

Information Technology Control and Audit, Second Edition

  • ISBN13: 9780849320323
  • ISBN10: 0849320321

  • Edition: 2nd
  • Format: Hardcover
  • Copyright: 2004-03-29
  • Publisher: Auerbach Pub
List Price: $93.95

Summary

Information Technology Control and Audit, Second Edition is an excellent introductory textbook for IT auditing. It covers a wide range of topics in the field including the audit process, the legal environment of IT auditing, security and privacy, and much more.

This textbook first examines the foundation of IT audit and control, discussing what IT auditing involves and the guidance provided by organizations in dealing with control and auditability issues. It then analyzes the process of audit and review, explores IT governance and control, and discusses the CobiT framework and steps that align IT decisions with business strategy. This volume examines project management processes that ensure that projects are controlled from inception through integration.

It continues by addressing auditing IT acquisition and implementation, describing risks and controls as related to the life cycle of application systems. It highlights the purchase and installation of new systems, as well as change management. The next section examines the auditing of IT operations in both standalone and global environments, covering types of IT operation, issues related to specific platforms, risk and control assessment, and audit methods and support tools.

The textbook concludes with a review of emerging issues, providing undergraduate and graduate students with a thorough overview of a topic critical to organizational security and integrity.

Table of Contents

ABOUT THE AUTHORS xxix
FOREWORD AND ACKNOWLEDGMENT xxxiii
PART I A FOUNDATION FOR IT AUDIT AND CONTROL 1(114)
Chapter 1 Information Technology Environment: Why Are Controls and Audit Important?
3(26)
IT Today and Tomorrow
5(2)
Information Integrity, Reliability, and Validity: Their Importance in Today's Global Business Environment
7(2)
Legal Issues Impacting IT
9(1)
Federal Financial Integrity Legislation
10(1)
Federal Security Legislation
11(3)
The Computer Fraud and Abuse Act (CFAA)
11(1)
The Computer Security Act of 1987
12(1)
The Homeland Security Act of 2002 (Inclusion of the Cyber Security Enhancement Act)
13(1)
Privacy on the Information Superhighway
14(1)
Private Information Available for the Taking
14(1)
Privacy Legislation and the Federal Government Privacy Act
15(3)
Electronic Communications Privacy Act
16(1)
Communications Decency Act of 1995
17(1)
Health Insurance Portability and Accountability Act - 1996
18(1)
Current Legislative Activities: Security, Privacy, and Audit
18(2)
Control and Audit: A Global Concern
20(1)
E-Commerce and Electronic Funds Transfer
21(1)
Future of Electronic Payment Systems
21(1)
Conclusion
22(1)
Review Questions
23(3)
Multiple Choice
23(3)
Exercises
26(1)
Answers to Multiple Choice Questions
26(1)
References
26(3)
Chapter 2 Audit and Review: Its Role in Information Technology
29(30)
The Need for the IT Audit Function
30(1)
Auditing Concerns
31(1)
The Reviewers of Information System Policies, Procedures, Standards, and Their Applications
32(1)
What Are the Policies and Procedures of Management?
32(1)
Auditors Have Standards of Practice
33(1)
Auditors Must Have Independence
34(1)
The Practice of Continuous Reassessment
35(1)
High Ethical Standards
36(1)
The Auditor: Knowledge, Skills, and Abilities
37(1)
Broadest Experiences
38(3)
Supplemental Skills
41(1)
Trial and Error
42(1)
Objective and Context
42(1)
The Role of the IT Auditor
43(1)
The IT Auditor as Counselor
44(1)
The IT Auditor as Partner of Senior Management
45(1)
Types of Auditors and Their Duties, Functions, and Responsibilities
45(2)
The Internal Audit Function
46(1)
The External Auditor
46(1)
Legal Implications
47(1)
Management Responsibilities Today
48(1)
Risk Assessment
48(3)
Three Perspectives on Risk
49(2)
The Guardians
49(1)
The Gatekeepers
50(1)
Application of Risk Assessment
51(1)
Participation in Corporate IT Audit Planning
51(1)
The Organization's Responsibility in Developing IT Audit Skills
52(1)
Conclusion
53(1)
Chapter Review Test
54(3)
Multiple Choice
54(2)
Exercises
56(1)
Answers to Multiple Choice Questions
56(6)
Notes
56(1)
References
57(2)
Chapter 3 The Audit Process in an Information Technology Environment
59(34)
IT Auditing: What Is it?
