Information Technology Control and Audit

4th Edition

By Sandra Senft, Frederick Gallegos, Aleksandra Davis

Auerbach Publications

776 pages | 127 B/W Illus.

eBook (VitalSource) : 9781466515499
pub: 2012-08-23

Description

The new edition of a bestseller, Information Technology Control and Audit, Fourth Edition provides a comprehensive and up-to-date overview of IT governance, controls, auditing applications, systems development, and operations. Aligned to and supporting the Control Objectives for Information and Related Technology (COBIT), it examines emerging trends and defines recent advances in technology that impact IT controls and audits—including cloud computing, web-based applications, and server virtualization.

Filled with exercises, review questions, section summaries, and references for further reading, this updated and revised edition promotes the mastery of the concepts and practical implementation of controls needed to manage information technology resources effectively well into the future. Illustrating the complete IT audit process, the text:

  • Considers the legal environment and its impact on the IT field—including IT crime issues and protection against fraud
  • Explains how to determine risk management objectives
  • Covers IT project management and describes the auditor’s role in the process
  • Examines advanced topics such as virtual infrastructure security, enterprise resource planning, web application risks and controls, and cloud and mobile computing security
  • Includes review questions, multiple-choice questions with answers, exercises, and resources for further reading in each chapter

This resource-rich text includes appendices with IT audit cases, professional standards, sample audit programs, bibliography of selected publications for IT auditors, and a glossary. It also considers IT auditor career development and planning and explains how to establish a career development plan. Mapping the requirements for information systems auditor certification, this text is an ideal resource for those preparing for the Certified Information Systems Auditor (CISA) and Certified in the Governance of Enterprise IT (CGEIT) exams.

Instructor's guide and PowerPoint® slides available upon qualified course adoption.

Reviews

Information Technology Control and Audit, Fourth Edition is one of a handful of books I think of as a must-have reference book on every CIO's bookshelf or in the IT department library. … certainly a tremendous reference resource for CIOs, IT managers of all types and IT auditors who need to be able to crack open a book when dealing with an issue of governance or best practice ideas on setting up IT controls for IT acquisitions. The reason this book is such a strong reference in those situations is that it aligns to the Control Objectives for Information and Related Technology (COBIT) framework, which many people find to be a better framework than ITIL when designing controls for compliance and doing audit work…. Now I know a lot of CIOs and senior IT managers might be a bit skeptical that this is a book they should dig into when they have questions or need ideas. But you will find much more credible information in this one book, faster, than you ever will searching for it online.

—The Higher Ed CIO

Read the full review at: http://blog.thehigheredcio.com/2012/10/09/book-review-information-technology-control-and-audit-fourth-edition/#ixzz2TaAb6hMh

Praise for Its Bestselling Predecessor:

I've been extremely pleased with the textbook. It is the only IT Audit textbook that is representative of how IT auditors actually scope and perform their work. The layout of the book follows the most logical learning progression for a new IT auditor, starting with the understanding of general IT controls prior to teaching application controls. Many other textbooks I reviewed did not follow this logical progression, and I found students not fully understanding how application controls are reliant upon the general controls. Information Technology Control and Audit lays out the logical control reliance to afford students the ability to understand this concept. This has given my students a head start in their respective IT audit roles … .

—Rick Savarese, CISA, Vice President of Information Technology and CSO at ECFMG; MIS/Accounting Professor, University of Delaware

Prior to becoming a professor, I worked for Ernst & Young as a Senior Manager in the Information Technology Audit area for 8 years. I have found this text to be an invaluable asset in teaching my IT Audit classes for the past 5 years. The chapter contents, illustrations, cases, and appendices bring the real world into my classroom, making my students ready for their first Information Technology Audit interview and job!

—Professor Edward Moskal, Computer & Information Sciences Department, Saint Peter's College

I currently teach a class on IT auditing and I have been using Sandra Senft and Frederick Gallegos' Information Technology Control and Audit textbook in my classroom since the Fall of 2009. In my experience, I have found that students have benefitted greatly from the book; I have been able to incorporate many of the topics from the book in my classroom discussions. The book provides a solid foundation in terms of the evolution of IT auditing, including many current drivers such as the changing regulatory and compliance landscape. The book then delves into the process of performing an IT audit, including the use of clear references to our audit standards. Students are then introduced to many technical IT audit topics such as application development, information security and IT operations and support. Throughout, the authors do a nice job of referencing COBIT and other IT risk and control frameworks. Overall, the book is an excellent resource for individuals interested in learning about the profession of IT auditing and compliance.

