Information technology audit: High-impact Strategies - What You Need to Know: Definitions, Adoptions, Impact, Benefits, Maturity, Vendors
85 pages
English


Description

An information technology audit, or information systems audit, is an examination of the management controls within an Information technology (IT) infrastructure. The evaluation of obtained evidence determines if the information systems are safeguarding assets, maintaining data integrity, and operating effectively to achieve the organization's goals or objectives. These reviews may be performed in conjunction with a financial statement audit, internal audit, or other form of attestation engagement.


IT audits are also known as "automated data processing (ADP) audits" and "computer audits". They were formerly called "electronic data processing (EDP) audits".


This book is your ultimate resource for Information technology audit. Here you will find the most up-to-date information, analysis, background and everything you need to know.


In easy-to-read chapters, with extensive references and links to get you to know all there is to know about Information technology audit right away, covering: Information technology audit, ACL (software company), COBIT, Code audit, David Coderre, Computer Aided Audit Tools, Computer forensics, Computer fraud, Computer Fraud and Abuse Act, Continuous controls monitoring, Datacenter star audit, Enterprise risk management, History of information technology auditing, Host protected area, Information security audit, Information technology audit process, Erik Laykin, Mobile device forensics, National Information Infrastructure Protection Act, SekChek Classic, SekChek Local, Statement on Auditing Standards No. 99: Consideration of Fraud


This book explains in-depth the real drivers and workings of Information technology audit. It reduces the risk of your technology, time and resources investment decisions by enabling you to compare your understanding of Information technology audit with the objectivity of experienced professionals.

Subjects

Information

Published by
Publication date: 24 October 2012
Number of reads: 0
EAN13 9781743331385
Language: English
File size: 3 MB

Legal information: rental price per page €0.1598. This information is given for guidance only, in accordance with applicable legislation.

Extract

Topic relevant selected content from the highest rated entries, typeset, printed and shipped.
Combine the advantages of up-to-date and in-depth knowledge with the convenience of printed books.
A portion of the proceeds of each book will be donated to the Wikimedia Foundation to support their mission: to empower and engage people around the world to collect and develop educational content under a free license or in the public domain, and to disseminate it effectively and globally.
The content within this book was generated collaboratively by volunteers. Please be advised that nothing found here has necessarily been reviewed by people with the expertise required to provide you with complete, accurate or reliable information. Some information in this book may be misleading or simply wrong. The publisher does not guarantee the validity of the information found here. If you need specific advice (for example, medical, legal, financial, or risk management) please seek a professional who is licensed or knowledgeable in that area.
Sources, licenses and contributors of the articles and images are listed in the section entitled “References”. Parts of the books may be licensed under the GNU Free Documentation License. A copy of this license is included in the section entitled “GNU Free Documentation License”.
All used third-party trademarks belong to their respective owners.
Contents

Articles
  1  Information technology audit
  4  ACL (software company)
  6  COBIT
  8  Code audit
  9  David Coderre
  11  Computer Aided Audit Tools
  16  Computer forensics
  20  Computer fraud
  22  Computer Fraud and Abuse Act
  25  Continuous controls monitoring
  25  Datacenter star audit
  31  Enterprise risk management
  38  History of information technology auditing
  41  Host protected area
  44  Information security audit
  50  Information technology audit process
  58  Erik Laykin
  60  Mobile device forensics
  67  National Information Infrastructure Protection Act
  71  SekChek Classic
  74  SekChek Local
  77  Statement on Auditing Standards No. 99: Consideration of Fraud

References
  80  Article Sources and Contributors
  82  Image Sources, Licenses and Contributors

Article Licenses
  83  License

Information technology audit
An information technology audit, or information systems audit, is an examination of the management controls within an Information technology (IT) infrastructure. The evaluation of obtained evidence determines if the information systems are safeguarding assets, maintaining data integrity, and operating effectively to achieve the organization's goals or objectives. These reviews may be performed in conjunction with a financial statement audit, internal audit, or other form of attestation engagement. IT audits are also known as "automated data processing (ADP) audits" and "computer audits". They were formerly called "electronic data processing (EDP) audits".