59(1)
The Audit Process
60(1)
The Situation and the Problem - from EFCA to Enron
61(1)
Audit Standards
62(2)
Similarities
63(1)
Differences
63(1)
The Importance of Audit Independence
64(1)
Past and Current Accounting and Auditing Pronouncements
65(1)
AICPA Pronouncements - from the Beginning to Now
65(2)
Other Standards
67(2)
Financial Auditing
69(1)
Generally Accepted Accounting Principles (GAAP)
69(1)
Generally Accepted Auditing Standards (GAAS)
69(1)
General Standards
69(1)
Field Work Standards
70(1)
Reporting Standards
70(1)
Planning the Audit
70(1)
Using the Plan to Identify Problems
71(1)
Organizing the Audit
72(1)
Preliminary Review
72(1)
General Data Gathering
73(1)
Identifying Financial Application Areas
74(1)
Preparing an Audit Plan
74(1)
Field Work and Implementing Audit Methodology
74(1)
Audit Tools and Techniques
75(1)
Flowcharting as an Analysis Tool
76(6)
Understanding How Computers Process Data
77(1)
Identifying Documents and Their Flow through the System
78(2)
Defining Critical Data
80(1)
Developing Audit Data Flow Diagrams
80(1)
Evaluating the Quality of System Documentation
80(1)
Assessing Controls over Documents
81(1)
Determining the Effectiveness of Processing under Computer Programs
81(1)
Evaluating the Usefulness of Reports
81(1)
Appropriateness of Flowcharting Techniques
82(1)
Validation of Work Performed
83(1)
Using Personal Computing Technology
84(1)
The Audit Report and Follow-Up
85(2)
Post-Audit
87(1)
Conclusion
87(1)
Chapter Review Questions
88(4)
Multiple Choice
89(1)
Exercises
90(1)
Multiple Choice Answers
91(1)
References
92(1)
Chapter 4 Auditing Information Technology Using Computer-Assisted Audit Tools and Techniques
93(22)
Auditor Productivity Tools
94(3)
Audit Planning and Tracking
95(1)
Documentation and Presentations
95(1)
Communication
95(1)
Data Management
96(1)
Resource Management
96(1)
Groupware
97(1)
Using CAATs in the Audit Process
97(2)
Technical Skills and Tools
99(10)
Generalized Audit Software
99(1)
Application Testing
99(1)
Designing Tests of Controls
99(1)
Data Analysis
100(1)
Compliance Testing
100(1)
Continuous Monitoring
100(1)
Application Controls
101(2)
Spreadsheet Controls
101(1)
Database Controls
102(1)
Audit Functions
103(4)
Items of Audit Interest
103(1)
Audit Mathematics
103(2)
Data Analysis
105(1)
System Validation
106(1)
Sampling
107(4)
Random Attribute Sampling
107(1)
Variable Sampling Techniques
108(1)
Computer Forensics: Methods and Techniques
109(2)
Conclusion
111(1)
Chapter Review Questions
111(3)
Multiple Choice
112(1)
Exercises
113(1)
Answers to Multiple Choice Questions
114(1)
References
114(1)
PART II AUDITING IT PLANNING AND ORGANIZATION 115(96)
Chapter 5 IT Strategy and Standards
121(20)
Architecture and Standards
123(2)
Policies and Procedures
124(1)
Audit Involvement
124(1)
An Example of Standards: Technology Risk Management Regulations
125(2)
Where Does Technology Risk Management Belong?
127(2)
The Strategy: An Effective Technology Risk Management Program
129(7)
Example: Importance of Business Strategy in Customer Relationship Management
131(1)
Focus on Technology
132(1)
Resistance to Change
133(1)
Barriers to User Adoption
134(2)
Conclusion
136(1)
Review Questions
136(2)
Multiple Choice Questions
136(2)
Exercises
138(1)
Multiple Choice
138(1)
References
138(3)
Chapter 6 Planning and Controlling
141(20)
Governance Processes
141(1)
Demand Management
141(2)
Project Initiation
143(1)
Technical Review
143(1)
Procurement and Vendor Management
143(1)
Strategic Sourcing and Vendor Management
144(1)
Resource Management and Service Management
144(3)
Financial Management and Budgeting
147(1)
Operating Budget
147(1)
Chargeback
147(1)
Advantages
147(1)
Disadvantages
147(1)
Capital Budgeting
148(1)
The Importance of Project Planning and Control in the Systems Development Life Cycle (SDLC)
148(3)
Project Planning and Control: E-Commerce Security as a Strategic and Structural Problem
151(1)
Information Security Management Systems (ISMS)
152(1)
The Planning and Control Approach to E-Commerce Security Management
152(3)
Strategic Aspect
152(1)
Organizational Aspect
153(1)
Technical Aspect
153(1)
Financial Aspect
154(1)
Legal Aspect
154(1)
Conclusion
155(2)
Audit Involvement in Planning and Analysis
155(1)
Conception of the Plan
156(1)
Project Organization
156(1)
Review Questions
157(2)
Multiple Choice Questions
157(2)
Exercises
