| |
| |
| A Foundation for It Audit and Control | |
| |
| |
| Information Technology Environment: Why Are Controls and Audit Important? | |
| |
| |
| IT Today and Tomorrow | |
| |
| |
| Information Integrity, Reliability, and Validity: Importance in Today's Global | |
| |
| |
| Business Environment | |
| |
| |
| Control and Audit: A Global Concern | |
| |
| |
| E-Commerce and Electronic Funds Transfer | |
| |
| |
| Future of Electronic Payment Systems | |
| |
| |
| Legal Issues Impacting IT | |
| |
| |
| Federal Financial Integrity Legislation | |
| |
| |
| Federal Security Legislation | |
| |
| |
| Privacy on the Information Superhighway | |
| |
| |
| Privacy Legislation and the Federal Government Privacy Act | |
| |
| |
| Security, Privacy, and Audit | |
| |
| |
| Conclusion | |
| |
| |
| Review Questions | |
| |
| |
| Multiple-Choice Questions | |
| |
| |
| Exercises | |
| |
| |
| Answers to Multiple-Choice Questions | |
| |
| |
| Further Reading | |
| |
| |
| The Legal Environment and Its Impact on Information Technology | |
| |
| |
| IT Crime Issues | |
| |
| |
| Protection against Computer Fraud | |
| |
| |
| Computer Fraud and Abuse Act | |
| |
| |
| Computer Abuse Amendments Act | |
| |
| |
| Remedies and Effectiveness | |
| |
| |
| Legislation Providing for Civil and Criminal Penalties | |
| |
| |
| Computer Security Act of 1987 | |
| |
| |
| Homeland Security Act of 2002 | |
| |
| |
| Privacy on the Information Superhighway | |
| |
| |
| National Strategy for Securing Cyberspace | |
| |
| |
| Methods That Provide for Protection of Information | |
| |
| |
| Web Copyright Law | |
| |
| |
| Privacy Legislation and the Federal Government Privacy Act | |
| |
| |
| Conclusion | |
| |
| |
| Review Questions | |
| |
| |
| Multiple-Choice Questions | |
| |
| |
| Exercises | |
| |
| |
| Answers to Multiple-Choice Questions | |
| |
| |
| Further Reading | |
| |
| |
| Other Internet Sites | |
| |
| |
| Audit and Review: Their Role in Information Technology | |
| |
| |
| The Situation and the Problem | |
| |
| |
| Audit Standards | |
| |
| |
| Importance of Audit Independence | |
| |
| |
| Past and Current Accounting and Auditing Pronouncements | |
| |
| |
| AICPA Pronouncements: From the Beginning to Now | |
| |
| |
| Other Standards | |
| |
| |
| Financial Auditing | |
| |
| |
| Generally Accepted Accounting Principles | |
| |
| |
| Generally Accepted Auditing Standards | |
| |
| |
| IT Auditing: What Is It? | |
| |
| |
| Need for IT Audit Function | |
| |
| |
| Auditors Have Standards of Practice | |
| |
| |
| Auditors Must Have Independence | |
| |
| |
| High Ethical Standards | |
| |
| |
| Auditor: Knowledge, Skills, and Abilities | |
| |
| |
| Broadest Experiences | |
| |
| |
| Supplemental Skills | |
| |
| |
| Trial and Error | |
| |
| |
| Role of the IT Auditor | |
| |
| |
| Types of Auditors and Their Duties, Functions, and Responsibilities | |
| |
| |
| Legal Implications | |
| |
| |
| Conclusion | |
| |
| |
| Review Questions | |
| |
| |
| Multiple-Choice Questions | |
| |
| |
| Exercises | |
| |
| |
| Answers to Multiple-Choice Questions | |
| |
| |
| Further Reading | |
| |
| |
| Audit Process in an Information Technology Environment | |
| |
| |
| Audit Universe | |
| |
