
The Basics of IT Audit: Purposes, Processes, and Practical Information (Basics (Syngress)) PDF

271 Pages·2013·5.377 MB·English

Preview The Basics of IT Audit: Purposes, Processes, and Practical Information (Basics (Syngress))

The Basics of IT Audit: Purposes, Processes, and Practical Information
Stephen D. Gantz
Technical Editor: Steve Maske

AMSTERDAM • BOSTON • HEIDELBERG • LONDON • NEW YORK • OXFORD • PARIS • SAN DIEGO • SAN FRANCISCO • SINGAPORE • SYDNEY • TOKYO
Syngress is an imprint of Elsevier

Acquiring Editor: Steve Elliot
Editorial Project Manager: Benjamin Rearick
Project Manager: Malathi Samayan
Designer: Matthew Limbert

Syngress is an imprint of Elsevier, 225 Wyman Street, Waltham, MA 02451, USA
© 2014 Elsevier Inc. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or any information storage and retrieval system, without permission in writing from the publisher. Details on how to seek permission, further information about the Publisher's permissions policies and our arrangements with organizations such as the Copyright Clearance Center and the Copyright Licensing Agency, can be found at our website: www.elsevier.com/permissions. This book and the individual contributions contained in it are protected under copyright by the Publisher (other than as may be noted herein).

Notices
Knowledge and best practice in this field are constantly changing. As new research and experience broaden our understanding, changes in research methods or professional practices may become necessary. Practitioners and researchers must always rely on their own experience and knowledge in evaluating and using any information or methods described herein. In using such information or methods they should be mindful of their own safety and the safety of others, including parties for whom they have a professional responsibility.

To the fullest extent of the law, neither the Publisher nor the authors, contributors, or editors assume any liability for any injury and/or damage to persons or property as a matter of products liability, negligence or otherwise, or from any use or operation of any methods, products, instructions, or ideas contained in the material herein.

Library of Congress Cataloging-in-Publication Data
Gantz, Stephen D.
The basics of IT audit: purposes, processes, and practical information / Stephen D. Gantz.
pages cm
Includes bibliographical references and index.
ISBN 978-0-12-417159-6 (pbk.)
1. Information technology—Auditing. 2. Computer security. 3. Computer networks—Security measures. I. Title.
T58.5.G37 2013
004.068'1—dc23
2013036148

British Library Cataloguing-in-Publication Data
A catalogue record for this book is available from the British Library.

For information on all Syngress publications, visit our website at store.elsevier.com/Syngress
ISBN: 978-0-12-417159-6
Printed and bound in the United States of America
14 15 16 13 12 11 10 9 8 7 6 5 4 3 2 1

Dedicated to my wife Reneé, my son Henry, and my daughters Claire and Gillian, without whose support and forbearance I would not have been able to devote the necessary time and energy to this project.
Contents

Acknowledgments ... xiii
About the Author ... xv
About the Technical Editor ... xvii
Trademarks ... xix
Introduction ... xxi

CHAPTER 1 IT Audit Fundamentals ... 1
  What is IT auditing? ... 2
    Internal controls ... 4
    What to audit ... 6
    IT audit characteristics ... 8
  Why audit? ... 8
  Who gets audited? ... 9
  Who does IT auditing? ... 10
    External auditors ... 11
    Internal auditors ... 13
    IT auditor development paths ... 14
  Relevant source material ... 17
  Summary ... 18
  References ... 18

CHAPTER 2 Auditing in Context ... 21
  IT governance ... 22
    The role of IT audit in governance ... 24
  Risk management ... 25
    Risk management components ... 28
    The role of IT audit in risk management ... 29
  Compliance and certification ... 30
    Managing compliance and certification ... 31
    The role of IT audit in compliance and certification ... 33
  Quality management and quality assurance ... 34
    The role of IT audit in quality management ... 37
  Information security management ... 37
    The role of IT audit in information security management ... 39
  Relevant source material ... 40
  Summary ... 41
  References ... 41

CHAPTER 3 Internal Auditing ... 45
  Internal audit as an organizational capability ... 46
    Independence and objectivity ... 47
    Establishing the IT audit program ... 48
  Benefits of internal IT auditing ... 56
  Internal audit challenges ... 57
  Internal auditors ... 58
  Relevant source material ... 59
  Summary ... 60
  References ... 60

CHAPTER 4 External Auditing ... 63
  Operational aspects of external audits ... 64
    Roles and responsibilities for external auditing ... 66
    Independence in external auditing ... 68
    Organizational participation in external audits ... 70
  External IT audit drivers and rationale ... 71
  External audit benefits ... 73
    Advantages compared to internal audits ... 74
  External audit challenges ... 74
  External auditors ... 76
  Relevant source material ... 80
  Summary ... 81
  References ... 81

CHAPTER 5 Types of Audits ... 83
  Financial audits ... 85
    Cost accounting ... 86
    Programmatic audits ... 87
  Operational audits ... 87
    Operational audits of internal controls ... 89
    Audits of policies, processes, and procedures ... 89
    Program or project-focused operational audits ... 91
  Certification audits ... 91
    Service management ... 92
    Security management ... 93
    Quality management ... 94
  Compliance audits ... 94
    Legal compliance ... 96
    Compliance with industry standards ... 97
    Commercial standards ... 97
  IT-specific audits ... 98
    IT process maturity ... 98
    Provision of IT services ... 99
    Information systems controls ... 100
  Relevant source material ... 102
  Summary ... 102
  References ... 103

CHAPTER 6 IT Audit Components ... 105
  Establishing the scope of IT audits ... 105
    Developing and maintaining the audit universe ... 107
    Governance, risk, and compliance drivers ... 108
    Audit strategy and prioritization ... 109
  Types of controls ... 109
    Control categorization ... 110
    Organizational controls ... 111
  Auditing different IT assets ... 112
    IT component decomposition ... 114
  Auditing procedural controls or processes ... 119
    IT operations ... 120
    Program and project management ... 121
    System development life cycle ... 122
  Relevant source material ... 126
  References ... 127

CHAPTER 7 IT Audit Drivers ... 129
  Laws and regulations ... 130
    Securities industry laws and regulations ... 131
    European Council Directive 2006/43/EC ... 133
    Health industry-specific laws ... 133
    Security and privacy laws ... 135
    State security and privacy laws ... 138
    Government sector laws ... 139
  Certification standards ... 141
    Quality certification ... 142
    Information security ... 143
    Service management ... 144
  Operational effectiveness ... 144
  Quality assurance and continuous improvement ... 145
  Relevant source material ... 145
  Summary ... 146
  References ... 146
