Information Technology Control and Audit

The new edition of a bestseller, Information Technology Control and Audit, Fourth Edition provides a comprehensive and up-to-date overview of IT governance, controls, auditing applications, systems development, and operations. Aligned to and supporting the Control Objectives for Information and Related Technology (COBIT), it examines emerging trends and defines recent advances in technology that impact IT controls and audits—including cloud computing, web-based applications, and server virtualization. Filled with exercises, review questions, section summaries, and references for further reading, this updated and revised edition promotes the mastery of the concepts and practical implementation of controls needed to manage information technology resources effectively well into the future. Illustrating the complete IT audit process, the text: Considers the legal environment and its impact on the IT field—including IT crime issues and protection against fraud Explains how to determine risk management objectives Covers IT project management and describes the auditor’s role in the process Examines advanced topics such as virtual infrastructure security, enterprise resource planning, web application risks and controls, and cloud and mobile computing security Includes review questions, multiple-choice questions with answers, exercises, and resources for further reading in each chapter This resource-rich text includes appendices with IT audit cases, professional standards, sample audit programs, bibliography of selected publications for IT auditors, and a glossary. It also considers IT auditor career development and planning and explains how to establish a career development plan. Mapping the requirements for information systems auditor certification, this text is an ideal resource for those preparing for the Certified Information Systems Auditor (CISA) and Certified in the Governance of Enterprise IT (CGEIT) exams. Instructor's guide and PowerPoint® slides available upon qualified course adoption.

A FOUNDATION FOR IT AUDIT AND CONTROLInformation Technology Environment: Why Are Controls and Audit Important?IT Today and TomorrowInformation Integrity, Reliability, and Validity: Importance in Today’s GlobalBusiness EnvironmentControl and Audit: A Global ConcernE-Commerce and Electronic Funds TransferFuture of Electronic Payment SystemsLegal Issues Impacting ITFederal Financial Integrity LegislationFederal Security LegislationPrivacy on the Information SuperhighwayPrivacy Legislation and the Federal Government Privacy ActSecurity, Privacy, and AuditConclusionReview QuestionsMultiple-Choice QuestionsExercisesAnswers to Multiple-Choice QuestionsFurther ReadingThe Legal Environment and Its Impact on Information TechnologyIT Crime IssuesProtection against Computer FraudComputer Fraud and Abuse ActComputer Abuse Amendments ActRemedies and EffectivenessLegislation Providing for Civil and Criminal PenaltiesComputer Security Act of 1987Homeland Security Act of 2002Privacy on the Information SuperhighwayNational Strategy for Securing CyberspaceMethods That Provide for Protection of InformationWeb Copyright LawPrivacy Legislation and the Federal Government Privacy ActConclusionReview QuestionsMultiple-Choice QuestionsExercisesAnswers to Multiple-Choice QuestionsFurther ReadingOther Internet Sites Audit and Review: Their Role in Information TechnologyThe Situation and the ProblemAudit StandardsImportance of Audit IndependencePast and Current Accounting and Auditing PronouncementsAICPA Pronouncements: From the Beginning to NowOther StandardsFinancial AuditingGenerally Accepted Accounting PrinciplesGenerally Accepted Auditing StandardsIT Auditing: What Is It?Need for IT Audit FunctionAuditors Have Standards of PracticeAuditors Must Have IndependenceHigh Ethical StandardsAuditor: Knowledge, Skills, and AbilitiesBroadest ExperiencesSupplemental SkillsTrial and ErrorRole of the IT AuditorTypes of Auditors and Their Duties, Functions, and ResponsibilitiesLegal ImplicationsConclusionReview QuestionsMultiple-Choice QuestionsExercisesAnswers to Multiple-Choice QuestionsFurther Reading Audit Process in an Information Technology EnvironmentAudit UniverseRisk AssessmentAudit PlanDeveloping an Audit ScheduleAudit BudgetObjective and ContextUsing the Plan to Identify ProblemsAudit ProcessPreliminary ReviewPreliminary Evaluation of Internal ControlsDesign Audit ProceduresFieldwork and Implementing Audit MethodologyValidation of Work PerformedSubstantive TestingDocumenting ResultsCommunication StrategyConclusionReview QuestionsMultiple-Choice QuestionsExercisesAnswers to Multiple-Choice QuestionsFurther ReadingAuditing IT Using Computer-Assisted Audit Tools and TechniquesAuditor Productivity ToolsUsing Computer-Assisted Audit Tools in the Audit ProcessFlowcharting TechniquesFlowcharting as an Analysis ToolAppropriateness of Flowcharting TechniquesComputer-Assisted Audit Tools and Techniques for Application ReviewsComputer-Assisted