Understanding and Conducting Information Systems Auditing

โœ Scribed by Veena Hingarh. Arif Ahmed


Publisher: John Wiley & Sons, Inc.
Year: 2013
Tongue: English
Leaves: 334
Edition: First
Category: Library


✦ Table of Contents


Understanding and Conducting Information Systems Auditing
Copyright
Contents
Preface
Acknowledgments
Part One: Conducting an Information Systems Audit
Chapter 1: Overview of Systems Audit
Information Systems Audit
Information Systems Auditor
Legal Requirements of an Information Systems Audit
Systems Environment and Information Systems Audit
Information Systems Assets
Classification of Controls
General Controls
Application Controls
Objective-Based Control Classification
The Impact of Computers on Information
The Impact of Computers on Auditing
Information Systems Audit Coverage
Chapter 2: Hardware Security Issues
Hardware Security Objective
Asset Classification and Control
Physical Equipment Placement and Protection
Power Supplies
Cabling Security
Physical Access and Service Disruption
Other Concerns
Information Systems Facilities
Peripheral Devices and Storage Media
Management of Peripheral Devices
Management of Removable Computer Media
Client-Server Architecture
Authentication Devices
Hardware Acquisition
Hardware Maintenance
Management of Obsolescence
Disposal of Equipment
Problem Management
Change Management
Network and Communication Issues
Policy on Use of Network and Network Services
Enforced Path
User Authentication for External Connections
Node Authentication
Segregation of Networks
Network Connection Control
Network Routing Control
Security of Network Services
Other Network Controls
Network Integrity
Network Equipment
Change Control Procedure
Network Monitoring
Protection during Transmission
Network Availability
Wireless Network Considerations
Chapter 3: Software Security Issues
Overview of Types of Software
System Software
Operating Software
Memory Resident Programs
Utility Programs
Application Software
Communication Software
Database Management Systems
Elements of Software Security
Access Control
Operational Controls
Protection against Malicious Software
Information Backup
Operator's Log
Control Issues during Installation and Maintenance
Preimplementation Issues
Postimplementation Issues
Licensing Issues
Problem and Change Management
Chapter 4: Information Systems Audit Requirements
Risk Analysis
Threats, Vulnerability, Exposure, Likelihood, and Attack
Information Systems Control Objectives
Information Systems Audit Objectives
System Effectiveness and Efficiency
Information Systems Abuse
Asset Safeguarding Objective and Process
Evidence Collection and Evaluation
Techniques of Audit Evidence Collection
Categories of Audit Evidence
Logs and Audit Trails as Evidence
Audit Trails
System Logs
Chapter 5: Conducting an Information Systems Audit
Audit Program
Audit Checklists
Resource Planning
Consistency
Audit Plan
Engagement Letter
Background Overview
Materiality Level
Techniques Used for Information Systems Planning
Audit Procedures and Approaches
System Understanding and Review
Compliance Reviews and Tests
Substantive Reviews and Tests
Audit Tools and Techniques
Testing Computer Application Program Controls
Selecting/Monitoring Data Processing Transactions
Data Verification
Analyzing Application Programs
Other Tools and Techniques
Sampling Techniques
Audit Questionnaire
Audit Documentation
Audit Report
Auditing Approaches
Auditing around the Computer
Auditing with the Computer
Auditing through the Computer
Sample Audit Work-Planning Memo
Audit Objectives and Scope
Audit Process
Testing Techniques
Audit Team Assignment
Activities and Deliverables
Sample Audit Work Process Flow
Chapter 6: Risk-Based Systems Audit
Conducting a Risk-Based Information Systems Audit
Risk Assessment
Risk Matrix
Risk and Audit Sample Determination
Sample Selection
Audit Risk Assessment
Audit Process and Audit Risk
Populating a Risk Matrix
Risk Management Strategy
Chapter 7: Business Continuity and Disaster Recovery Plan
Business Continuity and Disaster Recovery Process
Business Impact Analysis
Impact Analysis
Requirements for Recovery
Incident Response Plan
Disaster Recovery Plan
