What You Will Learn

1. Introduction to IT Audit
   - audit objectives and requirements
   - role of IT within the organization
   - management and security risks in an automated environment
   - what is a control?
   - internal control defined
   - processes and control points
   - physical space vs. logical space
   - identifying control points

2. Planning the IT Audit
   - definition of internal audit
   - objectives of an IT audit
   - IT audit strategies
   - what is an application?
   - application vs. general controls
   - IT audit control reviews
   - IT control categories
   - the audit deliverable
   - building the audit team

3. Auditing Organizations and Standards
   - maintaining audit objectivity
   - what is a standard?
   - AICPA and SAS
   - GAO and other certification organizations
   - The Institute of Internal Auditors (IIA)
   - The Treadway Commission
   - COSO Integrated Framework
   - ISACA and the IT Governance Institute
   - COBIT®: Control Objectives for Information and Related Technology
   - ISO 27002 security standard

4. IT Governance and Controls
   - what is IT governance?
   - information security governance
   - IT policies and procedures
   - separation of duties and outsourcing
   - governance and control

5. Information Technology Basics
   - identifying and categorizing key control points in today's IT environment
   - fundamentals of computer hardware architecture and CPU operation
   - two different classes of computers
   - software, programming, and processing
   - distributed systems and client/server technology
   - network connectivity and security basics
   - IT system maintenance, patch management, and security
   - IT technology audit strategies

6. Internet and Web Technology
   - organization and operation of the Internet
   - risks to Internet connections and applications
   - insider abuses of Internet services
   - network perimeter security: firewalls and more
   - Web application risks and safeguards
   - Internet and Web audit strategies

7. Shared General and Application Controls
   - logical security
     - data classification
     - logical access controls: system access
     - encryption: information access
     - remote access, PCs, and mobile devices
     - information security management
   - change management
     - change management objectives
     - program change control
     - patch management
     - software licensing
   - business continuity/disaster recovery
     - BCP/DRP defined
     - business impact analysis (BIA)
     - disaster recovery strategy
     - maintaining the plan
   - system development technologies
     - SDLC, RAD, ERP purchases
     - Internal Audit involvement
     - audit strategy

8. Application Controls
   - what is an application?
   - business application risks
   - application auditing
   - transactions: the audit focus
   - transaction life cycle controls
   - end-user computing
   - data warehouses
   - the future of applications

9. Database Technology and Controls
   - managing information
     - the program-centric model
     - program-centric audit concerns
     - the data-centric model
   - what is a database?
   - database terminology
   - database management systems (DBMS)
   - types of databases
   - database audit concerns

10. Infrastructure General Controls
   - operations controls
     - IT operations
     - operating system controls
     - system utilities
     - system software controls: a review
   - physical security
   - environmental controls