Edition:
Authors: D. P. Dube, Ved Prakash Gulati
Series:
ISBN: 9780070585690, 0070585695
Publisher: Tata McGraw-Hill Pub. Co.
Year of publication: 2005
Number of pages: 698
Language: English
File format: PDF (converted to PDF, EPUB or AZW3 on user request)
File size: 17 MB
If you need the file of the book Information system audit and assurance converted to PDF, EPUB, AZW3, MOBI or DJVU, you can notify support so that they convert the file for you.
Note that the book Information System Audit and Assurance is the original-language edition and is not a Persian translation. The International Library website offers original-language books and does not offer any books translated into or written in Persian.
Half Title Copyright Title Page Foreword Preface Acknowledgements Contents
Chapter 1: Information System Audit and Assurance An Overview Introduction Assurance Services Need for Assurance Characteristics of Assurance Services Types of Assurance Services Evolution of Information System Audit The Information System—Lifecycle in the Organization The Knowledge Requirement of an IS Auditor The Source of Such Skill Certified Information System Auditor (CISA) Benefits of IS Audit for an Organization Changing Role of Information System Auditors and the Relevance of COBIT Effect of Technology on an Auditor Introduction to COBIT IT Governance and Auditors Summary Review Questions Multiple Choice Questions Discussion and Research Questions Exercises Case Study: To Audit or Not to Audit
Chapter 2: Internal Control and Information System Audit Control Control Framework as Described in COBIT Internal Control Preventive Control Detective Control Corrective Control Compensatory Control Information System Control Procedures Internal Control and Information System Audit Audit Evidence Sampling Computer Assisted Audit Tools and Techniques (CAATTs) Standards of Internal Control Internal Control Framework for Banking Sector Summary Review Questions Multiple Choice Questions Discussions and Research Questions Exercises Case Study: Who Controls Banking?
Chapter 3: Conducting Information System Audit Audit Charter and Engagement Letter A Typical IS Audit Charter Standards, Practices and Guidelines Audit Planning Risk Assessment Information Gathering Techniques Vulnerability System Security Testing Development of Security Requirements Checklist Conducting IS Audit for Banks The Road Map for setting up Information System Audit Framework for the Bank Summary Review Questions Multiple Choice Questions Discussions and Research Questions Exercises
Chapter 4: Management Control Review Management Control Planning Information System Management Architecture Setting up of an Information Technology Framework for a Banking Organization IT Management Framework Role of the Auditor in Evaluating the Planning Process Organizing Procedure Human Resources Policies and Procedures, Relating to the Information System Hiring Promotion of Personnel Personnel Training Cross-training or Staff Backup Employee Job Performance Evaluation Job Change and Termination Outsourcing Practices Organization of Information System Area Leading Controlling Critical Success Factor (CSF) Key Goal Indicator (KGI) Key Performance Indicator (KPI) Auditing Management Control on the Information System Summary Review Questions Multiple Choice Questions Discussions and Research Questions Exercises
Chapter 5: Application Control Review Application System The Application System Types of Application System Web-based Applications—Thin Clients Thick Clients The Importance of the Application System Application Control Subsystem Factoring of the Application System Keystroke Dynamics Biometric System Terminal Restriction Temporal Restriction Usage Control Audit Trail Control of the Boundary Subsystem Operational Audit Trail of the Boundary Subsystem Existence Control of the Boundary Subsystem Input Subsystem Field Level Input Control Record Level Input Control Batch Level Input Control Data-entry Screen Design Audit Trail Control Processing Controls Other Output Controls Overall Controls Application Control and COBIT Auditing Application Control Substantive Tests Testing the Application System Testing Application Control Concurrent Processing Methodologies Conversion Audit Summary Review Questions Multiple Choice Questions Discussions and Research Questions Exercises
Chapter 6: Network Security and Control Network—A Tool for Sharing Resources Network Classification Network Topology A Brief Look at the Open System Interconnect (OSI) Model Network Cabling Network Devices The IP Network Threats to the Network Controls to Counter the Threats to Network Security Router Controls Firewall Controls Internal Security IDS Auditing Network A Sample Checklist for Network Audit Summary Review Questions Multiple Choice Questions Discussions and Research Questions Exercises
