AUD105-2nd Edition. Auditor s Guide to IT - 20 hours. Objectives

Transcription

1 AUD105-2nd Edition Auditor s Guide to IT - 20 hours Objectives More and more, auditors are being called upon to assess the risks and evaluate the controls over computer information systems in all types of organizations. However, many auditors are unfamiliar with the techniques they need to know to efficiently and effectively determine whether information systems are adequately protected. Auditor's Guide to IT Auditing presents an easy, practical guide for auditors that can be applied to all computing environments. As networks and enterprise resource planning systems bring resources together, and as increasing privacy violations threaten more organization, information systems integrity becomes more important than ever. With a complimentary student's version of the IDEA Data Analysis Software CD, Auditor's Guide to IT Auditing empowers auditors to effectively gauge the adequacy and effectiveness of information systems controls. CHAPTER 1 Technology and Audit Course Outline After completing Chapter 1, you should comprehend the following: 1. Technology and Audit 2. Batch and On-Line Systems 3. Electronic Data Interchange 4. Electronic Business 5. Cloud Computing

2 CHAPTER 2 IS Audit Function Knowledge After completing Chapter 2, you should comprehend the following: 1. Information Systems Auditing 2. What Is Management? 3. Management Process 4. Understanding the Organization s Business 5. Establishing the Needs 6. Identifying Key Activities 7. Establish Performance Objectives 8. Decide the Control Strategies 9. Implement and Monitor the Controls 10. Executive Management s Responsibility and Corporate Governance 11. Audit Role 12. Conceptual Foundation 13. Professionalism within the IS Auditing Function 14. Relationship of Internal IS Audit to the External Auditor 15. Relationship of IS Audit to Other Company Audit Activities 16. Audit Charter 17. Charter Content 18. Outsourcing the IS Audit Activity 19. Regulation, Control, and Standards CHAPTER 3 IS Risk and Fundamental Auditing Concepts After completing Chapter 3, you should comprehend the following: 1. Computer Risks and Exposures 2. Effect of Risk 3. Audit and Risk 4. Audit Evidence 5. Conducting an IT Risk Assessment Process 6. NIST SP Framework 7. ISO The "Cascarino Cube" 9. Reliability of Audit Evidence 10. Audit Evidence Procedures 11. Responsibilities for Fraud Detection and Prevention CHAPTER 4 Standards and Guidelines for IS Auditing

3 After completing Chapter 4, you should comprehend the following: 1. IIA Standards 2. Code of Ethics 3. Advisory 4. Aids 5. Standards for the Professional Performance of Internal Auditing 6. ISACA Standards 7. ISACA Code of Ethics 8. COSO: Internal Control Standards 9. BS 7799 and ISO 17799: IT Security 10. NIST 11. BSI Baselines CHAPTER 5 Internal Controls Concepts Knowledge After completing Chapter 5, you should comprehend the following: 1. Internal Controls 2. Cost/Benefit Considerations 3. Internal Control Objectives 4. Types Of Internal Controls 5. Systems of Internal Control 6. Elements of Internal Control 7. Manual and Automated Systems 8. Control Procedures 9. Application Controls 10. Control Objectives and Risks 11. General Control Objectives 12. Data and Transactions Objectives 13. Program Control Objectives 14. Corporate IT Governance 15. COSO and Information Technology 16. Governance Frameworks CHAPTER 6 Risk Management of the IS Function After completing Chapter 6, you should comprehend the following: 1. Nature of Risk 2. Risk Analysis Softward 3. Auditing in General

4 4. Elements of Risk Analysis 5. Defining the Audit Universe 6. Computer System Threats 7. Risk Management CHAPTER 7 Audit Planning Process After completing Chapter 7, you should comprehend the following: 1. Benefits of an Audit Plan 2. Structure of the Plan 3. Types of Audit CHAPTER 8 Audit Management After completing Chapter 8, you should comprehend the following: 1. Planning 2. Audit Mission 3. IS Audit Mission 4. Organization of the Function 5. Staffing 6. IT Audit as a Support Function 7. Planning 8. Business Information Systems 9. Integrated IT Auditor vs Integrated IT Audit 10. Auditees as Part of the Audit Team 11. Application Audit Tools 12. Advanced Systems 13. Specialist Auditor 14. IS Audit Quality Assurance CHAPTER 9 Audit Evidence Process After completing Chapter 9, you should comprehend the following: 1. Audit Evidence 2. Audit Evidence Procedures 3. Criteria for Success 4. Statistical Sampling 5. Why Sample?

