南審培訓錄音2007chap1_第1頁
南審培訓錄音2007chap1_第2頁
南審培訓錄音2007chap1_第3頁
南審培訓錄音2007chap1_第4頁
南審培訓錄音2007chap1_第5頁
已閱讀5頁,還剩76頁未讀 繼續(xù)免費閱讀

下載本文檔

版權說明:本文檔由用戶提供并上傳,收益歸屬內容提供方,若內容存在侵權,請進行舉報或認領

文檔簡介

CISAReviewCourse

Chapter1

TheISAuditProcessProcessAreaOverviewIntroductionISACAstandardsandguidelinesforISauditingRiskanalysisInternalcontrolsPerforminganISauditControlselfassessmentEmergingchangesintheISauditprocessProcessAreaObjective

EnsurethattheCISAcandidate…

”HastheknowledgenecessarytoconductISauditsinaccordancewithgenerally-acceptedinformationsystemsauditstandardsandauditguidelinestoprovideastatementofassurancethattheorganization’sITandbusinesssystemsareadequatelycontrolled,monitoredandassessed"ProcessAreaSummary

AccordingtotheCertificationBoard,

thisProcessAreawillrepresentapproximately

10%

oftheCISAexamination

(approximately20questions).1.1IntroductionOrganizationoftheISAuditFunctionISAuditResourceManagementAuditPlanningShortandlongtermplanningIndividualassignmentplanningLawsandRegulations1.1IntroductionOrganizationoftheISAuditFunctionAuditCharter1.1IntroductionAuditResourceManagementISauditorsarelimitedresourcesAppropriateskillsandknowledgeConstraintsontheconductoftheauditProjectmanagementtechniques1.1IntroductionAuditPlanningAdequateplanningisanecessaryfirststepinperformingeffectiveITAuditsNeedtounderstandthegeneralbusinessenvironmentaswellastheassociatedbusinessandcontrolrisksAssessoperationalandcontrolrisksandidentifycontrolobjectivesduringauditplanning1.1IntroductionLawsandRegulationsRegulatoryrequirementsEstablishmentOrganization ResponsibilitiesCorrelationtofinancialand operationalauditfunctions1.1IntroductionLawsandRegulationsStepstodetermineanorganization’slevelofcompliancewithexternalrequirements:IdentifygovernmentorotherrelevantexternalrequirementsDocumentpertinentlawsandregulationsAssesswhetherthemanagementoftheorganizationandtheinformationsystemsfunctionhaveconsideredtherelevantexternalrequirementsinmakingplansandinsettingpolicies,standardsandprocedures.Reviewinternalinformationsystemsdepartment/function/activitydocumentsthataddressadherencetolawsapplicabletotheindustry.Determineadherencetoestablishedproceduresthataddresstheserequirements.1.2ISACAStandardsandGuidelinesforISAuditingISACACodeofProfessionalEthicsISACAStandardsforISAuditingISACAGuidelinesforISAuditing1.2ISACAStandardsandGuidelinesforISAuditing

TheAssociation’sCodeofProfessionalEthicsprovidesguidancefortheprofessionalandpersonalconductofmembersoftheAssociationand/orholdersoftheCISAdesignation.ISACACodeofProfessionalEthics1.2ISACAStandardsandGuidelinesforISAuditingInformISauditorsoftheminimumlevelofacceptableperformancerequiredtomeetprofessionalresponsibilitiessetoutintheISACACodeofProfessionalEthics.Informmanagementandotherinterestedpartiesoftheprofession’sexpectationsconcerningtheworkofpractitioners.

ObjectivesforISACA’sStandards1.2ISACAStandardsandGuidelinesforISAuditingStandardsGuidelinesProceduresFrameworkfortheISACA’sInformationSystemsAuditingStandards:1.2ISACAStandardsandGuidelinesforISAuditingS1-Auditcharter S2-IndependenceS3-ProfessionalEthicsandStandardsS4-Competence

ThestandardsapplicabletoISauditingare:1.2ISACAStandardsandGuidelinesforISAuditing

S5-PlanningS6-PerformanceofAuditWorkS7-ReportingS8-Follow-upactivities

ThestandardsapplicabletoISauditingare:Continued...1.2ISACAStandardsandGuidelinesforISAuditing

S9-IrregularitiesandIllegalActsS10-ITgovernanceS11-UseofRiskAssessmentinAuditPlanning

