Mike Romeu
Week 14 – Final Review
Study Guide: MIS 5201 Final Study Guide 2017
The final exam will be available from May 1 (evening) through May 8.
Best of luck with your finals and have a great summer. You all deserve it.
Sincerely, Prof. Mike Romeu
Week 13 – Reporting, Follow-Up and CSA
I am including an audit report from 2012 where the auditor is presenting the results of his assessment on IT’s system development life cycle (SDLC) and the project management framework designed by the Project Management Office (PMO).
Please exercise judgement with this document.
Audit Report: SDLC Audit Review – Report
Class Video: Reporting, Follow-Up and CSA Video
Class Slides: Week 13 – Reporting and Follow-Up
Week 12 – More Sampling and Testing
Class Video: More Sampling and Testing Video
Class Slides: Week 12 – Sampling and Testing
Week 11 – Sampling and Testing
Class Video: Week 11 – Sampling and Testing Video
Class Slides: Week 11 – Sampling and Testing
Week 10 – Wrap Up
This session was all about Audit Sampling – “the application of an Audit Procedure to less than 100% of the target population, for the purpose of drawing general conclusions about the entire population based on the characteristics detected in the sample”.
We learned about two types of Sampling approaches:
- Statistical – good for when you need to consider sampling risk, confidence level, and precision, but costly and complex.
- Non-Statistical – good because of its flexibility, its greater reliance on the auditor’s experience and judgement, and because it allows reasonable reliability at a reasonable cost. Unfortunately the results are not statistically valid, they have a greater chance of resulting in wrong sample sizes, and they do not provide an objective measure of sampling risk.
To illustrate a few points we evaluated an access management control with the intent of assessing compliance with approval requirements. We selected a sample of 103 requests for new access or changes to existing access, out of a population of 650. Testing the sample yielded 4 requests that were granted without proper approval (i.e. they failed the tests). Four (4) deviations out of a randomly selected sample of 103 exceeded our deviation rate tolerance of 6%, demonstrating that the control was not working as intended.
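The evaluation behind this result, as an added example that is not part of the class materials: it assumes the conclusion is reached by comparing the one-sided upper deviation limit at 95% confidence with the 6% tolerable rate, and it computes that limit from the binomial distribution instead of reading it from the class evaluation table. The function names are illustrative.

```python
from math import comb


def binom_cdf(k, n, p):
    """P(X <= k) for X ~ Binomial(n, p)."""
    return sum(comb(n, i) * p**i * (1 - p) ** (n - i) for i in range(k + 1))


def upper_deviation_limit(deviations, sample_size, confidence=0.95):
    """One-sided upper bound on the population deviation rate.

    Finds the largest rate p at which seeing `deviations` or fewer failures
    in the sample still has probability >= 1 - confidence (bisection on p).
    """
    risk = 1.0 - confidence
    lo, hi = 0.0, 1.0
    for _ in range(60):
        mid = (lo + hi) / 2
        if binom_cdf(deviations, sample_size, mid) > risk:
            lo = mid  # this rate is still plausible, so the bound is higher
        else:
            hi = mid
    return hi


def max_acceptable_deviations(sample_size, tolerable_rate, confidence=0.95):
    """Largest failure count whose upper limit stays within the tolerable rate.

    Returns -1 if even zero deviations cannot support the tolerable rate.
    """
    k = -1
    while (k + 1 <= sample_size and
           upper_deviation_limit(k + 1, sample_size, confidence) <= tolerable_rate):
        k += 1
    return k


if __name__ == "__main__":
    # Figures from the access-request test described above.
    n, failed, tolerable = 103, 4, 0.06
    ucl = upper_deviation_limit(failed, n)
    print(f"observed rate        : {failed / n:.2%}")
    print(f"upper deviation limit: {ucl:.2%} (95% confidence)")
    print(f"tolerable rate       : {tolerable:.2%}")
    print("control fails" if ucl > tolerable else "control supported")
    print("max deviations allowed:", max_acceptable_deviations(n, tolerable))
```

The observed rate of 4 in 103 is below 6%, but the upper limit is not, which is why the sample does not support reliance on the control.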
We will revisit the subject of Sampling again next week, running through a few more examples during the first half of our class. The second half will be dedicated to testing.
You will find a link to a video recording of this week’s session – including additional information regarding our project – and a copy of the slides. I also included a copy of the sampling tables we used during class.
Class Video: Week 10 – Sampling
Class Slides: Week 10 – Sampling
Statistical Sample Size for Test of Control – to determine sample size (95% confidence interval)
Statistical Sampling Results Evaluation Table for Test of Controls – to evaluate the results from testing samples.
Week 09 – IT Audit Procedure: Planning and Evidence
This session is prerecorded. Please refer to the video links below.
There will be NO classroom or WebEx session this week.
Class Video: Week 09 – IT Audit Procedure-Planning and Evidence Note: You may have to download the file to your computer to play the video
Class Slides: Week 09 – IT Audit Procedure
Sample Audit Program: CTI Backup and Restore Assurance Program r2
CISA Review Manual:
- 1.5.8 Audit Programs
- 1.5.11 Evidence
- 1.6.2 Audit Documentation
Week 08 – Wrap Up
Class Capture: Week 08 – Audit Procedures Video
Class Slides: Week 08 – Audit Procedures
Audit Program Preparation Tool: IS Auditing Tools and Techniques – Creating Audit Programs
In our last class I mentioned an assessment that you will perform as a final project for the class. The company involved is CortTech, Inc. (any similarity with an existing entity is pure coincidence). Here’s a bit of information regarding the company and its IT organization, and a copy of the company’s IT change management policy.
Company Info: CoreTech, Inc
CTI IT Organization: CTI Org Chart
Change Management Policy: CTI Change Management Policy
Week 08 – Audit Procedures
We will dedicate this entire session to designing an audit procedure. We will use one of the most critical IT general controls: Change Management. In preparation for our class, I encourage you to read the following:
CISA Review Manual:
- Chapter 3 – Information Systems Acquisition, Development and Implementation
- 3.10.1 Change Management Overview, pages 215 – 218.
- Chapter 4 – Information Systems Operations, Maintenance and Service Management
- 4.2.7 Change Management Process, pages 260-261
COBIT 5 Enabling Processes:
- BAI06 Change Management
Week 07 – Audit Planning and Performance
Class Video: N/A – unfortunately the video for this session was corrupted
Class Slides: Week 07 – IT Audit Planning and Performance
Sample Audit Plans:
Week 06 – Wrap Up
Class Video: Week 06 – IT Risks and Controls – A Deeper Dive
Class Slides: Week 06 – IT Risk and Controls – A Deeper Dive
IS Controls: Examples
Backup and Restore Procedure: CareTech Backup and Restore SOP