| |
| Risk Assessment | |
| |
| |
| Audit Plan | |
| |
| |
| Developing an Audit Schedule | |
| |
| |
| Audit Budget | |
| |
| |
| Objective and Context | |
| |
| |
| Using the Plan to Identify Problems | |
| |
| |
| Audit Process | |
| |
| |
| Preliminary Review | |
| |
| |
| Preliminary Evaluation of Internal Controls | |
| |
| |
| Design Audit Procedures | |
| |
| |
| Fieldwork and Implementing Audit Methodology | |
| |
| |
| Validation of Work Performed | |
| |
| |
| Substantive Testing | |
| |
| |
| Documenting Results | |
| |
| |
| Communication Strategy | |
| |
| |
| Conclusion | |
| |
| |
| Review Questions | |
| |
| |
| Multiple-Choice Questions | |
| |
| |
| Exercises | |
| |
| |
| Answers to Multiple-Choice Questions | |
| |
| |
| Further Reading | |
| |
| |
| Auditing IT Using Computer-Assisted Audit Tools and Techniques | |
| |
| |
| Auditor Productivity Tools | |
| |
| |
| Using Computer-Assisted Audit Tools in the Audit Process | |
| |
| |
| Flowcharting Techniques | |
| |
| |
| Flowcharting as an Analysis Tool | |
| |
| |
| Appropriateness of Flowcharting Techniques | |
| |
| |
| Computer-Assisted Audit Tools and Techniques for Application Reviews | |
| |
| |
| Computer-Assisted Audit Tools and Techniques for Operational Reviews | |
| |
| |
| Web Analysis Tools | |
| |
| |
| Web Analysis Software as an Audit Tool | |
| |
| |
| Computer Forensics | |
| |
| |
| Conclusion | |
| |
| |
| Review Questions | |
| |
| |
| Multiple-Choice Questions | |
| |
| |
| Exercises | |
| |
| |
| Answers to Multiple-Choice Questions | |
| |
| |
| Further Reading | |
| |
| |
| Managing IT Audit | |
| |
| |
| IT Auditor Career Development and Planning | |
| |
| |
| Establishing a Career Development Plan | |
| |
| |
| Evaluating IT Audit Quality | |
| |
| |
| Terms of Assessment | |
| |
| |
| IT Audit and Auditor Assessment Form | |
| |
| |
| Criteria for Assessing the Audit | |
| |
| |
| Criteria for Assessing the Auditor | |
| |
| |
| Applying the Concept | |
| |
| |
| Evaluation of IT Audit Performance | |
| |
| |
| What Is a Best Practice? | |
| |
| |
| Conclusion | |
| |
| |
| Review Questions | |
| |
| |
| Multiple-Choice Questions | |
| |
| |
| Exercises | |
| |
| |
| Answers to Multiple-Choice Questions | |
| |
| |
| Further Reading | |
| |
| |
| IT Auditing in the New Millennium | |
| |
| |
| IT Auditing Trends | |
| |
| |
| New Dimension: Information Assurance | |
| |
| |
| IT Audit: The Profession | |
| |
| |
| A Common Body of Knowledge | |
| |
| |
| Certification | |
| |
| |
| Continuing Education | |
| |
| |
| A Code of Ethics and Professional Standards | |
| |
| |
| Educational Curricula | |
| |
| |
| New Trends in Developing IT Auditors and Education | |
| |
| |
| Career Opportunities in the Twenty-First Century | |
| |
| |
| Public Accounting | |
| |
| |
| Private Industry | |
| |
| |
| Management Consulting | |
| |
| |
| Government | |
| |
| |
| Role of the IT Auditor in IT Governance | |
| |
| |
| IT Auditor as Counselor | |
| |
| |
| IT Auditor as Partner of Senior Management | |
| |
| |
| Educating the Next Generation on IT Audit and Control Opportunities | |
| |
| |
| Conclusion | |
| |
| |
| Review Questions | |
| |
| |
| Multiple-Choice Questions | |
| |
| |
