What You Will Learn

1. Integrating IT Risks into the Internal Audit Process - integrated auditing resources - control ownership - IT risk assessment - defining integrated auditing - integrated IT and enterprise control focus - integrated audit risk focus - using COSO - IT control categories - enterprise risk coverage - integrated auditing best practices
2. Auditing Business Application Systems - application audit objectives - what is a transaction? - transaction risk analysis - transaction life cycle
3. Top-Down Risk Based Planning - planning the application audit - defining the business environment - determining the application’s technical environment - performing a business information risk assessment - identifying key transactions - developing a key transaction process flow - evaluating application controls
4. Auditing Application Controls - embedded vs. configurable application controls - transaction origination and authorization - completeness and accuracy of input - error handling - interface balancing - completeness and accuracy of processing - completeness and accuracy of output - output retention and disposal - end-user computing
5. Testing and Documenting Application Controls - testing automated and manual controls - testing alternatives - determining sample size - computer assisted audit tools - data analysis - documenting business application processes - internal control questionnaires (ICQ) - narratives - flowcharts and process flows - risk-control matrix
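The sample-size item above is where auditors most often reach for a table; the arithmetic behind the table is short enough to show. The block below is an added illustration, not course material: it uses the zero-expected-deviation attribute-sampling formula n = ln(1 - confidence) / ln(1 - tolerable rate), and then evaluates a completed test with the binomial distribution (if the chance of seeing at most k deviations when the true rate equals the tolerable rate is no more than 1 - confidence, the control can be relied on). The confidence and tolerable-rate values are assumptions chosen for the example.

```python
"""Attribute-sampling helpers for testing an automated or manual control.

Added example for the "determining sample size" topic; the parameters
(95% confidence, 5% tolerable deviation rate) are assumptions, not
figures from the course.
"""
import math


def sample_size(confidence, tolerable_rate):
    """Items to test when zero deviations are expected.

    Solves (1 - tolerable_rate) ** n <= 1 - confidence for n, i.e. the
    smallest sample in which finding no deviations still rules out a
    deviation rate at or above the tolerable rate at the given confidence.
    """
    if not 0 < confidence < 1 or not 0 < tolerable_rate < 1:
        raise ValueError("confidence and tolerable_rate must be in (0, 1)")
    n = math.log(1 - confidence) / math.log(1 - tolerable_rate)
    return math.ceil(n)


def binomial_cdf(k, n, p):
    """P(X <= k) for X ~ Binomial(n, p), computed exactly with math.comb."""
    return sum(math.comb(n, i) * p ** i * (1 - p) ** (n - i) for i in range(k + 1))


def supports_reliance(n, deviations, confidence, tolerable_rate):
    """True if observing `deviations` in `n` items lets the auditor conclude,
    at `confidence`, that the population deviation rate is below the
    tolerable rate. The test statistic is the probability of seeing this
    few deviations if the true rate were exactly the tolerable rate.
    """
    return binomial_cdf(deviations, n, tolerable_rate) <= 1 - confidence


if __name__ == "__main__":
    n = sample_size(0.95, 0.05)
    print("sample size:", n)                                   # 59
    print("0 deviations in", n, "->", supports_reliance(n, 0, 0.95, 0.05))
    print("1 deviation  in", n, "->", supports_reliance(n, 1, 0.95, 0.05))
```

The second function matters in practice: one deviation in a sample sized for zero expected deviations does not merely "reduce" reliance, it removes the statistical basis for it, and the auditor either extends the sample or treats the control as not operating effectively.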
6. User Access Controls - fraud risk studies - information security management - information classification - access control components - authentication - password risks and controls - tokens, smart cards, biometrics - authorizations - conflict matrix - managing privileged authority - managing user accounts - audit trail - security monitoring and administration - single sign-on (SSO) - distributed client/server applications - remote access - sensitive data on mobile workstations and devices - terminations and transfers - social engineering
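A conflict matrix is only useful once it is run against actual user-to-role assignments, because the toxic combination usually arises from two individually reasonable roles held by one person (or, less obviously, from a single badly designed role). The block below is an added example, not part of the course: the roles, authorizations, users and conflict pairs are constructed sample data, and the privileged-authority set is an assumption for the illustration.

```python
"""Segregation-of-duties check: user authorizations against a conflict matrix.

Added example for the "conflict matrix" and "managing privileged authority"
topics. All roles, users and conflict pairs below are constructed data.
"""
from itertools import combinations

# Role -> set of authorizations (transaction capabilities) the role grants.
ROLE_AUTHORIZATIONS = {
    "AP_CLERK": {"CREATE_VENDOR", "ENTER_INVOICE"},
    "AP_MANAGER": {"APPROVE_INVOICE", "RELEASE_PAYMENT"},
    "TREASURY": {"RELEASE_PAYMENT", "MAINTAIN_BANK_ACCOUNT"},  # conflict inside one role
    "SEC_ADMIN": {"MAINTAIN_USERS", "ASSIGN_ROLES"},
}

# Conflict matrix: unordered pairs of authorizations one person must not hold together.
CONFLICT_MATRIX = {
    frozenset({"CREATE_VENDOR", "RELEASE_PAYMENT"}),
    frozenset({"ENTER_INVOICE", "APPROVE_INVOICE"}),
    frozenset({"MAINTAIN_BANK_ACCOUNT", "RELEASE_PAYMENT"}),
}

# Authorizations treated as privileged authority (assumed for the example).
PRIVILEGED = {"MAINTAIN_USERS", "ASSIGN_ROLES"}

# Constructed user-to-role assignments, as pulled from a security administration export.
USER_ROLES = {
    "jdoe": ["AP_CLERK"],
    "asmith": ["AP_CLERK", "AP_MANAGER"],   # can enter and approve, create vendor and pay
    "tlee": ["TREASURY"],                   # conflict is embedded in the role itself
    "secadm": ["SEC_ADMIN"],
}


def effective_authorizations(roles, role_map=ROLE_AUTHORIZATIONS):
    """Union of the authorizations granted by every role the user holds."""
    auths = set()
    for role in roles:
        auths |= role_map.get(role, set())
    return auths


def conflicting_pairs(auths, matrix=CONFLICT_MATRIX):
    """Sorted list of (a, b) pairs from `auths` that appear in the conflict matrix."""
    return [(a, b) for a, b in combinations(sorted(auths), 2)
            if frozenset({a, b}) in matrix]


def find_sod_conflicts(user_roles, role_map=ROLE_AUTHORIZATIONS, matrix=CONFLICT_MATRIX):
    """{user: [(auth_a, auth_b), ...]} for every user holding a toxic combination."""
    findings = {}
    for user, roles in user_roles.items():
        hits = conflicting_pairs(effective_authorizations(roles, role_map), matrix)
        if hits:
            findings[user] = hits
    return findings


def find_role_conflicts(role_map=ROLE_AUTHORIZATIONS, matrix=CONFLICT_MATRIX):
    """Roles whose own authorization set already violates the matrix (design defect)."""
    return {role: hits for role, auths in role_map.items()
            if (hits := conflicting_pairs(auths, matrix))}


def find_privileged_users(user_roles, role_map=ROLE_AUTHORIZATIONS, privileged=PRIVILEGED):
    """Users holding any privileged authorization; the list to review and recertify."""
    return sorted(u for u, roles in user_roles.items()
                  if effective_authorizations(roles, role_map) & privileged)


if __name__ == "__main__":
    for user, hits in find_sod_conflicts(USER_ROLES).items():
        print(f"{user}: {hits}")
    print("roles with embedded conflicts:", find_role_conflicts())
    print("privileged users:", find_privileged_users(USER_ROLES))
```

Two points the output makes: asmith's conflicts come from combining two roles and are a provisioning finding, while tlee's conflict exists in the TREASURY role definition and is a role-design finding that no user review would fix; and the privileged list (secadm) is separate from the conflict list, because a security administrator who can assign roles can grant themselves any combination, so that authority is controlled by monitoring and periodic recertification rather than by the matrix.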
7. Change Management - change management risks - interpreting and compiling source code - change management process - change requests - testing changes - implementation approval - program migration - contingency plans - system documentation - executable and source code integrity - emergency changes - changes to vendor supplied source code - library control software - distributed systems - version control - change management audit steps
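The "executable and source code integrity" step is usually tested by comparing what is running in production against what was approved at implementation, and a hash manifest is the simplest mechanism that actually proves it (timestamps and file sizes can be preserved by whoever made the change). The block below is an added example, not the course's material: it baselines a constructed release directory, simulates an undocumented emergency change, and reports what moved. File names and contents are constructed for the example.

```python
"""Executable and source code integrity check using a SHA-256 manifest.

Added example for the change management audit steps. The baseline is
taken at implementation approval and must be stored where the people
who can change code cannot change it. Files here are constructed in a
temporary directory.
"""
import hashlib
import os
import tempfile


def sha256_file(path):
    """Hex SHA-256 of a file, read in chunks so large executables are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """{relative_path: sha256} for every file under root (POSIX-style paths)."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def compare_manifests(baseline, current):
    """Files added, removed, or whose content changed since the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline
                           if p in current and baseline[p] != current[p]),
    }


def _write(root, rel, data):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def demo():
    """Baseline an approved release, then detect an unapproved change to it."""
    with tempfile.TemporaryDirectory() as root:
        # Approved state at implementation: source plus the compiled executable.
        _write(root, "src/posting.py", b"def post(txn):\n    return txn\n")
        _write(root, "bin/posting.pyc", b"\x00compiled-v1")
        baseline = build_manifest(root)

        # Simulated emergency change made outside the process: source edited,
        # executable rebuilt, and an undocumented helper dropped alongside.
        _write(root, "src/posting.py",
               b"def post(txn):\n    txn['amount'] *= 2\n    return txn\n")
        _write(root, "bin/posting.pyc", b"\x00compiled-v2")
        _write(root, "src/hotfix.py", b"# undocumented\n")

        return compare_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Each entry in the "modified" and "added" lists should trace to an approved change request with test evidence and implementation approval; anything that does not is either an unrecorded emergency change or a compromise of the library, and the audit step is the same in both cases. Hashing the executable as well as the source also catches the case where only the binary was replaced, which a source-only review would miss.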
8. Disaster Recovery and Business Continuity Planning - disaster recovery planning (DRP) - business continuity planning (BCP) - business impact analysis (BIA) - recovery point objectives (RPO) - recovery time objectives (RTO) - application recovery priority - continuity plans and procedures - off-site data storage - auditing DRP and BCP
9. Database Management Systems - relational databases - database terminology - DBMS risks and controls - database recovery - DBMS audit steps
10. Operating Systems - types of operating system software - operating system risks - operating system integrity controls - privileged access security controls - software parameters - patch management - operating system audit steps
11. Auditing Outsourced IT Operations - outsourcing risks - offshore outsourcing risks - ensuring strong contractual agreements - right to audit - SAS-70 reports - relationship monitoring - audit focus areas