Title:
The Basics of IT Audit : Purposes, Processes, and Practical Information.
Author:
Gantz, Stephen D.
ISBN:
9780124171763
Physical Description:
1 online resource (271 pages)
Contents:
Front Cover -- The Basics of IT Audit -- Copyright Page -- Contents -- Acknowledgments -- About the Author -- About the Technical Editor -- Trademarks -- Introduction -- Information in this chapter: -- Introduction to IT auditing -- Purpose and rationale -- Intended use -- Key audiences -- Structure and content -- 1 IT Audit Fundamentals -- What is IT auditing? -- Internal controls -- What to audit -- IT audit characteristics -- Why audit? -- Who gets audited? -- Who does IT auditing? -- External auditors -- Internal auditors -- IT auditor development paths -- Relevant source material -- Summary -- References -- 2 Auditing in Context -- IT governance -- The role of IT audit in governance -- Risk management -- Risk management components -- The role of IT audit in risk management -- Compliance and certification -- Managing compliance and certification -- The role of IT audit in compliance and certification -- Quality management and quality assurance -- The role of IT audit in quality management -- Information security management -- The role of IT audit in information security management -- Relevant source material -- Summary -- References -- 3 Internal Auditing -- Internal audit as an organizational capability -- Independence and objectivity -- Establishing the IT audit program -- Internal audit program charter -- Internal audit program responsibilities -- Benefits of internal IT auditing -- Internal audit challenges -- Internal auditors -- Relevant source material -- Summary -- References -- 4 External Auditing -- Operational aspects of external audits -- Roles and responsibilities for external auditing -- Independence in external auditing -- Organizational participation in external audits -- External IT audit drivers and rationale -- External audit benefits -- Advantages compared to internal audits -- Regulatory auditors.

Certifying organizations -- External audit challenges -- External auditors -- Relevant source material -- Summary -- References -- 5 Types of Audits -- Financial audits -- Cost accounting -- Programmatic audits -- Operational audits -- Operational audits of internal controls -- Audits of policies, processes, and procedures -- Program or project-focused operational audits -- Certification audits -- Service management -- Security management -- Quality management -- Compliance audits -- Legal compliance -- Compliance with industry standards -- Commercial standards -- IT-specific audits -- IT process maturity -- Provision of IT services -- Information systems controls -- Relevant source material -- Summary -- References -- 6 IT Audit Components -- Establishing the scope of IT audits -- Developing and maintaining the audit universe -- Governance, risk, and compliance drivers -- Audit strategy and prioritization -- Types of controls -- Control categorization -- Organizational controls -- Auditing different IT assets -- IT component decomposition -- Systems and applications -- Databases -- Operating systems -- Hardware -- Networks -- Storage -- Data centers -- Virtualized environments -- Interfaces -- Auditing procedural controls or processes -- IT operations -- Program and project management -- System development life cycle -- Concept -- Development -- Production -- Utilization -- Support -- Retirement -- Relevant source material -- References -- 7 IT Audit Drivers -- Laws and regulations -- Securities industry laws and regulations -- Securities and Exchange Commission laws and regulations -- Sarbanes-Oxley Act of 2002 -- European Council Directive 2006/43/EC -- Gramm-Leach-Bliley Act -- Health industry-specific laws -- Health Insurance Portability and Accountability Act -- Health Information Technology for Economic and Clinical Health Act.

International health data privacy protection laws -- Security and privacy laws -- European Council Directive 95/46/EC -- Computer Fraud and Abuse Act -- Electronic Communications Privacy Act -- State security and privacy laws -- Government sector laws -- Federal Information Security Management Act -- The Privacy Act -- Certification standards -- Quality certification -- Information security -- Service management -- Operational effectiveness -- Quality assurance and continuous improvement -- Relevant source material -- Summary -- References -- 8 IT Audit Processes -- Audit planning -- Audit preparation -- Resource allocation -- Preliminary data gathering -- Audit procedures and protocols -- Planning internal and external audits -- Audit performance -- Evidence collection -- Analysis of evidence -- Reporting findings -- Using information in audit reports -- Responding to audit results -- Process life cycles and methodologies -- Relevant source material -- Summary -- References -- 9 Methodologies and Frameworks -- Audit-specific methodologies and frameworks -- Generally Accepted Auditing Standards -- International Standards on Auditing -- Committee of Sponsoring Organizations integrated framework -- International Professional Practices Framework -- International Organization for Standardization -- IT governance and management frameworks -- Control Objectives for Business and Related Information Technology -- Information Technology Infrastructure Library -- International Organization for Standardization -- Government-focused audit methodologies -- Federal Information System Controls Audit Manual -- International Standards of Supreme Audit Institutions -- Security control assessment frameworks -- ISO/IEC 27000 series -- NIST security control assessment guidance -- Relevant source material -- Summary -- References.

10 Audit-Related Organizations, Standards, and Certifications -- National and international perspectives -- Generally Accepted Auditing Standards -- Auditing for legal or regulatory compliance -- Audit-focused standards and certification organizations -- American Institute of Certified Public Accountants -- Audit standards -- AICPA certifications -- Institute of Internal Auditors -- Audit standards -- Certifications -- International Organisation of Supreme Audit Institutions -- Audit standards -- International Federation of Accountants -- Audit standards -- Information Systems Audit and Control Association -- Audit standards -- Certifications -- International Organization for Standardization -- Audit standards -- Government Accountability Office -- Audit standards -- Auditors' oversight bodies -- Audit standards -- Organizations offering standards, guidance, or certifications relevant to IT auditing -- SANS Institute -- Certifications -- Software Engineering Institute -- Institute of Electrical and Electronics Engineers -- International Information Systems Security Certification Consortium -- Certifications -- American Society for Quality -- Certifications -- Open Web Application Security Project -- Other standards and certifications -- Computer forensics and penetration testing -- Relevant source material -- Summary -- References -- References -- Acronyms -- Acronyms and abbreviations -- Index.
Abstract:
The Basics of IT Audit: Purposes, Processes, and Practical Information provides a thorough yet concise overview of IT auditing. Packed with specific examples, the book gives insight into the auditing process and explains regulations and standards such as the ISO 27000 series, COBIT, ITIL, Sarbanes-Oxley, and HIPAA. IT auditing occurs in some form in virtually every organization, private or public, large or small. The large number and wide variety of laws, regulations, policies, and industry standards that call for IT auditing make it hard for organizations to consistently and effectively prepare for, conduct, and respond to the results of audits, or to comply with audit requirements. This guide provides the necessary information whether you are preparing for an IT audit, participating in one, or responding to its results.
Provides a concise treatment of IT auditing, allowing you to prepare for, participate in, and respond to the results.
Discusses the pros and cons of internal and external IT audits, including the benefits and potential drawbacks of each.
Covers the basics of complex regulations and standards, such as Sarbanes-Oxley, SEC (public companies), HIPAA, and FFIEC.
Includes most methods and frameworks, including GAAS, COSO, COBIT, ITIL, ISO (27000), and FISCAM.
Local Note:
Electronic reproduction. Ann Arbor, Michigan : ProQuest Ebook Central, 2017. Available via World Wide Web. Access may be limited to ProQuest Ebook Central affiliated libraries.