
2003 CISA Review Course

Chapter 7
Business Process Evaluation
and Risk Management

2003 ISACA
Chapter Overview

 Business Process Re-engineering and Process Change Projects
 Risk Management
 IT Governance
 Application Controls
 Business Application Systems

2003 CISA Review Course Chapter 7 - page 2 © 2003 ISACA


Chapter Objective

Ensure that the CISA candidate…

“Has the knowledge necessary to evaluate business systems and processes to ensure that risks are managed in accordance with the organization’s business objectives”



Chapter Summary

According to the CISA Certification Board, this Area will represent approximately 15% of the CISA examination (approximately 30 questions)



Business Process Re-engineering and Process Change Projects
 Steps in a successful BPR
• Define the areas to be reviewed
• Develop a project plan
• Gain an understanding of the process under review
• Redesign and streamline the process
• Implement and monitor the new process
• Establish a continuous improvement process



Business Process Re-engineering and Process Change Projects
 New results begin to emerge
• New business priorities
• Concentration on process
• New approaches to organizing and motivating people
• New approaches to the use of technology
• Redefined roles for suppliers
• Redefined roles for clients and customers



Business Process Re-engineering and Process Change Projects
 BPR methods and techniques
• Benchmarking process
 Plan
 Research
 Observe
 Analyze
 Adapt
 Improve
Business Process Re-engineering and Process Change Projects
 BPR audit and evaluation techniques
• IS auditor must ensure:
 Consistency with overall culture and strategic plan of the organization
 Minimization of negative impacts
 Documentation of lessons to be learned after the change project



Risk Management

Risk management is the process of identifying vulnerabilities and threats to an organization’s information resources in achieving business objectives

A summary of this concept is shown in the following equation:

Total risk = Threats x Vulnerability x Asset value



Risk Management
 Developing a risk management program
• Establish the purpose of the risk management program
• Assign responsibility for the risk management plan



Risk Management

 Risk management process
• Identification and classification of information resources or assets
• Assess threats and vulnerabilities and the likelihood of their occurrence
• Result of threat/impact



IT Governance

 IT governance encompasses:
• Information systems
• Technology
• Communications



IT Governance

 Standard balanced IT scorecard
• Process management evaluation technique
 Standard balanced IT scorecard includes:
• Mission
• Strategy
• Measures



Application Controls

 Application controls include methods for ensuring that:
• Only complete, accurate and valid data are entered and updated in a computer system
• Processing accomplishes the correct task
• Processing results meet expectations
• Data are maintained



Application Controls

 Input/origination controls
• Input authorization
• Batch controls and balancing
• Error reporting and handling
• Batch integrity of online or database systems



Application Controls
 Input/origination controls
• Data Validation and Editing
 Sequence check
 Limit check
 Range check
 Parity check
 Validity check
 Reasonableness check
 Table look-ups
 Existence check
 Key verification
 Check digit
 Completeness check
 Duplicate check
 Logical relationship check
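Most of the edit checks on this slide are one-line comparisons, but the point of input controls is that they are applied together, to every record, before anything is updated. The following Python block is an added example written for this page (it is not ISACA course material) that runs sequence, limit, range, validity, existence, check digit, completeness, duplicate and logical relationship checks over a constructed batch of order records. The customer and product master files, the 1..1000 quantity range, the 50,000 line-value limit and the mod-10 (Luhn) check-digit scheme are all assumptions chosen for the illustration; a real application would take them from its own data definitions.

```python
"""Added example (not from the ISACA course): several of the data validation
and editing checks listed above, applied to constructed order records."""
from datetime import date

# Constructed reference data; assumption: the application keeps customer and
# product master files that the existence and validity checks look up.
VALID_CUSTOMERS = {"C001", "C002", "C003"}
VALID_PRODUCTS = {"WIDGET", "GADGET"}
REQUIRED = ("order_id", "seq", "customer", "product", "qty",
            "unit_price", "order_date", "ship_date")

def check_digit_ok(number: str) -> bool:
    """Check digit: mod-10 (Luhn) scheme, one common check-digit algorithm;
    True when the trailing digit is consistent with the preceding digits."""
    if not number.isdigit() or len(number) < 2:
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def validate_record(rec: dict, expected_seq: int, seen_ids: set) -> list:
    """Apply the edit checks to one record; returns the list of errors found."""
    errors = [f"completeness: {f} missing" for f in REQUIRED
              if rec.get(f) in (None, "")]
    if errors:                    # the other checks need the fields present
        return errors
    if rec["seq"] != expected_seq:
        errors.append(f"sequence: expected {expected_seq}, got {rec['seq']}")
    if rec["order_id"] in seen_ids:
        errors.append(f"duplicate: order {rec['order_id']} already seen")
    if not check_digit_ok(rec["order_id"]):
        errors.append(f"check digit: order id {rec['order_id']} fails mod-10")
    if rec["customer"] not in VALID_CUSTOMERS:
        errors.append(f"existence: unknown customer {rec['customer']}")
    if rec["product"] not in VALID_PRODUCTS:
        errors.append(f"validity: unknown product code {rec['product']}")
    if not 1 <= rec["qty"] <= 1000:
        errors.append(f"range: qty {rec['qty']} outside 1..1000")
    if rec["qty"] * rec["unit_price"] > 50_000:
        errors.append("limit: line value exceeds 50000")
    if rec["ship_date"] < rec["order_date"]:
        errors.append("logical relationship: ship_date before order_date")
    return errors

def validate_batch(records: list) -> dict:
    """Validate a batch in arrival order; returns {order_id: errors} for every
    rejected record (accepted records are not listed)."""
    rejected, seen = {}, set()
    for i, rec in enumerate(records, start=1):
        errors = validate_record(rec, i, seen)
        if errors:
            rejected[rec.get("order_id", f"#{i}")] = errors
        if rec.get("order_id"):
            seen.add(rec["order_id"])
    return rejected

def order(order_id, seq, customer, product, qty, price, ordered, shipped):
    return {"order_id": order_id, "seq": seq, "customer": customer,
            "product": product, "qty": qty, "unit_price": price,
            "order_date": ordered, "ship_date": shipped}

# Constructed input batch: one clean record followed by records that each
# trip a different check (order ids 10009, 10017 and 10033 carry valid
# mod-10 check digits; 10010 does not).
SAMPLE_RECORDS = [
    order("10009", 1, "C001", "WIDGET", 10, 5.0, date(2003, 1, 10), date(2003, 1, 12)),
    order("10017", 2, "C002", "GADGET", 2000, 5.0, date(2003, 1, 10), date(2003, 1, 12)),
    order("10010", 3, "C009", "WIDGET", 5, 10.0, date(2003, 1, 10), date(2003, 1, 12)),
    order("10009", 5, "C001", "WIDGET", 1, 1.0, date(2003, 1, 10), date(2003, 1, 12)),
    order("10033", 5, "C003", "WIDGET", 1000, 100.0, date(2003, 1, 10), date(2003, 1, 1)),
]

if __name__ == "__main__":
    for oid, errs in validate_batch(SAMPLE_RECORDS).items():
        print(oid, errs)
```

The checks are deliberately cumulative: a record that fails the check digit is still tested against the master file, so the error report an operator sees lists everything wrong with the record rather than only the first problem found.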
Application Controls

 Input/origination controls
• Processing control procedures
 Manual recalculation
 Editing
 Run-to-run totals
 Programmed controls
 Etc.
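Batch controls and balancing (listed under input controls above) and run-to-run totals (listed here under processing controls) are two halves of the same mechanism, so one added example covers both. This Python block is written for this page and is not ISACA material: it computes a record count, a financial total and a hash total over a constructed batch of transactions, balances them against the totals on a batch header slip, and then carries a run-to-run control total from one posting run to the next so that any alteration of the balances between runs is detected. The account numbers, amounts and the choice of account number as the hash-total field are constructed for the illustration.

```python
"""Added example (not from the ISACA course): batch balancing with record
count, financial total and hash total, plus a run-to-run control total."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Txn:
    account: int   # account number; summed into the hash total
    amount: int    # amount in cents (signed); summed into the financial total

def batch_totals(txns):
    """Control totals over a batch. The hash total is the sum of a field
    (here the account number) that is meaningless as a value but changes
    whenever a record is dropped, added or has its account altered."""
    return {
        "count": len(txns),
        "amount": sum(t.amount for t in txns),
        "hash": sum(t.account for t in txns),
    }

def balance_batch(txns, header):
    """Compare the computed totals with those on the batch header slip.
    Returns the names of the totals that disagree; [] means balanced."""
    computed = batch_totals(txns)
    return [k for k in ("count", "amount", "hash") if computed[k] != header[k]]

def post_run(opening_balances, txns):
    """One processing run: apply a balanced batch to the account balances.
    Returns (closing_balances, run_total); run_total is the sum of all
    balances and is the run-to-run control total carried to the next run."""
    closing = dict(opening_balances)
    for t in txns:
        closing[t.account] = closing.get(t.account, 0) + t.amount
    return closing, sum(closing.values())

def run_to_run_ok(previous_run_total, batch_amount, current_run_total):
    """Run-to-run check: last run's closing total plus the financial total of
    the batch just applied must equal this run's closing total."""
    return previous_run_total + batch_amount == current_run_total

# Constructed batch and the header slip prepared for it by the originator
BATCH = [Txn(1001, 25_00), Txn(1002, 10_50), Txn(1003, -5_00)]
HEADER = {"count": 3, "amount": 30_50, "hash": 3006}
OPENING = {1001: 100_00, 1002: 0, 1003: 50_00}   # closing balances of the prior run

if __name__ == "__main__":
    print("balance:", balance_batch(BATCH, HEADER))
    closing, total = post_run(OPENING, BATCH)
    print("run-to-run ok:", run_to_run_ok(sum(OPENING.values()), HEADER["amount"], total))
```

The run-to-run total is what answers the receivables scenario in question 8 of this chapter: the sum of balances left by one posting run is stored with that run, and the next run refuses to proceed unless opening total plus batch amount equals its own closing total.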



Application Controls

 Input/origination controls
• Data file control procedures
 Before and after image reporting
 Maintenance error reporting and handling
 Source documentation retention
 Internal and external labeling
 Correct version usage, data file security controls
 One-for-one checking, transaction log
 File updating and maintenance authorization
 Parity checking



Application Controls

 Input/origination controls
• Output controls
 Logging and storage of negotiable, sensitive and critical forms in a secure place
 Computer generation of negotiable instruments, forms and signatures
 Report distribution, balancing and reconciling
 Output error handling
 Output report retention
 Verification of receipt of reports



Application Controls

 Review application system documentation
 Analyze the flow of transactions through the system
 Prepare a risk assessment model to analyze the application’s controls



Application Controls

 Observe and test users performing procedures
• Separation of duties
• Authorization of input
• Balancing
• Error control and correction
• Distribution of reports
• Review and test access authorizations and capabilities



Application Controls

 Data integrity testing
• Test data integrity
 Domain integrity
 Relational integrity
 Entity integrity
 Referential integrity



Application Controls

 Data integrity testing
• Data integrity in on-line transaction processing systems
 Atomicity
 Consistency
 Isolation
 Durability
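The integrity types on the previous slide and the ACID properties on this one are easiest to see when a database actually enforces them. The following Python block, an added example written for this page rather than ISACA material, builds a small customer/account schema in an in-memory SQLite database: the primary keys give entity integrity, the foreign key gives referential integrity, and a CHECK constraint on the balance gives domain integrity. It then runs a two-statement funds transfer inside one transaction so that, when the debit half violates the balance constraint, the already-applied credit half is rolled back with it, which is atomicity. The schema, account numbers and balances are constructed for the illustration; relational (record-level) integrity is not covered by this block.

```python
"""Added example (not from the ISACA course): entity, referential and domain
integrity enforced by SQLite constraints, and atomicity of a transfer."""
import sqlite3

SCHEMA = """
CREATE TABLE customer (
    id   INTEGER PRIMARY KEY,                 -- entity integrity: unique, non-null key
    name TEXT NOT NULL
);
CREATE TABLE account (
    acct_no  INTEGER PRIMARY KEY,             -- entity integrity
    owner_id INTEGER NOT NULL REFERENCES customer(id),   -- referential integrity
    balance  INTEGER NOT NULL CHECK (balance >= 0)       -- domain integrity (cents)
);
"""

def open_db():
    """Create the constructed sample database in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # SQLite only enforces FKs when asked
    conn.executescript(SCHEMA)
    conn.executescript("""
        INSERT INTO customer VALUES (1, 'Alice'), (2, 'Bob');
        INSERT INTO account  VALUES (100, 1, 5000), (200, 2, 1000);
    """)
    return conn

def attempt(conn, sql, params=()):
    """Run one statement on its own; None on success, else the error class name."""
    try:
        conn.execute(sql, params)
        conn.commit()
        return None
    except sqlite3.IntegrityError as exc:
        conn.rollback()
        return type(exc).__name__

def balance(conn, acct_no):
    return conn.execute("SELECT balance FROM account WHERE acct_no = ?",
                        (acct_no,)).fetchone()[0]

def transfer(conn, src, dst, amount):
    """Move `amount` cents from src to dst as one transaction. The credit is
    applied first on purpose: if the debit then violates the balance CHECK,
    the rollback must also undo the credit, or money would be created."""
    try:
        conn.execute("UPDATE account SET balance = balance + ? WHERE acct_no = ?",
                     (amount, dst))
        conn.execute("UPDATE account SET balance = balance - ? WHERE acct_no = ?",
                     (amount, src))
        conn.commit()
        return True
    except sqlite3.IntegrityError:
        conn.rollback()
        return False

if __name__ == "__main__":
    db = open_db()
    print("duplicate key  :", attempt(db, "INSERT INTO customer VALUES (1, 'Mallory')"))
    print("orphan account :", attempt(db, "INSERT INTO account VALUES (300, 9, 0)"))
    print("negative balance:", attempt(db, "UPDATE account SET balance = -1 WHERE acct_no = 100"))
    print("transfer 20.00 :", transfer(db, 100, 200, 2000), balance(db, 100), balance(db, 200))
    print("transfer 99.99 :", transfer(db, 100, 200, 9999), balance(db, 100), balance(db, 200))
```

An auditor testing data integrity can use exactly these probes against a test copy of the application database: each attempted violation should be refused by the database itself, not merely by the application's screens, and a failed transfer must leave both balances as they were.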



Application Controls

 Test application systems
• Analyzing computer application programs
 Snapshot
 Mapping
 Tracing & tagging



Application Controls

 Test application systems
• Analyzing computer application controls
 Test data/deck
 Base case system evaluation
 Parallel operation
 Integrated testing facility
 Parallel simulation



Application Controls

 Test application systems
• Select & monitor data processing transactions
 Transaction selection programs
 Embedded audit data collection
 Extended records



Application Controls
 Test application systems
• Continuous on-line auditing
• On-line auditing techniques
 Systems control audit review file and
embedded audit modules (SCARF/EAM)
 Snapshots
 Audit hooks
 Integrated test facilities (ITF)
 Continuous and intermittent simulation (CIS)



Business Application Systems
 Electronic commerce
 E-commerce models
• Business-to-customer
• Business-to-business
• Business-to-employee
• Business-to-government
• Customer-to-government
• Exchange-to-exchange



Business Application Systems
 E-commerce architectures
 E-commerce risks
• Confidentiality
• Integrity
• Availability
• Authentication and non-repudiation
• Power shift to customers



Business Application Systems
 E-commerce requirements
• Top-level commitment
• Business process reconfiguration
• Links to legacy systems



Business Application Systems
 E-commerce audit and control issues (best practices)
• Security mechanisms and procedures
• Firewall mechanisms
• Unique and positive identification
• Digital signatures
• PKI infrastructure
 Certificate authority
 Registration authority
 Certification revocation list
 Certification practice statement
Business Application Systems
 E-commerce audit and control issues (best practices) (continued)
• Change control procedures
• Logs of e-commerce applications
• Methods and procedures to recognize security breaches
• Features to reconstruct the activity performed by the application
• Disclosure procedures
• Means to ensure confidentiality
• Mechanisms to protect e-commerce
• Continuity plan
• Audit programs
Business Application Systems
 Electronic Data Interchange (EDI)
• General requirements
 System software
 Application systems
• Traditional EDI
 Communications handler
 EDI interface
 EDI translator
 Application interface
 Application system



Business Application Systems
 Electronic Data Interchange (EDI) (continued)
• Web based EDI
 Internet-through-Internet
 Ability to attract new partners
 New security products
 Improvements in the X12 EDI formatting standard



Business Application Systems
 Electronic Data Interchange (EDI)
• EDI risks
 Unauthorized access to electronic transactions
 Deletion or manipulation of transactions
 Loss or duplication of EDI transmissions
 Improper distribution of EDI transactions while in the possession of third parties



Business Application Systems
 Electronic Data Interchange (EDI)
• Controls - receipt of inbound transactions
 Encryption techniques
 Edit checks
• Controls - outbound transactions
• Auditing EDI
 Internet encryption
 Perform edit checks
 Perform additional computerized checking
 Ensure that each inbound transaction is logged on receipt
 Use control totals on receipt of transactions
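The inbound EDI controls above (edit checks, logging each transaction on receipt, control totals) can be shown on an actual transaction set. The following Python block is an added example written for this page, not ISACA material: it parses a constructed ANSI X12 850 purchase order, checks that the segment count declared in the SE trailer matches the segments actually received, that the ST and SE control numbers agree and that the CTT line-item count matches the PO1 segments, logs every transaction set on receipt with a hash of the raw data, and keeps received/accepted/rejected counts for later reconciliation with the trading partner. The transaction content, partner name and the choice of SHA-256 for the receipt log are assumptions made for the illustration.

```python
"""Added example (not from the ISACA course): inbound EDI completeness
checks, a receipt log and control totals over a constructed X12 850."""
import hashlib
from datetime import datetime, timezone

# Constructed X12 850 (purchase order). Segments end with "~", elements are
# separated by "*". SE carries the count of segments from ST through SE
# inclusive and repeats the control number from ST; CTT counts PO1 lines.
SAMPLE_850 = (
    "ST*850*0001~"
    "BEG*00*SA*PO12345**20030115~"
    "PO1*1*10*EA*5.00**VP*WIDGET~"
    "PO1*2*2*EA*12.50**VP*GADGET~"
    "CTT*2~"
    "SE*6*0001~"
)

def parse_segments(raw: str) -> list:
    """Split a transaction set into segments, each a list of elements."""
    return [seg.split("*") for seg in raw.rstrip("~").split("~") if seg]

def check_transaction_set(raw: str) -> list:
    """Completeness edit checks on one transaction set; [] means it passed."""
    segs = parse_segments(raw)
    if not segs or segs[0][0] != "ST":
        return ["missing ST header"]
    if segs[-1][0] != "SE":
        return ["missing SE trailer"]
    st, se = segs[0], segs[-1]
    errors = []
    if int(se[1]) != len(segs):                       # segment count in trailer
        errors.append(f"segment count: SE declares {se[1]}, found {len(segs)}")
    if st[2] != se[2]:                                # header/trailer pairing
        errors.append(f"control number: ST {st[2]} != SE {se[2]}")
    lines = [s for s in segs if s[0] == "PO1"]
    ctt = next((s for s in segs if s[0] == "CTT"), None)
    if ctt is not None and int(ctt[1]) != len(lines):  # line-item count
        errors.append(f"line count: CTT declares {ctt[1]}, found {len(lines)}")
    return errors

class ReceiptLog:
    """Log every inbound transaction set on receipt, before processing, so the
    count can later be reconciled with the partner's record of what was sent."""
    def __init__(self):
        self.entries = []

    def record(self, raw: str, partner: str) -> dict:
        segs = parse_segments(raw)
        entry = {
            "received_at": datetime.now(timezone.utc).isoformat(),
            "partner": partner,
            "control_number": segs[0][2] if segs and len(segs[0]) > 2 else None,
            "sha256": hashlib.sha256(raw.encode()).hexdigest(),
            "errors": check_transaction_set(raw),
        }
        self.entries.append(entry)
        return entry

    def control_totals(self) -> dict:
        """Counts reconciled against the partner's transmission report."""
        accepted = sum(1 for e in self.entries if not e["errors"])
        return {"received": len(self.entries), "accepted": accepted,
                "rejected": len(self.entries) - accepted}

if __name__ == "__main__":
    log = ReceiptLog()
    log.record(SAMPLE_850, "PARTNER-A")
    log.record(SAMPLE_850.replace("PO1*2*2*EA*12.50**VP*GADGET~", ""), "PARTNER-A")
    for e in log.entries:
        print(e["control_number"], e["errors"])
    print(log.control_totals())
```

Dropping one PO1 segment from the sample, as the `__main__` block does, is caught twice: the SE count no longer matches and the CTT count no longer matches, which is why the trailer count is the natural completeness control for inbound EDI (compare question 4 of this chapter).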
Business Application Systems
 Electronic mail
 E-mail security
 Digital signatures



Business Application Systems

 Point of Sale Systems (POS)
 Integrated manufacturing systems
 Electronic funds transfer
 Integrated customer file



Business Application
Systems
 Office automation
 Automatic Teller Machine (ATM)
 Cooperative processing systems
 Voice response ordering systems
 Purchase accounting system
• Accounts payable processing
• Goods received processing
• Order processing
Business Application Systems
 Image processing
• Planning
• Audit
• Redesign of workflow
• Scanning devices
• Software security
• Training



Business Application Systems

 Artificial Intelligence (AI) and expert systems
• Knowledge base
• Inference engine
• Knowledge interface
• Data interface



Business Application Systems
 Data warehouse
• Characteristics
 Subject oriented
 Integrated
 Time-variant
 Non-volatile
• Composed of:
 Data sources
 Data extraction and transformation from data sources
 Target database
 End user data access
Business Application Systems
 Decision Support Systems (DSS)
• Efficiency vs. effectiveness
• Decision focus
• DSS frameworks
• Design and development
• Implementation and use
• Risk factors
• Implementation strategies
• Assessment & evaluation
• DSS trends
Chapter 7: Glossary

 Alpha
 Application program
 Artificial intelligence
 Bar code
 Benchmark
 Electronic data interchange
 Hash total
 Redundancy check
 Table look-ups
Chapter 7: Recap

 Group discussion
 Questions



Chapter 7: Questions

1. IT governance ensures that an organization aligns its IT strategy with:

A. enterprise objectives.
B. IT objectives.
C. audit objectives.
D. finance objectives.



Chapter 7: Questions

2. A validation which ensures that input data are matched to predetermined reasonable limits or occurrence rates is known as:

A. reasonableness check.
B. validity check.
C. existence check.
D. limit check.



Chapter 7: Questions

3. Which of the following would be classified as a corrective control?

A. Contingency planning
B. Procedures for transaction authorization
C. Use of access control software
D. Echo controls in telecommunications



Chapter 7: Questions

4. Which of the following procedures should be implemented to help ensure the completeness of inbound transactions via electronic data interchange (EDI)?

A. Segment counts built into the transaction set trailer
B. A log of the number of messages received, periodically verified with the transaction originator
C. An electronic audit trail for accountability and tracking
D. Matching acknowledgement transactions received to the log of EDI messages sent



Chapter 7: Questions

5. A utility is available to update critical tables in case of data inconsistency. This utility can be executed at the OS prompt or as one of the menu options in an application. The BEST control to mitigate the risk of unauthorized manipulation of data is to:

A. delete the utility software and install it as and when required.
B. provide access to the utility on a need-to-use basis.
C. provide access to the utility to user management.
D. define access so that the utility can only be executed from the menu option.
Chapter 7: Questions

6. When conducting a review of business process re-engineering, an IS auditor found that a key preventive control had been removed. In this case, the IS auditor should:

A. inform management of the finding and determine if management is willing to accept the potential material risk of not having that preventive control.
B. determine if a detective control has replaced the preventive control during the process and, if so, not report the removal of the preventive control.
C. recommend that this and all control procedures that existed before the process was re-engineered be included in the new process.
D. develop a continuous audit approach to monitor the effects of the removal of the preventive control.



Chapter 7: Questions

7. Which of the following is an output control objective?

A. Maintenance of accurate batch registers
B. Completeness of batch processing
C. Appropriate accounting for rejections and exceptions
D. Authorization of file updates



Chapter 7: Questions

8. In a system that records all receivables for a company, the receivables are posted on a daily basis. Which of the following would ensure that receivables balances are unaltered between postings?

A. Range checks
B. Record counts
C. Sequence checking
D. Run-to-run control totals



Chapter 7: Questions

9. Which of the following would be the MOST important issue to the IS auditor in a business process re-engineering (BPR) project?

A. The loss of middle management, which often is a result of a BPR project
B. That controls are usually given low priority in a BPR project
C. The considerable negative impact that information protection could have on BPR
D. The risk of failure due to the large size of the task usually undertaken in a BPR project
Chapter 7: Questions

10. In order to meet pre-defined criteria, which of the following continuous audit techniques would BEST identify transactions to audit?

A. Systems Control Audit Review File and Embedded Audit Modules (SCARF/EAM)
B. Continuous and Intermittent Simulation (CIS)
C. Integrated Test Facilities (ITF)
D. Audit hooks



Thank you for participating in the CISA Review Course. We would welcome your comments and/or suggestions. Your feedback is invaluable to our efforts to fully serve the profession and future CISA Examination Registrants.



Please send your comments to:
Manager – Certification Study Program and Educational Development
ISACA
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA

or FAX to: Manager – CISA Certification Study Program and Educational Development
+847.253.1443

or email to: efernandez@isaca.org

