A Standard for Auditing Computer Applications: An All-New Edition
(Publisher: CRC Press LLC)
Author(s): Marty Krist, CPA, CISA, CIA, Manager, Financial Systems, W. R. Grace & Co.
ISBN: 0849399831
Publication Date: / /
- Introduction
- Part I: Overview of Integrated Auditing
- AUTOMATED APPLICATION REVIEW OVERVIEW
- Section 1: What Integrated Application Systems Are
- PROPER OPERATION OF THE IT DEPARTMENT
- DEVELOPING AUTOMATED APPLICATIONS
- CRITICAL INFORMATION TECHNOLOGY CONTROLS
- Section 2: Reviewing Application Systems
- THE AUDIT STRUCTURE
- THE INTERNAL AUDITORS
- THE AUDIT MANUAL
- MANAGING THE INDIVIDUAL IT AUDIT
- IT AUDIT PROCEDURES
- APPLICATION DEVELOPMENT AND TESTING
- DOCUMENTING AND REPORTING AUDIT WORK
- EXTERNAL AUDITORS
- Section 3: Assessing IT Audit Capabilities
- WHO SHOULD PERFORM THE SELF-ASSESSMENT?
- CONDUCTING THE SELF-ASSESSMENT
- ANALYSIS AND REPORTING OF RESULTS
- Task 1: Post Self-Assessment Results to Analysis Worksheets
- Task 2: Perform Preliminary Analysis
- Task 3: Formulate Final Recommendations
- Part II: Developing the IT Audit Plan
- OVERVIEW OF COMPUTER APPLICATIONS AUDIT PLANNING STANDARDS AND PROCESSES
- Section 4: IT Audit Planning
- OVERVIEW OF STANDARDS FOR IT AUDIT PLANNING
- Section 5: Strategic IT Audit Planning
- THE ANNUAL IT AUDIT PLANNING PROCESS
- STEP 1: IDENTIFY ALL POTENTIAL REVIEWS
- STEP 2: EVALUATE AND PRIORITIZE POSSIBLE REVIEWS
- STEP 3: SETTING PRELIMINARY SCOPES
- STEP 4: SELECT AND SCHEDULE IT AUDITS
- STEP 5: MERGER AUDIT PLANS
- Section 6: Specific Audit Planning
- STEP 1: ASSIGN AN AUDITOR-IN-CHARGE
- STEP 2: PERFORM APPLICATION FACT-GATHERING
- STEP 3: ANALYZE APPLICATION AUDIT RISK
- Task 1: Document Audit Risks
- Task 2: Perform an Analysis of the Audit Risk
- Task 3: Define Specific Risk Concerns
- STEP 4: DEVELOP AND RANK MEASURABLE AUDIT OBJECTIVES
- Task 1: Define Audit Objectives
- Task 2: Define the Priority for Each Audit Objective
- STEP 5: DEVELOP ADMINISTRATIVE PLAN
- STEP 6: WRITE AUDIT PROGRAM
- Part III: Assessing General IT Controls
- Section 7: Information Systems Administration
- STRATEGIC PLANNING
- TACTICAL PLANNING
- INFORMATION TECHNOLOGY STANDARD SETTING
- CLASS CODE/INSTALLATION SIZE
- SPECIFIC SECURITY PROVISIONS
- Section 8: Physical Access Security
- THE DATA CENTER
- DOOR LOCKS
- WINDOWS
- DATA CENTER FLOOR
- ALARM SYSTEM
- FIRE SUPPRESSION SYSTEMS
- THE DETECTION OF AND RESPONSE TO UNAUTHORIZED ACTIVITY
- Section 9: Logical Access Security
- USER IDENTIFICATION
- END-USER LOG-IN CONSIDERATIONS
- Section 10: Systems Development Process
- GENERAL OBJECTIVES
- SPECIFIC OBJECTIVES
- Section 11: Backup and Recovery
- APPROACHES TO MAKING BACKUPS
- MEDIA UTILIZED TO MAKE BACKUPS
- RECOVERY ISSUES
- Section 12: Auditing the Mainframe
- PLANNING THE AUDIT
- Contacting the Auditee
- Preliminary Office Planning Before Fieldwork
- PERFORMING FIELDWORK PROCEDURES
- AUDITING SPECIFIC PROCEDURES BY AUDIT AREA
- IT Administration
- Physical Security
- Logical Security
- Change Management
- Backup, Recovery, and Contingency Planning
- AUDIT FINALIZATION
- I. Planning the audit
- II. Performing field procedures
- III. Specific procedures by audit area
- IV.
