A Foundation for IT Audit and Control

Information Technology Environment: Why Are Controls and Audit Important?
IT Today and Tomorrow
Information Integrity, Reliability, and Validity: Importance in Today's Global Business Environment
Control and Audit: A Global Concern
E-Commerce and Electronic Funds Transfer
Future of Electronic Payment Systems
Legal Issues Impacting IT
Federal Financial Integrity Legislation
Federal Security Legislation
Privacy on the Information Superhighway
Privacy Legislation and the Federal Government Privacy Act
Security, Privacy, and Audit
Conclusion
Review Questions
Multiple-Choice Questions
Exercises
Answers to Multiple-Choice Questions
Further Reading

The Legal Environment and Its Impact on Information Technology
IT Crime Issues
Protection against Computer Fraud
Computer Fraud and Abuse Act
Computer Abuse Amendments Act
Remedies and Effectiveness
Legislation Providing for Civil and Criminal Penalties
Computer Security Act of 1987
Homeland Security Act of 2002
Privacy on the Information Superhighway
National Strategy for Securing Cyberspace
Methods That Provide for Protection of Information
Web Copyright Law
Privacy Legislation and the Federal Government Privacy Act
Conclusion
Review Questions
Multiple-Choice Questions
Exercises
Answers to Multiple-Choice Questions
Further Reading
Other Internet Sites

Audit and Review: Their Role in Information Technology
The Situation and the Problem
Audit Standards
Importance of Audit Independence
Past and Current Accounting and Auditing Pronouncements
AICPA Pronouncements: From the Beginning to Now
Other Standards
Financial Auditing
Generally Accepted Accounting Principles
Generally Accepted Auditing Standards
IT Auditing: What Is It?
Need for IT Audit Function
Auditors Have Standards of Practice
Auditors Must Have Independence
High Ethical Standards
Auditor: Knowledge, Skills, and Abilities
Broadest Experiences
Supplemental Skills
Trial and Error
Role of the IT Auditor
Types of Auditors and Their Duties, Functions, and Responsibilities
Legal Implications
Conclusion
Review Questions
Multiple-Choice Questions
Exercises
Answers to Multiple-Choice Questions
Further Reading

Audit Process in an Information Technology Environment
Audit Universe
Risk Assessment
Audit Plan
Developing an Audit Schedule
Audit Budget
Objective and Context
Using the Plan to Identify Problems
Audit Process
Preliminary Review
Preliminary Evaluation of Internal Controls
Design Audit Procedures
Fieldwork and Implementing Audit Methodology
Validation of Work Performed
Substantive Testing
Documenting Results
Communication Strategy
Conclusion
Review Questions
Multiple-Choice Questions
Exercises
Answers to Multiple-Choice Questions
Further Reading

Auditing IT Using Computer-Assisted Audit Tools and Techniques
Auditor Productivity Tools
Using Computer-Assisted Audit Tools in the Audit Process
Flowcharting Techniques
Flowcharting as an Analysis Tool
Appropriateness of Flowcharting Techniques
Computer-Assisted Audit Tools and Techniques for Application Reviews
Computer-Assisted Audit Tools and Techniques for Operational Reviews
Web Analysis Tools
Web Analysis Software as an Audit Tool
Computer Forensics
Conclusion
Review Questions
Multiple-Choice Questions
Exercises
Answers to Multiple-Choice Questions
Further Reading

Managing IT Audit
IT Auditor Career Development and Planning
Establishing a Career Development Plan
Evaluating IT Audit Quality
Terms of Assessment
IT Audit and Auditor Assessment Form
Criteria for Assessing the Audit
Criteria for Assessing the Auditor
Applying the Concept
Evaluation of IT Audit Performance
What Is a Best Practice?
Conclusion
Review Questions
Multiple-Choice Questions
Exercises
Answers to Multiple-Choice Questions
Further Reading