159(1)
Answers to Multiple Choice Questions
159(1)
References
159(2)
Chapter 7 Project Management
161(22)
Project Management Process
161(2)
Project Management Body of Knowledge (PMBOK)™
163(8)
Project Management Framework
163(1)
Project Management
164(1)
Resource Management
165(1)
Program Management versus Project Management
165(1)
Project Planning
165(1)
Project Tracking and Oversight
165(1)
Project Management Tools
166(5)
The Auditor's Role in the Project Management Process
171(1)
Audit Risk Assessment
171(4)
Audit Plan
173(1)
Project Management Process Review
173(1)
Project Management
174(1)
Communication
174(1)
Recommendations
175(1)
Example of Project Management Checkpoints and Tools in a Telecom Project
175(4)
Combating User Resistance to Telecommunications Project Implementation: Involve the User
176(1)
Project Management Tools: Project Management Software
176(3)
Conclusion
179(1)
Review Questions
180(2)
Multiple Choice Questions
180(1)
Exercises
181(1)
Answers to Multiple Choice Questions
181(1)
References
182(1)
Chapter 8 Quality Management
183(28)
Software Development Standards
183(6)
Capability Maturity Model (CMM)
184(5)
How Maturity Correlates to Quality
189(1)
Raytheon's Example
189(1)
Approaches to Software Development
190(5)
Software Development Process
191(1)
Software Development Phases
191(10)
Analysis
192(1)
Design
193(1)
Construction
193(1)
Testing
193(1)
System Documentation
193(1)
Implementation
194(1)
Traditional Information Software Development
195(1)
Prototypes and Rapid Application Development (RAD)
196(1)
End-User Development (EUD)
197(1)
The Auditor's Role in the Development Process
198(2)
Risk Assessment
200(1)
Audit Plan
201(1)
Software Development Controls Review
201(1)
Software Development Life Cycle
201(3)
Analysis
202(1)
Design
202(1)
Construction
203(1)
Testing
203(1)
Documentation
204(1)
Implementation
204(1)
Post-Implementation
204(1)
Change Control
204(1)
Application Controls
204(1)
Auditing Quality Assurance
205(1)
Communication
205(1)
Recommendations
205(2)
Audit Report
207(1)
Conclusion
207(1)
Review Questions
208(2)
Multiple Choice Questions
208(1)
Exercises
209(1)
Answers to Multiple Choice Questions
210(1)
References
210(1)
PART III AUDITING IT ACQUISITION AND IMPLEMENTATION 211(94)
Chapter 9 Software Acquisition
215(22)
Software Acquisition Process
215(10)
Defining the Information and System Requirements
215(2)
Prototypes and Rapid Application Development (RAD)
216(1)
The Requirements Document
216(1)
Identifying Various Alternatives
217(2)
Off-the-Shelf Solutions
217(1)
Purchased Package
218(1)
Contracted Development
218(1)
Outsourcing a System from Another Organization
218(1)
Performing a Feasibility Analysis
219(1)
Conducting a Risk Analysis
220(1)
Defining Ergonomic Requirements
220(1)
Carrying Out the Selection Process
220(3)
Request for Information (RFI)
221(1)
Request for Bid (RFB)
221(1)
Request for Proposal (RFP)
221(1)
Evaluating Proposals
222(1)
Procuring the Selected Software
223(1)
Other Considerations for Software Contracts and Licenses
224(1)
Completing Final Acceptance
225(1)
Reviewing Software Acquisitions
225(6)
Alignment with the Company's Business and IT Strategy
226(1)
Definition of the Information Requirements
226(1)
Prototypes
226(1)
Feasibility Studies (Cost, Benefits, Etc.)
227(1)
Identification of Functionality, Operational, Acceptance, and Maintenance Requirements
228(1)
Conformity with Existing Information and System Architectures
228(1)
Adherence to Security and Control Requirements
229(1)
Knowledge of Available Solutions
229(1)
Understanding of the Related Acquisition and Implementation Methodologies
229(1)
Involvement and Buy-In from the User
230(1)
Supplier Requirements and Viability
230(1)
Other Resources for Help and Assistance
231(1)
Conclusion
232(1)
Review Questions
232(3)
Multiple Choice
233(2)
Exercises
235(1)
Answers to Multiple Choice Questions
235(1)
References
235(2)
Chapter 10 System Implementation
237(20)
The System Implementation Process
237(1)
Implementation Approach
238(3)
System Testing
238(1)
User Processes and Procedures
239(1)
Management Reports and Controls
240(1)
Problem Management/Reporting
240(1)
User Acceptance Testing
240(1)
Acceptance Team
241(1)
Agreed-Upon Requirements
241(1)
Management Approval
241(1)
Help Desk and Production Support Training and Readiness
241(4)
Data Conversion and Data Correction Processes
