The Basics of IT Audit: Purposes, Processes, and Practical Information
About this ebook
The Basics of IT Audit: Purposes, Processes, and Practical Information provides a thorough yet concise overview of IT auditing. Packed with specific examples, this book gives insight into the auditing process and explains regulations and standards such as the ISO 27000 series, COBIT, ITIL, Sarbanes-Oxley, and HIPAA.
IT auditing occurs in some form in virtually every organization, private or public, large or small. The large number and wide variety of laws, regulations, policies, and industry standards that call for IT auditing make it hard for organizations to consistently and effectively prepare for, conduct, and respond to the results of audits, or to comply with audit requirements.
This guide provides the information you need whether you are preparing for, participating in, or responding to an IT audit.
- Provides a concise treatment of IT auditing, allowing you to prepare for, participate in, and respond to the results
- Discusses the pros and cons of doing internal and external IT audits, including the benefits and potential drawbacks of each
- Covers the basics of complex regulations and standards, such as Sarbanes-Oxley, SEC (public companies), HIPAA, and FFIEC
- Covers the major audit methods and frameworks, including GAAS, COSO, COBIT, ITIL, ISO 27000, and FISCAM
Stephen D. Gantz
Stephen Gantz (CISSP-ISSAP, CEH, CGEIT, CRISC, CIPP/G, C|CISO) is an information security and IT consultant with over 20 years of experience in security and privacy management, enterprise architecture, systems development and integration, and strategic planning. He currently holds an executive position with a health information technology services firm primarily serving federal and state government customers. He is also an Associate Professor of Information Assurance in the Graduate School at University of Maryland University College. He maintains a security-focused website and blog at http://www.securityarchitecture.com. Steve’s security and privacy expertise spans program management, security architecture, policy development and enforcement, risk assessment, and regulatory compliance with major legislation such as FISMA, HIPAA, and the Privacy Act. His industry experience includes health, financial services, higher education, consumer products, and manufacturing, but since 2000 his work has focused on security and other information resources management functions in federal government agencies. His prior work history includes completing projects for government clients including the Departments of Defense, Labor, and Health and Human Services, Office of Management and Budget, Federal Deposit Insurance Corporation, U.S. Postal Service, and U.S. Senate. Steve holds a master’s degree in public policy from the Kennedy School of Government at Harvard University, and also earned his bachelor’s degree from Harvard. He is nearing completion of the Doctor of Management program at UMUC, where his dissertation focuses on trust and distrust in networks and inter-organizational relationships. Steve currently resides in Arlington, Virginia with his wife Reneé and children Henry, Claire, and Gillian.
Book preview
The Basics of IT Audit - Stephen D. Gantz
1 IT Audit Fundamentals
This chapter gives a broad overview of IT auditing, explaining what auditing is, why auditing is performed, the subjects of audits, and who conducts audits, and defining key terms and concepts referenced throughout the book. It seeks to answer the basic questions someone new to IT auditing would ask—the who, what, when, where, and why—and subsequently sets up more detailed chapters that go into more depth as to how auditing is done. This chapter distinguishes between internal and external auditing in terms of the purposes, rationale, and requirements for each and carries this distinction through to the types of organizations and auditors involved. It also describes the various career paths and professional development activities associated with developing IT auditors.
Key Words
IT audit; auditors; information assurance; governance
Information in this chapter
• What is Auditing?
• Why Audit?
• Who Gets Audited?
• Who Does Auditing?
Dependence on information technology (IT) is a characteristic common to virtually all modern organizations. Organizations rely on information and on the processes and enabling technology needed to use and effectively manage information. This reliance characterizes public and private sector organizations, regardless of mission, industry, geographic location, or organization type. IT is critical to organizational success, operating efficiency, competitiveness, and even survival, making it imperative that organizations ensure the correct and effective use of IT. In this context, it is important that resources are efficiently allocated, that IT functions at a sufficient level of performance and quality to effectively support the business, and that information assets are adequately secured consistent with the risk tolerance of the organization. Such assets must also be governed effectively, meaning that they operate as intended, work correctly, and function in a way that complies with applicable regulations and standards. IT auditing can help organizations achieve all of these objectives.
Auditing IT differs in significant ways from auditing financial records, general operations, or business processes. Each of these auditing disciplines, however, shares a common foundation of auditing principles, standards of practice, and high-level processes and activities. IT auditing is also a component of other major types of auditing, as illustrated conceptually in Figure 1.1. To the extent that financial and accounting practices in audited organizations use IT, financial audits must address technology-based controls and their contribution to effectively supporting internal financial controls. Operational audits examine the effectiveness of one or more business processes or organizational functions and the efficient use of resources in support of organizational goals and objectives. Information systems and other technology represent key resources often included in the scope of operational audits. Quality audits apply to many aspects of organizations, including business processes or other operational focus areas, IT management, and information security programs and practices. A common set of auditing standards, principles, and practices informs these types of auditing, centered as they are on an organization’s internal controls. IT auditing, however, exhibits a greater breadth and variety than financial, operational, or quality auditing alone in the sense that it not only represents an element of other major types of audits but also comprises many different approaches, subject matter areas, and perspectives corresponding to the nature of an organization’s IT environment, governance model, and audit