| Exercises | |
| |
| |
| Answers to Multiple-Choice Questions | |
| |
| |
| Further Reading | |
| |
| |
| Auditing It Planning and Organization | |
| |
| |
| IT Governance | |
| |
| |
| IT Processes | |
| |
| |
| Enterprise Risk Management | |
| |
| |
| Regulatory Compliance and Internal Controls | |
| |
| |
| Performance Measurement | |
| |
| |
| Metrics and Management | |
| |
| |
| Metric Reporting | |
| |
| |
| Independent Assurance | |
| |
| |
| Participation in IT Audit Planning | |
| |
| |
| Control Framework | |
| |
| |
| Conclusion | |
| |
| |
| Review Questions | |
| |
| |
| Multiple-Choice Questions | |
| |
| |
| Exercises | |
| |
| |
| Answers to Multiple-Choice Questions | |
| |
| |
| Further Reading | |
| |
| |
| Strategy and Standards | |
| |
| |
| IT Processes | |
| |
| |
| Strategic Planning | |
| |
| |
| IT Steering Committee | |
| |
| |
| Portfolio Management | |
| |
| |
| Demand Management | |
| |
| |
| Project Initiation | |
| |
| |
| Technical Review | |
| |
| |
| Architecture and Standards | |
| |
| |
| Conclusion | |
| |
| |
| Review Questions | |
| |
| |
| Multiple-Choice Questions | |
| |
| |
| Exercises | |
| |
| |
| Answers to Multiple-Choice Questions | |
| |
| |
| Further Reading | |
| |
| |
| Risk Management | |
| |
| |
| IT Processes | |
| |
| |
| Technology Risk Management | |
| |
| |
| An Example of Standards: Technology Risk Management | |
| |
| |
| Regulations | |
| |
| |
| Where Does Technology Risk Management Belong? | |
| |
| |
| IT Insurance Risk | |
| |
| |
| How to Determine IT Insurance Coverage | |
| |
| |
| Available Guidance | |
| |
| |
| Conclusion | |
| |
| |
| Review Questions | |
| |
| |
| Multiple-Choice Questions | |
| |
| |
| Exercises | |
| |
| |
| Answers to Multiple-Choice Questions | |
| |
| |
| Further Reading | |
| |
| |
| Process and Quality Management | |
| |
| |
| IT Processes | |
| |
| |
| Roles and Responsibilities | |
| |
| |
| Separation of Duties | |
| |
| |
| Resource Management | |
| |
| |
| Managing Quality | |
| |
| |
| Quality Management Standards | |
| |
| |
| How Maturity Correlates to Quality | |
| |
| |
| IT Process Framework | |
| |
| |
| Auditing Policies and Procedures | |
| |
| |
| Conclusion | |
| |
| |
| Review Questions | |
| |
| |
| Multiple-Choice Questions | |
| |
| |
| Exercises | |
| |
| |
| Answers to Multiple-Choice Questions | |
| |
| |
| Further Reading | |
| |
| |
| Financial Management | |
| |
| |
| IT Processes | |
| |
| |
| Financial Management Framework | |
| |
| |
| Investment Approval Process | |
| |
| |
| Project Pricing | |
| |
| |
| Realizing the Benefits from IT Investments | |
| |
| |
| Financial Planning | |
| |
| |
| Identify and Allocate Costs | |
| |
| |
| Determining Charging Method | |
| |
| |
| Structure of U.S. Guidance | |
| |
| |
| IT Asset Management | |
| |
| |
| Conclusion | |
| |
| |
| Review Questions | |
| |
| |
| Multiple-Choice Questions | |
| |
| |
| Exercises | |
| |
| |
| Answers to Multiple-Choice Questions | |
| |
| |
| Further Reading | |
| |
| |
| It Acquisition and Implementation | |
| |
| |
| IT Project Management | |
| |
| |
| IT Processes | |
| |
| |
| Project Management Body of Knowledge | |
| |
| |
| Auditor's Role in the Project Management Process | |