242(1)
Operational Procedures and Readiness
243(1)
IT Disaster/Continuity Plans
244(1)
Security
244(1)
Case Example: GMA Business Overview and Profile
245(5)
IT Solutions for GMA
246(1)
Major E-Commerce Security Implementation Issues at GMA
247(4)
Awareness Assessment
247(2)
Implementing Risk Analysis and Controls at GMA
249(1)
Summary
250(1)
Conclusion
251(1)
Review Questions
251(3)
Multiple Choice
252(2)
Exercises
254(1)
Answers to Multiple Choice Questions
254(1)
References
254(3)
Chapter 11 Application Risks and Controls
257(28)
Application Risks
257(5)
Weak Security
258(1)
Unauthorized Access or Changes to Data or Programs
258(1)
Unauthorized Remote Access
259(1)
Inaccurate Information
259(1)
Erroneous or Falsified Data Input
259(1)
Misuse by Authorized End Users
259(1)
Incomplete Processing
260(1)
Duplicate Transaction Processing
260(1)
Untimely Processing
260(1)
Communications System Failure
260(1)
Inadequate Testing
260(1)
Inadequate Training
260(1)
Inadequate Support
261(1)
Insufficient Documentation
262(1)
End-User Computing (EUC) Application Risks
262(6)
Inefficient Use of Resources
264(1)
Incompatible Systems
264(1)
Redundant Systems
264(1)
Ineffective Implementations
265(1)
Absence of Segregation of Duties
265(1)
Incomplete System Analysis
265(1)
Unauthorized Access to Data or Programs
265(1)
Copyright Violations
266(1)
The Destruction of Information by Computer Viruses
267(1)
Electronic Data Interchange (EDI) Application Risks
268(2)
Implications of Risks in an EDI System
270(1)
Application Controls
270(7)
Input Controls
271(1)
Interfaces
271(1)
Authenticity
271(1)
Accuracy
272(1)
Processing Controls
272(1)
Completeness
273(1)
Error Correction
274(1)
Output Controls
275(1)
Reconciliation
275(1)
Distribution
275(1)
Retention
276(1)
Functional Testing and Acceptance
276(1)
Management Approval
276(1)
Documentation Requirements
277(1)
Application Software Life Cycle
277(1)
System Development Methodology
277(1)
User Interface
278(1)
Application Maintenance
278(2)
Application Maintenance: Defined
278(1)
Corrective Maintenance
278(1)
Adaptive Maintenance
279(1)
Perfective Maintenance
279(1)
Measuring Risk for Application Maintenance
279(1)
Conclusion
280(1)
Chapter Review Questions
281(3)
Multiple Choice
281(2)
Exercises
283(1)
Answers to Multiple Choice Questions
284(1)
References
284(1)
Chapter 12 Change Management
285(20)
Vulnerabilities in Software Development and Change Control
285(1)
Software Configuration Management
286(1)
IT Change Management
287(1)
Change Management System
287(1)
Change Request Process
287(2)
Impact Assessment
289(3)
Controls over Changes
292(1)
Emergency Change Process
292(1)
Revisions to Documentation and Procedures
292(1)
Authorized Maintenance
293(1)
Software Release Policy
293(1)
Software Distribution Process
294(1)
Change Management Example
295(3)
Objectives
295(1)
Scope
296(1)
Change Management Boards or Committees
296(1)
Criteria for Approving Changes
297(1)
Post-Implementation
298(1)
Organizational Change Management
298(1)
Organizational Culture Defined
298(2)
Managing Organizational Change Management
299(1)
Conclusion
300(1)
Review Questions
301(3)
Multiple Choice
301(2)
Exercises
303(1)
Answers to Multiple Choice Questions
303(1)
References
304(1)
PART IV AUDITING IT OPERATIONS: FROM STANDALONE TO GLOBAL 305(174)
Chapter 13 IT Operations Environments: Complexities and Control Issues
307(28)
The Virtual Environment
308(3)
Areas of Control and Risk Issues
310(1)
IT Operations Issues in Network Installation
311(3)
Types of WANs
314(1)
Elements of WANs
315(3)
Access Methods
315(1)
Connective Devices
315(1)
Bridges
315(1)
Routers
315(1)
Protocols
315(1)
Network Services
316(1)
Frame Relay Network Services
316(1)
Asynchronous Transfer Mode Network Services
317(1)
The Network Management System
317(1)
Network Topologies
317(1)
Star Topology
317(1)
Ring Topology
317(1)
Bus Topology
318(1)
Mesh Topology
318(1)
Hybrid Topology
318(1)
Tools for Network Monitoring
318(2)
Protocol Analyzers
318(1)
WAN Protocol Analyzers
319(1)
Network Monitors
319(1)
Network Management Software
319(1)
General Statistical Tools
320(1)
Hybrids
320(1)
The Internet, Intranet, and Extranet
320(9)
Personal Accounts
323(1)
Commercial Gateways
324(1)
Commercial Services
324(1)
LAN Security Issues: Wired versus Wireless
324(1)
What Can Be Done to the Wired LANs?
