Hi there, my name is Ken Mayer. I'm going to be your instructor through this entire course on the CISA. Now, I've been working in the field of IT since the very early 80s. And over that time, I've worked with a lot of different corporations, a lot of consulting work, full-time work. I've received my certifications through Novell, through Microsoft, through Cisco, through Juniper, through CompTIA, and, you know, it just kind of goes on and on and on with all sorts of certifications and different equipment, different vendors, different circumstances. And all of that has really led into getting a good understanding about a lot of the different areas that we have in the world of information technology. There are a lot of things I can share with you as I get you ready to take this course and to get prepared for your exam. Now, this module is designed to cover the domain that is called the Process of Auditing Information Systems. This module is going to focus on the process of auditing your information systems to make sure that you're covering the entire practice of IS auditing. That would be all the procedures, making sure you have a thorough methodology designed to let the auditing team be able to perform an audit on any given IT area and do so in a professional manner. Now, the objective of this particular domain, this module, is to ensure that you have the knowledge necessary to provide these audit services in accordance with the IT audit standards, designed to assist the organization with protecting and controlling their information systems. There are several tasks that we're going to see as we go through this module. Number one, you're going to work at learning how to develop and implement a risk-based IT audit strategy, one that's in compliance with the IT audit standards to cover all of the key areas.
The second one is you're going to be able to plan specific audits to determine whether the information systems are protected and controlled, and to be able to provide value to the organization through the use of this audit. We also want to make sure that we can conduct audits in accordance with the IT audit standards to achieve planned objectives and to report audit findings and make recommendations to the key stakeholders. And finally, we want to be able to see how to conduct follow-ups and prepare the status reports to ensure that the appropriate actions have been taken by management in a timely manner. Now, what's important to know is we're not going to tell you step by step every single thing you should go through in the process of auditing, but rather we are creating a framework and guidelines. There's actually a series of guidelines, standards, and procedures that you can follow and use to be able to implement your audit plan that's going to be in accordance with whatever contracts you have with the organization that you're doing the audit on. This lesson is designed to talk about management's role in the audit function. Now, if you think about management, I am talking about management of the auditing team, not necessarily the upper management of the organization that's being audited. When we look at it from the management perspective, the auditing should be managed and led in a manner that makes sure that all of the tasks that you are chartered to do are performed and accomplished by that audit team. In fact, management should make sure the auditors maintain independence during this function as well as maintaining their competence in the auditing process. Now, we'll talk later about them having the competence in what they are auditing, but right now it's important that they understand really what is involved in conducting an actual audit. And as those guidelines and procedures change, they need to be up to date in their competence about that process.
The audit function should have something that's value-added as a contribution that the senior management can use. In other words, senior management needs this information to be able to, number one, understand where risks are and what they might be able to do to mitigate some of their risks or to have an assurance that the controls they have in place are doing the job that they're supposed to do. And a lot of this goes to some high-level types of certifications to maintain laws and regulations. So yeah, there's a lot of value-added contributions that senior management will get as the results of the audit. And of course, the audit function should also achieve the business objectives. And again, those objectives I talked about could be to maintain certain types of regulatory laws or certifications that are required by the company to do their business. Now, when we look at the organization of the IS audit function, we know that the audit services can be what we call external or internal. Now, internal means that the audit should be established by a contractor, a charter, and have the approval of senior management. Now, this can be an internal audit. It can function as an independent group. And remember, that is important. The auditor should function independently as they're going through this process. The audit committee integrated within a financial and operational audit can provide IT-related control assurance to the financial or management auditors. So those are types of internal-based audit services. Now, the external types would be audit services that are provided by an outside firm, meaning not people that are employed by the company. Now, the scope and objectives of these services should be listed in some very formal contracts between the organization and the external audit team. 
In fact, I like to tell people that when they go in to do this auditing, depending on what they're doing, this contract and these permissions that they have, these agreements that we have that say what we can do, are their get-out-of-jail-free cards. Because if you think about it, as you're going through some of the auditing requirements, you might find weaknesses. And in the attempt to test those weaknesses, you may come across information that might be kind of high-level, top-secret information that the organization doesn't want to get out. And if you were just kind of doing your audit, and you said, ooh, let's check on this control over here, and you go after and check on something that you're not under contract to even be looking at, that's where you have problems, right? So it's kind of a fine line sometimes between auditing and what some people might think of as hacking into systems, right? It's important that you remember to keep in accordance with your contract, and it should very specifically spell out what it is that you're auditing. That's part of that agreement that we have, especially with an external firm. Now, whether we're doing either internal or external auditing, there should be an independence of that auditing team, as I talked about. I don't want them to necessarily, you know, I guess I look at it this way. You know, in auditing, let's say, a bank type of situation, if I'm working for the bank manager and the results of my auditing could embarrass that bank manager, there might be some sort of pressure on me from the person responsible for my job to keep some of that information quiet and secret. And I don't want that kind of pressure.