IT Auditing in the New Millennium
IT Auditing Trends
New Dimension: Information Assurance
IT Audit: The Profession
A Common Body of Knowledge
Certification
Continuing Education
A Code of Ethics and Professional Standards
Educational Curricula
New Trends in Developing IT Auditors and Education
Career Opportunities in the Twenty-First Century
Public Accounting
Private Industry
Management Consulting
Government
Role of the IT Auditor in IT Governance
IT Auditor as Counselor
IT Auditor as Partner of Senior Management
Educating the Next Generation on IT Audit and Control Opportunities
Conclusion
Review Questions
Multiple-Choice Questions
Exercises
Answers to Multiple-Choice Questions
Further Reading

Auditing IT Planning and Organization

IT Governance
IT Processes
Enterprise Risk Management
Regulatory Compliance and Internal Controls
Performance Measurement
Metrics and Management
Metric Reporting
Independent Assurance
Participation in IT Audit Planning
Control Framework
Conclusion
Review Questions
Multiple-Choice Questions
Exercises
Answers to Multiple-Choice Questions
Further Reading

Strategy and Standards
IT Processes
Strategic Planning
IT Steering Committee
Portfolio Management
Demand Management
Project Initiation
Technical Review
Architecture and Standards
Conclusion
Review Questions
Multiple-Choice Questions
Exercises
Answers to Multiple-Choice Questions
Further Reading

Risk Management
IT Processes
Technology Risk Management
An Example of Standards: Technology Risk Management
Regulations
Where Does Technology Risk Management Belong?
IT Insurance Risk
How to Determine IT Insurance Coverage
Available Guidance
Conclusion
Review Questions
Multiple-Choice Questions
Exercises
Answers to Multiple-Choice Questions
Further Reading

Process and Quality Management
IT Processes
Roles and Responsibilities
Separation of Duties
Resource Management
Managing Quality
Quality Management Standards
How Maturity Correlates to Quality
IT Process Framework
Auditing Policies and Procedures
Conclusion
Review Questions
Multiple-Choice Questions
Exercises
Answers to Multiple-Choice Questions
Further Reading

Financial Management
IT Processes
Financial Management Framework
Investment Approval Process
Project Pricing
Realizing the Benefits from IT Investments
Financial Planning
Identify and Allocate Costs
Determining Charging Method
Structure of U.S. Guidance
IT Asset Management
Conclusion
Review Questions
Multiple-Choice Questions
Exercises
Answers to Multiple-Choice Questions
Further Reading

IT Acquisition and Implementation

IT Project Management
IT Processes
Project Management Body of Knowledge
Auditor's Role in the Project Management Process
Example of Project Management Checkpoints and Tools in a Telecom Project
Conclusion
Review Questions
Multiple-Choice Questions
Exercises
Answers to Multiple-Choice Questions
Further Reading

Software Development and Implementation
IT Processes
Approaches to Software Development
Software Development Process
Prototypes and Rapid Application Development
End-User Development
Traditional Information Software Development
System Implementation Process
Help Desk and Production Support Training and Readiness
Auditor's Role in the Development Process
Risk Assessment
Audit Plan
Software Development Controls Review
Software Development Life Cycle
Conclusion
Review Questions
Multiple-Choice Questions
Exercises
Answers to Multiple-Choice Questions
Further Reading

IT Sourcing
IT Processes
Sourcing Strategy
Software Acquisition Process
Prototypes and Rapid Application Development
The Requirements Document
Off-the-Shelf Solutions
Purchased Package
Contracted Development
Outsourcing a System from Another Organization
Request for Information
Request for Bid
Request for Proposal
Evaluating Proposals
Procurement and Supplier Management
IT Contract Issues
Strategic Sourcing and Supplier Management
Auditing Software Acquisitions
Prototypes
Other Resources for Help and Assistance
Conclusion
Review Questions
Multiple-Choice Questions
Exercises
Answers to Multiple-Choice Questions
Further Reading

Application Controls and Maintenance
IT Processes
Application Risks
Electronic Data Interchange Application Risks
Application Controls
Web-Based Application, Risks, and Controls
Documentation Requirements
Application Software Life Cycle
Application Maintenance
Corrective Maintenance
Adaptive Maintenance
Perfective Maintenance
Conclusion
Review Questions
Multiple-Choice Questions
Exercises
Answers to Multiple-Choice Questions
Further Reading

