Step-by-step guide to successful implementation and control of IT systems—including the Cloud
Many auditors are unfamiliar with the techniques they need to know to efficiently and effectively determine whether information systems are adequately protected. Now in a Second Edition, Auditor’s Guide to IT Auditing presents an easy, practical guide for auditors that can be applied to all computing environments.
- Follows the approach used by the Information Systems Audit and Control Association’s model curriculum, making this book a practical approach to IS auditing
- Serves as an excellent study guide for those preparing for the CISA and CISM exams
- Includes discussion of risk evaluation methodologies, new regulations, SOX, privacy, banking, IT governance, COBIT, outsourcing, network management, and the Cloud
- Includes a link to an education version of IDEA–Data Analysis Software
As networks and enterprise resource planning systems bring resources together, and as increasing privacy violations threaten more organizations, information systems integrity becomes more important than ever. Auditor’s Guide to IT Auditing, Second Edition empowers auditors to effectively gauge the adequacy and effectiveness of information systems controls.
Contents
Preface xvii
Part I: IT Audit Process 1
Chapter 1: Technology and Audit 3
Technology and Audit 4
Batch and Online Systems 8
Electronic Data Interchange 20
Electronic Business 21
Cloud Computing 22
Chapter 2: IT Audit Function Knowledge 25
Information Technology Auditing 25
What Is Management? 26
Management Process 26
Understanding the Organization’s Business 27
Establishing the Needs 27
Identifying Key Activities 27
Establish Performance Objectives 27
Decide the Control Strategies 27
Implement and Monitor the Controls 28
Executive Management’s Responsibility and Corporate Governance 28
Audit Role 28
Conceptual Foundation 29
Professionalism within the IT Auditing Function 29
Relationship of Internal IT Audit to the External Auditor 30
Relationship of IT Audit to Other Company Audit Activities 30
Audit Charter 30
Charter Content 30
Outsourcing the IT Audit Activity 31
Regulation, Control, and Standards 31
Chapter 3: IT Risk and Fundamental Auditing Concepts 33
Computer Risks and Exposures 33
Effect of Risk 35
Audit and Risk 36
Audit Evidence 37
Conducting an IT Risk-Assessment Process 38
NIST SP 800-30 Framework 38
ISO 27005 39
The “Cascarino Cube” 39
Reliability of Audit Evidence 44
Audit Evidence Procedures 45
Responsibilities for Fraud Detection and Prevention 46
Notes 46
Chapter 4: Standards and Guidelines for IT Auditing 47
IIA Standards 47
Code of Ethics 48
Advisory 48
Aids 48
Standards for the Professional Performance of Internal Auditing 48
ISACA Standards 49
ISACA Code of Ethics 50
COSO: Internal Control Standards 50
BS 7799 and ISO 17799: IT Security 52
NIST 53
BSI Baselines 54
Note 55
Chapter 5: Internal Controls Concepts Knowledge 57
Internal Controls 57
Cost/Benefit Considerations 59
Internal Control Objectives 59
Types of Internal Controls 60
Systems of Internal Control 61
Elements of Internal Control 61
Manual and Automated Systems 62
Control Procedures 63
Application Controls 63
Control Objectives and Risks 64
General Control Objectives 64
Data and Transactions Objectives 64
Program Control Objectives 66
Corporate IT Governance 66
COSO and Information Technology 68
Governance Frameworks 70
Notes 71
Chapter 6: Risk Management of the IT Function 73
Nature of Risk 73
Risk-Analysis Software 74
Auditing in General 75
Elements of Risk Analysis 77
Defining the Audit Universe 77
Computer System Threats 79
Risk Management 80
Notes 83
Chapter 7: Audit Planning Process 85
Benefits of an Audit Plan 85
Structure of the Plan 89
Types of Audit 91
Chapter 8: Audit Management 93
Planning 93
Audit Mission 94
IT Audit Mission 94
Organization of the Function 95
Staffing 95
IT Audit as a Support Function 97
Planning 97
Business Information Systems 98
Integrated IT Auditor versus Integrated IT Audit 98
Auditees as Part of the Audit Team 100
Application Audit Tools 100
Advanced Systems 100
Specialist Auditor 101
IT Audit Quality Assurance 101
Chapter 9: Audit Evidence Process 103
Audit Evidence 103
Audit Evidence Procedures 103
Criteria for Success 104
Statistical Sampling 105
Why Sample? 106
Judgmental (or Non-Statistical) Sampling 106
Statistical Approach 107
Sampling Risk 107
Assessing Sampling Risk 108