ThestandardsapplicabletoISauditingare:Continued...1.2ISACAStandardsandGuidelinesforISAuditingS1-AuditCharterResponsibility,AuthorityandAccountability1.2ISACAStandardsandGuidelinesforISAuditingS2-IndependenceProfessionalIndependenceOrganizationalRelationship1.2ISACAStandardsandGuidelinesforISAuditingS3-ProfessionalEthicsandStandardsCodeofProfessionalEthicsDueProfessionalCare1.2ISACAStandardsandGuidelinesforISAuditingS4-CompetenceSkillsandKnowledgeContinuingProfessionalEducation1.2ISACAStandardsandGuidelinesforISAuditing

S5-PlanningAuditPlanning1.2ISACAStandardsandGuidelinesforISAuditingS6-PerformanceofAuditWorkSupervisionEvidence1.2ISACAStandardsandGuidelinesforISAuditingS7-ReportingReportContentandForm1.2ISACAStandardsandGuidelinesforISAuditingS8-Follow-upActivitiesReviewpreviousrelevantfindingsReviewpreviousconclusionsandmendations1.2ISACAStandardsandGuidelinesforISAuditingS9-IrregularitiesandIllegalActs

1.2ISACAStandardsandGuidelinesforISAuditingS10-ITgovernance

1.2ISACAStandardsandGuidelinesforISAuditingS11-UseofRiskAssessmentinAuditPlanning

1.2ISACAStandardsandGuidelinesforISAuditingConsidertheguidelinesindetermininghowtoimplementtheabovementionedstandards.Useprofessionaljudgementinapplyingthem.Beabletojustifyanydeparture.

TheISauditorshould:1.3RiskAnalysis

“Thepotentialthatagiventhreatwillexploitvulnerabilitiesofanassetorgroupofassetstocauselossordamagetotheassets.Theimpactorrelativeseverityoftheriskisproportionaltothebusinessvalueoftheloss/damageandtotheestimatedfrequencyofthethreat.”1.3RiskAnalysisThreatsto,andvulnerabilitiesof,processesand/orassets(includingbothphysicalandinformationassets)ImpactonassetsbasedonthreatsandvulnerabilitiesProbabilitiesofthreats(combinationofthelikelihoodandfrequencyofoccurrence)1.4InternalControlsDefinitionofInternalControlInternalcontrolisaprocessputinplacebytheboardofdirectors,seniormanagementandalllevelsofpersonneltoprovidereasonableassurancethatanorganization'sobjectiveswillbeachieved.1.4InternalControlsControlsPreventiveDetectiveCorrective1.4InternalControlsInternalControlObjectivesISControlObjectivesCobiTGeneralControlProceduresISControlProceduresControlClassifications1.4InternalControlsInternalControlObjectivesInternalcontrolsystemcomponentsInternalaccountingcontrolsOperationalcontrolsAdministrativecontrolsRelevantissues1.4InternalControlsISControlObjectives1.4InternalControlsCOBITITcontrolobjectivesandstandardsofgoodpractice34high-levelcontrolobjectivesExamples1.4InternalControlsGeneralControlProcedures1.4InternalControlsISControlProceduresControlproceduresincludepoliciesandpracticesestablishedbymanagementtoprovidereasonableassurancethatspecificobjectiveswillbeachieved1.4InternalControlsISControlProcedurescanbecategorizedintothefollowingareas:GeneralorganizationcontrolproceduresAccesstodataandprogramsSystemdevelopmentmethodologiesDataprocessingoperationsSystemsprogrammingandtechnicalsupportfunctionsDataprocessingqualityassuranceprocedures1.5PerforminganISAudit

DefinitionofauditingSystematicprocessbywhichacompetent,independentpersonobjectivelyobtainsandevaluatesevidenceregardingassertionsaboutaneconomicentityoreventforthepurposeofforminganopinionaboutandreportingonthedegreetowhichtheassertionconformstoanidentifiedsetofstandards.

