Auditor's Guide to IT Auditing, + Software Demo


Many auditors are unfamiliar with the techniques they need toknow to efficiently and effectively determine whether your ITsystems are adequately protected. Now in a Second Edition,Auditor’s Guide to IT Auditing presents an easy, practicalguide for auditors that can be applied to all computingenvironments.

Presenting the computer auditing knowledge that today’smodern auditor requires significantly more than auditors ofyesteryear, Auditor’s Guide to IT Auditing, Second ...

See more details below
Hardcover (New Edition)
$73.32 price
(Save 26%)$100.00 List Price
Other sellers (Hardcover)
  • All (10) from $39.00   
  • New (7) from $57.74   
  • Used (3) from $39.00   
Auditor's Guide to IT Auditing

Available on NOOK devices and apps  
  • NOOK Devices
  • Samsung Galaxy Tab 4 NOOK 7.0
  • Samsung Galaxy Tab 4 NOOK 10.1
  • NOOK HD Tablet
  • NOOK HD+ Tablet
  • NOOK eReaders
  • NOOK Color
  • NOOK Tablet
  • Tablet/Phone
  • NOOK for Windows 8 Tablet
  • NOOK for iOS
  • NOOK for Android
  • NOOK Kids for iPad
  • PC/Mac
  • NOOK for Windows 8
  • NOOK for PC
  • NOOK for Mac
  • NOOK for Web

Want a NOOK? Explore Now

NOOK Book (eBook)
$57.49 price
(Save 42%)$100.00 List Price


Many auditors are unfamiliar with the techniques they need toknow to efficiently and effectively determine whether your ITsystems are adequately protected. Now in a Second Edition,Auditor’s Guide to IT Auditing presents an easy, practicalguide for auditors that can be applied to all computingenvironments.

Presenting the computer auditing knowledge that today’smodern auditor requires significantly more than auditors ofyesteryear, Auditor’s Guide to IT Auditing, Second Editionserves as an excellent study guide for those preparing for the CISAand CISM exams. In addition, it provides you with a workingknowledge of the risks and control opportunities within aninformation processing (IP) environment, as well as how to auditthat environment.

Filled with realistic case studies that present a workableimplementation of the book’s principles and techniques, thisstep-by-step guide includes timely discussion of:

  • Risk evaluation methodologies
  • New regulations
  • The Sarbanes-Oxley Act
  • Privacy
  • Banking
  • IT governance
  • CobiT
  • Outsourcing
  • Network management
  • The Cloud

A reality check for every auditor to determine whether they areexamining the right issues and if they are sufficientlycomprehensive in their focus, Auditor’s Guide to IT Auditing,Second Edition offers thorough coverage for successful applicationand control of IT systems-including the Cloud-to empower you toeffectively gauge the adequacy and effectiveness of your ITcontrols.

Read More Show Less

Product Details

  • ISBN-13: 9781118147610
  • Publisher: Wiley
  • Publication date: 4/3/2012
  • Series: Wiley Corporate F&A Series, #583
  • Edition description: New Edition
  • Edition number: 2
  • Pages: 464
  • Sales rank: 1,536,617
  • Product dimensions: 7.20 (w) x 10.10 (h) x 1.70 (d)

Meet the Author

Richard E. Cascarino, MBA, CIA, CISA, CISM, is a consultantand lecturer with over thirty years’ experience in internal,forensic, risk, and computer auditing. He is Managing Director ofRichard Cascarino & Associates, a successful audit training andconsultancy company. For the last twenty-five years, they have beenproviding consultancy and professional development services toclients throughout the southern African region as well as Europe,the Middle East, and the United States. He is a past president fthe Institute of Internal Auditors South Africa (IIA SA), was thefounding Regional Director of the Southern African Region of theIIA Inc., and is a member of both the Information Systems Audit andControl Association and the Association of Certified FraudExaminers.

