Standard for Auditing Computer Applications

2nd Edition

By Martin A. Krist

Auerbach Publications

832 pages

Purchasing Options ($ = USD):

Paperback: ISBN 9780849399831, published 1998-12-23, list price $665.00, offered at $532.00 (save ~$133.00)

Hardback: ISBN 9781138436930, published 2018-07-31, list price $195.00, offered at $156.00 (save ~$39.00)



Description

A Standard for Auditing Computer Applications is a dynamic new resource for evaluating all aspects of automated business systems and systems environments. At the heart of the A Standard for Auditing Computer Applications system is a set of customizable workpapers that provide blow-by-blow coverage of every phase of the IT audit process for traditional mainframe, distributed processing, and client/server environments.

A Standard for Auditing Computer Applications was developed by Marty Krist, an acknowledged and respected expert in IT auditing. Drawing on more than twenty years of auditing experience with leading enterprise organizations worldwide, Marty walks you step by step through the audit process for system environments and for specific applications and utilities. He clearly spells out what you need to look for and where to look for it, and he provides expert advice and guidance on how to address a problem successfully when you find one.

When you order A Standard for Auditing Computer Applications, you receive a powerful package containing all the forms, checklists, and templates you'll ever need to conduct successful audits, supplied on an easy-to-use CD-ROM. Designed to function as a handy, on-the-job resource, the book follows a concise, quick-access format. It begins with an overview of the general issues inherent in any IT review. This is followed by a comprehensive review of the audit planning process. The remainder of the book provides detailed, point-by-point breakdowns along with proven tools for:

  • Evaluating systems environments, covering all the bases, including IT administration, security, backup and recovery planning, systems development, and more

  • Evaluating existing controls for determining hardware and software reliability

  • Assessing the new system development process

  • Evaluating all aspects of individual applications, from I/O, processing, and logical and physical security to documentation, training, and programmed procedures

  • Assessing specific applications and utilities, including e-mail, groupware, finance and accounting applications, CAD, R&D, production applications, and more

Table of Contents

    PART I OVERVIEW OF INTEGRATED AUDITING

    AUTOMATED APPLICATION REVIEW OVERVIEW

    WHAT INTEGRATED APPLICATION SYSTEMS ARE

    Proper Operation of the IT Department

    Developing Automated Applications

    Critical Information Technology Controls

    REVIEWING APPLICATION SYSTEMS

    The Audit Structure

    The Internal Auditors

    The Audit Manual

    Managing the Individual IT Audit

    IT Audit Procedures

    Application Development and Testing

    Documenting and Reporting Audit Work

    External Auditors

    ASSESSING IT AUDIT CAPABILITIES

    Who Should Perform the Self-Assessment?

