
Tuesday, April 10, 2018

Domain 1 (Part 1)

Threat - External factors that can harm us. Generally not in our control. Example: Hacker, Earthquake, Fire, Malware, System Failure, Criminals and many other unknown factors.
Vulnerability - Internal weakness. Can be controlled. Example: Missing anti-virus, Weak Coding, Weak access control.

When a threat and a vulnerability come together in the same place, they constitute a Risk.

Compliance Testing - 
Testing of controls. Gathers evidence of an organization's compliance with control procedures. Checks the presence of controls. Example: Verify the configuration of a router for controls; Review of system access rights; Review of firewall settings; Review of compliance with password policy

Substantive Testing - 
Testing of transactions. Gathers evidence to evaluate the integrity of data, transactions, or other information. Checks the integrity of contents. Example: Test ending cash balance; Observe the period-end counting of inventory; Physically match fixed assets with fixed asset records; Review of trial balance

- Compliance testing will be performed first. Substantive testing will be the next step.
- The outcome/result of the compliance test will form the basis for planning the substantive testing.
- Attribute sampling (either the control is present or not) will be useful when testing for compliance.

The Audit Charter outlines the overall authority, scope and responsibilities of the audit function.
The audit charter should be approved by the highest level of management, be a written document, and define the roles and responsibilities of the audit function.
The audit charter shouldn't be changed too often.

The result of the risk management process is used for making security policy decisions.

Principles of COBIT-5
ME-HIS
M - Meeting Stakeholder's needs
E - End to end coverage
H - Holistic Approach
I - Integrated Framework
S - Separate governance from management

COBIT-5 provides the required processes and enablers to support the business through the use of IT.
COBIT-5 translates high-level enterprise goals into manageable, specific, IT-related goals and then maps these to specific processes and practices.
COBIT-5 effectively supports alignment between enterprise needs and IT solutions and services.

Statistical Sampling - Probability of error can be objectively quantified; Each item has an equal chance of selection
Non-statistical Sampling - Probability of error can't be objectively quantified; Sampling depends upon the judgement of the auditor

Attribute Sampling - Applied in compliance testing; Expressed in %. Example: 55% of transactions are compliant. (AC - Attribute Compliance)
Variable Sampling - Applied in substantive testing; Expressed in monetary values, weight or some other measure. Example: Deviation of $2 from the standard mean. (VS - Variable Substantive)
Stop or Go Sampling - Used when the auditor believes that very few errors will be found. Prevents excessive sampling.
Discovery Sampling - Used when the objective is to discover fraud or other irregularities

Confidence coefficient - The probability that the sample is a true representation of the population. To have a high confidence coefficient, you need to select a large sample size.

Strong internal control - confidence coefficient or sample size can be lower and vice versa.

Statistical sampling minimizes the detection risk.
