Information Technology Control and Audit

Date post: 08-Dec-2016
Information Technology Control and Audit

Third Edition

CRC_AU6550_FM.indd i 10/10/2008 12:05:20 PM

OTHER INFORMATION SECURITY BOOKS FROM AUERBACH

Architecting Secure Software Systems
Asoke K. Talukder and Manish Chaitanya
ISBN: 978-1-4200-8784-0

Building an Effective Information Security Policy Architecture
Sandy Bacik
ISBN: 978-1-4200-5905-2

CISO Soft Skills: Securing Organizations Impaired by Employee Politics, Apathy, and Intolerant Perspectives
Ron Collette, Michael Gentile and Skye Gentile
ISBN: 978-1-4200-8910-3

Critical Infrastructure: Understanding Its Component Parts, Vulnerabilities, Operating Risks, and Interdependencies
Tyson Macaulay
ISBN: 978-1-4200-6835-1

Cyber Forensics: A Field Manual for Collecting, Examining, and Preserving Evidence of Computer Crimes, Second Edition
Albert Marcella, Jr. and Doug Menendez
ISBN: 978-0-8493-8328-1

Digital Privacy: Theory, Technologies, and Practices
Alessandro Acquisti, Stefanos Gritzalis, Costas Lambrinoudakis and Sabrina di Vimercati
ISBN: 978-1-4200-5217-6

How to Achieve 27001 Certification: An Example of Applied Compliance Management
Sigurjon Thor Arnason and Keith D. Willett
ISBN: 978-0-8493-3648-5

How to Complete a Risk Assessment in 5 Days or Less
Thomas R. Peltier
ISBN: 978-1-4200-6275-5

Information Assurance Architecture
Keith D. Willett
ISBN: 978-0-8493-8067-9

Information Security Management Handbook, Sixth Edition
Harold F. Tipton and Micki Krause, Editors
ISBN: 978-0-8493-7495-1

Information Technology Control and Audit, Third Edition
Sandra Senft and Frederick Gallegos
ISBN: 978-1-4200-6550-3

Insider Computer Fraud: An In-depth Framework for Detecting and Defending against Insider IT Attacks
Kenneth Brancik
ISBN: 978-1-4200-4659-5

IT Auditing and Sarbanes-Oxley Compliance: Key Strategies for Business Improvement
Dimitris N. Chorafas
ISBN: 978-1-4200-8617-1

Malicious Bots: An Inside Look into the Cyber-Criminal Underground of the Internet
Ken Dunham and Jim Melnick
ISBN: 978-1-4200-6903-7

Mechanics of User Identification and Authentication: Fundamentals of Identity Management
Dobromir Todorov
ISBN: 978-1-4200-5219-0

Oracle Identity Management: Governance, Risk, and Compliance Architecture, Third Edition
Marlin B. Pohlman
ISBN: 978-1-4200-7247-1

Profiling Hackers: The Science of Criminal Profiling as Applied to the World of Hacking
Silvio Ciappi and Stefania Ducci
ISBN: 978-1-4200-8693-5

Security in an IPv6 Environment
Daniel Minoli and Jake Kouns
ISBN: 978-1-4200-9229-5

Security Software Development: Assessing and Managing Security Risks
Douglas A. Ashbaugh
ISBN: 978-1-4200-6380-6

Software Deployment, Updating, and Patching
Bill Stackpole and Patrick Hanrion
ISBN: 978-0-8493-5800-5

Understanding and Applying Cryptography and Data Security
Adam J. Elbirt
ISBN: 978-1-4200-6160-4

AUERBACH PUBLICATIONS
www.auerbach-publications.com

E-mail: [email protected]


Information Technology Control and Audit

Sandra Senft and Frederick Gallegos

Third Edition


Auerbach Publications
Taylor & Francis Group
6000 Broken Sound Parkway NW, Suite 300
Boca Raton, FL 33487-2742

© 2009 by Taylor & Francis Group, LLC
Auerbach is an imprint of Taylor & Francis Group, an Informa business

No claim to original U.S. Government works
Printed in the United States of America on acid-free paper
10 9 8 7 6 5 4 3 2 1

International Standard Book Number-13: 978-1-4200-6550-3 (Hardcover)

This book contains information obtained from authentic and highly regarded sources. Reasonable efforts have been made to publish reliable data and information, but the author and publisher cannot assume responsibility for the validity of all materials or the consequences of their use. The authors and publishers have attempted to trace the copyright holders of all material reproduced in this publication and apologize to copyright holders if permission to publish in this form has not been obtained. If any copyright material has not been acknowledged please write and let us know so we may rectify in any future reprint.

