Auditor’s Guide to Information Systems Auditing

Book description

Praise for Auditor's Guide to Information Systems Auditing

"Auditor's Guide to Information Systems Auditing is the most comprehensive book about auditing that I have ever seen. There is something in this book for everyone. New auditors will find this book to be their bible; reading it will enable them to learn what the role of auditors really is and will convey to them what they must know, understand, and look for when performing audits. For experienced auditors, this book will serve as a reality check to determine whether they are examining the right issues and whether they are being sufficiently comprehensive in their focus. Richard Cascarino has done a superb job."
—E. Eugene Schultz, PhD, CISSP, CISM Chief Technology Officer and Chief Information Security Officer, High Tower Software

A step-by-step guide to successful implementation and control of information systems

More and more, auditors are being called upon to assess the risks and evaluate the controls over computer information systems in all types of organizations. However, many auditors are unfamiliar with the techniques they need to know to efficiently and effectively determine whether information systems are adequately protected. Auditor's Guide to Information Systems Auditing presents an easy, practical guide for auditors that can be applied to all computing environments.

As networks and enterprise resource planning systems bring resources together, and as increasing privacy violations threaten more organizations, information systems integrity becomes more important than ever. With a complimentary student's version of the IDEA Data Analysis Software CD, Auditor's Guide to Information Systems Auditing empowers auditors to effectively gauge the adequacy and effectiveness of information systems controls.

