Module 2: Information Systems Assurance Services

Transcription

Module 2: Information Systems Assurance Services
2.0 Overview
CA A. Rafeq

Modules of the DISA Course (weightage in %)
1. Primer on Information Technology, IS Infrastructure and Emerging Technologies (18)
2. Information Systems Assurance Services (12)
3. Governance and Management of Enterprise Information Technology, Risk Management and Compliance Reviews (12)
4. Protection of Information Systems Infrastructure and Information Assets (18)
5. Systems Development: Acquisition, Maintenance and Implementation (12)
6. Business Applications Software Audit (12)
7. Business Continuity Management (6)
Project report (10)

Structure of material
Background Material
- Contents as per module. Each module has 3 sections:
  Section 1: Overview
  Section 2: Contents
  Section 3: Appendix
DISA 2.0 Course DVD
- The reading material for the DISA 2.0 course includes a DVD which is a comprehensive collection of educational material.
- Includes Background Material, Reference Material, e-Lectures, PowerPoint Presentations, Podcasts/MP3 files and Self-Assessment Quiz.

Benefits of DISA 2.0 Course DVD
- Designed to be supplementary to the background material.
- Useful for self-learning.
- Training aid.
DISA candidates are strongly advised to use this for studying for the ISA course.

Section 1: Overview
- Detailed Table of Contents
- Module objective
- Task statements: outline what DISAs will learn to do.
- Knowledge statements: oriented towards providing the knowledge needed for specific tasks.
- Task and knowledge mapping statement: provides the relationship between each task and one or more knowledge statements.
- Knowledge reference guide: provides content references from the chapters for each of the knowledge statements/areas.

Section 2 and 3
Section 2: Contents
- Provides content as per the chapter.
- Each chapter/part has the learning objectives followed by topics which are covered in brief or in detail as required.
- At the end of each chapter, there are sample questions followed by answers and explanations.
- References
Section 3: Appendix
- Provides appendices which have checklists/templates as referenced in the material.

Salient features of ISA Course 2.0
- Learning Objectives
- Task Statements
- Knowledge Statements
- Relationship between Task and Knowledge Statements
- Knowledge Statement Reference Guide
- Organisation of Chapters

Objectives
Provide IS assurance or IT enabled services and perform effective audits in a computerised environment by using relevant standards, guidelines, frameworks and best practices.

Learning Objectives
Provide assurance or consulting services in the areas of Governance, Risk Management, Security, Controls and Compliance by using relevant standards, guidelines, frameworks and best practices.

Task Statements

Task Statements 1
2.1 Develop and implement an appropriate risk-based approach as per the scope and objective of the assignment.
2.2 Adapt and use relevant IT assurance standards, guidelines, frameworks and best practices.
2.3 Plan assurance or consulting assignments covering specific steps such as: responding to a request for proposal from the client, submitting the proposal, scoping of audit objectives, performing the audit, evaluating findings and reporting, covering the complete life cycle of the assignment.

Task Statements 2
2.4 Document understanding of the enterprise technology deployment, IT organisation structure and technology environment including control architecture so as to analyse and assess IT risks.
2.5 Perform assurance or consulting services covering the complete assurance life cycle including scoping, risk assessment, audit planning, audit program, audit procedures, using audit tools, performing the audit as per audit objectives, obtaining and evaluating audit evidence, identifying key areas of weakness, reporting findings, obtaining management response and follow-up of implementation.

Task Statements 3
2.6 Use Computer Assisted Audit Techniques, tools and risk assessment techniques including sampling, data analysis, Business Intelligence and Business Analytics.
2.7 Distinguish between IS Assurance assignments and auditing in a computerised environment and use the relevant frameworks and best practices for compliance and assurance assignments.
2.8 Communicate/report findings in a specific format using standards/best practices as required.

Task Statements 4
2.9 Conduct follow-up reviews or prepare status reports to ensure appropriate actions have been taken by management in a timely manner.
2.10 Distinguish key steps and processes of Cyber Frauds investigation and Cyber Forensics.
2.11 Create an IS Assurance or consulting function in an enterprise/within a CA office by identifying key enablers and resources, including identifying the required personnel with the required competencies and skill sets.

Knowledge Statements

Knowledge Statements 1
2.1 Relevant IT assurance standards, guidelines, frameworks and best practices as per scope and objective of the assignment.
2.2 Statements of auditing relating to auditing in a computerised environment.
2.3 Different aspects of IS Audit process: audit charter, audit planning, audit universe, risk-based audit approach, IS Audit standards, guidelines, regulations, procedures and audit reporting.
2.4 Role and responsibilities of IS Audit function/department and key enablers.