—Jim Enstrom, Adjunct Professor/Lecturer, DePaul University

Table of Contents

A FOUNDATION FOR IT AUDIT AND CONTROL

Information Technology Environment: Why Are Controls and Audit Important?

IT Today and Tomorrow

Information Integrity, Reliability, and Validity: Importance in Today’s Global Business Environment

Control and Audit: A Global Concern

E-Commerce and Electronic Funds Transfer

Future of Electronic Payment Systems

Legal Issues Impacting IT

Federal Financial Integrity Legislation

Federal Security Legislation

Privacy on the Information Superhighway

Privacy Legislation and the Federal Government Privacy Act

Security, Privacy, and Audit

Conclusion

Review Questions

Multiple-Choice Questions

Exercises

Answers to Multiple-Choice Questions

Further Reading

The Legal Environment and Its Impact on Information Technology

IT Crime Issues

Protection against Computer Fraud

Computer Fraud and Abuse Act

Computer Abuse Amendments Act

Remedies and Effectiveness

Legislation Providing for Civil and Criminal Penalties

Computer Security Act of 1987

Homeland Security Act of 2002

Privacy on the Information Superhighway

National Strategy for Securing Cyberspace

Methods That Provide for Protection of Information

Web Copyright Law

Privacy Legislation and the Federal Government Privacy Act

Conclusion

Review Questions

Multiple-Choice Questions

Exercises

Answers to Multiple-Choice Questions

Further Reading

Other Internet Sites

Audit and Review: Their Role in Information Technology

The Situation and the Problem

Audit Standards

Importance of Audit Independence

Past and Current Accounting and Auditing Pronouncements

AICPA Pronouncements: From the Beginning to Now

Other Standards

Financial Auditing

Generally Accepted Accounting Principles

Generally Accepted Auditing Standards

IT Auditing: What Is It?

Need for IT Audit Function

Auditors Have Standards of Practice

Auditors Must Have Independence

High Ethical Standards

Auditor: Knowledge, Skills, and Abilities

Broadest Experiences

Supplemental Skills

Trial and Error

Role of the IT Auditor

Types of Auditors and Their Duties, Functions, and Responsibilities

Legal Implications

Conclusion

Review Questions

Multiple-Choice Questions

Exercises

Answers to Multiple-Choice Questions

Further Reading

Audit Process in an Information Technology Environment

Audit Universe

Risk Assessment

Audit Plan

Developing an Audit Schedule

Audit Budget

Objective and Context

Using the Plan to Identify Problems

Audit Process

Preliminary Review

Preliminary Evaluation of Internal Controls

Design Audit Procedures

Fieldwork and Implementing Audit Methodology

Validation of Work Performed

Substantive Testing

Documenting Results

Communication Strategy

Conclusion

Review Questions

Multiple-Choice Questions

Exercises

Answers to Multiple-Choice Questions

Further Reading

Auditing IT Using Computer-Assisted Audit Tools and Techniques

Auditor Productivity Tools

Using Computer-Assisted Audit Tools in the Audit Process

Flowcharting Techniques

Flowcharting as an Analysis Tool

Appropriateness of Flowcharting Techniques

Computer-Assisted Audit Tools and Techniques for Application Reviews

Computer-Assisted Audit Tools and Techniques for Operational Reviews

Web Analysis Tools

Web Analysis Software as an Audit Tool

Computer Forensics

Conclusion

Review Questions

Multiple-Choice Questions

Exercises

Answers to Multiple-Choice Questions

Further Reading

Managing IT Audit

IT Auditor Career Development and Planning

Establishing a Career Development Plan

Evaluating IT Audit Quality

Terms of Assessment

IT Audit and Auditor Assessment Form

Criteria for Assessing the Audit

Criteria for Assessing the Auditor

Applying the Concept

Evaluation of IT Audit Performance

What Is a Best Practice?