Read More Show Less

Table of Contents

Preface xvii


Chapter 1: Technology and Audit 3

Technology and Audit 4

Batch and Online Systems 8

Electronic Data Interchange 20

Electronic Business 21

Cloud Computing 22

Chapter 2: IT Audit Function Knowledge 25

Information Technology Auditing 25

What Is Management? 26

Management Process 26

Understanding the Organization’s Business 27

Establishing the Needs 27

Identifying Key Activities 27

Establish Performance Objectives 27

Decide the Control Strategies 27

Implement and Monitor the Controls 28

Executive Management’s Responsibility and CorporateGovernance 28

Audit Role 28

Conceptual Foundation 29

Professionalism within the IT Auditing Function 29

Relationship of Internal IT Audit to the External Auditor 30

Relationship of IT Audit to Other Company Audit Activities30

Audit Charter 30

Charter Content 30

Outsourcing the IT Audit Activity 31

Regulation, Control, and Standards 31

Chapter 3: IT Risk and Fundamental Auditing Concepts33

Computer Risks and Exposures 33

Effect of Risk 35

Audit and Risk 36

Audit Evidence 37

Conducting an IT Risk-Assessment Process 38

NIST SP 800 30 Framework 38

ISO 27005 39

The “Cascarino Cube” 39

Reliability of Audit Evidence 44

Audit Evidence Procedures 45

Responsibilities for Fraud Detection and Prevention 46

Notes 46

Chapter 4: Standards and Guidelines for IT Auditing47

IIA Standards 47

Code of Ethics 48

Advisory 48

Aids 48

Standards for the Professional Performance of Internal Auditing48

ISACA Standards 49

ISACA Code of Ethics 50

COSO: Internal Control Standards 50

BS 7799 and ISO 17799: IT Security 52


BSI Baselines 54

Note 55

Chapter 5: Internal Controls Concepts Knowledge 57

Internal Controls 57

Cost/Benefit Considerations 59

Internal Control Objectives 59

Types of Internal Controls 60

Systems of Internal Control 61

Elements of Internal Control 61

Manual and Automated Systems 62

Control Procedures 63

Application Controls 63

Control Objectives and Risks 64

General Control Objectives 64

Data and Transactions Objectives 64

Program Control Objectives 66

Corporate IT Governance 66

COSO and Information Technology 68

Governance Frameworks 70

Notes 71

Chapter 6: Risk Management of the IT Function 73

Nature of Risk 73

Risk-Analysis Software 74

Auditing in General 75

Elements of Risk Analysis 77

Defining the Audit Universe 77

Computer System Threats 79

Risk Management 80

Notes 83

Chapter 7: Audit Planning Process 85

Benefits of an Audit Plan 85

Structure of the Plan 89

Types of Audit 91

Chapter 8: Audit Management 93

Planning 93

Audit Mission 94

IT Audit Mission 94

Organization of the Function 95

Staffing 95

IT Audit as a Support Function 97

Planning 97

Business Information Systems 98

Integrated IT Auditor versus Integrated IT Audit 98

Auditees as Part of the Audit Team 100

Application Audit Tools 100

Advanced Systems 100

Specialist Auditor 101

IT Audit Quality Assurance 101

Chapter 9: Audit Evidence Process 103

Audit Evidence 103

Audit Evidence Procedures 103

Criteria for Success 104

Statistical Sampling 105

Why Sample? 106

Judgmental (or Non-Statistical) Sampling 106

Statistical Approach 107

Sampling Risk 107

Assessing Sampling Risk 108

Planning a Sampling Application 109

Calculating Sample Size 111

Quantitative Methods 111

Project-Scheduling Techniques 116

Simulations 117

Computer-Assisted Audit Solutions 118

Generalized Audit Software 118

Application and Industry-Related Audit Software 119

Customized Audit Software 120

Information-Retrieval Software 120

Utilities 120

On-Line Inquiry 120

Conventional Programming Languages 120

Microcomputer-Based Software 121

Test Transaction Techniques 121

Chapter 10: Audit Reporting Follow-up 123

Audit Reporting 123

Interim Reporting 124

Closing Conferences 124

Written Reports 124

Clear Writing Techniques 125

Preparing to Write 126

Basic Audit Report 127

Executive Summary 127

Detailed Findings 128

Polishing the Report 129

Distributing the Report 129

Follow-up Reporting 129

Types of Follow-up Action 130


Chapter 11: Management 133

IT Infrastructures 133

Project-Based Functions 134

Quality Control 138

Operations and Production 139

Technical Services 140

Performance Measurement and Reporting 140

Measurement Implementation 141

Notes 145

Chapter 12: Strategic Planning 147

Strategic Management Process 147

Strategic Drivers 148

New Audit Revolution 149

Leveraging IT 149

Business Process Re-Engineering Motivation 150

IT as an Enabler of Re-Engineering 151

Dangers of Change 152

System Models 152

Information Resource Management 153

