What is Audit/definition and explain each segment.
CISA Definition for Audit
Systematic process by which a qualified, competent, independent team or person objectively obtains and evaluates evidence regarding assertions about a process for the purpose of forming an opinion about and reporting on the degree to which the assertion is implemented.
Definition for Audit — Notes
Qualified, Competent: You hold the qualifications for this work. If the job requires a specialty, you are an expert in it.
Independent: You are not tied to the organization, are not close friends with anyone in it, and do not attend its parties.
Objectively obtains and evaluates evidence: Conclusions are based on real facts that can be proven.
Assertions about a process: You are checking the standards, policies and processes that are supposed to be followed.
Form an opinion about and report: From your expertise and the facts, you provide a realistic, accurate view.
Define IS Audit (procedure)
Audit Engagement Procedure — Notes
The first step is to learn about the subject area. Do your homework on the company and the specific processes before putting an audit plan together.
How do things work?: Once you understand that, "Evaluate whether controls are effective" means logically checking that every concern is covered by a good control. This may mean building a table of threats versus controls.
In the diagram, the two bars with processes between them indicate that the inner (yellow) processes can be done in parallel.
In this case, some of those activities may be performed and some may not (they are optional).
The darker blue audit processes represent the planning and reporting stages.
What Inherent, Control & Detection Risks exist on the IT side?
Inherent: A hacker or a virus (threats the environment is exposed to regardless of controls).
Control: A firewall or IDS fails to detect an attack.
Detection: An IS auditor does not recognize that some backup tapes are being made improperly.
Audit Engagement Risk Analysis
Inherent Risks: (Risks the organization is predisposed to)
Data Breach: Student grades, disabilities,
Hacking: The university is an open system, with no limitations on installed software and BYOD (Bring Your Own Device) devices. Student homework must be protected.
Control Risks: (Risk that a control has one or more vulnerabilities)
Insufficient Firewall/IPS Restrictions: While much of the university network is open, critical databases must be in a secure zone with highly restrictive access.
Detection Risk: (Risk of the auditor not detecting a problem)
Hacker within Confidential Zone: This audit may not detect an already infiltrated (penetrated) Confidential Zone or a critical vulnerability in it.