Part 13 - Wiley Corporate F&A
IT Audit, Control, and Security
Hardcover, English, 2010
1 429 kr
Product information
- Publication date: 2010-11-19
- Dimensions: 183 x 257 x 41 mm
- Weight: 1 361 g
- Format: Hardcover
- Language: English
- Series: Wiley Corporate F&A
- Number of pages: 696
- Publisher: John Wiley & Sons Inc
- ISBN: 9780471406761
Robert R. Moeller (Evanston, IL), CPA, CISA, PMP, CISSP, is the founder of Compliance and Control Systems Associates, a consulting firm that specializes in internal audit and project management with a strong understanding of information systems, corporate governance, and security. He has over 30 years of experience in internal auditing, ranging from launching new internal audit functions in several companies to serving as audit director for a Fortune 50 corporation. He held positions with Grant Thornton (National Director of Computer Auditing) and Sears Roebuck (Audit Director). A frequently published author and professional speaker, Moeller provides insights into many of the new rules impacting internal auditors today, as well as the challenges audit committees face when dealing with Sarbanes-Oxley, internal controls, and their internal auditors. Moeller is the former president of the Institute of Internal Auditors' Chicago chapter and has served on the IIA's International Advanced Technology Committee. He is also the former chair of the AICPA's Computer Audit Subcommittee.
Table of contents
- Introduction xiii
- PART ONE: AUDITING INTERNAL CONTROLS IN AN IT ENVIRONMENT 1
- Chapter 1: SOx and the COSO Internal Controls Framework 3
  - Roles and Responsibilities of IT Auditors 4
  - Importance of Effective Internal Controls and COSO 6
  - COSO Internal Control Systems Monitoring Guidance 21
  - Sarbanes-Oxley Act 22
  - Wrapping It Up: COSO Internal Controls and SOx 31
  - Notes 31
- Chapter 2: Using CobiT to Perform IT Audits 32
  - Introduction to CobiT 33
  - CobiT Framework 35
  - Using CobiT to Assess Internal Controls 39
  - Using CobiT in a SOx Environment 51
  - CobiT Assurance Framework Guidance 54
  - CobiT in Perspective 55
  - Notes 55
- Chapter 3: IIA and ISACA Standards for the Professional Practice of Internal Auditing 57
  - Internal Auditing’s International Professional Practice Standards 58
  - Content of the IPPF and the IIA International Standards 61
  - Strongly Recommended IIA Standards Guidance 75
  - ISACA IT Auditing Standards Overview 76
  - Codes of Ethics: The IIA and ISACA 79
  - Notes 81
- Chapter 4: Understanding Risk Management Through COSO ERM 82
  - Risk Management Fundamentals 83
  - Quantitative Risk Analysis Techniques 92
  - IIA and ISACA Risk Management Internal Audit Guidance 94
  - COSO ERM: Enterprise Risk Management 97
  - IT Audit Risk and COSO ERM 113
  - Notes 115
- Chapter 5: Performing Effective IT Audits 117
  - IT Audit and the Enterprise Internal Audit Function 118
  - Organizing and Planning IT Audits 122
  - Developing and Preparing Audit Programs 127
  - Gathering Audit Evidence and Testing Results 132
  - Workpapers and Reporting IT Audit Results 142
  - Preparing Effective IT Audits 148
  - Notes 149
- PART TWO: AUDITING IT GENERAL CONTROLS 151
- Chapter 6: General Controls in Today’s IT Environments 153
  - Importance of IT General Controls 154
  - IT Governance General Controls 157
  - IT Management General Controls 158
  - IT Technical Environment General Controls 174
  - Note 174
- Chapter 7: Infrastructure Controls and ITIL Service Management Best Practices 175
  - ITIL Service Management Best Practices 176
  - ITIL’s Service Strategies Component 179
  - ITIL Service Design 181
  - ITIL Service Transition Management Processes 189
  - ITIL Service Operation Processes 194
  - Service Delivery Best Practices 198
  - Auditing IT Infrastructure Management 199
  - Note 200
- Chapter 8: Systems Software and IT Operations General Controls 201
