Auditor's Guide to IT Auditing -- Contents -- Preface -- PART I: IT AUDIT PROCESS -- Chapter 1: Technology and Audit -- Technology and Audit -- Batch and Online Systems -- Electronic Data Interchange -- Electronic Business -- Cloud Computing -- Chapter 2: IT Audit Function Knowledge -- Information Technology Auditing -- What Is Management? -- Management Process -- Understanding the Organization's Business -- Establishing the Needs -- Identifying Key Activities -- Establish Performance Objectives -- Decide the Control Strategies -- Implement and Monitor the Controls -- Executive Management's Responsibility and Corporate Governance -- Audit Role -- Conceptual Foundation -- Professionalism within the IT Auditing Function -- Relationship of Internal IT Audit to the External Auditor -- Relationship of IT Audit to Other Company Audit Activities -- Audit Charter -- Charter Content -- Outsourcing the IT Audit Activity -- Regulation, Control, and Standards -- Chapter 3: IT Risk and Fundamental Auditing Concepts -- Computer Risks and Exposures -- Effect of Risk -- Audit and Risk -- Audit Evidence -- Conducting an IT Risk-Assessment Process -- NIST SP 800 30 Framework -- ISO 27005 -- The "Cascarino Cube" -- Reliability of Audit Evidence -- Audit Evidence Procedures -- Responsibilities for Fraud Detection and Prevention -- Notes -- Chapter 4: Standards and Guidelines for IT Auditing -- IIA Standards -- Code of Ethics -- Advisory -- Aids -- Standards for the Professional Performance of Internal Auditing -- ISACA Standards -- ISACA Code of Ethics -- COSO: Internal Control Standards -- BS 7799 and ISO 17799: IT Security -- NIST -- BSI Baselines -- Note -- Chapter 5: Internal Controls Concepts Knowledge -- Internal Controls -- Cost/Benefit Considerations -- Internal Control Objectives -- Types of Internal Controls -- Systems of Internal Control.

Elements of Internal Control -- Manual and Automated Systems -- Control Procedures -- Application Controls -- Control Objectives and Risks -- General Control Objectives -- Data and Transactions Objectives -- Program Control Objectives -- Corporate IT Governance -- COSO and Information Technology -- Governance Frameworks -- Notes -- Chapter 6: Risk Management of the IT Function -- Nature of Risk -- Risk-Analysis Software -- Auditing in General -- Elements of Risk Analysis -- Defining the Audit Universe -- Computer System Threats -- Risk Management -- Notes -- Chapter 7: Audit Planning Process -- Benefits of an Audit Plan -- Structure of the Plan -- Types of Audit -- Chapter 8: Audit Management -- Planning -- Audit Mission -- IT Audit Mission -- Organization of the Function -- Staffing -- IT Audit as a Support Function -- Planning -- Business Information Systems -- Integrated IT Auditor versus Integrated IT Audit -- Auditees as Part of the Audit Team -- Application Audit Tools -- Advanced Systems -- Specialist Auditor -- IT Audit Quality Assurance -- Chapter 9: Audit Evidence Process -- Audit Evidence -- Audit Evidence Procedures -- Criteria for Success -- Statistical Sampling -- Why Sample? -- Judgmental (or Non-Statistical) Sampling -- Statistical Approach -- Sampling Risk -- Assessing Sampling Risk -- Planning a Sampling Application -- Calculating Sample Size -- Quantitative Methods -- Project-Scheduling Techniques -- Simulations -- Computer-Assisted Audit Solutions -- Generalized Audit Software -- Application and Industry-Related Audit Software -- Customized Audit Software -- Information-Retrieval Software -- Utilities -- On-Line Inquiry -- Conventional Programming Languages -- Microcomputer-Based Software -- Test Transaction Techniques -- Chapter 10: Audit Reporting Follow-up -- Audit Reporting -- Interim Reporting -- Closing Conferences.

