IT Audit, Control, and Security
When it comes to computer security, the role of auditors today has never been more crucial. Auditors must ensure that all computers, in particular those dealing with e-business, are secure. The only source for information on the combined areas of computer audit, control, and security, the IT Audit, Control, and Security describes the types of internal controls, security, and integrity procedures that management must build into its automated systems. This very timely book provides auditors with the guidance they need to ensure that their systems are secure from both internal and external threats.
Introduction. Part One Auditing Internal Controls in an IT Environment. Chapter 1 SOx and the COSO Internal Controls Framework. Roles and Responsibilities of IT Auditors. Importance of Effective Internal Controls and COSO. COSO Internal Control Systems Monitoring Guidance. Sarbanes-Oxley Act. Wrapping It Up: COSO Internal Controls and Sox. Notes. Chapter 2 Using CobiT to Perform IT Audits. Introduction to CobiT. CobiT Framework. Using CobiT to Assess Internal Controls. Using CobiT in a SOx Environment. CobiT Assurance Framework Guidance. CobiT in Perspective. Notes. Chapter 3 IIA and ISACA Standards for the Professional Practice of Internal Auditing. Internal Auditing's International Professional Practice Standards. Content of the IPPF and the IIA International Standards. Strongly Recommended IIA Standards Guidance. ISACA IT Auditing Standards Overview. Codes of Ethics: The IIA and ISACA. Notes. Chapter 4 Understanding Risk Management Through COSO ERM. Risk Management Fundamentals. Quantitative Risk Analysis Techniques. IIA and ISACA Risk Management Internal Audit Guidance. COSO ERM: Enterprise Risk Management. IT Audit Risk and COSO ERM. Notes. Chapter 5 Performing Effective IT Audits. IT Audit and the Enterprise Internal Audit Function. Organizing and Planning IT Audits. Developing and Preparing Audit Programs. Gathering Audit Evidence and Testing Results. Workpapers and Reporting IT Audit Results. Preparing Effective IT Audits. Notes. Part Two Auditing IT General Controls. Chapter 6 General Controls in Today's IT Environments. Importance of IT General Controls. IT Governance General Controls. IT Management General Controls. IT Technical Environment General Controls. Notes. Chapter 7 Infrastructure Controls and ITIL Service Management Best Practices. ITIL Service Management Best Practices. ITIL's Service Strategies Component. ITIL Service Design. ITIL Service Transition Management Processes. ITIL Service Operation Processes. Service Delivery Best Practices. Auditing IT Infrastructure Management. Notes. Chapter 8 Systems Software and IT Operations General Controls. IT Operating System Fundamentals. Features of a Computer Operating System. Other Systems Software Tools. Notes. Chapter 9 Evolving Control Issues: Wireless Networks, Cloud Computing, and Virtualization. Understanding and Auditing IT Wireless Networks. Understanding Cloud Computing. Storage Management Virtualization. Notes. Part Three Auditing and Testing IT Application Controls. Chapter 10 Selecting, Testing, and Auditing IT Applications. IT Application Control Elements. Selecting Applications for IT Audit Reviews. Performing an Applications Controls Reviews: Preliminary Steps. Completing the IT Applications Controls Audit. Application Review Case Study: Client-Server Budgeting System. Auditing Applications Under Development. Importance of Reviewing IT Applicatio Controls. Notes. Chapter 11 Software Engineering and CMMi. Software Engineering Concepts. CMMi: Capability Maturity Model for Integration. CMMi Benefits. IT Audit, Internal Control, and CMMi. Notes. Chapter 12 Auditing Service-Oriented Architectures and Record Management Processes. Service-Oriented Computing and Service-Driven Applications. IT Auditing in SOA Environments. Electronic Records Management Internal Control Issues and Risks. IT Audits of Electronic Records Management Processes. Notes. Chapter 13 Computer-Assisted Audit Tools and Techniques. Understanding Computer-Assisted Audit Tools and Techniques. Determining the Need for CAATTs. CAATT Software Tools. Steps to Building Effective CAATTs. Importance of CAATTs for Audit Evidence Gathering. Notes. Chapter 14 Continuous Assurance Auditing, OLAP and XBRL. Implementing Continuous Assurance Auditing. Benefits of Continuous Assurance Auditing Tools. Data Warehouses, Data Mining, and OLAP. XBRL: The Internet-Based Extensible Marking Language. Newer Technologies, the Continuous Close, and IT audit. Notes. Part Four Importance of IT Governance. Chapter 15 IT Controls and the Audit Committee. Role of the Audit Committee for IT Auditors. Audit Committee Approval of Internal Audit Plans and Budgets. Audit Committee Briefings on IT Audit Issues. Audit Committee Review and Action on Significant IT Audit Findings. IT Audit and the Audit Committee. Chapter 16 Val IT, Portfolio Management, and Project Management. Val IT: Enhancing the Value of IT Investments. IT Systems Portfolio and Program Management. Project Management for IT Auditors. Notes. Chapter 17 Compliance with IT-Related Laws and Regulations. Computer Fraud and Abuse Act. Computer Security