  - IT Operating System Fundamentals 202
  - Features of a Computer Operating System 206
  - Other Systems Software Tools 209
- Chapter 9: Evolving Control Issues: Wireless Networks, Cloud Computing, and Virtualization 214
  - Understanding and Auditing IT Wireless Networks 215
  - Understanding Cloud Computing 220
  - Storage Management Virtualization 225
- PART THREE: AUDITING AND TESTING IT APPLICATION CONTROLS 227
- Chapter 10: Selecting, Testing, and Auditing IT Applications 229
  - IT Application Control Elements 230
  - Selecting Applications for IT Audit Reviews 239
  - Performing an Applications Controls Review: Preliminary Steps 242
  - Completing the IT Applications Controls Audit 249
  - Application Review Case Study: Client-Server Budgeting System 255
  - Auditing Applications under Development 258
  - Importance of Reviewing IT Application Controls 266
  - Notes 266
- Chapter 11: Software Engineering and CMMi 267
  - Software Engineering Concepts 267
  - CMMi: Capability Maturity Model for Integration 269
  - CMMi Benefits 280
  - IT Audit, Internal Control, and CMMi 281
  - Note 282
- Chapter 12: Auditing Service-Oriented Architectures and Record Management Processes 283
  - Service-Oriented Computing and Service-Driven Applications 284
  - IT Auditing in SOA Environments 294
  - Electronic Records Management Internal Control Issues and Risks 300
  - IT Audits of Electronic Records Management Processes 301
  - Notes 303
- Chapter 13: Computer-Assisted Audit Tools and Techniques 304
  - Understanding Computer-Assisted Audit Tools and Techniques 305
  - Determining the Need for CAATTs 308
  - CAATT Software Tools 311
  - Steps to Building Effective CAATTs 326
  - Importance of CAATTs for Audit Evidence Gathering 327
- Chapter 14: Continuous Assurance Auditing, OLAP, and XBRL 329
  - Implementing Continuous Assurance Auditing 330
  - Benefits of Continuous Assurance Auditing Tools 338
  - Data Warehouses, Data Mining, and OLAP 339
  - XBRL: The Internet-Based Extensible Markup Language 346
  - Newer Technologies, the Continuous Close, and IT Audit 351
  - Notes 351
- PART FOUR: IMPORTANCE OF IT GOVERNANCE 353
- Chapter 15: IT Controls and the Audit Committee 355
  - Role of the Audit Committee for IT Auditors 356
  - Audit Committee Approval of Internal Audit Plans and Budgets 357
  - Audit Committee Briefings on IT Audit Issues 359
  - Audit Committee Review and Action on Significant IT Audit Findings 360
  - IT Audit and the Audit Committee 362
- Chapter 16: Val IT, Portfolio Management, and Project Management 363
  - Val IT: Enhancing the Value of IT Investments 364
  - IT Systems Portfolio and Program Management 371
  - Project Management for IT Auditors 374
  - Notes 383
- Chapter 17: Compliance with IT-Related Laws and Regulations 384
  - Computer Fraud and Abuse Act 386
  - Computer Security Act of 1987 387
  - Gramm-Leach-Bliley Act 390
  - HIPAA: Healthcare and Much More 395
  - Other Personal Privacy and Security Legislative Requirements 403
  - IT-Related Laws, Regulations, and Audit Standards 404
- Chapter 18: Understanding and Reviewing Compliance with ISO Standards 407
  - Background and Importance of ISO Standards in a World of Global Commerce 408
  - ISO Standards Overview 410
  - ISO 19011 Quality Management Systems Auditing 419
  - ISO Standards and IT Auditors 421
  - Notes 421
- Chapter 19: Controls to Establish an Effective IT Security Environment 422
  - Generally Accepted Security Standards 423
  - Effective IT Perimeter Security 429
  - Establishing an Effective, Enterprise-Wide Security Strategy 430
  - Best Practices for IT Audit and Security 432
  - Notes 433
- Chapter 20: Cybersecurity and Privacy Controls 434
  - IT Network Security Fundamentals 435
  - IT Systems Privacy Concerns 443
  - PCI-DSS Fundamentals 446
  - Auditing IT Security and Privacy 447
