Part 583 - Wiley Corporate F&A
Auditor's Guide to IT Auditing, + Software Demo
Hardcover, English, 2012
979 kr
Product information
- Publication date: 2012-04-10
- Dimensions: 175 x 257 x 38 mm
- Weight: 953 g
- Format: Hardcover
- Language: English
- Series: Wiley Corporate F&A
- Number of pages: 464
- Edition: 2
- Publisher: John Wiley & Sons Inc
- ISBN: 9781118147610
RICHARD E. CASCARINO, MBA, CIA, CISA, CISM, is a consultant and lecturer with over thirty years' experience in internal, forensic, risk, and computer auditing. He is Managing Director of Richard Cascarino & Associates, a successful audit training and consultancy company. For the last twenty-five years, they have been providing consultancy and professional development services to clients throughout the southern African region as well as Europe, the Middle East, and the United States. He is a past president of the Institute of Internal Auditors South Africa (IIA SA), was the founding Regional Director of the Southern African Region of the IIA Inc., and is a member of both the Information Systems Audit and Control Association and the Association of Certified Fraud Examiners.
- Preface xvii
- Part I: IT Audit Process 1
- Chapter 1: Technology and Audit 3
  - Technology and Audit 4
  - Batch and Online Systems 8
  - Electronic Data Interchange 20
  - Electronic Business 21
  - Cloud Computing 22
- Chapter 2: IT Audit Function Knowledge 25
  - Information Technology Auditing 25
  - What Is Management? 26
  - Management Process 26
  - Understanding the Organization's Business 27
  - Establishing the Needs 27
  - Identifying Key Activities 27
  - Establish Performance Objectives 27
  - Decide the Control Strategies 27
  - Implement and Monitor the Controls 28
  - Executive Management's Responsibility and Corporate Governance 28
  - Audit Role 28
  - Conceptual Foundation 29
  - Professionalism within the IT Auditing Function 29
  - Relationship of Internal IT Audit to the External Auditor 30
  - Relationship of IT Audit to Other Company Audit Activities 30
  - Audit Charter 30
  - Charter Content 30
  - Outsourcing the IT Audit Activity 31
  - Regulation, Control, and Standards 31
- Chapter 3: IT Risk and Fundamental Auditing Concepts 33
  - Computer Risks and Exposures 33
  - Effect of Risk 35
  - Audit and Risk 36
  - Audit Evidence 37
  - Conducting an IT Risk-Assessment Process 38
  - NIST SP 800 30 Framework 38
  - ISO 27005 39
  - The "Cascarino Cube" 39
  - Reliability of Audit Evidence 44
  - Audit Evidence Procedures 45
  - Responsibilities for Fraud Detection and Prevention 46
  - Notes 46
- Chapter 4: Standards and Guidelines for IT Auditing 47
  - IIA Standards 47
  - Code of Ethics 48
  - Advisory 48
  - Aids 48
  - Standards for the Professional Performance of Internal Auditing 48
  - ISACA Standards 49
  - ISACA Code of Ethics 50
  - COSO: Internal Control Standards 50
  - BS 7799 and ISO 17799: IT Security 52
  - NIST 53
  - BSI Baselines 54
  - Note 55
- Chapter 5: Internal Controls Concepts Knowledge 57
  - Internal Controls 57
  - Cost/Benefit Considerations 59
  - Internal Control Objectives 59
  - Types of Internal Controls 60
  - Systems of Internal Control 61
  - Elements of Internal Control 61
  - Manual and Automated Systems 62
  - Control Procedures 63
  - Application Controls 63
  - Control Objectives and Risks 64
  - General Control Objectives 64
  - Data and Transactions Objectives 64
  - Program Control Objectives 66
  - Corporate IT Governance 66
  - COSO and Information Technology 68
  - Governance Frameworks 70
  - Notes 71
- Chapter 6: Risk Management of the IT Function 73
  - Nature of Risk 73
  - Risk-Analysis Software 74
  - Auditing in General 75
  - Elements of Risk Analysis 77
  - Defining the Audit Universe 77
  - Computer System Threats 79
  - Risk Management 80
  - Notes 83
- Chapter 7: Audit Planning Process 85
  - Benefits of an Audit Plan 85
  - Structure of the Plan 89
  - Types of Audit 91
- Chapter 8: Audit Management 93
  - Planning 93
  - Audit Mission 94
  - IT Audit Mission 94
  - Organization of the Function 95
  - Staffing 95
  - IT Audit as a Support Function 97
  - Planning 97
  - Business Information Systems 98
  - Integrated IT Auditor versus Integrated IT Audit 98
  - Auditees as Part of the Audit Team 100
  - Application Audit Tools 100
  - Advanced Systems 100
  - Specialist Auditor 101
  - IT Audit Quality Assurance 101
- Chapter 9: Audit Evidence Process 103
  - Audit Evidence 103
  - Audit Evidence Procedures 103
  - Criteria for Success 104
  - Statistical Sampling 105
  - Why Sample? 106