Except as permitted under U.S. Copyright Law, no part of this book may be reprinted, reproduced, transmitted, or utilized in any form by any electronic, mechanical, or other means, now known or hereafter invented, including photocopying, microfilming, and recording, or in any information storage or retrieval system, without written permission from the publishers.

For permission to photocopy or use material electronically from this work, please access www.copyright.com (http://www.copyright.com/) or contact the Copyright Clearance Center, Inc. (CCC), 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400. CCC is a not-for-profit organization that provides licenses and registration for a variety of users. For organizations that have been granted a photocopy license by the CCC, a separate system of payment has been arranged.

Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and are used only for identification and explanation without intent to infringe.

Visit the Taylor & Francis Web site at
http://www.taylorandfrancis.com

and the Auerbach Web site at
http://www.auerbach-publications.com



Contents

Preface ... xxix
Acknowledgments ... xxxi
Authors ... xxxiii

PART I: A FOUNDATION FOR IT AUDIT AND CONTROL

1 Information Technology Environment: Why Are Controls and Audit Important? ... 3
  IT Today and Tomorrow ... 5
  Information Integrity, Reliability, and Validity: Importance in Today's Global Business Environment ... 6
  Control and Audit: A Global Concern ... 8
  E-Commerce and Electronic Funds Transfer ... 9
  Future of Electronic Payment Systems ... 9
  Legal Issues Impacting IT ... 10
  Federal Financial Integrity Legislation ... 10
  Federal Security Legislation ... 11
    The Computer Fraud and Abuse Act ... 11
    The Computer Security Act of 1987 ... 12
  Privacy on the Information Superhighway ... 12
  Privacy Legislation and the Federal Government Privacy Act ... 13
    Electronic Communications Privacy Act ... 14
    Communications Decency Act of 1995 ... 14
    Health Insurance Portability and Accountability Act of 1996 ... 14
  Security, Privacy, and Audit ... 15
  Conclusion ... 16
  Review Questions ... 18
    Multiple Choice Questions ... 18
    Exercises ... 19
    Answers to Multiple Choice Questions ... 19
  Further Readings ... 19

2 The Legal Environment and Its Impact on Information Technology ... 21
  IT Crime Issues ... 22
  Protection against Computer Fraud ... 23



  The Computer Fraud and Abuse Act ... 24
  Computer Abuse Amendments Act ... 25
    Sarbanes-Oxley Act (Public Law 107-204) ... 26
    Major Points from the Sarbanes-Oxley Act of 2002 ... 27
    Criminal Intent ... 29
    Penalties and Requirements under Title VIII of the Act ... 30
    Penalties and Requirements under Title IX of the Act ... 30
  Remedies and Effectiveness ... 30
  Legislation Providing for Civil and Criminal Penalties ... 31
  The Computer Security Act of 1987 ... 33
  The Homeland Security Act of 2002 ... 34
  Privacy on the Information Superhighway ... 35
  The National Strategy for Securing Cyberspace ... 36
  Methods That Provide for Protection of Information ... 37
  The Web Copyright Law ... 37
  Privacy Legislation and the Federal Government Privacy Act ... 38
    Electronic Communications Privacy Act ... 39
    Communications Decency Act of 1995 ... 40
    Encrypted Communications Privacy Act of 1996 ... 40
    Health Insurance Portability and Accountability Act of 1996 ... 40
      HIPAA Compliance ... 41
      Risk Assessment and Communications Act of 1997 ... 41
      Gramm-Leach-Bliley Act of 1999 ... 41
      Internet Governance ... 41
  Conclusion ... 42
  Review Questions ... 43
    Multiple Choice Questions ... 43
    Exercises ... 44
    Answers to Multiple Choice Questions ... 45
  Notes ... 45
  Further Readings ... 45
  Other Internet Sites ... 46

