| Section | Page | Length (pages) |
|---|---|---|
| ABOUT THE AUTHORS | xxix | |
| FOREWORD AND ACKNOWLEDGMENT | xxxiii | |
| PART I A FOUNDATION FOR IT AUDIT AND CONTROL | 1 | 114 |
| Chapter 1 Information Technology Environment: Why Are Controls and Audit Important? | 3 | 26 |
| | 5 | 2 |
| Information Integrity, Reliability, and Validity: Their Importance in Today's Global Business Environment | 7 | 2 |
| Legal Issues Impacting IT | 9 | 1 |
| Federal Financial Integrity Legislation | 10 | 1 |
| Federal Security Legislation | 11 | 3 |
| The Computer Fraud and Abuse Act (CFAA) | 11 | 1 |
| The Computer Security Act of 1987 | 12 | 1 |
| The Homeland Security Act of 2002 (Inclusion of the Cyber Security Enhancement Act) | 13 | 1 |
| Privacy on the Information Superhighway | 14 | 1 |
| Private Information Available for the Taking | 14 | 1 |
| Privacy Legislation and the Federal Government Privacy Act | 15 | 3 |
| Electronic Communications Privacy Act | 16 | 1 |
| Communications Decency Act of 1995 | 17 | 1 |
| Health Insurance Portability and Accountability Act - 1996 | 18 | 1 |
| Current Legislative Activities: Security, Privacy, and Audit | 18 | 2 |
| Control and Audit: A Global Concern | 20 | 1 |
| E-Commerce and Electronic Funds Transfer | 21 | 1 |
| Future of Electronic Payment Systems | 21 | 1 |
| | 22 | 1 |
| | 23 | 3 |
| | 23 | 3 |
| | 26 | 1 |
| Answers to Multiple Choice Questions | 26 | 1 |
| | 26 | 3 |
| Chapter 2 Audit and Review: Its Role in Information Technology | 29 | 30 |
| The Need for the IT Audit Function | 30 | 1 |
| | 31 | 1 |
| The Reviewers of Information System Policies, Procedures, Standards, and Their Applications | 32 | 1 |
| What Are the Policies and Procedures of Management? | 32 | 1 |
| Auditors Have Standards of Practice | 33 | 1 |
| Auditors Must Have Independence | 34 | 1 |
| The Practice of Continuous Reassessment | 35 | 1 |
| | 36 | 1 |
| The Auditor: Knowledge, Skills, and Abilities | 37 | 1 |
| | 38 | 3 |
| | 41 | 1 |
| | 42 | 1 |
| | 42 | 1 |
| The Role of the IT Auditor | 43 | 1 |
| The IT Auditor as Counselor | 44 | 1 |
| The IT Auditor as Partner of Senior Management | 45 | 1 |
| Types of Auditors and Their Duties, Functions, and Responsibilities | 45 | 2 |
| The Internal Audit Function | 46 | 1 |
| | 46 | 1 |
| | 47 | 1 |
| Management Responsibilities Today | 48 | 1 |
| | 48 | 3 |
| Three Perspectives on Risk | 49 | 2 |
| | 49 | 1 |
| | 50 | 1 |
| Application of Risk Assessment | 51 | 1 |
| Participation in Corporate IT Audit Planning | 51 | 1 |
| The Organization's Responsibility in Developing IT Audit Skills | 52 | 1 |
| | 53 | 1 |
| | 54 | 3 |
| | 54 | 2 |
| | 56 | 1 |
| Answers to Multiple Choice Questions | 56 | 6 |
| | 56 | 1 |
| | 57 | 2 |
| Chapter 3 The Audit Process in an Information Technology Environment | 59 | 34 |
| | 59 | 1 |
| | 60 | 1 |
| The Situation and the Problem - from EFCA to Enron | 61 | 1 |
| | 62 | 2 |
| | 63 | 1 |
| | 63 | 1 |
| The Importance of Audit Independence | 64 | 1 |
| Past and Current Accounting and Auditing Pronouncements | 65 | 1 |
| AICPA Pronouncements - from the Beginning to Now | 65 | 2 |
| | 67 | 2 |
| | 69 | 1 |
| Generally Accepted Accounting Principles (GAAP) | 69 | 1 |
| Generally Accepted Auditing Standards (GAAS) | 69 | 1 |
| | 69 | 1 |
| | 70 | 1 |
| | 70 | 1 |
| | 70 | 1 |
| Using the Plan to Identify Problems | 71 | 1 |
| | 72 | 1 |
| | 72 | 1 |
| | 73 | 1 |
| Identifying Financial Application Areas | 74 | 1 |
| | 74 | 1 |
| Field Work and Implementing Audit Methodology | 74 | 1 |
| Audit Tools and Techniques | 75 | 1 |
