A Standard for Auditing Computer Applications: An All-New Edition
(Publisher: CRC Press LLC)
Author(s): Marty Krist, CPA, CISA, CIA, Manager, Financial Systems W. R. Grace & Co.
ISBN: 0849399831
Publication Date: / /

Introduction

Part I—Overview of Integrated Auditing
AUTOMATED APPLICATION REVIEW OVERVIEW
Section 1—What Integrated Application Systems Are
PROPER OPERATION OF THE IT DEPARTMENT
DEVELOPING AUTOMATED APPLICATIONS
CRITICAL INFORMATION TECHNOLOGY CONTROLS
Section 2—Reviewing Application Systems
THE AUDIT STRUCTURE
THE INTERNAL AUDITORS
THE AUDIT MANUAL
MANAGING THE INDIVIDUAL IT AUDIT
IT AUDIT PROCEDURES
APPLICATION DEVELOPMENT AND TESTING
DOCUMENTING AND REPORTING AUDIT WORK
EXTERNAL AUDITORS
Section 3—Assessing IT Audit Capabilities
WHO SHOULD PERFORM THE SELF-ASSESSMENT?
CONDUCTING THE SELF-ASSESSMENT
ANALYSIS AND REPORTING OF RESULTS
Task 1: Post Self-Assessment Results to Analysis Worksheets
Task 2: Perform Preliminary Analysis
Task 3: Formulate Final Recommendations

Part II—Developing the IT Audit Plan
OVERVIEW OF COMPUTER APPLICATIONS AUDIT PLANNING STANDARDS AND PROCESSES
Section 4—IT Audit Planning
OVERVIEW OF STANDARDS FOR IT AUDIT PLANNING
Section 5—Strategic IT Audit Planning
THE ANNUAL IT AUDIT PLANNING PROCESS
STEP 1: IDENTIFY ALL POTENTIAL REVIEWS
STEP 2: EVALUATE AND PRIORITIZE POSSIBLE REVIEWS
STEP 3: SETTING PRELIMINARY SCOPES
STEP 4: SELECT AND SCHEDULE IT AUDITS
STEP 5: MERGE AUDIT PLANS
Section 6—Specific Audit Planning
STEP 1: ASSIGN AN AUDITOR-IN-CHARGE
STEP 2: PERFORM APPLICATION FACT-GATHERING
STEP 3: ANALYZE APPLICATION AUDIT RISK
Task 1: Document Audit Risks
Task 2: Perform an Analysis of the Audit Risk
Task 3: Define Specific Risk Concerns
STEP 4: DEVELOP AND RANK MEASURABLE AUDIT OBJECTIVES
Task 1: Define Audit Objectives
Task 2: Define the Priority for Each Audit Objective
STEP 5: DEVELOP ADMINISTRATIVE PLAN
STEP 6: WRITE AUDIT PROGRAM

Part III—Assessing General IT Controls
Section 7—Information Systems Administration
STRATEGIC PLANNING
TACTICAL PLANNING
INFORMATION TECHNOLOGY STANDARD SETTING
CLASS CODE/INSTALLATION SIZE
SPECIFIC SECURITY PROVISIONS
Section 8—Physical Access Security
THE DATA CENTER
DOOR LOCKS
WINDOWS
DATA CENTER FLOOR
ALARM SYSTEM
FIRE SUPPRESSION SYSTEMS
THE DETECTION OF AND RESPONSE TO UNAUTHORIZED ACTIVITY
Section 9—Logical Access Security
USER IDENTIFICATION
END-USER LOG-IN CONSIDERATIONS
Section 10—Systems Development Process
GENERAL OBJECTIVES
SPECIFIC OBJECTIVES
Section 11—Backup and Recovery
APPROACHES TO MAKING BACKUPS
MEDIA UTILIZED TO MAKE BACKUPS
RECOVERY ISSUES
Section 12—Auditing the Mainframe
PLANNING THE AUDIT
Contacting the Auditee
Preliminary Office Planning Before Fieldwork
PERFORMING FIELDWORK PROCEDURES
AUDITING SPECIFIC PROCEDURES BY AUDIT AREA
IT Administration
Physical Security
Logical Security
Change Management
Backup, Recovery, and Contingency Planning
AUDIT FINALIZATION
I. Planning the audit
II. Performing field procedures
III. Specific procedures by audit area
IV.
V. Audit Finalization
Section 13—Auditing the Midrange Computer
PLANNING THE AUDIT
PERFORMING FIELDWORK PROCEDURES
AUDITING SPECIFIC PROCEDURES BY AUDIT AREA
AUDIT FINALIZATION
Section 14—Auditing the Network
PLANNING THE AUDIT
Contacting the Auditee
Preliminary Office Planning Before Fieldwork
PERFORMING FIELDWORK PROCEDURES
AUDITING SPECIFIC PROCEDURES BY AUDIT AREA
IT Administration
Physical Security
Logical Security
Change Management
Backup, Recovery, and Contingency Planning
AUDIT FINALIZATION
INTRODUCTION
ASSUMPTIONS
INSTRUCTIONS
GENERAL INFORMATION ITEMS
TABLE OF CONTENTS