5 6. Judgmental (or Non-Statistical) Sampling 7. Statistical Approach 8. Sampling Risk 9. Assessing Sampling Risk 10. Planning a Sampling Application 11. Calculating Sample Size 12. Quantitative Methods 13. Project Scheduling Techniques 14. Simulations 15. Computer Assisted Audit Solutions 16. Generalized Audit Software 17. Application and Industry-Related Audit Software 18. Customized Audit Software 19. Information Retrieval Software 20. Utilities 21. On-Line Inquiry 22. Conventional Programming Languages 23. Microcomputer-Based Software 24. Test Transaction Techniques CHAPTER 10 Audit Reporting Follow-up After completing Chapter 10, you should comprehend the following: 1. Audit Reporting 2. Interim Reporting 3. Closing Conferences 4. Written Reports 5. Clear Writing Techniques 6. Preparing To Write 7. Basic Audit Report 8. Executive Summary 9. Detailed Findings 10. Polishing the Report 11. Distributing the Report 12. Follow-Up Reporting 13. Types of Follow-Up Action CHAPTER 11 Management After completing Chapter 11, you should comprehend the following:

6 1. IT Infrastructures 2. Project-Based Functions 3. Quality Control 4. Operations and Production 5. Technical Services 6. Performance Measurement and Reporting 7. Measurement Implementation CHAPTER 12 - Strategic Planning After completing Chapter 12, you should comprehend the following: 1. Strategic Management Process 2. Strategic Drivers 3. New Audit Revolution 4. Leveraging IT 5. Business Process Re-Engineering Motivation 6. IT as an Enabler of Re-Engineering 7. Dangers of Change 8. System Models 9. Information Resource Management 10. Strategic Planning for IT 11. Decision Support Systems 12. Steering Committees 13. Strategic Focus 14. Auditing Strategic Planning 15. Design the Audit Procedures CHAPTER 13 - Management Issues After completing Chapter 13, you should comprehend the following: 1. Privacy 2. Copyrights, Trademarks, and Patents 3. Ethical Issues 4. Corporate Codes of Conduct 5. IT Governance 6. Sarbanes-Oxley Act 7. Payment Card Industry Data Security Standards 8. Housekeeping

7 CHAPTER 14 - Support Tools and Frameworks After completing Chapter 14, you should comprehend the following: 1. General Frameworks 2. COSO: Internal Control Standards 3. Other Standards 4. Governance Frameworks CHAPTER 15 - Governance Techniques After completing Chapter 15, you should comprehend the following: 1. Change Control 2. Problem Management 3. Auditing Change Control 4. Operational Reviews 5. Performance Measurement 6. ISO 9000 Reviews CHAPTER 16 - Information Systems Planning After completing Chapter 16, you should comprehend the following: 1. Stakeholders 2. Operations 3. Systems Development 4. Technical Support 5. Other System Users 6. Segregation of Duties 7. Personnel Practices 8. Object-Oriented Systems Analysis 9. Enterprise Resource Planning 10. Cloud Computing CHAPTER 17 - Information Management and Usage After completing Chapter 17, you should comprehend the following: 1. What Are Advanced Systems? 2. Service Delivery and Management

8 3. Computer Assisted Audit Tools and Techniques CHAPTER 18 - Development, Acquisition, and Maintenance of Information Systems After completing Chapter 18, you should comprehend the following: 1. Programming Computers 2. Program Conversions 3. No Thanks Systems Development Exposures 4. Systems Development Controls 5. Systems Development Life Cycle Control: Control Objectives 6. Micro-Based Systems 7. Cloud Computing Applications CHAPTER 19- Impact of Information Technology on the Business Processes and Solutions After completing Chapter 19, you should comprehend the following: 1. Impact 2. Continuous Monitoring 3. Business Process Outsourcing 4. E-Business CHAPTER 20 - Software Development After completing Chapter 20, you should comprehend the following: 1. Developing a System 2. Change Control 3. Why Do Systems Fail? 4. Auditor's Role in Software Development CHAPTER 21 - Audit and Control of Purchased Packages After completing Chapter 21, you should comprehend the following: 1. IT Vendors 2. Request For Information