| Flowcharting as an Analysis Tool | 76 | 6 |
| Understanding How Computers Process Data | 77 | 1 |
| Identifying Documents and Their Flow through the System | 78 | 2 |
| | 80 | 1 |
| Developing Audit Data Flow Diagrams | 80 | 1 |
| Evaluating the Quality of System Documentation | 80 | 1 |
| Assessing Controls over Documents | 81 | 1 |
| Determining the Effectiveness of Processing under Computer Programs | 81 | 1 |
| Evaluating the Usefulness of Reports | 81 | 1 |
| Appropriateness of Flowcharting Techniques | 82 | 1 |
| Validation of Work Performed | 83 | 1 |
| Using Personal Computing Technology | 84 | 1 |
| The Audit Report and Follow-Up | 85 | 2 |
| | 87 | 1 |
| | 87 | 1 |
| | 88 | 4 |
| | 89 | 1 |
| | 90 | 1 |
| | 91 | 1 |
| | 92 | 1 |
| Chapter 4 Auditing Information Technology Using Computer-Assisted Audit Tools and Techniques | 93 | 22 |
| Auditor Productivity Tools | 94 | 3 |
| Audit Planning and Tracking | 95 | 1 |
| Documentation and Presentations | 95 | 1 |
| | 95 | 1 |
| | 96 | 1 |
| | 96 | 1 |
| | 97 | 1 |
| Using CAATs in the Audit Process | 97 | 2 |
| Technical Skills and Tools | 99 | 10 |
| Generalized Audit Software | 99 | 1 |
| | 99 | 1 |
| Designing Tests of Controls | 99 | 1 |
| | 100 | 1 |
| | 100 | 1 |
| | 100 | 1 |
| | 101 | 2 |
| | 101 | 1 |
| | 102 | 1 |
| | 103 | 4 |
| | 103 | 1 |
| | 103 | 2 |
| | 105 | 1 |
| | 106 | 1 |
| | 107 | 4 |
| Random Attribute Sampling | 107 | 1 |
| Variable Sampling Techniques | 108 | 1 |
| Computer Forensics: Methods and Techniques | 109 | 2 |
| | 111 | 1 |
| | 111 | 3 |
| | 112 | 1 |
| | 113 | 1 |
| Answers to Multiple Choice Questions | 114 | 1 |
| | 114 | 1 |
| PART II AUDITING IT PLANNING AND ORGANIZATION | 115 | 96 |
| Chapter 5 IT Strategy and Standards | 121 | 20 |
| Architecture and Standards | 123 | 2 |
| | 124 | 1 |
| | 124 | 1 |
| An Example of Standards: Technology Risk Management Regulations | 125 | 2 |
| Where Does Technology Risk Management Belong? | 127 | 2 |
| The Strategy: An Effective Technology Risk Management Program | 129 | 7 |
| Example: Importance of Business Strategy in Customer Relationship Management | 131 | 1 |
| | 132 | 1 |
| | 133 | 1 |
| Barriers to User Adoption | 134 | 2 |
| | 136 | 1 |
| | 136 | 2 |
| Multiple Choice Questions | 136 | 2 |
| | 138 | 1 |
| | 138 | 1 |
| | 138 | 3 |
| Chapter 6 Planning and Controlling | 141 | 20 |
| | 141 | 1 |
| | 141 | 2 |
| | 143 | 1 |
| | 143 | 1 |
| Procurement and Vendor Management | 143 | 1 |
| Strategic Sourcing and Vendor Management | 144 | 1 |
| Resource Management and Service Management | 144 | 3 |
| Financial Management and Budgeting | 147 | 1 |
| | 147 | 1 |
| | 147 | 1 |
| | 147 | 1 |
| | 147 | 1 |
| | 148 | 1 |
| The Importance of Project Planning and Control in the Systems Development Life Cycle (SDLC) | 148 | 3 |
| Project Planning and Control: E-Commerce Security as a Strategic and Structural Problem | 151 | 1 |
| Information Security Management Systems (ISMS) | 152 | 1 |
| The Planning and Control Approach to E-Commerce Security Management | 152 | 3 |
| | 152 | 1 |
| | 153 | 1 |
| | 153 | 1 |
| | 154 | 1 |
| | 154 | 1 |
| | 155 | 2 |
| Audit Involvement in Planning and Analysis | 155 | 1 |
| | 156 | 1 |
| | 156 | 1 |
| | 157 | 2 |
| Multiple Choice Questions | 157 | 2 |
| | 159 | 1 |
| Answers to Multiple Choice Questions | 159 | 1 |
| | 159 | 2 |
| Chapter 7 Project Management | 161 | 22 |
| Project Management Process | 161 | 2 |
| Project Management Body of Knowledge (PMBOK) | 163 | 8 |
| Project Management Framework | 163 | 1 |
| | 164 | 1 |
| | 165 | 1 |
| Program Management versus Project Management | 165 | 1 |