- V. Audit Finalization
- Section 13: Auditing the Midrange Computer
- PLANNING THE AUDIT
- PERFORMING FIELDWORK PROCEDURES
- AUDITING SPECIFIC PROCEDURES BY AUDIT AREA
- AUDIT FINALIZATION
- Section 14: Auditing the Network
- PLANNING THE AUDIT
- Contacting the Auditee
- Preliminary Office Planning Before Fieldwork
- PERFORMING FIELDWORK PROCEDURES
- AUDITING SPECIFIC PROCEDURES BY AUDIT AREA
- IT Administration
- Physical Security
- Logical Security
- Change Management
- Backup, Recovery, and Contingency Planning
- AUDIT FINALIZATION
- INTRODUCTION
- ASSUMPTIONS
- INSTRUCTIONS
- GENERAL INFORMATION ITEMS
- TABLE OF CONTENTS
- Part IV: Performing a Complete Evaluation
- Section 15: Performing a Basic Evaluation
- Section 16: Performing a Complete Evaluation
- GENERAL CONTROL OBJECTIVES
- PARTICIPANTS IN THE SYSTEMS DEVELOPMENT LIFE CYCLE
- Section 17: Initiation Phase Review
- OVERVIEW
- INITIATION PHASE DELIVERABLES
- AUDITING THE INITIATION PHASE
- SETTING THE SCOPE FOR THE SDLC AUDIT
- CUSTOMIZING THE AUDIT OBJECTIVES
- DETAILED AUDIT TESTING
- AUDIT RESULTS AND REPORTING
- Section 18: The Requirements Definition Phase Review
- OVERVIEW
- DELIVERABLES IN THE REQUIREMENTS DEFINITION PHASE
- THE INITIAL AUDIT EVALUATION
- ADJUSTING AUDIT OBJECTIVES
- DETAILED AUDIT TESTING
- AUDIT RESULTS AND REPORTING
- CONFIRMING THE AUDIT STRATEGY
- Section 19: Application Development Phase
- PROGRAMMING PHASE OVERVIEW
- PROGRAMMING PHASE DELIVERABLES
- THE INITIAL AUDIT ASSESSMENT
- CONDUCTING INTERVIEWS
- SETTING THE AUDIT OBJECTIVES
- DETAILED AUDIT TESTING
- THE AUDIT TEST
- AUDIT RESULTS AND REPORTING
- EVALUATING THE AUDIT STRATEGY
- Section 20: The Evaluation and Acceptance Phase
- OVERVIEW
- INITIAL ASSESSMENT OF THE ACCEPTANCE PHASE
- GATHERING AND VERIFYING INFORMATION ON THE PHASE STATUS
- SETTING OBJECTIVES FOR THE AUDIT
- EVALUATION AND ACCEPTANCE PHASE CONSIDERATIONS
- DETAILED AUDIT TESTING
- AUDIT RESULTS AND REPORTING
- EVALUATING AUDIT RESULTS AND PLANS
- Part V: Assessing Implemented Systems
- Section 21: Initial Review Procedures
- INITIAL REVIEW PROCEDURES
- REVIEW EXISTING AUDIT FILES
- THE PLANNING MEETING
- Section 22: Audit Evidence
- INITIAL WORKPAPERS
- Section 23: Identify Application Risks
- THE MEANING OF RISK
- STAND-ALONE RISK
- RELATIVE RISK
- ENSURING SUCCESS
- IDENTIFYING APPLICATION RISKS
- OVERCOMING OBSTACLES TO SUCCESS
- ASSIGNING MATERIALITY
- COMPUTING A RISK SCORE
- Section 24: Develop a Detailed Plan
- WRITING MEASURABLE AUDIT OBJECTIVES
- VERIFYING THE COMPLETENESS OF MEASURABLE AUDIT OBJECTIVES
- Section 25: Evaluate Internal Controls
- DOCUMENT SEGREGATION OF RESPONSIBILITIES
- CONDUCT AN INTERNAL CONTROL REVIEW
- DEVELOP INTERNAL CONTROL DIAGRAMS
- TEST INTERNAL CONTROLS
- EVALUATE INTERNAL CONTROL EFFECTIVENESS
- Section 26: Test Data Integrity
- CONDUCT A DATA FILE SURVEY
- CREATE DATA TEST PLAN
- DEVELOP TEST TOOLS
- VERIFY FILE INTEGRITY
- EVALUATE THE CORRECTNESS OF THE TEST PROCESS
- CONDUCT DATA TEST
- REVIEW DATA TEST RESULTS
- Section 27: Certify Computer Security
- CERTIFICATION TASKS
- Security Safeguard Evaluation Versus IT Audit
- Plan Security Tests
- COLLECT DATA
- CONDUCT BASIC EVALUATION
- CONDUCT DETAILED EVALUATION
- PREPARE REPORT OF RESULTS
- Section 28: Analyze Audit Results
- DOCUMENT FINDINGS
- ANALYZE FINDINGS
- DEVELOP RECOMMENDATIONS
- DOCUMENT RECOMMENDATIONS
- Section 29: Review and Report Audit Findings
- CREATE THE AUDIT REPORT
- REVIEW REPORT REASONABLENESS
- REVIEW READABILITY OF REPORT
- PREPARE AND DISTRIBUTE REPORT
- Section 30: Review Quality Control
- CONDUCT A QUALITY CONTROL REVIEW
- CONDUCT A QUALITY ASSURANCE REVIEW
- IMPROVE THE APPLICATION AUDIT PROCESS
- Section 31: Workflow Diagramming
- CREATING A WORKFLOW DIAGRAM
- RECOMMENDED PRACTICES FOR DEVELOPING WORKFLOW DIAGRAMS
- Appendix A