| |
| |
| Example of Project Management Checkpoints and Tools in a Telecom Project | |
| |
| |
| Conclusion | |
| |
| |
| Review Questions | |
| |
| |
| Multiple-Choice Questions | |
| |
| |
| Exercises | |
| |
| |
| Answers to Multiple-Choice Questions | |
| |
| |
| Further Reading | |
| |
| |
| Software Development and Implementation | |
| |
| |
| IT Processes | |
| |
| |
| Approaches to Software Development | |
| |
| |
| Software Development Process | |
| |
| |
| Prototypes and Rapid Application Development | |
| |
| |
| End-User Development | |
| |
| |
| Traditional Information Software Development | |
| |
| |
| System Implementation Process | |
| |
| |
| Help Desk and Production Support Training and Readiness | |
| |
| |
| Auditor's Role in the Development Process | |
| |
| |
| Risk Assessment | |
| |
| |
| Audit Plan | |
| |
| |
| Software Development Controls Review | |
| |
| |
| Software Development Life Cycle | |
| |
| |
| Conclusion | |
| |
| |
| Review Questions | |
| |
| |
| Multiple-Choice Questions | |
| |
| |
| Exercises | |
| |
| |
| Answers to Multiple-Choice Questions | |
| |
| |
| Further Reading | |
| |
| |
| IT Sourcing | |
| |
| |
| IT Processes | |
| |
| |
| Sourcing Strategy | |
| |
| |
| Software Acquisition Process | |
| |
| |
| Prototypes and Rapid Application Development | |
| |
| |
| The Requirements Document | |
| |
| |
| Off-the-Shelf Solutions | |
| |
| |
| Purchased Package | |
| |
| |
| Contracted Development | |
| |
| |
| Outsourcing a System from Another Organization | |
| |
| |
| Request for Information | |
| |
| |
| Request for Bid | |
| |
| |
| Request for Proposal | |
| |
| |
| Evaluating Proposals | |
| |
| |
| Procurement and Supplier Management | |
| |
| |
| IT Contract Issues | |
| |
| |
| Strategic Sourcing and Supplier Management | |
| |
| |
| Auditing Software Acquisitions | |
| |
| |
| Prototypes | |
| |
| |
| Other Resources for Help and Assistance | |
| |
| |
| Conclusion | |
| |
| |
| Review Questions | |
| |
| |
| Multiple-Choice Questions | |
| |
| |
| Exercises | |
| |
| |
| Answers to Multiple-Choice Questions | |
| |
| |
| Further Reading | |
| |
| |
| Application Controls and Maintenance | |
| |
| |
| IT Processes | |
| |
| |
| Application Risks | |
| |
| |
| Electronic Data Interchange Application Risks | |
| |
| |
| Application Controls | |
| |
| |
| Web-Based Application, Risks, and Controls | |
| |
| |
| Documentation Requirements | |
| |
| |
| Application Software Life Cycle | |
| |
| |
| Application Maintenance | |
| |
| |
| Corrective Maintenance | |
| |
| |
| Adaptive Maintenance | |
| |
| |
| Perfective Maintenance | |
| |
| |
| Conclusion | |
| |
| |
| Review Questions | |
| |
| |
| Multiple-Choice Questions | |
| |
| |
| Exercises | |
| |
| |
| Answers to Multiple-Choice Questions | |
| |
| |
| Further Reading | |
| |
| |
| Change Management | |
| |
| |
| IT Processes | |
| |
| |
| Change Management | |
| |
| |
| Importance of Change Control | |
| |
| |
| Change Control | |
| |
| |
| Change Management System | |
| |
| |
| Change Request Process | |
| |
| |
| Impact Assessment | |
| |
| |
| Controls over Changes | |
| |
| |
| Emergency Change Process | |
| |
| |
| Revisions to Documentation and Procedures | |
