
An Introduction to IT Auditing

Oursky Limited
November 14, 2011


Transcript

  1. What the heck is this then?
     “While a financial audit's purpose is to evaluate whether an organization is adhering to standard accounting practices, the purposes of an IT audit are to evaluate the system's internal control design and effectiveness.” From Wikipedia – Information technology audit, last updated November 14, 2011
  2. Sounds abstract, what is it about?
     First things first, it is! It can be about development decisions, technological adaptation, R&D, hardware acquisition, market processes, enterprise architecture, security, facilities, risk, business continuity, disaster recovery, planning, documentation... In short, it is about hardware, software, processes and regulations, people, standards and everything in between!
  3. Sounds abstract, what is it about?
     Second, why?
     – To provide job opportunities
     – To ensure compliance of the IT infrastructure for business development
  4. A basic process
     – Defining the scope of the audit
     – Preliminary review
     – Evaluating controls and assessing risks
     – Planning the audit
     – Testing controls
     – Reporting
     – Follow-up
  5. Some really crash 101
     – Scope
     – Risk
       • Mitigation
     – Control
       • Role segregation
       • Physical access
       • Logical access rights
     – Audit trail
     – Objectivity
  6. Some sample questions
     – The questions are extracted from the sample questions of the CISA Review Manual 2011.
     – For instance, the domains for the December 2011 examinations are:
       • The Process of Auditing Information Systems
       • Governance and Management of IT
       • Information Systems Acquisition, Development and Implementation
       • Information Systems Operations, Maintenance and Support
       • Protection of Information Assets
  7. Some sample questions (1)
     – An IS auditor suspects an incident is occurring while an audit is being performed on a financial system. What should the IS auditor do FIRST?
       A) Request that the system be shut down to preserve evidence.
       B) Report the incident to management.
       C) Ask for immediate suspension of the suspect accounts.
       D) Immediately investigate the source and nature of the incident.
  8. Some sample questions (2)
     – An enterprise is developing a strategy to upgrade to a newer version of its database software. Which of the following tasks can an IS auditor perform without compromising the objectivity of the IS audit function?
       A) Advise on the adoption of application controls to the new database software.
       B) Provide future estimates of the licensing expenses to the project team.
       C) Recommend at the project planning meeting how to improve the efficiency of the migration.
       D) Review the acceptance test case documentation before the tests are carried out.
  9. Some sample questions (3)
     – An enterprise is evaluating the adoption of cloud computing and web virtualization instead of acquiring new IT infrastructure for a development environment. What is the IS auditor's GREATEST concern?
       A) Benchmarks with similar projects have not been considered.
       B) The security officer has not been consulted.
       C) The project's business case has not been established.
       D) The designed technical infrastructure does not consider hardware savings.
  10. Some sample questions (4)
     – Corporate IS policy for a call center requires that all users be assigned unique user accounts. On discovering that this is not the case for all current users, what is the MOST appropriate recommendation?
       A) Have the current configuration approved by operations management.
       B) Ensure that there is an audit trail for all existing accounts.
       C) Implement individual user accounts for all staff.
       D) Amend the IS policy to allow shared accounts.
  11. Some sample questions (5)
     – The MOST important point of consideration for an IS auditor while reviewing an enterprise's project portfolio is that it:
       A) Does not exceed the existing IT budget.
       B) Is aligned with the investment strategy.
       C) Has been approved by the steering committee.
       D) Is aligned with the business plan.
  12. Some sample questions (6)
     – An IS auditor observes that an enterprise has outsourced software development to a third party that is a startup company. To ensure that the enterprise's investment in software is protected, which of the following should be recommended by the IS auditor?
       A) Due diligence should be performed on the software vendor.
       B) A quarterly audit of the vendor facilities should be performed.
       C) There should be a source code escrow agreement in place.
       D) A high penalty clause should be included in the contract.
  13. Some sample questions (7)
     – An IS auditor is reviewing an enterprise's system development testing policy. Which of the following statements concerning the use of production data for testing would the IS auditor consider to be MOST appropriate?
       A) Senior IS and business management must approve use before production data can be utilized for testing.
       B) Production data can be used if they are copied to a secure testing environment.
       C) Production data can never be used. All test data must be developed and based on documented test cases.
       D) Production data can be used provided that confidentiality agreements are in place.
  14. Some sample questions (8)
     – An IS auditor finds out-of-range data in some tables of a database. Which of the following controls should the IS auditor recommend to avoid this situation?
       A) Log all table update statements.
       B) Implement integrity constraints in the database.
       C) Implement before and after image reporting.
       D) Use tracing and tagging.
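To make the controls in question (8) concrete, here is an added example (not part of the deck) using Python's built-in sqlite3 on a constructed accounts table: a CHECK constraint rejects out-of-range values before they are ever stored, whereas an update-log trigger only records changes after they have happened, so the two controls differ in kind (preventive versus detective).

```python
import sqlite3

# Constructed schema for this example: balances must stay within a fixed range.
SCHEMA = """
CREATE TABLE accounts (
    id      INTEGER PRIMARY KEY,
    balance INTEGER NOT NULL CHECK (balance BETWEEN 0 AND 1000000)
);
CREATE TABLE update_log (
    id          INTEGER PRIMARY KEY AUTOINCREMENT,
    acct_id     INTEGER,
    old_balance INTEGER,
    new_balance INTEGER
);
-- Detective control: record every successful update after it happens.
CREATE TRIGGER log_balance_update AFTER UPDATE ON accounts
BEGIN
    INSERT INTO update_log (acct_id, old_balance, new_balance)
    VALUES (OLD.id, OLD.balance, NEW.balance);
END;
"""


def run_scenario():
    """Return (rejected account ids, stored balances, update-log rows)."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    rejected = []
    # Constructed input: two rows are in range, two are out of range.
    for acct_id, balance in [(1, 500), (2, -10), (3, 2_000_000), (4, 0)]:
        try:
            con.execute("INSERT INTO accounts VALUES (?, ?)", (acct_id, balance))
        except sqlite3.IntegrityError:
            rejected.append(acct_id)  # preventive control: row never stored
    # A valid update succeeds and is logged by the trigger.
    con.execute("UPDATE accounts SET balance = 750 WHERE id = 1")
    # An out-of-range update fails the CHECK, so no row changes and nothing is logged.
    try:
        con.execute("UPDATE accounts SET balance = -1 WHERE id = 4")
    except sqlite3.IntegrityError:
        rejected.append(4)
    balances = dict(con.execute("SELECT id, balance FROM accounts ORDER BY id"))
    log_rows = con.execute(
        "SELECT acct_id, old_balance, new_balance FROM update_log"
    ).fetchall()
    con.close()
    return rejected, balances, log_rows


if __name__ == "__main__":
    print(run_scenario())
```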