Planning a Sampling Application 109
Calculating Sample Size 111
Quantitative Methods 111
Project-Scheduling Techniques 116
Simulations 117
Computer-Assisted Audit Solutions 118
Generalized Audit Software 118
Application and Industry-Related Audit Software 119
Customized Audit Software 120
Information-Retrieval Software 120
Utilities 120
On-Line Inquiry 120
Conventional Programming Languages 120
Microcomputer-Based Software 121
Test Transaction Techniques 121
Chapter 10: Audit Reporting Follow-up 123
Audit Reporting 123
Interim Reporting 124
Closing Conferences 124
Written Reports 124
Clear Writing Techniques 125
Preparing to Write 126
Basic Audit Report 127
Executive Summary 127
Detailed Findings 128
Polishing the Report 129
Distributing the Report 129
Follow-up Reporting 129
Types of Follow-up Action 130
Part II: Information Technology Governance 131
Chapter 11: Management 133
IT Infrastructures 133
Project-Based Functions 134
Quality Control 138
Operations and Production 139
Technical Services 140
Performance Measurement and Reporting 140
Measurement Implementation 141
Notes 145
Chapter 12: Strategic Planning 147
Strategic Management Process 147
Strategic Drivers 148
New Audit Revolution 149
Leveraging IT 149
Business Process Re-Engineering Motivation 150
IT as an Enabler of Re-Engineering 151
Dangers of Change 152
System Models 152
Information Resource Management 153
Strategic Planning for IT 153
Decision Support Systems 155
Steering Committees 156
Strategic Focus 156
Auditing Strategic Planning 156
Design the Audit Procedures 158
Note 158
Chapter 13: Management Issues 159
Privacy 161
Copyrights, Trademarks, and Patents 162
Ethical Issues 162
Corporate Codes of Conduct 163
IT Governance 164
Sarbanes-Oxley Act 166
Payment Card Industry Data Security Standards 166
Housekeeping 167
Notes 167
Chapter 14: Support Tools and Frameworks 169
General Frameworks 169
COSO: Internal Control Standards 172
Other Standards 173
Governance Frameworks 176
Note 178
Chapter 15: Governance Techniques 179
Change Control 179
Problem Management 181
Auditing Change Control 181
Operational Reviews 182
Performance Measurement 182
ISO 9000 Reviews 184
Part III: Systems and Infrastructure Lifecycle Management 185
Chapter 16: Information Systems Planning 187
Stakeholders 187
Operations 188
Systems Development 189
Technical Support 189
Other System Users 191
Segregation of Duties 191
Personnel Practices 192
Object-Oriented Systems Analysis 194
Enterprise Resource Planning 194
Cloud Computing 195
Notes 197
Chapter 17: Information Management and Usage 199
What Are Advanced Systems? 199
Service Delivery and Management 201
Computer-Assisted Audit Tools and Techniques 204
Notes 205
Chapter 18: Development, Acquisition, and Maintenance of Information Systems 207
Programming Computers 207
Program Conversions 209
Systems Development Exposures 209
Systems Development Controls 210
Systems Development Life Cycle Control: Control Objectives 210
Micro-Based Systems 212
Cloud Computing Applications 212
Note 213
Chapter 19: Impact of Information Technology on the Business Processes and Solutions 215
Impact 215
Continuous Monitoring 216
Business Process Outsourcing 218
E-Business 219
Notes 220
Chapter 20: Software Development 221
Developing a System 221
Change Control 225
Why Do Systems Fail? 225
Auditor’s Role in Software Development 227
Chapter 21: Audit and Control of Purchased Packages and Services 229
IT Vendors 230
Request For Information 231
Requirements Definition 231
Request for Proposal 232
Installation 233
Systems Maintenance 233
Systems Maintenance Review 234
Outsourcing 234
SAS 70 Reports 234
Chapter 22: Audit Role in Feasibility Studies and Conversions 237
Feasibility Success Factors 237
Conversion Success Factors 240
Chapter 23: Audit and Development of Application Controls 243
What Are Systems? 243
Classifying Systems 244
Controlling Systems 244
Control Stages 245
Control Objectives of Business Systems 245
General Control Objectives 246
CAATs and Their Role in Business Systems Auditing 247
Common Problems 249
Audit Procedures 250
CAAT Use in Non-Computerized Areas 250
Designing an Appropriate Audit Program 250
Part IV: Information Technology Service Delivery and Support 253
Chapter 24: Technical Infrastructure 255
Auditing the Technical Infrastructure 257
Infrastructure Changes 259
Computer Operations Controls 260
Operations Exposures 261
Operations Controls 261
