The Basics of IT Audit: Purposes, Processes, and Practical Information
3.5/5
()
About this ebook
The Basics of IT Audit: Purposes, Processes, and Practical Information provides you with a thorough, yet concise overview of IT auditing. Packed with specific examples, this book gives insight into the auditing process and explains regulations and standards such as the ISO-27000, series program, CoBIT, ITIL, Sarbanes-Oxley, and HIPPA.
IT auditing occurs in some form in virtually every organization, private or public, large or small. The large number and wide variety of laws, regulations, policies, and industry standards that call for IT auditing make it hard for organizations to consistently and effectively prepare for, conduct, and respond to the results of audits, or to comply with audit requirements.
This guide provides you with all the necessary information if you're preparing for an IT audit, participating in an IT audit or responding to an IT audit.
- Provides a concise treatment of IT auditing, allowing you to prepare for, participate in, and respond to the results
- Discusses the pros and cons of doing internal and external IT audits, including the benefits and potential drawbacks of each
- Covers the basics of complex regulations and standards, such as Sarbanes-Oxley, SEC (public companies), HIPAA, and FFIEC
- Includes most methods and frameworks, including GAAS, COSO, COBIT, ITIL, ISO (27000), and FISCAM
Stephen D. Gantz
Stephen Gantz (CISSP-ISSAP, CEH, CGEIT, CRISC, CIPP/G, C|CISO) is an information security and IT consultant with over 20 years of experience in security and privacy management, enterprise architecture, systems development and integration, and strategic planning. He currently holds an executive position with a health information technology services firm primarily serving federal and state government customers. He is also an Associate Professor of Information Assurance in the Graduate School at University of Maryland University College. He maintains a security-focused website and blog at http://www.securityarchitecture.com. Steve’s security and privacy expertise spans program management, security architecture, policy development and enforcement, risk assessment, and regulatory compliance with major legislation such as FISMA, HIPAA, and the Privacy Act. His industry experience includes health, financial services, higher education, consumer products, and manufacturing, but since 2000 his work has focused on security and other information resources management functions in federal government agencies. His prior work history includes completing projects for government clients including the Departments of Defense, Labor, and Health and Human Services, Office of Management and Budget, Federal Deposit Insurance Corporation, U.S. Postal Service, and U.S. Senate. Steve holds a master’s degree in public policy from the Kennedy School of Government at Harvard University, and also earned his bachelor’s degree from Harvard. He is nearing completion of the Doctor of Management program at UMUC, where his dissertation focuses on trust and distrust in networks and inter-organizational relationships. Steve currently resides in Arlington, Virginia with his wife Reneé and children Henry, Claire, and Gillian.
Related to The Basics of IT Audit
Related ebooks
CISA Certified Information Systems Auditor All-in-One Exam Guide, Third Edition Rating: 5 out of 5 stars5/5CISA Certified Information Systems Auditor Study Guide Rating: 5 out of 5 stars5/5IS Auditor - Process of Auditing: Information Systems Auditor, #1 Rating: 0 out of 5 stars0 ratingsInformation Security Risk Assessment Toolkit: Practical Assessments through Data Collection and Data Analysis Rating: 0 out of 5 stars0 ratingsSecurity Risk Management: Building an Information Security Risk Management Program from the Ground Up Rating: 4 out of 5 stars4/5Governance and Internal Controls for Cutting Edge IT Rating: 0 out of 5 stars0 ratingsFISMA and the Risk Management Framework: The New Practice of Federal Cyber Security Rating: 0 out of 5 stars0 ratingsRisk Management Framework: A Lab-Based Approach to Securing Information Systems Rating: 2 out of 5 stars2/5Information Risk Management: A practitioner's guide Rating: 5 out of 5 stars5/5Governance of IT: An executive guide to ISO/IEC 38500 Rating: 0 out of 5 stars0 ratingsInformation Security Governance: A Practical Development and Implementation Approach Rating: 0 out of 5 stars0 ratingsInformation Security Management Principles Rating: 3 out of 5 stars3/5Building an Effective Cybersecurity Program, 2nd Edition Rating: 0 out of 5 stars0 ratingsInformation Security Auditor: Careers in information security Rating: 0 out of 5 stars0 ratingsBuilding a Practical Information Security Program Rating: 5 out of 5 stars5/5The Psychology of Information Security: Resolving conflicts between security compliance and human behaviour Rating: 5 out of 5 stars5/5Information Protection Playbook Rating: 0 out of 5 stars0 ratingsFundamentals of Information Security Risk Management Auditing: An introduction for managers and auditors Rating: 5 out of 5 stars5/5Auditing Information Systems: Enhancing Performance of the Enterprise Rating: 0 out of 5 stars0 ratingsGovernance of Enterprise IT based on COBIT 5: A Management Guide Rating: 5 out of 5 stars5/5Risk-Based Internal Audit Rating: 5 out of 5 stars5/5IT Audit A Complete Guide - 2019 Edition Rating: 0 out of 5 stars0 ratingsInformation Systems Auditing: The IS Audit Follow-up Process Rating: 2 out of 5 stars2/5The Complete Guide To Sarbanes-Oxley: Understanding How Sarbanes-Oxley Affects Your Business Rating: 0 out of 5 stars0 ratingsCISA A Complete Guide - 2020 Edition Rating: 0 out of 5 stars0 ratingsIT Audit A Complete Guide - 2020 Edition Rating: 0 out of 5 stars0 ratingsInformation Security Risk Management for ISO27001/ISO27002 Rating: 4 out of 5 stars4/5Auditor's Guide to IT Auditing Rating: 5 out of 5 stars5/5IT Risk Management Complete Self-Assessment Guide Rating: 0 out of 5 stars0 ratingsCOBIT 5 A Complete Guide - 2020 Edition Rating: 0 out of 5 stars0 ratings
