Information technology audits: High-impact Strategies - What You Need to Know: Definitions, Adoptions, Impact, Benefits, Maturity, Vendors
91 pages
English

Description

The Knowledge Solution. Stop Searching, Stand Out and Pay Off. The #1 ALL ENCOMPASSING Guide to Information technology audits.


An Important Message for ANYONE who wants to learn about Information technology audits Quickly and Easily...


"Here's Your Chance To Skip The Struggle and Master Information technology audits, With the Least Amount of Effort, In 2 Days Or Less..."


An information technology audit, or information systems audit, is an examination of the management controls within an Information technology (IT) infrastructure. The evaluation of obtained evidence determines if the information systems are safeguarding assets, maintaining data integrity, and operating effectively to achieve the organization's goals or objectives. These reviews may be performed in conjunction with a financial statement audit, internal audit, or other form of attestation engagement.


Get the edge, learn EVERYTHING you need to know about Information technology audits, and ace any discussion, proposal and implementation with the ultimate book - guaranteed to give you the education that you need, faster than you ever dreamed possible!


The information in this book can show you how to be an expert in the field of Information technology audits.


Are you looking to learn more about Information technology audits? You're about to discover the most spectacular gold mine of Information technology audits materials ever created; this book is a unique collection to help you become a master of Information technology audits.


This book is your ultimate resource for Information technology audits. Here you will find the most up-to-date information, analysis, background and everything you need to know.


Easy-to-read chapters, with extensive references and links, get you to know all there is to know about Information technology audits right away. A quick look inside: Information technology audit, Information technology audit process, ACL (software company), Certified Information Systems Auditor, COBIT, Code audit, David Coderre, Computer forensics, Computer fraud, Computer Fraud and Abuse Act, Computer-aided audit tools, Continuous controls monitoring, Datacenter star audit, Enterprise risk management, History of information technology auditing, Host protected area, Information security audit, Erik Laykin, Mobile device forensics, National Information Infrastructure Protection Act, SekChek Classic, SekChek Local, Statement on Auditing Standards No. 99: Consideration of Fraud ...and Much, Much More!


This book explains in-depth the real drivers and workings of Information technology audits. It reduces the risk of your technology, time and resources investment decisions by enabling you to compare your understanding of Information technology audits with the objectivity of experienced professionals - Grab your copy now, while you still can.

Information

Published by
Publication date: 24 October 2012
Number of reads: 2
EAN13: 9781743380093
Language: English
File size: 3 MB

Legal information: rental price per page €0.1598. This information is provided for indicative purposes only, in accordance with applicable legislation.

Excerpt

Topic relevant selected content from the highest rated entries, typeset, printed and shipped.
Combine the advantages of up-to-date and in-depth knowledge with the convenience of printed books.
A portion of the proceeds of each book will be donated to the Wikimedia Foundation to support their mission: to empower and engage people around the world to collect and develop educational content under a free license or in the public domain, and to disseminate it effectively and globally.
The content within this book was generated collaboratively by volunteers. Please be advised that nothing found here has necessarily been reviewed by people with the expertise required to provide you with complete, accurate or reliable information. Some information in this book may be misleading or simply wrong. The publisher does not guarantee the validity of the information found here. If you need specific advice (for example, medical, legal, financial, or risk management) please seek a professional who is licensed or knowledgeable in that area.
Sources, licenses and contributors of the articles and images are listed in the section entitled “References”. Parts of the books may be licensed under the GNU Free Documentation License. A copy of this license is included in the section entitled “GNU Free Documentation License”.
All used third-party trademarks belong to their respective owners.
Contents

Articles
Information technology audit 1
Information technology audit process 4
ACL (software company) 12
Certified Information Systems Auditor 14
COBIT 20
Code audit 22
David Coderre 24
Computer forensics 25
Computer fraud 29
Computer Fraud and Abuse Act 31
Computer-aided audit tools 35
Continuous controls monitoring 39
Datacenter star audit 40
Enterprise risk management 46
History of information technology auditing 53
Host protected area 55
Information security audit 58
Erik Laykin 64
Mobile device forensics 66
National Information Infrastructure Protection Act 73
SekChek Classic 77
SekChek Local 80
Statement on Auditing Standards No. 99: Consideration of Fraud 83

References
Article Sources and Contributors 86
Image Sources, Licenses and Contributors 88

Article Licenses
License 89
Information technology audit
An information technology audit, or information systems audit, is an examination of the management controls within an Information technology (IT) infrastructure. The evaluation of obtained evidence determines if the information systems are safeguarding assets, maintaining data integrity, and operating effectively to achieve the organization's goals or objectives. These reviews may be performed in conjunction with a financial statement audit, internal audit, or other form of attestation engagement. IT audits are also known as "automated data processing (ADP) audits" and "computer audits". They were formerly called "electronic data processing (EDP) audits".
Purpose
An IT audit is different from a financial statement audit. While a financial audit's purpose is to evaluate whether an organization is adhering to standard accounting practices, the purposes of an IT audit are to evaluate the system's internal control design and effectiveness. This includes, but is not limited to, efficiency and security protocols, development processes, and IT governance or oversight.
Types of IT audits
Various authorities have created differing taxonomies to distinguish the various types of IT audits. Goodman & Lawless[1] state that there are three specific systematic approaches to carry out an IT audit:
• Technological innovation process audit. This audit constructs a risk profile for existing and new projects. The audit will assess the length and depth of the company's experience in its chosen technologies, as well as its presence in relevant markets, the organization of each project, and the structure of the portion of the industry that deals with this project or product.
• Innovative comparison audit. This audit is an analysis of the innovative abilities of the company being audited, in comparison to its competitors. This requires examination of the company's research and development facilities, as well as its track record in actually producing new products.
• Technological position audit. This audit reviews the technologies that the business currently has and that it needs to add. Technologies are characterized as being either "base", "key", "pacing" or "emerging".
Others describe the spectrum of IT audits with five categories of audits:
• Systems and Applications: An audit to verify that systems and applications are appropriate, are efficient, and are adequately controlled to ensure valid, reliable, timely, and secure input, processing, and output at all levels of a system's activity.
• Information Processing Facilities: An audit to verify that the processing facility is controlled to ensure timely, accurate, and efficient processing of applications under normal and potentially disruptive conditions.
• Systems Development: An audit to verify that the systems under development meet the objectives of the organization, and to ensure that the systems are developed in accordance with generally accepted standards for systems development.
• Management of IT and Enterprise Architecture: An audit to verify that IT management has developed an organizational structure and procedures to ensure a controlled and efficient environment for information processing.
• Client/Server, Telecommunications, Intranets, and Extranets: An audit to verify that telecommunications controls are in place on the client (the computer receiving services), the server, and the network connecting the clients and servers.
And some lump all IT audits as being one of only two types: "general control review" audits or "application control review" audits.
A number of IT audit professionals from the Information Assurance realm consider there to be three fundamental types of controls regardless of the type of audit to be performed, especially in the IT realm. Many frameworks and standards try to break controls into different disciplines or arenas, terming them Security Controls, Access Controls, or IA Controls in an effort to define the types of controls involved. At a more fundamental level, these controls can be shown to consist of three types: Protective/Preventative Controls, Detective Controls and Reactive/Corrective Controls.
IT Audit Process
The following are basic steps in performing the Information Technology Audit Process:[2]
1. Planning
2. Studying and Evaluating Controls
3. Testing and Evaluating Controls
4. Reporting
5. Follow-up
Security
Auditing information security is a vital part of any IT audit and is often understood to be the primary purpose of an IT audit. The broad scope of auditing information security includes such topics as data centers (the physical security of data centers and the logical security of databases, servers and network infrastructure components), networks and application security.[3] Like most technical realms, these topics are always evolving; IT auditors must constantly continue to expand their knowledge and understanding of the systems and environment. Several training and certification organizations have evolved. Currently, the major certifying bodies in the field are the Institute of Internal Auditors (IIA),[4] the SANS Institute[5] (specifically, the audit-specific branch of SANS and GIAC) and ISACA.[6] While CPAs and other traditional auditors can be engaged for IT audits, organizations are well advised to require that individuals with some type of IT-specific audit certification are employed when validating the controls surrounding IT systems.
History of IT Auditing
The concept of IT auditing was formed in the mid-1960s. Since that time, IT auditing has gone through numerous changes, largely due to advances in technology and the incorporation of technology into business.
Audit Personnel
Qualifications
The CISM and CAP credentials are the two newest security auditing credentials, offered by ISACA and ISC2, respectively. Strictly speaking, only the CISA or GSNA title would sufficiently demonstrate competences regarding both information technology and audit aspects, with the CISA being more audit focused and the GSNA being more information technology focused.[7] Outside of the US, various credentials exist. For example, the Netherlands has the RE credential (as granted by the NOREA[8] IT-auditors' association), which among others requires a post-graduate IT-audit education from an accredited university, subscription to a Code of Ethics, and adherence to strict continuous education requirements.
Professional certifications
• Certified Information System Auditor (CISA)
• Certified in Risk and Information Systems Control (CRISC)
• Certified Internal Auditor (CIA)
• Certification and Accreditation Professional (CAP)
• Certified Computer Professional (CCP)
• Certified Information Privacy Professional (CIPP)
• Certified Information Systems Security Professional (CISSP)
• Certified Information Security Manager (CISM)
• Certified Public Accountant (CPA)
• Certified Internal Controls Auditor (CICA)
• Forensics Certified Public Accountant (FCPA)
• Certified Fraud Examiner (CFE)
• Chartered Accountant (CA)
• Chartered Certified Accountant (CCA)
• GIAC Certified System & Network Auditor (GSNA)[9]
• Certified Information Technology Professional (CITP); to certify, auditors should have 3 years' experience.
Emerging Issues
There are also new audits being imposed by various standards boards which are required to be performed, depending upon the audited organization, which will affect IT and ensure that IT departments are performing certain functions and controls appropriately to be considered compliant. An example of such an audit is the newly minted SSAE 16.[10]
References
[1] Richard A. Goodman; Richard Arthur Goodman; Michael W. Lawless (1994). Technology and strategy: conceptual models and diagnostics (http://books.google.com/books?id=GIRdX9hIL1EC). Oxford University Press US. ISBN 9780195079494. Retrieved May 9, 2010.
[2] http://www.theiia.org/bookstore/product/it-auditing-an-adaptive-process-1263.cfm
[3] "Advanced System, Network and Perimeter Auditing" (http://www.sans.org/security-training/auditing-networks-perimeters-and-systems-6-mid).
[4] "Institute of Internal Auditors" (http://www.theiia.org).
[5] "The SANS Technology Institute" (http://www.sans.org).
[6] "ISACA" (http://www.isaca.org).
[7] Hoelzer, David (1999-2009). Audit Principles, Risk Assessment & Effective Reporting. SANS Press. p. 23.
[8] http://www.norea.nl
[9] "GIAC GSNA Information" (http://www.giac.org/certifications/audit/gsna.php).
[10] http://www.ssae-16.com
External links
• A career as Information Systems Auditor (http://www.networkmagazineindia.com/200312/securedview01.shtml), by Avinash Kadam (Network Magazine)
• IT Audit Careers guide (http://www.isrisk.net/information-technology-it-audit-computer-audit-careers-guide/)
• Federal Financial Institutions Examination Council (http://www.ffiec.gov/ffiecinfobase/booklets/audit/audit.pdf) (FFIEC)
• Information Systems Audit & Control Association (http://www.isaca.org/) (ISACA)
• Open Security Architecture - Controls and patterns to secure IT systems (http://www.opensecurityarchitecture.org)
• American Institute of Certified Public Accountants (http://www.aicpa.org/) (AICPA)
• IT Services Library (http://www.itil-officialsite.com/home/home.asp) (ITIL)
Information technology audit process
Generally Accepted Auditing Standards (GAAS)
In 1947, the American Institute of Certified Public Accountants (AICPA) adopted GAAS to establish standards for audits. The standards cover the following three categories:
• General Standards relate to professional and technical competence, independence, and professional due care.
• Field Work Standards relate to the planning of an audit, evaluation of internal control, and obtaining sufficient evidential matter upon which an opinion is based.
• Reporting Standards relate to compliance with all auditing standards and adequacy of disclosure of opinion in the audit reports. If an opinion cannot be reached, the auditor is required to explicitly state their assertions.
Information Technology Audit Process Overview
The auditor must plan and conduct the audit to ensure their audit risk (the risk of reaching an incorrect conclusion based on the audit findings) will be limited to an acceptable level. To eliminate the possibility of assessing audit risk too low, the auditor should perform the following steps:
1. Obtain an Understanding of the Organization and its Environment: The understanding of the organization and its environment is used to assess the risk of material misstatement/weakness and to set the scope of the audit. The auditor's understanding should include information on the nature of the entity, management, governance, objectives and strategies, and business processes.
2. Identify Risks that May Result in Material Misstatements: The auditor must evaluate an organization's business risks (threats to the organization's ability to achieve its objectives). An organization's business risks can arise or change due to new personnel, new or restructured information systems, corporate restructuring, and rapid growth, to name a few.
3. Evaluate the Organization's Response to those Risks: Once the auditor has evaluated the organization's response to the assessed risks, the auditor should then obtain evidence of management's actions toward those risks. The organization's response (or lack thereof) to any business risks will impact the auditor's assessed level of audit risk.
4. Assess the Risk of Material Misstatement: Based on the knowledge obtained in evaluating the organization's responses to business risks, the auditor then assesses the risk of material misstatements and determines specific audit procedures that are necessary based on that risk assessment.
5. Evaluate Results and Issue Audit Report: At this level, the auditor should determine if the assessments of risks were appropriate and whether sufficient evidence was obtained. The auditor will issue either an unqualified or qualified audit report based on their findings.
Phases of an IT Audit
The audit process can be broken down into the following audit phases:
Establish the Terms of the Engagement
This will allow the auditor to set the scope and objectives of the relationship between the auditor and the organization. The engagement letter should address the responsibility (scope, independence, deliverables), authority (right of access to information), and accountability (auditee's rights, agreed completion date) of the auditor.
Preliminary Review
This phase of the audit allows the auditor to gather organizational information as a basis for creating their audit plan. The preliminary review will identify an organization's strategy and responsibilities for managing and controlling computer applications. At this phase an auditor can provide an in-depth overview of an organization's accounting system to establish which applications are financially significant. Obtaining general data about the company, identifying financial application areas, and preparing an audit plan can achieve this.
Establish Materiality and Assess Risks
In order to plan the audit, a preliminary judgment about materiality and an assessment of the client's business risks are made to set the scope of the audit.
Plan the Audit
Proper planning of the audit will ensure the audit is conducted in an effective and efficient manner. When developing the audit plan, the auditor should take into consideration the results of their understanding of the organization and the results of the risk assessment process.
Consider Internal Control
To develop their understanding of internal controls, the auditor should consider information from previous audits, the assessment of inherent risk, judgments about materiality, and the complexity of the organization's operations and systems. Once the auditor develops their understanding of an organization's internal controls, they will be able to assess the level of their control risk (the risk a material weakness will not be prevented or detected by internal controls).
Perform Audit Procedures
Audit procedures are developed based on the auditor's understanding of the organization and its environment. A substantive audit approach is used when auditing an organization's information system.
Issue the Audit Report
Once audit procedures have been performed and results have been evaluated, the auditor will issue either an unqualified or qualified audit report based on their findings.
Planning the Audit
IS Standard 050 (Planning) states, "The IT auditor should plan the information systems audit coverage to address the audit objectives and comply with applicable laws and professional auditing standards." One of the first tasks an auditor must do when planning the audit is to develop a working budget. The IT audit manager must know the capabilities of the audit staff assigned to the project. In addition to the budgeted time needed to perform the audit, the IT audit manager should also budget time needed to train the audit staff (if needed) and allow time for any error correction purposes.
While planning the audit, the auditor decides what level of audit risk (the risk of reaching an incorrect conclusion based on the audit findings) he or she is willing to accept. The more effective and extensive the audit work is, the less the risk that a weakness will go undetected and the auditor will issue an inappropriate report. Audit risk is dependent on the auditor's assessed levels of inherent risk (the susceptibility of an audit area to error which could be material, assuming there are no related internal controls), control risk (the risk a material weakness will not be prevented or detected by internal controls), and detection risk (the risk substantive tests will not detect an error which could be material). These risks are determined when the auditor performs a risk assessment of the organization.
Additionally, in order to evaluate whether an IT audit has been successful, the auditor must first identify the intended scope and objectives of the audit to test management's assertions on their information systems. To meet the audit objectives, and to ensure that audit resources will be used efficiently, the auditor will need to establish levels of materiality. The auditor should consider both qualitative and quantitative aspects in determining materiality. An assessment of risk should be made to provide reasonable assurance that all material items will be adequately covered during the audit work. This assessment should identify areas with a relatively high risk of existence of material problems.
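The three risks defined above combine in the standard audit risk model used by auditors; the formula itself is not stated in this excerpt and is added here as an illustration, with constructed values:

$$\mathrm{AR} = \mathrm{IR} \times \mathrm{CR} \times \mathrm{DR}$$

The auditor sets the acceptable audit risk $\mathrm{AR}$ and assesses inherent risk $\mathrm{IR}$ and control risk $\mathrm{CR}$ during the risk assessment, then solves for the detection risk that the substantive tests must achieve:

$$\mathrm{DR} = \frac{\mathrm{AR}}{\mathrm{IR} \times \mathrm{CR}}$$

For example, with an acceptable $\mathrm{AR} = 0.05$, assessed $\mathrm{IR} = 0.8$ and $\mathrm{CR} = 0.5$, the required detection risk is $\mathrm{DR} = 0.05 / 0.40 = 0.125$: the substantive tests must leave no more than a 12.5% chance of missing a material error. Weaker internal controls (a higher $\mathrm{CR}$) lower the permissible $\mathrm{DR}$ and so force more extensive audit work, which is the relationship the paragraph describes.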
Materiality
In assessing materiality, the IT auditor should consider:
• The aggregate level of error acceptable to management, the IT auditor, and appropriate regulatory agencies.
• The potential for the cumulative effect of small errors or weaknesses to become material.
While establishing materiality, the auditor may audit non-financial items such as physical access controls, logical access controls, and systems for personnel management, manufacturing control, design, quality control, and password generation. While planning the audit work to meet the audit objectives, the auditor should identify relevant control objectives and determine, based on materiality, which controls should be examined. Internal control objectives are set by management and identify what management strives to achieve through their internal controls. Where financial transactions are not processed, the following identifies some measures the auditor should consider when assessing materiality:
• Criticality of the business processes supported by the system or operation.
• Cost of the system or operation (hardware, software, third-party services).
• Potential cost of errors.
• Number of accesses/transactions/inquiries processed per period.
• Penalties for failure to comply with legal and contractual requirements.
Risk Assessment
A risk is any event or action, generated internally or externally, which prevents an organization from achieving its goals and/or objectives. Risks affect control objectives in the areas of data integrity and accuracy, timeliness of the information for decision making, ability to access the system, and confidentiality/privacy of information, to name a few. Risk assessment allows the auditor to determine the scope of the audit and assess the level of audit risk and error risk (the risk of errors occurring in the area being audited). Additionally, risk assessment will aid in planning decisions such as:
• The nature, extent, and timing of audit procedures.
• The areas or business functions to be audited.
• The amount of time and resources to be allocated to an audit.
Documentation of Risk Assessment
Once the assessed level of risk has been determined, the auditor should document the following in their work papers:
• A description of the risk assessment technique used.
• The identification of significant risks.
• The risks the audit is going to address.
• The audit evidence used to support the IS auditor's assessment of risk.
The Audit Plan
The audit plan details the audit objectives and steps the auditor must take to ensure all of the important issues in the audit are covered. The audit plan includes:
• The auditor's understanding of the client.
• Potential audit risks.
• A basic framework for how the audit resources (budgeted audit hours) are to be allocated throughout the audit.
• Audit procedures to be performed.
The objective of the audit plan is to assist the auditor in conducting an effective and efficient audit.
Planning Memo
A planning memo outlines for the auditee the tone and course of action the IT audit manager plans to take. The memo outlines for the auditee the areas within the audit where the auditor is planning to spend most of their time, and it gives the auditee the opportunity to voice any concerns.
Evaluation of Internal Controls
COSO defines internal control as "a process, influenced by an entity's board of directors, management, and other personnel, that is designed to provide reasonable assurance in the effectiveness and efficiency of operations, reliability of financial reporting, and the compliance of applicable laws and regulations." The auditor evaluates the organization's control structure by understanding the organization's five interrelated control components. They include:
1. Control Environment: Provides the foundation for the other components. Encompasses such factors as management's philosophy and operating style.
2. Risk Assessment: Consists of risk identification and analysis.
3. Control Activities: Consists of the policies and procedures that ensure employees carry out management's directions. Types of control activities an organization must implement are preventative controls (controls intended to stop an error from occurring), detective controls (controls intended to detect if an error has occurred), and mitigating controls (control activities that can mitigate the risks associated with a key control not operating effectively).
4. Information and Communication: Ensures the organization obtains pertinent information, and then communicates it throughout the organization.
5. Monitoring: Reviewing the output generated by control activities and conducting special evaluations.
In addition to understanding the organization's control components, the auditor must also evaluate the organization's General and Application controls. There are three audit risk components: control risk, detection risk and inherent risk.