324(1)
Physical Security: Site Control and Management
324(1)
User Authentication
325(1)
Eavesdropping Countermeasures
325(1)
Why WLANs Are More Secure
325(1)
Spread-Spectrum Technology
325(1)
Station Authentication
326(1)
Physical Security
326(1)
Network Management Control Issues
327(1)
Importance of National Information Infrastructure
328(1)
Conclusion
329(1)
Questions
330(2)
Multiple Choice
330(2)
Exercises
332(1)
Answers to Multiple Choice Questions
332(1)
References
332(3)
Chapter 14 Operational Control Issues
335(28)
Organizational Policy and Organization Controls
335(1)
Data Files and Program Controls
336(1)
Backup/Restart and Disaster Recovery Controls
337(1)
Physical Security and Access Controls
337(1)
Environmental Controls
338(2)
COBIT Operational Controls
340(1)
Comparing COBIT and General Controls for Operational Auditing
340(5)
Problem Management Auditing
345(1)
Problem Management Auditing in Action Overview
345(2)
Purpose
346(1)
Scope
346(1)
Objectives
346(1)
Key Success Factors
347(1)
Introduction to Data Center Reviews
347(1)
Data Center Audit Program
348(2)
A. Administration of IT Activities
348(1)
Audit Steps
348(1)
B. Operating Systems Software and Data
349(1)
Audit Steps
349(1)
C. Computer Operations/Business Resumption
349(1)
Audit Steps
349(1)
D. Security Administration
350(1)
Audit Steps
350(1)
Software and Data Security Controls
350(2)
Physical and Environmental Controls Management
350(1)
Data Access Management
351(1)
Policy and Procedures Documentation
351(1)
Data and Software Backup Management
351(1)
Other Management Controls
351(1)
The Call Center (CC) Concept
352(2)
New Audit Responsibilities
354(1)
Developing Audit Software in the CC
354(1)
Auditing the CC
355(4)
The System Development Life Cycle
356(1)
Data Integrity
357(1)
Data Security
357(1)
Physical Security and Recovery Procedures
358(1)
Computer Resources
358(1)
Department Standards
358(1)
Conclusion
359(1)
Review Questions
359(3)
Multiple Choice
360(1)
Exercises
361(1)
Answers to Multiple Choice Questions
362(1)
References
362(1)
Chapter 15 Assessing Risk in IT Operations
363(46)
Risk Assessment
363(1)
Available Guidance
363(7)
U.S. National Institute of Standards and Technology (NIST)
364(1)
Government Accounting Office (GAO)
364(1)
American Institute of Certified Public Accountants (AICPA)
365(4)
Information Systems Audit and Control Association (ISACA)
369(1)
Institute of Internal Auditors (IIA)
369(1)
Committee of Sponsoring Organizations of the Treadway Commission (COSO)
370(1)
Introduction to ERM/ORM
370(9)
What Is ERM/ORM?
371(1)
Enterprise/Operational Risk Management
371(1)
Why ERM/ORM?
371(6)
Organizational Oversight
371(2)
Magnitude of Problem
373(1)
Increasing Business Risks
373(1)
Regulatory Issues
373(2)
Market Factors
375(1)
Corporate Governance
376(1)
Best Practice
376(1)
Concluding Thoughts on ERM/ORM
377(2)
Web and Java Risk Issues
379(1)
Perceived Risks
379(1)
Internet Security
380(12)
Security Tools and Technologies
380(1)
Encryption Technologies
380(1)
Security Policies and Procedures
381(1)
Internet Firewalls
382(2)
Internet Firewall Configurations - Bastion Host
384(1)
Choke Router/Screened Host
384(1)
Firewalls in a Partitioned Network
385(1)
Practical Web Security Solutions
386(2)
A Backdoor Connection
386(1)
A Network Firewall
387(1)
A Pseudo Firewall
387(1)
Java Risk Issues
388(2)
World Wide Web and Java Risk Conclusions
390(2)
IT Insurance Risk
392(8)
Problems Addressed
392(1)
Insurance Requirements
392(2)
Reduction and Retention of Risks
394(1)
Risk Management
394(2)
Determination of Objectives
396(1)
IT Risk Identification
396(1)
IT Risk Assessment Tools and Techniques
397(1)
IT Risk Evaluation
398(1)
IT Risk Management
398(2)
How to Determine IT Insurance Coverage
400(2)
Conclusion
402(1)
Chapter Review Questions
403(2)
Multiple Choice
403(2)
Exercises
405(1)
Answers to Multiple Choice Questions
405(1)
Notes
405(1)
References
405(4)
Chapter 16 Audit Methods and Techniques for Operations
409(30)
Auditing Contingency and Disaster Recovery Planning
410(2)
Audit of Disaster Recovery Planning Steps
410(3)
Written Disaster Recovery Plan
411(1)
Mission Statement for Disaster Recovery Plan
411(1)
Disaster Recovery Plan Tests and Drill
412(1)
Auditing DBMS Recovery
412(1)
Importance of DBMS Recovery
413(7)
The Recovery Process
414(1)
Transaction Properties
414(1)
Causes of DBMS Failure
415(1)
Database Users
416(2)
Database Administrator
416(1)
Applications and Systems Programmers
417(1)
Web Designers and Developers
417(1)
End Users
417(1)
Backup and Recovery of the Data Warehouse
418(1)
Data Warehouse Integrity Check List
419(1)
Trends in Data Warehousing
419(1)
Auditing Data Communications
420(2)
Data Communications Controls
422(3)
LAN Audit and Security Issues: Wired versus Wireless
425(7)
What Can Be Done to the Wired LANs?