Written Reports -- Clear Writing Techniques -- Preparing to Write -- Basic Audit Report -- Executive Summary -- Detailed Findings -- Polishing the Report -- Distributing the Report -- Follow-up Reporting -- Types of Follow-up Action -- PART II: INFORMATION TECHNOLOGY GOVERNANCE -- Chapter 11: Management -- IT Infrastructures -- Project-Based Functions -- Quality Control -- Operations and Production -- Technical Services -- Performance Measurement and Reporting -- Measurement Implementation -- Notes -- Chapter 12: Strategic Planning -- Strategic Management Process -- Strategic Drivers -- New Audit Revolution -- Leveraging IT -- Business Process Re-Engineering Motivation -- IT as an Enabler of Re-Engineering -- Dangers of Change -- System Models -- Information Resource Management -- Strategic Planning for IT -- Decision Support Systems -- Steering Committees -- Strategic Focus -- Auditing Strategic Planning -- Design the Audit Procedures -- Note -- Chapter 13: Management Issues -- Privacy -- Copyrights, Trademarks, and Patents -- Ethical Issues -- Corporate Codes of Conduct -- IT Governance -- Sarbanes-Oxley Act -- Payment Card Industry Data Security Standards -- Housekeeping -- Notes -- Chapter 14: Support Tools and Frameworks -- General Frameworks -- COSO: Internal Control Standards -- Other Standards -- Governance Frameworks -- Note -- Chapter 15: Governance Techniques -- Change Control -- Problem Management -- Auditing Change Control -- Operational Reviews -- Performance Measurement -- ISO 9000 Reviews -- PART III: SYSTEMS AND INFRASTRUCTURE LIFECYCLE MANAGEMENT -- Chapter 16: Information Systems Planning -- Stakeholders -- Operations -- Systems Development -- Technical Support -- Other System Users -- Segregation of Duties -- Personnel Practices -- Object-Oriented Systems Analysis -- Enterprise Resource Planning -- Cloud Computing -- Notes.

Chapter 17: Information Management and Usage -- What Are Advanced Systems? -- Service Delivery and Management -- Computer-Assisted Audit Tools and Techniques -- Notes -- Chapter 18: Development, Acquisition, and Maintenance of Information Systems -- Programming Computers -- Program Conversions -- No Thanks Systems Development Exposures -- Systems Development Controls -- Systems Development Life Cycle Control: Control Objectives -- Micro-Based Systems -- Cloud Computing Applications -- Note -- Chapter 19: Impact of Information Technology on the Business Processes and Solutions -- Impact -- Continuous Monitoring -- Business Process Outsourcing -- E-Business -- Notes -- Chapter 20: Software Development -- Developing a System -- Change Control -- Why Do Systems Fail? -- Auditor's Role in Software Development -- Chapter 21: Audit and Control of Purchased Packages and Services -- IT Vendors -- Request For Information -- Requirements Definition -- Request for Proposal -- Installation -- Systems Maintenance -- Systems Maintenance Review -- Outsourcing -- SAS 70 Reports -- Chapter 22: Audit Role in Feasibility Studies and Conversions -- Feasibility Success Factors -- Conversion Success Factors -- Chapter 23: Audit and Development of Application Controls -- What Are Systems? -- Classifying Systems -- Controlling Systems -- Control Stages -- Control Objectives of Business Systems -- General Control Objectives -- CAATs and Their Role in Business Systems Auditing -- Common Problems -- Audit Procedures -- CAAT Use in Non-Computerized Areas -- Designing an Appropriate Audit Program -- PART IV: INFORMATION TECHNOLOGY SERVICE DELIVERY AND SUPPORT -- Chapter 24: Technical Infrastructure -- Auditing the Technical Infrastructure -- Infrastructure Changes -- Computer Operations Controls -- Operations Exposures -- Operations Controls -- Personnel Controls.

Supervisory Controls -- Information Security -- Operations Audits -- Notes -- Chapter 25: Service-Center Management -- Private Sector Preparedness (PS Prep) -- Continuity Management and Disaster Recovery -- Managing Service-Center Change -- Notes -- PART V: PROTECTION OF INFORMATION ASSETS -- Chapter 26: Information Assets Security Management -- What Is Information Systems Security? -- Control Techniques -- Workstation Security -- Physical Security -- Logical Security -- User Authentication -- Communications Security -- Encryption -- How Encryption Works -- Encryption Weaknesses -- Potential Encryption -- Data Integrity -- Double Public Key Encryption -- Steganography -- Information Security Policy -- Notes -- Chapter 27: Logical Information Technology Security -- Computer Operating Systems -- Tailoring the Operating System -- Auditing the Operating System -- Security -- Criteria -- Security Systems: Resource Access Control Facility -- Auditing RACF -- Access Control Facility 2 -- Top Secret -- User Authentication -- Bypass Mechanisms -- Security Testing Methodologies -- Notes -- Chapter 28: Applied Information Technology Security -- Communications and Network Security -- Network Protection -- Hardening the Operating Environment -- Client Server and Other Environments -- Firewalls and Other Protection Resources -- Intrusion-Detection Systems -- Note -- Chapter 29: Physical and Environmental Security -- Control Mechanisms -- Implementing the Controls -- PART VI: BUSINESS CONTINUITY AND DISASTER RECOVERY -- Chapter 30: Protection of the Information Technology Architecture and Assets: Disaster-Recovery Planning -- Risk Reassessment -- Disaster-Before and After -- Consequences of Disruption -- Where to Start -- Testing the Plan -- Auditing the Plan -- Chapter 31: Displacement Control -- Insurance -- Self- Insurance -- PART VII: ADVANCED IT AUDITING.

Chapter 32: Auditing E-commerce Systems.