What You Will Learn
1. Introduction to IT Audit
- audit objectives and requirements
- role of IT within the organization
- management and security risks in an automated environment
- what is a control?
- internal control defined
- processes and control points
- physical space vs. logical space
- identifying control points
2. Planning the IT Audit
- definition of internal audit
- objectives of an IT audit
- IT audit strategies
- what is an application
- application vs. general controls
- IT audit control reviews
- IT control categories
- the audit deliverable
- building the audit team
3. Auditing Organizations and Standards
- maintaining audit objectivity
- what is a standard?
- AICPA and SAS
- GAO and other certification organizations
- The Institute of Internal Auditors (IIA)
- The Treadway Commission
- COSO Integrated Framework
- ISACA and the IT Governance Institute
- COBIT®: Control Objectives for Information and Related Technology
- ISO 27002 security standard
4. Information Technology Basics
- identifying and categorizing key control points in today’s IT environment
- fundamentals of computer hardware architecture and CPU operation
- two different classes of computers
- software, programming, and processing
- distributed systems and client/server technology
- network connectivity and security basics
- IT system maintenance, patch management, and security
- IT technology audit strategies
5. Internet and Web Technology
- organization and operation of the Internet
- risks to Internet connections and applications
- insider abuses of Internet services
- network perimeter security: firewalls and more
- Web application risks and safeguards
- Internet and Web audit strategies
6. Shared General and Application Controls
- logical security
-- data classification
-- logical access controls: system access
-- encryption: information access
-- remote access, PCs, and mobile devices
-- information security management
- change management
-- change management objectives
-- program change control
-- patch management
-- software licensing
- business continuity/disaster recovery
-- BCP/DRP defined
-- business impact analysis (BIA)
-- disaster recovery strategy
-- maintaining the plan
- system development technologies
-- SDLC, RAD, ERP purchases
-- Internal Audit involvement
-- audit strategy
7. Database Technology and Controls
- managing information
-- the program-centric model
-- program-centric audit concerns
-- the data-centric model
- what is a database?
- database terminology
- database management systems (DBMS)
- types of databases
- database audit concerns
8. Infrastructure General Controls
- operations controls
-- IT operations
-- operating system controls
-- system utilities
-- system software controls: a review
- physical security
- environmental controls
9. Business Application Transactions
- objectives of an application audit
- what is a transaction?
- transaction-based application auditing
- transaction life cycle
- application risk assessment factors
- establishing audit priorities
10. Top-Down Risk-Based Planning
- planning the application audit
- top-down, risk-based planning
- defining the business environment
- determining the application’s technical environment
- performing a business information risk assessment
- identifying key transactions
- developing a key transaction process flow
- evaluating and testing application controls
11. Data Input and Processing Models
- comparing pros/cons of input and processing models
- batch input/batch processing
- on-line input/batch processing
- on-line input/on-line processing
- real-time input/real-time processing
12. Application Controls
- business applications
- information objectives
- COSO: application controls
- business application auditing
- application transaction life cycle
- transaction origination
- logical security
- completeness and accuracy of input
- completeness and accuracy of processing
- completeness and accuracy of output
- output retention and disposal
- data file controls
- user review, balancing, reconciliation
- end-user documentation
- training
- segregation of duties
- business continuity planning
- Sarbanes-Oxley application control requirements
13. Testing Application Controls
- testing automated and manual controls
- testing alternatives
- testing sample size
- sampling terminology
- negative assurance testing
- types of audit evidence
- functional/substantive testing
- computer assisted audit techniques (CAATs)
- data analysis: planning and data verification
- Sarbanes-Oxley: testing requirements and examples
14. Documenting Application Controls
- evaluating and documenting internal controls
- internal control questionnaires
- narratives
- flowcharts / process flows
- control matrix
15. End-User Computing
- growth of end-user computing
- end-user computing risks
- general IT control risks
- change control risks
- purchased applications risks
- spreadsheets: typical errors
- spreadsheet risk factors
- practical steps for evaluating spreadsheet controls