Security For You
Cybersecurity For Dummies Rating: 4 out of 5 stars4/5Codes and Ciphers - A History of Cryptography Rating: 4 out of 5 stars4/5Practical Lock Picking: A Physical Penetration Tester's Training Guide Rating: 5 out of 5 stars5/5Hacking For Dummies Rating: 4 out of 5 stars4/5IAPP CIPP / US Certified Information Privacy Professional Study Guide Rating: 0 out of 5 stars0 ratingsCompTIA Network+ Review Guide: Exam N10-008 Rating: 0 out of 5 stars0 ratings(ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide Rating: 3 out of 5 stars3/5CompTIA Security+ Study Guide: Exam SY0-601 Rating: 5 out of 5 stars5/5CompTIA Network+ Practice Tests: Exam N10-008 Rating: 0 out of 5 stars0 ratingsRemote/WebCam Notarization : Basic Understanding Rating: 3 out of 5 stars3/5Make Your Smartphone 007 Smart Rating: 4 out of 5 stars4/5Tor and the Dark Art of Anonymity Rating: 5 out of 5 stars5/5Hacking : The Ultimate Comprehensive Step-By-Step Guide to the Basics of Ethical Hacking Rating: 5 out of 5 stars5/5Cybersecurity: The Beginner's Guide: A comprehensive guide to getting started in cybersecurity Rating: 5 out of 5 stars5/5Network+ Study Guide & Practice Exams Rating: 4 out of 5 stars4/5Wireless Hacking 101 Rating: 4 out of 5 stars4/5How to Hack Like a Pornstar Rating: 5 out of 5 stars5/5Hacking : Guide to Computer Hacking and Penetration Testing Rating: 5 out of 5 stars5/5The Art of Intrusion: The Real Stories Behind the Exploits of Hackers, Intruders and Deceivers Rating: 4 out of 5 stars4/5Hacking Essentials - The Beginner's Guide To Ethical Hacking And Penetration Testing Rating: 3 out of 5 stars3/5CompTIA Network+ Certification Study Guide: Exam N10-004: Exam N10-004 2E Rating: 4 out of 5 stars4/5How to Measure Anything in Cybersecurity Risk Rating: 4 out of 5 stars4/5How to Be Invisible: Protect Your Home, Your Children, Your Assets, and Your Life Rating: 4 out of 5 stars4/5Social Engineering: The Science of Human Hacking Rating: 3 out of 5 stars3/5How to Become Anonymous, Secure and Free Online Rating: 5 out of 5 stars5/5Mike Meyers CompTIA Security+ Certification Passport, Sixth Edition (Exam SY0-601) Rating: 5 out of 5 stars5/5
Reviews for The Basics of IT Audit
2 ratings0 reviews
Book preview
The Basics of IT Audit - Stephen D. Gantz
1
IT Audit Fundamentals
This chapter gives a broad overview of IT auditing, explaining what auditing is, why auditing is performed, the subjects of audits, and who conducts audits, and defining key terms and concepts referenced throughout the book. It seeks to answer the basic questions someone new to IT auditing would ask—the who, what, when, where, and why—and subsequently sets up more detailed chapters that go into more depth as to how auditing is done. This chapter distinguishes between internal and external auditing in terms of the purposes, rationale, and requirements for each and carries this distinction through to the types of organizations and auditors involved. It also describes the various career paths and professional development activities associated with developing IT auditors.
Key Words
IT audit; auditors; information assurance; governance
Information in this chapter
• What is Auditing?
• Why Audit?
• Who Gets Audited?
• Who Does Auditing?
Dependence on information technology (IT) is a characteristic common to virtually all modern organizations. Organizations rely on information and the processes and enabling technology needed to use and effectively manage information. This reliance characterizes public and private sector organizations, regardless of mission, industry, geographic location, or organization type. IT is critical to organizational success, operating efficiency, competitiveness, and even survival, making imperative the need for organizations to ensure the correct and effective use of IT. In this context, it is important that resources are efficiently allocated, that IT functions at a sufficient level of performance and quality to effectively support the business, and that information assets are adequately secured consistent with the risk tolerance of the organization. Such assets must also be governed effectively, meaning that they operate as intended, work correctly, and function in a way that complies with applicable regulations and standards. IT auditing can help organizations achieve all of these objectives.
Auditing IT differs in significant ways from auditing financial records, general operations, or business processes. Each of these auditing disciplines, however, shares a common foundation of auditing principles, standards of practice, and high-level processes and activities. IT auditing is also a component of other major types of auditing, as illustrated conceptually in Figure 1.1. To the extent that financial and accounting practices in audited organizations use IT, financial audits must address technology-based controls and their contribution to effectively supporting internal financial controls. Operational audits examine the effectiveness of one or more business processes or organizational functions and the efficient use of resources in support of organizational goals and objectives. Information systems and other technology represent key resources often included in the scope of operational audits. Quality audits apply to many aspects of organizations, including business processes or other operational focus areas, IT management, and information security programs and practices. A common set of auditing standards, principles, and practices informs these types of auditing, centered as they are on an organization’s internal controls. IT auditing, however, exhibits a greater breadth and variety than financial, operational, or quality auditing alone in the sense that it not only represents an element of other major types of audits but also comprises many different approaches, subject matter areas, and perspectives corresponding to the nature of an organization’s IT environment, governance model, and audit