Purpose
An IT audit is different from a financial statement audit. While a financial audit's purpose is to evaluate whether an organization is adhering to standard accounting practices, the purposes of an IT audit are to evaluate the system's internal control design and effectiveness. This includes, but is not limited to, efficiency and security protocols, development processes, and IT governance or oversight.
Types of IT audits
Various authorities have created differing taxonomies to distinguish the various types of IT audits. Goodman & Lawless [1] state that there are three specific systematic approaches to carry out an IT audit:
• Technological innovation process audit. This audit constructs a risk profile for existing and new projects. The audit will assess the length and depth of the company's experience in its chosen technologies, as well as its presence in relevant markets, the organization of each project, and the structure of the portion of the industry that deals with this project or product, organization and industry structure.
• Innovative comparison audit. This audit is an analysis of the innovative abilities of the company being audited, in comparison to its competitors. This requires examination of the company's research and development facilities, as well as its track record in actually producing new products.
• Technological position audit. This audit reviews the technologies that the business currently has and that it needs to add. Technologies are characterized as being either "base", "key", "pacing" or "emerging".
Others describe the spectrum of IT audits with five categories of audits:
• Systems and Applications: An audit to verify that systems and applications are appropriate, are efficient, and are adequately controlled to ensure valid, reliable, timely, and secure input, processing, and output at all levels of a system's activity.
• Information Processing Facilities: An audit to verify that the processing facility is controlled to ensure timely, accurate, and efficient processing of applications under normal and potentially disruptive conditions.
• Systems Development: An audit to verify that the systems under development meet the objectives of the organization, and to ensure that the systems are developed in accordance with generally accepted standards for systems development.
• Management of IT and Enterprise Architecture: An audit to verify that IT management has developed an organizational structure and procedures to ensure a controlled and efficient environment for information processing.
• Client/Server, Telecommunications, Intranets, and Extranets: An audit to verify that telecommunications controls are in place on the client (computer receiving services), server, and on the network connecting the clients and servers.
And some lump all IT audits as being one of only two types: "general control review" audits or "application control review" audits.
A number of IT Audit professionals from the Information Assurance realm consider there to be three fundamental types of controls regardless of the type of audit to be performed, especially in the IT realm. Many frameworks and standards try to break controls into different disciplines or arenas, terming them Security Controls, Access Controls, IA Controls in an effort to define the types of controls involved. At a more fundamental level, these controls can be shown to consist of three types of fundamental controls: Protective/Preventative Controls, Detective Controls and Reactive/Corrective Controls.

IT Audit Process
The following are basic steps in performing the Information Technology Audit Process [2]:
1. Planning
2. Studying and Evaluating Controls
3. Testing and Evaluating Controls
4. Reporting
5. Follow-up

Security
Auditing information security is a vital part of any IT audit and is often understood to be the primary purpose of an IT Audit. The broad scope of auditing information security includes such topics as data centers (the physical security of data centers and the logical security of databases, servers and network infrastructure components) [3], networks and application security. Like most technical realms, these topics are always evolving; IT auditors must constantly continue to expand their knowledge and understanding of the systems and environment. Several training and certification organizations have evolved. Currently, the major certifying bodies in the field are the Institute of Internal Auditors (IIA) [4], the SANS Institute (specifically, the audit-specific branch of SANS and GIAC) [5] and ISACA [6]. While CPAs and other traditional auditors can be engaged for IT Audits, organizations are well advised to require that individuals with some type of IT-specific audit certification are employed when validating the controls surrounding IT systems.

History of IT Auditing
The concept of IT auditing was formed in the mid-1960s. Since that time, IT auditing has gone through numerous changes, largely due to advances in technology and the incorporation of technology into business.
Audit Personnel
Qualifications
The CISM and CAP credentials are the two newest security auditing credentials, offered by ISACA and ISC2, respectively. Strictly speaking, only the CISA or GSNA title would sufficiently demonstrate competences regarding both information technology and audit aspects, with the CISA being more audit focused and the GSNA being more information technology focused [7]. Outside of the US, various credentials exist. For example, the Netherlands has the RE credential (as granted by the NOREA [8] [Dutch site] IT-auditors' association), which among others requires a post-graduate IT-audit education from an accredited university, subscription to a Code of Ethics, and adherence to strict continuous education requirements.

