Information Technology Control and Audit - Sandra Senft, Frederick Gallegos, Aleksandra Davis

Information Technology Control and Audit

Book | Hardcover
776 pages
2012 | 4th new edition
Chapman & Hall/CRC (publisher)
978-1-4398-9320-3 (ISBN)
85,95 incl. VAT
A newer edition of this title exists.
The new edition of a bestseller, Information Technology Control and Audit, Fourth Edition provides a comprehensive and up-to-date overview of IT governance, controls, auditing applications, systems development, and operations. Aligned to and supporting the Control Objectives for Information and Related Technology (COBIT), it examines emerging trends and defines recent advances in technology that impact IT controls and audits—including cloud computing, web-based applications, and server virtualization.

Filled with exercises, review questions, section summaries, and references for further reading, this updated and revised edition promotes the mastery of the concepts and practical implementation of controls needed to manage information technology resources effectively well into the future. Illustrating the complete IT audit process, the text:

  • Considers the legal environment and its impact on the IT field—including IT crime issues and protection against fraud
  • Explains how to determine risk management objectives
  • Covers IT project management and describes the auditor’s role in the process
  • Examines advanced topics such as virtual infrastructure security, enterprise resource planning, web application risks and controls, and cloud and mobile computing security
  • Includes review questions, multiple-choice questions with answers, exercises, and resources for further reading in each chapter

This resource-rich text includes appendices with IT audit cases, professional standards, sample audit programs, bibliography of selected publications for IT auditors, and a glossary. It also considers IT auditor career development and planning and explains how to establish a career development plan. Mapping the requirements for information systems auditor certification, this text is an ideal resource for those preparing for the Certified Information Systems Auditor (CISA) and Certified in the Governance of Enterprise IT (CGEIT) exams.
Instructor's guide and PowerPoint® slides available upon qualified course adoption.

Frederick Gallegos, MBA, has expertise in IT Audit Education; IS Auditing, Security, and Control of Information Systems; Legal Environment of Information Systems; Local Area and Wide Area Network Security and Controls; Computer Ethics; Management Information Systems; Executive Support Systems; and the Internet as an Audit Resource. He has more than 35 years of teaching and practical experience in the field, has published four books, and has authored and coauthored more than 200 articles in the aforementioned subjects. He received his BS and MBA from the California State Polytechnic University, Pomona, California. He holds a California Community College Instructor Credential. He taught for the Computer Information Systems Department, College of Business at California State Polytechnic University, Pomona, California, from 1976 to 1996 (part-time) and full-time from 1996 to 2006. After 30 years of teaching, he retired in September 2006 and received lecturer emeritus status from the university in May 2007. In February 2008, he received the Computer Information Systems (CIS) Lifetime Achievement Award from the CIS Department at Cal Poly, Pomona, California. He continues to maintain contact with, and provide consulting services to, his past undergraduate and graduate students and alumni of the CIS Department’s Information Assurance programs at the California State Polytechnic University, Pomona, California. Before teaching full-time at Cal Poly (1996–2006), Gallegos worked for GAO—Los Angeles Regional Office (1972–1996) and advanced within GAO to serve as manager of the Management and Evaluator Support Group. He managed staff involved in Office Automation, Computer Audit Support, Computer Audit, Training, Human Resource Planning and Staffing, Technical Information Retrieval, and Security/Facilities Management. He retired from GAO in 1996 with 26 years of federal and military service. He is a recipient of several service awards from GAO, the EDP Audit, Control, and Security Newsletter (EDPACS), and ISACA that recognized his past contributions to the field and his efforts in establishing formal university courses at his alma mater in IS Auditing, Control, and Security at the undergraduate level in 1979, followed by the implementation of an Association to Advance Collegiate Schools of Business (AACSB) accredited graduate-level Master of Science in Business Administration degree program in IS Auditing since 1980. (The AACSB was founded in 1916 to accredit schools of business worldwide.) Gallegos has spoken widely on topics related to the IS Audit, Control, and Security field.

