The Process of Auditing Information Systems
Time
7 hours 15 minutes
Difficulty
Intermediate
CEU/CPE
8
Video Transcription
>> Hi. Welcome back to Certified Information Systems Auditor. We are now going to start domain 1, the process of auditing information systems.

First, let's just take a quick look at the domain learning objectives and the task statements. We won't go through these in any great detail here, but each domain will start with the formal learning objectives that the ISACA certification requires. Use this as a reference when you're studying for your exam just to make sure that you are covering everything that you need to cover.

Management of the IS Audit Function.

In this lesson, we'll be looking at how you'll be managing audits within the enterprise. We'll be looking at auditing and technology and the relationship to it, and just a little bit about the laws and regulations that will be governing the profession of auditing.

First up, audits need to be managed. Basically, it is a management function and it's an important function for the organization to be able to determine if they are actually functioning correctly and if they are meeting all their business goals and objectives. This is done primarily through the Audit Charter. The Audit Charter is at the very top of the enterprise level, and it basically gives the authority for the auditors to do what they need to do within the organization. This is usually pretty much just a statement from senior management indicating that we have an auditing team or an auditing function, and this is what we expect to undertake from that auditing function.

Out of the Audit Charter will be developed the Audit Program. This will basically fit each organization individually, depending upon what systems or what industries, or some areas that you're working in. This will determine the actual program of audits, whether you do them on a monthly basis, you have external reporting requirements, or you're governed by some legislation. Then that will lead into the lower level for strategic audit planning. You need to know exactly when you need to do your audits and you need to position them accurately so that you can get the best information for the business.

Audits within the organization.

First off, we start with goals and objectives. We need to obviously understand exactly what we're wanting to achieve from the audit and what the objectives of each individual audit need to be. That basically feeds into the business processes. What business processes do we need to support the goals and objectives of that audit program? Now if we go down to the further level, then we look at the actual technology and controls. This is translating the goals and objectives from business processes into actual controls that can be applied to the information systems. For example, password access, privilege restrictions, and those things. Then finally, we get to the actual audit itself, where all of that is basically gathered up and managed within an audit function in itself.

Now, as the name would indicate, within CISA, Certified Information Systems Auditor, this is a technology-based function. While your discipline is primarily auditing, of course, it does still require some understanding of the technology that you're going to be auditing. No one is going to expect you as a CISA to be able to build a network or build a server, but you'd certainly need to know how these things fit together and work at the very highest level.

Primarily you need to maintain some technical competence. Now, exactly what that is very much would depend upon the nature of the business that you're working in. Certainly somebody who is dealing with Windows-based enterprise systems will need a different set of competencies to somebody who is auditing IBM mainframes, for example. That's your responsibility to maintain your certification. From that you can basically look at undertaking things such as ISACA training and conferences. As a member of ISACA, you'll get access to a range of materials and a range of webinars and various conference offerings which you can use to support that. Certainly university courses are a key example here, and they can support both the business of auditing plus the technology. There are a number of training webinars. Also, if you have an ISACA chapter in your local area, you can go along to attend meetings, and that will also count towards basically maintaining your certification and maintaining your currency within the technology field. Of course, there are numerous security conferences around the world and online.

Laws and regulations.

As a Certified Information Systems Auditor, you will need to be familiar with the laws and regulations that are applicable to your particular industry area. There are a number of different legislations, both national, international, and local, that may have an impact upon what you need to do and how you need to perform your auditing tasks, and also the requirements of who you need to report to. Other regulations that we basically look at are primarily the security, the integrity, and the privacy areas. In other words, security of the organization, security of the findings, the integrity as an auditor, integrity of what you're actually doing and the process that you're reporting, and privacy laws will come into play very much in this field as well.

Computer security and privacy.

This is obviously a key thing as an auditor. A lot of this will vary depending upon the jurisdictions that you are working in. But you'd be looking at things such as computer trespass, protection of sensitive information, and the collection and use of information, which is certainly key and that revolves around the privacy and rights to hold the information, and is particularly prevalent if you're in a jurisdiction that is governed by the GDPR from the European Union. There are a number of different areas here, and each of those will certainly come into play within the areas of computer security and privacy that you'll experience as an auditor.

What is applicable? In essence, the best answer I can give you is to seek guidance from legal counsel. In the particular industry that you're in, you will no doubt have organizational legal resources that will determine exactly what laws, computer privacy regulations, that you need to adhere to. Obviously depending upon your industry, some of these should be relatively clear and often very industry specific. Well, I could easily go through many, many slides covering a whole range of different laws, regulations, industry requirements, etc., but we just would be running out of time. What I would suggest as just a bit of homework, if you are particularly in an industry that has regulations, is to try and find out what you as an auditor will need to be following and what guidelines exist for your own personal industry.

We've basically covered just a couple of items here: how to manage audits in an enterprise at a very high level, which we will obviously be drilling down into further in the lessons coming up; relevant technology issues that you as a CISA will face; the laws and regulations; and ultimately that you are not alone, and that in many cases you are just an auditor and you are certainly not legal counsel. So it's often important to seek guidance from the right areas if you are unsure.

Thanks for listening, and I will see you in the next lesson.