
Auditor’s Guide to Information Systems Auditing
Richard E. Cascarino
John Wiley & Sons, Inc.



This book is printed on acid-free paper.

Copyright © 2007 John Wiley & Sons, Inc. All rights reserved.

Wiley Bicentennial Logo: Richard J. Pacifico.

Published by John Wiley & Sons, Inc., Hoboken, New Jersey.

Published simultaneously in Canada.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400, fax 978-646-8600, or on the web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, 201-748-6011, fax 201-748-6008, or online at http://www.wiley.com/go/permissions.

Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.

For general information on our other products and services, or technical support, please contact our Customer Care Department within the United States at 800-762-2974, outside the United States at 317-572-3993 or fax 317-572-4002.

Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic books.

For more information about Wiley products, visit our Web site at http://www.wiley.com.

Library of Congress Cataloging-in-Publication Data

Cascarino, Richard.
Auditor’s guide to information systems auditing / Richard E. Cascarino.
p. cm.
Includes index.
ISBN: 978-0-470-00989-5 (cloth : alk. paper)
1. Electronic data processing—Auditing. I. Title.
QA76.9.A93C37 2007
658’.0558—dc22
2006033470

Printed in the United States of America
10 9 8 7 6 5 4 3 2 1

www.wiley.com

Dedication

I wish to take this opportunity to dedicate this book to my wife Max who has, over the last 33 years, put up with my bad temper when the computer would not do what I programmed it to do; my ego when it did eventually work; my despair when the system crashed again and again, and my complacency when the problems were solved.

I would also like to thank those who molded my career over the years, particularly Jim Leary for showing me what an IS manager could be and Scotch Duncan Anderson for showing me what an Internal Auditor should be.

Contents

PREFACE xix
ABOUT THE CD xxxiii

PART I  IS Audit Process 1

CHAPTER 1  Technology and Audit 3
  Technology and Audit 4
  Batch and On-Line Systems 9

CHAPTER 2  IS Audit Function Knowledge 24
  Information Systems Auditing 24
  What Is Management? 25
  Management Process 25
  Understanding the Organization’s Business 26
  Establishing the Needs 26
  Identifying Key Activities 26
  Establish Performance Objectives 27
  Decide The Control Strategies 27
  Implement and Monitor the Controls 27
  Executive Management’s Responsibility and Corporate Governance 28
  Audit Role 28
  Conceptual Foundation 29
  Professionalism within the IS Auditing Function 29
  Relationship of Internal IS Audit to the External Auditor 30
  Relationship of IS Audit to Other Company Audit Activities 30
  Audit Charter 30
  Charter Content 31
  Outsourcing the IS Audit Activity 31
  Regulation, Control, and Standards 32

CHAPTER 3  IS Risk and Fundamental Auditing Concepts 33
  Computer Risks and Exposures 33
  Effect of Risk 35
  Audit and Risk 37
  Audit Evidence 39
  Reliability of Audit Evidence 39
  Audit Evidence Procedures 40
  Responsibilities for Fraud Detection and Prevention 41

CHAPTER 4  Standards and Guidelines for IS Auditing 43
  IIA Standards 43
  Code of Ethics 44
  Advisory 46
  Aids 46
  Standards for the Professional Performance of Internal Auditing 47
  ISACA Standards 47
  ISACA Code of Ethics 49
  COSO: Internal Control Standards 49
  BS 7799 and ISO 17799: IT Security 51
  NIST 53
  BSI Baselines 54

CHAPTER 5  Internal Controls Concepts Knowledge 57
  Internal Controls 57
  Cost/Benefit Considerations 59
  Internal Control Objectives 59
  Types Of Internal Controls 61
  Systems of Internal Control 62
  Elements of Internal Control 63
  Manual and Automated Systems 64
  Control Procedures 65
  Application Controls 65
  Control Objectives and Risks 66
  General Control Objectives 67
  Data and Transactions Objectives 67
  Program Control Objectives 68
  Corporate IT Governance 69

CHAPTER 6  Risk Management of the IS Function 75
  Nature of Risk 75
  Auditing in General 76
  Elements of Risk Analysis 78
  Defining the Audit Universe 79
  Computer System Threats 81
  Risk Management 83

CHAPTER 7  Audit Planning Process 88
  Benefits of an Audit Plan 88
  Structure of the Plan 93
  Types of Audit 96

CHAPTER 8  Audit Management 98
  Planning 98
  Audit Mission 99
  IS Audit Mission 99
  Organization of the Function 100
  Staffing 101
  IS Audit as a Support Function 103
  Planning 103
  Business Information Systems 104
  Integrated IS Auditor vs Integrated IS Audit 104
  Auditees as Part of the Audit Team 106
  Application Audit Tools 107
  Advanced Systems 107
  Specialist Auditor 107
  IS Audit Quality Assurance 108

CHAPTER 9  Audit Evidence Process 109
  Audit Evidence 109
  Audit Evidence Procedures 109
  Criteria for Success 110
  Statistical Sampling 112
  Why Sample? 112
  Judgmental (or Non-Statistical) Sampling 113
  Statistical Approach 114
  Sampling Risk 114
  Assessing Sampling Risk 116
  Planning a Sampling Application 116
  Calculating Sample Size 119
  Quantitative Methods 122
  Project Scheduling Techniques 125
  Simulations 127
  Computer Assisted Audit Solutions 128
  Generalized Audit Software 129
  Application and Industry-Related Audit Software 130
  Customized Audit Software 130
  Information Retrieval Software 131
  Utilities 131
  On-Line Inquiry 131
  Conventional Programming Languages 131
  Microcomputer-Based Software 132
  Test Transaction Techniques 132

CHAPTER 10  Audit Reporting Follow-up 134
  Audit Reporting 134
  Interim Reporting 135
  Closing Conferences 135
  Written Reports 135
  Clear Writing Techniques 136
  Preparing To Write 138
  Basic Audit Report 139
  Executive Summary 140
  Detailed Findings 140
  Polishing the Report 142
  Distributing the Report 142
  Follow-Up Reporting 143
  Types of Follow-Up Action 144

PART II  Information Systems/Information Technology Governance 145

CHAPTER 11  Management 147
  IS Infrastructures 147
  Project-Based Functions 148
  Quality Control 154
  Operations and Production 155
  Technical Services 156
  Performance Measurement and Reporting 156
  Measurement Implementation 158

CHAPTER 12  Strategic Planning 164
  Strategic Management Process 164
  Strategic Drivers 165
  New Audit Revolution 166
  Leveraging IS 166
  Business Process Re-Engineering Motivation 167
  IS as an Enabler of Re-Engineering 168
  Dangers of Change 168
  System Models 169
  Information Resource Management 170
  Strategic Planning for IS 171
  Decision Support Systems 173
  Steering Committees 174
  Strategic Focus 174
  Auditing Strategic Planning 175
  Design the Audit Procedures 176

CHAPTER 13  Management Issues 177
  Privacy 179
  Copyrights, Trademarks, and Patents 180
  Ethical Issues 181
  Corporate Codes of Conduct 182
  IT Governance 184
  Sarbanes-Oxley Act 186
  Housekeeping 186

CHAPTER 14  Support Tools and Frameworks 188
  General Frameworks 188
  COSO: Internal Control Standards 192
  Other Standards 193

CHAPTER 15  Governance Techniques 196
  Change Control 196
  Problem Management 198
  Auditing Change Control 199
  Operational Reviews 199
  Performance Measurement 200
  ISO 9000 Reviews 201

PART III  Systems and Infrastructure Lifecycle Management 205

CHAPTER 16  Information Systems Planning 207
  Stakeholders 207
  Operations 208
  Systems Development 209
  Technical Support 210
  Other System Users 212
  Segregation of Duties 212
  Personnel Practices 214
  Object-Oriented Systems Analysis 215
  Enterprise Resource Planning 216

CHAPTER 17  Information Management and Usage 218
  What Are Advanced Systems? 218
  Service Delivery and Management 221

CHAPTER 18  Development, Acquisition, and Maintenance of Information Systems 227
  Programming Computers 227
  Program Conversions 229
  System Failures 229
  Systems Development Exposures 232
  Systems Development Controls 233
  Systems Development Life Cycle Control: Control Objectives 233
  Micro-Based Systems 235

CHAPTER 19  Impact of Information Technology on the Business Processes and Solutions 236
  Impact 236
  Continuous Monitoring 237
  Business Process Outsourcing 238
  E-Business 239

CHAPTER 20  Software Development 241
  Developing a System 241
  Change Control 245
  Why Do Systems Fail? 247
  Auditor’s Role in Software Development 249

CHAPTER 21  Audit and Control of Purchased Packages 251
  Information Systems Vendors 252
  Request For Information 253
  Requirements Definition 254
  Request For Proposal 255
  Installation 256
  Systems Maintenance 257
  Systems Maintenance Review 257
  Outsourcing 258

CHAPTER 22  Audit Role in Feasibility Studies and Conversions 259
  Feasibility Success Factors 259
  Conversion Success Factors 263

CHAPTER 23  Audit and Development of Application Controls 264
  What Are Systems? 264
  Classifying Systems 265
  Controlling Systems 266
  Control Stages 266
  System Models 266
  Information Resource Management 267
  Control Objectives of Business Systems 268
  General Control Objectives 269
  CAATS and their Role in Business Systems Auditing 271
  Common Problems 274
  Audit Procedures 274
  CAAT Use in Non-Computerized Areas 275
  Designing an Appropriate Audit Program 275

PART IV  Information Technology Service Delivery and Support 277

CHAPTER 24  Technical Infrastructure 279
  Auditing the Technical Infrastructure 282
  Computer Operations Controls 284
  Operations Exposures 285
  Operations Controls 286
  Personnel Controls 286
  Supervisory Controls 286
  Operations Audits 287

CHAPTER 25  Service Center Management 289
  Continuity Management and Disaster Recovery 289
  Managing Service Center Change 293

PART V  Protection of Information Assets 295

CHAPTER 26  Information Assets Security Management 297
  What Is Information Systems Security? 297
  Control Techniques 300
  Workstation Security 301
  Physical Security 301
  Logical Security 301
  User Authentication 302
  Communications Security 302
  Encryption 302
  How Encryption Works 303
  Encryption Weaknesses 304
  Potential Encryption 305
  Data Integrity 305
  Double Public Key Encryption 306
  Steganography 307
  Information Security Policy 308

CHAPTER 27  Logical Information Technology Security 310
  Computer Operating Systems 310
  Tailoring the Operating System 311
  Auditing the Operating System 312
  Security 313
  Criteria 314
  Security Systems: Resource Access Control Facility 314
  Auditing RACF 315
  Access Control Facility 2 316
  Top Secret 317
  User Authentication 318
  Bypass Mechanisms 319

CHAPTER 28  Applied Information Technology Security 321
  Communications and Network Security 321
  Network Protection 323
  Hardening the Operating Environment 324
  Client Server and Other Environments 325
  Firewalls and Other Protection Resources 326
  Intrusion Detection Systems 329

CHAPTER 29  Physical and Environmental Security 330
  Control Mechanisms 332
  Implementing the Controls 336

PART VI  Business Continuity and Disaster Recovery 337

CHAPTER 30  Protection of the Information Technology Architecture and Assets: Disaster Recovery Planning 339
  Risk Reassessment 341
  Disaster—Before and After 341
  Consequences of Disruption 343
  Where to Start 344
  Testing the Plan 345
  Auditing the Plan 346

CHAPTER 31  Insurance 349
  Self-Insurance 353

PART VII  Advanced IS Auditing 355

CHAPTER 32  Auditing E-commerce Systems 357
  E-Commerce and Electronic Data Interchange: What Is It? 357
  Opportunities and Threats 358
  Risk Factors 362
  Threat List 363
  Security Technology 363
  “Layer” Concept 363
  Authentication 364
  Encryption 364
  Trading Partner Agreements 366
  Risks and Controls within EDI and E-Commerce 366
  Nonrepudiation 367
  E-Commerce and Auditability 368
  Compliance Auditing 369
  E-Commerce Audit Approach 370
  Audit Tools and Techniques 371
  Auditing Security Control Structures 372
  Computer Assisted Audit Techniques 372

CHAPTER 33  Auditing UNIX/Linux 374
  History 374
  Security and Control in a UNIX/Linux System 377
  Architecture 377
  UNIX Security 378
  Services 379
  Daemons 380
  Auditing UNIX 380
  Scrutiny of Logs 381
  Audit Tools in the Public Domain 381
  UNIX passwd File 382
  Auditing UNIX Passwords 383

CHAPTER 34  Auditing Windows 385
  History 385
  NT and Its Derivatives 386
  Auditing Windows 23 388
  Password Protection 389
  File Sharing 390
  Security Checklist 391

CHAPTER 35  Foiling the System Hackers 393

CHAPTER 36  Investigating Information Technology Fraud 397
  Pre-Incident Preparation 399
  Detection of Incidents 401
  Initial Response 401
  Forensic Backups 403
  Investigation 404
  Network Monitoring 404
  Identity Theft 405

APPENDICES

APPENDIX A  Ethics and Standards for the IS Auditor 407
  ISACA Code of Professional Ethics 407
  Relationship of Standards to Guidelines and Procedures 408

APPENDIX B  Audit Program for Application Systems Auditing 410

APPENDIX C  Logical Access Control Audit Program 432

APPENDIX D  Audit Program for Auditing UNIX/Linux Environments 446

APPENDIX E  Audit Program for Auditing Windows XP/2000 Environments 454

Index 463

Preface

In today’s business environment, computers are continuing the revolution started in the 1950s. Size and capacity of the equipment grows on an exponential curve, with the reduction in cost and size ensuring that organizations take advantage of this to develop more effective and responsive systems, which allow them to seek to gain competitive advantage by interfacing more closely with their customers.

Net technologies such as electronic data interchange (EDI), electronic funds transfers (EFTs), and E-commerce have fundamentally changed the nature of business itself and, as a result, organizations have become more computer dependent. The radical changes to business are matched only by their impact on society.

It has become impossible for today’s enterprises of any size and in any market sector to exist without computers to assist with their fundamental business operations. Even the old adage that “we can always go back to manual operations” is today a fallacy. The nature of today’s business environment obviates that option. Even the smallest businesses have found that the advent of personal computers (PCs) with increased capabilities and processing speed, while at the same time reduced pricing and sophisticated PC software, has revolutionized the concept of what a small business is.

In order for organizations to take full advantage of the new facilities that computers can offer, it is important that their systems can be controlled and are dependable. They require that their auditors confirm that this is the case. The modern auditor therefore requires significantly more knowledge of computers and computer auditing than did auditors of earlier years.

CONTROLS IN MODERN COMPUTER SYSTEMS

The introduction of the computer has brought fundamental changes to the ways organizations process data. Computer systems:

■ Are frequently much more complex than manual systems, the larger systems at least requiring a number of highly skilled computer technicians to develop and maintain them.

■ Process large volumes of data at high speed, and can transmit data effectively instantaneously over extreme distances, commonly between continents.

■ Hold data in electronic form, which, without the appropriate tools and techniques, is often more complex for the auditor to access than paper records. In addition, modern systems have reduced the volumes of printed outputs by the incorporation of on-line access and on-line inquiry facilities. Indeed, many modern EDI-type systems have no paper audit trail whatsoever.

■ Process data with much less manual intervention than manual systems. In fact, large parts of sophisticated systems now process data with no manual intervention at all. In the past, the main justification for computerization was frequently to reduce the number of staff required to operate the business. With modern decision support and integrated systems, this is becoming a reality not at the clerical level, but at the decision-making and control level. This can have the effect that the fundamental business controls previously relied upon by the auditor, such as segregation of duties or management authorization, may no longer be carried out as previously and must be audited in a different manner. In computer systems, the user profile of the member of staff as defined within the system’s access rights will generally control the division of duties, while managerial authorities are, in many cases, built into systems themselves.

■ Process consistently in accordance with their programs, providing the computer has been programmed correctly and change control is effective.

■ In large minicomputer and mainframe systems, there is a significant concentration of risk in locating the organization’s information resource in one format although not necessarily in one place. Organizations then become totally reliant on their computer system and must be able to recover from failure or the destruction of their computer system swiftly and with minimal business disruption.

■ Are often subject to different legal constraints and burdens of proof than manual systems.

These changes brought about by computerization can greatly increase the opportunity for auditors to deliver a quality service by concentrating the risk and allowing the auditors to correspondingly concentrate their efforts. For example, harnessing the power of the computer to analyze large volumes of data in the way the auditor requires is commonly now the only practical way of analyzing corporate data, and this was not only impractical but also impossible while data was spread around the organization in a myriad of forms.

In addition, the use of computer systems with built-in programmed procedures permits the auditor to adopt a systems approach to auditing, in that the controls within the computer system process in a more consistent manner than a manual system. In manual systems the quality of the control procedure can change on a day-by-day basis, depending on the quality of the staff and their consistency of working. This can result in the auditor having to undertake a substantial amount of checking of transactions to confirm transactions have processed correctly.

Controls within computer systems are commonly classified in two main subdivisions:

1. General controls. The controls governing the environment in which the computer system is developed, maintained, and operated, and within which the application controls operate. These controls include the systems development standards operated by the organization, the controls that apply to the operation of the computer installation, and those governing the functioning of systems software. They have a pervasive effect on all application systems.

2. Application controls. The controls, both manual and computerized, within the business application to ensure that data is processed completely, accurately, and in a timely manner. Application controls are typically specific to the business application and include:

■ Input controls such as data validation and batching
■ Run-to-run controls to check file totals at key stages in processing, and controls over output
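The input and run-to-run controls just listed are easiest to understand when seen working over a batch. The following is an added illustration, not code from the book: a constructed batch of four transactions arrives with header control totals (record count, value total, and a hash total of account numbers), each record is validated, and every processing stage must hand on totals that reconcile with what it received. The stage functions and field rules are hypothetical; the faulty stages show which control catches a dropped record and which catches a substituted account.

```python
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Txn:
    account: str      # constructed 8-digit account number
    amount: Decimal   # signed monetary amount, two decimal places


@dataclass(frozen=True)
class ControlTotals:
    count: int        # record count: detects dropped or duplicated records
    value: Decimal    # value total: detects altered amounts
    hash_total: int   # sum of account numbers; meaningless as a figure, but it
                      # detects a record whose account changed while the amount did not


def compute_totals(txns):
    """Recompute the three control totals from the records actually present.
    Non-numeric accounts are excluded from the hash; validate_record reports them."""
    return ControlTotals(
        count=len(txns),
        value=sum((t.amount for t in txns), Decimal("0")),
        hash_total=sum(int(t.account) for t in txns if t.account.isdigit()),
    )


def validate_record(t):
    """Input control: field-level validation. Returns the problems found (empty if valid).
    The 8-digit rule and the amount limit are assumed rules for this illustration."""
    problems = []
    if not (t.account.isdigit() and len(t.account) == 8):
        problems.append(f"account {t.account!r} is not an 8-digit number")
    if t.amount == 0 or abs(t.amount) > Decimal("1000000"):
        problems.append(f"amount {t.amount} is zero or outside the permitted range")
    elif t.amount != t.amount.quantize(Decimal("0.01")):
        problems.append(f"amount {t.amount} has more than two decimal places")
    return problems


def reconcile(expected, actual, stage):
    """Run-to-run control: compare totals carried forward with totals recomputed here."""
    return [
        f"{stage}: {field} expected {getattr(expected, field)}, got {getattr(actual, field)}"
        for field in ("count", "value", "hash_total")
        if getattr(expected, field) != getattr(actual, field)
    ]


def process_batch(header, txns, stages):
    """Run a batch through `stages`, each (name, function list -> list) that must
    preserve the control totals. Returns (balanced, rejections, differences)."""
    rejections, differences = [], []
    # Batch control: the batch as submitted must agree with the totals on its header.
    differences += reconcile(header, compute_totals(txns), "batch header")
    # Input validation: reject bad records; what is accepted becomes the carried-forward total.
    accepted = []
    for t in txns:
        problems = validate_record(t)
        if problems:
            rejections.append(f"{t.account}: {'; '.join(problems)}")
        else:
            accepted.append(t)
    carried = compute_totals(accepted)
    # Run-to-run: every stage must hand on, in total, exactly what it received.
    current = accepted
    for name, stage in stages:
        current = stage(current)
        stage_diffs = reconcile(carried, compute_totals(current), name)
        differences += stage_diffs
        if stage_diffs:
            break  # do not carry an out-of-balance file into later stages
    return not differences, rejections, differences


# Constructed sample batch; the last record has a malformed account number.
BATCH = [
    Txn("10000001", Decimal("250.00")),
    Txn("10000002", Decimal("-75.50")),
    Txn("10000003", Decimal("1200.25")),
    Txn("1000000X", Decimal("10.00")),
]
# Header totals as the submitting department would compute them over all four records.
HEADER = ControlTotals(count=4, value=Decimal("1384.75"), hash_total=30000006)


def sort_by_account(txns):        # a well-behaved stage: reorders, loses nothing
    return sorted(txns, key=lambda t: t.account)


def lossy_post(txns):             # a faulty stage: silently drops the last record
    return txns[:-1]


def substituting_post(txns):      # a faulty stage: count and value unchanged, one account changed
    return [Txn("10000009", txns[0].amount)] + txns[1:]


if __name__ == "__main__":
    for label, stages in [("clean run", [("sort", sort_by_account)]),
                          ("dropped record", [("sort", sort_by_account), ("post", lossy_post)]),
                          ("substituted account", [("post", substituting_post)])]:
        balanced, rejected, diffs = process_batch(HEADER, BATCH, stages)
        print(label, "balanced" if balanced else "OUT OF BALANCE", rejected, diffs)
```

Only the hash total exposes the substituted account, which is why batch headers carry a hash total alongside the count and value.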

Ultimately, the auditor’s job is to determine if the application systems function as intended, the integrity, accuracy, and completeness of the data is well controlled, and report any significant discrepancies. The integrity of the data relies on the adequacy of the application controls. However, application controls are totally dependent on the integrity of the general controls over the environment within which the application is developed and run.

In the past, the auditor has often assumed a considerable degree of reliance on controls around the computer, that is, in the application controls. This is sometimes referred to as auditing “around” the computer, because the auditor concentrates on the input and output from the computer, rather than what happens in the computer.

This has never been truly justified but has become, over recent years, a lethal assumption.

With the spread of on-line and real-time working, and of the increasing capacity of fixed disks, all of the organization’s data is commonly permanently loaded on the computer system and accessible from a variety of places, with only systems software controls preventing access to the data. This system is increasing in technical complexity and the ability to utilize any implemented weaknesses is also growing.

It is critical that the auditor is assured of the integrity of the computer operational environment within which the applications systems function. This means that the auditor must become knowledgeable in the facilities provided in key systems software in the organization being audited.

This book is designed for those who need to gain a practical working knowledge of the risks and control opportunities within an IT environment, and the auditing of that environment. Readers who will find the text particularly useful include professionals and students within the fields of:

■ IT security
■ IT audit
■ Internal audit
■ External audit
■ Management information systems
■ General business management

Overall, this book contains the information required by anyone who is, or expects to be, accountable to management for the successful implementation and control of information systems.

It is intended that the text within this book forms the foundation for a learning experience, as well as being your reference manual and student text. The emphasis is therefore on both the principles and techniques as well as the practical implementation through the use of realistic case studies.

OVERALL FRAMEWORK

Within the book the terms Information Technology (IT) and Information Systems (IS) are both used because both are in common use to mean virtually identical functions. The book is split into eight sections, namely:

Part I—IS Audit Process

This part covers the introduction to the technology and auditing involved with the modern computer systems. It seeks to establish common frames of reference for all IT students by establishing a baseline of technological understanding as well as an understanding of risks, control objectives, and standards, all concepts essential to the audit function. Internal control concepts and the planning and management of the audit process in order to obtain the appropriate evidence of the achievement of the control objectives are explained, as is the audit reporting process.

Chapter 1 covers the basics of technology and audit. The chapter is intended to give readers an understanding of the technology in use in business as well as knowledge of the jargon and its meaning. It covers the components of control within an IT environment and explains who the main players are and what their role is within this environment.

Chapter 2 looks at the laws and regulations governing IS Audit and the nature and role of the audit charter. It reviews the varying nature of audit and the demand for audits as well as the need for control and audit of computer-based IS. The types of audit and auditor and the range of services to be provided are reviewed together with the standards and codes of ethics of both the Institute of Internal Auditors (IIA) and the standards specified by the Information Systems Audit and Control Association (ISACA).

Chapter 3 explores the concepts of materiality within the IS Audit function and contrasts materiality as it is commonly applied to financial statement audits such as those performed by independent external auditors. In this context, the quality and types of evidence required to meet the definitions of sufficiency, reliability, and relevancy are examined. The risks involved in examining evidence to arrive at an audit conclusion are reviewed, as are the need to maintain the independence and objectivity of the auditor and the auditor’s responsibility for fraud detection in both an IT and non-IT setting.

Chapter 4 explores in detail the ISACA Code of Professional Ethics and the current ISACA IS Auditing Standards and Guidelines as well as the IIA Code of Ethics, Standards for the Professional Practice of Internal Auditing, and Practice Advisories. In addition, standards and guidelines other than the ISACA and IIA models are explored.

Chapter 5 introduces the concepts of corporate governance with particular attention to the implications within an IT environment and the impact on IS Auditors. Criteria of Control (COCO), Committee of Sponsoring Organizations of the Treadway Commission (COSO), King, Sarbanes-Oxley Act of 2002, and other recent legislative impacts are examined together with the structuring of controls to achieve conformity to these structures. Control classifications are examined in detail together with both general and application controls. Particular attention is paid to COBIT (Control Objectives for Information and Related Technology) from both a structural and relevance perspective.

Chapter 6 introduces the concept of computer risks and exposures and includes the development of an understanding of the major types of risks faced by the IT function including the sources of such risk as well as the causes. It also emphasizes management’s role in adopting a risk position, which itself necessitates a knowledge of the acceptable management responses to computer risks. One of the most fundamental influencing factors in IT auditing is the issue of corporate risk. This chapter examines risk and its nature within the corporate environment and looks at the internal audit need for the appropriate risk analysis to enable risk-based auditing as an integrated approach. This includes the effect of computer risks, the common risk factors, and the elements required to complete a computer risk analysis.

Chapter 7 examines the Audit Planning Process at both a strategic and tactical level. The use of risk-based auditing and risk assessment methods and standards are covered. The preliminary evaluation of internal controls via the appropriate information gathering and control evaluation techniques as a fundamental component of the audit plan, and the design of the audit plan to achieve a variety of audit scopes, are detailed.

Chapter 8 looks at audit management and its resource allocation and prioritization in the planning and execution of assignments. The management of IS Audit quality through techniques such as peer reviews and best practice identification is explored. The human aspects of management in the forms of career development and career path planning, performance assessment, counselling, and feedback as well as professional development through certifications, professional involvement, and training (both internal and external) are reviewed.

Chapter 9 exposes the fundamental audit evidence process and the gathering of evidence that may be deemed to be sufficient, reliable, relevant, and useful. Evidence gathering techniques such as observation, inquiry, interviewing, and testing are examined and the techniques of compliance versus substantive testing are contrasted. The complex area of statistical and nonstatistical sampling techniques and the design and selection of samples and evaluation of sample results are examined. The essential techniques of computer assisted audit techniques (CAATs) are covered and a case study using the software provided is detailed.

Chapter 10 covers audit reporting and follow-up. The form and content of an audit report are detailed and its purpose, structure, content, and style as dictated by the desired effect on its intended recipient for a variety of types of opinion are considered, as well as the follow-up to determine management’s actions to implement recommendations.

  • Part II—Information Systems/Information TechnologyGovernance

    This part details the processes involved in planning and managing theIS function and the management issues faced in a modern IS depart-ment. The techniques used by management and the support tools andframeworks are examined with respect to the need for control withinthe processes.

    Chapter 11 covers IT project management, risk managementincluding economic, social, cultural, and technology risk managementas well as software quality control management, the management ofIT infrastructure, alternative IT architectures and configuration, andthe management of IT delivery (operations) and support (mainte-nance). Performance measurement and reporting and the IT balancedscorecard are also covered as are the use of outsourcing, the imple-mentation of IT quality assurance, and the sociotechnical and culturalapproach to management.

    Chapter 12 examines IS/IT strategic planning and looks at com-petitive strategies and business intelligence and their link to corporatestrategy. These, in turn, influence the development of strategic infor-mation systems frameworks and applications. Strategic planning alsoincludes the management of IT human resources, employee policies,agreements, contracts, segregation of duties within IT, and the imple-mentation of effective IS/IT training and education.

    Chapter 13 looks at the broader IS/IT management issues includ-ing the legal issues relating to the introduction of IT to the enterprise,intellectual property issues in cyberspace: trademarks, copyrights,patents as well as ethical issues, rights to privacy, and the implemen-tation of effective IT governance.

    Chapter 14 introduces the need for support tools and frameworks such as COBIT: Management Guidelines, a framework for IT/IS managers, and COBIT: Audit’s Use in Support of the Business Support Cycle. International standards and good practices such as ISO 17799, ITIL, privacy standards, COSO, COCO, Cadbury, King, and Sarbanes-Oxley also play a vital role in ensuring the appropriate governance.

    Chapter 15 covers the need for, and use of, techniques such as change control reviews, operational reviews, and ISO 9000 reviews.


  • Part III—Systems and Infrastructure Lifecycle Management

    IT is essential to an organization only in so far as it can effectively assist in the achievement of the business objectives. This means that the business application systems need to be appropriate to the business needs and meet the objectives of the users in an effective and efficient manner. Part VI explores the manner in which application systems are planned, acquired externally or developed internally, and ultimately implemented and maintained. In all cases such systems have an objective of being auditable in addition to the other unique business objectives. This part also examines the variety of roles that the auditor could be called on to undertake and the circumstances and controls appropriate to each.

    Chapter 16 covers the IS planning and managing components and includes developing an understanding of stakeholders and their requirements together with IS planning methods such as system investigation, process integration/reengineering opportunities, risk evaluation, cost-benefit analysis, risk assessment, object-oriented systems analysis, and design. Enterprise Resource Planning (ERP) software to facilitate enterprise applications integration is reviewed.

    Chapter 17 covers the areas of information management and usage monitoring. Measurement criteria such as evaluating service level performance against service level agreements, quality of service, availability, response time, security and controls, processing integrity, and privacy are examined. The analysis, evaluation, and design information together with data and application architecture are evaluated as tools for the auditor.

    Chapter 18 investigates the development, acquisition, and maintenance of information systems through Information Systems project management involving the planning, organization, human resource deployment, project control, monitoring, and execution of the project plan. The traditional methods for the system development life cycle (SDLC) (analysis, evaluation, and design of an entity’s SDLC phases and tasks) are examined, as are alternative approaches for system development such as the use of software packages, prototyping, business process reengineering, or computer aided software engineering (CASE). In addition, system maintenance and change control procedures for system changes, together with tools to assess risk and control issues and to aid the analysis and evaluation of project characteristics and risks, are discussed.

    Chapter 19 examines the impact of IT on the business processes and solutions, business process outsourcing (BPO), and applications of e-business issues and trends.

    Chapter 20 looks at the software development design process itself and covers the separation of specification and implementation in programming, requirements specification methodologies, and technical process design. In addition, database creation and manipulation, principles of good screen and report design, and program language alignment are covered.

    Chapter 21 looks at the audit and control of purchased packages to introduce readers to those elements critical to the decision taken to make or buy software. This includes a knowledge of the systems development process and an understanding of the user’s role in training required so that the outsource decision on the factors surrounding it may be made to best effect.

    Chapter 22 looks at the auditor’s role in feasibility studies and conversions. These are perhaps the most critical areas of systems implementation, and audit involvement should be compulsory.

    Chapter 23 looks at the audit and development of application-level controls including input/origination controls, processing control procedures, output controls, application system documentation, and the appropriate use of audit trails.

  • Part IV—Information Technology Service Delivery and Support

    This part examines the technical infrastructure in a variety of environments and the influence the infrastructure has on the management and control procedures required to attain the business objectives. The nature and methodologies of service center management are exposed for discussion.

    Chapter 24 examines the complex area of the IS/IT technical infrastructure (planning, implementation, and operational practices). IT architecture/standards over hardware including mainframe, mini-