Conclusion

Review Questions

Multiple-Choice Questions

Exercises

Answers to Multiple-Choice Questions

Further Reading

IT Auditing in the New Millennium

IT Auditing Trends

New Dimension: Information Assurance

IT Audit: The Profession

A Common Body of Knowledge

Certification

Continuing Education

A Code of Ethics and Professional Standards

Educational Curricula

New Trends in Developing IT Auditors and Education

Career Opportunities in the Twenty-First Century

Public Accounting

Private Industry

Management Consulting

Government

Role of the IT Auditor in IT Governance

IT Auditor as Counselor

IT Auditor as Partner of Senior Management

Educating the Next Generation on IT Audit and Control Opportunities

Conclusion

Review Questions

Multiple-Choice Questions

Exercises

Answers to Multiple-Choice Questions

Further Reading

AUDITING IT PLANNING AND ORGANIZATION

IT Governance

IT Processes

Enterprise Risk Management

Regulatory Compliance and Internal Controls

Performance Measurement

Metrics and Management

Metric Reporting

Independent Assurance

Participation in IT Audit Planning

Control Framework

Conclusion

Review Questions

Multiple-Choice Questions

Exercises

Answers to Multiple-Choice Questions

Further Reading

Strategy and Standards

IT Processes

Strategic Planning

IT Steering Committee

Portfolio Management

Demand Management

Project Initiation

Technical Review

Architecture and Standards

Conclusion

Review Questions

Multiple-Choice Questions

Exercises

Answers to Multiple-Choice Questions

Further Reading

Risk Management

IT Processes

Technology Risk Management

An Example of Standards: Technology Risk Management

Regulations

Where Does Technology Risk Management Belong?