Professional certifications
• Certified Information System Auditor (CISA)
• Certified Internal Auditor (CIA)
• Certification and Accreditation Professional (CAP)
• Certified Computer Professional (CCP)
• Certified Information Privacy Professional (CIPP)
• Certified Information Systems Security Professional (CISSP)
• Certified Information Security Manager (CISM)
• Certified Public Accountant (CPA)
• Chartered Accountant (CA)
• Chartered Certified Accountant (CCA)
• GIAC Certified System & Network Auditor (GSNA) [9]
• Certified Information Technology Professional (CITP); to certify, auditors should have 3 years' experience.
Emerging Issues
There are also new audits being imposed by various standards boards which are required to be performed, depending upon the audited organization, which will affect IT and ensure that IT departments are performing certain functions and controls appropriately to be considered compliant. An example of such an audit is the newly minted SSAE 16 [10].

References
[1] Richard A. Goodman; Richard Arthur Goodman; Michael W. Lawless (1994). Technology and strategy: conceptual models and diagnostics (http://books.google.com/books?id=GIRdX9hIL1EC). Oxford University Press US. ISBN 9780195079494. Retrieved May 9, 2010.
[2] http://www.theiia.org/bookstore/product/it-auditing-an-adaptive-process-1263.cfm
[3] "Advanced System, Network and Perimeter Auditing" (http://www.sans.org/security-training/auditing-networks-perimeters-and-systems-6-mid).
[4] "Institute of Internal Auditors" (http://www.theiia.org).
[5] "The SANS Technology Institute" (http://www.sans.org).
[6] "ISACA" (http://www.isaca.org).
[7] Hoelzer, David (1999-2009). Audit Principles, Risk Assessment & Effective Reporting. SANS Press. p. 32.
[8] http://www.norea.nl
[9] "GIAC GSNA Information" (http://www.giac.org/certifications/audit/gsna.php).
[10] http://www.ssae-16.com

External links
• A career as Information Systems Auditor (http://www.networkmagazineindia.com/200312/securedview01.shtml), by Avinash Kadam (Network Magazine)
• Federal Financial Institutions Examination Council (http://www.ffiec.gov/ffiecinfobase/booklets/audit/audit.pdf) (FFIEC)
• Information Systems Audit & Control Association (http://www.isaca.org/) (ISACA)
• Open Security Architecture - Controls and patterns to secure IT systems (http://www.opensecurityarchitecture.org)
• American Institute of Certified Public Accountants (http://www.aicpa.org/) (AICPA)
• IT Services Library (http://www.itil-officialsite.com/home/home.asp) (ITIL)
ACL (software company)

ACL Services Ltd.
Type: Private
Industry: Computer software, Consulting, CAATTS, Continuous auditing, Continuous monitoring
Founded: 1987
Headquarters: Vancouver, British Columbia, Canada
Key people: Harald Will, President and CEO
Products: ACL AuditExchange, AX Exception, AX Link, AX Datasource, ACL Desktop, Continuous Controls Monitoring
Website: www.acl.com [1]

ACL Services Ltd. is a company providing audit analytics and continuous monitoring software [2]. It is "the most widely used data extraction and analysis product" and "the most widely used product for fraud detection and prevention" used in the audit profession [3].
Products
ACL, formerly known as Audit Command Language, is a data extraction and analysis software used for fraud detection and prevention. By sampling large data sets, ACL is used to find irregularities or patterns in transactions that could indicate control weaknesses or fraud.

ACL Certified Data Analyst (ACDA)
ACL offers a certification as an ACL Certified Data Analyst. This certification indicates that the user has met a certain level of skill expertise with ACL and data analytical concepts.