3 Audit and Review: Its Role in Information Technology ... 47
  The Situation and the Problem ... 47
  Audit Standards ... 48
    Similarities ... 49
    Differences ... 49
  The Importance of Audit Independence ... 49
  Past and Current Accounting and Auditing Pronouncements ... 50
  AICPA Pronouncements: From the Beginning to Now ... 50
  Other Standards ... 52
  Financial Auditing ... 53
  Generally Accepted Accounting Principles ... 54
  Generally Accepted Auditing Standards ... 54
  IT Auditing: What Is It? ... 54
  The Need for the IT Audit Function ... 55



  Auditors Have Standards of Practice ... 57
  Auditors Must Have Independence ... 57
  High Ethical Standards ... 58
  The Auditor: Knowledge, Skills, and Abilities ... 59
  Broadest Experiences ... 60
  Supplemental Skills ... 62
  Trial and Error ... 63
  Role of the IT Auditor ... 63
  IT Auditor as Counselor ... 64
  IT Auditor as Partner of Senior Management ... 64
  IT Auditor as Investigator ... 65
  Types of Auditors and Their Duties, Functions, and Responsibilities ... 66
    The Internal Audit Function ... 66
    The External Auditor ... 67
  Legal Implications ... 68
  Conclusion ... 68
  Review Questions ... 69
    Multiple Choice Questions ... 69
    Exercises ... 70
    Answers to Multiple Choice Questions ... 71
  Notes ... 71
  Further Readings ... 71

4 The Audit Process in an Information Technology Environment ... 75
  Audit Universe ... 75
  Risk Assessment ... 76
  Audit Plan ... 77
  Developing an Audit Schedule ... 78
  Audit Budget ... 78
    Budget Coordination ... 79
    Audit Preparation ... 79
    Audit Scope Objectives ... 79
  Objective and Context ... 79
  Using the Plan to Identify Problems ... 80
  The Audit Process ... 81
  Preliminary Review ... 81
    General Data Gathering ... 83
    Fact Gathering ... 84
  Preliminary Evaluation of Internal Controls ... 84
  Design Audit Procedures ... 84
    Types of IT Audits ... 84
    Reviewing Information System Policies, Procedures, and Standards ... 84
    IT Audit Support of Financial Audits ... 85
    Identifying Financial Application Areas ... 85
    Auditing Financial Applications ... 85
    Management of IT and Enterprise Architecture ... 86
    Computerized Systems and Applications ... 86



    Information Processing Facilities ... 86
    Systems Development ... 87
    Client/Server, Telecommunications, Intranets, and Extranets ... 87
  Fieldwork and Implementing Audit Methodology ... 87
    Test Controls ... 88
    Final Evaluation of Internal Controls ... 88
  Validation of Work Performed ... 88
  Substantive Testing ... 89
  Documenting Results ... 90
    Audit Findings ... 90
    Analysis ... 90
    Reexamination ... 91
      Standards ... 91
      Facts ... 91
    Verification ... 92
    Cause ... 92
    Exposure and Materiality ... 92
    Conclusions ... 93
    Recommendations ... 93
    Working Papers ... 93
    Audit Report ... 94
    Follow Up of Audit Recommendations ... 94
  Communication Strategy ... 94
  Conclusion ... 97
  Review Questions ... 98
    Multiple Choice Questions ... 98
    Exercises ... 99
    Answers to Multiple Choice Questions ... 99
  Further Readings ... 100

5 Auditing Information Technology Using Computer-Assisted Audit Tools and Techniques ... 101
  Auditor Productivity Tools ... 102
    Audit Planning and Tracking ... 102
    Documentation and Presentations ... 103
    Communication ... 103
    Data Management ... 103
    Resource Management ... 104
    Groupware ... 104
  Using Computer-Assisted Audit Tools in the Audit Process ... 104
    Items of Audit Interest ... 106
    Audit Mathematics ... 106
    Data Analysis ... 106
  Flowcharting Techniques ... 107
  Flowcharting as an Analysis Tool ... 109
    Understanding How Computers Process Data ... 110
    Identifying Documents and Their Flow through the System ... 110