Knowledge Statements 2
2.5 Documenting enterprise, technology deployment, organisation structure and technology environment including control architecture so as to analyse and assess risks.
2.6 Audit risk management strategy and approach.
2.7 Assurance or consulting services including scoping, risk assessment, audit planning, audit program, audit procedures, using audit tools, analysis and reporting.

Knowledge Statements 3
2.8 IS Audit process cycle from scoping to reporting.
2.9 Defining audit scope and objectives.
2.10 Preparing request for proposal from client, submitting proposal.

Knowledge Statements 4
2.11 Audit documentation, obtaining and evaluating audit evidence.
2.12 Analysis of evidence, risk rating of findings/control weaknesses, reporting findings, obtaining management response and follow-up of implementation.
2.13 Types of internal control and related risks.

Knowledge Statements 5
2.14 Analytical procedures, compliance testing and substantive testing.
2.15 Types of IT enabled services, IS Assurance assignments and auditing in a computerised environment, and using the relevant processes and best practices for compliance and assurance assignments.

Knowledge Statements 6
2.16 Cyber Frauds investigation and cybercrimes, specific process relating to Cyber Forensics.
2.17 Audit tools and techniques including CAAT, tools and risk assessment techniques including data analysis, Business Intelligence, sampling, automation of IS Assurance, etc.

Knowledge Statements 7
2.18 Using best practices frameworks such as COBIT, ISO, etc.
2.19 Key provisions of the Information Technology Act and Rules and their impact on IS Assurance.
2.20 Follow-up review.

Relation of Task and Knowledge Statements

Task and Knowledge Statements Mapping
Task Statement
2.1 Develop and implement an appropriate risk-based approach as per the scope and objective of the assignment.
Knowledge Statements
2.1 Relevant IT assurance standards, guidelines, frameworks and best practices as per scope and objective of the assignment.
2.3 Different aspects of IS Audit process: audit charter, audit planning, audit universe, risk-based audit approach, IS Audit standards, guidelines, regulations, procedures and audit reporting.
2.6 Audit risk management strategy and approach.
2.7 Assurance or consulting services including scoping, risk assessment, audit planning, audit program, audit procedures, using audit tools, analysis and reporting.
2.18 Using best practices frameworks such as COBIT.
2.19 Key provisions of the Information Technology Act and Rules and their impact on IS Assurance.
2.20 Follow-up review.

Task and Knowledge Statements Mapping
Task Statement
2.2 Adapt and use relevant IT assurance standards, guidelines, frameworks and best practices.
Knowledge Statements
2.5 Documenting enterprise, technology deployment, organisation structure and technology environment including control architecture so as to analyse and assess risks.
2.7 Assurance or consulting services including scoping, risk assessment, audit planning, audit program, audit procedures, using audit tools, analysis and reporting.
2.18 Using best practices frameworks such as COBIT, ISO, etc.
2.19 Key provisions of the IT Act and Rules and their impact on IS Assurance.

Task and Knowledge Statements Mapping
Task Statement
2.3 Plan assurance or consulting assignments covering specific steps such as: responding to a request for proposal from the client, submitting the proposal, scoping of audit objectives, performing the audit, evaluating findings and reporting, covering the complete life cycle of the assignment.
Knowledge Statements
2.3 Different aspects of IS Audit process: audit charter, audit planning, audit universe, risk-based audit approach, IS Audit standards, guidelines, regulations, procedures and audit reporting.
2.4 Role and responsibilities of IS Audit function/department and key enablers.
2.6 Audit risk management strategy and approach.
2.7 Assurance or consulting services including scoping, risk assessment, audit planning, audit program, audit procedures, using audit tools, analysis and reporting.
2.8 IS Audit process cycle from scoping to reporting.
2.9 Defining audit scope and objectives.

Task and Knowledge Statements Mapping
Task Statement
2.4 Document understanding of the enterprise, technology deployment, organisation structure and technology environment including control architecture so as to analyse and assess risks.
Knowledge Statements
2.5 Documenting enterprise, technology deployment, organisation structure and technology environment including control architecture so as to analyse and assess risks.
2.13 Types of internal control and related risks.

