IT Audit, Control, and Security
John Wiley & Sons Inc (Verlag)
978-0-471-40676-1 (ISBN)
When it comes to computer security, the role of auditors today has never been more crucial. Auditors must ensure that all computers, in particular those dealing with e-business, are secure. The only source for information on the combined areas of computer audit, control, and security, the IT Audit, Control, and Security describes the types of internal controls, security, and integrity procedures that management must build into its automated systems. This very timely book provides auditors with the guidance they need to ensure that their systems are secure from both internal and external threats.
Robert R. Moeller (Evanston, IL), CPA, CISA, PMP, CISSP, is the founder of Compliance and control Systems Associates, a consulting firm that specialized in internal audit and project management with a strong understanding of information systems, corporate governance and security. He has over 30 years of experience in internal auditing, ranging from launching new internal audit functions in several companies to serving as audit director for a Fortune 50 corporation. He held positions with Grant Thornton (National Director of Computer Auditing) and Sears Roebuck (Audit Director). A frequently published author and professional speaker, Moeller provides insights into many of the new rules impacting internal auditors today as well as the challenges audit committees face when dealing with Sarbanes-Oxley, internal controls, and their internal auditors. Moeller is the former president of the Institute of Internal Auditor's Chicago chapter and has served on the IIA's International Advanced Technology Committee. He is also the former chair of the AICPA's Computer Audit Subcommittee.
Introduction xiii
PART ONE: AUDITING INTERNAL CONTROLS IN AN IT ENVIRONMENT 1
Chapter 1: SOx and the COSO Internal Controls Framework 3
Roles and Responsibilities of IT Auditors 4
Importance of Effective Internal Controls and COSO 6
COSO Internal Control Systems Monitoring Guidance 21
Sarbanes-Oxley Act 22
Wrapping It Up: COSO Internal Controls and SOx 31
Notes 31
Chapter 2: Using CobiT to Perform IT Audits 32
Introduction to CobiT 33
CobiT Framework 35
Using CobiT to Assess Internal Controls 39
Using CobiT in a SOx Environment 51
CobiT Assurance Framework Guidance 54
CobiT in Perspective 55
Notes 55
Chapter 3: IIA and ISACA Standards for the Professional Practice of Internal Auditing 57
Internal Auditing’s International Professional Practice Standards 58
Content of the IPPF and the IIA International Standards 61
Strongly Recommended IIA Standards Guidance 75
ISACA IT Auditing Standards Overview 76
Codes of Ethics: The IIA and ISACA 79
Notes 81
Chapter 4: Understanding Risk Management Through COSO ERM 82
Risk Management Fundamentals 83
Quantitative Risk Analysis Techniques 92
IIA and ISACA Risk Management Internal Audit Guidance 94
COSO ERM: Enterprise Risk Management 97
IT Audit Risk and COSO ERM 113
Notes 115
Chapter 5: Performing Effective IT Audits 117
IT Audit and the Enterprise Internal Audit Function 118
Organizing and Planning IT Audits 122
Developing and Preparing Audit Programs 127
Gathering Audit Evidence and Testing Results 132
Workpapers and Reporting IT Audit Results 142
Preparing Effective IT Audits 148
Notes 149
PART TWO: AUDITING IT GENERAL CONTROLS 151
Chapter 6: General Controls in Today’s IT Environments 153
Importance of IT General Controls 154
IT Governance General Controls 157
IT Management General Controls 158
IT Technical Environment General Controls 174
Note 174
Chapter 7: Infrastructure Controls and ITIL Service
Management Best Practices 175
ITIL Service Management Best Practices 176
ITIL’s Service Strategies Component 179
ITIL Service Design 181
ITIL Service Transition Management Processes 189
ITIL Service Operation Processes 194
Service Delivery Best Practices 198