    Defining Critical Data ... 111
    Developing Audit Data Flow Diagrams ... 112
    Evaluating the Quality of System Documentation ... 112
    Assessing Controls over Documents ... 112
    Determining the Effectiveness of Processing under Computer Programs ... 113
    Evaluating the Usefulness of Reports ... 113
  Appropriateness of Flowcharting Techniques ... 113
    Sampling ... 114
      Random Attribute Sampling ... 115
      Variable Sampling Techniques ... 116
      System Validation ... 116
  Computer-Assisted Audit Tools and Techniques for Application Reviews ... 116
    Generalized Audit Software ... 116
    Application Testing ... 117
    Designing Tests of Controls ... 117
    Data Analysis ... 118
    Compliance Testing ... 118
    Application Controls ... 118
      Spreadsheet Controls ... 118
      Database Controls ... 119
  Computer-Assisted Audit Tools and Techniques for Operational Reviews ... 119
  Webmetrics ... 123
  Webmetrics as an Audit Tool ... 124
  Computer Forensics ... 125
  Conclusion ... 125
  Review Questions ... 125
    Multiple Choice Questions ... 126
    Exercises ... 127
    Answers to Multiple Choice Questions ... 127
  Further Readings ... 127

6 Managing IT Audit ... 129
  IT Auditor Career Development and Planning ... 129
  Establishing a Career Development Plan ... 130
    Career Path Planning Needs Management Support ... 130
    Knowledge, Skills, and Abilities ... 131
    Performance Assessment ... 132
    Performance Counseling/Feedback ... 133
    Training ... 133
    Professional Development ... 134
  Evaluating IT Audit Quality ... 136
  Terms of Assessment ... 137
  The IT Audit and Auditor Assessment Form ... 137
  Criteria for Assessing the Audit ... 141
  Criteria for Assessing the Auditor ... 141
  Applying the Concept ... 142
  Evaluation of IT Audit Performance ... 142



  What Is a Best Practice? ... 143
    Why Is It Important to Learn about Best Practices? ... 143
    Overview of Best Practices in IT Audit Planning ... 143
    Research ... 144
    Benchmarking ... 145
    Planning Memo ... 145
    Budget Coordination ... 146
    Risk Analysis ... 146
    Kick-Off Meeting ... 148
    Staff Mentoring ... 148
    Coaching ... 148
    Lunch Meetings ... 149
    Understand Requirements ... 149
  Conclusion ... 149
  Review Questions ... 150
    Multiple Choice Questions ... 151
    Exercises ... 152
    Answers to Multiple Choice Questions ... 152
  Further Readings ... 152

7 IT Auditing in the New Millennium ..... 155
IT Auditing Trends ..... 156
The New Dimension: Information Assurance ..... 158
IT Audit: The Profession ..... 159
A Common Body of Knowledge ..... 159
Certification ..... 159
Continuing Education ..... 160
A Code of Ethics and Professional Standards ..... 160
Educational Curricula ..... 160
New Trends in Developing IT Auditors and Education ..... 162
Career Opportunities in the Twenty-First Century ..... 169
Public Accounting ..... 169
Private Industry ..... 169
Management Consulting ..... 170
Government ..... 170
The Role of the IT Auditor in IT Governance ..... 170
The IT Auditor as Counselor ..... 172
The IT Auditor as Partner of Senior Management ..... 172
Educating the Next Generation on IT Audit and Control Opportunities ..... 172
Conclusion ..... 173
Review Questions ..... 173
  Multiple Choice Questions ..... 174
  Exercises ..... 175
  Answers to Multiple Choice Questions ..... 175
Further Readings ..... 175


