This lesson covers the necessary tools for the exam. Examinees need to make sure they know the following:
- Purpose, policies, standards, guidelines and procedures
- ISACA standards
- The general purpose of the audit and the role of the auditor
- Audit versus non-audit roles
- The importance of IS auditor independence
This lesson offers a small review of topics covered in previous lessons in the module.

Transcript:

Alright, so we're getting to the end of module 1. What I'd like to do here is talk about some of the essential items that you need to learn for the exam. We've covered all of these earlier in the module, but this is a good review and an excellent time for the learner to decide whether they need to go back and spend more time digging a little deeper on these different topics.

So we covered policies, standards, guidelines and procedures. Remember, a policy is something that is mandatory. A standard is something that you follow for best practices reasons. It could be an industry standard, could be an internal standard, a personal standard. And then guidelines are something that's discretionary. It's something you should do, as opposed to a policy, which is something you must do. And then we have procedures, which are step-by-step instructions for achieving some goal.

Speaking of standards, we have the ISACA standards. We covered that in detail. I believe there's 16 different components to the ISACA standard for professional conduct and ethics. So make sure you spend a little bit of time looking at that.

Then we have coverage of what the purpose of an audit is. It's supposed to uncover inconsistencies. It's supposed to uncover fraud. It's supposed to discover inadequate protections, inadequate security controls, or inadequate documentation. There are a lot of different areas that can be addressed by a successful audit.

Then we have to think about what an audit role is versus a non-audit role. You have auditors and then you have everyone else. So that's the two sides of that coin.

We also talked about why auditors need to be independent. They need to be free from conflict of interest, or the appearance of conflict of interest. They need to be able to have an unbiased objective opinion being formed by the evidence that they gather, and not being influenced by their relationship with the auditee or the organization itself.

Mandatory and discretionary language: much like the difference between a policy and a guideline, if your language says, 'Something shall be done,' that tells you that it's mandatory. If it says that it should be done, that's more like a guideline and it's therefore discretionary. You could make this a little bit different and say that mandatory is something you must do and discretionary is something you should do. If that makes a little more sense, you can use that kind of language.

We also talked about the different types of audits: financial audits, operational audits, such as SAS 70, or an integrated audit where you're blending different components of financial and operational, such as SAS 94. Then we have compliance audits, looking for deviations from a standard configuration or a standard way of doing things. We have administrative audits and audits of information systems themselves. So knowing a little bit about each of those and what the differences are is key to getting some easy points on the exam when you see those types of questions.

Then we have to remember about auditor confidentiality. Auditors are expected to keep the information they discover private, confidential. Non-disclosure agreements and other legal mechanisms are always put in place so that both parties are protected and there's an expectation that the auditors will function at the highest levels of integrity and not share information that they learn or try to use it for their own personal gain.

Since the information that auditors uncover is very sensitive and potentially damaging to the organization if it gets in the wrong hands, we talked a little bit about why we need to protect that information, and why it needs to be examined in an isolated area, if possible, why interviews should be done with discretion so that prying eyes and listening ears cannot overhear or eavesdrop on sensitive conversations.

The last item with this is having a good archive of your documents. So the auditor should be able to go back to that archive whenever it's needed. There should never be an excuse to say that you don't have some information that was gathered during an audit. That should be very carefully organized and preserved for that purpose.

Standard terms of reference. This was mentioned where we talked about using a standard terminology, or a lexicon, so that when someone says something was there or was not there, or you had a lack of available time, or someone was unavailable for you for an interview, the terminology used to describe those different situations should be consistent and should be agreed upon by the auditee and the auditor so that there's no chance of confusion down the road.

I talked a little bit about the evidence rule. So evidence that gets collected needs to be verified and confirmed and properly gathered to support the investigation, if needed. Making sure you have the proper chain of custody being detailed as evidence moves around from one person to another.

The last two items here, the auditor has to decide who to interview, with a reasonable expectation for how much time might be available for people of different levels within the organization. The higher up you are, the more valuable your time is and the less time you have available for doing things like interviews. So that needs to be understood at the onset.

And then, lastly, the auditor needs to understand the structure of the organization. Having a really good org chart with appropriate level of detail is critical here. So that the auditor can understand who they need to talk to and who's in charge, who has the appropriate level of authority to give them the information that they need.

Alright, so go over these exam essentials and your next task would be to go through all of the review questions for chapter 1. Alright, see you in module 2. Thank you.