  - Judgmental (or Non-Statistical) Sampling 106
  - Statistical Approach 107
  - Sampling Risk 107
  - Assessing Sampling Risk 108
  - Planning a Sampling Application 109
  - Calculating Sample Size 111
  - Quantitative Methods 111
  - Project-Scheduling Techniques 116
  - Simulations 117
  - Computer-Assisted Audit Solutions 118
  - Generalized Audit Software 118
  - Application and Industry-Related Audit Software 119
  - Customized Audit Software 120
  - Information-Retrieval Software 120
  - Utilities 120
  - On-Line Inquiry 120
  - Conventional Programming Languages 120
  - Microcomputer-Based Software 121
  - Test Transaction Techniques 121
- Chapter 10: Audit Reporting Follow-up 123
  - Audit Reporting 123
  - Interim Reporting 124
  - Closing Conferences 124
  - Written Reports 124
  - Clear Writing Techniques 125
  - Preparing to Write 126
  - Basic Audit Report 127
  - Executive Summary 127
  - Detailed Findings 128
  - Polishing the Report 129
  - Distributing the Report 129
  - Follow-up Reporting 129
  - Types of Follow-up Action 130
- Part II: Information Technology Governance 131
- Chapter 11: Management 133
  - IT Infrastructures 133
  - Project-Based Functions 134
  - Quality Control 138
  - Operations and Production 139
  - Technical Services 140
  - Performance Measurement and Reporting 140
  - Measurement Implementation 141
  - Notes 145
- Chapter 12: Strategic Planning 147
  - Strategic Management Process 147
  - Strategic Drivers 148
  - New Audit Revolution 149
  - Leveraging IT 149
  - Business Process Re-Engineering Motivation 150
  - IT as an Enabler of Re-Engineering 151
  - Dangers of Change 152
  - System Models 152
  - Information Resource Management 153
  - Strategic Planning for IT 153
  - Decision Support Systems 155
  - Steering Committees 156
  - Strategic Focus 156
  - Auditing Strategic Planning 156
  - Design the Audit Procedures 158
  - Note 158
- Chapter 13: Management Issues 159
  - Privacy 161
  - Copyrights, Trademarks, and Patents 162
  - Ethical Issues 162
  - Corporate Codes of Conduct 163
  - IT Governance 164
  - Sarbanes-Oxley Act 166
  - Payment Card Industry Data Security Standards 166
  - Housekeeping 167
  - Notes 167
- Chapter 14: Support Tools and Frameworks 169
  - General Frameworks 169
  - COSO: Internal Control Standards 172
  - Other Standards 173
  - Governance Frameworks 176
  - Note 178
- Chapter 15: Governance Techniques 179
  - Change Control 179
  - Problem Management 181
  - Auditing Change Control 181
  - Operational Reviews 182
  - Performance Measurement 182
  - ISO 9000 Reviews 184
- Part III: Systems and Infrastructure Lifecycle Management 185
- Chapter 16: Information Systems Planning 187
  - Stakeholders 187
  - Operations 188
  - Systems Development 189
  - Technical Support 189
  - Other System Users 191
  - Segregation of Duties 191
  - Personnel Practices 192
  - Object-Oriented Systems Analysis 194
  - Enterprise Resource Planning 194
  - Cloud Computing 195
  - Notes 197
- Chapter 17: Information Management and Usage 199
  - What Are Advanced Systems? 199
  - Service Delivery and Management 201
  - Computer-Assisted Audit Tools and Techniques 204
  - Notes 205
- Chapter 18: Development, Acquisition, and Maintenance of Information Systems 207
  - Programming Computers 207
  - Program Conversions 209
  - Systems Development Exposures 209
  - Systems Development Controls 210
  - Systems Development Life Cycle Control: Control Objectives 210
  - Micro-Based Systems 212
  - Cloud Computing Applications 212
  - Note 213
- Chapter 19: Impact of Information Technology on the Business Processes and Solutions 215
  - Impact 215
  - Continuous Monitoring 216
  - Business Process Outsourcing 218
  - E-Business 219
  - Notes 220
- Chapter 20: Software Development 221
  - Developing a System 221
  - Change Control 225
  - Why Do Systems Fail? 225
  - Auditor's Role in Software Development 227
- Chapter 21: Audit and Control of Purchased Packages and Services 229
  - IT Vendors 230
  - Request For Information 231
  - Requirements Definition 231
  - Request for Proposal 232
  - Installation 233
  - Systems Maintenance 233
  - Systems Maintenance Review 234
  - Outsourcing 234
  - SAS 70 Reports 234
- Chapter 22: Audit Role in Feasibility Studies and Conversions 237
  - Feasibility Success Factors 237
  - Conversion Success Factors 240
- Chapter 23: Audit and Development of Application Controls 243
  - What Are Systems? 243
  - Classifying Systems 244
  - Controlling Systems 244
  - Control Stages 245
  - Control Objectives of Business Systems 245