Auditing IT Infrastructure Management 199
Note 200
Chapter 8: Systems Software and IT Operations General Controls 201
IT Operating System Fundamentals 202
Features of a Computer Operating System 206
Other Systems Software Tools 209
Chapter 9: Evolving Control Issues: Wireless Networks, Cloud Computing, and Virtualization 214
Understanding and Auditing IT Wireless Networks 215
Understanding Cloud Computing 220
Storage Management Virtualization 225
PART THREE: AUDITING AND TESTING IT APPLICATION CONTROLS 227
Chapter 10: Selecting, Testing, and Auditing IT Applications 229
IT Application Control Elements 230
Selecting Applications for IT Audit Reviews 239
Performing an Applications Controls Review: Preliminary Steps 242
Completing the IT Applications Controls Audit 249
Application Review Case Study: Client-Server Budgeting System 255
Auditing Applications under Development 258
Importance of Reviewing IT Application Controls 266
Notes 266
Chapter 11: Software Engineering and CMMi 267
Software Engineering Concepts 267
CMMi: Capability Maturity Model for Integration 269
CMMi Benefits 280
IT Audit, Internal Control, and CMMi 281
Note 282
Chapter 12: Auditing Service-Oriented Architectures and Record Management Processes 283
Service-Oriented Computing and Service-Driven Applications 284
IT Auditing in SOA Environments 294
Electronic Records Management Internal Control Issues and Risks 300
IT Audits of Electronic Records Management Processes 301
Notes 303
Chapter 13: Computer-Assisted Audit Tools and Techniques 304
Understanding Computer-Assisted Audit Tools and Techniques 305
Determining the Need for CAATTs 308
CAATT Software Tools 311
Steps to Building Effective CAATTs 326
Importance of CAATTs for Audit Evidence Gathering 327
Chapter 14: Continuous Assurance Auditing, OLAP, and XBRL 329
Implementing Continuous Assurance Auditing 330
Benefits of Continuous Assurance Auditing Tools 338
Data Warehouses, Data Mining, and OLAP 339
XBRL: The Internet-Based Extensible Markup Language 346
Newer Technologies, the Continuous Close, and IT Audit 351
Notes 351
PART FOUR: IMPORTANCE OF IT GOVERNANCE 353
Chapter 15: IT Controls and the Audit Committee 355
Role of the Audit Committee for IT Auditors 356
Audit Committee Approval of Internal Audit Plans and Budgets 357
Audit Committee Briefings on IT Audit Issues 359
Audit Committee Review and Action on Significant IT Audit Findings 360
IT Audit and the Audit Committee 362
Chapter 16: Val IT, Portfolio Management, and Project Management 363
Val IT: Enhancing the Value of IT Investments 364
IT Systems Portfolio and Program Management 371
Project Management for IT Auditors 374
Notes 383
Chapter 17: Compliance with IT-Related Laws and Regulations 384
Computer Fraud and Abuse Act 386
Computer Security Act of 1987 387
Gramm-Leach-Bliley Act 390
HIPAA: Healthcare and Much More 395
Other Personal Privacy and Security Legislative Requirements 403
IT-Related Laws, Regulations, and Audit Standards 404
Chapter 18: Understanding and Reviewing Compliance with ISO Standards 407
Background and Importance of ISO Standards in a World of Global Commerce 408
ISO Standards Overview 410
ISO 19011 Quality Management Systems Auditing 419
ISO Standards and IT Auditors 421
Notes 421
Chapter 19: Controls to Establish an Effective IT Security Environment 422
Generally Accepted Security Standards 423
Effective IT Perimeter Security 429
Establishing an Effective, Enterprise-Wide Security Strategy 430
Best Practices for IT Audit and Security 432
Notes 433
Chapter 20: Cybersecurity and Privacy Controls 434
IT Network Security Fundamentals 435
IT Systems Privacy Concerns 443
PCI-DSS Fundamentals 446
Auditing IT Security and Privacy 447
Security and Privacy in the Internal Audit Department 448
Notes 453
Chapter 21: IT Fraud Detection and Prevention 454
Understanding and Recognizing Fraud in an IT Environment 455
