Auditor's Guide to IT Auditing


Wiley Corporate F&A, Volume 594, 2nd edition

by: Richard E. Cascarino

67,99 €

Publisher: Wiley
Format: PDF
Published: 08.02.2012
ISBN/EAN: 9781118225844
Language: English
Number of pages: 464

DRM-protected eBook; you will need Adobe Digital Editions and an Adobe ID to read it.

Description

Step-by-step guide to successful implementation and control of IT systems—including the Cloud

Many auditors are unfamiliar with the techniques they need to know to efficiently and effectively determine whether information systems are adequately protected. Now in a Second Edition, Auditor's Guide to IT Auditing presents an easy, practical guide for auditors that can be applied to all computing environments.

- Follows the approach used by the Information System Audit and Control Association's model curriculum, making this book a practical approach to IS auditing
- Serves as an excellent study guide for those preparing for the CISA and CISM exams
- Includes discussion of risk evaluation methodologies, new regulations, SOX, privacy, banking, IT governance, CobiT, outsourcing, network management, and the Cloud
- Includes a link to an education version of IDEA: Data Analysis Software

As networks and enterprise resource planning systems bring resources together, and as increasing privacy violations threaten more organizations, information systems integrity becomes more important than ever. Auditor's Guide to IT Auditing, Second Edition empowers auditors to effectively gauge the adequacy and effectiveness of information systems controls.

Contents

Preface xvii

Part I: IT Audit Process 1

Chapter 1: Technology and Audit 3
  Technology and Audit 4
  Batch and Online Systems 8
  Electronic Data Interchange 20
  Electronic Business 21
  Cloud Computing 22

Chapter 2: IT Audit Function Knowledge 25
  Information Technology Auditing 25
  What Is Management? 26
  Management Process 26
  Understanding the Organization's Business 27
  Establishing the Needs 27
  Identifying Key Activities 27
  Establish Performance Objectives 27
  Decide the Control Strategies 27
  Implement and Monitor the Controls 28
  Executive Management's Responsibility and Corporate Governance 28
  Audit Role 28
  Conceptual Foundation 29
  Professionalism within the IT Auditing Function 29
  Relationship of Internal IT Audit to the External Auditor 30
  Relationship of IT Audit to Other Company Audit Activities 30
  Audit Charter 30
  Charter Content 30
  Outsourcing the IT Audit Activity 31
  Regulation, Control, and Standards 31

Chapter 3: IT Risk and Fundamental Auditing Concepts 33
  Computer Risks and Exposures 33
  Effect of Risk 35
  Audit and Risk 36
  Audit Evidence 37
  Conducting an IT Risk-Assessment Process 38
  NIST SP 800-30 Framework 38
  ISO 27005 39
  The "Cascarino Cube" 39
  Reliability of Audit Evidence 44
  Audit Evidence Procedures 45
  Responsibilities for Fraud Detection and Prevention 46
  Notes 46

Chapter 4: Standards and Guidelines for IT Auditing 47
  IIA Standards 47
  Code of Ethics 48
  Advisory 48
  Aids 48
  Standards for the Professional Performance of Internal Auditing 48
  ISACA Standards 49
  ISACA Code of Ethics 50
  COSO: Internal Control Standards 50
  BS 7799 and ISO 17799: IT Security 52
  NIST 53
  BSI Baselines 54
  Note 55

Chapter 5: Internal Controls Concepts Knowledge 57
  Internal Controls 57
  Cost/Benefit Considerations 59
  Internal Control Objectives 59
  Types of Internal Controls 60
  Systems of Internal Control 61
  Elements of Internal Control 61
  Manual and Automated Systems 62
  Control Procedures 63
  Application Controls 63
  Control Objectives and Risks 64
  General Control Objectives 64
  Data and Transactions Objectives 64
  Program Control Objectives 66
  Corporate IT Governance 66
  COSO and Information Technology 68
  Governance Frameworks 70
  Notes 71

