The Basics of IT Audit
The Basics of IT Audit
Purposes, Processes, and
Practical Information
Stephen D. Gantz
Technical Editor
Steve Maske
AMSTERDAM • BOSTON • HEIDELBERG • LONDON
NEW YORK • OXFORD • PARIS • SAN DIEGO
SAN FRANCISCO • SINGAPORE • SYDNEY • TOKYO
Syngress is an imprint of Elsevier
Acquiring Editor: Steve Elliot
Editorial Project Manager: Benjamin Rearick
Project Manager: Malathi Samayan
Designer: Matthew Limbert
Syngress is an imprint of Elsevier
225 Wyman Street, Waltham, MA 02451, USA
© 2014 Elsevier Inc. All rights reserved
No part of this publication may be reproduced or transmitted in any form or by any means, electronic
or mechanical, including photocopying, recording, or any information storage and retrieval system,
without permission in writing from the publisher. Details on how to seek permission, further
information about the Publisher’s permissions policies and our arrangements with organizations
such as the Copyright Clearance Center and the Copyright Licensing Agency, can be found at our
website: www.elsevier.com/permissions.
This book and the individual contributions contained in it are protected under copyright by the
Publisher (other than as may be noted herein).
Notices
Knowledge and best practice in this field are constantly changing. As new research and experience
broaden our understanding, changes in research methods or professional practices may become
necessary. Practitioners and researchers must always rely on their own experience and knowledge
in evaluating and using any information or methods described herein. In using such information or
methods they should be mindful of their own safety and the safety of others, including parties for
whom they have a professional responsibility.
To the fullest extent of the law, neither the Publisher nor the authors, contributors, or editors assume
any liability for any injury and/or damage to persons or property as a matter of products liability,
negligence or otherwise, or from any use or operation of any methods, products, instructions, or
ideas contained in the material herein.
Library of Congress Cataloging-in-Publication Data
Gantz, Stephen D.
The basics of IT audit: purposes, processes, and practical information / Stephen D. Gantz.
pages cm
Includes bibliographical references and index.
ISBN 978-0-12-417159-6 (pbk.)
1. Information technology—Auditing. 2. Computer security.
3. Computer networks--Security measures. I. Title.
T58.5.G37 2013
004.068'1--dc23
2013036148
British Library Cataloguing-in-Publication Data
A catalogue record for this book is available from the British Library
For information on all Syngress publications,
visit our website at store.elsevier.com/Syngress
ISBN: 978-0-12-417159-6
Printed and bound in the United States of America
Dedicated to my wife Reneé, my son Henry, and my daughters Claire and Gillian,
without whose support and forbearance I would not have been able to devote the
necessary time and energy into this project.
Contents
Acknowledgments ...................................................................................................xiii
About the Author ......................................................................................................xv
About the Technical Editor ....................................................................................xvii
Trademarks ..............................................................................................................xix
Introduction .............................................................................................................xxi
CHAPTER 1 IT Audit Fundamentals ..................................................1
What is IT auditing? .......................................................................2
Internal controls ..........................................................................4
What to audit ...............................................................................6
IT audit characteristics ................................................................8
Why audit? ......................................................................................8
Who gets audited? ...........................................................................9
Who does IT auditing? ..................................................................10
External auditors .......................................................................11
Internal auditors ........................................................................13
IT auditor development paths ...................................................14
Relevant source material ...............................................................17
Summary .......................................................................................18
References .....................................................................................18
CHAPTER 2 Auditing in Context ......................................................21
IT governance ...............................................................................22
The role of IT audit in governance ...........................................24
Risk management ..........................................................................25
Risk management components .................................................28
The role of IT audit in risk management ..................................29
Compliance and certification ........................................................30
Managing compliance and certification ....................................31
The role of IT audit in compliance and certification ................33
Quality management and quality assurance .................................34
The role of IT audit in quality management .............................37
Information security management ................................................37
The role of IT audit in information security management ........39
Relevant source material ...............................................................40
Summary .......................................................................................41
References .....................................................................................41
CHAPTER 3 Internal Auditing ..........................................................45
Internal audit as an organizational capability ...............................46
Independence and objectivity ...................................................47
Establishing the IT audit program ............................................48
Benefits of internal IT auditing .....................................................56
Internal audit challenges ...............................................................57
Internal auditors ............................................................................58
Relevant source material ...............................................................59
Summary .......................................................................................60
References .....................................................................................60
CHAPTER 4 External Auditing .........................................................63
Operational aspects of external audits ..........................................64
Roles and responsibilities for external auditing ........................66
Independence in external auditing ............................................68
Organizational participation in external audits .........................70
External IT audit drivers and rationale .........................................71
External audit benefits ..................................................................73
Advantages compared to internal audits ...................................74
External audit challenges ..............................................................74
External auditors ...........................................................................76
Relevant source material ...............................................................80
Summary .......................................................................................81
References .....................................................................................81
CHAPTER 5 Types of Audits ............................................................83
Financial audits .............................................................................85
Cost accounting ........................................................................86
Programmatic audits .................................................................87
Operational audits .........................................................................87
Operational audits of internal controls .....................................89
Audits of policies, processes, and procedures ..........................89
Program or project-focused operational audits .........................91
Certification audits ........................................................................91
Service management .................................................................92
Security management ................................................................93
Quality management .................................................................94
Compliance audits ........................................................................94
Legal compliance ......................................................................96
Compliance with industry standards .........................................97
Commercial standards ..............................................................97
IT-specific audits ...........................................................................98
IT process maturity ...................................................................98
Provision of IT services ............................................................99
Information systems controls ..................................................100
Relevant source material .............................................................102
Summary .....................................................................................102
References ...................................................................................103
CHAPTER 6 IT Audit Components .................................................105
Establishing the scope of IT audits .............................................105
Developing and maintaining the audit universe ......................107
Governance, risk, and compliance drivers ..............................108
Audit strategy and prioritization .............................................109
Types of controls .........................................................................109
Control categorization .............................................................110
Organizational controls ...........................................................111
Auditing different IT assets ........................................................112
IT component decomposition .................................................114
Auditing procedural controls or processes .................................119
IT operations ...........................................................................120
Program and project management ..........................................121
System development life cycle ...............................................122
Relevant source material .............................................................126
References ...................................................................................127
CHAPTER 7 IT Audit Drivers ..........................................................129
Laws and regulations ..................................................................130
Securities industry laws and regulations .................................131
European Council Directive 2006/43/EC ...............................133
Health industry-specific laws ..................................................133
Security and privacy laws .......................................................135
State security and privacy laws ...............................................138
Government sector laws ..........................................................139
Certification standards ................................................................141
Quality certification ................................................................142
Information security ................................................................143
Service management ...............................................................144
Operational effectiveness ............................................................144
Quality assurance and continuous improvement ........................145
Relevant source material .............................................................145
Summary .....................................................................................146
References ...................................................................................146