| | 165 | 1 |
| Project Tracking and Oversight | 165 | 1 |
| | 166 | 5 |
| The Auditor's Role in the Project Management Process | 171 | 1 |
| | 171 | 4 |
| | 173 | 1 |
| Project Management Process Review | 173 | 1 |
| | 174 | 1 |
| | 174 | 1 |
| | 175 | 1 |
| Example of Project Management Checkpoints and Tools in a Telecom Project | 175 | 4 |
| Combating User Resistance to Telecommunications Project Implementation: Involve the User | 176 | 1 |
| Project Management Tools: Project Management Software | 176 | 3 |
| | 179 | 1 |
| | 180 | 2 |
| Multiple Choice Questions | 180 | 1 |
| | 181 | 1 |
| Answers to Multiple Choice Questions | 181 | 1 |
| | 182 | 1 |
| Chapter 8 Quality Management | 183 | 28 |
| Software Development Standards | 183 | 6 |
| Capability Maturity Model (CMM) | 184 | 5 |
| How Maturity Correlates to Quality | 189 | 1 |
| | 189 | 1 |
| Approaches to Software Development | 190 | 5 |
| Software Development Process | 191 | 1 |
| Software Development Phases | 191 | 10 |
| | 192 | 1 |
| | 193 | 1 |
| | 193 | 1 |
| | 193 | 1 |
| | 193 | 1 |
| | 194 | 1 |
| Traditional Information Software Development | 195 | 1 |
| Prototypes and Rapid Application Development (RAD) | 196 | 1 |
| End-User Development (EUD) | 197 | 1 |
| The Auditor's Role in the Development Process | 198 | 2 |
| | 200 | 1 |
| | 201 | 1 |
| Software Development Controls Review | 201 | 1 |
| Software Development Life Cycle | 201 | 3 |
| | 202 | 1 |
| | 202 | 1 |
| | 203 | 1 |
| | 203 | 1 |
| | 204 | 1 |
| | 204 | 1 |
| | 204 | 1 |
| | 204 | 1 |
| | 204 | 1 |
| Auditing Quality Assurance | 205 | 1 |
| | 205 | 1 |
| | 205 | 2 |
| | 207 | 1 |
| | 207 | 1 |
| | 208 | 2 |
| Multiple Choice Questions | 208 | 1 |
| | 209 | 1 |
| Answers to Multiple Choice Questions | 210 | 1 |
| | 210 | 1 |
| PART III AUDITING IT ACQUISITION AND IMPLEMENTATION | 211 | 94 |
| Chapter 9 Software Acquisition | 215 | 22 |
| Software Acquisition Process | 215 | 10 |
| Defining the Information and System Requirements | 215 | 2 |
| Prototypes and Rapid Application Development (RAD) | 216 | 1 |
| The Requirements Document | 216 | 1 |
| Identifying Various Alternatives | 217 | 2 |
| | 217 | 1 |
| | 218 | 1 |
| | 218 | 1 |
| Outsourcing a System from Another Organization | 218 | 1 |
| Performing a Feasibility Analysis | 219 | 1 |
| Conducting a Risk Analysis | 220 | 1 |
| Defining Ergonomic Requirements | 220 | 1 |
| Carrying Out the Selection Process | 220 | 3 |
| Request for Information (RFI) | 221 | 1 |
| | 221 | 1 |
| Request for Proposal (RFP) | 221 | 1 |
| | 222 | 1 |
| Procuring the Selected Software | 223 | 1 |
| Other Considerations for Software Contracts and Licenses | 224 | 1 |
| Completing Final Acceptance | 225 | 1 |
| Reviewing Software Acquisitions | 225 | 6 |
| Alignment with the Company's Business and IT Strategy | 226 | 1 |
| Definition of the Information Requirements | 226 | 1 |
| | 226 | 1 |
| Feasibility Studies (Cost, Benefits, Etc.) | 227 | 1 |
| Identification of Functionality, Operational, Acceptance, and Maintenance Requirements | 228 | 1 |
| Conformity with Existing Information and System Architectures | 228 | 1 |
| Adherence to Security and Control Requirements | 229 | 1 |
| Knowledge of Available Solutions | 229 | 1 |
| Understanding of the Related Acquisition and Implementation Methodologies | 229 | 1 |
| Involvement and Buy-In from the User | 230 | 1 |
| Supplier Requirements and Viability | 230 | 1 |
| Other Resources for Help and Assistance | 231 | 1 |
| | 232 | 1 |
| | 232 | 3 |
| | 233 | 2 |
| | 235 | 1 |
| Answers to Multiple Choice Questions | 235 | 1 |
