This lesson focuses on implementing audit standards. IS auditors are able to rely on well-established industry standards. This lesson discusses two types of standards:
- Parent class with broad application across a wide variety of industries
- Industry-specific with a limited scope
This lesson also covers ISACA IS Audit Standards.

Transcript:

So now let's talk about implementing audit standards. One way to think about this is that if the standard is already in use, it's widely accepted in the industry, then that makes the job of the auditor easier, because they don't have to come up with anything on their own. They can simply follow what's already considered acceptable, or even required, by their particular industry and simply make sure that they follow that standard correctly, making their job easier.

So where do these standards get created? Or how do they get created? These are questions that you might come up with. Some of the standards that you'll need to learn a little bit about in order to pass the exam are the ISO standards: 27002, regarding security management. Or if you're familiar with the NIST Special Publications, the 800-53 document has basically a catalogue of all of the security controls that you might see in any given environment. Another NIST Special Pub, 800-26, details guidance for doing self-assessments. Speaking of the NIST documents, the organization does have quite a few useful documents for providing guidance on various different aspects of managing an IT environment.

Some of the audit standards are industry specific. So whether your industry is healthcare or financial or IT in general, you might choose different standards because of that. We already mentioned FFIEC and HIPAA earlier as being examples of this industry standard, or type of industry standard. We also have auditing standards to think about. So we can do a compliance test to check to make sure that something is compliant, and then there is a substantive test to make sure that the claim of a finding has integrity and was correctly determined. So some of the standards to think about here: we have the American Institute of Certified Public Accountants: AICPA. International Federation of Accountants: IFAC.
There's the Financial Accounting Standards Board: FASB. Statements on Auditing Standards: SAS. And then there's the International Financial Reporting Standards: IFRS, which kind of replaces GAAP, generally accepted accounting principles. GAAP had some problems when certain investigations and audits were being performed. Certain information was misrepresented, so the IFRS is considered a more desirable replacement for that. We talked about COSO a little bit earlier. So this is for global commerce; the international standard to help with your internal framework for managing those types of information systems.

Then we have the US Public Company Accounting Oversight Board: PCAOB, so this deals with the SEC, the Securities and Exchange Commission. They've got some other standards here, the AS 1, AS 2, 3, 4 and 5. So this ties in with Sarbanes-Oxley, which also relates to J-SOX and A-SOX for the Japanese and European versions of Sarbanes-Oxley. Then we have OECD: so another international standard to promote business and transparency and auditability of those transactions. And then ISO. All the different member governments that are part of the organization can provide their own input, and that way you have another international standard for various things like the format of a CD-ROM drive or CD-ROM.

We have NIST: National Institute of Standards and Technology. They work with different organizations, like British Standards. Their ideas are used in lots of different products and industries in order to get the best practices for managing a particular technology item, or providing special publications for managing an IT environment. They've got quite a broad array of work that they do. Then we have FISMA. We talked about this a little bit earlier. This is an organization that tries to ensure that all government agencies are doing some annual reporting on the compliance of their information systems as it relates to the security controls.
So making sure your systems are compliant and are being monitored is part of the goal here. We have ISACA themselves, with your CISA certification, their code of ethics and their own guidance. Also the IT Governance Institute, ITGI. ISACA's also involved in creating COBIT: your Control Objectives for Information and Related Technology. So, more guidelines which help you with your information systems management, making sure that you've got the right security controls in place, that you can measure them, that you can monitor them, and provide adequate reporting to the various stakeholders. Then we have the Basel Accord standard. So Basel III is based on the pillar three, and this is related to reducing risk in the banking sector. So, there are a lot of different standards to think about. You only need to know a little bit about each one. Not a tremendous level of detail is required, but it is helpful.

So we'll look at the ISACA audit standards. There are quite a few of these, starting off with the audit charter. So 'defining the responsibility, the authority and accountability of the audit function'. It's a good foundational thing to have in place. Then we move on to independence, and I talked about this, making sure that our auditors are independent, free from conflicts of interest, free from bias. The third item is that they conduct themselves in a professional, ethical manner, adhering to the code of ethics, and, of course, staying within the law. The fourth item is making sure that they have some professional competency, that they've been properly trained. Maybe that they've earned some certifications, such as a CISA. And also, that they are continuing their education so that they don't get left behind as the industry changes over time. Then we have the planning of audits. And, of course, we know that when the audit is properly planned it's more likely to succeed within the given timeline and budget.
And that should also produce more predictable results when audits are repeated at some point in the future. Moving on to S6, we have performance of the audit work itself. Making sure that the auditor is supervised correctly, that they are given access to the information that they need in order to form their conclusions, and that they produce the proper documentation of their activities. That feeds into S7, which is audit reporting. So they've got to show what they've found, making sure that they've got all of the proper legal protections in place, perhaps the non-disclosure agreement or other protections, so that anything the auditor discovers is properly protected, because their reputation's on the line and the organization's reputation may be affected if that is not done properly.