Chapter 6: Risk Management of the IT Function 73
  Nature of Risk 73
  Risk-Analysis Software 74
  Auditing in General 75
  Elements of Risk Analysis 77
  Defining the Audit Universe 77
  Computer System Threats 79
  Risk Management 80
  Notes 83

Chapter 7: Audit Planning Process 85
  Benefits of an Audit Plan 85
  Structure of the Plan 89
  Types of Audit 91

Chapter 8: Audit Management 93
  Planning 93
  Audit Mission 94
  IT Audit Mission 94
  Organization of the Function 95
  Staffing 95
  IT Audit as a Support Function 97
  Planning 97
  Business Information Systems 98
  Integrated IT Auditor versus Integrated IT Audit 98
  Auditees as Part of the Audit Team 100
  Application Audit Tools 100
  Advanced Systems 100
  Specialist Auditor 101
  IT Audit Quality Assurance 101

Chapter 9: Audit Evidence Process 103
  Audit Evidence 103
  Audit Evidence Procedures 103
  Criteria for Success 104
  Statistical Sampling 105
  Why Sample? 106
  Judgmental (or Non-Statistical) Sampling 106
  Statistical Approach 107
  Sampling Risk 107
  Assessing Sampling Risk 108
  Planning a Sampling Application 109
  Calculating Sample Size 111
  Quantitative Methods 111
  Project-Scheduling Techniques 116
  Simulations 117
  Computer-Assisted Audit Solutions 118
  Generalized Audit Software 118
  Application and Industry-Related Audit Software 119
  Customized Audit Software 120
  Information-Retrieval Software 120
  Utilities 120
  On-Line Inquiry 120
  Conventional Programming Languages 120
  Microcomputer-Based Software 121
  Test Transaction Techniques 121

Chapter 10: Audit Reporting Follow-up 123
  Audit Reporting 123
  Interim Reporting 124
  Closing Conferences 124
  Written Reports 124
  Clear Writing Techniques 125
  Preparing to Write 126
  Basic Audit Report 127
  Executive Summary 127
  Detailed Findings 128
  Polishing the Report 129
  Distributing the Report 129
  Follow-up Reporting 129
  Types of Follow-up Action 130

Part II: Information Technology Governance 131

Chapter 11: Management 133
  IT Infrastructures 133
  Project-Based Functions 134
  Quality Control 138
  Operations and Production 139
  Technical Services 140
  Performance Measurement and Reporting 140
  Measurement Implementation 141
  Notes 145

Chapter 12: Strategic Planning 147
  Strategic Management Process 147
  Strategic Drivers 148
  New Audit Revolution 149
  Leveraging IT 149
  Business Process Re-Engineering Motivation 150
  IT as an Enabler of Re-Engineering 151
  Dangers of Change 152
  System Models 152
  Information Resource Management 153
  Strategic Planning for IT 153
  Decision Support Systems 155
  Steering Committees 156
  Strategic Focus 156
  Auditing Strategic Planning 156
  Design the Audit Procedures 158
  Note 158

Chapter 13: Management Issues 159
  Privacy 161
  Copyrights, Trademarks, and Patents 162
  Ethical Issues 162
  Corporate Codes of Conduct 163
  IT Governance 164
  Sarbanes-Oxley Act 166
  Payment Card Industry Data Security Standards 166
  Housekeeping 167
  Notes 167

Chapter 14: Support Tools and Frameworks 169
  General Frameworks 169
  COSO: Internal Control Standards 172
  Other Standards 173
  Governance Frameworks 176
  Note 178

Chapter 15: Governance Techniques 179
  Change Control 179
  Problem Management 181
  Auditing Change Control 181
  Operational Reviews 182
  Performance Measurement 182
  ISO 9000 Reviews 184

Part III: Systems and Infrastructure Lifecycle Management 185

Chapter 16: Information Systems Planning 187
  Stakeholders 187
  Operations 188
  Systems Development 189
  Technical Support 189
  Other System Users 191
  Segregation of Duties 191
  Personnel Practices 192
  Object-Oriented Systems Analysis 194
  Enterprise Resource Planning 194
  Cloud Computing 195
  Notes 197

