IT Audit, Control, and Security

When it comes to computer security, the role of auditors today has never been more crucial. Auditors must ensure that all computers, in particular those dealing with e-business, are secure. The only source for information on the combined areas of computer audit, control, and security, the IT Audit, Control, and Security describes the types of internal controls, security, and integrity procedures that management must build into its automated systems. This very timely book provides auditors with the guidance they need to ensure that their systems are secure from both internal and external threats.

Table of Contents:
Introduction xiii PART ONE: AUDITING INTERNAL CONTROLS IN AN IT ENVIRONMENT 1 Chapter 1: SOx and the COSO Internal Controls Framework 3 Roles and Responsibilities of IT Auditors 4 Importance of Effective Internal Controls and COSO 6 COSO Internal Control Systems Monitoring Guidance 21 Sarbanes-Oxley Act 22 Wrapping It Up: COSO Internal Controls and SOx 31 Notes 31 Chapter 2: Using CobiT to Perform IT Audits 32 Introduction to CobiT 33 CobiT Framework 35 Using CobiT to Assess Internal Controls 39 Using CobiT in a SOx Environment 51 CobiT Assurance Framework Guidance 54 CobiT in Perspective 55 Notes 55 Chapter 3: IIA and ISACA Standards for the Professional Practice of Internal Auditing 57 Internal Auditing’s International Professional Practice Standards 58 Content of the IPPF and the IIA International Standards 61 Strongly Recommended IIA Standards Guidance 75 ISACA IT Auditing Standards Overview 76 Codes of Ethics: The IIA and ISACA 79 Notes 81 Chapter 4: Understanding Risk Management Through COSO ERM 82 Risk Management Fundamentals 83 Quantitative Risk Analysis Techniques 92 IIA and ISACA Risk Management Internal Audit Guidance 94 COSO ERM: Enterprise Risk Management 97 IT Audit Risk and COSO ERM 113 Notes 115 Chapter 5: Performing Effective IT Audits 117 IT Audit and the Enterprise Internal Audit Function 118 Organizing and Planning IT Audits 122 Developing and Preparing Audit Programs 127 Gathering Audit Evidence and Testing Results 132 Workpapers and Reporting IT Audit Results 142 Preparing Effective IT Audits 148 Notes 149 PART TWO: AUDITING IT GENERAL CONTROLS 151 Chapter 6: General Controls in Today’s IT Environments 153 Importance of IT General Controls 154 IT Governance General Controls 157 IT Management General Controls 158 IT Technical Environment General Controls 174 Note 174 Chapter 7: Infrastructure Controls and ITIL Service Management Best Practices 175 ITIL Service Management Best Practices 176 ITIL’s Service Strategies Component 179 ITIL Service Design 181 ITIL Service Transition Management Processes 189 ITIL Service Operation Processes 194 Service Delivery Best Practices 198 Auditing IT Infrastructure Management 199 Note 200 Chapter 8: Systems Software and IT Operations General Controls 201 IT Operating System Fundamentals 202 Features of a Computer Operating System 206 Other Systems Software Tools 209 Chapter 9: Evolving Control Issues: Wireless Networks, Cloud Computing, and Virtualization 214 Understanding and Auditing IT Wireless Networks 215 Understanding Cloud Computing 220 Storage Management Virtualization 225 PART THREE: AUDITING AND TESTING IT APPLICATION CONTROLS 227 Chapter 10: Selecting, Testing, and Auditing IT Applications 229 IT Application Control Elements 230 Selecting Applications for IT Audit Reviews 239 Performing an Applications Controls Review: Preliminary Steps 242 Completing the IT Applications Controls Audit 249 Application Review Case Study: Client-Server Budgeting System 255 Auditing Applications under Development 258 Importance of Reviewing IT Application Controls 266 Notes 266 Chapter 11: Software Engineering and CMMi 267 Software Engineering Concepts 267 CMMi: Capability Maturity Model for Integration 269 CMMi Benefits 280 IT Audit, Internal Control, and CMMi 281 Note 282 Chapter 12: Auditing Service-Oriented Architectures and Record Management Processes 283 Service-Oriented Computing and Service-Driven Applications 284 IT Auditing in SOA Environments 294 Electronic Records Management Internal Control Issues and Risks 300 IT Audits of Electronic Records Management Processes 301 Notes 303 Chapter 13: Computer-Assisted Audit Tools and Techniques 304 Understanding Computer-Assisted Audit Tools and Techniques 305 Determining the Need for CAATTs 308 CAATT Software Tools 311 Steps to Building Effective CAATTs 326 Importance of CAATTs for Audit Evidence Gathering 327 Chapter 14: Continuous Assurance Auditing, OLAP, and XBRL 329 Implementing Continuous Assurance Auditing 330 Benefits of Continuous Assurance Auditing Tools 338 Data Warehouses, Data Mining, and OLAP 339 XBRL: The Internet-Based Extensible Markup Language 346 Newer Technologies, the Continuous Close, and IT Audit 351 Notes 351 PART FOUR: IMPORTANCE OF IT GOVERNANCE 353 Chapter 15: IT Controls and the Audit Committee 355 Role of the Audit Committee for IT Auditors 356 Audit Committee Approval of Internal