    Conducting the Self-Assessment

    Analysis and Reporting of Results

    PART II DEVELOPING THE IT AUDIT PLAN

    OVERVIEW OF COMPUTER APPLICATIONS AUDIT PLANNING STANDARDS AND PROCESSES

    IT AUDIT PLANNING

    Overview of Standards for IT Audit Planning

    STRATEGIC IT AUDIT PLANNING

    THE ANNUAL IT AUDIT PLANNING PROCESS

    Step 1: Identify All Potential Reviews

    Step 2: Evaluate and Prioritize Possible Reviews

    Step 3: Setting Preliminary Scopes

    Step 4: Select and Schedule IT Audits

    Step 5: Merger Audit Plans

    SPECIFIC AUDIT PLANNING

    Step 1: Assign An Auditor-in-Charge

    Step 2: Perform Application Fact Gathering

    Step 3: Analyze Application Audit Risk

    Step 4: Develop and Rank Measurable Audit Objectives

    Step 5: Develop Administrative Plan

    Step 6: Write Audit Program

    PART III ASSESSING GENERAL IT CONTROLS

    INFORMATION SYSTEMS ADMINISTRATION

    Strategic Planning

    Tactical Planning

    Information Technology Standard Setting

    PHYSICAL ACCESS SECURITY

    The Data Center

    Door Locks

    Windows

    Data Center Floor

    Alarm System

    Fire Suppression Systems

    The Detection of and Response to Unauthorized Activity

    LOGICAL ACCESS SECURITY

    User Identification

    End User Log-In Considerations

    SYSTEMS DEVELOPMENT PROCESS

    General Objectives

    Specific Objectives

    BACKUP AND RECOVERY

    Approaches to Making Backups

    Media Utilized to Make Backups

    Recovery Issues

    AUDITING THE MAINFRAME

    Planning the Audit

    Performing Fieldwork Procedures

    Auditing Specific Procedures by Audit Area

    Audit Finalization

    AUDITING THE MIDRANGE COMPUTER

    Planning the Audit

    Performing Fieldwork Procedures

    Auditing Specific Procedures by Audit Area

    Audit Finalization

    AUDITING THE NETWORK

    Planning the Audit

    Performing Fieldwork Procedures

    Auditing Specific Procedures by Audit Area

    Audit Finalization

    PART IV PERFORMING A COMPLETE EVALUATION

    PERFORMING A BASIC EVALUATION

    PERFORMING A COMPLETE EVALUATION

    General Control Objectives

    Participants in the Systems Development Life Cycle

    INITIATION PHASE REVIEW

    Overview

    Initiation Phase Deliverables

    Auditing the Initiation Phase

    Setting the Scope for the SDLC Audit

    Customizing the Audit Objectives

    Detailed Audit Testing

    Audit Results and Reporting

    THE REQUIREMENTS DEFINITION PHASE REVIEW

    Overview

    Deliverables in the Requirements Definition Phase

    The Initial Audit Evaluation

    Adjusting Audit Objectives

    Detailed Audit Testing

    Audit Results and Reporting

    Confirming The Audit Strategy

    APPLICATION DEVELOPMENT PHASE

    Programming Phase Overview

    Programming Phase Deliverables

    The Initial Audit Assessment

    Conducting Interviews

    Setting The Audit Objectives

    Detailed Audit Testing

    The Audit Test

    Audit Results and Reporting

    Evaluating The Audit Strategy

    THE EVALUATION AND ACCEPTANCE PHASE

    Overview

    Initial Assessment of The Acceptance Phase

    Gathering and Verifying Information on The Phase Status

    Setting Objectives for the Audit

    Evaluation and Acceptance Phase Considerations

    Detailed Audit Testing

    Audit Results and Reporting

    Evaluating Audit Results and Plans

    PART V ASSESSING IMPLEMENTED SYSTEMS

    INITIAL REVIEW PROCEDURES

    Initial Review Procedures

    Review Existing Audit Files

    The Planning Meeting

    AUDIT EVIDENCE

    Initial Workpapers

    IDENTIFY APPLICATION RISKS

    The Meaning of Risk

    Stand Alone Risk

    Relative Risk

    Ensuring Success

    Identifying Application Risks

    Overcoming Obstacles to Success

    Assigning Materiality

    Computing a Risk Score

    DEVELOP A DETAILED PLAN

    Writing Measurable Audit Objectives

    Verifying the Completeness of Measurable Audit Objectives

    EVALUATE INTERNAL CONTROLS

    Document Segregation of Responsibilities

    Conduct an Internal Control Review

    Develop Internal Control Diagrams

    Test Internal Controls

    Evaluate Internal Control Effectiveness

    TEST DATA INTEGRITY

    Conduct a Data File Survey

    Create Data Test Plan

    Develop Test Tools

    Verify File Integrity

    Evaluate the Correctness of the Test Process

    Conduct Data Test

    Review Data Test Results

    CERTIFY COMPUTER SECURITY

    Collect Data

    Conduct Basic Evaluation

    Conduct Detailed Evaluation

    Prepare Report of Results

    ANALYZE AUDIT RESULTS

    Document Findings

    Analyze Findings

    Develop Recommendations

    Document Recommendations

    REVIEW AND REPORT AUDIT FINDINGS

    Create the Audit Report

    Review Report Reasonableness

    Review Readability of Report

    Prepare and Distribute Report

    REVIEW QUALITY CONTROL

    Conduct a Quality Control Review

    Conduct a Quality Assurance Review

    Improve the Application Audit Process

    WORKFLOW DIAGRAMMING

    Creating a Workflow Diagram

    Recommended Practices for Developing Workflow Diagrams

    PART VI APPENDICES

    WORKPAPERS

    I-3-1 Self Assessment Questionnaire: IT Environment

    I-3-2 Analysis Summary for I-3-1

    I-3-3 Self Assessment Questionnaire: SDLC Methodology

    I-3-4 Analysis Summary for I-3-3

    I-3-5 Self Assessment Questionnaire: Internal Audit Capabilities

    I-3-6 Analysis Summary for I-3-5

    I-3-7 Analysis Summary for I-3-2, I-3-4, and I-3-6

    II-5-1 Risk Assessment Model (100-Point System)