Sandra Senft, MSBA-IS Audit, CISA, CIA, is an executive with more than 30 years of combined experience in auditing, financial management, insurance, and information technology (IT). During her career in IT, her responsibilities included finance, process improvement, project management, quality management, service management, sourcing, and vendor management. Sandra developed an extensive understanding of the IT and financial disciplines in her role as the global chief financial officer for Group IT within Zurich Financial Services in Zurich, Switzerland. Prior to that she was the Assistant Vice President for IT Support Services at Farmers Insurance in Los Angeles, CA, where she was responsible for the Project Management Office, IT Finance, Quality Assurance, Sourcing and Vendor Management, Service Management, and Asset Management. During her career as an IS auditor and IS audit manager, she specialized in auditing systems development projects as well as general control audits of mainframe and distributed systems, information security, disaster recovery, and quality assurance. She was also responsible for defining and developing the audit risk methodology, audit methodology, and automated audit workflow system, and for training audit staff. She was a faculty member of California State Polytechnic University, Pomona, California, from 1997 to 2000, where she taught undergraduate and graduate courses in IT and IS auditing. She has also presented IS auditing topics at seminars, conferences, and CISA review courses, specializing in systems development auditing. She has authored and coauthored several articles on IT controls and audit for Auerbach Publications. Sandra graduated from California State Polytechnic University, Pomona, California, with a Master of Science in Business Administration (option in IS Auditing) and a Bachelor of Science in Accounting. She is a non-practicing Certified Information Systems Auditor (CISA) and Certified Internal Auditor (CIA). She served as president, treasurer, director of research and academic relations, and spring conference chair for the Los Angeles Chapter of ISACA.

Aleksandra Looho Davis, MSBA-IS Audit, CISA, CIA, CPA, has over 15 years of combined experience in auditing, financial management, insurance, and risk management. Currently, she is an IT Audit Principal at a leading insurance company in California. Throughout her career, Aleksandra has spearheaded several compliance programs, including SOX 404, and continues to incorporate improvements to ensure the sustainability of those programs. She also consults on key company initiatives to help ensure that adequate controls are considered, and provides audit and other consulting services, including Enterprise Risk Management (ERM), Business Continuity/Disaster Recovery (BC/DR), and Quality Assessment and Improvement Program (QAIP). Aleksandra also facilitates communication to help increase internal controls awareness and is a liaison to external auditors. Aleksandra graduated from California State Polytechnic University, Pomona, California, with a Master of Science in Business Administration (option in IS Auditing). As a past president of the Los Angeles Chapter of ISACA, Aleksandra has been an active chapter volunteer and supporter since she was in her graduate program. Her graduate paper on IS Audit Training Needs was awarded first prize at the ISACA LA Best Paper Contest. It was later published in Issues in Information Systems, and accepted for presentation and publication at the International Association for Computer Information Systems (IACIS) Conference, where it was selected by IACIS for the Best Research Paper Award. Aleksandra is a Certified Information Systems Auditor (CISA), Certified Internal Auditor (CIA), and Certified Public Accountant (CPA).

A FOUNDATION FOR IT AUDIT AND CONTROL

Information Technology Environment: Why Are Controls and Audit Important?
IT Today and Tomorrow
Information Integrity, Reliability, and Validity: Importance in Today’s Global
Business Environment
Control and Audit: A Global Concern
E-Commerce and Electronic Funds Transfer
Future of Electronic Payment Systems
Legal Issues Impacting IT
Federal Financial Integrity Legislation
Federal Security Legislation
Privacy on the Information Superhighway
Privacy Legislation and the Federal Government Privacy Act
Security, Privacy, and Audit
Conclusion
Review Questions
Multiple-Choice Questions
Exercises
Answers to Multiple-Choice Questions
Further Reading