1.5PerforminganISAudit

Classificationofaudits:FinancialAuditsOperationalAuditsIntegratedAuditsAdministrativeAuditsInformationSystemsAudits1.5PerforminganISAudit

DefinitionofISauditing

ISauditingistheprocessofcollectingandevaluatingevidencetodeterminewhetherinformationsystemsandITenvironmentsadequatelysafeguardassets,maintaindataandsystemintegrity,providerelevantandreliableinformation,achieveorganizationalgoalseffectively,consumeresourcesefficiently,andhaveineffectinternalcontrolsthatprovidereasonableassurancethatoperationalandcontrolobjectiveswillbemet.1.5PerforminganISAuditGeneralAuditProceduresObtainingandrecordinganunderstandingofauditarea/subjectRiskassessmentandgeneralauditplanDetailedauditplanningPreliminaryreviewofauditarea/subjectEvaluatingauditarea/subjectCompliancetesting(testofcontrols)SubstantivetestingReportingFollow-up1.5PerforminganISAuditControlobjectivesAuditObjectivesDifferencebetweencontrolandauditobjectives1.5PerforminganISAuditAuditMethodology/StrategyStatementofscopeStatementofauditobjectivesStatementofworkprogramTypicalAuditPhases1.5PerforminganISAuditMateriality-anexpressionoftherelativesignificanceorimportanceofaparticularmatterinthecontextoftheorganisationasawhole.重要性-是指被審計單位會計報表中錯報或漏報的嚴重程度,這一程度在特定環(huán)境下可能影響會計報表使用者的判斷或決策。思考題在一次財務審計中,重要性水平確定為100000元,因此,余額小于100000元以下的賬戶不用檢查.1.5PerforminganISAuditRisk-basedapproachFocusesonthebusinessfromamanagementperspectiveEmphasisonknowledgeofthebusinessandtechnologyFocusesonassessingtheeffectivenessofa“combination”ofcontrolsLinkagebetweenriskassessmentandtestingfocusingoncontrolobjectives.1.5PerforminganISAudit

Auditriskcanbecategorizedas:

InherentRiskControlRiskDetectionRiskOverallAuditRiskRiskAssessmentTechniquesEnablesmanagementtoeffectivelyallocatelimitedauditresources.Ensuresthatrelevantinformationhasbeenobtained.Establishesabasisforeffectivelymanagingtheauditdepartment.Providesasummaryofhowtheindividualauditsubjectisrelatedtotheoverallorganizationandtobusinessplans.1.5PerforminganISAudit1.5PerforminganISAuditRelationshipbetweenSubstantiveandCompliancetestsCorrelationbetweenthelevelofinternalcontrolsandSubstantiveTestingRequired1.5PerforminganISAudit

Evidence–Itisarequirementthattheauditor’sconclusionsmustbebasedonsufficient,competentevidence.IndependenceoftheprovideroftheevidenceQualificationoftheindividualprovidingtheinformationorevidenceObjectivityoftheevidence1.5PerforminganISAuditTechniquesforgatheringevidence:ReviewISorganizationstructuresReviewISpolicies,proceduresandstandardsReviewISdocumentationInterviewappropriatepersonnelObserveprocessesandemployeeperformance.1.5PerforminganISAuditSamplingGeneralapproachestoauditsampling:StatisticalsamplingNon-statisticalsamplingMethodsofSamplingusedbyauditors:AttributesamplingVariablesampling1.5PerforminganISAuditSampling(Continued…)AttributesamplingAttributesamplingStop-or-gosamplingDiscoverysamplingVariableSampling:StratifiedmeanperunitUnstratifiedmeanperunitDifferenceestimationStatisticalsamplingterms:ConfidentcoefficientLevelofriskPrecisionExpectederrorrateSamplemeanSamplestandarddeviationTolerableerrorratePopulationstandarddeviationKeystepsinchoosingasample1.5PerforminganISAuditComputer-assistedAuditTechniquesCAATSareasignificanttoolsforISauditorstogatherinformationindependently.Includes:Generalizedauditsoftware(ACL,IDEA,etc.)UtilitysoftwareTestdataApplicationsoftwareforcontinuousonlineauditsAuditexpertsystems1.5PerforminganISAuditComputer-assistedAuditTechniquesNeedforCAATsEvidencecollectionFunctionalCapabilitiesFunctionssupportedAreasofconcern1.5PerforminganISAuditComputer-assistedAuditTechniquesExamplesofCAATsusedtocollectevidenceContinuousOnlineAuditApproach1.5PerforminganISAuditComputer-AssistedAuditTechniquesAdvantagesofCAATsCost/benefitsofCAATs1.5PerforminganISAuditComputer-assistedAuditTechniquesDevelopmentofCAATsDocumentationretentionAccesstoproductiondataDatamanipulation1.5PerforminganISAuditEvaluationofstrengthsandweaknessesAssesevidenceEvaluateoverallcontrolstructureEvaluatecontrolobjectivesAssesscontrolstrengthenandweaknesses

1.5PerforminganISAuditJudgingMaterialityofFindingsMaterialityisakeyissueAssessmentrequiresjudgmentofthepotentialeffectofthefindingifcorrectiveactionisnottaken.1.5PerforminganISAudit

