
Understanding and Conducting Information Systems Auditing + Website PDF

381 Pages·2013·12.19 MB·English

Preview Understanding and Conducting Information Systems Auditing + Website

Contents

Preface
Acknowledgments

Part One: Conducting an Information Systems Audit

Chapter One: Overview of Systems Audit
Information Systems Audit Information Systems Auditor Legal Requirements of an Information Systems Audit Systems Environment and Information Systems Audit Information Systems Assets Classification of Controls The Impact of Computers on Information The Impact of Computers on Auditing Information Systems Audit Coverage

Chapter Two: Hardware Security Issues
Hardware Security Objective Peripheral Devices and Storage Media Client-Server Architecture Authentication Devices Hardware Acquisition Hardware Maintenance Management of Obsolescence Disposal of Equipment Problem Management Change Management Network and Communication Issues

Chapter Three: Software Security Issues
Overview of Types of Software Elements of Software Security Control Issues during Installation and Maintenance Licensing Issues Problem and Change Management

Chapter Four: Information Systems Audit Requirements
Risk Analysis Threats, Vulnerability, Exposure, Likelihood, and Attack Information Systems Control Objectives Information Systems Audit Objectives System Effectiveness and Efficiency Information Systems Abuse Asset Safeguarding Objective and Process Evidence Collection and Evaluation Logs and Audit Trails as Evidence

Chapter Five: Conducting an Information Systems Audit
Audit Program Audit Plan Audit Procedures and Approaches System Understanding and Review Compliance Reviews and Tests Substantive Reviews and Tests Audit Tools and Techniques Sampling Techniques Audit Questionnaire Audit Documentation Audit Report Auditing Approaches Sample Audit Work-Planning Memo Sample Audit Work Process Flow

Chapter Six: Risk-Based Systems Audit
Conducting a Risk-Based Information Systems Audit Risk Assessment Risk Matrix Risk and Audit Sample Determination Audit Risk Assessment Risk Management Strategy

Chapter Seven: Business Continuity and Disaster Recovery Plan
Business Continuity and Disaster Recovery Process Business Impact Analysis Incident Response Plan Disaster Recovery Plan Types of Disaster Recovery Plans Emergency Preparedness Audit Checklist Business Continuity Strategies Business Resumption Plan Audit Checklist Recovery Procedures Testing Checklist Plan Maintenance Checklist Vital Records Retention Checklist Forms and Documents

Chapter Eight: Auditing in the E-Commerce Environment
Introduction Objectives of an Information Systems Audit in the E-Commerce Environment General Overview Auditing E-Commerce Functions E-Commerce Policies and Procedures Review Impact of E-Commerce on Internal Control

Chapter Nine: Security Testing
Cybersecurity Cybercrimes What is Vulnerable to Attack? How Cyberattacks Occur What is Vulnerability Analysis? Cyberforensics Digital Evidence

Chapter Ten: Case Study: Conducting an Information Systems Audit
Important Security Issues in Banks Implementing an Information Systems Audit at a Bank Branch Special Considerations in a Core Banking System

Part Two: Information Systems Auditing Checklists

Chapter Eleven: ISecGrade Auditing Framework
Introduction Licensing and Limitations Methodology Domains Grading Structure Selection of Checklist Format of Audit Report Using the Audit Report Format

Chapter Twelve: ISecGrade Checklists
Checklist Structure Information Systems Audit Checklists

Chapter Thirteen: Session Quiz
Chapter 1: Overview of Systems Audit
Chapter 2: Hardware Security Issues
Chapter 3: Software Security Issues
Chapter 4: Information Systems Audit Requirements
Chapter 5: Conducting an Information Systems Audit
Chapter 6: Risk-Based Systems Audit
Chapter 7: Business Continuity and Disaster Recovery Plan
Chapter 8: Auditing in the E-Commerce Environment
Chapter 9: Security Testing

About the Authors
About the Website
Index

Founded in 1807, John Wiley & Sons is the oldest independent publishing company in the United States. With offices in North America, Europe, Asia, and Australia, Wiley is globally committed to developing and marketing print and electronic products and services for our customers’ professional and personal knowledge and understanding. The Wiley Corporate F&A series provides information, tools, and insights to corporate professionals responsible for issues affecting the profitability of their company, from accounting and finance to internal controls and performance management.

Cover Image: © Olena Timashova/iStockphoto
Cover Design: John Wiley & Sons, Inc.

Copyright © 2013 by John Wiley & Sons Singapore Pte. Ltd.
Published by John Wiley & Sons Singapore Pte. Ltd. 1 Fusionopolis Walk, #07-01, Solaris South Tower, Singapore 138628

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as expressly permitted by law, without either the prior written permission of the Publisher, or authorization through payment of the appropriate photocopy fee to the Copyright Clearance Center. Requests for permission should be addressed to the Publisher, John Wiley & Sons Singapore Pte. Ltd., 1 Fusionopolis Walk, #07-01, Solaris South Tower, Singapore 138628, tel: 65-6643-8000, fax: 65-6643-8008, e-mail: [email protected].

Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.

Other Wiley Editorial Offices
John Wiley & Sons, 111 River Street, Hoboken, NJ 07030, USA
John Wiley & Sons, The Atrium, Southern Gate, Chichester, West Sussex, P019 8SQ, United Kingdom
John Wiley & Sons (Canada) Ltd., 5353 Dundas Street West, Suite 400, Toronto, Ontario, M9B 6HB, Canada
John Wiley & Sons Australia Ltd., 42 McDougall Street, Milton, Queensland 4064, Australia
Wiley-VCH, Boschstrasse 12, D-69469 Weinheim, Germany

Library of Congress Cataloging-in-Publication Data
ISBN 978-1-118-34374-6 (Hardcover)
ISBN 978-1-118-34375-3 (ePDF)
ISBN 978-1-118-34376-0 (Mobi)
ISBN 978-1-118-34377-7 (ePub)

Description:
A comprehensive guide to understanding and auditing modern information systems. The increased dependence on information system resources for performing key activities within organizations has made system audits essential for ensuring the confidentiality, integrity, and availability of information syst