The Legal Environment and Its Impact on Information Technology
IT Crime Issues
Protection against Computer Fraud
Computer Fraud and Abuse Act
Computer Abuse Amendments Act
Remedies and Effectiveness
Legislation Providing for Civil and Criminal Penalties
Computer Security Act of 1987
Homeland Security Act of 2002
Privacy on the Information Superhighway
National Strategy for Securing Cyberspace
Methods That Provide for Protection of Information
Web Copyright Law
Privacy Legislation and the Federal Government Privacy Act
Conclusion
Review Questions
Multiple-Choice Questions
Exercises
Answers to Multiple-Choice Questions
Further Reading
Other Internet Sites
Audit and Review: Their Role in Information Technology
The Situation and the Problem
Audit Standards
Importance of Audit Independence
Past and Current Accounting and Auditing Pronouncements
AICPA Pronouncements: From the Beginning to Now
Other Standards
Financial Auditing
Generally Accepted Accounting Principles
Generally Accepted Auditing Standards
IT Auditing: What Is It?
Need for IT Audit Function
Auditors Have Standards of Practice
Auditors Must Have Independence
High Ethical Standards
Auditor: Knowledge, Skills, and Abilities
Broadest Experiences
Supplemental Skills
Trial and Error
Role of the IT Auditor
Types of Auditors and Their Duties, Functions, and Responsibilities
Legal Implications
Conclusion
Review Questions
Multiple-Choice Questions
Exercises
Answers to Multiple-Choice Questions
Further Reading
Audit Process in an Information Technology Environment
Audit Universe
Risk Assessment
Audit Plan
Developing an Audit Schedule
Audit Budget
Objective and Context
Using the Plan to Identify Problems
Audit Process
Preliminary Review
Preliminary Evaluation of Internal Controls
Design Audit Procedures
Fieldwork and Implementing Audit Methodology
Validation of Work Performed
Substantive Testing
Documenting Results
Communication Strategy
Conclusion
Review Questions
Multiple-Choice Questions
Exercises
Answers to Multiple-Choice Questions
Further Reading

Auditing IT Using Computer-Assisted Audit Tools and Techniques
Auditor Productivity Tools
Using Computer-Assisted Audit Tools in the Audit Process
Flowcharting Techniques
Flowcharting as an Analysis Tool
Appropriateness of Flowcharting Techniques
Computer-Assisted Audit Tools and Techniques for Application Reviews
Computer-Assisted Audit Tools and Techniques for Operational Reviews
Web Analysis Tools
Web Analysis Software as an Audit Tool
Computer Forensics
Conclusion
Review Questions
Multiple-Choice Questions
Exercises
Answers to Multiple-Choice Questions
Further Reading

Managing IT Audit
IT Auditor Career Development and Planning
Establishing a Career Development Plan
Evaluating IT Audit Quality
Terms of Assessment
IT Audit and Auditor Assessment Form
Criteria for Assessing the Audit
Criteria for Assessing the Auditor
Applying the Concept
Evaluation of IT Audit Performance
What Is a Best Practice?
Conclusion
Review Questions
Multiple-Choice Questions
Exercises
Answers to Multiple-Choice Questions
Further Reading

IT Auditing in the New Millennium
IT Auditing Trends
New Dimension: Information Assurance
IT Audit: The Profession
A Common Body of Knowledge
Certification
Continuing Education
A Code of Ethics and Professional Standards
Educational Curricula
New Trends in Developing IT Auditors and Education
Career Opportunities in the Twenty-First Century
Public Accounting
Private Industry
Management Consulting
Government
Role of the IT Auditor in IT Governance
IT Auditor as Counselor
IT Auditor as Partner of Senior Management
Educating the Next Generation on IT Audit and Control Opportunities
Conclusion
Review Questions
Multiple-Choice Questions
Exercises
Answers to Multiple-Choice Questions
Further Reading

AUDITING IT PLANNING AND ORGANIZATION

IT Governance
IT Processes
Enterprise Risk Management
Regulatory Compliance and Internal Controls
Performance Measurement
Metrics and Management
Metric Reporting
Independent Assurance
Participation in IT Audit Planning
Control Framework
Conclusion
Review Questions
Multiple-Choice Questions
Exercises
Answers to Multiple-Choice Questions
Further Reading