Audit Plans and Budgets 357 Audit Committee Briefings on IT Audit Issues 359 Audit Committee Review and Action on Significant IT Audit Findings 360 IT Audit and the Audit Committee 362 Chapter 16: Val IT, Portfolio Management, and Project Management 363 Val IT: Enhancing the Value of IT Investments 364 IT Systems Portfolio and Program Management 371 Project Management for IT Auditors 374 Notes 383 Chapter 17: Compliance with IT-Related Laws and Regulations 384 Computer Fraud and Abuse Act 386 Computer Security Act of 1987 387 Gramm-Leach-Bliley Act 390 HIPAA: Healthcare and Much More 395 Other Personal Privacy and Security Legislative Requirements 403 IT-Related Laws, Regulations, and Audit Standards 404 Chapter 18: Understanding and Reviewing Compliance with ISO Standards 407 Background and Importance of ISO Standards in a World of Global Commerce 408 ISO Standards Overview 410 ISO 19011 Quality Management Systems Auditing 419 ISO Standards and IT Auditors 421 Notes 421 Chapter 19: Controls to Establish an Effective IT Security Environment 422 Generally Accepted Security Standards 423 Effective IT Perimeter Security 429 Establishing an Effective, Enterprise-Wide Security Strategy 430 Best Practices for IT Audit and Security 432 Notes 433 Chapter 20: Cybersecurity and Privacy Controls 434 IT Network Security Fundamentals 435 IT Systems Privacy Concerns 443 PCI-DSS Fundamentals 446 Auditing IT Security and Privacy 447 Security and Privacy in the Internal Audit Department 448 Notes 453 Chapter 21: IT Fraud Detection and Prevention 454 Understanding and Recognizing Fraud in an IT Environment 455 Red Flags: Fraud Detection Signs for IT and Other Internal Auditors 456 Public Accounting’s Role in Fraud Detection 461 IIA Standards and ISACA Materials for Detecting and Investigating Fraud 462 IT Audit Fraud Risk Assessments 464 IT Audit Fraud Investigations 467 IT Fraud Prevention Processes 468 Fraud Detection and the IT Auditor 471 Notes 471 Chapter 22: Identity and Access Management 472 Importance of Identity and Access Management 473 Identity Management Processes 474 Separation of Duties Identify Management Controls 477 Access Management Provisioning 478 Authentication and Authorization 479 Auditing Identity and Access Management Processes 481 Note 485 Chapter 23: Establishing Effective IT Disaster Recovery Processes 486 IT Disaster and Business Continuity Planning Today 487 Building and Auditing an IT Disaster Recovery Plan 489 Building the IT Disaster Recovery Plan 497 Disaster Recovery Planning and Service Level Agreements 503 Newer Disaster Recovery Plan Technologies: Data Mirroring Techniques 505 Auditing Business Continuity Plans 506 Disaster Recovery and Business Continuity Planning Going Forward 508 Notes 508 Chapter 24: Electronic Archiving and Data Retention 509 Elements of a Successful Electronic Records Management Process 510 Electronic Documentation Standards 516 Implementing Electronic IT Data Archiving 517 Auditing Electronic Document Retention and Archival Processes 519 Chapter 25: Business Continuity Management, BS 25999, and ISO 27001 521 IT Business Continuity Management Planning Needs Today 522 BS 25999 Good Practice Guidelines 524 Auditing BCM Processes 540 Linking the BCM with Other Standards and Processes 543 Notes 543 Chapter 26: Auditing Telecommunications and IT Communications Networks 544 Network Security Concepts 545 Effective IT Network Security Controls 549 Auditing a VPN Installation 555 Note 557 Chapter 27: Change and Patch Management Controls 558 IT Change Management Processes 559 Auditing IT Change and Patch Management Controls 573 Notes 576 Chapter 28: Six Sigma and Lean Technologies 577 Six Sigma Background and Concepts 578 Implementing Six Sigma 580 Lean Six Sigma 587 Notes 590 Chapter 29: Building an Effective IT Internal Audit Function 591 Establishing an IT Internal Audit Function 592 Internal Audit Charter: An Important IT Audit Authorization 593 Role of the Chief Audit Executive 595 IT Audit Specialists 596 IT Audit Managers and Supervisors 598 Internal and IT Audit Policies and Procedures 599 Organizing an Effective IT Audit Function 601 Importance of a Strong IT Audit Function 604 Note 605 Chapter 30: Professional Certifications: CISA, CIA, and More 606 Certified Information Systems Auditor Credentials 607 Certified Information Security Manager Credentials 609 Certificate in the Governance of Enterprise IT 611 Certified Internal Auditor Responsibilities and Requirements 612 Beyond the CIA: Other IIA Certifications 623 CISSP Information Systems Security Professional Certification 628 Certified Fraud Examiner Certification 628 ASQ Internal Audit Certifications 629 Other Internal Auditor Certifications 630 Note 631 Chapter 31: Quality Assurance Auditing and ASQ Standards 632 Duties and Responsibilities of Quality Auditors 633 Role of the Quality Auditor 635 Performing ASQ Quality Audits 638 Quality Assurance Reviews of IT Audit Functions 641 Future Directions for Quality Assurance Auditing 647 Notes 648 Index 649