Auditor's Guide to IT Auditing, Second Edition

Book Description

Step-by-step guide to successful implementation and control of IT systems—including the Cloud

Many auditors are unfamiliar with the techniques they need to know to efficiently and effectively determine whether information systems are adequately protected. Now in a Second Edition, Auditor's Guide to IT Auditing presents an easy, practical guide for auditors that can be applied to all computing environments.

  • Follows the approach used by the Information System Audit and Control Association's model curriculum, making this book a practical approach to IS auditing

  • Serves as an excellent study guide for those preparing for the CISA and CISM exams

  • Includes discussion of risk evaluation methodologies, new regulations, SOX, privacy, banking, IT governance, CobiT, outsourcing, network management, and the Cloud

As networks and enterprise resource planning systems bring resources together, and as increasing privacy violations threaten more organizations, information systems integrity becomes more important than ever. Auditor's Guide to IT Auditing, Second Edition empowers auditors to effectively gauge the adequacy and effectiveness of information systems controls.

    Table of Contents

    1. Cover
    2. Series
    3. Title Page
    4. Copyright
    5. Dedication
    6. Preface
      1. CONTROLS IN MODERN COMPUTER SYSTEMS
      2. OVERALL FRAMEWORK
    7. Part I: IT Audit Process
      1. Chapter 1: Technology and Audit
        1. TECHNOLOGY AND AUDIT
        2. BATCH AND ONLINE SYSTEMS
        3. ELECTRONIC DATA INTERCHANGE
        4. ELECTRONIC BUSINESS
        5. CLOUD COMPUTING
      2. Chapter 2: IT Audit Function Knowledge
        1. INFORMATION TECHNOLOGY AUDITING
        2. WHAT IS MANAGEMENT?
        3. MANAGEMENT PROCESS
        4. UNDERSTANDING THE ORGANIZATION’S BUSINESS
        5. ESTABLISHING THE NEEDS
        6. IDENTIFYING KEY ACTIVITIES
        7. ESTABLISH PERFORMANCE OBJECTIVES
        8. DECIDE THE CONTROL STRATEGIES
        9. IMPLEMENT AND MONITOR THE CONTROLS
        10. EXECUTIVE MANAGEMENT’S RESPONSIBILITY AND CORPORATE GOVERNANCE
        11. AUDIT ROLE
        12. CONCEPTUAL FOUNDATION
        13. PROFESSIONALISM WITHIN THE IT AUDITING FUNCTION
        14. RELATIONSHIP OF INTERNAL IT AUDIT TO THE EXTERNAL AUDITOR
        15. RELATIONSHIP OF IT AUDIT TO OTHER COMPANY AUDIT ACTIVITIES
        16. AUDIT CHARTER
        17. CHARTER CONTENT
        18. OUTSOURCING THE IT AUDIT ACTIVITY
        19. REGULATION, CONTROL, AND STANDARDS
      3. Chapter 3: IT Risk and Fundamental Auditing Concepts
        1. COMPUTER RISKS AND EXPOSURES
        2. EFFECT OF RISK
        3. AUDIT AND RISK
        4. AUDIT EVIDENCE
        5. CONDUCTING AN IT RISK-ASSESSMENT PROCESS
        6. NIST SP 800 30 FRAMEWORK
        7. ISO 27005
        8. THE “CASCARINO CUBE”
        9. RELIABILITY OF AUDIT EVIDENCE
        10. AUDIT EVIDENCE PROCEDURES
        11. RESPONSIBILITIES FOR FRAUD DETECTION AND PREVENTION
        12. NOTES
