Auditor's Guide to Information System Auditing / Edition 1

Auditor's Guide to Information System Auditing / Edition 1

by Richard E. Cascarino, Richard Cascarino

It has become impossible for today's enterprises of any size and in any market sector to exist without computers to assist with their fundamental business operations. The modern auditor, therefore, requires significantly more knowledge of computers and computer auditing than did auditors of earlier years. In order for organizations to take full advantage of the… See more details below


It has become impossible for today's enterprises of any size and in any market sector to exist without computers to assist with their fundamental business operations. The modern auditor, therefore, requires significantly more knowledge of computers and computer auditing than did auditors of earlier years. In order for organizations to take full advantage of the opportunities that computers can offer, their systems must be controlled and dependable.

Written for those who need to gain apractical working knowledge of the risks and control opportunities within an information processing (IP) environment, as well as the auditing of that environment, Auditor's Guide to Information Systems Auditing includes a complementary student's version of the IDEA Data Analysis Software CD and is particularly useful for professionals andstudents within the fields of:

  • IT security
  • IT audit
  • Internal audit
  • External audit
  • Management information systems
  • General business management

Emphasizing the practical implementation of principles and techniques through the use of realistic case studies, Auditor's Guide to Information Systems Auditing follows the approach used by the Information System Audit and Control Association's modelcurriculum and is an excellent study guide for those preparing for the CISA and CISM exams.

This invaluable reference manual is filled with relevant information helpful to those accountable to management for the successful implementation and control of information systems and covers a wide range of topics, serving as an indispensable introductory reference to IT auditing.

Read More

Product Details

Publication date:
Edition description:
Older Edition
Product dimensions:
6.44(w) x 8.96(h) x 1.36(d)

Table of Contents



PART I. IS Audit Process.

CHAPTER 1. Technology and Audit.

Technology and Audit.

Batch and On-Line Systems.

CHAPTER 2. IS Audit Function Knowledge.

Information Systems Auditing.

What Is Management?

Management Process.

Understanding the Organization’s Business.

Establishing the Needs.

Identifying Key Activities.

Establish Performance Objectives.

Decide The Control Strategies.

Implement and Monitor the Controls.

Executive Management’s Responsibility and Corporate Governance.

Audit Role.

Conceptual Foundation.

Professionalism within the IS Auditing Function.

Relationship of Internal IS Audit to the External Auditor.

Relationship of IS Audit to Other Company Audit Activities.

Audit Charter.

Charter Content.

Outsourcing the IS Audit Activity.

Regulation, Control, and Standards.

CHAPTER 3. IS Risk and Fundamental Auditing Concepts.

Computer Risks and Exposures.

Effect of Risk.

Audit and Risk.

Audit Evidence.

Reliability of Audit Evidence.

Audit Evidence Procedures.

Responsibilities for Fraud Detection and Prevention.

CHAPTER 4. Standards and Guidelines for IS Auditing.

IIA Standards.

Code of Ethics.



Standards for the Professional Performance of Internal Auditing.

ISACA Standards.

ISACA Code of Ethics.

COSO: Internal Control Standards.

BS 7799 and ISO 17799: IT Security.


BSI Baselines.

CHAPTER 5. Internal Controls Concepts Knowledge.

Internal Controls.

Cost/Benefit Considerations.

Internal Control Objectives.

Types Of Internal Controls.

Systems of Internal Control.

Elements of Internal Control.

Manual and Automated Systems.

Control Procedures.

Application Controls.

Control Objectives and Risks.

General Control Objectives.

Data and Transactions Objectives.

Program Control Objectives.

Corporate IT Governance.

CHAPTER 6. Risk Management of the IS Function.

Nature of Risk.

Auditing in General.

Elements of Risk Analysis.

Defining the Audit Universe.

Computer System Threats.

Risk Management.

CHAPTER 7. Audit Planning Process.

Benefits of an Audit Plan.

Structure of the Plan.

Types of Audit.