Chapter 7: Internet Banking - Risks and Controls Internet Banking—A Multiple-delivery Channel Introduction to Web Technology Hierarchy of ISPs Issues Related to Web Technology Java and Java Beans ActiveX and Active Desktop Client Server vs. Web Delegation of Authority Active Content Problems Authorization Active Content Solutions Types of Internet Banking Features of Internet Banking Generic Architecture Internet Banking in a Distributed Environment Internet Banking in a Centralized Environment Multi-layered Security Model Public Key Infrastructure (PKI) Digital Signature Basics of Penetration Testing Auditing Internet Banking Internet Banking Audit Checklist Outsourcing Issues Web Server Software Web Host Network Environment Summary Review Questions Multiple Choice Questions Discussions and Research Questions Exercises
Chapter 8: Operating System-Risks and Control Operating System (OS) Types of Operating Systems System Configurations OS Capabilities Functional Components of Operating System Operating System Services User Interface (UI) Access Controls Utility Software Hardening the OS OS Controls OS Security Consolidated Checklist Linux Security Checklist Checklist for Win2k Summary Review Questions Multiple Choice Questions Discussions and Research Questions Exercises
Chapter 9: Operational Control Review Operation Management—The IS Engine The Functional Areas of Computer Operation Management System Administration Network Administration Database Administration Control Requirements for Backup Archiving Off-site Backups Storage of Backups Backup Procedures Backup Techniques Backup Control in the Database Environment Management of IS Operation Controlling the Input/Output (IO) Function Auditing the Input/Output Operation Documentation and Program Library Audit Objective Control over Consumables Maintenance and Control, Related to Removable Storage Media Selection of Storage Media Audit Objective Technical Support and Help Desk Elements of SLA Auditing Help Desk and Technical Support Software Maintenance Quality Assurance Physical and Environmental Security Audit Objectives COBIT and Operational Control Operational Risk from a Banking Perspective What is Operational Risk Management (ORM) Why is Operational Risk Management Important How to Perform Operational Risk Management Provisioning for Operational Risks IS Audit Checklist for Operation Control Summary Review Questions Multiple Choice Questions Discussions and Research Questions Exercises
Chapter 10: Business Continuity and Disaster Recovery Introduction Need for Business Continuity and Disaster Recovery Planning What is a Disaster in an Information System? BCP vis-à-vis DRP BCP Process Data Backup/Storage Developing an Appropriate Disaster Recovery Strategy: A Case Study of a Banking Organization Business Impact Analysis (BIA) Functionality of CBS, with Internet Banking and ATM, as the Delivery Channels Core Banking Solution Internet Banking ATM Operation Auditing the BCP-DRP Summary Review Questions Multiple Choice Questions Discussions and Research Questions Exercises
Appendix A Standardized Checklist for Conducting Computer Audit 1. Business Strategy 2. Long-term IT Strategy 3. Short-range IT Plans 4. IS Security Policy 5. Implementation of Security Policy 6. IS Audit Guidelines 7. Acquisition and Implementation of Packaged Software 8. Development of Software: In-house and Outsourced 9. Physical Access Controls 10. Operating System Controls 11. Application Systems Controls 12. Database Controls 13. Network Management Network Information Security 14. Maintenance 15. Internet Banking
Appendix B Internet Banking 3. Review of Internet Banking 4. Independence 5. Competence 6. Planning 7. Performance of Internet Banking Review 8. Reporting 9. Effective Date Appendix COBIT Reference References
010.010.020 Outsourcing of IS Activities to Other Organizations 1. Background 2. Audit Charter 3. Planning 4. Performance of Audit Work 5. Reporting 6. Follow Up Activities 7. Effective Date
020.020.010 Organizational Relationship and Independence 1. Background 2. Independence 3. Planning 4. Performance of Audit Work 5. Reporting 6. Effective Date
050.010.040 Effect of Third Parties on an Organization’s IT Controls 1. Background 2. Role of Third-party Service Providers 3. Effect on Controls 4. Procedures to be Performed by the IS Auditor 5. Risks Associated with Third-party Providers 6. Contracts with Third-party Providers 7. Review of Third-party Provider Controls 8. Sub-contractors of Third Parties 9. Reporting 10. Effective Date
060.020.020 Application Systems Review 1. Background 2. Planning 3. Performance of Audit Work 4. Reporting 5. Effective Date
Appendix C A Model Information System Audit Checklist Organization and Administration Program Maintenance and System Development System Development Purchased Software Access to Data Files Access to Data Computer Processing Database Password and Other Online Controls Application Controls Output and Processing Viruses Internet Continuity of Operations
References and Suggested Reading Books Reports and Other Publications Websites
Index