Table of contents

  1. Copyright
    1. Dedication
  2. Preface
    1. Controls in Modern Computer Systems
    2. Overall Framework
      1. Part I—IS Audit Process
      2. Part II—Information Systems/Information Technology Governance
      3. Part III—Systems and Infrastructure Lifecycle Management
      4. Part IV—Information Technology Service Delivery and Support
      5. Part V—Protection of Information Assets
      6. Part VI—Business Continuity and Disaster Recovery
      7. Part VII—Advanced IS Auditing
  3. About The CD
  4. I. IS Audit Process
    1. 1. Technology and Audit
      1. Technology and Audit
        1. Some Computing Jargon
          1. Hardware
          2. Storage
          3. Communications
          4. Input
          5. Output
          6. Control
          7. People
          8. Data
      2. Batch and On-Line Systems
        1. Batch versus On-line
        2. Database Management Systems
          1. Definition of Terms
            1. Conceptual Level of Database Design
            2. Principles of Data Structures
            3. Database Structuring Approaches
            4. Data Dictionary/Directory Systems
          2. Who Looks After the Database System?
        3. Database Administrator
          1. Database Recovery
          2. Auditing Databases
          3. Documentation of the Database Environment
          4. Administration and Coordination Functions
          5. Operational Controls for the Database Environment
          6. Impact of Database on Completeness and Accuracy Issues
          7. Controlling Initial Database Content
    2. 2. IS Audit Function Knowledge
      1. Information Systems Auditing
      2. What Is Management?
      3. Management Process
      4. Understanding the Organization’s Business
      5. Establishing the Needs
      6. Identifying Key Activities
      7. Establish Performance Objectives
      8. Decide The Control Strategies
      9. Implement and Monitor the Controls
      10. Executive Management’s Responsibility and Corporate Governance
      11. Audit Role
      12. Conceptual Foundation
      13. Professionalism within the IS Auditing Function
      14. Relationship of Internal IS Audit to the External Auditor
      15. Relationship of IS Audit to Other Company Audit Activities
      16. Audit Charter
      17. Charter Content
      18. Outsourcing the IS Audit Activity
      19. Regulation, Control, and Standards
    3. 3. IS Risk and Fundamental Auditing Concepts
      1. Computer Risks and Exposures
        1. Inherent Risk
        2. Control Risk
        3. Audit Risk
      2. Effect of Risk
      3. Audit and Risk
      4. Audit Evidence
      5. Reliability of Audit Evidence
      6. Audit Evidence Procedures
      7. Responsibilities for Fraud Detection and Prevention
      8. Endnotes
    4. 4. Standards and Guidelines for IS Auditing
      1. IIA Standards
      2. Code of Ethics
      3. Advisory
      4. Aids
      5. Standards for the Professional Performance of Internal Auditing
      6. ISACA Standards
      7. ISACA Code of Ethics
      8. COSO: Internal Control Standards
      9. BS 7799 and ISO 17799: IT Security
      10. NIST
      11. BSI Baselines
      12. Endnotes
    5. 5. Internal Controls Concepts Knowledge
      1. Internal Controls
      2. Cost/Benefit Considerations
      3. Internal Control Objectives
      4. Types Of Internal Controls
      5. Systems of Internal Control
      6. Elements of Internal Control
      7. Manual and Automated Systems
      8. Control Procedures
      9. Application Controls
      10. Control Objectives and Risks
      11. General Control Objectives
      12. Data and Transactions Objectives
      13. Program Control Objectives
      14. Corporate IT Governance
        1. COSO and Information Technology
      15. Endnotes
    6. 6. Risk Management of the IS Function
      1. Nature of Risk
      2. Auditing in General
      3. Elements of Risk Analysis
      4. Defining the Audit Universe
      5. Computer System Threats
        1. Users
        2. Management
        3. IS Staff
        4. IS Auditors
        5. Others
        6. External Threats
      6. Risk Management
        1. Risk-Based Audit Approach
        2. Risk Factors to Consider
        3. Risk-Based Auditing
      7. Endnotes
    7. 7. Audit Planning Process
      1. Benefits of an Audit Plan
        1. The Elements
      2. Structure of the Plan
        1. Preliminary Survey
        2. Internal Control Description and Analysis
        3. Expanded Tests
        4. Findings and Recommendations
        5. Report Production
        6. Following Up
        7. Audit Evaluation
      3. Types of Audit
    8. 8. Audit Management
      1. Planning
      2. Audit Mission
      3. IS Audit Mission
      4. Organization of the Function
      5. Staffing
      6. IS Audit as a Support Function
      7. Planning
      8. Business Information Systems
      9. Integrated IS Auditor vs Integrated IS Audit
        1. Integrated Auditor
        2. Integrated Audit
      10. Auditees as Part of the Audit Team
      11. Application Audit Tools
      12. Advanced Systems
      13. Specialist Auditor
      14. IS Audit Quality Assurance
    9. 9. Audit Evidence Process
      1. Audit Evidence
      2. Audit Evidence Procedures
      3. Criteria for Success
      4. Statistical Sampling
      5. Why Sample?
      6. Judgmental (or Non-Statistical) Sampling
      7. Statistical Approach
      8. Sampling Risk
      9. Assessing Sampling Risk
      10. Planning a Sampling Application