I want to make sure there is true independence so that when I go in there, I'm doing an objective job, knowing that the results I'm going to report on fairly and honestly, accurately, and not have to worry about the potential of another person putting undue influence on me to kind of hide things or to sugarcoat the results. So we want that true independence, and we can achieve that internally. It's just a matter of who we select as a part of our team. Anyway, we know that they should be independent and, of course, their goal is to report to the higher levels of management. Now, one of the things we have to look at in managing audits is our resource management. Technology changes, and it's important that as management, we ensure that the auditors are up to date with their skill sets. I kind of hinted at that already. That means that there's going to be required training that should be directed to new auditing techniques and training to update their knowledge of technology. The ISACA, which I'm just going to pronounce "ISACA," standards require that the auditing team be technically competent in what they do, and that makes sense to me, right? Because how can I adequately audit something I have no clue how it operates? And so we want to make sure we actually know what it is that we're auditing as far as the technology, so that we can adequately be able to say if it's functioning the way it should. Now, management should consider the auditor's skills and knowledge when they plan the audit. In other words, you need to know what that person is capable of doing so that you can plan to put them in the right location to do the right part of the auditing plan. Now, when we talk about audit planning, we have to look at the fact that it has both short-term and long-term goals. Your short-term goals should take into account the issues that are going to be covered, say, throughout the next year.
Now, your long-term auditing goals are going to take into account issues regarding changes to the organization's IT strategic direction. And we see this happening all the time, especially when we're looking at future purchases or future needs as far as what the IT part of the organization might be needing. There may be a plan to bring in a whole new vendor's worth of equipment, new firewall capabilities, new voice over IP, or something that we're seeing is going to be in the long-term effect. So that's kind of where we're looking at beyond the current year at the short-term level. All right, both your long-term and short-term issues should be reviewed, at least annually, to make sure that what your audit planning had at the time you created these short-term and long-term plans still matches the direction that the business is going. Some of the other planning considerations, of course, would be to do periodic risk assessments. And again, we're talking about the planning of when to do the audits. You should have plans in place to do the audits if you have a change in technology. Again, that could be maybe bringing in a new vendor firewall or upgrading to the latest and greatest Windows Server technology. When that happens, we're going to have to have changes, or have plans to do audits, to make sure that these changes in technology are meeting whatever our standards are. Of course, laws change, regulatory requirements change, new ones might be coming out, changes to existing ones. I remember when I first saw HIPAA, it was contained within one binder as far as when we talked about privacy issues for patients. And now it's like three or four binders in size. And so as those requirements change, we should have plans to do audits to make sure that we are staying within those requirements.
And of course, there might be, like I said, new system implementations or upgrades where we're going to work with future technologies that we might not even know about right now when we're making our plans for auditing. So that means that we have kind of this idea that as we see new technologies coming in, we're going to have to have plans to include those in our audits. And we need to also plan around our resource limitations. And again, some of the resources, if we look at the auditors themselves as our resource, they might not have the training they need for these new technologies or these changes. And so we want to plan for that as well, so that we can make sure when we're ready to do the audit that we have the resources available, or if we have to look at an external type of resource to be able to perform these audits. Part of your audit planning should be about the information gathering. Now, what do we need? Well, first of all, we need information about the environment that we're auditing. I just don't want to walk in blind to an organization and start poking around at different things saying, oh, I wonder what this does. I want to know how it all works. At least, I don't need to have the in-depth, complete design, but I have to have a good understanding of the environment. As an example, I worked with a bank that has several data centers across the country. And it's important for me to understand how they are related to each other. What was the purpose of all the data centers? Obviously, it was for high availability, so they had one in the Midwest, one in the Southwest, and one on the West Coast. Their goals, of course, were to be able to survive anything going wrong with one city, complete devastation of a building through fire or natural disaster. They wanted to have enough distance so they weren't even on the same power grids.
So if I walk in to start an audit, it'd be kind of good if I had that understanding of that big environment so I understood how they all work together. I also want to make sure we know and gather the information about the business practices and the functions that are relating to the audit. We should have the information, the documentation, on the type of information systems and technologies that are used to support the business, as well as all of the regulatory requirements that are covering that particular business. Now, when we look at ISACA's IS auditing standards, they do require that the auditor address the audit objectives and comply with professional auditing standards. That is kind of what we're about here: to make sure that we have standards in place so that we are able to conduct these professional audits rather than just taking a guess or a stab at what I think I should be looking at. Now, the auditor should basically have a plan that considers the objectives of the organization and sees how those are relevant to what's being audited in the technology infrastructure. That plan should include an understanding of the organization's IT architecture and the technological direction that they're going to go. Again, going back to looking at the future, what are the ideas that they have as far as where they see their business in a year, in a couple of years, and which direction are they going? That's part of what I talked about with the information gathering. We use that information as a foundation for the actual audit planning. Now, the guidelines that an IS auditor should follow are things like reviewing the background information, such as industry publications or annual reports. They should look at prior audit reports to see what issues were brought up in the audits that were done before this one. Understanding the business and IT long-term plans is a very important part of this.