Personnel Controls 261
Supervisory Controls 262
Information Security 262
Operations Audits 263
Notes 264
Chapter 25: Service-Center Management 265
Private Sector Preparedness (PS Prep) 266
Continuity Management and Disaster Recovery 266
Managing Service-Center Change 269
Notes 269
Part V: Protection of Information Assets 271
Chapter 26: Information Assets Security Management 273
What Is Information Systems Security? 273
Control Techniques 276
Workstation Security 276
Physical Security 276
Logical Security 277
User Authentication 277
Communications Security 277
Encryption 277
How Encryption Works 278
Encryption Weaknesses 279
Potential Encryption 280
Data Integrity 280
Double Public Key Encryption 281
Steganography 281
Information Security Policy 282
Notes 282
Chapter 27: Logical Information Technology Security 283
Computer Operating Systems 283
Tailoring the Operating System 284
Auditing the Operating System 285
Security 286
Criteria 286
Security Systems: Resource Access Control Facility 287
Auditing RACF 288
Access Control Facility 2 289
Top Secret 290
User Authentication 291
Bypass Mechanisms 293
Security Testing Methodologies 293
Notes 295
Chapter 28: Applied Information Technology Security 297
Communications and Network Security 297
Network Protection 298
Hardening the Operating Environment 300
Client Server and Other Environments 301
Firewalls and Other Protection Resources 301
Intrusion-Detection Systems 303
Note 304
Chapter 29: Physical and Environmental Security 305
Control Mechanisms 306
Implementing the Controls 310
Part VI: Business Continuity and Disaster Recovery 311
Chapter 30: Protection of the Information Technology Architecture and Assets: Disaster-Recovery Planning 313
Risk Reassessment 314
Disaster—Before and After 315
Consequences of Disruption 317
Where to Start 317
Testing the Plan 319
Auditing the Plan 320
Chapter 31: Displacement Control 323
Insurance 323
Self-Insurance 327
Part VII: Advanced IT Auditing 329
Chapter 32: Auditing E-commerce Systems 331
E-Commerce and Electronic Data Interchange: What Is It? 331
Opportunities and Threats 332
Risk Factors 335
Threat List 335
Security Technology 336
“Layer” Concept 336
Authentication 336
Encryption 337
Trading Partner Agreements 338
Risks and Controls within EDI and E-Commerce 338
E-Commerce and Auditability 340
Compliance Auditing 340
E-Commerce Audit Approach 341
Audit Tools and Techniques 341
Auditing Security Control Structures 342
Computer-Assisted Audit Techniques 343
Notes 343
Chapter 33: Auditing UNIX/Linux 345
History 345
Security and Control in a UNIX/Linux System 347
Architecture 348
UNIX Security 348
Services 349
Daemons 350
Auditing UNIX 350
Scrutiny of Logs 351
Audit Tools in the Public Domain 351
UNIX Password File 352
Auditing UNIX Passwords 353
Chapter 34: Auditing Windows VISTA and Windows 7 355
History 355
NT and Its Derivatives 356
Auditing Windows Vista/Windows 7 357
Password Protection 358
VISTA/Windows 7 359
Security Checklist 359
Chapter 35: Foiling the System Hackers 361
Chapter 36: Preventing and Investigating Information Technology Fraud 367
Preventing Fraud 367
Investigation 369
Identity Theft 376
Note 376
Appendix A Ethics and Standards for the IS Auditor 377
ISACA Code of Professional Ethics 377
Relationship of Standards to Guidelines and Procedures 378
Appendix B Audit Program for Application Systems Auditing 379
Appendix C Logical Access Control Audit Program 393
Appendix D Audit Program for Auditing UNIX/Linux Environments 401
Appendix E Audit Program for Auditing Windows VISTA and Windows 7 Environments 407
About the Author 415
About the Website 417
Index 419
About the Author
RICHARD E. CASCARINO, MBA, CIA, CISA, CISM, is a consultant and lecturer with over thirty years’ experience in internal, forensic, risk, and computer auditing. He is Managing Director of Richard Cascarino & Associates, a successful audit training and consultancy company. For the last twenty-five years, they have been providing consultancy and professional development services to clients throughout the southern African region as well as Europe, the Middle East, and the United States. He is a past president of the Institute of Internal Auditors South Africa (IIA SA), was the founding Regional Director of the Southern African Region of the IIA Inc., and is a member of both the Information Systems Audit and Control Association and the Association of Certified Fraud Examiners.