PART II: AUDITING IT PLANNING AND ORGANIZATION
Chapters 8 through 12 ..... 177

8 IT Governance ..... 181
IT Processes ..... 182
Enterprise Risk Management ..... 183
  What Is Enterprise Risk Management? ..... 184
  Enterprise Risk Management ..... 184
    Organizational Oversight ..... 184
    Magnitude of Problem ..... 186
    Increasing Business Risks ..... 186
    Regulatory Issues ..... 186
    Market Factors ..... 188
    Corporate Governance ..... 188
    Best Practice ..... 189
  Future of Enterprise Risk Management ..... 189
Regulatory Compliance and Internal Controls ..... 191
Performance Measurement ..... 191
  Balanced Scorecard ..... 192
Metrics and Management ..... 192
Metric Reporting ..... 195
Management Responsibilities Today ..... 196
Independent Assurance ..... 196
Conclusion ..... 197
Review Questions ..... 198
  Multiple Choice Questions ..... 198
  Exercises ..... 199
  Answers to Multiple Choice Questions ..... 199
Notes ..... 199
Further Readings ..... 200

9 Strategy and Standards ..... 203
IT Processes ..... 203
Strategic Planning ..... 204
IT Steering Committee ..... 205
  Communication ..... 206
  Operational Planning ..... 206
Portfolio Management ..... 207
Demand Management ..... 207
Project Initiation ..... 208
Technical Review ..... 208
Architecture and Standards ..... 209
  Enterprise Architecture ..... 209
  Business Architecture ..... 211
  Application Architecture ..... 211
  Information Architecture ..... 212
  Infrastructure Architecture ..... 212


  The Architecture Function ..... 212
  Technology Standards ..... 213
An Example of Standards: Technology Risk Management Regulations ..... 213
Where Does Technology Risk Management Belong? ..... 214
The Strategy: An Effective Technology Risk Management Program ..... 215
Example: Importance of Business Strategy in Customer Relationship Management ..... 217
  Focus on Technology ..... 217
  Resistance to Change ..... 218
  Barriers to User Adoption ..... 219
Participation in IT Audit Planning ..... 221
Conclusion ..... 222
Review Questions ..... 223
  Multiple Choice Questions ..... 223
  Exercises ..... 224
  Answers to Multiple Choice Questions ..... 224
Further Readings ..... 224

10 Risk Management ..... 227
IT Processes ..... 227
Risk Assessment ..... 227
  Three Perspectives on Risk ..... 228
    The Guardians ..... 229
    The Gatekeepers ..... 229
  Application of Risk Assessment ..... 230
  Risk Management ..... 230
  Determination of Objectives ..... 231
  IT Risk Identification ..... 231
  IT Risk Assessment Tools and Techniques ..... 232
  IT Risk Evaluation ..... 232
  IT Risk Management ..... 233
IT Insurance Risk ..... 235
  Problems Addressed ..... 235
  Insurance Requirements ..... 235
How to Determine IT Insurance Coverage ..... 237
  Reduction and Retention of Risks ..... 238
Available Guidance ..... 239
  U.S. National Institute of Standards and Technology ..... 240
  Government Accountability Office ..... 240
  American Institute of Certified Public Accountants ..... 244
  Information Systems Audit and Control Association ..... 244
  Institute of Internal Auditors ..... 245
  Committee of Sponsoring Organizations of the Treadway Commission ..... 245
Conclusion ..... 246
Review Questions ..... 246
  Multiple Choice Questions ..... 246


  Exercises ..... 247
  Answers to Multiple Choice Questions ..... 248
Further Readings ..... 248

11 Process and Quality Management ..... 251
IT Processes ..... 252
  Organizational Structure ..... 252
    Centralized ..... 253
    Decentralized ..... 253
    Combination of Centralized and Decentralized ..... 253
    Shared Services ..... 253
    Coordinating Management ..... 254
Roles and Responsibilities ..... 254
  IT Management Responsibilities ..... 254
  User Management Responsibilities ..... 254
Separation of Duties ..... 255
Resource Management ..... 255
Manage Quality ..... 256
Quality Management Standards ..... 257
  Capability Maturity Model Integration ..... 258
  Software Engineering Institute ..... 259
How Maturity Correlates to Quality ..... 259
  International Standards Organization 9000 ..... 259
    ISO 9000 ..... 263
    Getting Started: ISO 9000 ..... 263
  Principal Themes of an ISO 9000 Review ..... 264
IT Process Framework ..... 265
  Policies and Procedures ..... 265
  Comparing Processes and Procedures ..... 266
Auditing Policies and Procedures ..... 267
Conclusion ..... 268
Review Questions ..... 268
  Multiple Choice Questions ..... 268
  Exercises ..... 270
  Answers to Multiple Choice Questions ..... 270
Notes ..... 270
Further Readings ..... 270