426(1)
Physical Security: Site Control and Management
426(1)
User Authentication
426(1)
Eavesdropping Countermeasures
426(1)
For Wireless: Key Audit and Security Checkpoints
427(1)
Control Concerns with IEEE 802.11 Wired Equivalent Privacy (WEP) Protocol
427(1)
Station Authentication
427(1)
Physical Security
427(1)
IEEE 802.11i Robust Security Network Standard
428(1)
Auditing End-User Computing
428(1)
Preliminary Audit Planning
428(1)
Defining the Audit Methodology
429(1)
Defining the Scope and Content of the Audit
429(1)
The Audit Plan
429(1)
Reviewing the EUC Group's Procedures and Objectives
430(1)
Evaluating the EUC Groups' Effectiveness by Reviewing Their Documentation
431(1)
Audit Testing
431(1)
The Audit Report
432(1)
Conclusion
432(1)
Chapter Review Questions
433(3)
Multiple Choice
434(1)
Exercises
435(1)
Answers to Multiple Choice Questions
435(1)
References
436(3)
Chapter 17 Using Tools and Techniques in IT Operation Reviews
439(40)
Computer-Assisted Audit Tools and Techniques for Operational Reviews
440(3)
Systems Maintenance
443(1)
Definition of Systems Maintenance
443(1)
Change Control
444(5)
Points of Change Origination and Initiation
445(3)
Approval Points
448(1)
Changes to Documentation
448(1)
Review Points
449(1)
Reviewing Operating Systems
449(3)
Types and Uses of System Software
451(1)
Reliance on Systems Software
452(2)
Controlling Access to Systems Software
454(1)
Controlling Changes to System Software
455(1)
SAP Implementation and Control Issues
455(8)
Understanding the Corporate Culture
455(1)
Understood and Complete Process Changes
456(1)
Communication: Never Enough!
456(1)
Management Support
456(1)
SAP Project Manager Competence
457(1)
The Team
457(1)
Project Methodology: It Is Important
458(1)
Training
458(1)
Commit to the Change
458(1)
Establishing Security and Controls
459(1)
Security Features of the Basis Component
459(1)
Summary of Access Control
460(1)
Administrative Controls
460(1)
Accountability
460(1)
Access Control
461(1)
Confidentiality, Integrity, and Security Management
461(1)
EDI and Internet Security
462(1)
The ISO 9001 Review
463(1)
CRBE (Formerly Known as CTQA)
463(1)
SEI
463(1)
ISO 9000
464(1)
Getting Started: ISO 9000
464(3)
E-Q-NET
465(1)
More about NSAI
465(1)
Principal Themes of an ISO 9000 Review
466(1)
Computer Forensics
467(1)
WebMetrics: An Introduction
468(2)
WebMetrics as an Audit Tool
470(1)
Overview
470(1)
Conclusion
471(1)
Review Questions
472(3)
Multiple Choice
473(2)
Exercises
475(1)
Multiple Choice Answers
475(1)
References
475(4)
PART V EMERGING ISSUES IN IT AUDIT 479(150)
Chapter 18 The Legal Environment and Its Impact on Information Technology: From IT Crime Law to IT Contract Law to Netlaw
483(42)
IT Crime Issues
484(2)
Protection against Computer Fraud
486(1)
The Computer Fraud and Abuse Act (CFAA)
487(2)
Computer Abuse Amendments Act
489(6)
Sarbanes-Oxley Act (Public Law 107-204)
489(16)
Major Points from the Sarbanes-Oxley Act of 2002
491(3)
Criminal Intent
494(1)
Penalties and Requirements under Title VIII of the Act
495(1)
Penalties and Requirements under Title IX of the Act
495(1)
Remedies and Effectiveness
495(2)
Legislation Providing for Civil and Criminal Penalties
497(1)
The Computer Security Act of 1987
498(2)
The Homeland Security Act of 2002
500(2)
IT Contract Issues
502(3)
Netlaw: Privacy on the Information Superhighway
505(3)
Private Information Available for the Taking
505(3)
The National Strategy for Securing Cyberspace
508(3)
Methods that Provide for Protection of Information
511(1)
The Web Copyright Law
511(1)
Privacy Legislation and the Federal Government Privacy Act
512(4)
Electronic Communications Privacy Act
513(2)
Communications Decency Act of 1995
515(1)
Encrypted Communications Privacy Act of 1996
515(1)
Health Insurance Portability and Accountability Act of 1996 (HIPAA)
515(1)
HIPAA Compliance
516(1)
Risk Assessment and Communications Act of 1997
516(1)
Gramm-Leach-Bliley Act of 1999
516(1)
Current Pending Bills and Other Legislative Material
516(2)
Internet Governance
518(1)
Conclusion
518(1)
Review Questions
519(3)
Multiple Choice
520(2)
Exercises
522(1)
Answers to Multiple Choice Questions
522(12)
Notes
522(1)
References
522(1)
Other Internet Sites
523(2)
Chapter 19 Security and Privacy of Information Technology: From the Individual to the Extranet/Intranet/Internet
525(42)
Information Systems Security and Privacy in 1998