CHAPTER 8. Audit Management.


Audit Mission.

IS Audit Mission.

Organization of the Function.


IS Audit as a Support Function.


Business Information Systems.

Integrated IS Auditor vs Integrated IS Audit.

Auditees as Part of the Audit Team.

Application Audit Tools.

Advanced Systems.

Specialist Auditor.

IS Audit Quality Assurance.

CHAPTER 9. Audit Evidence Process.

Audit Evidence.

Audit Evidence Procedures.

Criteria for Success.

Statistical Sampling.

Why Sample?

Judgmental (or Non-Statistical) Sampling.

Statistical Approach.

Sampling Risk.

Assessing Sampling Risk.

Planning a Sampling Application.

Calculating Sample Size.

Quantitative Methods.

Project Scheduling Techniques.


Computer Assisted Audit Solutions.

Generalized Audit Software.

Application and Industry-Related Audit Software.

Customized Audit Software.

Information Retrieval Software.


On-Line Inquiry.

Conventional Programming Languages.

Microcomputer-Based Software.

Test Transaction Techniques.

CHAPTER 10. Audit Reporting Follow-up.

Audit Reporting.

Interim Reporting.

Closing Conferences.

Written Reports.

Clear Writing Techniques.

Preparing To Write.

Basic Audit Report.

Executive Summary.

Detailed Findings.

Polishing the Report.

Distributing the Report.

Follow-Up Reporting.

Types of Follow-Up Action.

PART II. Information Systems/Information Technology Governance.

CHAPTER 11. Management.

IS Infrastructures.

Project-Based Functions.

Quality Control.

Operations and Production.

Technical Services.

Performance Measurement and Reporting.

Measurement Implementation.

CHAPTER 12. Strategic Planning.

Strategic Management Process.

Strategic Drivers.

New Audit Revolution.

Leveraging IS.

Business Process Re-Engineering Motivation.

IS as an Enabler of Re-Engineering.

Dangers of Change.

System Models.

Information Resource Management.

Strategic Planning for IS.

Decision Support Systems.

Steering Committees.

Strategic Focus.

Auditing Strategic Planning.

Design the Audit Procedures.

CHAPTER 13. Management Issues.


Copyrights, Trademarks, and Patents.

Ethical Issues.

Corporate Codes of Conduct.

IT Governance.

Sarbanes-Oxley Act.


CHAPTER 14. Support Tools and Frameworks.

General Frameworks.

COSO: Internal Control Standards.

Other Standards.

CHAPTER 15. Governance Techniques.

Change Control.

Problem Management.

Auditing Change Control.

Operational Reviews.

Performance Measurement.

ISO 9000 Reviews.

PART III. Systems and Infrastructure Lifecycle Management.

CHAPTER 16. Information Systems Planning.



Systems Development.

Technical Support.

Other System Users.

Segregation of Duties.

Personnel Practices.

Object-Oriented Systems Analysis.

Enterprise Resource Planning.

CHAPTER 17. Information Management and Usage.

What Are Advanced Systems?

Service Delivery and Management.

CHAPTER 18. Development, Acquisition, and Maintenance of Information Systems.

Programming Computers.

Program Conversions.

System Failures.

Systems Development Exposures.

Systems Development Controls.

Systems Development Life Cycle Control: Control Objectives.

Micro-Based Systems.

CHAPTER 19. Impact of Information Technology on the Business Processes and Solutions.


Continuous Monitoring.

Business Process Outsourcing.


CHAPTER 20. Software Development.

Developing a System.

Change Control.

Why Do Systems Fail?

Auditor's Role in Software Development.

CHAPTER 21. Audit and Control of Purchased Packages.

Information Systems Vendors.

Request For Information.

Requirements Definition.

Request For Proposal.


Systems Maintenance.

Systems Maintenance Review.


CHAPTER 22. Audit Role in Feasibility Studies and Conversions.

Feasibility Success Factors.

Conversion Success Factors.