| | 235 | 2 |
| Chapter 10 System Implementation | 237 | 20 |
| The System Implementation Process | 237 | 1 |
| | 238 | 3 |
| | 238 | 1 |
| User Processes and Procedures | 239 | 1 |
| Management Reports and Controls | 240 | 1 |
| Problem Management/Reporting | 240 | 1 |
| | 240 | 1 |
| | 241 | 1 |
| | 241 | 1 |
| | 241 | 1 |
| Help Desk and Production Support Training and Readiness | 241 | 4 |
| Data Conversion and Data Correction Processes | 242 | 1 |
| Operational Procedures and Readiness | 243 | 1 |
| IT Disaster/Continuity Plans | 244 | 1 |
| | 244 | 1 |
| Case Example: GMA Business Overview and Profile | 245 | 5 |
| | 246 | 1 |
| Major E-Commerce Security Implementation Issues at GMA | 247 | 4 |
| | 247 | 2 |
| Implementing Risk Analysis and Controls at GMA | 249 | 1 |
| | 250 | 1 |
| | 251 | 1 |
| | 251 | 3 |
| | 252 | 2 |
| | 254 | 1 |
| Answers to Multiple Choice Questions | 254 | 1 |
| | 254 | 3 |
| Chapter 11 Application Risks and Controls | 257 | 28 |
| | 257 | 5 |
| | 258 | 1 |
| Unauthorized Access or Changes to Data or Programs | 258 | 1 |
| Unauthorized Remote Access | 259 | 1 |
| | 259 | 1 |
| Erroneous or Falsified Data Input | 259 | 1 |
| Misuse by Authorized End Users | 259 | 1 |
| | 260 | 1 |
| Duplicate Transaction Processing | 260 | 1 |
| | 260 | 1 |
| Communications System Failure | 260 | 1 |
| | 260 | 1 |
| | 260 | 1 |
| | 261 | 1 |
| Insufficient Documentation | 262 | 1 |
| End-User Computing (EUC) Application Risks | 262 | 6 |
| Inefficient Use of Resources | 264 | 1 |
| | 264 | 1 |
| | 264 | 1 |
| Ineffective Implementations | 265 | 1 |
| Absence of Segregation of Duties | 265 | 1 |
| Incomplete System Analysis | 265 | 1 |
| Unauthorized Access to Data or Programs | 265 | 1 |
| | 266 | 1 |
| The Destruction of Information by Computer Viruses | 267 | 1 |
| Electronic Data Interchange (EDI) Application Risks | 268 | 2 |
| Implications of Risks in an EDI System | 270 | 1 |
| | 270 | 7 |
| | 271 | 1 |
| | 271 | 1 |
| | 271 | 1 |
| | 272 | 1 |
| | 272 | 1 |
| | 273 | 1 |
| | 274 | 1 |
| | 275 | 1 |
| | 275 | 1 |
| | 275 | 1 |
| | 276 | 1 |
| Functional Testing and Acceptance | 276 | 1 |
| | 276 | 1 |
| Documentation Requirements | 277 | 1 |
| Application Software Life Cycle | 277 | 1 |
| System Development Methodology | 277 | 1 |
| | 278 | 1 |
| | 278 | 2 |
| Application Maintenance: Defined | 278 | 1 |
| | 278 | 1 |
| | 279 | 1 |
| | 279 | 1 |
| Measuring Risk for Application Maintenance | 279 | 1 |
| | 280 | 1 |
| | 281 | 3 |
| | 281 | 2 |
| | 283 | 1 |
| Answers to Multiple Choice Questions | 284 | 1 |
| | 284 | 1 |
| Chapter 12 Change Management | 285 | 20 |
| Vulnerabilities in Software Development and Change Control | 285 | 1 |
| Software Configuration Management | 286 | 1 |
| | 287 | 1 |
| | 287 | 1 |
| | 287 | 2 |
| | 289 | 3 |
| | 292 | 1 |
| | 292 | 1 |
| Revisions to Documentation and Procedures | 292 | 1 |
| | 293 | 1 |
| | 293 | 1 |
| Software Distribution Process | 294 | 1 |
| Change Management Example | 295 | 3 |
| | 295 | 1 |
| | 296 | 1 |
| Change Management Boards or Committees | 296 | 1 |
| Criteria for Approving Changes | 297 | 1 |
| | 298 | 1 |
| Organizational Change Management | 298 | 1 |
| Organizational Culture Defined | 298 | 2 |
| Managing Organizational Change Management | 299 | 1 |
| | 300 | 1 |
| | 301 | 3 |
| | 301 | 2 |
| | 303 | 1 |
| Answers to Multiple Choice Questions | 303 | 1 |
| | 304 | 1 |
| PART IV AUDITING IT OPERATIONS: FROM STANDALONE TO GLOBAL | 305 | 174 |
| Chapter 13 IT Operations Environments: Complexities and Control Issues | 307 | 28 |
| | 308 | 3 |
