MIS 5201-IT Audit Process

MIS 5201.001 – Mike Romeu

Week 09 – IT Audit Procedure: Planning and Evidence

This session is prerecorded. Please refer to the video links below.

There will be NO classroom or WebEx session this week.

Class Video: Week 09 – IT Audit Procedure. Note: You may have to download the file to your computer to play the video.

Class Slides: Week 09 – IT Audit Procedure

Sample Audit Program: CTI Backup and Restore Assurance Program r2

CISA Review Manual:

  • 1.5.8 Audit Programs
  • 1.5.11 Evidence
  • 1.6.2 Audit Documentation

Week 08 – Wrap Up

Class Capture: Week 08 – Audit Procedures Video

Class Slides: Week 08 – Audit Procedures

Audit Program Preparation Tool: IS Auditing Tools and Techniques – Creating Audit Programs

In our last class I mentioned an assessment that you will perform as a final project for the class. The company involved is CoreTech, Inc. (any similarity with an existing entity is pure coincidence). Here’s a bit of information regarding the company and its IT organization, and a copy of the company’s IT change management policy.

Company Info: CoreTech, Inc

CTI IT Organization: CTI Org Chart

Change Management Policy: CTI Change Management Policy

Week 08 – Audit Procedures

We will dedicate this entire session to designing an audit procedure. We will use one of the most critical IT general controls: Change Management. In preparation for our class, I encourage you to read the following:

CISA Review Manual:

  • Chapter 3 – Information Systems Acquisition, Development and Implementation
    • 3.10.1 Change Management Overview, pages 215 – 218.
  • Chapter 4 – Information Systems Operations, Maintenance and Service Management
    • 4.2.7 Change Management Process, pages 260 – 261.

COBIT 5 Enabling Processes:

  • BAI06 Change Management

Week 06 – Risks and Controls; A Deeper Dive

Quiz 1 Study Guide

CISA Review Manual:

  • Section 1.4 IS Controls. This includes all subsections except 1.4.4 COBIT 5.

Article for Discussion:

The underlying assumption of many articles and discussions regarding IS and general controls is that there is an IT organization (or function) that has a reasonable level of control over the IT assets (data, hardware, software, services…) of the enterprise. (You may also want to read Tommie Singleton’s article “The Core of IT Auditing”.) But things have changed significantly in the last few years.

Consider the following: mobile technology has blurred the lines between personal and work spaces; services offered by internal IT organizations are now easily procured on the cloud… usually without the need of IT intervention.

Question: What challenges do you think these present in terms of governance (IT governance) and risk optimization?


Week 05 – Wrap up

Class Video: Week 05 – IT Risks and Controls

Class Slides: Week 05 – IT Risk and Controls

Risk Assessment Worksheet: Risk Assessment

This week we learned a few things about the concept of Risk and its relationship to audit and assurance. We learned that:

  1. Risk is expressed as the product of its impact and the probability of it occurring (R = I × P).
  2. Risk can be measured quantitatively and qualitatively, each having advantages and disadvantages
  3. The measure of Risk will always have some level of subjectivity.

We also learned about:

  • Inherent Risk
  • Residual Risk
  • Control Risk
  • Detection Risk
  • Sampling Risk (mentioned only in passing; we will come back to it when we talk about sampling).

For illustration purposes we went through a fairly simple exercise to quantify Risk using All World Airways as an example. We then took the same Risks and assessed them qualitatively.
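The following is an added example, not part of the course page, the slides or the class worksheet. It works a small constructed risk register the way the All World Airways exercise did: the same R = I × P formula is applied once in money terms (quantitative) and once on ordinal 1 to 5 scales (qualitative), and the two rankings are compared, which is where the subjectivity of the qualitative scales shows up. It also derives residual risk from inherent risk and a control, and shows how inherent and control risk bound the detection risk an auditor can accept. The scenarios and figures, the 1 to 5 scales, the band cut-offs, the linear residual-risk reduction and the multiplicative audit risk model AR = IR × CR × DR are all assumptions made for the illustration, not material from the page.

```python
"""Risk scoring helper for an IT audit risk assessment worksheet.

Added example, not part of the original course page or the class worksheet.
Every risk scenario and figure below is constructed; the 1-5 scales, the
qualitative band cut-offs, the linear residual-risk reduction and the use of
the multiplicative audit risk model are assumptions made for illustration.
"""
from dataclasses import dataclass

# Constructed qualitative bands for a 1-5 impact x 1-5 probability matrix
# (assumption): product 1-4 Low, 5-9 Medium, 10-14 High, 15-25 Critical.
QUALITATIVE_BANDS = [(4, "Low"), (9, "Medium"), (14, "High"), (25, "Critical")]


@dataclass
class Risk:
    name: str
    impact: int             # ordinal impact, 1 (negligible) .. 5 (severe)
    probability: int        # ordinal likelihood, 1 (rare) .. 5 (almost certain)
    loss_per_event: float   # money lost per occurrence (constructed)
    events_per_year: float  # expected occurrences per year (constructed)


def quantitative_risk(loss_per_event, events_per_year):
    """R = I x P in money terms: expected annual loss."""
    return loss_per_event * events_per_year


def qualitative_score(impact, probability):
    """R = I x P on ordinal 1-5 scales; the product places the risk in the matrix."""
    for value in (impact, probability):
        if not 1 <= value <= 5:
            raise ValueError("impact and probability must be between 1 and 5")
    return impact * probability


def qualitative_rating(score):
    """Map a matrix score to its band label (bands are an assumption)."""
    for upper_bound, label in QUALITATIVE_BANDS:
        if score <= upper_bound:
            return label
    raise ValueError("score outside the 1-25 matrix")


def residual_risk(inherent_risk, control_effectiveness):
    """Residual risk: the inherent risk left after a control acts on it.
    control_effectiveness runs 0.0 (no control) .. 1.0 (fully effective);
    treating the reduction as linear is an assumption."""
    if not 0.0 <= control_effectiveness <= 1.0:
        raise ValueError("control_effectiveness must be between 0 and 1")
    return inherent_risk * (1.0 - control_effectiveness)


def planned_detection_risk(acceptable_audit_risk, inherent_risk, control_risk):
    """Detection risk the auditor can accept under the audit risk model
    AR = IR x CR x DR (standard model; assumed here, not stated on the page).
    Lower control risk lets the auditor accept higher detection risk, i.e.
    less substantive testing; higher control risk requires more."""
    return acceptable_audit_risk / (inherent_risk * control_risk)


def rank_quantitatively(risks):
    """Risk names ordered by expected annual loss, highest first."""
    return [r.name for r in sorted(
        risks,
        key=lambda r: quantitative_risk(r.loss_per_event, r.events_per_year),
        reverse=True)]


def rank_qualitatively(risks):
    """Risk names ordered by matrix score, highest first."""
    return [r.name for r in sorted(
        risks,
        key=lambda r: qualitative_score(r.impact, r.probability),
        reverse=True)]


# Constructed register in the spirit of the All World Airways exercise.
REGISTER = [
    Risk("Reservation system outage", 5, 2, 2_000_000.0, 0.25),
    Risk("Unauthorized change to crew scheduling app", 4, 3, 150_000.0, 2.0),
    Risk("Lost backup tape", 3, 3, 50_000.0, 0.5),
    Risk("Phishing of finance staff", 3, 5, 20_000.0, 4.0),
]

if __name__ == "__main__":
    for r in REGISTER:
        score = qualitative_score(r.impact, r.probability)
        money = quantitative_risk(r.loss_per_event, r.events_per_year)
        print(f"{r.name:45} ${money:>12,.0f}  {score:>2} {qualitative_rating(score)}")
    print("quantitative order:", rank_quantitatively(REGISTER))
    print("qualitative order: ", rank_qualitatively(REGISTER))
```

With the constructed figures the reservation outage tops the quantitative ranking (largest expected annual loss) while the phishing scenario tops the qualitative one (it lands in the Critical band of the matrix). Neither ordering is wrong; the ordinal scales compress large differences in loss, which is the subjectivity point from the session.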

We ended our session after a quick – very quick – introduction to Controls. Both Risk and Controls are very important so we will spend next week digging a little deeper into these.

Have a great week.

Week 04 – Wrap Up

Class Video: Not Available. We conducted this class entirely online and there was no video capture.

Class Slides and Mindmap: Week 04-Laws Regs and Vendor Management.pptx

There are many factors to take into account to determine the scope of an audit assurance initiative. It requires

  • Identifying all the Stakeholders and their stake. These are what drive the engagement
  • Determining the objectives of the engagement based on internal and external environmental factors
  • Identifying the enablers in scope to obtain the most comprehensive scope for the assurance engagement

You will find more information on scoping in Section 2B, Chapter 3 – Determine Scope of the Assurance Initiative – of COBIT 5 for Assurance.

The link above is for the class slides and the mind map we drew during class. Mind mapping is a great way to break down a subject – scoping the assurance initiative – or ideas into smaller concepts or steps. It is a great tool for brainstorming. If you liked the tool I used – XMind – there’s a free version you can use. Google “mind mapping software” and you’ll get a few hits.

I’ll post reading assignments for our next class sometime tomorrow.


Week 03 – Discussion Question 3

The articles selected for this week are mostly focused on the soft skills required for our profession. After all, we are working with people, even thought we are IT Auditors. There are plenty of opinions regarding the so-called “Millennial” generation. This the generation you will most likely be working with as you mature in your career. How do you think the Audit and Assurance profession will benefit from their contributions?