8/9/2019 CISA Notes
1. Gramm-Leach-Bliley Act is for regulation of [i]
2. Federal Information Security Management Act is for regulation of [ii]
3. HIPAA: Health Information Portability and Accountability Act
4. Fair and Accurate Credit Transaction Act [iii]
5. What is used as a reference point to ensure organizational compliance? [iv]
6. Policy and standards are mandatory, whereas a guideline is discretionary.
7. Policy -> Standard -> Guideline -> Procedure
8. Information obtained by the IS auditor has to be maintained with privacy and confidentiality, except for [v]
9. The relationship between the CISA auditor and the organization should be [vi]
10. Advice by the IS auditor to the organization on design decisions, detailed specifications or remediation of the organization is [vii]
11. PCAOB AS-1, SAS-1, SAS-37 and SAS-74 talk about [viii]
12. The two types of audit are [ix]
13. CISA IS Audit Standards
   a. S1 - Audit Charter
   b. S2 - Independence
   c. S3 - Professional ethics and standards of code
   d. S4 - Professional competence
   e. S5 - Planning
   f. S6 - Performance of audit work
   g. S7 - Audit reporting
   h. S8 - Follow-up activities
   i. S9 - Irregularities and illegal acts
   j. S10 - IT governance
   k. S11 - Use of risk analysis in audit planning
14. IS Audit standards types or phases (for remembering purposes only)
   a. Requirements and Eligibility (AIPP)
      i. Audit charter
      ii. Independence
      iii. Professional ethics and standards of code
      iv. Professional competence
   b. Planning (P)
      i. Planning
   c. Execution and closure (PAWAR FACT)
      i. Performance of audit work
      ii. Audit reporting
      iii. Follow-up activities
   d. Management (III URAAP)
      i. Irregularities and illegal acts
      ii. IT governance
      iii. Use of risk analysis in audit planning
15. Is follow-up a responsibility of the auditor, or is he authorized only to perform the audit? [x]
16. If the word "should" appears in a statement in a regulation, it means [xi]
17. The only difference between an internal and an external auditor is [xii]
18. Act 906 under SOX: [xiii]
19. Act 302 under SOX: [xiv]
20. SOX is essentially a [xv]
21. Effectiveness and efficiency of operational practices is verified by [xvi]
22. The audit that verifies whether appropriate policies and procedures are in place and whether they are implemented is called [xvii]
23. Maintaining the audit report is the responsibility of the client.
24. What is a discovery request? [xviii]
25. To plan for an audit, the auditor should ask questions on the following topics to understand the business requirement. They are [xix]
26. Identifying restrictions on scope is part of audit pre-planning.
27. The four types of risk response are
   a. Accept the risk
   b. Mitigate
   c. Transfer
   d. Avoid
28. Materiality refers to [xx]
29. Sampling and non-sampling risk are [xxi]
30. Non-sampling risks are associated with [xxii]
31. Audit risk does not include risks of [xxiii]
32. Residual risk is one that [xxiv]
33. During the planning phase, what type of risks should the auditor be concerned with? [xxv]
34. SAS-70 focuses on [xxvi]
35. To audit a service provider, what is required? [xxvii]
36.
Footnote answers:

[i] Financial transactions
[ii] Government
[iii] Credit processing
[iv] Standards
[v] Disclosure to legal authorities
[vi] Independent, i.e. the auditor should not be professionally, personally or organizationally related (for external auditors)
[vii] Violation of auditor independence
[viii] Auditor independence
[ix] Compliance (against a standard) and substantive (against a claim)
[x] The auditor is also responsible for follow-ups
[xi] It is recommended or discretionary. For required and mandatory, the word will be "shall"
[xii] Auditor independence
[xiii] Management attests to the integrity of the financials and indicates that no hidden or questionable transaction exists
[xiv] Management attests that full disclosure of the internal controls has been made to the audit committee, and that no deficiencies or weaknesses were withheld
[xv] Disclosure law
[xvi] SAS-70
[xvii] Administrative audit
[xviii] Asking for necessary documentation from the client during the planning phase
[xix] Knowledge of the business, strategic objectives, financial objectives (ROI), operational objectives (internal control)
[xx] Evidence that is significant and could change the outcome
[xxi] Detection risk
[xxii] Inappropriate use of procedures or inconsistent procedures
[xxiii] Technology, business or operational (BTO)
[xxiv] Remains after all mitigation efforts are performed
[xxv] IDC: Inherent, Detection and Control
[xxvi] Avoiding multiple organizations auditing the service provider
[xxvii] The client's original outsourcing contract should have included a provision for the right to audit along with the service level agreement. It must clearly state whether SAS-70 is acceptable or an individual audit is required.