Red Flags: Fraud Detection Signs for IT and Other Internal Auditors 456
Public Accounting’s Role in Fraud Detection 461
IIA Standards and ISACA Materials for Detecting and Investigating Fraud 462
IT Audit Fraud Risk Assessments 464
IT Audit Fraud Investigations 467
IT Fraud Prevention Processes 468
Fraud Detection and the IT Auditor 471
Notes 471
Chapter 22: Identity and Access Management 472
Importance of Identity and Access Management 473
Identity Management Processes 474
Separation of Duties Identify Management Controls 477
Access Management Provisioning 478
Authentication and Authorization 479
Auditing Identity and Access Management Processes 481
Note 485
Chapter 23: Establishing Effective IT Disaster Recovery Processes 486
IT Disaster and Business Continuity Planning Today 487
Building and Auditing an IT Disaster Recovery Plan 489
Building the IT Disaster Recovery Plan 497
Disaster Recovery Planning and Service Level Agreements 503
Newer Disaster Recovery Plan Technologies: Data Mirroring Techniques 505
Auditing Business Continuity Plans 506
Disaster Recovery and Business Continuity Planning Going Forward 508
Notes 508
Chapter 24: Electronic Archiving and Data Retention 509
Elements of a Successful Electronic Records Management Process 510
Electronic Documentation Standards 516
Implementing Electronic IT Data Archiving 517
Auditing Electronic Document Retention and Archival Processes 519
Chapter 25: Business Continuity Management, BS 25999, and ISO 27001 521
IT Business Continuity Management Planning Needs Today 522
BS 25999 Good Practice Guidelines 524
Auditing BCM Processes 540
Linking the BCM with Other Standards and Processes 543
Notes 543
Chapter 26: Auditing Telecommunications and IT Communications Networks 544
Network Security Concepts 545
Effective IT Network Security Controls 549
Auditing a VPN Installation 555
Note 557
Chapter 27: Change and Patch Management Controls 558
IT Change Management Processes 559
Auditing IT Change and Patch Management Controls 573
Notes 576
Chapter 28: Six Sigma and Lean Technologies 577
Six Sigma Background and Concepts 578
Implementing Six Sigma 580
Lean Six Sigma 587
Notes 590
Chapter 29: Building an Effective IT Internal Audit Function 591
Establishing an IT Internal Audit Function 592
Internal Audit Charter: An Important IT Audit Authorization 593
Role of the Chief Audit Executive 595
IT Audit Specialists 596
IT Audit Managers and Supervisors 598
Internal and IT Audit Policies and Procedures 599
Organizing an Effective IT Audit Function 601
Importance of a Strong IT Audit Function 604
Note 605
Chapter 30: Professional Certifications: CISA, CIA, and More 606
Certified Information Systems Auditor Credentials 607
Certified Information Security Manager Credentials 609
Certificate in the Governance of Enterprise IT 611
Certified Internal Auditor Responsibilities and Requirements 612
Beyond the CIA: Other IIA Certifications 623
CISSP Information Systems Security Professional Certification 628
Certified Fraud Examiner Certification 628
ASQ Internal Audit Certifications 629
Other Internal Auditor Certifications 630
Note 631
Chapter 31: Quality Assurance Auditing and ASQ Standards 632
Duties and Responsibilities of Quality Auditors 633
Role of the Quality Auditor 635
Performing ASQ Quality Audits 638
Quality Assurance Reviews of IT Audit Functions 641
Future Directions for Quality Assurance Auditing 647
Notes 648
Index 649
Erscheint lt. Verlag | 19.11.2010 |
---|---|
Reihe/Serie | Wiley Corporate F&A |
Zusatzinfo | Exhibits: 197 B&W, 0 Color |
Verlagsort | New York |
Sprache | englisch |
Maße | 183 x 257 mm |
Gewicht | 1361 g |
Themenwelt | Informatik ► Netzwerke ► Sicherheit / Firewall |
Wirtschaft ► Betriebswirtschaft / Management ► Rechnungswesen / Bilanzen | |
ISBN-10 | 0-471-40676-7 / 0471406767 |
ISBN-13 | 978-0-471-40676-1 / 9780471406761 |
Zustand | Neuware |
Haben Sie eine Frage zum Produkt? |
aus dem Bereich