IT Insurance Risk

How to Determine IT Insurance Coverage

Available Guidance

Conclusion

Review Questions

Multiple-Choice Questions

Exercises

Answers to Multiple-Choice Questions

Further Reading

Process and Quality Management

IT Processes

Roles and Responsibilities

Separation of Duties

Resource Management

Managing Quality

Quality Management Standards

How Maturity Correlates to Quality

IT Process Framework

Auditing Policies and Procedures

Conclusion

Review Questions

Multiple-Choice Questions

Exercises

Answers to Multiple-Choice Questions

Further Reading

Financial Management

IT Processes

Financial Management Framework

Investment Approval Process

Project Pricing

Realizing the Benefits from IT Investments

Financial Planning

Identify and Allocate Costs

Determining Charging Method

Structure of U.S. Guidance

IT Asset Management

Conclusion

Review Questions

Multiple-Choice Questions

Exercises

Answers to Multiple-Choice Questions

Further Reading

IT ACQUISITION AND IMPLEMENTATION

IT Project Management

IT Processes

Project Management Body of Knowledge

Auditor’s Role in the Project Management Process

Example of Project Management Checkpoints and Tools in a Telecom Project

Conclusion

Review Questions

Multiple-Choice Questions

Exercises

Answers to Multiple-Choice Questions

Further Reading

Software Development and Implementation

IT Processes

Approaches to Software Development

Software Development Process

Prototypes and Rapid Application Development

End-User Development

Traditional Information Software Development

System Implementation Process

Help Desk and Production Support Training and Readiness

Auditor’s Role in the Development Process

Risk Assessment

Audit Plan

Software Development Controls Review

Software Development Life Cycle

Conclusion

Review Questions

Multiple-Choice Questions

Exercises

Answers to Multiple-Choice Questions

Further Reading

IT Sourcing

IT Processes

Sourcing Strategy

Software Acquisition Process

Prototypes and Rapid Application Development

The Requirements Document

Off-the-Shelf Solutions

Purchased Package

Contracted Development

Outsourcing a System from Another Organization

Request for Information

Request for Bid

Request for Proposal

Evaluating Proposals

Procurement and Supplier Management

IT Contract Issues

Strategic Sourcing and Supplier Management

Auditing Software Acquisitions

Prototypes

Other Resources for Help and Assistance

Conclusion

Review Questions

Multiple-Choice Questions

Exercises

Answers to Multiple-Choice Questions

Further Reading

Application Controls and Maintenance

IT Processes

Application Risks

Electronic Data Interchange Application Risks

Application Controls

Web-Based Application, Risks, and Controls

Documentation Requirements

Application Software Life Cycle

Application Maintenance

Corrective Maintenance

Adaptive Maintenance

Perfective Maintenance

Conclusion

Review Questions

Multiple-Choice Questions

Exercises

Answers to Multiple-Choice Questions

Further Reading

Change Management

IT Processes

Change Management

Importance of Change Control

Change Control

Change Management System

Change Request Process

Impact Assessment

Controls over Changes

Emergency Change Process

Revisions to Documentation and Procedures

Authorized Maintenance

Software Release Policy

Software Distribution Process

Change Management Tools

Change Management Procedures

Configuration Management

Organizational Change Management

Organizational Culture Defined

Audit Involvement

Conclusion

Review Questions

Multiple-Choice Questions

Exercises

Answers to Multiple-Choice Questions

Further Reading

IT DELIVERY AND SUPPORT

Service Management

IT Processes

Information Technology Infrastructure Library

Implementing IT Service Management

Review Services and Requirements

Define IT Services

Service-Level Agreements

Service Design and Pricing

Processes to Engage Services

Roles and Responsibilities

Ongoing Service Management

Service Management of Third Parties

Evolution of Standards

Conclusion

Review Questions

Multiple-Choice Questions

Exercises

Answers to Multiple-Choice Questions

Further Reading

Service Desk and Problem Management

IT Processes

Training

Service Desk

Incident and Problem Management

Case Example: Acme Computing Services Business

Conclusion

Review Questions

Multiple-Choice Questions

Exercises

Answers to Multiple-Choice Questions

Further Reading

Security and Service Continuity

IT Processes

Information Systems Security

Security Threats and Risks

Security Standards

Information Security Controls

Information Custodian Responsibilities

User Responsibilities

Third-Party Responsibilities

Information Classification Designations

Contingency and Disaster Recovery Planning

Written Disaster Recovery Plan

Mission Statement for Disaster Recovery Plan

Disaster Recovery Plan Tests and Drill

Conclusion

Review Questions

Multiple-Choice Questions

Exercises

Answers to Multiple-Choice Questions

Further Reading

System Management

IT Processes

Systems Software

Systems Maintenance

Database Technology

Database Management Systems Recovery

Capacity Management

Server Virtualization

Conclusion

Review Questions

Multiple-Choice Questions

Exercises

Answers to Multiple-Choice Questions

Further Reading

Operations Management

IT Processes

Operational Maturity

Operating Policy and Procedures

Data Files and Program Controls

Physical Security and Access Controls

Environmental Controls

Output Controls

Data Communications Controls

Data Center Reviews

Software and Data Security Controls

Physical and Environmental Controls Management

Data Access Management

Policy and Procedures Documentation

Data and Software Backup Management

Other Management Controls

End-User Computing

Conclusion

Review Questions

Multiple-Choice Questions

Exercises

Answers to Multiple-Choice Questions

Further Reading

Tools for Network Monitoring

The Internet, Intranet, and Extranet

ADVANCED TOPICS

Virtual Environment

Virtual Environment

Cloud Computing

Mobile Computing

IT Operations Issues in Network Installation

Types of WANs

Elements of WANs

Conclusion

Review Questions

Multiple-Choice Questions

Exercises

Answers to Multiple-Choice Questions

Further Reading

Virtual Infrastructure Security and Risks

Information Flows in the Current Marketplace

Interconnected Systems and E-Commerce

Battleground: The Internet

Tools

Exploiting the TCP/IP Holes

Recommendation to IT Auditors, Security, and IT Professionals

Intranet/Extranet Security

Wireless Technology

Identity Theft

Conclusions

Review Questions

Multiple-Choice Questions

Exercises

Answers to Multiple-Choice Questions

Further Reading

Internet References

Virtual Application Security and Risks

E-Commerce Application Security as a Strategic and Structural Problem

Information Security Management Systems

A Planning and Control Approach to E-Commerce Security Management

Web Application Risks

Internet Security

Case Example: GMA Business Overview and Profile

Mobile Computing Security

Conclusion

Review Questions

Multiple-Choice Questions

Exercises

Answers to Multiple-Choice Questions

Further Reading

Enterprise Resource Planning

ERP Solutions

Benefits of ERP Solutions

Key Risks of ERP Solutions

Implementing ERP Systems

ERP Data Warehouse

Appendices:

Information Technology Audit Cases

Bibliography of Selected Publications for Information Technology Auditors

Professional Standards That Apply to Information Technology (Audit, Security, and Privacy Issues)

Glossary

Sample Audit Programs

Index

About the Authors

Frederick Gallegos, MBA, has expertise in IT Audit Education; IS Auditing, Security, and Control of Information Systems; Legal Environment of Information Systems; Local Area and Wide Area Network Security and Controls; Computer Ethics; Management Information Systems; Executive Support Systems; and the Internet as an Audit Resource. He has more than 35 years of teaching and practical experience in the field, has published four books, and has authored and coauthored more than 200 articles in the aforementioned subjects. He received his BS and MBA from the California State Polytechnic University, Pomona, California. He has a California Community College Instructor Credential. He taught for the Computer Information Systems Department, College of Business at California State Polytechnic University, Pomona, California, part-time from 1976 to 1996 and full-time from 1996 to 2006. After 30 years of teaching, he retired in September 2006 and received lecturer emeritus status from the university in May 2007. In February 2008, he received the Computer Information Systems (CIS) Lifetime Achievement Award from the CIS Department at Cal Poly, Pomona, California. He continues to maintain contact with, and provide consulting services to, his past undergraduate and graduate students and alumni of the CIS Department’s Information Assurance programs at the California State Polytechnic University, Pomona, California.