  - General Control Objectives 246
  - CAATs and Their Role in Business Systems Auditing 247
  - Common Problems 249
  - Audit Procedures 250
  - CAAT Use in Non-Computerized Areas 250
  - Designing an Appropriate Audit Program 250
- Part IV: Information Technology Service Delivery and Support 253
- Chapter 24: Technical Infrastructure 255
  - Auditing the Technical Infrastructure 257
  - Infrastructure Changes 259
  - Computer Operations Controls 260
  - Operations Exposures 261
  - Operations Controls 261
  - Personnel Controls 261
  - Supervisory Controls 262
  - Information Security 262
  - Operations Audits 263
  - Notes 264
- Chapter 25: Service-Center Management 265
  - Private Sector Preparedness (PS Prep) 266
  - Continuity Management and Disaster Recovery 266
  - Managing Service-Center Change 269
  - Notes 269
- Part V: Protection of Information Assets 271
- Chapter 26: Information Assets Security Management 273
  - What Is Information Systems Security? 273
  - Control Techniques 276
  - Workstation Security 276
  - Physical Security 276
  - Logical Security 277
  - User Authentication 277
  - Communications Security 277
  - Encryption 277
  - How Encryption Works 278
  - Encryption Weaknesses 279
  - Potential Encryption 280
  - Data Integrity 280
  - Double Public Key Encryption 281
  - Steganography 281
  - Information Security Policy 282
  - Notes 282
- Chapter 27: Logical Information Technology Security 283
  - Computer Operating Systems 283
  - Tailoring the Operating System 284
  - Auditing the Operating System 285
  - Security 286
  - Criteria 286
  - Security Systems: Resource Access Control Facility 287
  - Auditing RACF 288
  - Access Control Facility 2 289
  - Top Secret 290
  - User Authentication 291
  - Bypass Mechanisms 293
  - Security Testing Methodologies 293
  - Notes 295
- Chapter 28: Applied Information Technology Security 297
  - Communications and Network Security 297
  - Network Protection 298
  - Hardening the Operating Environment 300
  - Client Server and Other Environments 301
  - Firewalls and Other Protection Resources 301
  - Intrusion-Detection Systems 303
  - Note 304
- Chapter 29: Physical and Environmental Security 305
  - Control Mechanisms 306
  - Implementing the Controls 310
- Part VI: Business Continuity and Disaster Recovery 311
- Chapter 30: Protection of the Information Technology Architecture and Assets: Disaster-Recovery Planning 313
  - Risk Reassessment 314
  - Disaster: Before and After 315
  - Consequences of Disruption 317
  - Where to Start 317
  - Testing the Plan 319
  - Auditing the Plan 320
- Chapter 31: Displacement Control 323
  - Insurance 323
  - Self-Insurance 327
- Part VII: Advanced IT Auditing 329
- Chapter 32: Auditing E-commerce Systems 331
  - E-Commerce and Electronic Data Interchange: What Is It? 331
  - Opportunities and Threats 332
  - Risk Factors 335
  - Threat List 335
  - Security Technology 336
  - "Layer" Concept 336
  - Authentication 336
  - Encryption 337
  - Trading Partner Agreements 338
  - Risks and Controls within EDI and E-Commerce 338
  - E-Commerce and Auditability 340
  - Compliance Auditing 340
  - E-Commerce Audit Approach 341
  - Audit Tools and Techniques 341
  - Auditing Security Control Structures 342
  - Computer-Assisted Audit Techniques 343
  - Notes 343
- Chapter 33: Auditing UNIX/Linux 345
  - History 345
  - Security and Control in a UNIX/Linux System 347
  - Architecture 348
  - UNIX Security 348
  - Services 349
  - Daemons 350
  - Auditing UNIX 350
  - Scrutiny of Logs 351
  - Audit Tools in the Public Domain 351
  - UNIX Password File 352
  - Auditing UNIX Passwords 353
- Chapter 34: Auditing Windows VISTA and Windows 7 355
  - History 355
  - NT and Its Derivatives 356
  - Auditing Windows Vista/Windows 7 357
  - Password Protection 358
  - VISTA/Windows 7 359
  - Security Checklist 359
- Chapter 35: Foiling the System Hackers 361
- Chapter 36: Preventing and Investigating Information Technology Fraud 367
  - Preventing Fraud 367
  - Investigation 369
  - Identity Theft 376
  - Note 376
- Appendix A: Ethics and Standards for the IS Auditor 377
  - ISACA Code of Professional Ethics 377
  - Relationship of Standards to Guidelines and Procedures 378
- Appendix B: Audit Program for Application Systems Auditing 379
- Appendix C: Logical Access Control Audit Program 393
- Appendix D: Audit Program for Auditing UNIX/Linux Environments 401
- Appendix E: Audit Program for Auditing Windows VISTA and Windows 7 Environments 407
- About the Author 415
- About the Website 417
- Index 419