Did you know Cybrary has FREE video training? Join more than 2,500,000 IT and cyber security professionals, students, career changers, and more, growing their careers on Cybrary.
This lesson covers knowledge statements which is in Domain 1. Knowledge statements are used to measure and assess risk and therefore, be able to manage it. This lesson emphasizes having a strong methodology and steps to produce a strong final result. [toggle_content title="Transcript"] I've got a few different screens of these. They don't all fit on one page. So we start off with the ISACA standards. So they've got their own IT audit and assurance standards. They've got their code of ethics, which I mentioned a little bit earlier. This is important because ISACA standards are complementary to those that already exist in the auditing field. So knowing how their standards dovetail with what's already expected from you is good. This also will help you with the exam because you will be tested on various aspects of these standards and your understanding of them. Also you need to know about risk assessment. That goes without saying that you're looking at various different components, different details to assess risk. As the old saying goes, it's difficult to manage something unless you can measure it, right? So we have to think about how risk is measured in order to assess how to manage it. And of course the people at the top of the organization at the top tier, if you will, they are in a position where they decide what the risk tolerance actually is. So there's a lot of interplay here between detecting the risk, finding a way to measure it and then deciding whether it's acceptable risk or not. And we'll get into more detail about that a little bit later in the course. What about number three here? Knowledge of control objectives: So control objectives are basically speaking to the idea that the different security controls that are used in an information system or financial system need to be understood. We need to understand the expected behavior of the controls, their planned inputs for those controls and the expected output of those controls. Once you know those three items, then you can evaluate whether the control's working correctly. And once it's known whether it's working correctly then you can move on to something else or make recommendations for some type of improvement. Number four: knowledge of the audit planning and project management methodologies. So this is a good way to think about the bigger picture right? So if we're thinking about information systems auditing, you better have a good handling on managing a project that may be very large may be sprawling, and knowing that the minutiae of it, managing that project, needs to fit in with the other goals of the auditing process, so that you can make sure that you spend the appropriate level effort to get the job done and properly define the stope for the project at-hand. We move on to number five. Knowing your fundamental business processes so this is an important thing to think about. If you don't understand how payroll works or how your billing and receiving systems work, how your different electronic transactions take place on your systems, then it's going to be difficult to understand whether these mechanisms are working correctly or that the controls that protect these mechanisms are operating correctly. So having some fundamental base-line knowledge of the business logic of your organization is what we're getting at here. Alright, so onto our second set of knowledge statements for domain 1. We can't skip over the fact that you need some knowledge of laws and regulations. So this applies to the way that the organization operates. It also applies to what you do with findings that are discovered during an audit. If you're collecting evidence, if there was a crime committed, for instance and you're collecting forensic data that is going to be used in an investigation, then knowing the proper way to handle that is an important thing to think about. You wouldn't want to be in a situation where the information was collected or handled or transferred to somebody else improperly because now the investigation may fall apart. The prosecution of someone who committed wrongdoing may not be possible because of breaking the chain of evidence. So, when we're collecting evidence we have to think about how the data is analyzed, who gets interviewed, how to properly preserve the chain of custody, using the proper paperwork, the proper methodology. These things are obviously most important when there is evidence of criminal wrongdoing and we need to preserve all that information in order to prosecute. The auditor is serving a very important role in this case by gathering all of this data and being able to present it to someone who needs it for doing their job. So having excellent knowledge of the evidence collection methodologies is really what we're getting at here. What about sampling methodologies? This is relating to how an auditor would decide in a vast sea of data what kind of information to look at, what kind of information to sample and what frequency, what volume of data is required in order to get a representative sample for that particular operation. The techniques and methodologies would vary, of course, depending on what kind of data is being sampled. If you're looking at financial transactions versus transactions that happen with a database, or security controls for our firewall, then you've got different perspectives to think about so you would adjust your techniques accordingly. Then we have to think about how the reporting of the information will actually take place. It's expected that when you're working as an auditor that there may be some communication problems occasionally with some people. It may be such that the auditee, the person being audited, or the system, or the person responsible for the system being audited, is not very cooperative. Maybe the audit process is stressful for them and causing them to not be on their best behavior. So the auditor needs to be able to keep things professional and be able to help the process move along smoothly, to keep everyone that's involved in the process from getting, you know, upset or otherwise being uncooperative. So it takes a general hand sometimes to move things along and to keep everyone on their best behavior so we can get the job done and everybody can go home with a smile on their face. So number ten here is making sure that we have expert knowledge of different types of frameworks for assurances of quality. And this can go in a lot of different directions. There are several different frameworks that we'll talk about in this course that describe the best way to go about doing something. So having a methodology with well-defined tasks and steps tries to ensure that you'll get to the end result in a predictable fashion without missing anything and making sure that you also inspect everything that's required. [/toggle_content]