Task and Knowledge Statements Mapping
Task Statement
2.5 Perform assurance or consulting services covering the complete assurance life cycle including scoping, risk assessment, audit planning, audit program, audit procedures, using audit tools, performing the audit as per audit objectives, obtaining and evaluating audit evidence, identifying key areas of weakness, reporting findings, obtaining management response and follow-up of implementation.
Knowledge Statements
2.3 Different aspects of IS Audit process: audit charter, audit planning, audit universe, risk-based audit approach, IS Audit standards, guidelines, regulations, procedures and audit reporting.
2.4 Role and responsibilities of IS Audit function/department and key enablers.
2.6 Audit risk management strategy and approach.
2.7 Assurance or consulting services including scoping, risk assessment, audit planning, audit program, audit procedures, using audit tools, analysis and reporting.
2.8 IS Audit process cycle from scoping to reporting.
2.9 Defining audit scope and objectives.

Task and Knowledge Statements Mapping
Task Statement
2.6 Use Computer Assisted Audit Techniques, tools and risk assessment techniques including sampling, data analysis, Business Intelligence and Business Analytics.
Knowledge Statement
2.17 Audit tools and techniques including CAAT, tools and risk assessment techniques including data analysis, Business Intelligence, sampling, automation of IS Assurance, etc.

Task and Knowledge Statements Mapping
Task Statement
2.7 Distinguish between IS Assurance assignments and auditing in a computerised environment and use the relevant processes and best practices for compliance and assurance assignments.
Knowledge Statements
2.2 Statements of auditing relating to auditing in a computerised environment.
2.15 Types of IT enabled services, IS Assurance assignments and auditing in a computerised environment, and using the relevant processes and best practices for compliance and assurance assignments.

Task and Knowledge Statements Mapping
Task Statement
2.8 Communicate/report findings in a specific format using standards or best practices as required.
Knowledge Statement
2.12 Analysis of evidence, risk rating of findings/control weaknesses, reporting findings, obtaining management response and follow-up of implementation.
Task Statement
2.9 Conduct follow-up reviews or prepare status reports to ensure appropriate actions have been taken by management in a timely manner.
Knowledge Statement
2.20 Follow-up review.

Task and Knowledge Statements Mapping
Task Statement
2.10 Distinguish key steps and processes of Cyber Frauds investigation and Cyber Forensics.
Knowledge Statements
2.16 Cyber Frauds investigation and specific process relating to Cyber Forensics.
2.17 Computer Assisted Audit Techniques, tools and risk assessment techniques including data analysis, Business Intelligence, sampling, automation of IS Assurance, etc.

Task and Knowledge Statements Mapping
Task Statement
2.11 Create an IS Assurance or consulting function in an enterprise/within a CA office by identifying key enablers and resources, including identifying the required personnel with the required competencies and skill sets.
Knowledge Statements
2.3 Different aspects of IS Audit process: audit charter, audit planning, audit universe, risk-based audit approach, IS Audit standards, guidelines, regulations, procedures and audit reporting.
2.15 Types of IT enabled services, IS Assurance assignments and auditing in a computerised environment, and using the relevant processes and best practices for compliance and assurance assignments.
2.18 Using best practices frameworks such as COBIT, ISO, etc.

Knowledge Statement Reference Guide

2.1 Relevant IT assurance standards, guidelines, frameworks and best practices as per scope and objective of the assignment.
Key Concepts: IT assurance standards, guidelines, frameworks and best practices
Reference: 2.8

2.2 Statements of auditing relating to auditing in a computerised environment.
Key Concepts: Statements of auditing relating to auditing in a computerised environment
Reference: 1.3, 1.4 and 2.8

2.3 Different aspects of IS Audit process: audit charter, audit planning, audit universe, risk-based audit approach, IS Audit standards, guidelines, regulations, procedures and audit reporting.
Key Concepts: IS Audit process: audit charter, audit planning, audit universe, risk-based audit approach, IS Audit standards, guidelines, regulations, procedures and audit reporting
Reference: 1.6, 2.2, 2.3, 2.5, 2.7, 2.8, 2.9 and 2.21

2.4 Role and responsibilities of IS Audit function/department and key enablers.
Key Concepts: Role and responsibilities of IS Audit functions and departments
Reference: 1.9

2.5 Documenting enterprise, technology deployment, organisation structure and technology environment including control architecture so as to analyse and assess risks.
Key Concepts: Documenting enterprise, technology deployment, organisation structure and technology environment including control architecture
Reference: 2.7

2.6 Audit risk management strategy and approach.
Key Concepts: Audit risk management strategy and approach
Reference: 1.5, 1.7, 2.9 and 2.12

2.7 Assurance or consulting services including scoping, risk assessment, audit planning, audit program, audit procedures, using audit tools, analysis and reporting.
Key Concepts: Assurance or consulting services
Reference: Chapters 1 and 3 and appendix