Chapter 17: Information Management and Usage 199
  What Are Advanced Systems? 199
  Service Delivery and Management 201
  Computer-Assisted Audit Tools and Techniques 204
  Notes 205

Chapter 18: Development, Acquisition, and Maintenance of Information Systems 207
  Programming Computers 207
  Program Conversions 209
  Systems Development Exposures 209
  Systems Development Controls 210
  Systems Development Life Cycle Control: Control Objectives 210
  Micro-Based Systems 212
  Cloud Computing Applications 212
  Note 213

Chapter 19: Impact of Information Technology on the Business Processes and Solutions 215
  Impact 215
  Continuous Monitoring 216
  Business Process Outsourcing 218
  E-Business 219
  Notes 220

Chapter 20: Software Development 221
  Developing a System 221
  Change Control 225
  Why Do Systems Fail? 225
  Auditor's Role in Software Development 227

Chapter 21: Audit and Control of Purchased Packages and Services 229
  IT Vendors 230
  Request for Information 231
  Requirements Definition 231
  Request for Proposal 232
  Installation 233
  Systems Maintenance 233
  Systems Maintenance Review 234
  Outsourcing 234
  SAS 70 Reports 234

Chapter 22: Audit Role in Feasibility Studies and Conversions 237
  Feasibility Success Factors 237
  Conversion Success Factors 240

Chapter 23: Audit and Development of Application Controls 243
  What Are Systems? 243
  Classifying Systems 244
  Controlling Systems 244
  Control Stages 245
  Control Objectives of Business Systems 245
  General Control Objectives 246
  CAATs and Their Role in Business Systems Auditing 247
  Common Problems 249
  Audit Procedures 250
  CAAT Use in Non-Computerized Areas 250
  Designing an Appropriate Audit Program 250

Part IV: Information Technology Service Delivery and Support 253

Chapter 24: Technical Infrastructure 255
  Auditing the Technical Infrastructure 257
  Infrastructure Changes 259
  Computer Operations Controls 260
  Operations Exposures 261
  Operations Controls 261
  Personnel Controls 261
  Supervisory Controls 262
  Information Security 262
  Operations Audits 263
  Notes 264

Chapter 25: Service-Center Management 265
  Private Sector Preparedness (PS Prep) 266
  Continuity Management and Disaster Recovery 266
  Managing Service-Center Change 269
  Notes 269

Part V: Protection of Information Assets 271

Chapter 26: Information Assets Security Management 273
  What Is Information Systems Security? 273
  Control Techniques 276
  Workstation Security 276
  Physical Security 276
  Logical Security 277
  User Authentication 277
  Communications Security 277
  Encryption 277
  How Encryption Works 278
  Encryption Weaknesses 279
  Potential Encryption 280
  Data Integrity 280
  Double Public Key Encryption 281
  Steganography 281
  Information Security Policy 282
  Notes 282

Chapter 27: Logical Information Technology Security 283
  Computer Operating Systems 283
  Tailoring the Operating System 284
  Auditing the Operating System 285
  Security 286
  Criteria 286
  Security Systems: Resource Access Control Facility 287
  Auditing RACF 288
  Access Control Facility 2 289
  Top Secret 290
  User Authentication 291
  Bypass Mechanisms 293
  Security Testing Methodologies 293
  Notes 295

Chapter 28: Applied Information Technology Security 297
  Communications and Network Security 297
  Network Protection 298
  Hardening the Operating Environment 300
  Client Server and Other Environments 301
  Firewalls and Other Protection Resources 301
  Intrusion-Detection Systems 303
  Note 304

Chapter 29: Physical and Environmental Security 305
  Control Mechanisms 306
  Implementing the Controls 310

Part VI: Business Continuity and Disaster Recovery 311

Chapter 30: Protection of the Information Technology Architecture and Assets: Disaster-Recovery Planning 313
  Risk Reassessment 314
  Disaster—Before and After 315
  Consequences of Disruption 317
  Where to Start 317
  Testing the Plan 319
  Auditing the Plan 320