Strategic Planning for IT 153

Decision Support Systems 155

Steering Committees 156

Strategic Focus 156

Auditing Strategic Planning 156

Design the Audit Procedures 158

Note 158

Chapter 13: Management Issues 159

Privacy 161

Copyrights, Trademarks, and Patents 162

Ethical Issues 162

Corporate Codes of Conduct 163

IT Governance 164

Sarbanes-Oxley Act 166

Payment Card Industry Data Security Standards 166

Housekeeping 167

Notes 167

Chapter 14: Support Tools and Frameworks 169

General Frameworks 169

COSO: Internal Control Standards 172

Other Standards 173

Governance Frameworks 176

Note 178

Chapter 15: Governance Techniques 179

Change Control 179

Problem Management 181

Auditing Change Control 181

Operational Reviews 182

Performance Measurement 182

ISO 9000 Reviews 184


Chapter 16: Information Systems Planning 187

Stakeholders 187

Operations 188

Systems Development 189

Technical Support 189

Other System Users 191

Segregation of Duties 191

Personnel Practices 192

Object-Oriented Systems Analysis 194

Enterprise Resource Planning 194

Cloud Computing 195

Notes 197

Chapter 17: Information Management and Usage 199

What Are Advanced Systems? 199

Service Delivery and Management 201

Computer-Assisted Audit Tools and Techniques 204

Notes 205

Chapter 18: Development, Acquisition, and Maintenance ofInformation Systems 207

Programming Computers 207

Program Conversions 209

No Thanks Systems Development Exposures 209

Systems Development Controls 210

Systems Development Life Cycle Control: Control Objectives210

Micro-Based Systems 212

Cloud Computing Applications 212

Note 213

Chapter 19: Impact of Information Technology on the BusinessProcesses and Solutions 215

Impact 215

Continuous Monitoring 216

Business Process Outsourcing 218

E-Business 219

Notes 220

Chapter 20: Software Development 221

Developing a System 221

Change Control 225

Why Do Systems Fail? 225

Auditor’s Role in Software Development 227

Chapter 21: Audit and Control of Purchased Packages andServices 229

IT Vendors 230

Request For Information 231

Requirements Definition 231

Request for Proposal 232

Installation 233

Systems Maintenance 233

Systems Maintenance Review 234

Outsourcing 234

SAS 70 Reports 234

Chapter 22: Audit Role in Feasibility Studies and Conversions237

Feasibility Success Factors 237

Conversion Success Factors 240

Chapter 23: Audit and Development of Application Controls243

What Are Systems? 243

Classifying Systems 244

Controlling Systems 244

Control Stages 245

Control Objectives of Business Systems 245

General Control Objectives 246

CAATs and Their Role in Business Systems Auditing 247

Common Problems 249

Audit Procedures 250

CAAT Use in Non-Computerized Areas 250

Designing an Appropriate Audit Program 250


Chapter 24: Technical Infrastructure 255

Auditing the Technical Infrastructure 257

Infrastructure Changes 259

Computer Operations Controls 260

Operations Exposures 261

Operations Controls 261

Personnel Controls 261

Supervisory Controls 262

Information Security 262

Operations Audits 263

Notes 264

Chapter 25: Service-Center Management 265

Private Sector Preparedness (PS Prep) 266

Continuity Management and Disaster Recovery 266

Managing Service-Center Change 269

Notes 269


Chapter 26: Information Assets Security Management273

What Is Information Systems Security? 273

Control Techniques 276

Workstation Security 276

Physical Security 276

Logical Security 277

User Authentication 277

Communications Security 277

Encryption 277

How Encryption Works 278

Encryption Weaknesses 279

Potential Encryption 280

Data Integrity 280

Double Public Key Encryption 281

Steganography 281

Information Security Policy 282

Notes 282

Chapter 27: Logical Information Technology Security283

Computer Operating Systems 283

Tailoring the Operating System 284

Auditing the Operating System 285

Security 286

Criteria 286

Security Systems: Resource Access Control Facility 287

Auditing RACF 288

Access Control Facility 2 289

Top Secret 290

User Authentication 291

Bypass Mechanisms 293

Security Testing Methodologies 293

Notes 295

Chapter 28: Applied Information Technology Security297

Communications and Network Security 297

Network Protection 298

Hardening the Operating Environment 300

Client Server and Other Environments 301

Firewalls and Other Protection Resources 301

Intrusion-Detection Systems 303

Note 304

Chapter 29: Physical and Environmental Security 305

Control Mechanisms 306

Implementing the Controls 310


Chapter 30: Protection of the Information TechnologyArchitecture and Assets: Disaster-Recovery Planning 313