Audit Tools and Techniques for Operational ReviewsWeb Analysis ToolsWeb Analysis Software as an Audit ToolComputer ForensicsConclusionReview QuestionsMultiple-Choice QuestionsExercisesAnswers to Multiple-Choice QuestionsFurther ReadingManaging IT AuditIT Auditor Career Development and PlanningEstablishing a Career Development PlanEvaluating IT Audit QualityTerms of AssessmentIT Audit and Auditor Assessment FormCriteria for Assessing the AuditCriteria for Assessing the AuditorApplying the ConceptEvaluation of IT Audit PerformanceWhat Is a Best Practice?ConclusionReview QuestionsMultiple-Choice QuestionsExercisesAnswers to Multiple-Choice QuestionsFurther ReadingIT Auditing in the New MillenniumIT Auditing TrendsNew Dimension: Information AssuranceIT Audit: The ProfessionA Common Body of KnowledgeCertificationContinuing EducationA Code of Ethics and Professional StandardsEducational CurriculaNew Trends in Developing IT Auditors and EducationCareer Opportunities in the Twenty-First CenturyPublic AccountingPrivate IndustryManagement ConsultingGovernmentRole of the IT Auditor in IT GovernanceIT Auditor as CounselorIT Auditor as Partner of Senior ManagementEducating the Next Generation on IT Audit and Control OpportunitiesConclusionReview QuestionsMultiple-Choice QuestionsExercisesAnswers to Multiple-Choice QuestionsFurther ReadingAUDITING IT PLANNING AND ORGANIZATIONIT GovernanceIT ProcessesEnterprise Risk ManagementRegulatory Compliance and Internal ControlsPerformance MeasurementMetrics and ManagementMetric ReportingIndependent AssuranceParticipation in IT Audit PlanningControl FrameworkConclusionReview QuestionsMultiple-Choice QuestionsExercisesAnswers to Multiple-Choice QuestionsFurther ReadingStrategy and StandardsIT ProcessesStrategic PlanningIT Steering CommitteePortfolio ManagementDemand ManagementProject InitiationTechnical ReviewArchitecture and StandardsConclusionReview QuestionsMultiple-Choice QuestionsExercisesAnswers to Multiple-Choice QuestionsFurther ReadingRisk ManagementIT ProcessesTechnology Risk ManagementAn Example of Standards: Technology Risk ManagementRegulationsWhere Does Technology Risk Management Belong?IT Insurance RiskHow to Determine IT Insurance CoverageAvailable GuidanceConclusionReview QuestionsMultiple-Choice QuestionsExercisesAnswers to Multiple-Choice QuestionsFurther Reading Process and Quality ManagementIT ProcessesRoles and ResponsibilitiesSeparation of DutiesResource ManagementManaging QualityQuality Management StandardsHow Maturity Correlates to QualityIT Process FrameworkAuditing Policies and ProceduresConclusionReview QuestionsMultiple-Choice QuestionsExercisesAnswers to Multiple-Choice QuestionsFurther ReadingFinancial ManagementIT ProcessesFinancial Management FrameworkInvestment Approval ProcessProject PricingRealizing the Benefits from IT InvestmentsFinancial PlanningIdentify and Allocate CostsDetermining Charging MethodStructure of U.S. GuidanceIT Asset Management ConclusionReview QuestionsMultiple-Choice QuestionsExercisesAnswers to Multiple-Choice QuestionsFurther Reading IT ACQUISITION AND IMPLEMENTATIONIT Project ManagementIT ProcessesProject Management Body of KnowledgeAuditor’s Role in the Project Management ProcessExample of Project Management Checkpoints and Tools in a Telecom ProjectConclusionReview QuestionsMultiple-Choice QuestionsExercisesAnswers to Multiple-Choice QuestionsFurther ReadingSoftware Development and ImplementationIT ProcessesApproaches to Software DevelopmentSoftware Development ProcessPrototypes and Rapid Application DevelopmentEnd-User DevelopmentTraditional Information Software DevelopmentSystem Implementation ProcessHelp Desk and Production Support Training and ReadinessAuditor’s Role in the Development ProcessRisk AssessmentAudit PlanSoftware Development Controls ReviewSoftware Development Life CycleConclusionReview QuestionsMultiple-Choice QuestionsExercisesAnswers to Multiple-Choice QuestionsFurther Reading IT SourcingIT ProcessesSourcing StrategySoftware Acquisition ProcessPrototypes and Rapid Application DevelopmentThe Requirements DocumentOff-the-Shelf SolutionsPurchased PackageContracted DevelopmentOutsourcing a System from Another OrganizationRequest for InformationRequest for BidRequest for ProposalEvaluating ProposalsProcurement and Supplier ManagementIT Contract IssuesStrategic Sourcing and Supplier ManagementAuditing Software AcquisitionsPrototypesOther Resources for Help and AssistanceConclusionReview QuestionsMultiple-Choice QuestionsExercisesAnswers to Multiple-Choice QuestionsFurther Reading Application Controls and MaintenanceIT ProcessesApplication RisksElectronic Data Interchange Application RisksApplication ControlsWeb-Based Application, Risks, and ControlsDocumentation RequirementsApplication Software Life CycleApplication MaintenanceCorrective MaintenanceAdaptive MaintenancePerfective MaintenanceConclusionReview QuestionsMultiple-Choice QuestionsExercisesAnswers to Multiple-Choice QuestionsFurther Reading Change ManagementIT ProcessesChange ManagementIm