Chapter 31: Displacement Control 323
  Insurance 323
  Self-Insurance 327

Part VII: Advanced IT Auditing 329

Chapter 32: Auditing E-commerce Systems 331
  E-Commerce and Electronic Data Interchange: What Is It? 331
  Opportunities and Threats 332
  Risk Factors 335
  Threat List 335
  Security Technology 336
  "Layer" Concept 336
  Authentication 336
  Encryption 337
  Trading Partner Agreements 338
  Risks and Controls within EDI and E-Commerce 338
  E-Commerce and Auditability 340
  Compliance Auditing 340
  E-Commerce Audit Approach 341
  Audit Tools and Techniques 341
  Auditing Security Control Structures 342
  Computer-Assisted Audit Techniques 343
  Notes 343

Chapter 33: Auditing UNIX/Linux 345
  History 345
  Security and Control in a UNIX/Linux System 347
  Architecture 348
  UNIX Security 348
  Services 349
  Daemons 350
  Auditing UNIX 350
  Scrutiny of Logs 351
  Audit Tools in the Public Domain 351
  UNIX Password File 352
  Auditing UNIX Passwords 353

Chapter 34: Auditing Windows VISTA and Windows 7 355
  History 355
  NT and Its Derivatives 356
  Auditing Windows Vista/Windows 7 357
  Password Protection 358
  VISTA/Windows 7 359
  Security Checklist 359

Chapter 35: Foiling the System Hackers 361

Chapter 36: Preventing and Investigating Information Technology Fraud 367
  Preventing Fraud 367
  Investigation 369
  Identity Theft 376
  Note 376

Appendix A: Ethics and Standards for the IS Auditor 377
  ISACA Code of Professional Ethics 377
  Relationship of Standards to Guidelines and Procedures 378

Appendix B: Audit Program for Application Systems Auditing 379

Appendix C: Logical Access Control Audit Program 393

Appendix D: Audit Program for Auditing UNIX/Linux Environments 401

Appendix E: Audit Program for Auditing Windows VISTA and Windows 7 Environments 407

About the Author 415
About the Website 417
Index 419

Richard E. Cascarino, MBA, CIA, CISA, CISM, is a consultant and lecturer with over thirty years' experience in internal, forensic, risk, and computer auditing. He is Managing Director of Richard Cascarino & Associates, a successful audit training and consultancy company. For the last twenty-five years, the company has been providing consultancy and professional development services to clients throughout the southern African region as well as Europe, the Middle East, and the United States. He is a past president of the Institute of Internal Auditors South Africa (IIA SA), was the founding Regional Director of the Southern African Region of the IIA Inc., and is a member of both the Information Systems Audit and Control Association and the Association of Certified Fraud Examiners.

Many auditors are unfamiliar with the techniques they need to know to efficiently and effectively determine whether your IT systems are adequately protected. Now in a Second Edition, Auditor's Guide to IT Auditing presents an easy, practical guide for auditors that can be applied to all computing environments.

Presenting the computer auditing knowledge that today's modern auditor requires significantly more than auditors of yesteryear, Auditor's Guide to IT Auditing, Second Edition serves as an excellent study guide for those preparing for the CISA and CISM exams. In addition, it provides you with a working knowledge of the risks and control opportunities within an information processing (IP) environment, as well as how to audit that environment.

Filled with realistic case studies that present a workable implementation of the book's principles and techniques, this step-by-step guide includes timely discussion of:

- Risk evaluation methodologies
- New regulations
- The Sarbanes-Oxley Act
- Privacy
- Banking
- IT governance
- CobiT
- Outsourcing
- Network management
- The Cloud

A reality check for every auditor to determine whether they are examining the right issues and if they are sufficiently comprehensive in their focus, Auditor's Guide to IT Auditing, Second Edition offers thorough coverage for successful application and control of IT systems—including the Cloud—to empower you to effectively gauge the adequacy and effectiveness of your IT controls.