526(1)
Information Systems Security and Privacy Today
527(4)
Interconnected Systems and Electronic Commerce: Global Issues
531(1)
International Organization for Standardization and ISO 17799
531(2)
The Battleground: The Internet
533(1)
The Tools
534(7)
Scanners
534(1)
Password Crackers
535(1)
Trojan Horse
536(2)
Sniffers
538(1)
Destructive Devices
538(2)
E-Mail Bombs and Worms
539(1)
Flash Bombs and War Scripts
540(1)
Denial-of-Service Attacks
540(1)
Viruses
540(1)
Exploiting the TCP/IP Holes
541(3)
IP Spoofing
543(1)
Recommendation to IT Auditors, Security, and IT Professionals
544(1)
Intranet Definition and Components
545(3)
Intranet Benefits and Obstacles
546(1)
Current Intranet Trends
547(1)
Intranet/Extranet Security
548(6)
Technology Tactics Used to Protect Networks
549(2)
Management Tactics
551(1)
Network Security Products
552(2)
A New Challenge: Wireless Technology
554(3)
Identity Theft
555(2)
The Future of Intranets and Other Networks
557(1)
Conclusions
557(4)
Review Questions
561(3)
Multiple Choice
562(1)
Exercises
563(1)
Answers to Multiple Choice Questions
564(5)
Notes
564(1)
References
564(2)
Internet References
566(1)
Chapter 20 IT Auditing: Career Planning and Development, Evaluating Audit Quality, and Best Practices
567(38)
IT Auditor Career Development and Planning
568(1)
Establishing a Career Development Plan
569(7)
Career Path Planning Needs Management Support
569(1)
Knowledge, Skills, and Abilities
570(1)
Performance Assessment
571(1)
Performance Counseling/Feedback
572(1)
Training
572(2)
Professional Development
574(2)
Evaluating IT Audit Quality
576(1)
Scope and Objectives of an IT Audit
577(1)
Computerized Systems and Applications
577(1)
Information Processing Facilities
577(1)
Systems Development
577(1)
Management of IT and Enterprise Architecture
577(1)
Client/Server, Telecommunications, Intranets, and Extranets
578(1)
The IT Auditor's Role
578(1)
Terms of Assessment
578(1)
The IT Audit and Auditor Assessment Form
579(3)
IT Audit Areas
582(3)
Audit Preparation
582(1)
Audit Objectives
582(1)
Fact Gathering
582(1)
Audit Program
582(1)
Audit Tests
583(1)
Use of Audit Tools
583(1)
Conclusions
583(1)
Findings
583(1)
Recommendations
583(1)
The Audit Report
584(1)
Working Papers
584(1)
Relations with the Auditee
584(1)
Relations with Audit Management
584(1)
Follow-Up of Audit Recommendations
584(1)
Criteria for Assessing the Audit
585(1)
Completeness
585(1)
Pertinence
585(1)
Accuracy
585(1)
Appropriate Conclusions, Findings, and Recommendations
586(1)
Follow-Up of Findings and Recommendations
586(1)
Criteria for Assessing the Auditor
586(1)
Metrics and Management
586(2)
Implementation of Measurements
588(1)
Applying the Concept
589(1)
Evaluation of IT Audit Performance
589(1)
What Is a Best Practice?
590(8)
Why Is It Important to Learn about Best Practices?
591(1)
Overview of Best Practices in IT Audit Planning
591(1)
Research
592(1)
Benchmarking
593(1)
Planning Memo
593(1)
Budget Coordination
594(1)
Risk Analysis
594(1)
Kick-Off Meeting
595(2)
Staff Mentoring
597(1)
Coaching
597(1)
Lunch Meetings
597(1)
Understand Requirements
598(1)
Conclusion
598(1)
Review Questions
599(2)
Multiple Choice
600(1)
Exercises
601(4)
Answers to Multiple Choice Questions
602(1)
References
602(3)
Chapter 21 IT Auditing in the New Millennium
605(24)
IT Auditing Trends
606(2)
The New Dimension: Information Assurances
608(2)
IT Audit: The Profession
610(1)
A Common Body of Knowledge
610(1)
Certification
611(1)
Continuing Education
611(1)
A Code of Ethics and Professional Standards
612(1)
Educational Curricula
612(1)
New Trends in Developing IT Auditors and Education
613(6)
Career Opportunities in the 21st Century
619(1)
Public Accounting
620(1)
Private Industry
620(1)
Management Consulting
620(1)
Government
621(1)
The Role of the IT Auditor in IT Governance
621(2)
The IT Auditor as Counselor
623(1)
The IT Auditor as Partner of Senior Management
623(1)
Educating the Next Generation on IT Audit and Control Opportunities
624(1)
Conclusion
624(1)
Review Questions
625(2)
Multiple Choice
625(2)
Exercises
627(1)
Answers to Multiple Choice Questions
627(1)
References
627(2)
PART VI APPENDICES 629(194)
Appendix I Information Technology Audit Cases
631(8)
Computer-Assisted Audit Cases
631(8)
Case 1: Wooback City
631(1)
Part 1
631(1)
Part 2
631(1)
Case 2: Ready or Not Auto Insurance
632(1)
Case 3: Holt Valley Hospital Services, Inc.