9 3. Requirements Definition 4. Request For Proposal 5. Installation 6. Systems Maintenance 7. Systems Maintenance Review 8. Outsourcing 9. SAS 70 Reports CHAPTER 22 - Audit Role in Feasibility Studies and Conversions After completing Chapter 22, you should comprehend the following: 1. Feasibility Success Factors 2. Conversion Success Factors CHAPTER 23 - Audit and Development of Application Controls After completing Chapter 23, you should comprehend the following: 1. What Are Systems? 2. Classifying Systems 3. Controlling Systems 4. Control Stages 5. Control Objectives of Business Systems 6. General Control Objectives 7. CAATS and their Role in Business Systems Auditing 8. Common Problems 9. Audit Procedures 10. CAAT Use in Non-Computerized Areas 11. Designing an Appropriate Audit Program CHAPTER 24 - Technical Infrastructure After completing Chapter 24, you should comprehend the following: 1. Auditing the Technical Infrastructure 2. Infrastructure Changes 3. Computer Operations Controls 4. Operations Exposures 5. Operations Controls 6. Personnel Controls

10 7. Supervisory Controls 8. Information Security 9. Operations Audits CHAPTER 25 - Service Center Management After completing Chapter 25, you should comprehend the following: 1. Private Sector Preparedness (PS Prep) 2. Continuity Management and Disaster Recovery 3. Managing Service Center Change CHAPTER 26 - Information Assets Security Management After completing Chapter 26, you should comprehend the following: 1. What Is Information Systems Security? 2. Control Techniques 3. Workstation Security 4. Physical Security 5. Logical Security 6. User Authentication 7. Communications Security 8. Encryption 9. How Encryption Works 10. Encryption Weaknesses 11. Potential Encryption 12. Data Integrity 13. Double Public Key Encryption 14. Steganography 15. Information Security Policy CHAPTER 27 - Logical Information Technology Security After completing Chapter 27, you should comprehend the following: 1. Computer Operating Systems 2. Tailoring the Operating System 3. Auditing the Operating System 4. Security 5. Criteria

11 6. Security Systems: Resource Access Control Facility 7. Auditing RACF 8. Access Control Facility 2 9. Top Secret 10. User Authentication 11. Bypass Mechanisms 12. Security Testing Methodologies CHAPTER 28 - Applied Information Technology Security After completing Chapter 28, you should comprehend the following: 1. Communications and Network Security 2. Network Protection 3. Hardening the Operating Environment 4. Client Server and Other Environments 5. Firewalls and Other Protection Resources 6. Intrusion Detection Systems CHAPTER 29 - Physical and Environmental Security After completing Chapter 29, you should comprehend the following: 1. Control Mechanisms 2. Implementing the Controls CHAPTER 30 - Protection of the Information Technology Architecture and Assets: Disaster Recovery Planning After completing Chapter 30, you should comprehend the following: 1. Risk Reassessment 2. Disaster Before and After 3. Consequences of Disruption 4. Where to Start 5. Testing the Plan 6. Auditing the Plan CHAPTER 31 Insurance

12 After completing Chapter 31, you should comprehend the following: 1. Insurance 2. Self-Insurance CHAPTER 32 - Auditing E-commerce Systems After completing Chapter 32, you should comprehend the following: 1. E-Commerce and Electronic Data Interchange: What Is It? 2. Opportunities and Threats 3. Risk Factors 4. Threat List 5. Security Technology 6. "Layer" Concept 7. Authentication 8. Encryption 9. Trading Partner Agreements 10. Risks and Controls within EDI and E-Commerce 11. E-Commerce and Auditability 12. Compliance Auditing 13. E-Commerce Audit Approach 14. Audit Tools and Techniques 15. Auditing Security Control Structures 16. Computer Assisted Audit Techniques CHAPTER 33 - Auditing UNIX/Linux After completing Chapter 33, you should comprehend the following: 1. History 2. Security and Control in a UNIX/Linux System 3. Architecture 4. UNIX Security 5. Services 6. Daemons 7. Auditing UNIX 8. Scrutiny of Logs 9. Audit Tools in the Public Domain 10. UNIX password File 11. Auditing UNIX Passwords

13 CHAPTER 34 - Auditing Windows After completing Chapter 34, you should comprehend the following: 1. History 2. NT and Its Derivatives 3. Auditing Windows Vista/Windows 7 4. Password Protection 5. VISTA/Windows 7 6. Security Checklist CHAPTER 35 - Foiling the System Hackers After completing Chapter 35, you should comprehend the following: 1. Foiling the system hackers CHAPTER 36 - Investigating Information Technology Fraud After completing Chapter 36, you should comprehend the following: 1. Preventing Fraud 2. Investigation 3. Identity Theft