| Areas of Control and Risk Issues | 310 | 1 |
| IT Operations Issues in Network Installation | 311 | 3 |
| | 314 | 1 |
| | 315 | 3 |
| | 315 | 1 |
| | 315 | 1 |
| | 315 | 1 |
| | 315 | 1 |
| | 315 | 1 |
| | 316 | 1 |
| Frame Relay Network Services | 316 | 1 |
| Asynchronous Transfer Mode Network Services | 317 | 1 |
| The Network Management System | 317 | 1 |
| | 317 | 1 |
| | 317 | 1 |
| | 317 | 1 |
| | 318 | 1 |
| | 318 | 1 |
| | 318 | 1 |
| Tools for Network Monitoring | 318 | 2 |
| | 318 | 1 |
| | 319 | 1 |
| | 319 | 1 |
| Network Management Software | 319 | 1 |
| General Statistical Tools | 320 | 1 |
| | 320 | 1 |
| The Internet, Intranet, and Extranet | 320 | 9 |
| | 323 | 1 |
| | 324 | 1 |
| | 324 | 1 |
| LAN Security Issues: Wired versus Wireless | 324 | 1 |
| What Can Be Done to the Wired LANs? | 324 | 1 |
| Physical Security: Site Control and Management | 324 | 1 |
| | 325 | 1 |
| Eavesdropping Countermeasures | 325 | 1 |
| Why WLANs Are More Secure | 325 | 1 |
| Spread-Spectrum Technology | 325 | 1 |
| | 326 | 1 |
| | 326 | 1 |
| Network Management Control Issues | 327 | 1 |
| Importance of National Information Infrastructure | 328 | 1 |
| | 329 | 1 |
| | 330 | 2 |
| | 330 | 2 |
| | 332 | 1 |
| Answers to Multiple Choice Questions | 332 | 1 |
| | 332 | 3 |
| Chapter 14 Operational Control Issues | 335 | 28 |
| Organizational Policy and Organization Controls | 335 | 1 |
| Data Files and Program Controls | 336 | 1 |
| Backup/Restart and Disaster Recovery Controls | 337 | 1 |
| Physical Security and Access Controls | 337 | 1 |
| | 338 | 2 |
| COBIT Operational Controls | 340 | 1 |
| Comparing COBIT and General Controls for Operational Auditing | 340 | 5 |
| Problem Management Auditing | 345 | 1 |
| Problem Management Auditing in Action Overview | 345 | 2 |
| | 346 | 1 |
| | 346 | 1 |
| | 346 | 1 |
| | 347 | 1 |
| Introduction to Data Center Reviews | 347 | 1 |
| Data Center Audit Program | 348 | 2 |
| A. Administration of IT Activities | 348 | 1 |
| | 348 | 1 |
| B. Operating Systems Software and Data | 349 | 1 |
| | 349 | 1 |
| C. Computer Operations/Business Resumption | 349 | 1 |
| | 349 | 1 |
| D. Security Administration | 350 | 1 |
| | 350 | 1 |
| Software and Data Security Controls | 350 | 2 |
| Physical and Environmental Controls Management | 350 | 1 |
| | 351 | 1 |
| Policy and Procedures Documentation | 351 | 1 |
| Data and Software Backup Management | 351 | 1 |
| Other Management Controls | 351 | 1 |
| The Call Center (CC) Concept | 352 | 2 |
| New Audit Responsibilities | 354 | 1 |
| Developing Audit Software in the CC | 354 | 1 |
| | 355 | 4 |
| The System Development Life Cycle | 356 | 1 |
| | 357 | 1 |
| | 357 | 1 |
| Physical Security and Recovery Procedures | 358 | 1 |
| | 358 | 1 |
| | 358 | 1 |
| | 359 | 1 |
| | 359 | 3 |
| | 360 | 1 |
| | 361 | 1 |
| Answers to Multiple Choice Questions | 362 | 1 |
| | 362 | 1 |
| Chapter 15 Assessing Risk in IT Operations | 363 | 46 |
| | 363 | 1 |
| | 363 | 7 |
| U.S. National Institute of Standards and Technology (NIST) | 364 | 1 |
| Government Accounting Office (GAO) | 364 | 1 |
| American Institute of Certified Public Accountants (AICPA) | 365 | 4 |
| Information Systems Audit and Control Association (ISACA) | 369 | 1 |
| Institute of Internal Auditors (IIA) | 369 | 1 |
| Committee of Sponsoring Organizations of the Treadway Commission (COSO) | 370 | 1 |
| | 370 | 9 |
| | 371 | 1 |
| Enterprise/Operational Risk Management | 371 | 1 |
| | 371 | 6 |
| | 371 | 2 |
| | 373 | 1 |
| Increasing Business Risks | 373 | 1 |
| | 373 | 2 |
| | 375 | 1 |
| | 376 | 1 |
| | 376 | 1 |
