This session is prerecorded. Please refer to the video links below.
There will be NO classroom or WebEx session this week.
Class Video: Week 09 – IT Audit Procedure-Planning and Evidence Note: You may have to download the file to your computer to play the video
Class Slides: Week 09 – IT Audit Procedure
Sample Audit Program: CTI Backup and Restore Assurance Program r2
CISA Review Manual:
- 1.5.8 Audit Programs
- 1.5.11 Evidence
- 1.6.2 Audit Documentation
Class Capture: Week 08 – Audit Procedures Video
Class Slides: Week 08 – Audit Procedures
Audit Program Preparation Tool: IS Auditing Tools and Techniques – Creating Audit Programs
In our last class I mentioned an assessment that you will perform as a final project for the class. The company involved is CoreTech, Inc. (any similarity with an existing entity is pure coincidence). Here’s a bit of information regarding the company and its IT organization, and a copy of the company’s IT change management policy.
Company Info: CoreTech, Inc
CTI IT Organization: CTI Org Chart
Change Management Policy: CTI Change Management Policy
We will dedicate this entire session to designing an audit procedure. We will use one of the most critical IT general controls: Change Management. In preparation for our class, I encourage you to read the following:
CISA Review Manual:
- Chapter 3 – Information Systems Acquisition, Development and Implementation
- 3.10.1 Change Management Overview, pages 215 – 218.
- Chapter 4 – Information Systems Operations, Maintenance and Service Management
- 4.2.7 Change Management Process, pages 260-261
COBIT 5 Enabling Processes:
- BAI06 Change Management
Class Video: N/A – unfortunately the video for this session was corrupted
Class Slides: Week 07 – IT Audit Planning and Performance
Sample Audit Plans:
CISA Review Manual:
- Section 1.4 IS Controls. This includes all subsections except 1.4.4 COBIT 5.
Article for Discussion:
- “Preparing for Auditing New Risk, Part 1”, by Ed Gelbstein, Ph.D
The underlying assumption of many articles and discussions regarding IS and General controls is that there is an IT organization (or function) that has a reasonable level of control over the IT assets (data, hardware, software, services…) of the enterprise. (You may want to also read Tommie Singleton’s article “The Core of IT Auditing”.) But things have changed significantly in the last few years.
Consider the following: mobile technology has blurred the lines between personal and work spaces; services offered by internal IT organizations are now easily procured on the cloud… usually without the need of IT intervention.
Question: What challenges do you think these present in terms of governance (IT governance) and risk optimization?
Class Video: Week 05 – IT Risks and Controls
Class Slides: Week 05 – IT Risk and Controls
Risk Assessment Worksheet: Risk Assessment
This week we learned a few things about the concept of Risk and its relationship to audit and assurance. We learned that:
- Risk is expressed as the product of its impact and the probability of it occurring (R = I × P)
- Risk can be measured quantitatively and qualitatively, each having advantages and disadvantages
- The measure of Risk will always have some level of subjectivity.
We also learned about:
- Inherent Risk
- Residual Risk
- Control Risk
- Detection Risk
- Sampling Risk… although I only mentioned this in passing; we will get back to it when we talk about sampling.
For illustration purposes we went through a fairly simple exercise to quantify Risk using All World Airways as an example. We then used the same Risks and assessed them qualitatively.
We ended our session after a quick – very quick – introduction to Controls. Both Risk and Controls are very important so we will spend next week digging a little deeper into these.
Have a great week.
Class Video: Not Available. We conducted this class entirely online and there was no video capture.
Class Slides and Mindmap: Week 04-Laws Regs and Vendor Management.pptx
There are many factors to take into account to determine the scope of an audit assurance initiative. It requires
- Identifying all the Stakeholders and their stake. These are what drive the engagement
- Determining the objectives of the engagement based on internal and external environmental factors
- Identifying the enablers in scope to obtain the most comprehensive scope for the assurance engagement
You will find more information on scoping in Section 2B, Chapter 3 – Determine Scope of the Assurance Initiative – of COBIT 5 for Assurance.
The link above is for the class slides and the mind map we drew during class. Mind mapping is a great way to break down a subject – scoping the assurance initiative – or ideas into smaller concepts or steps. It is a great tool for brainstorming. If you liked the tool I used – XMind – there’s a free version you can use. Google “mind mapping software” and you’ll get a few hits.
I’ll post reading assignments for our next class sometime tomorrow.
Technology changes at mind-boggling speeds, and it greatly affects businesses and enterprises. What do you consider to be more important, depth of knowledge in technology, or its impact on the enterprise?
The articles selected for this week are mostly focused on the soft skills required for our profession. After all, we are working with people, even though we are IT Auditors. There are plenty of opinions regarding the so-called “Millennial” generation. This is the generation you will most likely be working with as you mature in your career. How do you think the Audit and Assurance profession will benefit from their contributions?