Founded in 1807, John Wiley & Sons is the oldest independent publishing company in the United States. With offices in North America, Europe, Asia, and Australia, Wiley is globally committed to developing and marketing print and electronic products and services for our customers' professional and personal knowledge and understanding.
The Wiley Corporate F&A series provides information, tools, and insights to corporate professionals responsible for issues affecting the profitability of their company, from accounting and finance to internal controls and performance management.
Cover Image: Olena Timashova/iStockphoto
Cover Design: John Wiley & Sons, Inc.
Copyright 2013 by John Wiley & Sons Singapore Pte. Ltd.
Published by John Wiley & Sons Singapore Pte. Ltd.
1 Fusionopolis Walk, #07-01, Solaris South Tower, Singapore 138628
All rights reserved.
No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as expressly permitted by law, without either the prior written permission of the Publisher, or authorization through payment of the appropriate photocopy fee to the Copyright Clearance Center. Requests for permission should be addressed to the Publisher, John Wiley & Sons Singapore Pte. Ltd., 1 Fusionopolis Walk, #07-01, Solaris South Tower, Singapore 138628, tel: 65-6643-8000, fax: 65-6643-8008, e-mail: .
Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.
Other Wiley Editorial Offices
John Wiley & Sons, 111 River Street, Hoboken, NJ 07030, USA
John Wiley & Sons, The Atrium, Southern Gate, Chichester, West Sussex, PO19 8SQ, United Kingdom
John Wiley & Sons (Canada) Ltd., 5353 Dundas Street West, Suite 400, Toronto, Ontario, M9B 6H8, Canada
John Wiley & Sons Australia Ltd., 42 McDougall Street, Milton, Queensland 4064, Australia
Wiley-VCH, Boschstrasse 12, D-69469 Weinheim, Germany
Library of Congress Cataloging-in-Publication Data
ISBN 978-1-118-34374-6 (Hardcover)
ISBN 978-1-118-34375-3 (ePDF)
ISBN 978-1-118-34376-0 (Mobi)
ISBN 978-1-118-34377-7 (ePub)
Families that bind the world
Preface
This book focuses on an information systems audit as a management control and not as a technology-driven subject. Complete with resources to understand the subject, definitions of technical terms, ready checklists to conduct an information systems audit, and multiple-choice questions to review the level of understanding, the book is designed to be an indispensable resource for the information systems practitioner and aspirant alike. Readers will find enough resources for their audit needs, examination needs, and even continuing professional education requirements.
Increased dependence on information systems assets for performing critical functions of an organization has strengthened the need for using information systems audits as a control to ensure confidentiality, integrity, and availability of information systems resources. Major problems that an information systems auditor faces include the apparent technology bias of the subject, the lack of a standardized audit approach, and the lack of standardized checklists. In this book, we have attempted to address these problems by approaching the subject from the viewpoint of management control, providing readers with the requisite knowledge resources, and making available an audit tool in the form of checklists.
Our approach to an information systems audit is essentially nontechnical in nature. We firmly believe that an information systems audit is a managerial control tool and use of technology is subordinate to it. We hold that attempts to consider an information systems audit as a technical control would make it an esoteric subject and be counterproductive in the long run. Technical tools are most useful for specific applications within the domains of an information systems audit, but may not be the primary focus. The primary focus should be to establish a framework of management control, and technology could be used wherever necessary to implement the control. An information systems auditor is free to seek the help of a technology specialist to examine specific controls, whenever such a need arises. The scope of the audit will determine the extent of use of technology-driven tools. For example, an audit of network security or website penetration testing definitely requires technical competence and appropriate tools. It must be clarified that we are not underestimating the importance and convenience of technology; we are merely assigning a specific role for it within the domain of an information systems audit.
The book is divided into two parts. Part One focuses on the knowledge that all information systems auditors must have to be able to conduct an information systems audit effectively. This part will act as reference material for aspiring information systems auditors who are preparing for a certifying examination. There are 10 chapters in this part, progressively building the competence needed to conduct a real-life information systems audit. The chapters in Part One are the following:
Chapter 1: Overview of Systems Audit: This chapter will make readers aware of the challenges they are likely to face while conducting an information systems audit. The importance of such an audit is established in this chapter.
Chapter 2: Hardware Security Issues: This chapter identifies the security aspects of hardware and network assets that must be addressed.
Chapter 3: Software Security Issues: This chapter sensitizes the reader to the critical aspects of software security.
Chapter 4: Information Systems Audit Requirements: This chapter develops an understanding of the general scope of an information systems audit, the types of evidence, and the areas of focus of an information systems auditor.
Chapter 5: Conducting an Information Systems Audit: This chapter discusses the process of conducting an information systems audit and provides an overview of the audit program, plan, and procedures; compliance and substantive testing; testing tools; and the reporting process.
Chapter 6: Risk-Based Systems Audit: This chapter deals with the approach that an information systems auditor needs to adopt in situations where the auditee is exposed to various risks of differing magnitude, and also under resource constraints.
Chapter 7: Business Continuity and Disaster Recovery Plan: This chapter provides the knowledge resource to understand and audit business continuity and disaster recovery systems of the auditee. A large number of useful forms have been provided in this chapter.
Chapter 8: Auditing in the E-Commerce Environment: This chapter identifies areas for additional focus required for auditing an e-commerce environment. The knowledge resource provided is equally applicable for auditing an e-banking environment.