Time: 8 hours 35 minutes
Difficulty: Intermediate
CEU/CPE: 9

Video Description

This lesson focuses on implementing audit standards. IS auditors are able to rely on well-established industry standards. This lesson discusses two types of standards:

  • Parent-class standards with broad application across a wide variety of industries
  • Industry-specific standards with a limited scope

This lesson also covers the ISACA IS Audit Standards.

Transcript

So now let's talk about implementing audit standards. One way to think about this is that if the standard is already in use and widely accepted in the industry, that makes the job of the auditor easier, because they don't have to come up with anything on their own. They can simply follow what's already considered acceptable, or even required, by their particular industry and make sure that they follow that standard correctly. So where do these standards get created, or how do they get created? These are questions that you might come up with. Some of the standards that you'll need to learn a little bit about in order to pass the exam are the ISO standards: ISO 27002, regarding security management. Or, if you're familiar with the NIST Special Publications, the 800-53 document is basically a catalogue of all of the security controls that you might see in any given environment. Another NIST Special Publication, 800-26, details guidance for doing self-assessments. Speaking of the NIST documents, the organization has quite a few useful documents providing guidance on various aspects of managing an IT environment.

Some of the audit standards are industry specific. So whether your industry is healthcare, financial or IT in general, you might choose different standards because of that. We already mentioned FFIEC and HIPAA earlier as examples of this type of industry standard. We also have auditing standards to think about. So we can do a compliance test to check that something is compliant, and then there is a substantive test to make sure that the claim of a finding has integrity and was correctly determined.

So some of the standards to think about here: we have the American Institute of Certified Public Accountants, AICPA; the International Federation of Accountants, IFAC; the Financial Accounting Standards Board, FASB; the Statements on Auditing Standards, SAS; and then there's the International Financial Reporting Standards, IFRS, which kind of replaces GAAP, the generally accepted accounting principles. GAAP had some problems when certain investigations and audits were being performed: certain information was misrepresented, so IFRS is considered a more desirable replacement for that. We talked about COSO a little bit earlier. This is for global commerce; the international standard to help with your internal framework for managing those types of information systems. Then we have the US Public Company Accounting Oversight Board, PCAOB, which deals with the SEC, the Securities and Exchange Commission. They've got some other standards here, AS 1 through AS 5. This ties in with Sarbanes-Oxley, which also relates to J-SOX and A-SOX, the Japanese and European versions of Sarbanes-Oxley. Then we have the OECD: another international standard to promote business and the transparency and auditability of those transactions. And then ISO. All the different member governments that are part of the organization can provide their own input, and that way you have another international standard for various things, like the format of a CD-ROM. We have NIST, the National Institute of Standards and Technology. They work with different organizations, like British Standards. Their ideas are used in lots of different products and industries in order to get the best practices for managing a particular technology item, or they provide special publications for managing an IT environment. They've got quite a broad array of work that they do. Then we have FISMA. We talked about this a little bit earlier. This is an organization that tries to ensure that all government agencies are doing some annual reporting on the compliance of their information systems as it relates to the security controls. So making sure your systems are compliant and are being monitored is part of the goal here. We have ISACA themselves, with your CISA certification, their code of ethics and their own guidance. Also the IT Governance Institute, ITGI. ISACA is also involved in creating COBIT, your Control Objectives for Information and Related Technology. So, more guidelines which help you with your information systems management, making sure that you've got the right security controls in place, that you can measure them, that you can monitor them, and that you provide adequate reporting to the various stakeholders. Then we have the Basel Accord standard. Basel III is based on Pillar 3 and is related to reducing risk in the banking sector. So, there are a lot of different standards to think about. You only need to know a little bit about each one. Not a tremendous level of detail is required, but it is helpful.

So we'll look at the ISACA audit standards. There are quite a few of these, starting off with the audit charter: 'defining the responsibility, the authority and accountability of the audit function'. It's a good foundational thing to have in place. Then we move on to independence, and I talked about this: making sure that our auditors are independent, free from conflicts of interest, free from bias. The third item is that they conduct themselves in a professional, ethical manner, adhering to the code of ethics and, of course, staying within the law. The fourth item is making sure that they have some professional competency, that they've been properly trained, maybe that they've earned some certifications such as the CISA, and also that they are continuing their education so that they don't get left behind as the industry changes over time. Then we have the planning of audits. And, of course, we know that when the audit is properly planned it's more likely to succeed within the given timeline and budget, and that should also produce more predictable results when audits are repeated at some point in the future.

