CISA 2020 Domain 1 Presentation -- Day 1

  • Uploaded by: Rajesh Satam
  • March 2021
  • PDF, 41 pages, 3,873 words
Cybercert Consultants

CISA 2020 Bootcamp
Rajesh Satam (Principal Consultant), MSc IT, CISA, ISO 27001 LA, ITIL (F), COBIT (F), CPCL

Domain 1

This domain represents 21 percent of the CISA exam (approximately 32 questions).

Part A: Planning
  1. IS Audit Standards, Guidelines and Codes of Ethics
  2. Business Processes
  3. Types of Controls
  4. Risk-based Audit Planning
  5. Types of Audits and Assessments

Part B: Execution
  1. Audit Project Management
  2. Sampling Methodology
  3. Audit Evidence Collection Techniques
  4. Data Analytics
  5. Reporting and Communication Techniques
  6. Quality Assurance and Improvement of the Audit Process

Day 1 topics: audit planning, the effect of laws and regulations on audit planning, and business process application controls.

Copyright Cybercert Consultants

Domain 1: Introduction
IS audit is the formal examination and/or testing of information systems to determine whether:
  • Information systems comply with applicable laws, regulations, contracts and/or industry guidelines.
  • Information systems and related processes comply with governance criteria and with relevant policies and procedures.
  • IS data and information have appropriate levels of confidentiality, integrity and availability.
  • IS operations are being carried out efficiently and effectiveness targets are being met.

Domain 1: IS Audit Standards, Guidelines and Code of Ethics
What are policies, standards, guidelines and procedures?
  • Policies are high-level documents that represent the corporate philosophy of an organization.
  • Standards are specific mandatory controls that give effect to a policy.
  • Procedures are documented, defined steps for achieving policy objectives. They must be derived from the parent policy and must implement the spirit (intent) of the policy statement.
  • Guidelines are recommendations and good practices; unlike standards, they are not mandatory.

Domain 1, 1.1: IS Audit Standards, Guidelines and Code of Ethics
ISACA Code of Professional Ethics. ISACA members and certification holders shall:
  • Support the implementation of, and encourage compliance with, appropriate standards.
  • Perform their duties with objectivity, due diligence and professional care.
  • Serve in the interest of stakeholders in a lawful manner.
  • Maintain the privacy and confidentiality of information.
  • Maintain competency in their respective fields and agree to undertake only those activities they can reasonably expect to complete with the necessary skills, knowledge and competence.
  • Inform appropriate parties of the results of work performed, including the disclosure of all significant facts known to them that, if not disclosed, may distort the reporting of the results.
  • Support the professional education of stakeholders.

Domain 1, 1.2: Audit Charter
  • The audit charter is a high-level document.
  • Because it is a high-level document, it is approved by the highest authority: the board of directors and the audit committee, if one exists.
  • Because it is approved by the board, it is changed only after a significant change in the business or threat scenario, not frequently.
  • Because it is not changed frequently, it describes the overall authority, scope and responsibilities of the audit function rather than the details of individual engagements.
  • Overall, an IS audit charter establishes the role of the information systems audit function.
  • The audit charter differs from an engagement letter, which is focused on a particular audit exercise initiated in an organization with a specific objective in mind.
  • If IS audit services are provided by an external firm, the scope and objectives of those services should be documented in a formal contract or statement of work between the contracting organization and the service provider.

Domain 1: Audit Charter Questions
ABC Corp needs to update its audit charter. What should an organization's IS audit charter specify?
  A. Short- and long-term plans for IS audit engagements.
  B. Objectives and scope of IS audit engagements.
  C. A detailed training plan for the IS audit staff.
  D. The role of the IS audit function.

Answer: D. Overall, an IS audit charter establishes the role of the information systems audit function. Engagement plans, objectives and scope belong to individual audits (the engagement letter), not to the charter.

Domain 1: Audit Charter Questions
An audit charter should:
  A. be dynamic and change often to coincide with the changing nature of technology and the audit profession.
  B. clearly state audit objectives for, and the delegation of, authority to the maintenance and review of internal controls.
  C. document the audit procedures designed to achieve the planned audit objectives.
  D. outline the overall authority, scope and responsibilities of the audit function.

Answer: D. The charter is a board-approved, high-level document that is changed infrequently and describes the overall authority, scope and responsibilities of the audit function; audit procedures and engagement-level objectives are documented elsewhere.

Domain 1: Audit Charter Questions
In an organization, the audit charter is approved by:
  A. Board of directors or audit committee.
  B. Board of directors or senior management.
  C. Board of directors and audit committee.
  D. Senior management and audit committee.

Domain 1: Audit Charter Questions
Which of the following outlines the overall authority to perform an IS audit?
  A. The audit scope, with goals and objectives.
  B. A request from management to perform an audit.
  C. The approved audit charter.
  D. The approved audit schedule.

Answer: C. The approved audit charter establishes the role of the IS audit function and its overall authority; scope, management requests and schedules operate within that authority.