12 Financial Management ..... 273
IT Processes ..... 273
Financial Management Framework ..... 274
Investment Approval Process ..... 274
Project Pricing ..... 275
Realizing the Benefits from IT Investments ..... 276
Financial Planning ..... 276
  Operating Budget ..... 277
  Capital Budget ..... 277
  Track against Budget ..... 278


Identify and Allocate Costs ..... 278
  Developing a Pricing Model ..... 279
Transfer Pricing ..... 281
Determining Charging Method ..... 281
  Direct-Charge Method ..... 282
  Indirect-Charge Method ..... 282
  Allocations under Indirect-Charge Method ..... 282
  Determining Arm's Length Price ..... 282
  Cost Contribution Arrangements ..... 282
Structure of U.S. Guidance ..... 283
  Pricing of Services ..... 283
  Benefit Test ..... 283
  Integral Services and Nonintegral Services ..... 283
  Determining the Pricing for Integral Services ..... 284
  Determining the Pricing for Nonintegral Services ..... 284
  Documentation Requirements ..... 285
  Implementing a Pricing Model ..... 285
  Maintaining a Pricing Model ..... 286
  Measuring Consumption ..... 287
IT Asset Management ..... 287
  Benefits of IT Asset Management ..... 288
  Tools ..... 289
  Understanding and Managing Costs ..... 289
  Refreshing Technology ..... 290
  Standardizing Technology ..... 290
  Consolidating Infrastructure ..... 290
  Managing Demand and Service Levels ..... 291
  Standardizing Governance and Processes ..... 291
Conclusion ..... 291
Review Questions ..... 292
  Multiple Choice Questions ..... 292
  Exercises ..... 293
  Answers to Multiple Choice Questions ..... 293
Further Readings ..... 294

PART III: IT ACQUISITION AND IMPLEMENTATION
Chapters 13 through 17 ..... 297

13 IT Project Management ..... 301
IT Processes ..... 302
  Program Management ..... 302
  Program Management versus Project Management ..... 302
  Project Management ..... 303
Project Management Body of Knowledge ..... 304
  Project Management Framework ..... 304
  Project Management ..... 305
  Resource Management ..... 305


  Project Planning ..... 306
  Project Tracking and Oversight ..... 307
  Project Management Tools ..... 307
The Auditor's Role in the Project Management Process ..... 309
  Audit Risk Assessment ..... 312
  Audit Plan ..... 312
  Project Management Process Review ..... 312
  Project Management ..... 313
  Communication ..... 314
Recommendations ..... 314
Example of Project Management Checkpoints and Tools in a Telecom Project ..... 314
  Combating User Resistance to Telecommunications Project Implementation: Involve the User ..... 315
  Project Management Tools: Project Management Software ..... 316
The Importance of Project Planning and Control in the Systems Development Life Cycle ..... 318
Conclusion ..... 319
  Audit Involvement in Planning and Analysis ..... 320
  Conception of the Plan ..... 320
  Project Organization ..... 321
Conclusion ..... 321
Review Questions ..... 322
  Multiple Choice Questions ..... 322
  Exercises ..... 323
  Answers to Multiple Choice Questions ..... 323
Further Readings ..... 323

14 Software Development and Implementation ..... 325
IT Processes ..... 325
Approaches to Software Development ..... 325
Software Development Process ..... 327
Prototypes and Rapid Application Development ..... 327
End-User Development ..... 327
Traditional Information Software Development ..... 328
  Software Development Phases ..... 329
    Analysis ..... 330
    Design ..... 330
    Construction ..... 330
    Testing ..... 330
    System Documentation ..... 331
    Implementation ..... 332
The System Implementation Process ..... 333
  Implementation Approach ..... 334
  System Testing ..... 334
  User Processes and Procedures ..... 334
  Management Reports and Controls ..... 335
  Problem Management/Reporting ..... 335


    User Acceptance Testing ........................................................................................335Acceptance Team ...................................................................................... 336Agreed-Upon Requirements ...................................................................... 336Management Approval .............................................................................. 336