Strategy and Standards
IT Processes
Strategic Planning
IT Steering Committee
Portfolio Management
Demand Management
Project Initiation
Technical Review
Architecture and Standards
Conclusion
Review Questions
Multiple-Choice Questions
Exercises
Answers to Multiple-Choice Questions
Further Reading

Risk Management
IT Processes
Technology Risk Management
An Example of Standards: Technology Risk Management
Regulations
Where Does Technology Risk Management Belong?
IT Insurance Risk
How to Determine IT Insurance Coverage
Available Guidance
Conclusion
Review Questions
Multiple-Choice Questions
Exercises
Answers to Multiple-Choice Questions
Further Reading
Process and Quality Management
IT Processes
Roles and Responsibilities
Separation of Duties
Resource Management
Managing Quality
Quality Management Standards
How Maturity Correlates to Quality
IT Process Framework
Auditing Policies and Procedures
Conclusion
Review Questions
Multiple-Choice Questions
Exercises
Answers to Multiple-Choice Questions
Further Reading

Financial Management
IT Processes
Financial Management Framework
Investment Approval Process
Project Pricing
Realizing the Benefits from IT Investments
Financial Planning
Identify and Allocate Costs
Determining Charging Method
Structure of U.S. Guidance
IT Asset Management
Conclusion
Review Questions
Multiple-Choice Questions
Exercises
Answers to Multiple-Choice Questions
Further Reading

IT ACQUISITION AND IMPLEMENTATION

IT Project Management
IT Processes
Project Management Body of Knowledge
Auditor’s Role in the Project Management Process
Example of Project Management Checkpoints and Tools in a Telecom Project
Conclusion
Review Questions
Multiple-Choice Questions
Exercises
Answers to Multiple-Choice Questions
Further Reading

Software Development and Implementation
IT Processes
Approaches to Software Development
Software Development Process
Prototypes and Rapid Application Development
End-User Development
Traditional Information Software Development
System Implementation Process
Help Desk and Production Support Training and Readiness
Auditor’s Role in the Development Process
Risk Assessment
Audit Plan
Software Development Controls Review
Software Development Life Cycle
Conclusion
Review Questions
Multiple-Choice Questions
Exercises
Answers to Multiple-Choice Questions
Further Reading

IT Sourcing
IT Processes
Sourcing Strategy
Software Acquisition Process
Prototypes and Rapid Application Development
The Requirements Document
Off-the-Shelf Solutions
Purchased Package
Contracted Development
Outsourcing a System from Another Organization
Request for Information
Request for Bid
Request for Proposal
Evaluating Proposals
Procurement and Supplier Management
IT Contract Issues
Strategic Sourcing and Supplier Management
Auditing Software Acquisitions
Prototypes
Other Resources for Help and Assistance
Conclusion
Review Questions
Multiple-Choice Questions
Exercises
Answers to Multiple-Choice Questions
Further Reading

Application Controls and Maintenance
IT Processes
Application Risks
Electronic Data Interchange Application Risks
Application Controls
Web-Based Application, Risks, and Controls
Documentation Requirements
Application Software Life Cycle
Application Maintenance
Corrective Maintenance
Adaptive Maintenance
Perfective Maintenance
Conclusion
Review Questions
Multiple-Choice Questions
Exercises
Answers to Multiple-Choice Questions
Further Reading

Change Management
IT Processes
Change Management
Importance of Change Control
Change Control
Change Management System
Change Request Process
Impact Assessment
Controls over Changes
Emergency Change Process
Revisions to Documentation and Procedures
Authorized Maintenance
Software Release Policy
Software Distribution Process
Change Management Tools
Change Management Procedures
Configuration Management
Organizational Change Management
Organizational Culture Defined
Audit Involvement
Conclusion
Review Questions
Multiple-Choice Questions
Exercises
Answers to Multiple-Choice Questions
Further Reading

