Author: Veena Hingarh, Arif Ahmed
Publisher: Wiley
Availability: 3-6 weeks
Price: 483,00 zł
Before placing an order, please contact us by e-mail to confirm the price.
ISBN13: 9781118343746
ISBN10: 1118343743
Author: Veena Hingarh, Arif Ahmed
Binding: Hardback
Publication date: 2013-03-15
Number of pages: 304
Dimensions: 263x187
Subjects: KF
"This comprehensive book forms a basis for new auditors as well as experienced auditors working within an IT environment. Covering, as it does, such aspects as hardware and software security, the conducting of an information systems risk-based audit, as well as business continuity and disaster recovery planning, it acts as a reference manual as well as an instruction manual. Some of the focal areas such as security testing and vulnerability analysis are of particular benefit to the auditor, and the inclusion of ISecGrade Checklists makes this a must-have addition to any IT auditor's library."
Richard Cascarino, MBA, CIA, CRMA, CFE, CISM
"Network security among organizations remains a major challenge in the evolution of the digital economy. If it were simply a technology issue the organizations could rely on IT engineers to deploy marvels of technological excellence. But ensuring continuous security is more than a mere technical matter. The authors, who are an extraordinary blend of accounting professionals with rich international experience and network security experts (CISA certified), have superbly deployed their own professional expertise to bring out a practical guide to organizational security in the digital economy. Like a master blender they have provided a rich interdisciplinary perspective with centrality of managerial responsibility. The central theme is that both technological design and managerial systems must continuously evolve in tandem. The book will be an invaluable guide for such organizations that are looking to enhance their management control systems and dynamically evolve along with technological change."
Anil Rawat, PhD, Director, Institute of Business Management & Technology; Director, International Academy for Knowledge, Innovation & Technology Management, Bangalore
"A balanced and practical book that covers all the key elements of information security. While it is an ideal reference for IS/IT managers, auditors, and chartered accountants, the book does not lose relevance for the practitioners of IS, and keeps up to the demands of business and industry by addressing current management and auditing techniques of information security. The templates available in the book are especially useful for quick, out-of-the-box implementation of an in-house or external IS audit. It's a reference book, practitioner's handbook, and a textbook on IS audit rolled into one!"
Mridul Banerjee, CISM, CRISC
"The authors provide an excellent overview of the information systems audit process, with an emphasis on today's evolving newer technologies and issues, such as performing audits in an e-commerce environment and systems security testing. The book is particularly strong in providing good, precise definitions and the audit implications for many of the technology concepts such as routers, thin clients, or cloud computing that are frequently used by information system auditors but where accurate definitions are often difficult. This kind of information helps both information system auditing newcomers and experienced professionals.
In addition to a wide range of information systems auditing and risk-based materials, the book has a large section of detailed information systems audit checklists that can be tailored to many environments. The book is an excellent resource for the information systems audit professional."
Robert R. Moeller, CPA, CISA, CISSP, author of multiple books on internal auditing, risk management, and IT governance
Preface xi
Acknowledgments xv
PART ONE: CONDUCTING AN INFORMATION SYSTEMS AUDIT 1
Chapter 1: Overview of Systems Audit 3
Information Systems Audit 3
Information Systems Auditor 4
Legal Requirements of an Information Systems Audit 4
Systems Environment and Information Systems Audit 7
Information System Assets 8
Classification of Controls 9
The Impact of Computers on Information 12
The Impact of Computers on Auditing 14
Information Systems Audit Coverage 15
Chapter 2: Hardware Security Issues 17
Hardware Security Objective 17
Peripheral Devices and Storage Media 22
Client-Server Architecture 23
Authentication Devices 24
Hardware Acquisition 24
Hardware Maintenance 26
Management of Obsolescence 27
Disposal of Equipment 28
Problem Management 29
Change Management 30
Network and Communication Issues 31
Chapter 3: Software Security Issues 41