| |
| |
| Authorized Maintenance | |
| |
| |
| Software Release Policy | |
| |
| |
| Software Distribution Process | |
| |
| |
| Change Management Tools | |
| |
| |
| Change Management Procedures | |
| |
| |
| Configuration Management | |
| |
| |
| Organizational Change Management | |
| |
| |
| Organizational Culture Defined | |
| |
| |
| Audit Involvement | |
| |
| |
| Conclusion | |
| |
| |
| Review Questions | |
| |
| |
| Multiple-Choice Questions | |
| |
| |
| Exercises | |
| |
| |
| Answers to Multiple-Choice Questions | |
| |
| |
| Further Reading | |
| |
| |
| It Delivery and Support | |
| |
| |
| Service Management | |
| |
| |
| IT Processes | |
| |
| |
| Information Technology Infrastructure Library | |
| |
| |
| Implementing IT Service Management | |
| |
| |
| Review Services and Requirements | |
| |
| |
| Define IT Services | |
| |
| |
| Service-Level Agreements | |
| |
| |
| Service Design and Pricing | |
| |
| |
| Processes to Engage Services | |
| |
| |
| Roles and Responsibilities | |
| |
| |
| Ongoing Service Management | |
| |
| |
| Service Management of Third Parties | |
| |
| |
| Evolution of Standards | |
| |
| |
| Conclusion | |
| |
| |
| Review Questions | |
| |
| |
| Multiple-Choice Questions | |
| |
| |
| Exercises | |
| |
| |
| Answers to Multiple-Choice Questions | |
| |
| |
| Further Reading | |
| |
| |
| Service Desk and Problem Management | |
| |
| |
| IT Processes | |
| |
| |
| Training | |
| |
| |
| Service Desk | |
| |
| |
| Incident and Problem Management | |
| |
| |
| Case Example: Acme Computing Services Business | |
| |
| |
| Conclusion | |
| |
| |
| Review Questions | |
| |
| |
| Multiple-Choice Questions | |
| |
| |
| Exercises | |
| |
| |
| Answers to Multiple-Choice Questions | |
| |
| |
| Further Reading | |
| |
| |
| Security and Service Continuity | |
| |
| |
| IT Processes | |
| |
| |
| Information Systems Security | |
| |
| |
| Security Threats and Risks | |
| |
| |
| Security Standards | |
| |
| |
| Information Security Controls | |
| |
| |
| Information Custodian Responsibilities | |
| |
| |
| User Responsibilities | |
| |
| |
| Third-Party Responsibilities | |
| |
| |
| Information Classification Designations | |
| |
| |
| Contingency and Disaster Recovery Planning | |
| |
| |
| Written Disaster Recovery Plan | |
| |
| |
| Mission Statement for Disaster Recovery Plan | |
| |
| |
| Disaster Recovery Plan Tests and Drill | |
| |
| |
| Conclusion | |
| |
| |
| Review Questions | |
| |
| |
| Multiple-Choice Questions | |
| |
| |
| Exercises | |
| |
| |
| Answers to Multiple-Choice Questions | |
| |
| |
| Further Reading | |
| |
| |
| System Management | |
| |
| |
| IT Processes | |
| |
| |
| Systems Software | |
| |
| |
| Systems Maintenance | |
| |
| |
| Database Technology | |
| |
| |
| Database Management Systems Recovery | |
| |
| |
| Capacity Management | |
| |
| |
| Server Virtualization | |
| |
| |
| Conclusion | |
| |
| |
| Review Questions | |
| |
| |
| Multiple-Choice Questions | |
| |
| |
| Exercises | |
| |
| |
| Answers to Multiple-Choice Questions | |
| |
| |
| Further Reading | |
| |
| |
| Operations Management | |
| |
| |
| IT Processes | |
| |
| |
| Operational Maturity | |
| |
| |
| Operating Policy and Procedures | |