Part IV—Performing a Complete Evaluation
Section 15—Performing a Basic Evaluation
Section 16—Performing a Complete Evaluation
GENERAL CONTROL OBJECTIVES
PARTICIPANTS IN THE SYSTEMS DEVELOPMENT LIFE CYCLE
Section 17—Initiation Phase Review
OVERVIEW
INITIATION PHASE DELIVERABLES
AUDITING THE INITIATION PHASE
SETTING THE SCOPE FOR THE SDLC AUDIT
CUSTOMIZING THE AUDIT OBJECTIVES
DETAILED AUDIT TESTING
AUDIT RESULTS AND REPORTING
Section 18—The Requirements Definition Phase Review
OVERVIEW
DELIVERABLES IN THE REQUIREMENTS DEFINITION PHASE
THE INITIAL AUDIT EVALUATION
ADJUSTING AUDIT OBJECTIVES
DETAILED AUDIT TESTING
AUDIT RESULTS AND REPORTING
CONFIRMING THE AUDIT STRATEGY
Section 19—Application Development Phase
PROGRAMMING PHASE OVERVIEW
PROGRAMMING PHASE DELIVERABLES
THE INITIAL AUDIT ASSESSMENT
CONDUCTING INTERVIEWS
SETTING THE AUDIT OBJECTIVES
DETAILED AUDIT TESTING
THE AUDIT TEST
AUDIT RESULTS AND REPORTING
EVALUATING THE AUDIT STRATEGY
Section 20—The Evaluation and Acceptance Phase
OVERVIEW
INITIAL ASSESSMENT OF THE ACCEPTANCE PHASE
GATHERING AND VERIFYING INFORMATION ON THE PHASE STATUS
SETTING OBJECTIVES FOR THE AUDIT
EVALUATION AND ACCEPTANCE PHASE CONSIDERATIONS
DETAILED AUDIT TESTING
AUDIT RESULTS AND REPORTING
EVALUATING AUDIT RESULTS AND PLANS

Part V—Assessing Implemented Systems
Section 21—Initial Review Procedures
INITIAL REVIEW PROCEDURES
REVIEW EXISTING AUDIT FILES
THE PLANNING MEETING
Section 22—Audit Evidence
INITIAL WORKPAPERS
Section 23—Identify Application Risks
THE MEANING OF RISK
STAND-ALONE RISK
RELATIVE RISK
ENSURING SUCCESS
IDENTIFYING APPLICATION RISKS
OVERCOMING OBSTACLES TO SUCCESS
ASSIGNING MATERIALITY
COMPUTING A RISK SCORE
Section 24—Develop a Detailed Plan
WRITING MEASURABLE AUDIT OBJECTIVES
VERIFYING THE COMPLETENESS OF MEASURABLE AUDIT OBJECTIVES
Section 25—Evaluate Internal Controls
DOCUMENT SEGREGATION OF RESPONSIBILITIES
CONDUCT AN INTERNAL CONTROL REVIEW
DEVELOP INTERNAL CONTROL DIAGRAMS
TEST INTERNAL CONTROLS
EVALUATE INTERNAL CONTROL EFFECTIVENESS
Section 26—Test Data Integrity
CONDUCT A DATA FILE SURVEY
CREATE DATA TEST PLAN
DEVELOP TEST TOOLS
VERIFY FILE INTEGRITY
EVALUATE THE CORRECTNESS OF THE TEST PROCESS
CONDUCT DATA TEST
REVIEW DATA TEST RESULTS
Section 27—Certify Computer Security
CERTIFICATION TASKS
Security Safeguard Evaluation Versus IT Audit
Plan Security Tests
COLLECT DATA
CONDUCT BASIC EVALUATION
CONDUCT DETAILED EVALUATION
PREPARE REPORT OF RESULTS
Section 28—Analyze Audit Results
DOCUMENT FINDINGS
ANALYZE FINDINGS
DEVELOP RECOMMENDATIONS
DOCUMENT RECOMMENDATIONS
Section 29—Review and Report Audit Findings
CREATE THE AUDIT REPORT
REVIEW REPORT REASONABLENESS
REVIEW READABILITY OF REPORT
PREPARE AND DISTRIBUTE REPORT
Section 30—Review Quality Control
CONDUCT A QUALITY CONTROL REVIEW
CONDUCT A QUALITY ASSURANCE REVIEW
IMPROVE THE APPLICATION AUDIT PROCESS
Section 31—Workflow Diagramming
CREATING A WORKFLOW DIAGRAM
RECOMMENDED PRACTICES FOR DEVELOPING WORKFLOW DIAGRAMS
Appendix A