Overview of Types of Software 41
Elements of Software Security 47
Control Issues during Installation and Maintenance 53
Licensing Issues 55
Problem and Change Management 56
Chapter 4: Information Systems Audit Requirements 59
Risk Analysis 59
Threats, Vulnerability, Exposure, Likelihood, and Attack 61
Information Systems Control Objectives 61
Information Systems Audit Objectives 62
System Effectiveness and Efficiency 63
Information Systems Abuse 63
Asset Safeguarding Objective and Process 64
Evidence Collection and Evaluation 65
Logs and Audit Trails as Evidence 67
Chapter 5: Conducting an Information Systems Audit 71
Audit Program 71
Audit Plan 72
Audit Procedures and Approaches 75
System Understanding and Review 77
Compliance Reviews and Tests 77
Substantive Reviews and Tests 80
Audit Tools and Techniques 81
Sampling Techniques 84
Audit Questionnaire 85
Audit Documentation 86
Audit Report 87
Auditing Approaches 89
Sample Audit Work-Planning Memo 91
Sample Audit Work Process Flow 93
Chapter 6: Risk-Based Systems Audit 101
Conducting a Risk-Based Information Systems Audit 101
Risk Assessment 104
Risk Matrix 105
Risk and Audit Sample Determination 107
Audit Risk Assessment 109
Risk Management Strategy 112
Chapter 7: Business Continuity and Disaster Recovery Plan 115
Business Continuity and Disaster Recovery Process 115
Business Impact Analysis 116
Incident Response Plan 118
Disaster Recovery Plan 119
Types of Disaster Recovery Plans 120
Emergency Preparedness Audit Checklist 121
Business Continuity Strategies 122
Business Resumption Plan Audit Checklist 123
Recovery Procedures Testing Checklist 126
Plan Maintenance Checklist 126
Vital Records Retention Checklist 127
Forms and Documents 128
Chapter 8: Auditing in the E-Commerce Environment 147
Introduction 147
Objectives of an Information Systems Audit in the E-Commerce Environment 148
General Overview 149
Auditing E-Commerce Functions 150
E-Commerce Policies and Procedures Review 155
Impact of E-Commerce on Internal Control 155
Chapter 9: Security Testing 159
Cybersecurity 159
Cybercrimes 160
What Is Vulnerable to Attack? 162
How Cyberattacks Occur 162
What Is Vulnerability Analysis? 165
Cyberforensics 168
Digital Evidence 170
Chapter 10: Case Study: Conducting an Information Systems Audit 173
Important Security Issues in Banks 174
Implementing an Information Systems Audit at a Bank Branch 180
Special Considerations in a Core Banking System 185
PART TWO: INFORMATION SYSTEMS AUDITING CHECKLISTS 197
Chapter 11: ISecGrade Auditing Framework 199
Introduction 199
Licensing and Limitations 200
Methodology 200
Domains 200
Grading Structure 202
Selection of Checklist 203
Format of Audit Report 206
Using the Audit Report Format 207
Chapter 12: ISecGrade Checklists 209
Checklist Structure 209
Information Systems Audit Checklists 210
Chapter 13: Session Quiz 281
Chapter 1: Overview of Systems Audit 281
Chapter 2: Hardware Security Issues 284
Chapter 3: Software Security Issues 286
Chapter 4: Information Systems Audit Requirements 288
Chapter 5: Conducting an Information Systems Audit 290
Chapter 6: Risk-Based Systems Audit 293
Chapter 7: Business Continuity and Disaster Recovery Plan 294
Chapter 8: Auditing in an E-Commerce Environment 296
Chapter 9: Security Testing 297
About the Authors 299
About the Website 301
Index 303
VEENA HINGARH is Joint Director of the South Asian Management Technologies Foundation, a center for research, training, and application in the areas of finance and risk management, which provides training in areas including IS auditing, enterprise risk management, and risk modeling. Winner of numerous merit-based awards during her career, Hingarh's major areas of focus are IFRS and IS. She speaks frequently at conferences and platforms throughout Asia and the Middle East. Hingarh is a Chartered Accountant from the Institute of Chartered Accountants of India (ICAI), Certified Company Secretary of the Institute of Company Secretaries of India (ICSI), and Certified Information System Auditor (CISA) from ISACA (USA).
ARIF AHMED is a professor at and Director of the South Asian Management Technologies Foundation as well as a Chartered Accountant from the Institute of Chartered Accountants of India (ICAI). He is an Information Security Management System Lead Auditor for the British Standards Institution. Ahmed's areas of focus are finance and risk management, and he has over two decades of postqualification experience in training and strategic consulting. He has been interviewed and quoted throughout the media and has spoken at various seminars and institutions, including the Institute of Chartered Accountants of India, XLRI, and the Institute of Company Secretaries of India.