| |
| |
| Data Files and Program Controls | |
| |
| |
| Physical Security and Access Controls | |
| |
| |
| Environmental Controls | |
| |
| |
| Output Controls | |
| |
| |
| Data Communications Controls | |
| |
| |
| Data Center Reviews | |
| |
| |
| Software and Data Security Controls | |
| |
| |
| Physical and Environmental Controls Management | |
| |
| |
| Data Access Management | |
| |
| |
| Policy and Procedures Documentation | |
| |
| |
| Data and Software Backup Management | |
| |
| |
| Other Management Controls | |
| |
| |
| End-User Computing | |
| |
| |
| Conclusion | |
| |
| |
| Review Questions | |
| |
| |
| Multiple-Choice Questions | |
| |
| |
| Exercises | |
| |
| |
| Answers to Multiple-Choice Questions | |
| |
| |
| Further Reading | |
| |
| |
| Tools for Network Monitoring | |
| |
| |
| The Internet, Intranet, and Extranet | |
| |
| |
| Advanced Topics | |
| |
| |
| Virtual Environment | |
| |
| |
| Virtual Environment | |
| |
| |
| Cloud Computing | |
| |
| |
| Mobile Computing | |
| |
| |
| IT Operations Issues in Network Installation | |
| |
| |
| Types of WANs | |
| |
| |
| Elements of WANs | |
| |
| |
| Conclusion | |
| |
| |
| Review Questions | |
| |
| |
| Multiple-Choice Questions | |
| |
| |
| Exercises | |
| |
| |
| Answers to Multiple-Choice Questions | |
| |
| |
| Further Reading | |
| |
| |
| Virtual Infrastructure Security and Risks | |
| |
| |
| Information Flows in the Current Marketplace | |
| |
| |
| Interconnected Systems and E-Commerce | |
| |
| |
| Battleground: The Internet | |
| |
| |
| Tools | |
| |
| |
| Exploiting the TCP/IP Holes | |
| |
| |
| Recommendation to IT Auditors, Security, and IT Professionals | |
| |
| |
| Intranet/Extranet Security | |
| |
| |
| Wireless Technology | |
| |
| |
| Identity Theft | |
| |
| |
| Conclusions | |
| |
| |
| Review Questions | |
| |
| |
| Multiple-Choice Questions | |
| |
| |
| Exercises | |
| |
| |
| Answers to Multiple-Choice Questions | |
| |
| |
| Further Reading | |
| |
| |
| Internet References | |
| |
| |
| Virtual Application Security and Risks | |
| |
| |
| E-Commerce Application Security as a Strategic and Structural Problem | |
| |
| |
| Information Security Management Systems | |
| |
| |
| A Planning and Control Approach to E-Commerce Security Management | |
| |
| |
| Web Application Risks | |
| |
| |
| Internet Security | |
| |
| |
| Case Example: GMA Business Overview and Profile | |
| |
| |
| Mobile Computing Security | |
| |
| |
| Conclusion | |
| |
| |
| Review Questions | |
| |
| |
| Multiple-Choice Questions | |
| |
| |
| Exercises | |
| |
| |
| Answers to Multiple-Choice Questions | |
| |
| |
| Further Reading | |
| |
| |
| Enterprise Resource Planning | |
| |
| |
| ERP Solutions | |
| |
| |
| Benefits of ERP Solutions | |
| |
| |
| Key Risks of ERP Solutions | |
| |
| |
| Implementing ERP Systems | |
| |
| |
| ERP Data Warehouse | |
| |
| |
| Appendices | |
| |
| |
| Information Technology Audit Cases | |
| |
| |
| Bibliography of Selected Publications for Information Technology Auditors | |
| |
| |
| Professional Standards That Apply to Information Technology (Audit, Security, and Privacy Issues) | |
| |
| |
| Glossary | |
| |
| |
| Sample Audit Programs | |
| |
| |
| Index | |