IS Standards, Guidelines and Procedures for Auditing and Control ...

More documents

Recommendations

Info

G11 Effect of Pervasive IS Controls continued• System implementation• Security administration• Back-up procedures2.2.3 Weak management and monitoring of IS (i.e., weak pervasive IS controls) should alert the IS auditor to the possibility of ahigh risk that the controls designed to operate at the detailed level may be ineffective.2.3 Detailed IS Controls2.3.1 The term detailed IS controls is defined in the glossary. They are made up of application controls plus those general controlsnot included in pervasive IS controls. In the COBIT framework, detailed IS controls are the controls over the acquisition,implementation, delivery and support of IS systems and services. Examples include controls over:• Implementation of software packages• System security parameters• Disaster recovery planning• Data input validation• Exception report production• Locking of user accounts after invalid attempts to access them.Application controls are a subset of detailed IS controls. Data input validation for example, is both a detailed IS control and anapplication control. Installing and accrediting systems (AI5) is a detailed IS control, but not an application control.2.3.2 The relationships among IS controls are shown in the following outline:IS Controls General controls-Pervasive IS controls-Detailed IS controls Application controlsIn addition, the IS auditor should consider the effect of non-IS controls on the scope and audit procedures.2.4 Interaction of Pervasive and Detailed IS Controls2.4.1 The COBIT framework divides IS control processes into four domains:• Plan and Organise• Acquire and Implement• Deliver and Support• Monitor and Evaluate2.4.2 The effectiveness of the controls in the Acquire and Implement (AI) and Deliver and Support (DS) domains is influenced bythe effectiveness of the controls operated in the Plan and Organise (PO) and Monitor and Evaluate (M) domains. Inadequateplanning, organisation and monitoring by management imply that controls over acquisition, implementation and servicedelivery and support will be ineffective. Conversely, strong planning, organisation and monitoring can identify and correctineffective controls over acquisition, implementation and service delivery and support.2.4.3 For example, effective detailed IS controls over the process “Acquire and Maintain Application Software” (COBIT processreference AI2) are affected by the adequacy of the pervasive IS controls over processes including:• “Define a Strategic IT Plan” (COBIT process reference PO1)• “Manage Projects” (COBIT process reference PO10)• “Manage Quality” (COBIT process reference PO11)• “Monitor the Processes” (COBIT process reference M1)2.4.4 An audit of an application system acquisition should include the identification of the effect of the IS strategy, the projectmanagement approach, quality management and the approach to monitoring. Where, for example, project management isinadequate, the IS auditor should consider:• Planning additional work to provide assurance that the specific project being audited is being effectively managed• Reporting weaknesses in pervasive IS controls to management2.4.5 A further example is that effective detailed IS controls over the process “Ensure Systems Security” (COBIT process referenceDS5) are affected by the adequacy of pervasive IS controls over processes including:• “Define the IT Organisation and Relationships” (COBIT process reference PO4)• “Communicate Management Aims and Direction” (COBIT process reference PO6)• “Assess Risks” (COBIT process reference PO9)• “Monitor the Processes” (COBIT process reference M1)38
G11 Effect of Pervasive IS Controls continued2.4.6 An audit of the adequacy of security parameters in a system, for example UNIX, Windows NT, RACF, should includeconsideration of management’s security policies (PO6), allocation of security responsibilities (PO4), risk assessmentprocedures (PO9) and procedures for monitoring compliance with its security policies (M1). Even where the parameters donot comply with the IS auditor’s view of “best practice”, they may be evaluated as adequate in the light of the risk identified bymanagement and the management policies which direct how that level of risk should be addressed. Any auditrecommendations for improvement should then be directed at the risk management or policies, as well as the detailedparameters themselves.3. PLANNING3.1 