We need to remember that IT and IS are not the center of the business. We're there to support the business. If this business makes widgets, the purpose of IT and IS is to help support that business to make widgets, because that's how they make their money. We need to make sure we understand what the business needs are and what those long-term plans are. That means we should be talking with managers to learn about the business issues. We should be researching the specific regulations that apply. Every organization has some type of regulation or certification that would cover the type of business that they're in. Obviously, we've heard of regulations such as Sarbanes-Oxley and HIPAA and many of those. It's important that you understand what those regulations are and how they apply to that organization, because part of your goal, or your plan for the audit, is to make sure that you're within those regulations. You should know if any of the IT functions are outsourced. For instance, it's not uncommon for some companies, especially smaller ones, to have an outsourced web presence or outsourced email types of presences. What else is outsourced? Do they have contractors, consultants that come in to do specific high-end types of implementations of maybe third-party applications that they've bought and purchased and are using in that company? As a guideline, you should generally have a walk-through of the entire facility of the organization. It's kind of like the idea of having the plans about how the entire organization is laid out and how it is functioning. Now, as a part of what we look at in the management and the planning process of our auditing, we have to remember that there are those laws and regulations that are going to apply to almost every organization. They could be in compliance with government rules or maybe other external requirements, maybe contracts they have with some of their other, not competitors, but companies that they're working with.
As an example, I know of one company that did credit card processing; they managed the little boxes where you swipe your cards. Every time they went to another bank and said, we'd like to be able to process your cards, they would go through an audit to make sure that the credit card processing met the level and requirements that were that bank's responsibility. The bank would say, okay, we have this type of regulation. We have these requirements of security, and if we're going to work together, you need to be able to meet those standards. And so it could be, like I said, external requirements, something that's related to the computer system practices. Now, a lot of these, as you look at these different regulations, often are going to include information about how data should be processed, transmitted, and stored, even the duration of storage. In some organizations, they're required to keep email for at least seven years. Special consideration should be given to the issues for the highly regulated industries. These considerations should include all of the countries in which the organization operates. Now, that's an important statement. Imagine if you're an internet service provider and you, of course, have laws and regulations you have to follow as an ISP within the United States, but if you are also working with customers in other countries, you have to also make sure you're in compliance with their set of laws and regulations. And when you consider how many countries are still in the developing stages, especially catching up in internet technology, those are things that could be constantly undergoing change. So you need to make sure that you are, again, back to something I said already, knowledgeable about the laws and regulations, that you have those skills; that understanding is a part of the information gathering, and you use it in the audit planning. All right, what are some of the other effects of the laws and regulations? Well, privacy issues.
As an auditor, you need to take into account any of the requirements of privacy laws and regulations. As an example, the Safe Harbor in the Organization for Economic Cooperation and Development, what they call the OECD, and by the way, there's a lot of alphabet soup throughout the auditing process, right? Lots and lots of acronyms. Anyway, they have the guidelines that govern privacy and trans-border flows of personal data. So again, we need to understand what those regulations are and how they apply to that organization, if at all. Now, some of the regulations that you should consider could be things like the establishment and organization of regulatory requirements, the responsibilities that are assigned to the organizations, and any financial, operational, and other IT audit functions that would fall underneath those regulations. There are two major areas of concern when we're talking about these regulations. One, of course, is the legal requirements for us, the people doing the auditing, the auditors. There are laws and regulations and contractual agreements that we have to follow. There are also legal requirements for the auditee. That would be requirements for their systems, as we said, their data management and reporting. And those two areas are going to impact the scope and objectives of the audit. Again, if you think about examples, Sarbanes-Oxley and HIPAA are perfect examples of regulations that do affect how we are going to conduct the audit and the requirements that the auditee has to undertake. Now we can look at some steps that you should follow as the IS auditor to determine the organization's level of compliance. One of them is identification of requirements that are dealing with things like electronic data, like personal information, copyrights and e-commerce information, computer system practices and controls, and how they store information.
You should also be looking at the documentation of the applicable laws and regulations, determining if the organization has planned to support those regulatory requirements, making sure you know if the organization has addressed adherence to the applicable laws, and whether there are established procedures that they use to follow those requirements.