This unit covers audit evidence testing. There are two types:

- Compliance: this is to discover the absence or presence of something
- Substantive: uses formulas to obtain information

Participants also learn how to record test results, and the unit talks about two types of evidence:

- Sufficient
- Contradictory

Audits can detect illegal acts in an organization, and participants learn how to handle reporting any findings that are discovered within an audit.

[toggle_content title="Transcript"]

Okay, so we're moving on to the end here, where we think about conducting the audit by testing the evidence. So we have to think about whether we're doing compliance testing or substantive testing, in this case. Compliance testing means that we're trying to find the absence or the presence of something. If something is there, then it may constitute compliance. If it's not there, it may be non-compliant, in the simplest sense.

So we think about sampling attributes. Different types of evidence have certain attributes. It could be the time it was generated, the actual volume of the evidence, who created it, how it was used and so on. So we're trying to look at whether the attribute is there or not there; present or non-present.

Then we have the idea of stop-and-go sampling. Notice this is when we expect very few errors to be generated. So you can do some sampling, stop the sampling, do some more sampling, stop. This is where you can gather some samples, maybe do some initial testing with those, and then gather some more data and do some more testing. So that might be more suitable for the particular type of data that's being collected.

Then we have discovery sampling. This means that you're looking at every single bit of data, 100% sampling rate, to look for fraud in general.
So if you've got a million financial transactions and you think there's a handful that might be fraudulent, you'd have to investigate every single one in order to uncover the ones that might indicate suspicious behavior.

Then we have to think about the precision of the sampling, or the expected error rate. Depending on the method being used and the data type being sampled, there could be some expectation of errors happening. There needs to be a good understanding of what the allowable amount of error is so as not to affect the outcome of the sampling exercise.

Now, if we think about substantive testing, this is a little bit different. We have variable sampling, so we can equate this to using dollar values or weighting; assigning more value to certain things than others. So maybe you've got a way to scale up or down the values that you're sampling because you're using the appropriate methods or formulas to do this. So in this case, if you had a very large volume of data, you might be able to gather some small portion and then pro-rate that evidence to scale it up to the size of the original data set.

We have non-stratified mean estimation: so the mean is the average. If it's non-stratified, it means that we're looking at the entire population of data; the entire subject population. If it is stratified, then we're talking about calculating averages by groups, where we've got a way to subdivide the entire population and that provides the strata. That gives different results, but it's used in cases where that makes most sense. As an auditor, you'll need to know the difference, when the time comes, between using a stratified or non-stratified approach.

Last we have difference estimation. So we're looking for differences between something that was discovered or observed against what was actually expected to be found. So if there's a value that was anticipated but it looks different when we actually do the test, then we have to analyze what that difference is.
You're looking for the deltas, effectively.

So I mentioned the expected error rate. What ends up being done is a calculation to say, 'What is the tolerable error rate?' This is, again, a statistical consideration. And this could be something like, 'We're able to tolerate three errors out of a million samples, and that is the precision that's required for this particular case,' or maybe it's a percentage. So, 'We think that the value is this, plus or minus 1%.' That's the idea that we're trying to get at here. So the auditor decides, using their judgment and whatever evidence they were able to gather, what the tolerable error rate might be. And, of course, that needs to be documented so that it's well understood when the report gets produced that there was some allowance for error.

Then we think about recording our test results. The concept of a noteworthy achievement would be something worth documenting. This means that something is being done very well. It's above average in the way that it's being performed, whether it's a process or some generation of information, and that's a good thing to put in the report because it gives the auditee some idea that they're doing something right.

We can have the concept of conformity. This means that the auditee says, 'These are what we want to do. These are our objectives,' and the analysis of the testing shows that they are conforming to what their objectives are. And, again, a positive result.

Then we move on to something that causes concern. This means that there potentially are problems that might need to be addressed in the future because of something that was discovered. There's some irregularity, or something that's not quite right, where the observations prove that this is something that needs to be looked at a little bit more deeply.

Then we have the concept of non-conformity. So this means that something is in violation: some evidence gets produced that says, 'This is a problem that needs to be corrected.'
So some analysis and some effort needs to be put forth by management to fix something that was discovered.

Then we generate the findings from the audit. Thinking first about the sufficiency of the evidence: do we have enough data? Have we sampled enough data points to correctly formulate the opinions that are being offered? Again, this plays into the purpose of the audit and the scope of the audit. If the scope of the audit is very large, then the sufficiency of evidence would correspondingly be large as well.

We also have to consider contradictory evidence. This means that evidence was discovered that seems to contradict what was expected. It could be that the auditor made a mistake, or it could be that there's a problem in the environment, which would be a non-conformity situation, and therefore the auditor was doing the correct procedure, they were doing their job correctly, but something was discovered, and now actions need to be taken in order to resolve that issue.

Now we think about irregularities and illegal acts. Fraud is a pretty self-explanatory concept. If you're doing something to gain an advantage, breaking the rules, breaking the law, then that constitutes fraud. You're deceiving someone in order to gain something for yourself. Theft is also pretty straightforward. Any time you're taking something, a resource, or an object, or an asset that doesn't belong to you, that's the definition of theft. Suppression is also important. If you're trying to hide information to evade discovery, then that constitutes suppression. That would definitely be something good to uncover, because that could lead to other things that are maybe fraud- or theft-related. What about racketeering? This is a pattern of fraudulent behavior. Then we have regulatory violations, again pretty self-explanatory. You're breaking the law. You're violating regulations that pertain to your industry or pertain to you as an individual.
So, detecting these types of events and categorizing them correctly is what we're after here. There could be indications of illegal activity. Questionable payments: so if you're looking at financial transactions and you see payments to government officials, payments for unspecified services, something that looks fishy about it, something suspicious, that might be worth further investigation. Then we have poor record keeping, unsatisfactory record control. This means that documents might not be correct or complete, or possibly have been falsified or forged. These are important things to discover, since that could lead to discovering other things like fraud and theft. What about unsatisfactory explanations? This could be interesting to discover where you've got very large transactions; maybe transactions that happened at the beginning or at the very end of reporting periods. So their timeline seems suspicious relative to transactions of that type that happened throughout the normal fiscal year. Then there could be other things that are questionable about the organization itself. Maybe someone that works in a position that doesn't pay very well all of a sudden shows up in a brand-new expensive car, or they go on lavish vacations. So their behavior, their spending habits, may indicate that there's some theft or fraud going on somewhere.

So what happens when illegal activity is discovered? What should the response be? It could be that you need to go and look again at all of the information that was gathered and just double-check what you have, in order to see if you arrive at that same conclusion a second time. You don't want to cry wolf, basically, and say, 'I found something illegal,' but maybe when you are asked to provide the proof, your theory falls apart. So it's important to remain skeptical, maybe give someone the benefit of the doubt until there's conclusive proof that something is wrong.
If you discover a problem, you might have to go above the level of management where the problem exists to let someone know the problem has actually been discovered. So if your lower-level manager is suspected of committing fraud, you might have to go to his boss in order to report it, or to report a suspicion of fraud. That way you're escaping a conflict at the same level where the fraud took place, or potentially took place. If there are problems with internal controls or governance, then you have to go to the very highest level possible within the organization to report the finding. It could be, of course, that the person at the very highest level is committing fraud as well. In that case, you'd have to confer with legal counsel before doing anything like informing law enforcement. You wouldn't want to get mixed up in a situation where you're committing slander or defamation of character because you say someone committed a crime and that was done improperly, so now there are complications.

Of course, the auditor should never be party to the suspected activity; that goes without saying. But it's important to consider that, since situations could happen where the auditor gets caught up in a scenario. So it's always good to remain on the right side of the law and keep your eyes and ears open for anything that seems to be out of place.

[/toggle_content]
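The sampling techniques the lecture walks through (attribute testing for compliance, non-stratified and stratified mean estimation, difference estimation, and a plus-or-minus tolerance check), worked on a constructed invoice population as an added example; this is not part of the course material, and the population sizes, book totals, sample values, the 1% tolerance and the helper names are all assumptions.

```python
from statistics import mean

# Constructed audit sample (not real data): per stratum, the population size,
# the book (recorded) total, and the sampled (book_value, audited_value) pairs.
SAMPLE = {
    "large": {"N": 1_000, "book_total": 1_000_000.0,
              "pairs": [(1000, 1000), (1200, 1150), (900, 900), (1100, 1050)]},
    "small": {"N": 9_000, "book_total": 900_000.0,
              "pairs": [(100, 100), (120, 120), (80, 60), (110, 110), (90, 90), (100, 96)]},
}

def attribute_test(present_flags, tolerable_rate):
    """Compliance (attribute) sampling: each flag records whether the attribute
    (e.g. an approval signature) was present. Returns (deviation_rate, passes)."""
    deviations = sum(1 for present in present_flags if not present)
    rate = deviations / len(present_flags)
    return rate, rate <= tolerable_rate

def mean_estimate(n_population, audited_values):
    """Non-stratified mean estimation: scale the sample mean up to the population."""
    return n_population * mean(audited_values)

def stratified_mean_estimate(strata):
    """Stratified mean estimation: estimate each stratum separately, then add."""
    return sum(mean_estimate(s["N"], [a for _, a in s["pairs"]]) for s in strata.values())

def difference_estimate(n_population, book_total, pairs):
    """Difference estimation: project the mean (audited - book) delta seen in the
    sample onto the population and adjust the book total by it."""
    return book_total + n_population * mean(audited - book for book, audited in pairs)

def within_tolerance(estimate, book_total, tolerance):
    """Precision check: is the estimate within +/- tolerance (0.01 = 1%) of the books?"""
    return abs(estimate - book_total) / book_total <= tolerance

def run_substantive_tests(strata=SAMPLE, tolerance=0.01):
    n_total = sum(s["N"] for s in strata.values())
    book_total = sum(s["book_total"] for s in strata.values())
    all_audited = [a for s in strata.values() for _, a in s["pairs"]]
    # Pooling the strata over-weights the large invoices (40% of the sample but only
    # 10% of the population), which is why the stratified figures are the ones to use.
    pooled = mean_estimate(n_total, all_audited)
    stratified = stratified_mean_estimate(strata)
    diff = sum(difference_estimate(s["N"], s["book_total"], s["pairs"]) for s in strata.values())
    return {"book_total": book_total, "pooled_mean": pooled, "stratified_mean": stratified,
            "difference": diff, "within_tolerance": within_tolerance(diff, book_total, tolerance)}

if __name__ == "__main__":
    print(attribute_test([True] * 47 + [False] * 3, tolerable_rate=0.05))
    print(run_substantive_tests())
```

The difference estimate lands about 3.2% below the book total, so with a 1% tolerance this sample would be recorded as a finding rather than as conformity.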
Certified Information Systems Auditor (CISA)
In order to face the dynamic requirements of meeting enterprise vulnerability management challenges, the CISA course covers the auditing process to ensure that you have the ability to analyze the state of your organization and make changes where needed.