      4. Chapter 4: Standards and Guidelines for IT Auditing
        1. IIA STANDARDS
        2. CODE OF ETHICS
        3. ADVISORY
        4. AIDS
        5. STANDARDS FOR THE PROFESSIONAL PERFORMANCE OF INTERNAL AUDITING
        6. ISACA STANDARDS
        7. ISACA CODE OF ETHICS
        8. COSO: INTERNAL CONTROL STANDARDS
        9. BS 7799 AND ISO 17799: IT SECURITY
        10. NIST
        11. BSI BASELINES
        12. NOTE
      5. Chapter 5: Internal Controls Concepts Knowledge
        1. INTERNAL CONTROLS
        2. COST/BENEFIT CONSIDERATIONS
        3. INTERNAL CONTROL OBJECTIVES
        4. TYPES OF INTERNAL CONTROLS
        5. SYSTEMS OF INTERNAL CONTROL
        6. ELEMENTS OF INTERNAL CONTROL
        7. MANUAL AND AUTOMATED SYSTEMS
        8. CONTROL PROCEDURES
        9. APPLICATION CONTROLS
        10. CONTROL OBJECTIVES AND RISKS
        11. GENERAL CONTROL OBJECTIVES
        12. DATA AND TRANSACTIONS OBJECTIVES
        13. PROGRAM CONTROL OBJECTIVES
        14. CORPORATE IT GOVERNANCE
        15. COSO AND INFORMATION TECHNOLOGY
        16. GOVERNANCE FRAMEWORKS
        17. NOTES
      6. Chapter 6: Risk Management of the IT Function
        1. NATURE OF RISK
        2. RISK-ANALYSIS SOFTWARE
        3. AUDITING IN GENERAL
        4. ELEMENTS OF RISK ANALYSIS
        5. DEFINING THE AUDIT UNIVERSE
        6. COMPUTER SYSTEM THREATS
        7. RISK MANAGEMENT
        8. NOTES
      7. Chapter 7: Audit Planning Process
        1. BENEFITS OF AN AUDIT PLAN
        2. STRUCTURE OF THE PLAN
        3. TYPES OF AUDIT
      8. Chapter 8: Audit Management
        1. PLANNING
        2. AUDIT MISSION
        3. IT AUDIT MISSION
        4. ORGANIZATION OF THE FUNCTION
        5. STAFFING
        6. IT AUDIT AS A SUPPORT FUNCTION
        7. PLANNING
        8. BUSINESS INFORMATION SYSTEMS
        9. INTEGRATED IT AUDITOR VERSUS INTEGRATED IT AUDIT
        10. AUDITEES AS PART OF THE AUDIT TEAM
        11. APPLICATION AUDIT TOOLS
        12. ADVANCED SYSTEMS
        13. SPECIALIST AUDITOR
        14. IT AUDIT QUALITY ASSURANCE
      9. Chapter 9: Audit Evidence Process
        1. AUDIT EVIDENCE
        2. AUDIT EVIDENCE PROCEDURES
        3. CRITERIA FOR SUCCESS
        4. STATISTICAL SAMPLING
        5. WHY SAMPLE?
        6. JUDGMENTAL (OR NON-STATISTICAL) SAMPLING
        7. STATISTICAL APPROACH
        8. SAMPLING RISK
        9. ASSESSING SAMPLING RISK
        10. PLANNING A SAMPLING APPLICATION
        11. CALCULATING SAMPLE SIZE
        12. QUANTITATIVE METHODS
        13. PROJECT-SCHEDULING TECHNIQUES
        14. SIMULATIONS
        15. COMPUTER-ASSISTED AUDIT SOLUTIONS
        16. GENERALIZED AUDIT SOFTWARE
        17. APPLICATION AND INDUSTRY-RELATED AUDIT SOFTWARE
        18. CUSTOMIZED AUDIT SOFTWARE
        19. INFORMATION-RETRIEVAL SOFTWARE
        20. UTILITIES
        21. ON-LINE INQUIRY
        22. CONVENTIONAL PROGRAMMING LANGUAGES
        23. MICROCOMPUTER-BASED SOFTWARE
        24. TEST TRANSACTION TECHNIQUES
      10. Chapter 10: Audit Reporting Follow-up
        1. AUDIT REPORTING
        2. INTERIM REPORTING