Types of Disaster Recovery Plans
Emergency Preparedness Audit Checklist
Business Continuity Strategies
Business Resumption Plan Audit Checklist
Recovery Procedures Testing Checklist
Plan Maintenance Checklist
Vital Records Retention Checklist
Forms and Documents
Alternative Site Procedure
Communication Resources
Contingency Log
Contingency Plan Contact Information
Documentation List
Emergency Procedures
External Support Agreement
Hardware Inventory
Information Asset Usage Procedure
Layout Inventory
Software Inventory
Team Staffing and Tasks
Vendor Contact List
Chapter 8: Auditing in the E-Commerce Environment
Introduction
Objectives of an Information Systems Audit in the E-Commerce Environment
General Overview
Auditing E-Commerce Functions
Preliminary Review
Implementation
Policies and Procedures
Administration
Accounting and Processing
Legal and Regulatory Matters
Internet Security Administration
E-Commerce Policies and Procedures Review
Impact of E-Commerce on Internal Control
Chapter 9: Security Testing
Cybersecurity
Cybercrimes
What Is Vulnerable to Attack?
How Cyberattacks Occur
What Is Vulnerability Analysis?
Steps of Vulnerability Analysis
Types of Vulnerability
Conducting a Vulnerability Analysis
Cyberforensics
Digital Evidence
Presenting Digital Evidence in a Court of Law
Acceptability Tests
Chapter 10: Case Study: Conducting an Information Systems Audit
Important Security Issues in Banks
User Access Management
User Registration
Authentication of Users
Password Management System
Limiting Sign-On Attempts
Unattended Terminals
Information Access Restriction
Use of System Utilities
Limitation of Connection Time
Warning
External Users
Audit Trails
Fault Logging
Logging and Reviewing of Events
Implementing an Information Systems Audit at a Bank Branch
Special Considerations in a Core Banking System
Migration Controls
Day-End Controls
Control over Periodical/Mass-Runs (System Generated Transactions)
Control over Inter-SOL Transactions
Control over Proxy/Parking Transactions
Mapping of Accounts
Application Control Review
Database and System Administration
Firewalls
Help Desk
Information Security
Logs of Activity
Departure from Normal Patterns
Management Practices
Operational Activities
Part Two: Information Systems Auditing Checklists
Chapter 11: ISecGrade Auditing Framework
Introduction
Licensing and Limitations
Methodology
Domains
Grading Structure
Selection of Checklist
Format of Audit Report
Using the Audit Report Format
Chapter 12: ISecGrade Checklists
Checklist Structure
Information Systems Audit Checklists
Chapter 13: Session Quiz
Chapter 1: Overview of Systems Audit
Chapter 2: Hardware Security Issues
Chapter 3: Software Security Issues
Chapter 4: Information Systems Audit Requirements
Chapter 5: Conducting an Information Systems Audit
Chapter 6: Risk-Based Systems Audit
Chapter 7: Business Continuity and Disaster Recovery Plan
Chapter 8: Auditing in the E-Commerce Environment
Chapter 9: Security Testing
About the Authors
About the Website
Index


📜 SIMILAR VOLUMES


Understanding and Conducting Information
โœ Veena Hingarh, Arif Ahmed ๐Ÿ“‚ Library ๐Ÿ“… 2013 ๐Ÿ› Wiley ๐ŸŒ English

A comprehensive guide to understanding and auditing modern information systems. The increased dependence on information system resources for performing key activities within organizations has made system audits essential for ensuring the confidentiality, integrity, and availability of inform

Auditing Information Systems
โœ Mario Piattini ๐Ÿ“‚ Library ๐Ÿ“… 1999 ๐Ÿ› Idea Group Publishing ๐ŸŒ English

Society's growing dependence on information technology for survival has elevated the importance of controlling and evaluating information systems. A sound plan for auditing information systems and the technology that supports them is a necessity for organizations to improve the information syste

Auditing Information Systems
โœ Jack J. Champlain ๐Ÿ“‚ Library ๐Ÿ“… 2003 ๐Ÿ› Wiley ๐ŸŒ English

This text explains how to audit the controls and security over all types of information systems environments, and provides a detailed examination of contemporary auditing issues from privacy laws to computer forensics.