    Help Desk and Production Support Training and Readiness ......................................... 336Data Conversion and Data Correction Processes ...................................................337Operational Procedures and Readiness ..................................................................337IT Disaster/Continuity Plans .................................................................................338Security .................................................................................................................338

    e Auditors Role in the Development Process ..............................................................339Risk Assessment ............................................................................................................. 340Audit Plan ...................................................................................................................... 341Software Development Controls Review ........................................................................ 341Software Development Life Cycle .................................................................................. 342

    Analysis ........ 342
    Design ........ 342
    Construction ........ 343
    Testing ........ 343
    Documentation ........ 343
    Implementation ........ 343
    Postimplementation ........ 344
    Change Control ........ 344
    Application Controls ........ 344
    Communication ........ 344
    Recommendations ........ 344
    Audit Report ........ 345

    Conclusion ........ 345
    Review Questions ........ 346

    Multiple Choice Questions ........ 346
    Exercises ........ 348
    Answers to Multiple Choice Questions ........ 348

    Further Readings ........................................................................................................... 348

    15 IT Sourcing ........ 351
    IT Processes ........ 351
    Sourcing Strategy ........ 351
    Software Acquisition Process ........ 352

    Defining the Information and System Requirements ........ 353
    Prototypes and Rapid Application Development ........ 353
    The Requirements Document ........ 354

    Identifying Various Alternatives ........ 354
    Off-the-Shelf Solutions ........ 354
    Purchased Package ........ 355
    Contracted Development ........ 355
    Outsourcing a System from Another Organization ........ 355

    Performing a Feasibility Analysis ........ 356
    Conducting a Risk Analysis ........ 356



    Defining Ergonomic Requirements ........ 357
    Carrying Out the Selection Process ........ 357

    Request for Information ........ 357
    Request for Bid ........ 357
    Request for Proposal ........ 357
    Evaluating Proposals ........ 358
    Procurement and Supplier Management ........ 359

    Procuring the Selected Software ........ 359
    Other Considerations for Software Contracts and Licenses ........ 361
    Completing Final Acceptance ........ 361

    IT Contract Issues ........ 362
    Strategic Sourcing and Supplier Management ........ 364

    Audit Involvement ........ 365
    Auditing Software Acquisitions ........ 365

    Alignment with the Company's Business and IT Strategy ........ 366
    Definition of the Information Requirements ........ 366

    Prototypes ........ 366
    Feasibility Studies (Cost, Benefits, Etc.) ........ 366
    Identification of Functionality, Operational, Acceptance, and Maintenance Requirements ........ 367
    Conformity with Existing Information and System Architectures ........ 367
    Adherence to Security and Control Requirements ........ 368
    Knowledge of Available Solutions ........ 368
    Understanding of the Related Acquisition and Implementation Methodologies ........ 368
    Involvement and Buy-In from the User ........ 369
    Supplier Requirements and Viability ........ 369
    Audit Involvement ........ 369

    Other Resources for Help and Assistance ........ 370
    Conclusion ........ 370
    Review Questions ........ 371

    Multiple Choice Questions ........ 372
    Exercises ........ 373
    Answers to Multiple Choice Questions ........ 373

    Further Readings ............................................................................................................373

    16 Application Controls and Maintenance ........ 375
    IT Processes ........ 375
    Application Risks ........ 375

    Weak Security ........ 376
    Unauthorized Access or Changes to Data or Programs ........ 377
    Unauthorized Remote Access ........ 377
    Inaccurate Information ........ 377
    Erroneous or Falsified Data Input ........ 377
    Misuse by Authorized End Users ........ 378
    Incomplete Processing ........ 378
    Duplicate Transaction Processing ........ 378
    Untimely Processing ........ 378



    Communications System Failure ........ 378
    Inadequate Testing ........ 378
    Inadequate Training ........ 378
    Inadequate Support ........ 379
    Insufficient Documentation ........ 379

    End-User Computing Application Risks ........ 379
    Inefficient Use of Resources ........ 380
    Incompatible Systems ........ 381
    Redundant Systems ........ 381
    Ineffective Implementations ........ 381
    Absence of Segregation of Duties ........ 382
    Incomplete System Analysis ........ 382
    Unauthorized Access to Data or Programs ........ 382
    Copyright Violations ........ 382
    The Destruction of Information by Computer Viruses ........ 383