        1. Audit Objectives
        2. Population Characteristics
        3. Deviations from the Mean
      11. Calculating Sample Size
      12. Quantitative Methods
        1. Trend Analysis
        2. Chi-Square Tests
        3. Correlation Analysis
        4. Graphical Analysis
        5. Learning Curves
        6. Ratio and Regression Analysis
        7. Linear Programming
      13. Project Scheduling Techniques
        1. Program Evaluation Review Techniques
        2. Critical Path Method
        3. GANTT or Bar Charts
      14. Simulations
        1. Monte Carlo Simulations
        2. Game Theory
        3. Queuing Theory
      15. Computer Assisted Audit Solutions
      16. Generalized Audit Software
        1. CAATs Case Study
      17. Application and Industry-Related Audit Software
      18. Customized Audit Software
      19. Information Retrieval Software
      20. Utilities
      21. On-Line Inquiry
      22. Conventional Programming Languages
      23. Microcomputer-Based Software
      24. Test Transaction Techniques
    10. 10. Audit Reporting Follow-up
      1. Audit Reporting
      2. Interim Reporting
      3. Closing Conferences
      4. Written Reports
      5. Clear Writing Techniques
      6. Preparing To Write
      7. Basic Audit Report
      8. Executive Summary
      9. Detailed Findings
      10. Polishing the Report
      11. Distributing the Report
      12. Follow-Up Reporting
      13. Types of Follow-Up Action
  5. II. Information Systems/Information Technology Governance
    1. 11. Management
      1. IS Infrastructures
      2. Project-Based Functions
      3. Quality Control
      4. Operations and Production
      5. Technical Services
      6. Performance Measurement and Reporting
      7. Measurement Implementation
        1. Control Risks and Outsourcing
        2. Auditing IS Management
      8. Endnotes
    2. 12. Strategic Planning
      1. Strategic Management Process
      2. Strategic Drivers
      3. New Audit Revolution
      4. Leveraging IS
      5. Business Process Re-Engineering Motivation
      6. IS as an Enabler of Re-Engineering
      7. Dangers of Change
      8. System Models
      9. Information Resource Management
      10. Strategic Planning for IS
      11. Decision Support Systems
      12. Steering Committees
      13. Strategic Focus
      14. Auditing Strategic Planning
      15. Design the Audit Procedures
      16. Endnote
    3. 13. Management Issues
      1. Privacy
      2. Copyrights, Trademarks, and Patents
      3. Ethical Issues
      4. Corporate Codes of Conduct
      5. IT Governance
      6. Sarbanes-Oxley Act
      7. Housekeeping
      8. Endnotes
    4. 14. Support Tools and Frameworks
      1. General Frameworks
        1. Further Information
      2. COSO: Internal Control Standards
      3. Other Standards
        1. Security: BS 7799 and ISO 17799
        2. Service Management: ITIL®
        3. Project Management: PRINCE®
        4. Criteria of Control: CoCo
    5. 15. Governance Techniques
      1. Change Control
      2. Problem Management
      3. Auditing Change Control
      4. Operational Reviews
      5. Performance Measurement
      6. ISO 9000 Reviews
  6. III. Systems and Infrastructure Lifecycle Management
    1. 16. Information Systems Planning
      1. Stakeholders
      2. Operations
      3. Systems Development
      4. Technical Support
      5. Other System Users
      6. Segregation of Duties
      7. Personnel Practices
        1. Acquisition
        2. Staff Training
        3. Staff Retention
      8. Object-Oriented Systems Analysis
      9. Enterprise Resource Planning
      10. Endnote
    2. 17. Information Management and Usage
      1. What Are Advanced Systems?
        1. Measuring the Deliverables
      2. Service Delivery and Management
        1. Auditing Service Delivery and Management
        2. Configuration and Change Management
        3. Capacity Management
        4. Service Level Agreement Management
        5. Business Continuity Management
        6. Incident Management
        7. Auditing Information Management and Usage
      3. Computer Assisted Audit Tools and Techniques
      4. Endnotes
    3. 18. Development, Acquisition, and Maintenance of Information Systems
      1. Programming Computers
      2. Program Conversions
      3. System Failures
      4. Systems Development Exposures
      5. Systems Development Controls
      6. Systems Development Life Cycle Control: Control Objectives
      7. Micro-Based Systems
    4. 19. Impact of Information Technology on the Business Processes and Solutions
      1. Impact
      2. Continuous Monitoring
      3. Business Process Outsourcing
      4. E-Business
    5. 20. Software Development
      1. Developing a System
        1. Feasibility Study
        2. Outline Design
        3. Detailed Design
        4. Acquiring, Testing, and Implementation Planning
        5. Conversion Activities
        6. Installation
        7. Post-implementation Review
      2. Change Control
      3. Why Do Systems Fail?
      4. Auditor’s Role in Software Development
    6. 21. Audit and Control of Purchased Packages
      1. Information Systems Vendors
      2. Request For Information
      3. Requirements Definition
      4. Request For Proposal
      5. Installation
      6. Systems Maintenance
      7. Systems Maintenance Review
      8. Outsourcing
    7. 22. Audit Role in Feasibility Studies and Conversions
      1. Feasibility Success Factors
      2. Conversion Success Factors
