The Basics of IT Audit
eBook - ePub

The Basics of IT Audit

Purposes, Processes, and Practical Information

Stephen D. Gantz

  1. 270 pages
  2. English
  3. ePUB (mobile friendly)
  4. Available on iOS and Android


Book information

The Basics of IT Audit: Purposes, Processes, and Practical Information provides you with a thorough, yet concise overview of IT auditing. Packed with specific examples, this book gives insight into the auditing process and explains regulations and standards such as the ISO 27000 series, COBIT, ITIL, Sarbanes-Oxley, and HIPAA.

IT auditing occurs in some form in virtually every organization, private or public, large or small. The large number and wide variety of laws, regulations, policies, and industry standards that call for IT auditing make it hard for organizations to consistently and effectively prepare for, conduct, and respond to the results of audits, or to comply with audit requirements.

This guide provides you with all the necessary information if you're preparing for an IT audit, participating in an IT audit or responding to an IT audit.

  • Provides a concise treatment of IT auditing, allowing you to prepare for, participate in, and respond to the results
  • Discusses the pros and cons of doing internal and external IT audits, including the benefits and potential drawbacks of each
  • Covers the basics of complex regulations and standards, such as Sarbanes-Oxley, SEC (public companies), HIPAA, and FFIEC
  • Includes most methods and frameworks, including GAAS, COSO, COBIT, ITIL, ISO (27000), and FISCAM


Information

Publisher
Syngress
Year
2013
ISBN
9780124171763
Category
Cyber Security

Chapter 1

IT Audit Fundamentals

This chapter gives a broad overview of IT auditing, explaining what auditing is, why auditing is performed, the subjects of audits, and who conducts audits, and defining key terms and concepts referenced throughout the book. It seeks to answer the basic questions someone new to IT auditing would ask—the who, what, when, where, and why—and subsequently sets up more detailed chapters that go into more depth as to how auditing is done. This chapter distinguishes between internal and external auditing in terms of the purposes, rationale, and requirements for each and carries this distinction through to the types of organizations and auditors involved. It also describes the various career paths and professional development activities associated with developing IT auditors.

Key Words

IT audit; auditors; information assurance; governance

Information in this chapter

What is Auditing?
Why Audit?
Who Gets Audited?
Who Does Auditing?

Dependence on information technology (IT) is a characteristic common to virtually all modern organizations. Organizations rely on information and the processes and enabling technology needed to use and effectively manage information. This reliance characterizes public and private sector organizations, regardless of mission, industry, geographic location, or organization type. IT is critical to organizational success, operating efficiency, competitiveness, and even survival, making imperative the need for organizations to ensure the correct and effective use of IT. In this context, it is important that resources are efficiently allocated, that IT functions at a sufficient level of performance and quality to effectively support the business, and that information assets are adequately secured consistent with the risk tolerance of the organization. Such assets must also be governed effectively, meaning that they operate as intended, work correctly, and function in a way that complies with applicable regulations and standards. IT auditing can help organizations achieve all of these objectives.
Auditing IT differs in significant ways from auditing financial records, general operations, or business processes. Each of these auditing disciplines, however, shares a common foundation of auditing principles, standards of practice, and high-level processes and activities. IT auditing is also a component of other major types of auditing, as illustrated conceptually in Figure 1.1. To the extent that financial and accounting practices in audited organizations use IT, financial audits must address technology-based controls and their contribution to effectively supporting internal financial controls. Operational audits examine the effectiveness of one or more business processes or organizational functions and the efficient use of resources in support of organizational goals and objectives. Information systems and other technology represent key resources often included in the scope of operational audits. Quality audits apply to many aspects of organizations, including business processes or other operational focus areas, IT management, and information security programs and practices. A common set of auditing standards, principles, and practices informs these types of auditing, centered as they are on an organization’s internal controls. IT auditing, however, exhibits a greater breadth and variety than financial, operational, or quality auditing alone in the sense that it not only represents an element of other major types of audits but also comprises many different approaches, subject matter areas, and perspectives corresponding to the nature of an organization’s IT environment, governance model, and audit objectives.
Figure 1.1 IT auditing has much in common with other types of audit and overlaps in many respects with financial, operational, and quality audit practices.

What is IT auditing?

An audit is often defined as an independent examination, inspection, or review. While the term applies to evaluations of many different subjects, the most frequent usage is with respect to examining an organization’s financial statements or accounts. In contrast to conventional dictionary definitions and sources focused on the accounting connotation of audit, definitions used by broad-scope audit standards bodies and in IT auditing contexts neither constrain nor presume the subject to which an audit applies. For example, the International Organization for Standardization (ISO) guidelines on auditing use the term audit to mean a “systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled” [1] and the Information Technology Infrastructure Library (ITIL) glossary defines audit as “formal inspection and verification to check whether a standard or set of guidelines is being followed, that records are accurate, or that efficiency and effectiveness targets are being met [2].” Such general interpretations are well suited to IT auditing, which comprises a wide range of standards, requirements, and other audit criteria corresponding to processes, systems, technologies, or entire organizations subject to IT audits.
It is important to use “IT” to qualify IT audit and distinguish it from the more common financial connotation of the word audit used alone. Official definitions emphasizing the financial context appear in many standards and even in the text of the Sarbanes–Oxley Act, which defines audit to mean “the examination of financial statements of any issuer” of securities (i.e., a publicly traded company) [3]. The Act also uses both the terms evaluation and assessment when referring to required audits of companies’ internal control structure and procedures. When developing IT audit plans and other materials that reference standards, principles, processes, or other prescriptive guidance for conducting IT audits, it helps to be specific, particularly if the audience for such documentation extends beyond IT auditors or other IT-focused personnel.
The definitions cited above also emphasize a characteristic that differentiates audits from other types of evaluations or assessments by referring to explicit criteria that provide the basis for comparison between what is expected or required in an organization and what is actually observed or demonstrated through evidence. Words like assessment, evaluation, and review are often used synonymously with the term audit and while it is certainly true that an audit is a type of evaluation, some specific characteristics of auditing distinguish it from concepts implied by the use of more general terms. An audit always has a baseline or standard of reference against which the subject of the audit is compared. An audit is not intended to check on the use of best practices or (with the possible exception of operational audits) to see if opportunities exist to improve or optimize processes or operational characteristics. Instead, there is a set standard providing a basis for comparison established prior to initiating the audit. Auditors compare the subjects of the audit—processes, systems, components, software, or organizations overall—explicitly to that predefined standard to determine if the subject satisfies the criteria. Audit determinations tend to be more binary than results of other types of assessments or evaluations, in the sense that a given item either meets or fails to meet applicable requirements—auditors often articulate audit findings in terms of controls’ conformity or nonconformity to criteria [1]. Audit findings identify deficiencies where what the auditor observes or discovers through analysis of audit evidence differs from what was expected or required such that the audit subject cannot satisfy a requirement.
In contrast, a typical assessment might have a quantitative (i.e., score) or qualitative scale of ratings (e.g., poor, fair, good, excellent) and produce findings and recommendations for improvement in areas observed to be operating effectively or those considered deficient. Because auditors work from an established standard or set of criteria, IT audits using comprehensive or well thought-out requirements may be less subjective and more reliable than other types of evaluations or assessments.
It is impossible to overstate the importance of the baseline to an effective audit. In both external and internal audits, an auditor’s obligation is to fully understand the baseline and use that knowledge to accurately and objectively compare the subject of the audit to the criteria specified in the baseline. The use of formally specified audit criteria also means that an organization anticipating or undergoing an audit should not be surprised by the nature of the audit, what it covers, or what requirements the organization is expected to meet. External audits—especially those driven by regulatory mandates or certification standards—follow procedures and apply criteria that should be available and just as well known to organizations being audited as by the external auditors conducting the audits. Internal audits follow strategies, plans, and procedures dictated by the organization itself in its audit program, so internal auditors and the business units, system owners, project managers, operations staff, and personnel subject to or supporting audits should also be familiar with the audit criteria to be used.
Like other types of audits, IT audits compare actual organizational processes, practices, capabilities, or controls against a predefined baseline. For an external audit, the audit baseline is usually defined in rules or legal or regulatory requirements related to the purpose and objectives of the external audit. For internal audits, organizations often have some flexibility to define their own baseline or to adopt standards, frameworks, or requirements specified by other organizations, including those described in Chapters 9 and 10.

Internal controls

External and internal IT audits share a common focus: the internal controls implemented and maintained by the organization being audited. Controls are a central element of IT management, defined and referenced through standards, guidance, methodologies, and frameworks addressing business processes; service delivery and management; information systems design, implementation, and operation; information security; and IT governance. Leading sources of IT governance and IT auditing guidance distinguish between internal control and internal controls. The Committee of Sponsoring Organizations of the Treadway Commission (COSO) defines internal control as a process “designed to provide reasonable assurance regarding the achievement of objectives” including operational effectiveness and efficiency, reliable reporting, and legal and regulatory compliance. In this context, a control is “a policy or procedure that is part of internal control,” the result of policies and procedures designed to effect control [4]. The IT Governance Institute offers a definition consistent with COSO: “policies, plans and procedures, and organizational structures designed to provide reasonable assurance that business objectives will be achieved and undesired events will be prevented or detected and corrected [5].” This makes for a somewhat circular and potentially confusing formulation in which internal controls are discrete elements applied within a management process of control in support of an organizational objective of establishing and maintaining control.
From the perspective of planning and performing IT audits, internal controls represent the substance of auditing activities, as the controls are the items that are examined, tested, analyzed, or otherwise evaluated. Organizations often implement large numbers of internal controls intended to achieve a wide variety of control objectives. Categorizing internal controls facilitates the documentation, tracking, and management of the diverse sets of controls present in many organizations. The prevalent control categorization schemes used in internal control frameworks, IT audit, and assessment guidance, and applicable legislation classify controls by purpose, by functional type, or both. Purpose-based categories include preventive, detective, and corrective controls, where organizations use preventive controls to try to keep unintended or undesirable events from occurring, detective controls to discover when such things have happened, and corrective controls to respond or recover after unwanted events occur. Controls are further separated by function into administrative, technical, and physical control types, as illustrated in Figure 1.2. Administrative controls include organizational policies, procedures, and p...
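As an added example (not from the book) of two points the chapter makes, that an audit compares evidence to a baseline fixed in advance and yields binary conformity findings while an assessment grades the same evidence on a scale, and that controls are categorized by purpose and by functional type, the following Python sketch runs a small baseline against collected evidence. The control identifiers, requirements and evidence values are constructed for illustration and are not taken from any standard or framework.

```python
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Tuple

@dataclass(frozen=True)
class Criterion:
    control_id: str                   # constructed identifier, not from any real framework
    requirement: str                  # what the baseline expects, fixed before the audit starts
    purpose: str                      # preventive, detective or corrective
    control_type: str                 # administrative, technical or physical
    evidence_key: str                 # which collected evidence item the check reads
    satisfied: Callable[[Any], bool]  # True when the observed value meets the requirement

@dataclass(frozen=True)
class Finding:
    control_id: str
    conforms: bool   # audit determinations are binary: conforms or does not
    expected: str
    observed: Any    # None when no evidence was produced for the criterion

# Constructed baseline for illustration; the values are not taken from any standard.
BASELINE: Tuple[Criterion, ...] = (
    Criterion("CTL-01", "Password minimum length of at least 12 characters",
              "preventive", "technical", "password_min_length", lambda v: v >= 12),
    Criterion("CTL-02", "Security logs reviewed at least weekly",
              "detective", "administrative", "log_review_interval_days", lambda v: v <= 7),
    Criterion("CTL-03", "Backup restore tested within the last 90 days",
              "corrective", "technical", "days_since_restore_test", lambda v: v <= 90),
    Criterion("CTL-04", "Server room entry controlled by badge reader",
              "preventive", "physical", "server_room_badge_access", lambda v: v is True),
)

# Constructed evidence, as it might be collected from the audited organization.
EVIDENCE: Dict[str, Any] = {"password_min_length": 8, "log_review_interval_days": 7,
                            "days_since_restore_test": 120, "server_room_badge_access": True}

def audit(evidence: Dict[str, Any], baseline=BASELINE) -> List[Finding]:
    """Compare each criterion with the evidence; missing evidence is a deficiency, not a pass."""
    findings = []
    for c in baseline:
        observed = evidence.get(c.evidence_key)
        conforms = observed is not None and bool(c.satisfied(observed))
        findings.append(Finding(c.control_id, conforms, c.requirement, observed))
    return findings

def assess(findings: List[Finding]) -> str:
    """The same evidence reported as an assessment would: a graded rating rather than pass/fail."""
    share = sum(f.conforms for f in findings) / len(findings)
    return "excellent" if share == 1 else "good" if share >= 0.75 else "fair" if share >= 0.5 else "poor"

def controls_by_category(baseline=BASELINE) -> Dict[Tuple[str, str], List[str]]:
    """Group baseline controls by (purpose, type), the two categorization axes the chapter describes."""
    groups: Dict[Tuple[str, str], List[str]] = {}
    for c in baseline:
        groups.setdefault((c.purpose, c.control_type), []).append(c.control_id)
    return groups
```

With the constructed evidence, CTL-01 and CTL-03 are nonconforming deficiencies, while the assessment view of the same facts is simply a "fair" rating; an empty evidence set produces no conformities at all, since absent evidence cannot satisfy a criterion.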


Citation styles for The Basics of IT Audit

APA 6 Citation

Gantz, S. (2013). The Basics of IT Audit ([edition unavailable]). Elsevier Science. Retrieved from https://www.perlego.com/book/1809332/the-basics-of-it-audit-purposes-processes-and-practical-information-pdf (Original work published 2013)

Chicago Citation

Gantz, Stephen. (2013) 2013. The Basics of IT Audit. [Edition unavailable]. Elsevier Science. https://www.perlego.com/book/1809332/the-basics-of-it-audit-purposes-processes-and-practical-information-pdf.

Harvard Citation

Gantz, S. (2013) The Basics of IT Audit. [edition unavailable]. Elsevier Science. Available at: https://www.perlego.com/book/1809332/the-basics-of-it-audit-purposes-processes-and-practical-information-pdf (Accessed: 15 October 2022).

MLA 7 Citation

Gantz, Stephen. The Basics of IT Audit. [edition unavailable]. Elsevier Science, 2013. Web. 15 Oct. 2022.