Act of 1987. Gramm – Leach – Bliley Act. HIPAA: Healthcare and Much More. Other Personal Privacy and Security Legislative Requirements. IT-Related Laws, Regulations, and Audit Standards. Chapter 18 Understanding and Reviewing Compliance with ISO Standards. Background and Importance of ISO Standards in a Global Commerce World. ISO Standards Overview. ISO 19011 Quality Management Systems Auditing. ISO Standards and IT Auditors. Notes. Chapter 19 IT Security Environment CONTROLS. Generally Accepted Security Standards. Effective IT Perimeter Security. Establishing an Effective, Enterprise-Wide Security Strategy. Best Practices for It Audit and Security. Notes. Chapter 20 Cyber-Security and Privacy Controls. IT Network Security Fundamentals. IT Systems Privacy Concerns. PCI-DSS Fundamentals. Auditing IT Security and Privacy. Security and Privacy in the IT Audit Department. Notes. Chapter 21 IT Fraud Detection and Prevention. Understanding and Recognizing Fraud in an IT Environment. Red Flags: Fraud Detection Signs for IT and other Internal Auditors. Public Accounting's Role in Fraud Detection. IIA Standards and ISACA Materials for Detecting and Investigating Fraud. IT Audit Fraud Risk Assessments. IT Audit Fraud Investigations. IT Fraud Prevention Processes. Fraud Detection and the IT Auditor. Notes. Chapter 22 Identity and Access Management. Importance of Identity and Access Management. Identity Management Processes. Separation of Duties Identify Management Controls. Access Management Provisioning. Authentication and Authorization. Auditing Identity and Access Management Processes. Notes. Chapter 23 Establishing Effective IT Disaster Recovery Processes. IT Disaster and Business Continuity Planning Today. Building and Auditing an IT Disaster Recovery Plan. Building the IT Disaster Recovery Plan. Disaster Recovery Planning and Service Level Agreements. Newer Disaster Recovery Plan Technologies: Data Mirroring Techniques. Auditing Business Continuity Plans. Disaster Recovery and Business Continuity Planning Going Forward. Notes. Chapter 24 Electronic Archiving and Data Retention. Elements of a Successful Electronic Records Management Process. Electronic Documentation Standards. Implementing Electronic IT Data Archiving. Auditing Electronic Document Retention and Archival Processes. Notes. Chapter 25 Business Continuity Management and BS 25999. IT Business Continuity Management Planning Needs Today. BS 25999 Good Practice Guidelines. Auditing BCM Processes. Linking the BCM with Other Standards and Processes. Notes. Chapter 26 Auditing Telecommunications and IT Communications Networks. Network Security Concepts. Effective IT Network Security Controls. Auditing a VPN Installation. Notes. Chapter 27 Change and Patch Management Controls. IT Change Management Processes. Auditing IT Change and Patch Management Controls. Notes. Chapter 28 Six Sigma and Lean Technologies. Six Sigma Background and Concepts. Implementing Six Sigma. Lean Six Sigma. Notes. Chapter 29 Building an Effective IT Internal Audit Function. Establishing an IT Internal Audit Function. Internal Audit Charter: An Important IT Audit Authorization. Role of the Chief Audit Executive. IT Audit Specialists. IT Audit Managers and Supervisors. Internal and IT Audit Policies and Procedures. Organizing an Effective IT Audit Function. Importance of a Strong IT Audit Function. Notes. Chapter 30 Professional Certifications: CISA, CIA, and More. Certified Information Systems Auditor Credentials. Certified Information Security Manager Credentials. Certificate in the Governance of
Certified Internal Auditor Responsibilities and Requirements.
Beyond the CIA: Other IIA Certifications.
CISSP Information Systems Security Professional Certification.
Certified Fraud Examiner Certification..
ASQ Internal Audit Certifications.
Other Internal Auditor Certifications.
Chapter 31 Quality Assurance Auditing and ASQ Standards.
Duties and Responsibilities of Quality Auditors.
Role of the Quality Auditor.
Performing ASQ Quality Audits.
Quality Assurance Reviews of IT Audit Functions.
Future Directions for Quality Assurance Auditing.
About the Author.
Robert R. Moeller (Evanston, IL), CPA, CISA, PMP, CISSP, is the founder of Compliance and control Systems Associates, a consulting firm that specialized in internal audit and project management with a strong understanding of information systems, corporate governance and security. He has over 30 years of experience in internal auditing, ranging from launching new internal audit functions in several companies to serving as audit director for a Fortune 50 corporation. He held positions with Grant Thornton (National Director of Computer Auditing) and Sears Roebuck (Audit Director). A frequently published author and professional speaker, Moeller provides insights into many of the new rules impacting internal auditors today as well as the challenges audit committees face when dealing with Sarbanes-Oxley, internal controls, and their internal auditors. Moeller is the former president of the Institute of Internal Auditor's Chicago chapter and has served on the IIA's International Advanced Technology Committee. He is also the former chair of the AICPA's Computer Audit Subcommittee.