    II-5-2 Risk Assessment Model (Weighted System)

    II-5-3 Risk Assessment Model (10-Point System)

    II-5-4 Risk Assessment Model (100-Point Total System)

    III-1 Generic Questionnaire

    III-2 Generic Program

    III-3 Generic Workpaper Set

    III-7-1 Complete Sample IT Security Policy

    III-11-1 Standard Business Continuity Planning Audit Program

    III-13-1 Midrange Questionnaire (AS/400)

    III-14-1 Network Questionnaire (Novell)

    A-1 Audit Assignment Interview Checklist

    A-2 Audit Success Criteria Worksheet

    A-3 Preliminary Conference Background Information Checklist

    A-4 Conference Preparation Checklist

    A-5 Post-Conference Background Information Checklist

    A-6 Input Transactions Worksheet

    A-7 Data File Worksheet

    A-8 Output Report and User Worksheet

    A-9 User Satisfaction Questionnaire

    A-10 Data Flow Diagram

    A-11 Structural Risk Assessment

    A-12 Technical Risk Assessment

    A-13 Size Risk Assessment

    A-14 Risk Score Summary

    A-15 Risk Assessment Program

    A-16 Application Risk Worksheet

    A-17 Application Risk Worksheet (Blank)

    A-18 Application Risk Ranking

    A-19 File or Database Population Analysis

    A-20 Measurable Application Audit Objectives

    A-21 EDP Application Audit Plan

    A-22 Responsibility Conflict Matrix

    A-23 Data Origination Controls Questionnaire

    A-24 Data Input Controls Questionnaire

    A-25 Data Processing Controls Questionnaire

    A-26 Data Output Controls Questionnaire

    A-27 Data Flow Control Diagram

    A-28 Transaction Flow Control Diagram

    A-29 Responsibility Vulnerability Worksheet

    A-30 Transaction Vulnerability Worksheet

    A-31 Application Control Test Plan

    A-32 Designing the Control Test

    A-33 Testing Controls

    A-34 Evaluation of Tested Controls

    A-35 Computer File Survey

    A-36 Manual File Survey

    A-37 Data Audit Objective Test

    A-38 Test Tool Worksheet

    A-39 File Integrity Program

    A-40 File Integrity Proof Sheet

    A-41 Structural Test Program

    A-42 Functional Test Program

    A-43 Data Test Program

    A-44 Data Test Checklist

    A-45 Test Results Review

    A-46 Key Security Planning Questions

    A-47 Partition of Applications

    A-48 Security Requirements

    A-49 Risk Analysis

    A-50 Document Review Guide

    A-51 Planning the Interviews

    A-52 Interview Results

    A-53 Security Requirements Evaluation

    A-54 Methodology Review

    A-55 Detailed Review of Security Safeguards

    A-56 Security Certification Statement

    A-57 Detailed Evaluation Report

    A-58 Audit Finding Documentation

    A-59 Analysis of Finding

    A-60 Developing Recommendations

    A-61 Effective Data Processing Control Practices

    A-62 Audit Recommendation Worksheet

    A-63 Report Objectives Worksheet

    A-64 Audit-Report-Writing Program

    A-65 Report Reasonableness Checklist

    A-66 Report Readability Checklist

    A-67 Exit Conference Program

    A-68 Report Issuance and Follow-Up Program

    A-69 Computer Application Audit Quality Control Checklist

    A-70 Audit Performance Problem Worksheet (Blank)

    A-71 Audit Performance Problem Worksheet

    A-72 Audit Process Problem Cause Identification Worksheet

    A-73 Audit Process Improvement Recommendation Worksheet

Subject Categories

BISAC Subject Codes/Headings:

    COM032000: COMPUTERS / Information Technology
    COM053000: COMPUTERS / Security / General