Then we have follow-up activities. I mentioned this a little while ago as a way for the auditor to revisit certain items, certain findings, to see if they've been corrected. This could take various different forms. It could be something that's done on a regular basis: '30 days to fix your problems and I'll come back and we'll talk again.' Or it could be something that's much more critical, where you might get a week to fix the problems. So it just depends on the situation. Anything that's considered irregular or illegal, so standard number nine. All that needs to be identified and reported on. This might apply to financial transactions. It might apply to mishandling of funds. It could be all over the board, actually. Then we move to standard number 10, IT governance. So making sure that there are proper policies, procedures and standards in place, designated by the top tier of the organization, to govern the lower tiers. Making sure that that's done properly and that there are consequences for violations of those types of policies. Then we move on to standard 11: using a risk analysis in planning your audit.
This makes a lot of sense, that you would do some sort of risk analysis as part of an audit. It could be done before, during and after, depending on what kind of audit's being performed. And this is trying to get some kind of return on investment for the actual time the auditor is spending, and the money that the organization is spending. So they know that if it's going to take 90 days to do all of the audit activities, and it's going to entail certain expenses, certain considerations for downtime, or staff scheduling, and these different factors, all of those should be worth it at the end of the activity, because now you can produce the risk analysis that shows that everything is fine, or we've got problems that need to be fixed.

Moving on to standard number 12: audit materiality. So this means that the auditor has to provide some type of evidence to prove what they're saying. They can't just produce a list of findings and expect everyone to take their word for it. They have to be able to show, through either interviewing, examining, or testing different aspects of an organization's infrastructure, what was found, how they determined this, and what might need to be done in order to correct the issues. Standard 13: using the work of other people. This makes sense. As I mentioned earlier, there might be some areas that the auditor is not competent to operate in, so they might have to use other people to do some of that work. Or it's possible that some work has already been done and the auditor can use it as-is without having to redo that work, because it's something that hasn't changed since it was last audited. Or it was done so recently that it's not likely to have changed. So, in some cases, re-use makes sense and it saves time and money. And the last item here is proper audit evidence. Standard number 14.
So, similar to the audit materiality, the evidence shows in this case that it was gathered correctly, that there's a proper chain of custody, in some cases, if there's an investigation going on, that all the evidence was identified and labelled correctly, and basically that the methodology for handling this evidence was followed to the letter. If there are inconsistencies or irregularities in the way that the evidence is handled, then that might affect the assurance that the audit is intended to provide.

Okay, a couple more to go. We have standard 15: the effective IT controls. So this goes back to things like NIST Special Pub 800-53, or 53A. 53 is the controls catalogue for IT systems. 53A deals with the assessment of those controls. So you can't learn if the controls are effective until you can assess them. Again, I mentioned planned inputs, expected behaviors, and planned outputs. If you understand those three things about each control that's being investigated, then that would indicate a complete understanding of what the control's supposed to do, what it looks like when it's working, and what it looks like when it's not working. And then last we have electronic commerce controls. Showing that, in the case of using payment card industry standards, or other electronic transactions, there is a thorough understanding of how the mechanism works, what the security controls are, and how it can be best measured and tested for effectiveness.

Alright, so some regulations exist regarding best practices. This is another useful thing to consider, since best practices are quite variable, depending on the industry that you're in and depending on the particular area of focus that you're looking at when you're doing some kind of an audit. So things that are recommended are considered discretionary. That makes sense. It's not enforced, but it's suggested that you do this.
So something you should do, as opposed to something you must do, which is more of what we're talking about when we're dealing with mandatory regulations. So it's a best practice, but if it's mandatory then that means it's required and you must do it. It seems like a fine difference between the two, but as long as you remember that recommended is discretionary and required is mandatory, something we should do versus something we must do. So these would be examples of things that are required: Sarbanes-Oxley, GLBA, Basel III, HIPAA, FISMA. Those are not considered optional for organizations operating in those different areas.