Risk Reassessment 314

Disaster—Before and After 315

Consequences of Disruption 317

Where to Start 317

Testing the Plan 319

Auditing the Plan 320

Chapter 31: Displacement Control 323

Insurance 323

Self- Insurance 327


Chapter 32: Auditing E-commerce Systems 331

E-Commerce and Electronic Data Interchange: What Is It? 331

Opportunities and Threats 332

Risk Factors 335

Threat List 335

Security Technology 336

“Layer” Concept 336

Authentication 336

Encryption 337

Trading Partner Agreements 338

Risks and Controls within EDI and E-Commerce 338

E-Commerce and Auditability 340

Compliance Auditing 340

E-Commerce Audit Approach 341

Audit Tools and Techniques 341

Auditing Security Control Structures 342

Computer-Assisted Audit Techniques 343

Notes 343

Chapter 33: Auditing UNIX/Linux 345

History 345

Security and Control in a UNIX/Linux System 347

Architecture 348

UNIX Security 348

Services 349

Daemons 350

Auditing UNIX 350

Scrutiny of Logs 351

Audit Tools in the Public Domain 351

UNIX Password File 352

Auditing UNIX Passwords 353

Chapter 34: Auditing Windows VISTA and Windows 7 355

History 355

NT and Its Derivatives 356

Auditing Windows Vista/Windows 7 357

Password Protection 358

VISTA/Windows 7 359

Security Checklist 359

Chapter 35: Foiling the System Hackers 361

Chapter 36: Preventing and Investigating InformationTechnology Fraud 367

Preventing Fraud 367

Investgation 369

Identity Theft 376

Note 376

Appendix A Ethics and Standards for the IS Auditor377

ISACA Code of Professional Ethics 377

Relationship of Standards to Guidelines and Procedures 378

Appendix B Audit Program for Application Systems Auditing379

Appendix C Logical Access Control Audit Program 393

Appendix D Audit Program for Auditing UNIX/Linux Environments401

Appendix E Audit Program for Auditing Windows VISTA andWindows 7 Environments 407

About the Author 415

About the Website 417

Index 419

Read More Show Less

Customer Reviews

Be the first to write a review
( 0 )
Rating Distribution

5 Star


4 Star


3 Star


2 Star


1 Star


Your Rating:

Your Name: Create a Pen Name or

Barnes & Review Rules

Our reader reviews allow you to share your comments on titles you liked, or didn't, with others. By submitting an online review, you are representing to Barnes & that all information contained in your review is original and accurate in all respects, and that the submission of such content by you and the posting of such content by Barnes & does not and will not violate the rights of any third party. Please follow the rules below to help ensure that your review can be posted.

Reviews by Our Customers Under the Age of 13

We highly value and respect everyone's opinion concerning the titles we offer. However, we cannot allow persons under the age of 13 to have accounts at or to post customer reviews. Please see our Terms of Use for more details.

What to exclude from your review:

Please do not write about reviews, commentary, or information posted on the product page. If you see any errors in the information on the product page, please send us an email.

Reviews should not contain any of the following:

  • - HTML tags, profanity, obscenities, vulgarities, or comments that defame anyone
  • - Time-sensitive information such as tour dates, signings, lectures, etc.
  • - Single-word reviews. Other people will read your review to discover why you liked or didn't like the title. Be descriptive.
  • - Comments focusing on the author or that may ruin the ending for others
  • - Phone numbers, addresses, URLs
  • - Pricing and availability information or alternative ordering information
  • - Advertisements or commercial solicitation


  • - By submitting a review, you grant to Barnes & and its sublicensees the royalty-free, perpetual, irrevocable right and license to use the review in accordance with the Barnes & Terms of Use.
  • - Barnes & reserves the right not to post any review -- particularly those that do not follow the terms and conditions of these Rules. Barnes & also reserves the right to remove any review at any time without notice.
  • - See Terms of Use for other conditions and disclaimers.
Search for Products You'd Like to Recommend

Recommend other products that relate to your review. Just search for them below and share!

Create a Pen Name

Your Pen Name is your unique identity on It will appear on the reviews you write and other website activities. Your Pen Name cannot be edited, changed or deleted once submitted.

Your Pen Name can be any combination of alphanumeric characters (plus - and _), and must be at least two characters long.

Continue Anonymously

    If you find inappropriate content, please report it to Barnes & Noble
    Why is this product inappropriate?
    Comments (optional)