Change Management
IT Processes
Change Management
Importance of Change Control
Change Control
Change Management System
Change Request Process
Impact Assessment
Controls over Changes
Emergency Change Process
Revisions to Documentation and Procedures
Authorized Maintenance
Software Release Policy
Software Distribution Process
Change Management Tools
Change Management Procedures
Configuration Management
Organizational Change Management
Organizational Culture Defined
Audit Involvement
Conclusion
Review Questions
Multiple-Choice Questions
Exercises
Answers to Multiple-Choice Questions
Further Reading

IT Delivery and Support

Service Management
IT Processes
Information Technology Infrastructure Library
Implementing IT Service Management
Review Services and Requirements
Define IT Services
Service-Level Agreements
Service Design and Pricing
Processes to Engage Services
Roles and Responsibilities
Ongoing Service Management
Service Management of Third Parties
Evolution of Standards
Conclusion
Review Questions
Multiple-Choice Questions
Exercises
Answers to Multiple-Choice Questions
Further Reading

Service Desk and Problem Management
IT Processes
Training
Service Desk
Incident and Problem Management
Case Example: Acme Computing Services Business
Conclusion
Review Questions
Multiple-Choice Questions
Exercises
Answers to Multiple-Choice Questions
Further Reading

Security and Service Continuity
IT Processes
Information Systems Security
Security Threats and Risks
Security Standards
Information Security Controls
Information Custodian Responsibilities
User Responsibilities
Third-Party Responsibilities
Information Classification Designations
Contingency and Disaster Recovery Planning
Written Disaster Recovery Plan
Mission Statement for Disaster Recovery Plan
Disaster Recovery Plan Tests and Drill
Conclusion
Review Questions
Multiple-Choice Questions
Exercises
Answers to Multiple-Choice Questions
Further Reading

System Management
IT Processes
Systems Software
Systems Maintenance
Database Technology
Database Management Systems Recovery
Capacity Management
Server Virtualization
Conclusion
Review Questions
Multiple-Choice Questions
Exercises
Answers to Multiple-Choice Questions
Further Reading

Operations Management
IT Processes
Operational Maturity
Operating Policy and Procedures
Data Files and Program Controls
Physical Security and Access Controls
Environmental Controls
Output Controls
Data Communications Controls
Data Center Reviews
Software and Data Security Controls
Physical and Environmental Controls Management
Data Access Management
Policy and Procedures Documentation
Data and Software Backup Management
Other Management Controls
End-User Computing
Conclusion
Review Questions
Multiple-Choice Questions
Exercises
Answers to Multiple-Choice Questions
Further Reading
Tools for Network Monitoring
The Internet, Intranet, and Extranet

Advanced Topics

Virtual Environment
Virtual Environment
Cloud Computing
Mobile Computing
IT Operations Issues in Network Installation
Types of WANs
Elements of WANs
Conclusion
Review Questions
Multiple-Choice Questions
Exercises
Answers to Multiple-Choice Questions
Further Reading

Virtual Infrastructure Security and Risks
Information Flows in the Current Marketplace
Interconnected Systems and E-Commerce
Battleground: The Internet
Tools
Exploiting the TCP/IP Holes
Recommendation to IT Auditors, Security, and IT Professionals
Intranet/Extranet Security
Wireless Technology
Identity Theft
Conclusions
Review Questions
Multiple-Choice Questions
Exercises
Answers to Multiple-Choice Questions
Further Reading
Internet References

Virtual Application Security and Risks
E-Commerce Application Security as a Strategic and Structural Problem
Information Security Management Systems
A Planning and Control Approach to E-Commerce Security Management
Web Application Risks
Internet Security
Case Example: GMA Business Overview and Profile
Mobile Computing Security
Conclusion
Review Questions
Multiple-Choice Questions
Exercises
Answers to Multiple-Choice Questions
Further Reading

Enterprise Resource Planning
ERP Solutions
Benefits of ERP Solutions
Key Risks of ERP Solutions
Implementing ERP Systems
ERP Data Warehouse

Appendices

Information Technology Audit Cases
Bibliography of Selected Publications for Information Technology Auditors
Professional Standards That Apply to Information Technology (Audit, Security, and Privacy Issues)
Glossary
Sample Audit Programs
Index