        3. CLOSING CONFERENCES
        4. WRITTEN REPORTS
        5. CLEAR WRITING TECHNIQUES
        6. PREPARING TO WRITE
        7. BASIC AUDIT REPORT
        8. EXECUTIVE SUMMARY
        9. DETAILED FINDINGS
        10. POLISHING THE REPORT
        11. DISTRIBUTING THE REPORT
        12. FOLLOW-UP REPORTING
        13. TYPES OF FOLLOW-UP ACTION
    8. Part II: Information Technology Governance
      1. Chapter 11: Management
        1. IT INFRASTRUCTURES
        2. PROJECT-BASED FUNCTIONS
        3. QUALITY CONTROL
        4. OPERATIONS AND PRODUCTION
        5. TECHNICAL SERVICES
        6. PERFORMANCE MEASUREMENT AND REPORTING
        7. MEASUREMENT IMPLEMENTATION
        8. NOTES
      2. Chapter 12: Strategic Planning
        1. STRATEGIC MANAGEMENT PROCESS
        2. STRATEGIC DRIVERS
        3. NEW AUDIT REVOLUTION
        4. LEVERAGING IT
        5. BUSINESS PROCESS RE-ENGINEERING MOTIVATION
        6. IT AS AN ENABLER OF RE-ENGINEERING
        7. DANGERS OF CHANGE
        8. SYSTEM MODELS
        9. INFORMATION RESOURCE MANAGEMENT
        10. STRATEGIC PLANNING FOR IT
        11. DECISION SUPPORT SYSTEMS
        12. STEERING COMMITTEES
        13. STRATEGIC FOCUS
        14. AUDITING STRATEGIC PLANNING
        15. DESIGN THE AUDIT PROCEDURES
        16. NOTE
      3. Chapter 13: Management Issues
        1. PRIVACY
        2. COPYRIGHTS, TRADEMARKS, AND PATENTS
        3. ETHICAL ISSUES
        4. CORPORATE CODES OF CONDUCT
        5. IT GOVERNANCE
        6. SARBANES-OXLEY ACT
        7. PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS
        8. HOUSEKEEPING
        9. NOTES
      4. Chapter 14: Support Tools and Frameworks
        1. GENERAL FRAMEWORKS
        2. COSO: INTERNAL CONTROL STANDARDS
        3. OTHER STANDARDS
        4. GOVERNANCE FRAMEWORKS
        5. NOTE
      5. Chapter 15: Governance Techniques
        1. CHANGE CONTROL
        2. PROBLEM MANAGEMENT
        3. AUDITING CHANGE CONTROL
        4. OPERATIONAL REVIEWS
        5. PERFORMANCE MEASUREMENT
        6. ISO 9000 REVIEWS
    9. Part III: Systems and Infrastructure Lifecycle Management
      1. Chapter 16: Information Systems Planning
        1. STAKEHOLDERS
        2. OPERATIONS
        3. SYSTEMS DEVELOPMENT
        4. TECHNICAL SUPPORT
        5. OTHER SYSTEM USERS
        6. SEGREGATION OF DUTIES
        7. PERSONNEL PRACTICES
        8. OBJECT-ORIENTED SYSTEMS ANALYSIS
        9. ENTERPRISE RESOURCE PLANNING
        10. CLOUD COMPUTING
        11. NOTES
      2. Chapter 17: Information Management and Usage
        1. WHAT ARE ADVANCED SYSTEMS?
        2. SERVICE DELIVERY AND MANAGEMENT
        3. COMPUTER-ASSISTED AUDIT TOOLS AND TECHNIQUES
        4. NOTES
      3. Chapter 18: Development, Acquisition, and Maintenance of Information Systems
        1. PROGRAMMING COMPUTERS
        2. PROGRAM CONVERSIONS
        3. SYSTEMS DEVELOPMENT EXPOSURES
        4. SYSTEMS DEVELOPMENT CONTROLS
        5. SYSTEMS DEVELOPMENT LIFECYCLE CONTROL: CONTROL OBJECTIVES
        6. MICRO-BASED SYSTEMS
        7. CLOUD COMPUTING APPLICATIONS