Frederick Gallegos, MBA, has expertise in IT Audit Education, IS Auditing, Security, and Control of Information Systems; Legal Environment of Information Systems; Local Area and Wide Area Network Security and Controls; Computer Ethics, Management Information Systems, Executive Support Systems, Internet as an Audit Resource. He has more than 35 years of teaching and practical experience in the field, published four books, and authored and coauthored more than 200 articles in the aforementioned subjects. He received his BS and MBA from the California State Polytechnic University, Pomona, California. He has a California Community College Instructor Credential. He taught for the Computer Information Systems Department, College of Business at California State Polytechnic University, Pomona, California, from 1976 to 1996 (part-time) and full-time from 1996 to 2006. After 30 years of teaching, he retired in September 2006 and received the lecturer emeritus status from the university in May 2007. In February 2008, he received the Computer Information Systems (CIS) Lifetime Achievement Award from the CIS Department at Cal Poly, Pomona, California. He continues to maintain contact and provides consulting services with his past undergraduate and graduate students and alumni of the CIS Department’s Information Assurance programs from the California State Polytechnic University, Pomona, California. Before teaching full-time at Cal Poly (1996–2006), Gallegos worked for GAO—Los Angeles Regional Office (1972–1996) and advanced within GAO to serve as manager, Management and Evaluator Support Group. He managed staff involved in Office Automation, Computer Audit Support, Computer Audit, Training, Human Resource Planning and Staffing, Technical Information Retrieval and Security/Facilities Management. He retired from GAO in 1996 with 26 years of federal and military service. He is a recipient of several service awards from GAO, EDP Audit, Control, and Security Newsletter (EDPACS), and ISACA that recognized his past contributions to the field and his efforts in the establishment of formal universities courses at his alma mater in IS Auditing, Control and Security at the undergraduate level in 1979 with the implementation of Association to Advance Collegiate Schools of Business (AACSB) accredited graduate-level Master of Science in Business Administration Degree program in IS Auditing since 1980. (The AACSB was founded in 1916 to accredit schools of business worldwide.) Gallegos has spoken widely on topics related to the IS Audit, Control, and Security field. Sandra Senft, MSBA-IS Audit, CISA, CIA, is an executive with more than 30 years of combined experience in auditing, financial management, insurance, and information technology (IT). During her career in IT, her responsibilities included finance, process improvement, project management, quality management, service management, sourcing, and vendor management.Sandra developed an extensive understanding of the IT and financial disciplines in her role as the global chief financial officer for Group IT within Zurich Financial Services in Zurich, Switzerland. Prior to that she was the Assistant Vice President for IT Support Services at Farmers Insurance in Los Angeles, CA. She was responsible for the Project Management Office, IT Finance, Quality Assurance, Sourcing and Vendor Management, Service Management, and Asset Management. During her career as an IS auditor and IS audit manager, she specialized in auditing systems development projects as well as general control audits of mainframe and distributed systems, information security, disaster recovery, and quality assurance. She was also responsible for defining and developing the audit risk methodology, audit methodology, automated audit workflow system, and training audit staff. She was a faculty member of California State Polytechnic University, Pomona, California, from 1997 to 2000, where she taught undergraduate and graduate courses in IT and IS auditing. She has also presented IS auditing topics at seminars, conferences, and CISA review courses specializing in systems development auditing. She has authored and coauthored several articles on IT controls and audit for Auerbach Publications. Sandra graduated from California State Polytechnic University, Pomona, California, with a Master of Science in business administration option in IS auditing and a Bachelor of Science in accounting. She is a non-practicing Certified Information Systems Auditor (CISA) and Certified Internal Auditor (CIA). She served as president, treasurer, director of research and academic relations, and spring conference chair for the Los Angeles Chapter of ISACA. Aleksandra Looho Davis, MSBA-IS Audit, CISA, CIA, CPA, has over 15 years of combined experience in auditing, financial management, insurance, and risk management. Currently, she is an IT Audit Principal at a leading insurance company in California. Throughout her career, Aleksandra has spearheaded