  - Security and Privacy in the Internal Audit Department 448
  - Notes 453
- Chapter 21: IT Fraud Detection and Prevention 454
  - Understanding and Recognizing Fraud in an IT Environment 455
  - Red Flags: Fraud Detection Signs for IT and Other Internal Auditors 456
  - Public Accounting’s Role in Fraud Detection 461
  - IIA Standards and ISACA Materials for Detecting and Investigating Fraud 462
  - IT Audit Fraud Risk Assessments 464
  - IT Audit Fraud Investigations 467
  - IT Fraud Prevention Processes 468
  - Fraud Detection and the IT Auditor 471
  - Notes 471
- Chapter 22: Identity and Access Management 472
  - Importance of Identity and Access Management 473
  - Identity Management Processes 474
  - Separation of Duties Identity Management Controls 477
  - Access Management Provisioning 478
  - Authentication and Authorization 479
  - Auditing Identity and Access Management Processes 481
  - Note 485
- Chapter 23: Establishing Effective IT Disaster Recovery Processes 486
  - IT Disaster and Business Continuity Planning Today 487
  - Building and Auditing an IT Disaster Recovery Plan 489
  - Building the IT Disaster Recovery Plan 497
  - Disaster Recovery Planning and Service Level Agreements 503
  - Newer Disaster Recovery Plan Technologies: Data Mirroring Techniques 505
  - Auditing Business Continuity Plans 506
  - Disaster Recovery and Business Continuity Planning Going Forward 508
  - Notes 508
- Chapter 24: Electronic Archiving and Data Retention 509
  - Elements of a Successful Electronic Records Management Process 510
  - Electronic Documentation Standards 516
  - Implementing Electronic IT Data Archiving 517
  - Auditing Electronic Document Retention and Archival Processes 519
- Chapter 25: Business Continuity Management, BS 25999, and ISO 27001 521
  - IT Business Continuity Management Planning Needs Today 522
  - BS 25999 Good Practice Guidelines 524
  - Auditing BCM Processes 540
  - Linking the BCM with Other Standards and Processes 543
  - Notes 543
- Chapter 26: Auditing Telecommunications and IT Communications Networks 544
  - Network Security Concepts 545
  - Effective IT Network Security Controls 549
  - Auditing a VPN Installation 555
  - Note 557
- Chapter 27: Change and Patch Management Controls 558
  - IT Change Management Processes 559
  - Auditing IT Change and Patch Management Controls 573
  - Notes 576
- Chapter 28: Six Sigma and Lean Technologies 577
  - Six Sigma Background and Concepts 578
  - Implementing Six Sigma 580
  - Lean Six Sigma 587
  - Notes 590
- Chapter 29: Building an Effective IT Internal Audit Function 591
  - Establishing an IT Internal Audit Function 592
  - Internal Audit Charter: An Important IT Audit Authorization 593
  - Role of the Chief Audit Executive 595
  - IT Audit Specialists 596
  - IT Audit Managers and Supervisors 598
  - Internal and IT Audit Policies and Procedures 599
  - Organizing an Effective IT Audit Function 601
  - Importance of a Strong IT Audit Function 604
  - Note 605
- Chapter 30: Professional Certifications: CISA, CIA, and More 606
  - Certified Information Systems Auditor Credentials 607
  - Certified Information Security Manager Credentials 609
  - Certificate in the Governance of Enterprise IT 611
  - Certified Internal Auditor Responsibilities and Requirements 612
  - Beyond the CIA: Other IIA Certifications 623
  - CISSP Information Systems Security Professional Certification 628
  - Certified Fraud Examiner Certification 628
  - ASQ Internal Audit Certifications 629
  - Other Internal Auditor Certifications 630
  - Note 631
- Chapter 31: Quality Assurance Auditing and ASQ Standards 632
  - Duties and Responsibilities of Quality Auditors 633
  - Role of the Quality Auditor 635
  - Performing ASQ Quality Audits 638
  - Quality Assurance Reviews of IT Audit Functions 641
  - Future Directions for Quality Assurance Auditing 647
  - Notes 648
- Index 649