes, but you can recover all the other data. Now, if we look at a single loss expectancy, that means: what do we lose in a single negative incident? We start with the asset value, how much the asset is worth, times that exposure factor. That will give us a single loss expectancy. Next we have to consider the annual rate of occurrence; that's the number of losses you might expect to have in a year. Now, this can be effectively estimated through a number of different methods. First, look at previous years: what was the number of losses last year and the year before? Then there are a variety of security firms that every year publish reports that tell you the preceding year's various losses, various attacks, various threats, broken down by industry and size of company. For example, insurance companies that do over $20 million a year in business but less than 100 million: how many virus outbreaks do they have on average? That sort of information is publicly available.

Now, I want to stop and point out something here. There are a number of things throughout this process that are estimates; annual rate of occurrence is one. But as I was just indicating, an estimate doesn't mean a wild guess. You shouldn't just think and come up with some random number, "annual rate of occurrence: 15 times." That's very ineffective and in fact counterproductive. But if you look at your prior years' annual rate of occurrence (how many virus outbreaks did you have a year ago, two years ago, three years ago, is there an upward trend in them?), if you look at industry reports that give you the norm for your industry and size of business, and you use all of this to estimate the annual rate of occurrence, then yes, it's an estimate, no, it's not exact, but it's a good estimate. You should do the same thing when looking at asset value, exposure factor, or any number of factors that we've already discussed or will discuss where we say it's an estimate. Estimates should never be guessed. I would also recommend that in your final audit report you actually include the basis for your estimates: where did you get this number?

Now, with that said, we're ready to
compute annualized loss expectancy. That's the yearly cost due to a risk: you take the single loss expectancy times the annual rate of occurrence, and normally this is done per asset, per risk. In other words, the web server and denial of service attacks: what's the annualized rate of occurrence, what's the annualized loss expectancy? Now, the reason we do this is we can now calculate the cost effectiveness of mitigating controls. Let's say you've identified denial of service attacks as a risk to your website. Let's say you have 10 occurrences a year, and each one costs roughly $1,000, so $10,000 a year will be lost. Well, now we have to ask a question: what will it cost to mitigate that? If there's a control that will reduce that to two times a year, so our loss goes from 10,000 a year to 2,000 a year, should we implement that control? Well, it's a very simple formula: how much does the control cost? If it costs 5,000 but saves us 8,000, then it's well worth it; if it costs 5,000 and saves us … it.

Now let's look at the three formulas at the bottom that use these terms. Again, some of these items, like annual rate of occurrence, will be estimates; exposure factor will be an estimate; but please use as much data as possible to make these good estimates, not just wild guesses. If you take the value of the asset, however much it was worth (that can include purchase cost, maintenance cost, development cost, whatever the complete value of the asset is), and multiply that by the exposure factor, the result is the single loss expectancy: how much you expect to lose if there's a single loss. What is risk? You take the probability of something happening times the cost if that happened. For example, what would it cost you for your server to be down for a week? Let's say your web server; calculate that cost. Now, that should be something you can do with concrete numbers with very little guessing. Now you try to estimate the probability of a risk, multiply that times the cost, and you have your risk value. Next let's look at annualized loss expectancy. You take that single loss expectancy you previously computed and multiply it times that annual rate of occurrence (and remember, this is an estimate, but it's an estimate hopefully based on statistical averages, past performance and reports from industry); in any case, once you multiply ARO times SLE you have the annualized loss expectancy. These three formulas and these terms are central to impact analysis; thus they're central to business continuity planning and disaster recovery planning. In other words, this is how you calculate risk. Risk should have as little guessing as possible.
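Here is how the three formulas above (SLE, risk value, ALE) and the control cost-effectiveness test fit together in code. This is an added example, not part of the lesson: the function names are mine, the database figures ($120,000 asset value, 25% exposure factor) and the three-year incident history are constructed for illustration, and averaging prior years is one reading of the lesson's "look at previous years" advice, not the only way to estimate ARO. The denial of service figures (10 occurrences at about $1,000 each, a control that cuts them to 2 and costs $5,000) are the lesson's own.

```python
"""Quantitative risk formulas from the lesson (SLE, risk value, ALE) and the
cost-effectiveness test for a mitigating control.  Added example: the database
and incident-history figures are constructed, the DoS figures are the lesson's."""

from statistics import mean


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = asset value x exposure factor.
    EF is the fraction (0..1) of the asset's value lost in one incident."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def risk_value(probability: float, cost: float) -> float:
    """Risk = probability of the event x cost if it happens."""
    return probability * cost


def estimate_aro(prior_year_counts: list[int]) -> float:
    """Annual rate of occurrence estimated from prior years' incident counts.
    Averaging is this example's choice; the lesson also points to industry
    reports and trend analysis, and insists the figure is never a wild guess."""
    if not prior_year_counts:
        raise ValueError("need at least one year of history to estimate ARO")
    return mean(prior_year_counts)


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO, computed per asset, per risk."""
    return sle * aro


def control_net_benefit(ale_before: float, ale_after: float,
                        annual_control_cost: float) -> float:
    """Yearly loss avoided by the control minus what the control costs.
    Positive means the control is worth implementing."""
    return (ale_before - ale_after) - annual_control_cost


def database_example() -> float:
    """Constructed: a $120,000 database whose hourly backups limit a crash to
    losing roughly a quarter of its value (EF 0.25)."""
    return single_loss_expectancy(asset_value=120_000, exposure_factor=0.25)


def dos_example() -> dict:
    """The lesson's scenario: DoS against the web server, 10 occurrences a year
    at about $1,000 each; a control cuts that to 2 a year and costs $5,000."""
    sle = 1_000                                  # cost of one incident
    aro = estimate_aro([8, 11, 11])              # constructed 3-year history -> 10
    ale_before = annualized_loss_expectancy(sle, aro)
    ale_after = annualized_loss_expectancy(sle, aro=2)
    net = control_net_benefit(ale_before, ale_after, annual_control_cost=5_000)
    return {
        "ale_before": ale_before,                # 10,000
        "ale_after": ale_after,                  # 2,000
        "savings": ale_before - ale_after,       # 8,000
        "net_benefit": net,                      # 3,000
        "worth_it": net > 0,
    }


if __name__ == "__main__":
    print(f"database SLE: ${database_example():,.0f}")
    for key, value in dos_example().items():
        print(f"{key}: {value}")
```

The point of keeping `estimate_aro` separate from the arithmetic is the lesson's own: the formulas are trivial, the defensible part of the work is where the inputs come from, and an audit report should be able to show that history or industry data rather than a number someone felt was about right.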
The risk-based audit approach is simply based on the concept of determining which areas should be audited based on the level of risk. The things we've already talked about, including the formulas we just looked at, are how you decide the level of risk. Now, once you've looked at a risk and you've looked at controls, even added or enhanced controls, you have not totally eliminated risk; there is some risk left over, and that's called residual risk. Now, how much residual risk is okay? Well, that depends on management's risk appetite. So the goal of an audit is to make sure mitigating controls reduce risk, taking that residual risk down to a level that's acceptable to management.

We have another risk: risks in the audit itself. These aren't risks from outside threats. These are risks, for example, that your report might contain an error, an error that's material. A simple typo isn't what we're concerned about, although those certainly look bad; we're concerned about an error that's material. This can be through some mistake in your reporting or auditing process, or it's possible that an audit might not detect a specific threat, risk or vulnerability. That's audit risk, that something might be important.

Now, risk assessment: we've already looked at that in some depth. Risk assessment involves identifying risks, prioritizing them (which are more important?), and as much as possible quantifying the risk; that involves some of those formulas like ALE and SLE that we already looked at. Now we evaluate those against some criteria for risk tolerance: what are the objectives and risk tolerance for this organization? Risk assessments have to be carried out regularly because things change: the risk environment changes, regulatory requirements change, legal requirements change, the risk appetite of a business may change. So it's not adequate to base your audit on a really old risk assessment; the risk assessment should either immediately precede your audit. Once you've identified a risk,
while we may have dozens and hundreds of
different technological answers all risk
treatment comes down to four
categories the first is risk mitigation
and this is by far the most common it's
a control that lowers the risk hopefully
lowers the risk to the point that the
residual risk is acceptable to
management now one you might not have
thought of is risk accept acceptance you
objectively and knowingly choose not to
take action now this is not lack of
action due to ignorance you weren't
aware of the risk what happens is you
did the risk you looked at mitigating
controls and using formulas like the a
and SLE formula you've recently seen you
determined that the cost of mitigation
was much much more expensive than the
cost of loss or you determine that the
likelihood of a particular threat was so
low as to be almost impossible any of
these criterias may lead you to Simply
accept the risk and not Implement
mitigating controls now before you take
that course of action this absolutely
must have management Buy in and should
absolutely be documented thoroughly why
are you choosing to accept the
risk risk avoidance is something we
prefer but rarely can do you literally
evade the risk there's zero chance of
risk occurring that's hard to do in most
cases the best you can do is effectively
mitigate now risk transfer sharing that
used to mean simply you have vendors
Partners suppliers that take on part of
the risk but more and more we're seeing
insurance companies issue it breach
insurance so they share the risk they
take on the cost of some issue should a threat
occur whereas we will look at many many
different methods throughout this course
they really come down to a few different
criteria a few different properties that
all risk assessment methods have now
there are some formal methods like the
scoring system method and judgmental
method first remember that a combination
of methods can be used you don't have
have to pick a single risk assessment
method and stay with it methods can
develop and change over time they get
updated there are new methods that sort
of thing unfortunately all methods to
some degree depend on your subjective
judgment now you should always evaluate
the appropriateness of any chosen risk
methodology method for your environment
don't just pick one because it's the one
you always use what's appropriate for
this environment and these specific goals
goals
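The acceptance-versus-mitigation reasoning above can be made concrete. The following is an added example, not material from the course or from ISACA; the Risk, Control and Decision classes, the negligible_aro cut-off, the control effectiveness figures and all sample numbers are assumptions constructed for illustration. It computes ALE = SLE x ARO, applies the two acceptance criteria the lesson names (the control costs more than the loss it avoids, or the likelihood is too low to matter) and flags every acceptance as requiring documented management sign-off.

```python
"""Risk treatment recommendation from ALE figures.

Added example; it is not part of the course material. The thresholds, control
effectiveness figures and sample numbers are constructed for illustration.
Computes ALE = SLE x ARO, compares it against the annual cost of a candidate
control and the residual ALE that control leaves, and recommends MITIGATE or
ACCEPT. Acceptance is never silent: every ACCEPT requires documented
management sign-off.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Risk:
    name: str
    sle: float   # single loss expectancy: cost of one occurrence
    aro: float   # annualized rate of occurrence: expected occurrences per year


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float    # what the control costs to run for a year
    effectiveness: float  # fraction of the exposure it removes, 0.0..1.0 (assumed)


@dataclass(frozen=True)
class Decision:
    risk: str
    treatment: str            # "MITIGATE" or "ACCEPT"
    ale_before: float
    ale_after: Optional[float]
    rationale: str
    requires_signoff: bool    # True for every acceptance: document why
    control: Optional[str] = None


def ale(sle: float, aro: float) -> float:
    """Annualized loss expectancy."""
    return sle * aro


def recommend_treatment(risk: Risk, control: Optional[Control],
                        negligible_aro: float = 0.001) -> Decision:
    """Recommend MITIGATE or ACCEPT for one risk and one candidate control.

    negligible_aro is an assumed cut-off for "so unlikely as to be almost
    impossible"; a real program sets it in its risk policy.
    """
    before = ale(risk.sle, risk.aro)

    # Second acceptance criterion from the lesson: likelihood is negligible.
    if risk.aro < negligible_aro:
        return Decision(risk.name, "ACCEPT", before, None,
                        f"ARO {risk.aro} is below the negligible threshold "
                        f"{negligible_aro}", requires_signoff=True)

    # No control identified: acceptance by default is itself an audit finding.
    if control is None:
        return Decision(risk.name, "ACCEPT", before, None,
                        "no candidate control identified", requires_signoff=True)

    if not 0.0 <= control.effectiveness <= 1.0:
        raise ValueError("control effectiveness must be between 0 and 1")

    after = before * (1.0 - control.effectiveness)   # residual ALE
    avoided = before - after                          # loss the control prevents

    # First acceptance criterion: mitigation costs more than the loss it avoids.
    if control.annual_cost > avoided:
        return Decision(risk.name, "ACCEPT", before, after,
                        f"{control.name} costs {control.annual_cost:.0f}/yr but "
                        f"avoids only {avoided:.0f}/yr", requires_signoff=True,
                        control=control.name)

    return Decision(risk.name, "MITIGATE", before, after,
                    f"{control.name} avoids {avoided:.0f}/yr for "
                    f"{control.annual_cost:.0f}/yr; residual ALE {after:.0f}",
                    requires_signoff=False, control=control.name)


def treatment_register(pairs: List[Tuple[Risk, Optional[Control]]]) -> List[Decision]:
    """Run the decision over (risk, control) pairs; the result is the record
    management signs off on."""
    return [recommend_treatment(r, c) for r, c in pairs]


# Constructed sample figures, not real data.
SAMPLE = [
    (Risk("SQL injection against storefront", sle=200_000, aro=0.5),
     Control("web application firewall", annual_cost=30_000, effectiveness=0.9)),
    (Risk("fraudulent paper check", sle=1_000, aro=2.0),
     Control("gold-plated check scanner", annual_cost=50_000, effectiveness=0.9)),
    (Risk("meteor strike on data center", sle=5_000_000, aro=0.00001),
     Control("hardened bunker", annual_cost=1_000_000, effectiveness=1.0)),
]

if __name__ == "__main__":
    for d in treatment_register(SAMPLE):
        flag = " (needs documented management sign-off)" if d.requires_signoff else ""
        print(f"{d.risk}: {d.treatment}{flag}; {d.rationale}")
```

Run as a script, it prints one line per risk with the recommendation and its rationale. Note that effectiveness and negligible_aro are exactly the subjective inputs the lesson warns about; making them explicit parameters is what lets the rationale be documented alongside the decision instead of living in someone's head.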
That concludes knowledge statement 1.2.

Knowledge statement 1.3 of domain one of the CISA exam: knowledge of fundamental business processes, things like purchasing, payroll, accounts payable, accounts receivable, and the role of information systems in these processes.

The purpose of this knowledge statement is to emphasize that before you can do a successful IS audit you need to understand the underlying business process that's being audited. As we already mentioned: is this an accounts payable system? Is this a human resources system? What's the purpose of the process, what are its goals, how does it function, what are its constraints?

You also need to understand the role that information systems play in these processes. Clearly some business processes are more IS-centric than others; you need to understand the specific part that IS plays in any given business process. Information systems auditing involves assessment of all the information-system-related controls, but also understanding those control objectives, which is why you need to understand the fundamental business processes. It also involves identifying key controls that help achieve a well-controlled environment as per particular standards. That may also involve knowledge of certain industry standards and laws, and we'll visit that topic in later knowledge statements.

Here are just some examples of fundamental business processes, using transactions as an example. A bank can have various transactions: mobile banking, ATM, over-the-counter deposits, withdrawals, wire transfers, all sorts of accounts. A chain store might have point-of-sale transactions with credit card, extranet, or cash; transactions with suppliers using electronic data interchange; ordering from vendors; those sorts of processes. Whatever the particular business you're auditing, you need to understand what it is that business does, what the particular processes are that are most critical to that business, and what information systems those processes use, and then apply things that we've looked at in earlier lessons, such as risk assessment: a risk assessment that's particular to the specific fundamental business processes for the organization that you're about to audit.

Now, there are a few different ways of looking at and understanding a business better. The following few screens will show you a few of these methodologies. None of these do you have to memorize for the CISA exam, and we won't cover them in any significant depth; you just need to be able to basically identify what these frameworks are.

The Zachman Framework is a common one used for defining an enterprise. There are two ways to classify an enterprise that are combined together in the Zachman Framework. The first is very simple: what is the enterprise, how does it work, when does it work, who's involved, where do they work, why do they do these tasks. The second is more specific: you identify the specific business elements in that enterprise, define them, and look at their representation, specification, configuration, and instantiation. Again, it's not important that you go into more depth than that on the Zachman Framework, and it's not important that you memorize it, at least not for the CISA exam. The goal here is simply to make sure that you're aware that this is one framework that you could utilize in your audit practice to help you better understand a specific enterprise, so you will know their business processes in enough detail to be able to effectively audit their systems.

Something similar to the Zachman Framework is the Sherwood Applied Business Security Architecture. As you might guess, this is more specific to security in the business, and it looks at the whole enterprise from a risk-driven perspective, looking at the architecture as it relates to information security. So this deviates a bit from Zachman in that it's not so focused on general business processes and an enterprise-wide description, but more focused on the risk associated with specific security architectures.

The primary characteristic of the Sherwood Applied Business Security Architecture is that everything must be derived from an analysis of the business requirements for security. So you look at what that business needs for security and see if that's being met. It also involves ongoing "manage and measure" phases of the life cycle, as they call them; in other words, you're continually measuring how close we are to meeting those business requirements, and we manage so that we make sure we're constantly meeting those measurements. I personally think that the Sherwood Applied Business Security Architecture should be used in combination with Zachman to give you a more comprehensive understanding of the business.

A third model you might consider, devised by Michael Bell, is the service-oriented modeling framework, often simply called SOMF. It allows you to model business and software systems to specify service orientation; in other words, we look at what services the business provides and what services specific systems within the business provide, and that perspective allows us to better understand the business itself. It can be used with any number of architectural approaches; in other words, you can combine it with the Sherwood model we just looked at. It can also be used, in addition to prepping an audit, to design any application business environment, local or distributed. In other words, if you first consider what the business does, what service it provides, and then consider what software systems are necessary to provide that service, that will drive not only audits but the design of applications, technologies, and systems.

Again, any of these particular options, the service-oriented modeling framework, Sherwood, or Zachman, can be used in combination with the others. The whole idea is not that you memorize each of these three, but that you be aware that there are tools to help you better understand the underlying business. You don't simply have to approach understanding the business in an ad hoc fashion; you can use one of these modeling tools to give yourself a deeper comprehension of the business that you're preparing to audit.
Knowledge statement 1.4: knowledge of control principles related to controls in information systems.

What we're going to attempt to do under this knowledge statement is to ensure that you, the CISA candidate, understand the different types of controls and how they function, and can explain those control principles. Primarily we're concerned with internal controls. External controls would be laws and regulations that are external to a particular enterprise but do impact how they handle information security in their information systems. Internal controls are the enterprise's own internal processes that have been implemented to achieve specific objectives while minimizing risk. They comprise the enterprise's structures, procedures, policies, and practices that have been implemented to lower the level of risk in an enterprise. That includes everything from information technology projects, such as intrusion detection systems and anti-malware, to policies, to training, to procedures: everything within the enterprise that's meant to minimize risk and achieve specific objectives. They can be manual or automated. In the information systems world we often think of automated things such as anti-malware, intrusion detection systems, and that sort of thing, but manual things, such as having a second party confirm a payment over a certain level before that payment is processed, well, that can be a manual or automated control.

Internal controls really consider two things: by implementing this control, what can be attained, or what can be evaded? What can be attained? Let's take for example manual spot checks of source code: someone reviews source code before the project is compiled and distributed throughout the organization. What can be attained by that? Well, first and foremost, better quality of software: we can look and see that all the basic software procedures were implemented correctly. What can be evaded? Well, at least some of the more obvious bugs will be evaded through this process.

Internal controls and procedures have two categories. The first is general control procedures. Previously we mentioned having a second party authorize payments over a certain level; well, that's a business control, that's a general control for the entire enterprise, and it may or may not be implemented through technology. Information system control procedures regard control procedures directly related to your information systems: how do we secure databases, web servers, and the like?

All internal controls fall into one of three categories. Preventive controls stop something before it occurs: locking an office to prevent unauthorized access, using RSA tokens, encrypting a hard drive to prevent someone from viewing files, using a virtual private network to prevent eavesdroppers from monitoring your communications. Corrective controls are meant to either minimize or actually correct when a problem occurs; for example, data backup: you can put the data back to where it was before the situation. Detective controls help you learn that something negative has occurred. These can be things that are physical or information-security related. In the information security realm you're probably thinking of things like automated systems, intrusion detection systems, and things of that nature, but something as simple as a physical access log, an audit trail, or an access control list to the server room: all of these are detective controls that help you detect what occurred and when. Now, it's not the case that any one of these three types of controls is more important than the others. A good system has to have preventive, corrective, and detective controls, and during your audit you need to ensure that all three are in place to meet the objectives.
IS control objectives are top-level requirements that management sets for adequate control of each IT process. IS control objectives are, first of all, a statement of the preferred purpose or result to be attained by applying controls to particular information systems. In other words, by implementing this control, whether it be a physical login sheet, an anti-malware system, or whatever it might be, what is it you want to attain by doing this? What do you hope will be gained?

IS control objectives are also procedures, policies, organizational structures, and practices, anything that's intended to reasonably assure that enterprise objectives will be achieved while undesired events are detected, corrected, or prevented. So we're looking at the entire process: we're looking at your company's policies, we're looking at the inherent organizational structures, and that can include everything from something as simple as an organizational chart (who do you report a particular issue to?) to something far more complex and intricate. Any procedures that you might have in place that might help assure enterprise objectives fall under the heading of controls.

Here are some examples. Note that these are very general; they're meant to be. This isn't telling you how to implement them; this is telling you the objectives. For example: ensure the integrity of the system, for example an operating system. Ensure the integrity of sensitive and critical application systems: your financial data, your customer data. Safeguard your assets; that includes physical assets as well as technology assets. Ensure the effectiveness and efficiency of operations: it's not enough that things work, they have to work well. Ensure proper authentication processes for users; this is a critical part of information systems security. Ensure the availability of any given service, and this is accomplished through disaster recovery planning and business continuity planning. There are other knowledge objectives later on in this course which will cover disaster recovery and business continuity in more detail.

Information system control procedures include all of the following, and let's talk briefly about each of these. Strategy and direction of the IT function: what are we trying to accomplish with this specific function, and how does it integrate with the organizational goals? It sometimes occurs that enterprise goals change and technology changes, and a particular IS control or particular IT function may no longer fit with the strategy. System development procedures: we have lessons later on specifically on that topic, but that's one of the things you will check in an audit; are systems being developed in a proper manner? That ties in closely with: do we have quality assurance processes that are appropriate and that are being adhered to? What about the communications in the network: do they meet security needs, do they mesh with the enterprise objectives, do they support the goals of the business? General organization and management of the IT function: how is this particular function we're auditing managed, how is it organized? Are there operation procedures in place that support enterprise objectives? Are there appropriate physical access controls? If a database is involved, and it usually is with an information system, is database administration done in a way that's consistent with enterprise objectives? What about access to IT programs, data, and resources; is it controlled appropriately? Are there appropriate system programming and system support departments to support the enterprise objectives? Of course, do we have business continuity planning in place that's appropriate and sufficient to support this particular business process? Do we have detective and protection mechanisms? All of these questions need to be addressed when looking at each and every audit.

An audit work program represents your audit plan and strategy. It has procedures, scope, and objectives. It's basically a guide for documenting the various steps you take during the audit and the type and extent of evidentiary matter reviewed; it gives a trail for the entire process used. At some point you'll want to do quality assurance of your audit process, and only through an audit work program do you have the trail necessary to do that. It also provides accountability for performance.

Whatever approach you use to auditing, it always comes down to four basic steps. First is planning: you always assess risks first, and you develop your audit program in light of those risks. You also have objectives and procedures; recall guidance 5 that we looked at in an earlier lesson. Once you have your plan, you have to obtain and evaluate evidence. It's all about evidence. You don't have any preconceived notions about whether or not a control is meeting the objectives when you're auditing; you seek evidence to determine the strengths and weaknesses of controls. Once you've done all of that, you have to prepare and present a report; there's usually a draft version and then the final report. Just as important, and covered in guidance 35, is the follow-up: were corrective actions taken on the issues you found during the audit? Were they fixed, or do those negative findings remain?

Audit methodology is the standard set of audit procedures that are used to attain the objectives of the audit. This is a documented approach for performing the audit in a consistent manner in order to achieve the planned audit objectives. Audit methodology always has the scope of the audit, the audit objectives, and the work programs we previously mentioned.

That concludes knowledge statement 1.4.
Knowledge statement 1.5: knowledge of risk-based audit planning and audit project management. What this means is we're going to look at an approach to audit that's based on the enterprise's risks. As you already realize, it's usually not possible, or at least not practical, to audit every single function of every single IS that you have in the organization. All of your information systems are very complex, and checking each and every control in each and every possible scenario is usually impractical.

Risk-based audit planning starts with identifying the key enterprise risks: what are the risks that are particularly important to this enterprise? In other words, a risk analysis has been conducted. Now, for this to work, you have to have an understanding of the organization: what sort of business are they in, what sort of transactions are they conducting, what is the business environment? By environment we're talking about the information systems environment, their technology environment, and perhaps a regulatory environment. You also need to know what the business's control objectives are: what are they trying to accomplish by implementing certain controls? It's important to understand the type and nature of the transactions that organization engages in. For example, B2B wire transfers are very different from consumer-initiated credit card transactions; that changes the entire scenario, what risks are present and how one goes about auditing. You also need to understand the flow of these transactions and how they're captured in information systems. Remember, our focus is information systems auditing, so it's not just the transactions but how our systems handle them.

There are four different risks we're concerned about. Let's begin with inherent risk. Stated formally: the probability of an error existing that might be material, assuming compensating controls do not exist. This exists irrespective of an audit and is contributed to by the nature of a business. Put another way, certain businesses have certain risks that are just part of how they do business. If your business routinely takes in paper checks, then there's always the chance of fraudulent checks or insufficient funds. If your business is engaged in e-commerce, then you must have a website, and that website is susceptible to attacks such as SQL injection.

Control risk: formally, that is the probability that a material error exists which will not be prevented or detected on a timely basis by the system of internal controls. Put another way, you either lack the appropriate controls to detect an issue, or the controls won't detect it in time, or there is some issue, some difference between what you would like the control to do and what it actually accomplishes.

Then we have detection risk. This is very important to the auditor. Put formally: the probability that the information systems auditor used inadequate checks and surmises that material errors are absent when in fact they are present. Put much more succinctly and simply: the chance that you, the auditor, miss something. This is terribly important to you as an auditor, and it's really combated by simply using all the appropriate standards, tools, and techniques that you'll learn throughout your study for the CISA exam.

Now, if you take all three of these, inherent risk, control risk, and detection risk, and bring them together into a cumulative risk, that is described as the overall audit risk. It's the summation of all the audit risk groups for each control objective. That last part is critical: you usually identify risks per control or per specific business activity. A specific business activity has an inherent risk; the specific control for that specific activity has a control risk; the overall audit risk is broken down for each control.

Let's use an e-commerce example. Let's say you have an e-commerce website. The inherent risk is web attack, such as SQL injection. You've put in place a specialized application firewall that's designed to prevent those attacks. The control risk is that that control may or may not adequately prevent all of those attacks. The detection risk is that in the process of doing an audit you may or may not have detected any gaps in the control. Now, if you put all that together, we have an overall audit risk for that specific control, being the application firewall that's there to help prevent attacks on a very specific business process, the e-commerce transactions.

Gap analysis: this term has been used in marketing and other areas to mean something a little different than what we mean here. Here we really have two issues: we have a product gap and a usage gap. Let's start with the usage gap. In a usage gap issue you have a control that, if used totally properly, would be an adequate control, but either the control is not implemented, or the control is not properly configured, or it is not being properly used. There is some gap between the potential that control has to mitigate risk and the actual use of the control. A product gap is when there's some issue with the product itself: it is missing something, it's unable to fully meet your control needs. That's actually fairly common, which is why most security situations require multiple controls to address specific issues.

Now, when doing your risk-based audit, there are some definitions you need to have in mind. Target of evaluation: this is the particular information security deliverable, the object for which assurances are made; what is it you're testing? Assurance activities are the things you use to test, the methods of testing; we'll discuss those at length later on. The security target: these are the security specifications and requirements that you use to test the target of evaluation. Put another way, assurance activities check a target of evaluation to discover whether or not that target of evaluation has met the security targets. A security protection profile is similar to a security target, but it's broader in scope. It's not about a specific deliverable, but more about the general security needs of a given business or group.

There are some risk-based audit definitions you need to be familiar with. We've used some of these terms already, and I believe you probably know what they mean, but let's just make sure. What is a control? I think we addressed this in earlier lessons, but let's be clear again: a control is anything meant to mitigate a risk. That can be technological things; we mentioned previously an application firewall, that's a control; antivirus software is a control; intrusion detection systems, that's a control. But controls also include processes: any sort of educational program to train people in security, that's a control; any sort of process whereby supervisors double-check something, that's a control.

An IT control objective is a statement of what you want that control to do, exactly. General statements like "make things more secure" or "stop attacks" aren't useful; a control objective should be very specific.

Risk is the chance that something will happen. We've looked at this definition in multiple different ways throughout the preceding lessons, and you'll see it again throughout the course. The idea of risk is that there is a probability that something negative will occur and will have some level of damage.

Evidence we've not yet talked about. Evidence is all about data. Auditing is not an art, it is a science, and like any science it's based on evidence: you collect data to make determinations. At the end of the day, what an audit really comes down to is looking at the risks of an organization (that's why we're talking about risk-based auditing), examining the controls that are put in place to mitigate those risks, and then gathering evidence that will determine factually whether or not those controls meet their control objectives. It's as simple as that; it all comes down to evidence.

IT governance is the entire process of managing your information systems. This is very important to audit, because specific issues in governance can affect security; for example, what party is responsible for which aspect of security, and who approves changes. All of these things affect your IT security, and therefore they have to be addressed in your risk-based audit.

That concludes knowledge statement 1.5.
CISA knowledge statement 1.6: knowledge of the applicable laws and regulations that affect the scope, evidence collection and preservation, and frequency of an audit.

Certainly that won't occur in every audit, but if you routinely conduct information systems audits it seems a guarantee that you will eventually uncover fraud. For this reason, because fraud investigations are legal proceedings that require the integrity of evidence to be maintained throughout its life cycle (this is called chain of custody, and forensic evidence), your audit needs to be conducted assuming there might be evidence of fraud or something criminal that will have to be presented in a court proceeding. Put another way, you need to handle your audit as if you were gathering evidence for court, and make sure you've maintained things like chain of custody. Now, don't be too concerned about that at this point; there are later lessons and knowledge statements that will give you some general knowledge of forensics.

The legal requirements include laws, regulations, and contractual agreements. All these things can be placed on your audit, or on the audit management, and audit personnel in any organization have to be aware of these external requirements for computer system practices and controls: how your data is processed, transmitted, or stored. There's a need to comply with lots of different laws and lots of different legal requirements, and that has an impact on your audit. What we mean by all this is that every industry is affected by some laws, and in this lesson we will look at a few laws from the United States. Depending on where you are when you take the CISA, the CISA exam will usually focus primarily on US laws, because that's where the largest number of CISA testers are; however, they may throw in a few local laws for the European Union, Canada, and other regions, so make sure you take the time to familiarize yourself with your local laws.

But back to the actual audit: no matter what organization you're auditing, there are some legal requirements. There may be industry regulations that aren't laws but are really important for that particular organization. There may be contractual agreements; for example, that entity has a contractual obligation with one of their clients to reach a certain level of information assurance. You have to be aware of all of these requirements, legal, regulatory, and contractual, so that you can put those thoughts into your audit and make sure your audit addresses those issues.

There are a few essential areas that are covered under this knowledge statement. Let's begin with evidence. In previous lessons we've mentioned that evidence is important. Evidence is factual data; speculation really is not important in an audit. We're not interested in guessing, in supposing; we need evidence that shows certain things are or are not true. In respect to legal, regulatory, and contractual requirements, those are usually relatively clear: you need evidence that the information systems you're auditing, the controls you're auditing, either do or do not meet those requirements. Now, of course, that requires
requirements now of course that requires you to have in-depth familiar with that
you to have in-depth familiar with that particular
particular requirement evidence goes hand in hand
requirement evidence goes hand in hand with audit documentation you need to
with audit documentation you need to have very thorough documentation of
have very thorough documentation of exactly what you audited how you audited
exactly what you audited how you audited and what your conclusions were based on
and what your conclusions were based on evidence to some degree some level of
evidence to some degree some level of continuous auditing is necessary that
continuous auditing is necessary that doesn't necessarily mean that a
doesn't necessarily mean that a professional cisa auditor comes out and
professional cisa auditor comes out and audits the organization continuously it
audits the organization continuously it may mean such a simple thing as internal
may mean such a simple thing as internal spot checks it may mean log
spot checks it may mean log examination it may mean automated
examination it may mean automated systems but something to ensure that not
systems but something to ensure that not only did the organization meet its legal
only did the organization meet its legal Regulatory and contractual requirements
Regulatory and contractual requirements today when you did the audit but that
today when you did the audit but that they're still meeting them next
they're still meeting them next month legal requirements are perhaps the
month legal requirements are perhaps the most important it is not the goal of the
most important it is not the goal of the cisa to make you an attorney and not all
cisa to make you an attorney and not all the major laws will be reviewed on the
the major laws will be reviewed on the cisa it's important for you to spend
cisa it's important for you to spend some time familiarizing yourself with
some time familiarizing yourself with appropriate law
appropriate law and that will be based on your legal
and that will be based on your legal jurisdiction your industry and facts of
jurisdiction your industry and facts of that nature but you do need to be aware
that nature but you do need to be aware there are legal requirements that do
there are legal requirements that do impact your
audit here's a few laws that are very important in the United States Hippa and
important in the United States Hippa and high-tech the health insurance
high-tech the health insurance portability and accountability Act of
portability and accountability Act of 1996 now that's a very lengthy law but
1996 now that's a very lengthy law but most important for auditing is it
most important for auditing is it identifies what is considered personal
identifies what is considered personal health information and how it has to be
health information and how it has to be handled this was augmented by the
handled this was augmented by the high-tech or health information
high-tech or health information technology for economic and clinical
technology for economic and clinical Health act which redefined what a breach
Health act which redefined what a breach is and gave stricter standards for
is and gave stricter standards for notifying people in case of a breach if
notifying people in case of a breach if you're auditing not just medical clinics
you're auditing not just medical clinics not just hospitals but medical billing
not just hospitals but medical billing companies health insurance companies
companies health insurance companies anything of that nature
anything of that nature then these two laws become very very
then these two laws become very very critical and again our goal is not to go
critical and again our goal is not to go in depth into every law but to briefly
in depth into every law but to briefly introduce you to a few of the most
introduce you to a few of the most important
ones sarban Oxley is strictly United States issue it does not affect other
States issue it does not affect other countries it is all about publicly
countries it is all about publicly traded companies so a privately held
traded companies so a privately held company does not have to adhere to
company does not have to adhere to sarbanes Oxley sarban Oxley was a rather
sarbanes Oxley sarban Oxley was a rather complex piece of legislation and it was
complex piece of legislation and it was meant to address some financial fraud
meant to address some financial fraud that had taken place in the early 2000s
that had taken place in the early 2000s most important for it is the publicly
most important for it is the publicly traded companies must keep electronic
traded companies must keep electronic records for 5 years the reason I point
records for 5 years the reason I point out this specific one is not so much
out this specific one is not so much that you have to memorize this for the
that you have to memorize this for the test but it gives us a great example of
test but it gives us a great example of how we take a legal requirement and that
how we take a legal requirement and that gives us a very clear control objective
gives us a very clear control objective and it's very easy to audit if there are
and it's very easy to audit if there are electronic records that don't go back 5
electronic records that don't go back 5 years there needs to be an explanation
years there needs to be an explanation or an understanding because you're
or an understanding because you're legally required to keep
legally required to keep them now the PCI DSS or payment card
them now the PCI DSS or payment card industry data stand security standards
industry data stand security standards that's an extensive set of documents
that's an extensive set of documents that could take an entire course in and
that could take an entire course in and of themselves the cisa does not ask you
of themselves the cisa does not ask you to be a PCI DSS expert but B basically
to be a PCI DSS expert but B basically any organization that processes credit
any organization that processes credit cards will to some level have to comply
cards will to some level have to comply with PCI DSS now notice these are
with PCI DSS now notice these are standards in the industry it's not a law
standards in the industry it's not a law it's the Visa Mastercard Discover
it's the Visa Mastercard Discover American Express companies saying look
American Express companies saying look if you're going to process and handle
if you're going to process and handle credit card data you have to do these
credit card data you have to do these things and that applies in many many
things and that applies in many many countries in fact anywhere that you're
countries in fact anywhere that you're processing credit cards PCI DSS comes
processing credit cards PCI DSS comes into play so anytime you're auditing a
into play so anytime you're auditing a company that processes credit card
company that processes credit card information you need to be familiar with
information you need to be familiar with PCI DSS and incorporate that in your
PCI DSS and incorporate that in your audit now these are just examples of
audit now these are just examples of legal and regulatory requirements an
legal and regulatory requirements an exhaustive list would be humongous
exhaustive list would be humongous depending on where you live and your
depending on where you live and your industry there can be any number of
industry there can be any number of legal and regulatory requirements you
legal and regulatory requirements you don't have to memorize them all but be
don't have to memorize them all but be generally familiar with them
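The Sarbanes-Oxley retention point above (a legal requirement turned into a testable control objective) as an added example that is not from the lecture: a Python check that compares each system's oldest electronic record against a required retention window and flags where an explanation is needed. The systems, record ids, dates and the `inception` map are constructed for illustration; the 5-year figure is the one the lecture cites and is passed as a parameter.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Added example (not from the lecture): an automated audit test for a
# record-retention control objective. All sample systems, record ids and
# dates below are constructed.


@dataclass(frozen=True)
class Record:
    system: str        # the system the electronic record lives in
    record_id: str
    created: date


@dataclass(frozen=True)
class Finding:
    system: str
    oldest_record: Optional[date]
    required_from: date
    status: str        # "meets", "explained" or "exception"
    note: str


def retention_window_start(as_of: date, years: int) -> date:
    """Earliest creation date that must still be retained as of `as_of`."""
    try:
        return as_of.replace(year=as_of.year - years)
    except ValueError:  # as_of is 29 February and the target year has no 29th
        return as_of.replace(year=as_of.year - years, day=28)


def assess_retention(records: List[Record], as_of: date, years: int = 5,
                     inception: Optional[Dict[str, date]] = None) -> List[Finding]:
    """One finding per system: does its record history reach back `years` years?

    `inception` maps a system to its go-live date. A system younger than the
    retention window cannot hold older records; that documented fact is the
    'explanation or understanding' the auditor must otherwise go and obtain.
    """
    inception = inception or {}
    required_from = retention_window_start(as_of, years)
    findings = []
    for system in sorted({r.system for r in records} | set(inception)):
        dates = [r.created for r in records if r.system == system]
        oldest = min(dates) if dates else None
        if oldest is not None and oldest <= required_from:
            status, note = "meets", "records span the full retention period"
        elif system in inception and inception[system] > required_from:
            status = "explained"
            note = f"system went live {inception[system]}, after window start {required_from}"
        else:
            status = "exception"
            note = "oldest record is inside the retention window; obtain and document an explanation"
        findings.append(Finding(system, oldest, required_from, status, note))
    return findings


# Constructed sample: three systems, audited as of 31 March 2024.
SAMPLE_RECORDS = [
    Record("general-ledger", "GL-0001", date(2017, 6, 30)),
    Record("general-ledger", "GL-9812", date(2024, 3, 1)),
    Record("payroll", "PR-0001", date(2021, 1, 15)),
    Record("expense-reports", "EX-0001", date(2022, 9, 2)),
]
SAMPLE_INCEPTION = {"payroll": date(2020, 11, 1)}  # constructed go-live date

if __name__ == "__main__":
    for f in assess_retention(SAMPLE_RECORDS, date(2024, 3, 31), 5, SAMPLE_INCEPTION):
        print(f"{f.system:16} {f.status:10} oldest={f.oldest_record}  {f.note}")
```

Scheduling this check to run each month against the live record stores is one form of the automated continuous auditing the lecture describes: it re-tests the same control objective after the auditor has left.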
Here's another set of standards that the test will not ask you to memorize. I'm just giving you an example of all the industry standards out there for cryptography. There are a number of ISO standards used around the world; you see a brief description of each here: digital signatures, how to handle cipher algorithms, hash functions, how to manage keys, data processing. The point is very clearly it can become overwhelming, the number of regulations, the number of standards that you need to be familiar with. The good news is you don't have to be an expert in these areas. CISA does not assume that you're an expert in cryptography by any means; it just assumes that you know which standards to refer to when conducting an audit, if cryptography for example is a part of the business activity and you need to refer to some standards to see if they meet control objectives. And these are just here exemplary; you don't have to commit these to memory.

When you're doing a report there are some basics. First of all, obviously, who are you auditing, the organization; who should receive a copy of this audit; and are there restrictions, should this audit not be forwarded, can it be forwarded to certain people? Basically these are demographic issues: who's being audited, who gets to know about the audit. Then the scope: what was the scope of your audit, what did you audit? Now I personally, and this is not on the CISA, this is just my personal practice, I also like to identify anything that was omitted. If I conduct an audit and certain items were not audited I want to point that out: these were not audited and here's why. But for the test you need to know your scope; your objectives, what were you trying to accomplish; the period of coverage, I audited for a certain period of time and that should be sufficient for 6 months or 12 months or however long you think; the nature of the audit, was it automated, was it a team, did it involve penetration testing as well as auditing or vulnerability scanning, what happened; the timing and extent of the audit, how in-depth was it. Timing is important because auditing at different times may give different results; for example, if you're auditing retail credit card transactions in a heavy holiday season you may get different results than you would at a different time.

My favorite part is findings, conclusions, recommendations, follow-up, reservations or qualifications. What this means is first of all what did you find, what did your audit discover; next what do you conclude from that; probably the most important thing is what are your recommendations. If a particular control you found to be inadequate, how do you recommend they fix it? It's not enough for an auditor to look at an organization and say this specific IT control does not meet control objectives; you need to tell them how they can rectify that situation. What if you found something did meet control objectives, do you have any reservations or qualifications? For example, this might be a place to state that yes, this particular control does meet the control objectives, but that in your opinion those control objectives may not adequately account for certain risks. Now you should put this in some sort of organization, grouping them by materiality or by the intended recipient or by the business group or by the particular control, those sorts of things, some sort of organization. You also have to mention any faults you found and any constructive corrections.

Normally your report will either be very large, starting with an executive summary, or the report will essentially tell your findings and then there will be appendices that have the evidence to support your results. Either way there has to be some way for the audit recipient to refer to your evidence. It's not appropriate for you to say "because I said so"; you have to show the evidence. Now oftentimes executives are not going to take the time to read all your evidence; executives may simply read your conclusions, but the evidence needs to be available should they desire to look at it. Of course your overall findings, conclusion and your opinion, and always signed and dated.
One tool that the CISA occasionally will bring up is the balanced scorecard. This is a way of looking at an organization that was originally designed as a performance management tool, so it wasn't really designed for audits; it was used to track execution of activities. Basically it's looking at: here is an objective, how is that objective met, sort of a scorecard, that's the name. Now you can use this to measure controls, their performance against an expected value, and you can look at things from four perspectives. Financial perspective: how much did it cost, was there a return on investment, was money lost? Customer perspective: sometimes security controls can be so onerous that they negatively impact customer experience; well, that should be involved in your audit report. Internal processes: did the controls affect internal processes in a positive or negative way? And then finally innovation or learning: have you learned something from measuring this control? Now again the balanced scorecard was not originally meant for auditing, but it can be applied to the auditing situation. That concludes knowledge statement.