Domain 1: Management of the IS Audit Function
  • The IS audit function should be managed and led in a manner that preserves audit independence and competence, and should deliver value-added contributions to senior management in the efficient management of IT and the achievement of business objectives.
  • An IS auditor must be technically competent, having the skills and knowledge necessary to perform the audit work.

Domain 1: Management of the IS Audit Function
The internal audit function of ABC Corp should report to:
  A. Board of directors or audit committee.
  B. Senior management and audit committee.
  C. Head of the respective department.
  D. CISO.

Domain 1: Management of the IS Audit Function
A long-term IT employee with a strong technical background and broad managerial experience has applied for a vacant position in the IS audit department. Determining whether to hire this individual for the position should be based primarily on the individual's experience and:
  A. length of service, because this will help ensure technical competence.
  B. age, because training in audit techniques may be impractical.
  C. IT knowledge, because this will bring enhanced credibility to the audit function.
  D. ability, as an IS auditor, to be independent of existing IT relationships.

Answer: D. Independence should be continually assessed by the auditor and by management. This assessment should consider factors such as changes in personal relationships, financial interests, and prior job assignments and responsibilities.

Domain 1: Audit Planning
  • Gain an understanding of the organization's mission, objectives, purpose and processes, including information and processing requirements such as availability, integrity, security, business technology and information confidentiality.
  • Gain an understanding of the organization's governance structure and practices related to the audit objectives.
  • Understand changes in the business environment of the auditee.
  • Review prior work papers.
  • Identify stated contents such as policies, standards, required guidelines, procedures and organization structure.
  • Perform a risk analysis to help in designing the audit plan.
  • Set the audit scope and audit objectives.
  • Develop the audit approach or audit strategy.
  • Assign personnel resources to the audit.
  • Address engagement logistics.

Domain 1: Audit Planning (sequence)
  Step 1: Understand the organization
  Step 2: Define the audit universe
  Step 3: Risk assessment and risk ranking
  Step 4: Audit planning

Domain 1: Audit Planning
Which of the following is the BEST factor for determining the extent of data collection during the planning phase of an IS compliance audit?
  A. Complexity of the organization's operation
  B. Findings and issues noted from the prior year
  C. Purpose, objective and scope of the audit
  D. Auditor's familiarity with the organization

Answer: C. The extent to which data will be collected during an IS audit is related directly to the purpose, objective and scope of the audit. An audit with a narrow purpose and limited objective and scope is most likely to result in less data collection than an audit with a wider purpose and scope. The complexity of the organization's operation, prior issues and an auditor's familiarity with the organization are factors in the planning of an audit, but do not directly determine how much data to collect.

Domain 1: Audit Planning
Which of the following is the MOST critical step to perform when planning an IS audit?
  A. Review findings from prior audits.
  B. Develop plans to conduct a physical security review of the data center facility.
  C. Review IS security policies and procedures.
  D. Perform a risk assessment.

Answer: D. Of all the steps listed, performing a risk assessment is the most critical. Risk assessment is required by ISACA IT Audit and Assurance Standard S11 (Use of Risk Assessment in Audit Planning; this is the legacy standard numbering used in the review manual, since renumbered under ITAF). Beyond the standards requirement, if a risk assessment is not performed, high-risk areas of the auditee's systems or operations may not be identified for evaluation, and detection risk (the risk that a material error is not detected by the IS auditor) increases. The review of findings from prior audits is a necessary part of the engagement, but not as critical as the risk assessment. A physical security review of the data center is important, but not as critical as performing a risk assessment. Reviewing IS security policies and procedures would normally be done during fieldwork, not planning.

Domain 1: Audit Planning
An internal IS audit function is planning a general IS audit. Which of the following activities takes place during the FIRST step of the planning phase?
  A. Development of an audit program
  B. Review of the audit charter
  C. Identification of key information owners
  D. Performance of a risk assessment

Answer: D. A risk assessment should be performed first to determine how internal audit resources should be allocated so that all material items are addressed; its results are the input to the audit program. The audit charter is prepared when the audit department is established, or updated as needed; it is part of the internal audit governance structure that provides independence for the function and is not a step of the planning phase. Key information owners are generally not directly involved in the planning process of an audit, and a risk assessment must be performed before they are identified.

Domain 1: Audit Planning
An IS auditor is developing an audit plan for a repeat client. The IS auditor reviews the prior-year audit plan and finds that the previous plan was designed to review the company network and email systems, which were newly implemented last year, but did not include reviewing the e-commerce web server. The company IT manager indicates that this year the organization prefers to focus the audit on a newly implemented enterprise resource planning (ERP) application. How should the IS auditor respond?
  A. Audit the new ERP application as requested by the IT manager.
  B. Audit the e-commerce server, since it was not audited last year.
  C. Determine the highest-risk systems and plan the audit based on the results.
  D. Audit both the e-commerce server and the ERP application.

Answer: C. The best course of action is to conduct a risk assessment and design the audit plan to cover the areas of highest risk. ISACA IT Audit and Assurance Standard S11 (Use of Risk Assessment in Audit Planning), paragraph 03, states that "The IS auditor should use an appropriate risk assessment technique or approach in developing the overall IS audit plan and in determining priorities for the effective allocation of IS audit resources." The IS auditor should not rely on the prior-year audit plan, since it may not have been designed to reflect a risk-based approach (the newest systems are not necessarily the systems with the highest risk). Auditing the ERP application simply because the IT manager asked for it, or the e-commerce server simply because it was skipped last year, does not reflect a risk-based approach; auditing both without assessing risk does not either.