    8. 23. Audit and Development of Application Controls
      1. What Are Systems?
      2. Classifying Systems
      3. Controlling Systems
      4. Control Stages
      5. System Models
      6. Information Resource Management
      7. Control Objectives of Business Systems
      8. General Control Objectives
      9. CAATS and their Role in Business Systems Auditing
      10. Common Problems
      11. Audit Procedures
      12. CAAT Use in Non-Computerized Areas
      13. Designing an Appropriate Audit Program
  7. IV. Information Technology Service Delivery and Support
    1. 24. Technical Infrastructure
      1. Auditing the Technical Infrastructure
      2. Computer Operations Controls
      3. Operations Exposures
      4. Operations Controls
      5. Personnel Controls
      6. Supervisory Controls
      7. Operations Audits
      8. Endnotes
    2. 25. Service Center Management
      1. Continuity Management and Disaster Recovery
      2. Managing Service Center Change
  8. V. Protection of Information Assets
    1. 26. Information Assets Security Management
      1. What Is Information Systems Security?
      2. Control Techniques
      3. Workstation Security
      4. Physical Security
      5. Logical Security
      6. User Authentication
      7. Communications Security
      8. Encryption
      9. How Encryption Works
      10. Encryption Weaknesses
      11. Potential Encryption
      12. Data Integrity
      13. Double Public Key Encryption
      14. Steganography
      15. Information Security Policy
      16. Endnotes
    2. 27. Logical Information Technology Security
      1. Computer Operating Systems
      2. Tailoring the Operating System
      3. Auditing the Operating System
      4. Security
      5. Criteria
      6. Security Systems: Resource Access Control Facility
      7. Auditing RACF
      8. Access Control Facility 2
      9. Top Secret
      10. User Authentication
      11. Bypass Mechanisms
    3. 28. Applied Information Technology Security
      1. Communications and Network Security
      2. Network Protection
      3. Hardening the Operating Environment
      4. Client Server and Other Environments
      5. Firewalls and Other Protection Resources
        1. Digital Signatures
        2. Digital Certificates
      6. Intrusion Detection Systems
      7. Endnote
    4. 29. Physical and Environmental Security
      1. Control Mechanisms
        1. Physical Access Control
        2. Environmental Controls
        3. Physical Environmental Controls
        4. Building Collapse
      2. Implementing the Controls
  9. VI. Business Continuity and Disaster Recovery
    1. 30. Protection of the Information Technology Architecture and Assets: Disaster Recovery Planning
      1. Risk Reassessment
      2. Disaster—Before and After
      3. Consequences of Disruption
      4. Where to Start
      5. Testing the Plan
      6. Auditing the Plan
    2. 31. Insurance
      1. Self-Insurance
  10. VII. Advanced IS Auditing
    1. 32. Auditing E-commerce Systems
      1. E-Commerce and Electronic Data Interchange: What Is It?
      2. Opportunities and Threats
        1. Fraud in E-commerce
        2. Loss of Privacy/Confidentiality
        3. Lack of Authentication
        4. Corruption of Data
        5. Business Interruption
        6. Electronic Payments
      3. Risk Factors
      4. Threat List
      5. Security Technology
      6. “Layer” Concept
      7. Authentication
      8. Encryption
      9. Trading Partner Agreements
      10. Risks and Controls within EDI and E-Commerce
        1. Authenticity
      11. Nonrepudiation
        1. Timing
        2. Data Integrity
        3. Interception of Data
        4. Identity Theft
      12. E-Commerce and Auditability
      13. Compliance Auditing
      14. E-Commerce Audit Approach
      15. Audit Tools and Techniques
      16. Auditing Security Control Structures
      17. Computer Assisted Audit Techniques
      18. Endnotes
    2. 33. Auditing UNIX/Linux
      1. History
      2. Security and Control in a UNIX/Linux System
      3. Architecture
      4. UNIX Security
      5. Services
      6. Daemons
      7. Auditing UNIX
      8. Scrutiny of Logs
      9. Audit Tools in the Public Domain
      10. UNIX passwd File
      11. Auditing UNIX Passwords
    3. 34. Auditing Windows
      1. History
      2. NT and Its Derivatives
      3. Auditing Windows 2000
      4. Password Protection
      5. File Sharing
      6. Security Checklist
      7. Endnote
    4. 35. Foiling the System Hackers
    5. 36. Investigating Information Technology Fraud
      1. Pre-Incident Preparation
      2. Detection of Incidents
      3. Initial Response
      4. Forensic Backups
      5. Investigation
      6. Network Monitoring
      7. Identity Theft
      8. Endnote
  11. Appendices
    1. A. Ethics and Standards for the IS Auditor
      1. ISACA Code of Professional Ethics
      2. Relationship of Standards to Guidelines and Procedures
        1. Codification
        2. Use
        3. Electronic Copies
        4. Glossary
      3. Endnote
    2. B. Audit Program for Application Systems Auditing
      1. General Audit Programs for Application Systems
    3. C. Logical Access Control Audit Program
    4. D. Audit Program for Auditing UNIX/Linux Environments
    5. E. Audit Program for Auditing Windows XP/2000 Environments

Product information

  • Title: Auditor’s Guide to Information Systems Auditing
  • Author(s): Richard E. Cascarino
  • Release date: March 2007
  • Publisher(s): Wiley
  • ISBN: 9780470009895