632(1)
Case 4: Acme Insurance Corporation
633(1)
Controls
633(1)
Case 5: OnTheRise Corporation
633(1)
Case 6: Wedco Electronics
633(1)
Case 7: Amazon Industries
634(1)
Legal Issues
635(1)
Case 8: OhMY Corporation
635(1)
Case 9: Ideal Financial
635(1)
Security Issues
636(1)
Case 10: Real-Wire
636(3)
Required
637(2)
Appendix II Bibliography of Selected Publications for Information Technology Auditors
639(28)
Government Publications
639(10)
Department of Justice of the United States
639(2)
General Accounting Office of the United States (GAO)
641(4)
National Institute of Standards and Technology (NIST)
645(3)
National Technical Information Service (NTIS)
648(1)
Publications Available from Professional Association
649(9)
American Institute of Certified Public Accountants (AICPA)
649(1)
Association for Computing Machinery
650(1)
The Canadian Institute of Chartered Accountants (CICA)
651(1)
The Information Systems Audit and Control Association & Foundation (ISACA)
651(4)
The Institute of Internal Auditors (IIA)
655(1)
International Federation for Information Processing
656(1)
International Federation of Accountants (IFAC)
657(1)
Quality Assurance Institute
657(1)
Other Publications
658(9)
Best Practices in Information Technology
658(1)
Computer Hardware and Software
658(1)
Computer, Network, and Information Security
659(1)
Enterprise Resource Planning (ERP) Systems
659(1)
Information Technology and Accounting Systems
660(1)
The Internet, E-Commerce, and Web Security
661(1)
IT Auditing and Control Systems
662(1)
Privacy of Information
663(1)
Quality Assurance
664(1)
Risk Management
665(2)
Appendix III Professional Standards That Apply to Information Technology (Audit, Security, and Privacy Issues)
667(80)
American Institute of Certified Public Accountants (AICPA)
667(18)
Information Source
668(1)
Authoritative Guide
668(17)
The Institute of Internal Auditors (IIA)
685(18)
Information Source
686(1)
Authoritative Guide
686(4)
Information Systems Audit and Control Association (ISACA)
690(1)
Authoritative Guide
690(13)
The Canadian Institute of Chartered Accountants (CICA)
703(1)
Information Source
704(1)
Authoritative Guide
704(1)
International Federation of Accountants (IFAC)
704(6)
Information Source
708(1)
Authoritative Guides
708(2)
Information System Security Association (ISSA)
710(1)
Information Source
711(1)
Authoritative Guide
711(1)
Society for Information Management (SIM)
711(1)
Information Source
711(1)
Authoritative Guide
712(1)
Association of Information Technology Professionals (AITP)
712(1)
Information Source
712(1)
Authoritative Guide
712(1)
Information Executive
712(1)
The Nanosecond
713(1)
International Federation for Information Processing (IFIP)
713(1)
Information Source
713(1)
Authoritative Guide
713(1)
IFIP Technical Committee (TC) and Working Group (WG) - Aims and Scopes
713(1)
Association for Computing Machinery (ACM)
714(11)
Information Source
714(7)
Authoritative Guide
721(4)
Editor-in-Chief: Carl Cargill, SunSoft (A division of Sun Microsystems)
721(4)
The Institute of Chartered Accountants in Australia (ICAA)
725(1)
Information Source
725(1)
Authoritative Guide
725(1)
National Institute of Standards and Technology (NIST)
725(11)
Information Source
730(1)
Authoritative Guide
730(6)
General Accounting Office (GAO)
736(1)
Information Source
737(1)
Authoritative Guide
737(1)
International Organization of Supreme Audit Institutions (INTOSAI)
737(62)
Information Source
744(1)
Authoritative Guide
744(1)
Auditing Standards
744(1)
Guidelines for Internal Control Standards
744(3)
Appendix IV Glossary
747(52)
Appendix V Sample Audit Programs
799(24)
Audit Program for Systems Maintenance
799(2)
ISO 9001 Review: Conclusion and Documents
801(1)
Lessons Learned - 9001 Review
802(1)
Conclusion
803(7)
Unisys Quality Policy
805(5)
UTOP Seven Quality Beliefs
805(1)
Orange County Quality System
805(5)
Audit Program for Operating System Security Evaluation
810(13)
Initial Checklist
810(13)
Index 823