IT DELIVERY AND SUPPORT

Service Management
IT Processes
Information Technology Infrastructure Library
Implementing IT Service Management
Review Services and Requirements
Define IT Services
Service-Level Agreements
Service Design and Pricing
Processes to Engage Services
Roles and Responsibilities
Ongoing Service Management
Service Management of Third Parties
Evolution of Standards
Conclusion
Review Questions
Multiple-Choice Questions
Exercises
Answers to Multiple-Choice Questions
Further Reading

Service Desk and Problem Management
IT Processes
Training
Service Desk
Incident and Problem Management
Case Example: Acme Computing Services Business
Conclusion
Review Questions
Multiple-Choice Questions
Exercises
Answers to Multiple-Choice Questions
Further Reading

Security and Service Continuity
IT Processes
Information Systems Security
Security Threats and Risks
Security Standards
Information Security Controls
Information Custodian Responsibilities
User Responsibilities
Third-Party Responsibilities
Information Classification Designations
Contingency and Disaster Recovery Planning
Written Disaster Recovery Plan
Mission Statement for Disaster Recovery Plan
Disaster Recovery Plan Tests and Drill
Conclusion
Review Questions
Multiple-Choice Questions
Exercises
Answers to Multiple-Choice Questions
Further Reading

System Management
IT Processes
Systems Software
Systems Maintenance
Database Technology
Database Management Systems Recovery
Capacity Management
Server Virtualization
Conclusion
Review Questions
Multiple-Choice Questions
Exercises
Answers to Multiple-Choice Questions
Further Reading

Operations Management
IT Processes
Operational Maturity
Operating Policy and Procedures
Data Files and Program Controls
Physical Security and Access Controls
Environmental Controls
Output Controls
Data Communications Controls
Data Center Reviews
Software and Data Security Controls
Physical and Environmental Controls Management
Data Access Management
Policy and Procedures Documentation
Data and Software Backup Management
Other Management Controls
End-User Computing
Conclusion
Review Questions
Multiple-Choice Questions
Exercises
Answers to Multiple-Choice Questions
Further Reading
Tools for Network Monitoring
The Internet, Intranet, and Extranet
ADVANCED TOPICS

Virtual Environment
Virtual Environment
Cloud Computing
Mobile Computing
IT Operations Issues in Network Installation
Types of WANs
Elements of WANs
Conclusion
Review Questions
Multiple-Choice Questions
Exercises
Answers to Multiple-Choice Questions
Further Reading
Virtual Infrastructure Security and Risks
Information Flows in the Current Marketplace
Interconnected Systems and E-Commerce
Battleground: The Internet
Tools
Exploiting the TCP/IP Holes
Recommendation to IT Auditors, Security, and IT Professionals
Intranet/Extranet Security
Wireless Technology
Identity Theft
Conclusions
Review Questions
Multiple-Choice Questions
Exercises
Answers to Multiple-Choice Questions
Further Reading
Internet References

Virtual Application Security and Risks
E-Commerce Application Security as a Strategic and Structural Problem
Information Security Management Systems
A Planning and Control Approach to E-Commerce Security Management
Web Application Risks
Internet Security
Case Example: GMA Business Overview and Profile
Mobile Computing Security
Conclusion
Review Questions
Multiple-Choice Questions
Exercises
Answers to Multiple-Choice Questions
Further Reading
Enterprise Resource Planning
ERP Solutions
Benefits of ERP Solutions
Key Risks of ERP Solutions
Implementing ERP Systems
ERP Data Warehouse
Appendices:
Information Technology Audit Cases
Bibliography of Selected Publications for Information Technology Auditors
Professional Standards That Apply to Information Technology (Audit, Security, and Privacy Issues)
Glossary
Sample Audit Programs

Index

Additional info 127 illustrations, black and white
Language English
Dimensions 178 x 254 mm
Weight 1590 g
Subject area Mathematics / Computer Science > Computer Science > Networks
Computer Science > Office Programs > Outlook
Business > Business Administration / Management > Accounting / Financial Statements
ISBN-10 1-4398-9320-9 / 1439893209
ISBN-13 978-1-4398-9320-3 / 9781439893203
Condition New