Approach to Relevant Pervasive IS Controls3.1.1 The IS Auditing Guideline G15 Planning states that the IS auditor should perform a preliminary assessment of control over thefunction being audited. This preliminary assessment should include identifying and evaluating relevant pervasive IS controls. Thetesting of pervasive IS controls may take place on a different cycle to the specific IS audit being performed since by theirnature they cover many different aspects of IS usage. The IS auditor should therefore consider whether any previous auditwork in this area could be relied upon to identify and evaluate these controls.3.1.2 Where audit work indicates that pervasive IS controls are unsatisfactory, the IS auditor should consider the effect of thisfinding on the planned approach to achieving the audit objective:• Strong pervasive IS controls can contribute to the assurance which may be obtained by an IS auditor in relation todetailed IS controls• Weak pervasive IS controls may undermine strong detailed IS controls or exacerbate weaknesses at the detailed level3.2 Sufficient Audit Procedures3.2.1 Where pervasive IS controls have a significant potential effect on the audit objective, it is not sufficient to plan to audit only thedetailed controls. Where it is not possible or practical to audit the pervasive IS controls, this restriction of scope should bereported.3.2.2 The IS auditor should plan to test the relevant pervasive IS controls where this will contribute to achieving the audit objective.3.3 Relevant Controls3.3.1 Relevant pervasive IS controls are those which have an effect on the specific audit objectives for the assignment. For example,where the audit objective is to report on the controls around changes to a specific program library, pervasive IS controls relating tosecurity policies (PO6) will be relevant, but pervasive IS controls relating to determination of the technological direction (PO3) maynot be relevant.3.3.2 In planning the audit, the IS auditor should identify which of the total population of pervasive IS controls have an effect on thespecific audit objectives, and should plan to include these in the audit scope. COBIT’s control objectives for the “Plan andOrganise” and “Monitor and Evaluate” domains may help the IS auditor to identify relevant pervasive IS controls.3.4 Audit Evidence3.4.1 Pervasive IS controls may not necessarily be documented, but the IS auditor should plan to obtain audit evidence thatrelevant controls are operating effectively. Potential tests are outlined in the Performance of Audit Work section.3.5 Approach to Relevant Detailed IS Controls3.5.1 Where IS audit work indicates that pervasive IS controls are satisfactory, the IS auditor should consider reducing the level oftesting planned for detailed IS controls, since the audit evidence of strong pervasive IS controls will contribute to theassurance which may be obtained by an IS auditor in relation to detailed IS controls.3.5.2 Where IS audit work indicates that pervasive IS controls are not satisfactory, the IS auditor should carry out sufficient testingof detailed IS controls to provide audit evidence that they are working effectively in spite of weaknesses in the relevantpervasive IS controls.4. PERFORMANCE OFAUDIT WORK4.1. Testing Pervasive IS Controls4.1.1 The IS auditor should carry out sufficient testing to provide assurance that relevant pervasive IS controls were operatingeffectively in the audit period or at a specific point in time. Test procedures which may be appropriate include:• Observation• Corroborative inquiries• Review of relevant documentation (policies, standards, meeting minutes, etc.)• Re-performance (using CAATs, for example)4.1.2 If the testing of the relevant pervasive IS controls indicates that they are satisfactory, the IS auditor should proceed with theplanned audit of the detailed IS controls which are directly applicable to the audit objective. The level of such testing may beless than would be appropriate if the pervasive IS controls were not operating satisfactorily.39
Page 1: IS Standards, Guidelines and Proced
Page 4 and 5: Code of Professional EthicsThe Info
Page 6 and 7: IS Auditing Standards OverviewIssue
Page 8 and 9: IS Auditing StandardsIssued by Info
Page 10 and 11: 03 The IS auditor should plan the i
Page 12 and 13: information provided, appropriate t
Page 14 and 15: Operative Date14 This ISACA standar
Page 16 and 17: IS Auditing GuidelinesG1 Using the