| Concluding Thoughts on ERM/ORM | 377 | 2 |
| | 379 | 1 |
| | 379 | 1 |
| | 380 | 12 |
| Security Tools and Technologies | 380 | 1 |
| | 380 | 1 |
| Security Policies and Procedures | 381 | 1 |
| | 382 | 2 |
| Internet Firewall Configurations - Bastion Host | 384 | 1 |
| Choke Router/Screened Host | 384 | 1 |
| Firewalls in a Partitioned Network | 385 | 1 |
| Practical Web Security Solutions | 386 | 2 |
| | 386 | 1 |
| | 387 | 1 |
| | 387 | 1 |
| | 388 | 2 |
| World Wide Web and Java Risk Conclusions | 390 | 2 |
| | 392 | 8 |
| | 392 | 1 |
| | 392 | 2 |
| Reduction and Retention of Risks | 394 | 1 |
| | 394 | 2 |
| Determination of Objectives | 396 | 1 |
| | 396 | 1 |
| IT Risk Assessment Tools and Techniques | 397 | 1 |
| | 398 | 1 |
| | 398 | 2 |
| How to Determine IT Insurance Coverage | 400 | 2 |
| | 402 | 1 |
| | 403 | 2 |
| | 403 | 2 |
| | 405 | 1 |
| Answers to Multiple Choice Questions | 405 | 1 |
| | 405 | 1 |
| | 405 | 4 |
| Chapter 16 Audit Methods and Techniques for Operations | 409 | 30 |
| Auditing Contingency and Disaster Recovery Planning | 410 | 2 |
| Audit of Disaster Recovery Planning Steps | 410 | 3 |
| Written Disaster Recovery Plan | 411 | 1 |
| Mission Statement for Disaster Recovery Plan | 411 | 1 |
| Disaster Recovery Plan Tests and Drill | 412 | 1 |
| | 412 | 1 |
| Importance of DBMS Recovery | 413 | 7 |
| | 414 | 1 |
| | 414 | 1 |
| | 415 | 1 |
| | 416 | 2 |
| | 416 | 1 |
| Applications and Systems Programmers | 417 | 1 |
| Web Designers and Developers | 417 | 1 |
| | 417 | 1 |
| Backup and Recovery of the Data Warehouse | 418 | 1 |
| Data Warehouse Integrity Check List | 419 | 1 |
| Trends in Data Warehousing | 419 | 1 |
| Auditing Data Communications | 420 | 2 |
| Data Communications Controls | 422 | 3 |
| LAN Audit and Security Issues: Wired versus Wireless | 425 | 7 |
| What Can Be Done to the Wired LANs? | 426 | 1 |
| Physical Security: Site Control and Management | 426 | 1 |
| | 426 | 1 |
| Eavesdropping Countermeasures | 426 | 1 |
| For Wireless: Key Audit and Security Checkpoints | 427 | 1 |
| Control Concerns with IEEE 802.11 Wired Equivalent Privacy (WEP) Protocol | 427 | 1 |
| | 427 | 1 |
| | 427 | 1 |
| IEEE 802.11i Robust Security Network Standard | 428 | 1 |
| Auditing End-User Computing | 428 | 1 |
| Preliminary Audit Planning | 428 | 1 |
| Defining the Audit Methodology | 429 | 1 |
| Defining the Scope and Content of the Audit | 429 | 1 |
| | 429 | 1 |
| Reviewing the EUC Group's Procedures and Objectives | 430 | 1 |
| Evaluating the EUC Groups' Effectiveness by Reviewing Their Documentation | 431 | 1 |
| | 431 | 1 |
| | 432 | 1 |
| | 432 | 1 |
| | 433 | 3 |
| | 434 | 1 |
| | 435 | 1 |
| Answers to Multiple Choice Questions | 435 | 1 |
| | 436 | 3 |
| Chapter 17 Using Tools and Techniques in IT Operation Reviews | 439 | 40 |
| Computer-Assisted Audit Tools and Techniques for Operational Reviews | 440 | 3 |
| | 443 | 1 |
| Definition of Systems Maintenance | 443 | 1 |
| | 444 | 5 |
| Points of Change Origination and Initiation | 445 | 3 |
| | 448 | 1 |
| | 448 | 1 |
| | 449 | 1 |
| Reviewing Operating Systems | 449 | 3 |
| Types and Uses of System Software | 451 | 1 |
| Reliance on Systems Software | 452 | 2 |
| Controlling Access to Systems Software | 454 | 1 |
| Controlling Changes to System Software | 455 | 1 |
| SAP Implementation and Control Issues | 455 | 8 |
| Understanding the Corporate Culture | 455 | 1 |
| Understood and Complete Process Changes | 456 | 1 |
| Communication: Never Enough! | 456 | 1 |
| | 456 | 1 |
| SAP Project Manager Competence | 457 | 1 |
| | 457 | 1 |
| Project Methodology: It Is Important | 458 | 1 |