External links
• ACL Home Page [4]
• Institute of Internal Auditors Survey (pdf) [5]
• 2009 IT Audit Benchmarking Study (The Institute of Internal Auditors) [6]
• An Ebook on ACL [7]

ACL User Group
• Texas User Group [8]
• Virginia User Group [9]

References
[1] http://www.ACL.com/
[2] http://www.acl.com/company/
[3] http://www.theiia.org/intAuditor/free-feature/2009/august/software-trend-spotting/
[4] http://www.acl.com/
[5] http://www.acl.com/pdfs/IIA_Survey_Summary.pdf
[6] http://www.theiia.org/download.cfm?file=4974
[7] http://www.scribd.com/ChandraLearns-To-ACL/d/23847207/
[8] http://www.texasacl.com/
[9] http://www.vaacl.com/

• 2009 IT Audit Benchmarking Study (The Institute of Internal Auditors) (http://www.theiia.org/download.cfm?file=4974)
• Continuous Controls Monitoring: A Case Study with Talecris (Rutgers University Business School) (http://www.acl.com/pdfs/Audit_Research_Rutgers_Talecris.pdf)
• U.S. Military Looks to Better Control Costs with Business Analytics, Better BI (Smarter Technology) (http://www.smartertechnology.com/c/a/Smarter-Strategies/US-Military-Looks-to-Better-Control-Costs-with-Business-Analytics-Better-BI/)
• Your Internal Audit's Vital Signs (Business Finance Magazine) (http://businessfinancemag.com/article/your-internal-audits-vital-signs-1116)
• Doing the Internal Audit-Management Dance (CFO.com) (http://www.cfo.com/article.cfm/14453909/1/c_14453926?f=home_todayinfinance)
• Monitoring the Monitors (Treasury & Risk Magazine) (http://www.treasuryandrisk.com/Issues/2009/November-2009/Pages/Monitoring-the-Monitors.aspx)
• Internal Audit: The Continuous Conundrum (CFO Magazine) (http://www.cfo.com/article.cfm/14440838/c_14440953?f=hometodayinfinance)
• Software Trend Spotting (Internal Auditor) (http://www.theiia.org/intAuditor/free-feature/2009/august/software-trend-spotting/)
• The 24/7 Audit (CFO Magazine) (http://www.cfo.com/article.cfm/13983436/c_14020916)
• Monitoring Matters (Business Finance Magazine) (http://businessfinancemag.com/article/monitoring-matters-0714?page=0,0)
• ACL wins best application of technology at BCTIA's annual Technology Impact Awards (TechVibes) (http://www.techvibes.com/blog/sierra-wireless-picks-up-top-awards-at-tias)
• ACL Products and Services List (http://osoolarabia.com/acl-products-solutions-support-services-and-training-in-oman-from-osool-arabia/)
COBIT

COBIT is a framework created by ISACA for information technology (IT) management and IT Governance. It is a supporting toolset that allows managers to bridge the gap between control requirements, technical issues and business risks.

Overview
COBIT was first released in 1996; the current version, COBIT 4.1, was published in 2007 and is currently being updated (COBIT 5) [1]. Its mission is "to research, develop, publicize and promote an authoritative, up-to-date, international set of generally accepted information technology control objectives for day-to-day use by business managers, IT professionals and assurance professionals" [2]. COBIT defines 34 generic processes to manage IT. Each process is defined together with process inputs and outputs, key process activities, process objectives, performance measures and an elementary maturity model. The framework supports governance of IT by defining and aligning business goals with IT goals and IT processes.

COBIT Framework
The framework provides good practices across a domain and process framework. The business orientation of COBIT consists of linking business goals to IT goals, providing metrics and maturity models to measure their achievement, and identifying the associated responsibilities of business and IT process owners. The process focus of COBIT is illustrated by a process model that subdivides IT into four domains (Plan and Organize, Acquire and Implement, Deliver and Support, and Monitor and Evaluate) and 34 processes in line with the responsibility areas of plan, build, run and monitor. COBIT is focused on what is required to achieve adequate management and control of IT, and is positioned at a high level. It has been aligned and harmonized with other, more detailed, IT standards and good practices such as COSO, ITIL, ISO 27000, CMMI, TOGAF and PMBOK. COBIT acts as an integrator of these different guidance materials, summarizing key objectives under one umbrella framework that links the good practice models with governance and business requirements.

Releases
COBIT has had four major releases:
• In 1996, the first edition of COBIT was released.
• In 1998, the second edition added "Management Guidelines".
• In 2000, the third edition was released.
• In 2003, an on-line version became available.
• In December 2005, the fourth edition was initially released.
• In May 2007, the current 4.1 revision was released.