CISA DOMAIN 1 (Part 2) – THE PROCESS OF AUDITING INFORMATION SYSTEMS

PART 2
4. Internal Controls: These are usually policies, procedures, and organizational structures that are used to reduce the risk to the organization.
The effective implementation of an internal control system is the responsibility of the board.
Remember: CISA questions on internal controls should be answered from the perspective of top management (BoD, CEO, CIO, CISO, etc.), choosing among the available options.
Classification of internal controls:
Preventive controls
Detective controls
Corrective controls

Remember that CISA questions will be scenario-based, so the candidate must have a good understanding of all three control types.
Preventive controls: These internal controls are used to prevent an event from happening that could affect the achievement of organizational goals. Some examples of preventive control activities:
Background checks for employees
Training and certification for employees
Password-protected access to asset storage areas
Physical locks on inventory warehouses
Security camera systems
Segregation of duties (i.e. recording, authorization and custody are each handled by different people)
Detective controls: These are used to determine when preventive measures have not been effective in preventing errors or irregularities, especially in relation to asset protection. These are some examples of detective control activities:
Bank reconciliations
Control totals
Physical inventory counts
Reconciliation of the general ledgers and the detailed subsidiary ledgers
Internal audit functions
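As an added illustration (not part of the original notes), the following Python shows two of the detective controls listed above, control totals and ledger reconciliation, applied to a constructed batch of payment records. Every record, reference and amount in it is made up for the example:

```python
"""Batch control totals and reconciliation as a detective control (added example).

The source system hands over a batch of payment records together with
control totals (record count and hash total of amounts). After posting,
the ledger is reconciled against those totals, and an item-level
reconciliation identifies exactly which records are missing or altered.
All records below are constructed sample data.
"""
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Record:
    ref: str          # transaction reference
    amount: Decimal   # monetary amount, kept as Decimal to avoid float drift


@dataclass(frozen=True)
class ControlTotals:
    record_count: int
    hash_total: Decimal  # sum of amounts, meaningful only as a check figure


def compute_totals(records):
    """Derive the control totals the sending system attaches to a batch."""
    return ControlTotals(
        record_count=len(records),
        hash_total=sum((r.amount for r in records), Decimal("0")),
    )


def reconcile_totals(expected, posted):
    """Batch-level check: returns a list of exceptions, empty if the batch reconciles."""
    actual = compute_totals(posted)
    exceptions = []
    if actual.record_count != expected.record_count:
        exceptions.append(
            f"record count {actual.record_count} != expected {expected.record_count}")
    if actual.hash_total != expected.hash_total:
        exceptions.append(
            f"hash total {actual.hash_total} != expected {expected.hash_total}")
    return exceptions


def reconcile_items(source, posted):
    """Item-level check, the same idea as a bank reconciliation: match each
    source record to its posted counterpart by reference and report records
    missing from the ledger, records posted without a source, and amounts
    that differ."""
    src = {r.ref: r.amount for r in source}
    led = {r.ref: r.amount for r in posted}
    return {
        "missing": sorted(src.keys() - led.keys()),
        "unexpected": sorted(led.keys() - src.keys()),
        "amount_mismatch": sorted(
            (ref, src[ref], led[ref]) for ref in src.keys() & led.keys()
            if src[ref] != led[ref]
        ),
    }


# Constructed sample batch: three payments sent by the source system.
SOURCE_BATCH = [
    Record("PAY-001", Decimal("120.00")),
    Record("PAY-002", Decimal("75.50")),
    Record("PAY-003", Decimal("300.00")),
]
SOURCE_TOTALS = compute_totals(SOURCE_BATCH)

# Constructed posted ledger: PAY-002 was dropped and PAY-003 was altered.
POSTED_LEDGER = [
    Record("PAY-001", Decimal("120.00")),
    Record("PAY-003", Decimal("330.00")),
]

# Constructed ledger with two amounts transposed: count and hash total still
# agree with the source, so only the item-level reconciliation catches it.
SWAPPED_LEDGER = [
    Record("PAY-001", Decimal("75.50")),
    Record("PAY-002", Decimal("120.00")),
    Record("PAY-003", Decimal("300.00")),
]

if __name__ == "__main__":
    for line in reconcile_totals(SOURCE_TOTALS, POSTED_LEDGER):
        print("EXCEPTION:", line)
    print(reconcile_items(SOURCE_BATCH, POSTED_LEDGER))
    print("swapped batch, totals only:", reconcile_totals(SOURCE_TOTALS, SWAPPED_LEDGER))
    print("swapped batch, item level:", reconcile_items(SOURCE_BATCH, SWAPPED_LEDGER))
```

Running the module prints the two batch-level exceptions (record count and hash total) for the posted ledger, followed by the item-level result naming PAY-002 as missing and PAY-003 as altered. The SWAPPED_LEDGER constant shows the limit of control totals on their own: two amounts transposed between records leave both count and hash total unchanged, so only the item-level reconciliation detects it, which is why the two checks are used together.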
Corrective controls: If a problem is identified by detective control activities, corrective control activities should examine the issue and create a plan to prevent it from happening again. Corrective control activities include:
Data backups can be used in the event of a fire, flood, or other disaster to recover lost data.
Data validity tests may be required to verify data inputs if the amounts are not within a reasonable range.
Insurance can be used to replace stolen or damaged assets.
Management variance reports can be used to highlight variances between budget and actual in order to take corrective action.
To prevent future mistakes and irregularities, training and operations manuals may be revised.
5. ISACA develops COBIT
COBIT is a comprehensive framework to assist enterprises in achieving their goals for the governance and management of enterprise IT (GEIT).
COBIT 5 is based on 5 principles and 7 enablers.
The 5 principles:
1. Meeting stakeholder needs
2. End-to-end coverage of the enterprise
3. Holistic approach
4. Integrated framework
5. Separating governance from management
The 7 enablers:
1. Principles, policies and frameworks
2. Processes
3. Organizational structures
4. Culture, ethics and behavior
5. Information
6. Services, infrastructure and applications
7. People, skills and competencies
(Note: A CISA candidate won’t be asked to identify the COBIT processes, COBIT domains, or the set of IT processes in each. Candidates should be able to identify the frameworks, their purpose, and why enterprises use them.)
6. Risk-based auditing
The audit approach should be:
Step 1: Gather all available information and plan the audit by reviewing the prior year’s audit results, financial information, and inherent risk assessments.
Step 2: Understand the existing internal controls by analysing the control procedures and assessing detection risk.
Step 3: Perform compliance tests by identifying the key controls that will be tested.
Step 4: Perform substantive testing through tests of account balances and analytical procedures.
Step 5: End the audit
