Rights Contact Login For More Details
- Wiley
More About This Title Understanding and Conducting Information Systems Auditing
English
The increased dependence on information system resources for performing key activities within organizations has made system audits essential for ensuring the confidentiality, integrity, and availability of information system resources. One of the biggest challenges faced by auditors is the lack of a standardized approach and relevant checklist. Understanding and Conducting Information Systems Auditing brings together resources with audit tools and techniques to solve this problem.
Featuring examples that are globally applicable and covering all major standards, the book takes a non-technical approach to the subject and presents information systems as a management tool with practical applications. It explains in detail how to conduct information systems audits and provides all the tools and checklists needed to do so. In addition, it also introduces the concept of information security grading, to help readers to implement practical changes and solutions in their organizations.
- Includes everything needed to perform information systems audits
- Organized into two sections—the first designed to help readers develop the understanding necessary for conducting information systems audits and the second providing checklists for audits
- Features examples designed to appeal to a global audience
Taking a non-technical approach that makes it accessible to readers of all backgrounds, Understanding and Conducting Information Systems Auditing is an essential resource for anyone auditing information systems.
English
VEENA HINGARH is Joint Director of the South Asian Management Technologies Foundation, a center for research, training, and application in the areas of finance and risk management, which provides training in areas including IS auditing, enterprise risk management, and risk modeling. Winner of numerous merit-based awards during her career, Hingarh's major areas of focus are IFRS and IS. She speaks frequently at conferences and platforms throughout Asia and the Middle East. Hingarh is a Chartered Accountant from the Institute of Chartered Accountants of India (ICAI), Certified Company Secretary of the Institute of Company Secretaries of India (ICSI), and Certified Information System Auditor (CISA) from ISACA (USA).
ARIF AHMED is a professor at and Director of the South Asian Management Technologies Foundation as well as a Chartered Accountant from the Institute of Chartered Accountants of India (ICAI). He is an Information Security Management System Lead Auditor for the British Standards Institution. Ahmed's areas of focus are finance and risk management, and he has over two decades of postqualification experience in training and strategic consulting. He has been interviewed and quoted throughout the media and has spoken at various seminars and institutions, including the Institute of Chartered Accountants of India, XLRI, and the Institute of Company Secretaries of India.
English
Preface xi
Acknowledgments xv
PART ONE: CONDUCTING AN INFORMATION SYSTEMS AUDIT 1
Chapter 1: Overview of Systems Audit 3
Information Systems Audit 3
Information Systems Auditor 4
Legal Requirements of an Information Systems Audit 4
Systems Environment and Information Systems Audit 7
Information System Assets 8
Classification of Controls 9
The Impact of Computers on Information 12
The Impact of Computers on Auditing 14
Information Systems Audit Coverage 15
Chapter 2: Hardware Security Issues 17
Hardware Security Objective 17
Peripheral Devices and Storage Media 22
Client-Server Architecture 23
Authentication Devices 24
Hardware Acquisition 24
Hardware Maintenance 26
Management of Obsolescence 27
Disposal of Equipment 28
Problem Management 29
Change Management 30
Network and Communication Issues 31
Chapter 3: Software Security Issues 41
Overview of Types of Software 41
Elements of Software Security 47
Control Issues during Installation and Maintenance 53
Licensing Issues 55
Problem and Change Management 56
Chapter 4: Information Systems Audit Requirements 59
Risk Analysis 59
Threats, Vulnerability, Exposure, Likelihood, and Attack 61
Information Systems Control Objectives 61
Information Systems Audit Objectives 62
System Effectiveness and Effi ciency 63
Information Systems Abuse 63
Asset Safeguarding Objective and Process 64
Evidence Collection and Evaluation 65
Logs and Audit Trails as Evidence 67
Chapter 5: Conducting an Information Systems Audit 71
Audit Program 71
Audit Plan 72
Audit Procedures and Approaches 75
System Understanding and Review 77
Compliance Reviews and Tests 77
Substantive Reviews and Tests 80
Audit Tools and Techniques 81
Sampling Techniques 84
Audit Questionnaire 85
Audit Documentation 86
Audit Report 87
Auditing Approaches 89
Sample Audit Work-Planning Memo 91
Sample Audit Work Process Flow 93
Chapter 6: Risk-Based Systems Audit 101
Conducting a Risk-Based Information Systems Audit 101
Risk Assessment 104
Risk Matrix 105
Risk and Audit Sample Determination 107
Audit Risk Assessment 109
Risk Management Strategy 112
Chapter 7: Business Continuity and Disaster Recovery Plan 115
Business Continuity and Disaster Recovery Process 115
Business Impact Analysis 116
Incident Response Plan 118
Disaster Recovery Plan 119
Types of Disaster Recovery Plans 120
Emergency Preparedness Audit Checklist 121
Business Continuity Strategies 122
Business Resumption Plan Audit Checklist 123
Recovery Procedures Testing Checklist 126
Plan Maintenance Checklist 126
Vital Records Retention Checklist 127
Forms and Documents 128
Chapter 8: Auditing in the E-Commerce Environment 147
Introduction 147
Objectives of an Information Systems Audit in the E-Commerce Environment 148
General Overview 149
Auditing E-Commerce Functions 150
E-Commerce Policies and Procedures Review 155
Impact of E-Commerce on Internal Control 155
Chapter 9: Security Testing 159
Cybersecurity 159
Cybercrimes 160
What Is Vulnerable to Attack? 162
How Cyberattacks Occur 162
What Is Vulnerability Analysis? 165
Cyberforensics 168
Digital Evidence 170
Chapter 10: Case Study: Conducting an Information Systems Audit 173
Important Security Issues in Banks 174
Implementing an Information Systems Audit at a Bank Branch 180
Special Considerations in a Core Banking System 185
PART TWO: INFORMATION SYSTEMS AUDITING CHECKLISTS 197
Chapter 11: ISecGrade Auditing Framework 199
Introduction 199
Licensing and Limitations 200
Methodology 200
Domains 200
Grading Structure 202
Selection of Checklist 203
Format of Audit Report 206
Using the Audit Report Format 207
Chapter 12: ISecGrade Checklists 209
Checklist Structure 209
Information Systems Audit Checklists 210
Chapter 13: Session Quiz 281
Chapter 1: Overview of Systems Audit 281
Chapter 2: Hardware Security Issues 284
Chapter 3: Software Security Issues 286
Chapter 4: Information Systems Audit Requirements 288
Chapter 5: Conducting an Information Systems Audit 290
Chapter 6: Risk-Based Systems Audit 293
Chapter 7: Business Continuity and Disaster Recovery Plan 294
Chapter 8: Auditing in an E-Commerce Environment 296
Chapter 9: Security Testing 297
About the Authors 299
About the Website 301
Index 303