Before teaching full-time at Cal Poly (1996–2006), Gallegos worked for GAO—Los Angeles Regional Office (1972–1996) and advanced within GAO to serve as manager, Management and Evaluator Support Group. He managed staff involved in Office Automation, Computer Audit Support, Computer Audit, Training, Human Resource Planning and Staffing, Technical Information Retrieval, and Security/Facilities Management. He retired from GAO in 1996 with 26 years of federal and military service. He is a recipient of several service awards from GAO, the EDP Audit, Control, and Security Newsletter (EDPACS), and ISACA that recognized his past contributions to the field and his efforts in establishing formal university courses at his alma mater in IS Auditing, Control, and Security at the undergraduate level in 1979, followed by the implementation of an Association to Advance Collegiate Schools of Business (AACSB) accredited graduate-level Master of Science in Business Administration degree program in IS Auditing in 1980. (The AACSB was founded in 1916 to accredit schools of business worldwide.) Gallegos has spoken widely on topics related to the IS Audit, Control, and Security field.

Sandra Senft, MSBA-IS Audit, CISA, CIA, is an executive with more than 30 years of combined experience in auditing, financial management, insurance, and information technology (IT). During her career in IT, her responsibilities included finance, process improvement, project management, quality management, service management, sourcing, and vendor management. Sandra developed an extensive understanding of the IT and financial disciplines in her role as the global chief financial officer for Group IT within Zurich Financial Services in Zurich, Switzerland. Prior to that she was the Assistant Vice President for IT Support Services at Farmers Insurance in Los Angeles, CA, where she was responsible for the Project Management Office, IT Finance, Quality Assurance, Sourcing and Vendor Management, Service Management, and Asset Management.

During her career as an IS auditor and IS audit manager, she specialized in auditing systems development projects as well as general control audits of mainframe and distributed systems, information security, disaster recovery, and quality assurance. She was also responsible for defining and developing the audit risk methodology, audit methodology, automated audit workflow system, and training audit staff. She was a faculty member of California State Polytechnic University, Pomona, California, from 1997 to 2000, where she taught undergraduate and graduate courses in IT and IS auditing. She has also presented IS auditing topics at seminars, conferences, and CISA review courses specializing in systems development auditing. She has authored and coauthored several articles on IT controls and audit for Auerbach Publications.

Sandra graduated from California State Polytechnic University, Pomona, California, with a Master of Science in business administration option in IS auditing and a Bachelor of Science in accounting. She is a non-practicing Certified Information Systems Auditor (CISA) and Certified Internal Auditor (CIA). She served as president, treasurer, director of research and academic relations, and spring conference chair for the Los Angeles Chapter of ISACA.

Aleksandra Looho Davis, MSBA-IS Audit, CISA, CIA, CPA, has over 15 years of combined experience in auditing, financial management, insurance, and risk management. Currently, she is an IT Audit Principal at a leading insurance company in California. Throughout her career, Aleksandra has spearheaded several Compliance Programs, including SOX 404, and continues to incorporate improvements to ensure the sustainability of the programs. She also consults on key company initiatives to help ensure that adequate controls are considered, and provides audit and other consulting services, including Enterprise Risk Management (ERM), Business Continuity/Disaster Recovery (BC/DR), and Quality Assessment and Improvement Program (QAIP). Aleksandra also facilitates communication to help increase internal controls awareness and is a liaison to external auditors.

Aleksandra graduated from California State Polytechnic University, Pomona, California, with a Master of Science in Business Administration, option in IS Auditing. As a past president of the Los Angeles Chapter of ISACA, Aleksandra has been an active chapter volunteer and supporter since she was in her graduate program. Her graduate paper on IS Audit Training Needs was awarded first prize at the ISACA LA Best Paper Contest. It was later published in Issues in Information Systems, and accepted for presentation and publication at the International Association for Computer Information Systems (IACIS) Conference, where it was selected by IACIS for the Best Research Paper Award. Aleksandra is a Certified Information Systems Auditor (CISA), Certified Internal Auditor (CIA), and Certified Public Accountant (CPA).

Subject Categories

BISAC Subject Codes/Headings:
COM032000
COMPUTERS / Information Technology
COM053000
COMPUTERS / Security / General