2.8 IS Audit process cycle from scoping to reporting.
Key Concepts: IS Audit process cycle
Reference: 2.2 to 2.23

2.9 Defining audit scope and objectives.
Key Concepts: Audit scope and objectives
Reference: 2.2 and 2.4

2.10 Preparing request for proposal from client, submitting proposal.
Key Concepts: RFP and submitting proposal
Reference: 2.2.2

2.11 Audit documentation, obtaining and evaluating audit evidence.
Key Concepts: Audit documentation and audit evidence
Reference: 2.16, 2.17, 2.19 and 2.20

2.12 Analysis of evidence, risk rating of findings/control weaknesses, reporting findings, obtaining management response and follow-up of implementation.
Key Concepts: Analysis of evidence, risk rating, reporting findings, management response and follow-up
Reference: 2.16, 2.20 to 2.23

2.13 Types of internal control and related risks.
Key Concepts: Internal controls and related risks
Reference: 1.5 to 1.8 and 2.9

2.14 Analytical procedures, compliance testing and substantive testing.
Key Concepts: Analytical procedures, compliance testing and substantive testing
Reference: 2.12.4, 2.13 and 2.14

2.15 Types of IT enabled services, IS Assurance assignments and auditing in a computerised environment, and using the relevant processes and best practices for compliance and assurance assignments.
Key Concepts: Types of IT enabled services, IS Assurance assignments and auditing in a computerised environment, and using the relevant processes and best practices for compliance and assurance assignments
Reference: Chapter 3 and appendix

2.16 Cyber Frauds investigation and cybercrimes, specific process relating to Cyber Forensics.
Key Concepts: Cyber Frauds investigation, cybercrimes and Cyber Forensics
Reference: 3.4

2.17 Audit tools and techniques including CAAT, tools and risk assessment techniques including data analysis, Business Intelligence, sampling, automation of IS Assurance, etc.
Key Concepts: Audit tools and techniques, CAAT, tools and risk assessment techniques including data analysis, Business Intelligence, sampling, automation of IS Assurance, etc.
Reference: 2.12

2.18 Using best practices frameworks such as COBIT, ISO, etc.
Key Concepts: COBIT, ISO
Reference: 2.7.4 and 2.8

2.19 Key provisions of the Information Technology Act and Rules and their impact on IS Assurance.
Key Concepts: IT Act and impact on IS Assurance
Reference: 2.7.4

2.20 Follow-up review.
Key Concepts: Follow-up review
Reference: 2.23

Chapter 1: Agenda
Chapter 1: Concepts of IS Audit
- Concept of an Audit
- Concept of the IS Audit and Audit in a computerised environment
- Concept of IT Risk
- Risk Based Auditing
- Audit Risk and Materiality
- Concept of Internal Control
- Organization of IS Audit Function

Chapter 2: Agenda
Chapter 2: The IS Audit in Phases
- Phase 1: Plan
- Phase 2: Execute
- Phase 3: Report

Chapter 2: Agenda - Phase 1
Setting up of audit objectives
- Preparing Request for Proposal from client for assurance services/IT Enabled services and submitting proposal with key deliverables
- Audit Charter and Terms of Engagement
- Audit Scope
- Audit Planning
- Objectives of IS Controls

Chapter 2: Agenda - Phase 1
- Understanding the Auditee Environment
- Risk Assessment
- Risk Assessment Techniques
- IT Application Controls and types
- IT General Controls and areas

Chapter 2: Agenda - Phase 2
- Creation of Risk Control Matrix
- Audit Sampling, Data Analysis, Business Intelligence
- Analytical Review Procedures - CAAT Tools
- Substantive Testing
- Compliance Testing

Chapter 2: Agenda - Phase 2
- Design and Operational Effectiveness
- Audit Evidence - Methods of gathering Audit Evidence
- Types of Audit Evidence
- Evidence Preservation
- Audit Documentation
- Using the work of another Auditor and expert

Chapter 2: Agenda - Phase 3
- Evaluation of strengths and weaknesses - judging by materiality
- Risk Ranking
- Audit Report Structure and Contents
- Management Implementation of Recommendations
- Follow-up Review

Chapter 3: IT Enabled Services
- Classification of Audits
- IT Enabled Services
- Fraud: fraud detection, cyber fraud investigation and cyber forensics
- Appendix: checklists and other related material

Summary
- Learning Objectives
- Task Statements
- Knowledge Statements
- Relationship between Task and Knowledge Statements
- Knowledge Statement Reference Guide
- Organisation of Chapters

org
www.ifac.org

Thank you!
Questions?
Email: cit@icai.in