    Electronic Data Interchange Application Risks ........ 384
    Implications of Risks in an Electronic Data Interchange System ........ 385

    Application Controls ........ 386
    Input Controls ........ 386
    User Interface ........ 387
    Interfaces ........ 387
    Authenticity ........ 387
    Accuracy ........ 387
    Processing Controls ........ 388
    Completeness ........ 388
    Error Correction ........ 390
    Output Controls ........ 390
    Reconciliation ........ 390
    Distribution ........ 391
    Retention ........ 391
    Functional Testing and Acceptance Testing ........ 391
    Management Approval ........ 391

    Documentation Requirements ........ 392
    Application Software Life Cycle ........ 392
    Application Maintenance ........ 392

    Application Maintenance: Defined ........ 392
    Corrective Maintenance ........ 393
    Adaptive Maintenance ........ 393
    Perfective Maintenance ........ 393

    Measuring Risk for Application Maintenance ........ 394
    Audit Involvement ........ 394

    Conclusion ........ 394
    Review Questions ........ 395

    Multiple Choice Questions ........ 396
    Exercises ........ 397
    Answers to Multiple Choice Questions ........ 397

    Further Readings ........................................................................................................... 398



    17 Change Management ........ 399
    IT Processes ........ 399
    Change Control ........ 399

    Points of Change Origination and Initiation ........ 402
    Approval Points ........ 403
    Changes to Documentation ........ 404
    Review Points ........ 404

    Vulnerabilities in Software Development and Change Control ........ 405
    Software Configuration Management ........ 406
    IT Change Management ........ 408
    Change Management System ........ 408
    Change Request Process ........ 408
    Impact Assessment ........ 410
    Controls over Changes ........ 411
    Emergency Change Process ........ 411
    Revisions to Documentation and Procedures ........ 411
    Authorized Maintenance ........ 412
    Software Release Policy ........ 412
    Software Distribution Process ........ 412
    Change Management Example ........ 413

    Objectives ........ 413
    Scope ........ 414
    Change Management Boards or Committees ........ 414
    Criteria for Approving Changes ........ 415
    Postimplementation ........ 416

    Organizational Change Management ........ 416
    Organizational Culture Defined ........ 416

    Managing Organizational Change ........ 417
    Audit Involvement ........ 418
    Conclusion ........ 419
    Review Questions ........ 420

    Multiple Choice Questions ........ 420
    Exercises ........ 421
    Answers to Multiple Choice Questions ........ 422

    Further Readings ........................................................................................................... 422

    PART IV: IT DELIVERY AND SUPPORT
    COBIT Operational Controls ........ 425

    Comparing COBIT and General Controls for Operational Auditing ........ 425
    Chapters 18 through 22 ........ 425

    18 Service Management ........ 429
    Introduction ........ 429
    IT Processes ........ 429
    Information Technology Infrastructure Library ........ 429
    Implementing IT Service Management ........ 431
    Review Services and Requirements ........ 431



    Define IT Services ........ 432
    Service-Level Agreements ........ 432

    Types of Service-Level Agreements ........ 433
    Customer Service-Level Agreement ........ 433
    Operating-Level Agreement ........ 433
    Supplier Service-Level Agreements ........ 434

    Service Design and Pricing ........ 434
    Processes to Engage Services ........ 436
    Roles and Responsibilities ........ 436

    IT Roles and Responsibilities ........ 436
    Relationship Management ........ 436
    Service Management ........ 437
    Financial Management ........ 437
    Supplier Management ........ 437
    Service Delivery ........ 437
    Change Management ........ 438
    Problem Management ........ 438
    Service Desk ........ 438
    Security Administration ........ 439

    Customer Roles and Responsibilities ........ 439
    Communication ........ 439
    Service Delivery and Monitoring ........ 439

    Service Measurement ........ 440
    What to Measure ........ 440
    How to Measure ........ 441

    Service Management Tools ........ 442
    Customer Satisfaction Surveys ........ 442
    Benchmarking ........