        8. NOTE
      4. Chapter 19: Impact of Information Technology on the Business Processes and Solutions
        1. IMPACT
        2. CONTINUOUS MONITORING
        3. BUSINESS PROCESS OUTSOURCING
        4. E-BUSINESS
        5. NOTES
      5. Chapter 20: Software Development
        1. DEVELOPING A SYSTEM
        2. CHANGE CONTROL
        3. WHY DO SYSTEMS FAIL?
        4. AUDITOR’S ROLE IN SOFTWARE DEVELOPMENT
      6. Chapter 21: Audit and Control of Purchased Packages and Services
        1. IT VENDORS
        2. REQUEST FOR INFORMATION
        3. REQUIREMENTS DEFINITION
        4. REQUEST FOR PROPOSAL
        5. INSTALLATION
        6. SYSTEMS MAINTENANCE
        7. SYSTEMS MAINTENANCE REVIEW
        8. OUTSOURCING
        9. SAS 70 REPORTS
      7. Chapter 22: Audit Role in Feasibility Studies and Conversions
        1. FEASIBILITY SUCCESS FACTORS
        2. CONVERSION SUCCESS FACTORS
      8. Chapter 23: Audit and Development of Application Controls
        1. WHAT ARE SYSTEMS?
        2. CLASSIFYING SYSTEMS
        3. CONTROLLING SYSTEMS
        4. CONTROL STAGES
        5. CONTROL OBJECTIVES OF BUSINESS SYSTEMS
        6. GENERAL CONTROL OBJECTIVES
        7. CAATS AND THEIR ROLE IN BUSINESS SYSTEMS AUDITING
        8. COMMON PROBLEMS
        9. AUDIT PROCEDURES
        10. CAAT USE IN NON-COMPUTERIZED AREAS
        11. DESIGNING AN APPROPRIATE AUDIT PROGRAM
    10. Part IV: Information Technology Service Delivery and Support
      1. Chapter 24: Technical Infrastructure
        1. AUDITING THE TECHNICAL INFRASTRUCTURE
        2. INFRASTRUCTURE CHANGES
        3. COMPUTER OPERATIONS CONTROLS
        4. OPERATIONS EXPOSURES
        5. OPERATIONS CONTROLS
        6. PERSONNEL CONTROLS
        7. SUPERVISORY CONTROLS
        8. INFORMATION SECURITY
        9. OPERATIONS AUDITS
        10. NOTES
      2. Chapter 25: Service-Center Management
        1. PRIVATE SECTOR PREPAREDNESS (PS PREP)
        2. CONTINUITY MANAGEMENT AND DISASTER RECOVERY
        3. MANAGING SERVICE-CENTER CHANGE
        4. NOTES
    11. Part V: Protection of Information Assets
      1. Chapter 26: Information Assets Security Management
        1. WHAT IS INFORMATION SYSTEMS SECURITY?
        2. CONTROL TECHNIQUES
        3. WORKSTATION SECURITY
        4. PHYSICAL SECURITY
        5. LOGICAL SECURITY
        6. USER AUTHENTICATION
        7. COMMUNICATIONS SECURITY
        8. ENCRYPTION
        9. HOW ENCRYPTION WORKS
        10. ENCRYPTION WEAKNESSES
        11. POTENTIAL ENCRYPTION
        12. DATA INTEGRITY
        13. DOUBLE PUBLIC KEY ENCRYPTION
        14. STEGANOGRAPHY
        15. INFORMATION SECURITY POLICY
        16. NOTES
      2. Chapter 27: Logical Information Technology Security
        1. COMPUTER OPERATING SYSTEMS
        2. TAILORING THE OPERATING SYSTEM
        3. AUDITING THE OPERATING SYSTEM
        4. SECURITY
        5. CRITERIA
        6. SECURITY SYSTEMS: RESOURCE ACCESS CONTROL FACILITY
        7. AUDITING RACF
        8. ACCESS CONTROL FACILITY 2
        9. TOP SECRET
        10. USER AUTHENTICATION