Domain 1: Audit Planning
During the planning stage of an IS audit, the PRIMARY goal of an IS auditor is to:
  A. address audit objectives.
  B. collect sufficient evidence.
  C. specify appropriate tests.
  D. minimize audit resources.

Answer: A. ISACA IT audit and assurance standards require that an IS auditor plan the audit work to address the audit objectives. Choice B is incorrect because the IS auditor does not collect evidence in the planning stage of an audit. Choices C and D are incorrect because they are not the primary goals of audit planning. The activities in B, C and D are all undertaken in order to address the audit objectives and are therefore secondary to A.

Domain 1: Audit Planning
While planning an audit, an assessment of risk should be made to provide:
  A. reasonable assurance that the audit will cover material items.
  B. definite assurance that material items will be covered during the audit work.
  C. reasonable assurance that all items will be covered by the audit.
  D. sufficient assurance that all items will be covered during the audit work.

Answer: A. ISACA IT Audit and Assurance Guideline G15 on planning the IS audit states that "An assessment of risk should be made to provide reasonable assurance that material items will be adequately covered during the audit work. This assessment should identify areas with a relatively high risk of the existence of material problems." Definite assurance that material items will be covered is an impractical proposition. Assurance that all items will be covered is not the correct answer either, since material items need to be covered, not all items.

Domain 1: Audit Planning
Which of the following BEST describes the purpose of performing a risk assessment in the planning phase of an IS audit?
  A. To establish adequate staffing requirements to complete the IS audit
  B. To provide reasonable assurance that all material items will be addressed
  C. To determine the knowledge required to perform the IS audit
  D. To develop the audit program and procedures to perform the IS audit

Answer: B. A risk assessment helps focus the audit procedures on the highest-risk areas within the scope of the audit; the concept of reasonable assurance is important here as well. A risk assessment does not directly determine staffing requirements (A), does not identify the knowledge required to perform the audit (C), and does not by itself produce the audit program and procedures (D), although its results feed into them.

Domain 1: Audit Planning
Which of the following is the FIRST step performed prior to creating a risk ranking for the annual internal IS audit plan?
  A. Prioritize the identified risk.
  B. Define the audit universe.
  C. Identify the critical controls.
  D. Determine the testing approach.

Answer: B. In a risk-based audit approach, the auditor identifies risk to the organization based on the nature of the business. To plan an annual audit cycle, the types of risk must be ranked, and to rank them the auditor must first define the audit universe by considering the IT strategic plan, organizational structure and authorization matrix. Only once the audit universe is defined can the auditor prioritize risk based on its overall impact on the operational areas covered by that universe (A). The controls that mitigate high-risk areas are generally the critical controls, and their effectiveness provides assurance on risk mitigation, but they cannot be identified until the types of risk are ranked (C). The testing approach is based on the risk ranking (D).

Domain 1: Audit Planning
In planning an audit, the MOST critical step is the identification of the:
  A. areas of high risk.
  B. skill sets of the audit staff.
  C. test steps in the audit.
  D. time allotted for the audit.

Answer: A. When designing an audit plan, it is important to identify the areas of highest risk in order to determine the areas to be audited. The skill sets of the audit staff should have been considered before deciding on and selecting the audit. Test steps are not as critical as identifying the areas of risk, and the time allotted for an audit is determined by the areas to be audited, which are selected primarily on the basis of identified risk.

Domain 1: Effect of Laws and Regulations on IS Audit Planning
Each organization, regardless of its size or the industry within which it operates, will need to comply with a number of governmental and external requirements related to IS practices and controls and to the manner in which data are used, stored and secured. Special attention should be given to these issues in closely regulated industries. Management at all levels should be aware of the external requirements relevant to the goals and plans of the organization, and to the responsibilities and activities of the information services department or function.

An IS auditor would perform the following steps to determine an organization's level of compliance with external requirements:
  • Identify the government or other relevant external requirements.
  • Document the applicable laws and regulations.
  • Assess whether the management of the organization and the IT function have considered the relevant external requirements in making plans and in setting policies, standards and procedures, as well as business application features.
  • Review internal IT department documents that address adherence to laws applicable to the industry.

Domain 1: Effect of Laws and Regulations on IS Audit Planning
The effect of which of the following should have priority in planning the scope and objectives of an IS audit?
  A. Applicable statutory requirements
  B. Applicable corporate standards
  C. Applicable industry best practices
  D. Organizational policies and procedures

Answer: A. The effect of applicable statutory requirements must be factored in when planning an IS audit; the IS auditor has no options in this respect, because there can be no limitation of scope with regard to statutory requirements. Statutory requirements always take priority over corporate standards (B). Industry best practices help in planning an audit, but they are not mandatory and can be deviated from to meet organizational objectives (C). Organizational policies and procedures are important, but statutory requirements always take priority over them (D).