CHAPTER 23. Audit and Development of Application Controls.

What Are Systems?

Classifying Systems.

Controlling Systems.

Control Stages.

System Models.

Information Resource Management.

Control Objectives of Business Systems.

General Control Objectives.

CAATS and their Role in Business Systems Auditing.

Common Problems.

Audit Procedures.

CAAT Use in Non-Computerized Areas.

Designing an Appropriate Audit Program.

PART IV. Information Technology Service Delivery and Support.

CHAPTER 24. Technical Infrastructure.

Auditing the Technical Infrastructure.

Computer Operations Controls.

Operations Exposures.

Operations Controls.

Personnel Controls.

Supervisory Controls.

Operations Audits.

CHAPTER 25. Service Center Management.

Continuity Management and Disaster Recovery.

Managing Service Center Change.

PART V. Protection of Information Assets.

CHAPTER 26. Information Assets Security Management.

What Is Information Systems Security?

Control Techniques.

Workstation Security.

Physical Security.

Logical Security.

User Authentication.

Communications Security.


How Encryption Works.

Encryption Weaknesses.

Potential Encryption.

Data Integrity.

Double Public Key Encryption.


Information Security Policy.

CHAPTER 27. Logical Information Technology Security.

Computer Operating Systems.

Tailoring the Operating System.

Auditing the Operating System.



Security Systems: Resource Access Control Facility.

Auditing RACF.

Access Control Facility 2.

Top Secret.

User Authentication.

Bypass Mechanisms.

CHAPTER 28. Applied Information Technology Security.

Communications and Network Security.

Network Protection.

Hardening the Operating Environment.

Client Server and Other Environments.

Firewalls and Other Protection Resources.

Intrusion Detection Systems.

CHAPTER 29. Physical and Environmental Security.

Control Mechanisms.

Implementing the Controls.

PART VI. Business Continuity and Disaster Recovery.

CHAPTER 30. Protection of the Information Technology Architecture and Assets: Disaster Recovery Planning.

Risk Reassessment.

Disaster—Before and After.

Consequences of Disruption.

Where to Start.

Testing the Plan.

Auditing the Plan.

CHAPTER 31. Insurance.


PART VII. Advanced IS Auditing.

CHAPTER 32. Auditing E-commerce Systems.

E-Commerce and Electronic Data Interchange: What Is It?

Opportunities and Threats.

Risk Factors.

Threat List.

Security Technology.

"Layer" Concept.



Trading Partner Agreements.

Risks and Controls within EDI and E-Commerce.


E-Commerce and Auditability.

Compliance Auditing.

E-Commerce Audit Approach.

Audit Tools and Techniques.

Auditing Security Control Structures.

Computer Assisted Audit Techniques.

CHAPTER 33. Auditing UNIX/Linux.


Security and Control in a UNIX/Linux System.


UNIX Security.



Auditing UNIX.

Scrutiny of Logs.

Audit Tools in the Public Domain.

UNIX passwd File.

Auditing UNIX Passwords.

CHAPTER 34. Auditing Windows.


NT and Its Derivatives.

Auditing Windows 23.

Password Protection.

File Sharing.

Security Checklist.

CHAPTER 35. Foiling the System Hackers.

CHAPTER 36. Investigating Information Technology Fraud.

Pre-Incident Preparation.

Detection of Incidents.

Initial Response.

Forensic Backups.


Network Monitoring.

Identity Theft.


APPENDIX A Ethics and Standards for the IS Auditor.

ISACA Code of Professional Ethics.

Relationship of Standards to Guidelines and Procedures.

APPENDIX B Audit Program for Application Systems Auditing.

APPENDIX C Logical Access Control Audit Program.

APPENDIX D Audit Program for Auditing UNIX/Linux Environments.

APPENDIX E Audit Program for Auditing Windows XP/2000 Environments.


Read More

Customer Reviews

Average Review:

Write a Review

and post it to your social network


Most Helpful Customer Reviews

See all customer reviews >