        11. BYPASS MECHANISMS
        12. SECURITY TESTING METHODOLOGIES
        13. NOTES
      3. Chapter 28: Applied Information Technology Security
        1. COMMUNICATIONS AND NETWORK SECURITY
        2. NETWORK PROTECTION
        3. HARDENING THE OPERATING ENVIRONMENT
        4. CLIENT SERVER AND OTHER ENVIRONMENTS
        5. FIREWALLS AND OTHER PROTECTION RESOURCES
        6. INTRUSION-DETECTION SYSTEMS
        7. NOTE
      4. Chapter 29: Physical and Environmental Security
        1. CONTROL MECHANISMS
        2. IMPLEMENTING THE CONTROLS
    12. Part VI: Business Continuity and Disaster Recovery
      1. Chapter 30: Protection of the Information Technology Architecture and Assets: Disaster-Recovery Planning
        1. RISK REASSESSMENT
        2. DISASTER—BEFORE AND AFTER
        3. CONSEQUENCES OF DISRUPTION
        4. WHERE TO START
        5. TESTING THE PLAN
        6. AUDITING THE PLAN
      2. Chapter 31: Displacement Control
        1. INSURANCE
        2. SELF-INSURANCE
    13. Part VII: Advanced IT Auditing
      1. Chapter 32: Auditing E-commerce Systems
        1. E-COMMERCE AND ELECTRONIC DATA INTERCHANGE: WHAT IS IT?
        2. OPPORTUNITIES AND THREATS
        3. RISK FACTORS
        4. THREAT LIST
        5. SECURITY TECHNOLOGY
        6. “LAYER” CONCEPT
        7. AUTHENTICATION
        8. ENCRYPTION
        9. TRADING PARTNER AGREEMENTS
        10. RISKS AND CONTROLS WITHIN EDI AND E-COMMERCE
        11. E-COMMERCE AND AUDITABILITY
        12. COMPLIANCE AUDITING
        13. E-COMMERCE AUDIT APPROACH
        14. AUDIT TOOLS AND TECHNIQUES
        15. AUDITING SECURITY CONTROL STRUCTURES
        16. COMPUTER-ASSISTED AUDIT TECHNIQUES
        17. NOTES
      2. Chapter 33: Auditing UNIX/Linux
        1. HISTORY
        2. SECURITY AND CONTROL IN A UNIX/LINUX SYSTEM
        3. ARCHITECTURE
        4. UNIX SECURITY
        5. SERVICES
        6. DAEMONS
        7. AUDITING UNIX
        8. SCRUTINY OF LOGS
        9. AUDIT TOOLS IN THE PUBLIC DOMAIN
        10. UNIX PASSWORD FILE
        11. AUDITING UNIX PASSWORDS
      3. Chapter 34: Auditing Windows VISTA and Windows 7
        1. HISTORY
        2. NT AND ITS DERIVATIVES
        3. AUDITING WINDOWS VISTA/WINDOWS 7
        4. PASSWORD PROTECTION
        5. VISTA/WINDOWS 7
        6. SECURITY CHECKLIST
      4. Chapter 35: Foiling the System Hackers
      5. Chapter 36: Preventing and Investigating Information Technology Fraud
        1. PREVENTING FRAUD
        2. INVESTIGATION
        3. IDENTITY THEFT
        4. NOTE
    14. Appendix A: Ethics and Standards for the IS Auditor
      1. ISACA CODE OF PROFESSIONAL ETHICS
      2. RELATIONSHIP OF STANDARDS TO GUIDELINES AND PROCEDURES
    15. Appendix B: Audit Program for Application Systems Auditing
    16. Appendix C: Logical Access-Control Audit Program
    17. Appendix D: Audit Program for Auditing UNIX/Linux Environments
    18. Appendix E: Audit Program for Auditing Windows VISTA and Windows 7 Environments
    19. About the Author
    20. About the Website
    21. Index