Moving on to S6, we have performance of the audit work itself: making sure that the auditor is supervised correctly, that they are given access to the information that they need in order to form their conclusions, and that they produce the proper documentation of their activities. That feeds into S7, which is audit reporting. So they've got to show what they've found, making sure that they've got all of the proper legal protections in place, perhaps a non-disclosure agreement or other protections, so that anything the auditor discovers is properly protected, because their reputation's on the line and the organization's reputation may be affected if that is not done properly. Then we have follow-up activities. I mentioned this a little while ago as a way for the auditor to revisit certain items, certain findings, to see if they've been corrected. This could take various forms. It could be something that's done on a regular basis: '30 days to fix your problems and I'll come back and we'll talk again.' Or it could be something that's much more critical, where you might get a week to fix the problems. So it just depends on the situation. Anything that's considered irregular or illegal, so standard number nine: all that needs to be identified and reported on. This might apply to financial transactions. It might apply to mishandling of funds. It could be all over the board, actually. Then we move to standard number 10, IT governance: making sure that there are proper policies, procedures and standards in place, designated by the top tier of the organization to govern the lower tiers, making sure that that's done properly and that there are consequences for violations of those types of policies. Then we move on to standard 11: using a risk analysis in planning your audit. It makes a lot of sense that you would do some sort of risk analysis as part of an audit. It could be done before, during and after, depending on what kind of audit's being performed. This is trying to get some kind of return on investment for the actual time the auditor is spending and the money that the organization is spending. So they know that if it's going to take 90 days to do all of the audit activities, and it's going to entail certain expenses, certain considerations for downtime or staff scheduling, and these different factors, all of those should be worth it at the end of the activity, because now you can produce the risk analysis that shows that everything is fine, or that we've got problems that need to be fixed.

Moving on to standard number 12: audit materiality. This means that the auditor has to provide some type of evidence to prove what they're saying. They can't just produce a list of findings and expect everyone to take their word for it. They have to be able to show, through either interviewing, examining or testing different aspects of an organization's infrastructure, what was found, how they determined this, and what might need to be done in order to correct the issues. Standard 13: using the work of other people. This makes sense. As I mentioned earlier, there might be some areas that the auditor is not competent to operate in, so they might have to use other people to do some of that work. Or it's possible that some work has already been done and the auditor can use it as-is without having to redo that work, because it's something that hasn't changed since it was last audited, or it was done so recently that it's not likely to have changed. So, in some cases, re-use makes sense and it saves time and money. And the last item here is proper audit evidence, standard number 14. Similar to audit materiality, the evidence in this case shows that it was gathered correctly, that there's a proper chain of custody (in some cases, if there's an investigation going on), that all the evidence was identified and labelled correctly, and basically that the methodology for handling this evidence was followed to the letter. If there are inconsistencies or irregularities in the way that the evidence is handled, then that might affect the assurance that the audit is intended to provide.

Okay, a couple more to go. We have standard 15: effective IT controls. This goes back to things like NIST Special Publication 800-53, or 800-53A. 800-53 is the controls catalogue for IT systems; 800-53A deals with the assessment of those controls. So you can't learn if the controls are effective until you can assess them. Again, I mentioned planned inputs, expected behaviors, and planned outputs. If you understand those three things about each control that's being investigated, then that would indicate a complete understanding of what the control's supposed to do, what it looks like when it's working and what it looks like when it's not working. And then last we have electronic commerce controls: showing that, in the case of using payment card industry standards or other electronic transactions, there is a thorough understanding of how the mechanism works, what the security controls are, and how it can be best measured and tested for effectiveness.

Alright, so some regulations exist regarding best practices. This is another useful thing to consider, since best practices are quite variable, depending on the industry that you're in and on the particular area of focus that you're looking at when you're doing some kind of an audit. Things that are recommended are considered discretionary. That makes sense: it's not enforced, but it's suggested that you do this. So it's something you should do, as opposed to something you must do, which is more what we're talking about when we're dealing with mandatory regulations. So a best practice is recommended, but if it's mandatory then that means it's required and you must do it. It seems like a fine difference between the two, but just remember that recommended is discretionary and required is mandatory: something we should do versus something we must do. These would be examples of things that are required: Sarbanes-Oxley, GLBA, Basel III, HIPAA, FISMA. Those are not considered optional for organizations operating in those different areas.



Instructed By

Dean Pompilio
CEO of SteppingStone Solutions
Instructor