CommunicatingAuditResultsAuditreportstructureandcontentsExitinterviewPresentationtechniquesExecutivesummaryVisualpresentation1.5PerforminganISAudit1.5PerforminganISAuditManagementActionstoImplementmendationsAuditingisanongoingprocessTimingoffollow-upAuditDocumentationConstrainsontheConductoftheAuditProjectManagementTechniquesDevelopadetailedplanReportprojectactivityagainsttheplanAdjusttheplanandtakecorrectiveaction,asrequired1.5.17AuditDocumentation1.6ControlSelf-AssessmentBenefitsofCSADisadvantagesofCSAAuditorRoleinCSATechnologyDriversforCSATraditionalvs.CSAApproach1.7EmergingChangesintheISAuditProcessAutomatedWorkPapersIntegratedAuditingContinuousAuditing1.8 Chapter1CaseStudy1.8.1CaseStudyScenario

1.8.2CaseStudyQuestions

Chapter1:GlossaryAdministrativecontrolsAttributesamplingAuditriskCompliancetestingCAATControlriskEmbeddedauditmodulesMaterialityChapter1:Questions1.AnISauditor,performingareviewofanapplication’scontrols,discoversaweaknessinsystemsoftware,whichcouldmateriallyimpacttheapplication.TheISauditorshould:A.ignorethesecontrolweaknessesasasystemsoftwarereviewisbeyondthescopeofthisreview.B.conductadetailedsystemsoftwarereviewandreportthecontrolweaknesses.C.includeinthereportastatementthattheauditwaslimitedtoareviewoftheapplication’scontrols.D.reviewthesystemsoftwarecontrolsasrelevantandmendadetailedsystemsoftwarereview.Chapter1:Questions2.AnISauditor’sindependencewouldMOSTlikelybequestionedif:A.theclienthasagreedtothescopeoftheaudit.B.ISmanagementhashadinputintotheschedulingoftheaudit.C.theclientwillhavefinalauthorityonthecontentsoftheauditreport.D.theaudithasbeenrequestedbythemanagementoftheareatotheaudited.Chapter1:Questions3.WhichofthefollowingistheMOSTappropriateauditevaluationtechniquetoprovideassurancethatadequatedatabackupsexisttoallowtimelyrecoveryofsystemoperationsfollowingservicedisruptions?A.Stop-or-gosamplingB.InterviewpersonnelandreviewinformationsystemsorganizationstructureC.ReviewapplicabledocumentedproceduresandobservetheprocessD.UseanyautomatedtoolChapter1:Questions4.TheISdepartmenthasbeenrequestedbyexecutivemanagementtoreviewsystemsoftwareaccesscontrols.TheISauditdepartmentdoesnothaveonstaffanyonewithknowledgeinthisarea.Theyshould:A.performtheauditandacknowledgeinthereportalackofexpertise.B.conducttheauditwiththeassistanceofthesystemsoftwaremanager.C.obtaintraininginsystemsoftwareandthenperformtheaudit.D.conducttheassignmentbylearningon-the-job.Chapter1:Questions5.Theobjectiveof

溫馨提示

  • 1. 本站所有資源如無特殊說明,都需要本地電腦安裝OFFICE2007和PDF閱讀器。圖紙軟件為CAD,CAXA,PROE,UG,SolidWorks等.壓縮文件請下載最新的WinRAR軟件解壓。
  • 2. 本站的文檔不包含任何第三方提供的附件圖紙等,如果需要附件,請聯(lián)系上傳者。文件的所有權益歸上傳用戶所有。
  • 3. 本站RAR壓縮包中若帶圖紙,網(wǎng)頁內容里面會有圖紙預覽,若沒有圖紙預覽就沒有圖紙。
  • 4. 未經(jīng)權益所有人同意不得將文件中的內容挪作商業(yè)或盈利用途。
  • 5. 人人文庫網(wǎng)僅提供信息存儲空間,僅對用戶上傳內容的表現(xiàn)方式做保護處理,對用戶上傳分享的文檔內容本身不做任何修改或編輯,并不能對任何下載內容負責。
  • 6. 下載文件中如有侵權或不適當內容,請與我們聯(lián)系,我們立即糾正。
  • 7. 本站不保證下載資源的準確性、安全性和完整性, 同時也不承擔用戶因使用這些下載資源對自己和他人造成任何形式的傷害或損失。

最新文檔

評論

0/150

提交評論