| | 458 | 1 |
| | 458 | 1 |
| Establishing Security and Controls | 459 | 1 |
| Security Features of the Basis Component | 459 | 1 |
| Summary of Access Control | 460 | 1 |
| | 460 | 1 |
| | 460 | 1 |
| | 461 | 1 |
| Confidentiality, Integrity, and Security Management | 461 | 1 |
| EDI and Internet Security | 462 | 1 |
| | 463 | 1 |
| CRBE (Formerly Known as CTQA) | 463 | 1 |
| | 463 | 1 |
| | 464 | 1 |
| Getting Started: ISO 9000 | 464 | 3 |
| | 465 | 1 |
| | 465 | 1 |
| Principal Themes of an ISO 9000 Review | 466 | 1 |
| | 467 | 1 |
| WebMetrics: An Introduction | 468 | 2 |
| WebMetrics as an Audit Tool | 470 | 1 |
| | 470 | 1 |
| | 471 | 1 |
| | 472 | 3 |
| | 473 | 2 |
| | 475 | 1 |
| | 475 | 1 |
| | 475 | 4 |
| PART V EMERGING ISSUES IN IT AUDIT | 479 | 150 |
| Chapter 18 The Legal Environment and Its Impact on Information Technology: From IT Crime Law to IT Contract Law to Netlaw | 483 | 42 |
| | 484 | 2 |
| Protection against Computer Fraud | 486 | 1 |
| The Computer Fraud and Abuse Act (CFAA) | 487 | 2 |
| Computer Abuse Amendments Act | 489 | 6 |
| Sarbanes-Oxley Act (Public Law 107-204) | 489 | 16 |
| Major Points from the Sarbanes-Oxley Act of 2002 | 491 | 3 |
| | 494 | 1 |
| Penalties and Requirements under Title VIII of the Act | 495 | 1 |
| Penalties and Requirements under Title IX of the Act | 495 | 1 |
| Remedies and Effectiveness | 495 | 2 |
| Legislation Providing for Civil and Criminal Penalties | 497 | 1 |
| The Computer Security Act of 1987 | 498 | 2 |
| The Homeland Security Act of 2002 | 500 | 2 |
| | 502 | 3 |
| Netlaw: Privacy on the Information Superhighway | 505 | 3 |
| Private Information Available for the Taking | 505 | 3 |
| The National Strategy for Securing Cyberspace | 508 | 3 |
| Methods that Provide for Protection of Information | 511 | 1 |
| | 511 | 1 |
| Privacy Legislation and the Federal Government Privacy Act | 512 | 4 |
| Electronic Communications Privacy Act | 513 | 2 |
| Communications Decency Act of 1995 | 515 | 1 |
| Encrypted Communications Privacy Act of 1996 | 515 | 1 |
| Health Insurance Portability and Accountability Act of 1996 (HIPAA) | 515 | 1 |
| | 516 | 1 |
| Risk Assessment and Communications Act of 1997 | 516 | 1 |
| Risk Gramm-Leach-Bliley Act of 1999 | 516 | 1 |
| Current Pending Bills and Other Legislative Material | 516 | 2 |
| | 518 | 1 |
| | 518 | 1 |
| | 519 | 3 |
| | 520 | 2 |
| | 522 | 1 |
| Answers to Multiple Choice Questions | 522 | 12 |
| | 522 | 1 |
| | 522 | 1 |
| | 523 | 2 |
| Chapter 19 Security and Privacy of Information Technology: From the Individual to the Extranet/Intranet/Internet | 525 | 42 |
| Information Systems Security and Privacy in 1998 | 526 | 1 |
| Information Systems Security and Privacy Today | 527 | 4 |
| Interconnected Systems and Electronic Commerce: Global Issues | 531 | 1 |
| International Organization for Standardization and ISO 17799 | 531 | 2 |
| The Battleground: The Internet | 533 | 1 |
| | 534 | 7 |
| | 534 | 1 |
| | 535 | 1 |
| | 536 | 2 |
| | 538 | 1 |
| | 538 | 2 |
| | 539 | 1 |
| Flash Bombs and War Scripts | 540 | 1 |
| Denial-of-Service Attacks | 540 | 1 |
| | 540 | 1 |
| Exploiting the TCP/IP Holes | 541 | 3 |
| | 543 | 1 |
| Recommendation to IT Auditors, Security, and IT Professionals | 544 | 1 |
| Intranet Definition and Components | 545 | 3 |
| Intranet Benefits and Obstacles | 546 | 1 |
| | 547 | 1 |
| Intranet/Extranet Security | 548 | 6 |
| Technology Tactics Used to Protect Networks | 549 | 2 |
| | 551 | 1 |
| Network Security Products | 552 | 2 |
| A New Challenge: Wireless Technology | 554 | 3 |
