Week 1:

Define and explain key internal control concepts. (Generally)

Explain and differentiate business and IT processes, recognizing that IS services are delivered through ongoing IT processes

and business functions are accomplished in business processes where processes are the focus of internal controls.

List internal control categories based on several facets. Provide illustrative examples of controls in each category.

More fully explain the purposes of and integrated nature of internal control systems.

Identify one or more examples of how each of the COSO principles are embodied in internal control processes.

Week 2:

Identify and explain several types of IT audits: In support of financial audit, Compliance audits, SOC audits, agreed-upon

procedures

List and spell out acronyms for standards setting bodies and standards/frameworks including PCAOB, SEC, SOX act of 2002,

FASB, GAAP, GAAS, AICPA, GLBA, FERPA, HIPAA identifying specific area of coverage

Explain the role of the SEC and PCAOB in oversight of audits including audits of internal control

Explain assertions, attestation, and auditing as they relate to IT control audits

Explain the importance of IUC (information used in controls) assessments and provide contemporaneous examples for

control situations

Define and differentiate governance and management, explain the Plan, Build, Run, Monitor "virtuous cycle" and the

governance cycle - Plan, Do, Check, Correct

Spell out and define PII

List, define, and categorize examples of types of controls

o Preventive, Detective, Corrective

o ITGC vs application vs. governance controls

Explain what it means for a control to be designated a compensating control

Differentiate Automatic and Manual controls; provide examples including mixed examples where parts of a control are

automatic and part manual; explain why automatic controls are generally preferred but not always feasible.

Week 3:

IS RISK

Explain the relationship between and differentiate technical and business risk

Articulate the difference between IS risk and audit risk

Understand cost/benefit tradeoffs for risk mitigation

Formulate quantitative risk assessments (likelihood * exposure)

Identify residual risks as a function of inherent risk after the effect of mitigation

Explain how insuring a risk contrasts works as compared to other controls

Explain risks as both directly negative outcomes and forgone benefits

Quantify risk using non-dollar scales for severity and non-percentage scales for likelihood

List for options for addressing risk with examples (control, transfer, avoid, accept)

AUDIT RISK:

Explain, with examples, the three components of audit risk IR, CR, and DR

Explain how both control design and operation impact control risk

Identify the role of Tolerable Exception Rate (TER) in estimating CR

Understand that TER is related to but not the same as CR because CR results from the cumulative effect of multiple control

activities

Understand that because a sample may not exactly represent a population, observed exceptions in a sample of less than

100% will need to be below the TER

Understand that sampling is only one way to test controls

Explain that auditors do not impact IR the estimate it

Explain that auditors do not impact CR, they estimate and verify it

Compute Risk of Material Misstatement (RMM) as IR * CR

Explain that DR is set based on desired AR and estimated RMM

Explain that DR is achieved by designing appropriate audit procedures

Apply the relationships between RMM and DR to achieve AR (e.g., more audit testing to obtain lower DR when RMM is

higher)

Explain how compensating controls may allow target DR (and associated substantive testing) to remain unchanged even

when a control deficiency is found

Explain why some audits are done based on CR estimates or 1 (no effective controls)

Understand that internal control testing may be done to meet regulation or compliance requirements

Week 4:

List elements included in the three IS Audit Phases as listed in FISCAM

Explain reasons why it is common practice and advantageous to have a multi-year audit plan

Explain and differentiate audit objectives and procedures with examples

Explain how audit criteria form the basis for sufficient and appropriate audit evidence

Recall that understanding of underlying business and IS processes is needed to plan and execute an audit

List, with examples, categories of subject matter risk as presented in ITAF 1202

Explain several salient points about fraud risk as it relates to auditing

List elements required in an audit report as per ITAF

Explain why it is important that guidelines are provided in ITAF regarding audit follow up activities