Page 18 and 19: G2 Audit Evidence Requirement1. BAC
Page 20 and 21: G3 Use of Computer Assisted Audit T
Page 22 and 23: G3 Use of Computer Assisted Audit T
Page 24 and 25: G4 Outsourcing of IS Activities to
Page 26 and 27: G5 Audit Charter continued2.3.2 The
Page 28 and 29: G6 Materiality Concepts for Auditin
Page 30 and 31: G8 Audit Documentation1. BACKGROUND
Page 32 and 33: • Organisational characteristics;
Page 34 and 35: G10 Audit Sampling1. BACKGROUND1.1
Page 36 and 37: G10 Audit Sampling continued2.5.2 A
Page 40 and 41: G11 Effect of Pervasive IS Controls
Page 42 and 43: G12 Organisational Relationship and
Page 44 and 45: G13 Use of Risk Assessment in Audit
Page 46 and 47: G14 Application Systems Review1. BA
Page 48 and 49: G15 Planning1.` BACKGROUND1.1 Linka
Page 50 and 51: G16 Effect of Third Parties on an O
Page 52 and 53: G16 Effect of Third Parties on an O
Page 54 and 55: G17 Effect of Nonaudit Role on the
Page 56 and 57: G17 Effect of Nonaudit Role on the
Page 58 and 59: G18 IT Governance continued4.1.3 Th
Page 60 and 61: G18 IT Governance continued• Info
Page 62 and 63: G19 Irregularities and Illegal Acts
Page 64 and 65: G19 Irregularities and Illegal Acts
Page 66 and 67: G20 Reporting continued2.1.1 The pu
Page 68 and 69: G20 Reporting continued• Statemen
Page 70 and 71: G21 Enterprise Resource Planning (E
Page 78 and 79: G22 Business-to-consumer (B2C) E-co
Page 86 and 87: G23 System Development Life Cycle (
Page 88 and 89:
G23 System Development Life Cycle (
Page 90 and 91:
G24 Internet Banking continued• I
Page 92 and 93:
G24 Internet Banking continued6.1.2
Page 94 and 95:
G24 Internet Banking continued7.2.4
Page 96 and 97:
G24 Internet Banking continuedREFER
Page 98 and 99:
G25 Review of Virtual Private Netwo
Page 100 and 101:
3.6 Operating Risk3.6.1 Risks such
Page 102 and 103:
• Highlight the risks and issues
Page 104 and 105:
G26 Business Process Reengineering
Page 106 and 107:
Page 108 and 109:
Page 110 and 111:
G27 Mobile Computing1. BACKGROUND1.
Page 112 and 113:
G27 Mobile Computing continued• N
Page 114 and 115:
G28 Computer Forensics1. BACKGROUND
Page 116 and 117:
G28 Computer Forensics continued•
Page 118 and 119:
G28 Computer Forensics continued7.2
Page 120 and 121:
G29 Post-implementation Review1. BA
Page 122 and 123:
G29 Post-implementation Review cont
Page 124 and 125:
G29 Post-implementation Review cont
Page 126 and 127:
G30 Competence continued1.4.6 This
Page 128 and 129:
G30 Competence conntinued4. RECORDS
Page 130 and 131:
G31 Privacy continued1.6 Definition
Page 132 and 133:
G31 Privacy continued■■■Secur
Page 134 and 135:
G31 Privacy continued■■■■
Page 136 and 137:
IS Auditing ProceduresIS Risk Asses
Page 138 and 139:
IS Risk Assessment Measurement Proc
Page 140 and 141:
Page 142 and 143:
Page 144 and 145:
Page 146 and 147:
Page 148 and 149:
Page 150 and 151:
Digital Signature and Key Managemen
Page 152 and 153:
SpecificTechnicalAspect of a CAOper
Page 154 and 155:
Intrusion Detection Procedure P3 co
Page 156 and 157:
Intrusion Detection Systems (IDS) R
Page 158 and 159:
ReportingSuggested ProceduresReport
Page 160 and 161:
Suggested Procedures for Preventing
Page 162 and 163:
Suggested Procedures for Preventing
Page 164 and 165:
Control Risk Self-assessment Proced
Page 166 and 167:
Page 168 and 169:
Facilitatedworkshop usingthe proces
Page 170 and 171:
Page 172 and 173:
Firewalls Procedure P6 continued2.1
Page 174 and 175:
Page 176 and 177:
Firewalls Procedure P6 continued•
Page 178 and 179:
Page 180 and 181:
Stateful inspection/dynamic packetf
Page 182 and 183:
Suggested ProceduresConfirm network
Page 184 and 185:
Firewalls Procedure P6 continuedHar
Page 186 and 187:
Irregularities and Illegal Acts Pro
Page 188 and 189:
AnalyticalproceduresDutiesApplicati
Page 190 and 191:
Irregularities and Illegal Acts Pro
Page 192 and 193:
Security Assessment-Penetration Tes
Page 194 and 195:
Security Assessment-Penetration Tes
Page 196 and 197:
InternetPenetrationTestingSuggested
Page 198 and 199:
InternalPenetrationTestingcontinued
Page 200 and 201:
WebApplicationcontinuedReportSugges
Page 202 and 203:
Evaluation of Management Control Ov
Page 204 and 205:
Evaluation of Management Control Ov
Page 206 and 207:
Aspects ofEncryptionOrganisationalm
Page 208 and 209:
IS Control Professionals StandardsI
Page 210:
ISACA Standards Documents CommentsI
show all

IS Standards, Guidelines and Procedures for Auditing and Control ...

Create successful ePaper yourself

Delete template?

Save as template?