| | 555 | 2 |
| The Future of Intranets and Other Networks | 557 | 1 |
| | 557 | 4 |
| | 561 | 3 |
| | 562 | 1 |
| | 563 | 1 |
| Answers to Multiple Choice Questions | 564 | 5 |
| | 564 | 1 |
| | 564 | 2 |
| | 566 | 1 |
| Chapter 20 IT Auditing: Career Planning and Development, Evaluating Audit Quality, and Best Practices | 567 | 38 |
| IT Auditor Career Development and Planning | 568 | 1 |
| Establishing a Career Development Plan | 569 | 7 |
| Career Path Planning Needs Management Support | 569 | 1 |
| Knowledge, Skills, and Abilities | 570 | 1 |
| | 571 | 1 |
| Performance Counseling/Feedback | 572 | 1 |
| | 572 | 2 |
| | 574 | 2 |
| Evaluating IT Audit Quality | 576 | 1 |
| Scope and Objectives of an IT Audit | 577 | 1 |
| Computerized Systems and Applications | 577 | 1 |
| Information Processing Facilities | 577 | 1 |
| | 577 | 1 |
| Management of IT and Enterprise Architecture | 577 | 1 |
| Client/Server, Telecommunications, Intranets, and Extranets | 578 | 1 |
| | 578 | 1 |
| | 578 | 1 |
| The IT Audit and Auditor Assessment Form | 579 | 3 |
| | 582 | 3 |
| | 582 | 1 |
| | 582 | 1 |
| | 582 | 1 |
| | 582 | 1 |
| | 583 | 1 |
| | 583 | 1 |
| | 583 | 1 |
| | 583 | 1 |
| | 583 | 1 |
| | 584 | 1 |
| | 584 | 1 |
| Relations with the Auditee | 584 | 1 |
| Relations with Audit Management | 584 | 1 |
| Follow-Up of Audit Recommendations | 584 | 1 |
| Criteria for Assessing the Audit | 585 | 1 |
| | 585 | 1 |
| | 585 | 1 |
| | 585 | 1 |
| Appropriate Conclusions, Findings, and Recommendations | 586 | 1 |
| Follow-Up of Findings and Recommendations | 586 | 1 |
| Criteria for Assessing the Auditor | 586 | 1 |
| | 586 | 2 |
| Implementation of Measurements | 588 | 1 |
| | 589 | 1 |
| Evaluation of IT Audit Performance | 589 | 1 |
| | 590 | 8 |
| Why Is It Important to Learn about Best Practices? | 591 | 1 |
| Overview of Best Practices in IT Audit Planning | 591 | 1 |
| | 592 | 1 |
| | 593 | 1 |
| | 593 | 1 |
| | 594 | 1 |
| | 594 | 1 |
| | 595 | 2 |
| | 597 | 1 |
| | 597 | 1 |
| | 597 | 1 |
| | 598 | 1 |
| | 598 | 1 |
| | 599 | 2 |
| | 600 | 1 |
| | 601 | 4 |
| Answers to Multiple Choice Questions | 602 | 1 |
| | 602 | 3 |
| Chapter 21 IT Auditing in the New Millennium | 605 | 24 |
| | 606 | 2 |
| The New Dimension: Information Assurances | 608 | 2 |
| | 610 | 1 |
| A Common Body of Knowledge | 610 | 1 |
| | 611 | 1 |
| | 611 | 1 |
| A Code of Ethics and Professional Standards | 612 | 1 |
| | 612 | 1 |
| New Trends in Developing IT Auditors and Education | 613 | 6 |
| Career Opportunities in the 21st Century | 619 | 1 |
| | 620 | 1 |
| | 620 | 1 |
| | 620 | 1 |
| | 621 | 1 |
| The Role of the IT Auditor in IT Governance | 621 | 2 |
| The IT Auditor as Counselor | 623 | 1 |
| The IT Auditor as Partner of Senior Management | 623 | 1 |
| Educating the Next Generation on IT Audit and Control Opportunities | 624 | 1 |
| | 624 | 1 |
| | 625 | 2 |
| | 625 | 2 |
| | 627 | 1 |
| Answers to Multiple Choice Questions | 627 | 1 |
| | 627 | 2 |
| PART VI APPENDICES | 629 | 194 |
| Appendix I Information Technology Audit Cases | 631 | 8 |
| Computer-Assisted Audit Cases | 631 | 8 |
| | 631 | 1 |
| | 631 | 1 |
| | 631 | 1 |
| Case 2: Ready or Not Auto Insurance | 632 | 1 |
| Case 3: Holt Valley Hospital Services, Inc. | 632 | 1 |
| Case 4: Acme Insurance Corporation | 633 | 1 |
| | 633 | 1 |
| Case 5: OnTheRise Corporation | 633 | 1 |
| Case 6: Wedco Electronics | 633 | 1 |
| Case 7: Amazon Industries | 634 | 1 |
| | 635 | 1 |
| | 635 | 1 |
| | 635 | 1 |
| | 636 | 1 |
| | 636 | 3 |
| | 637 | 2 |
| Appendix II Bibliography of Selected Publications for Information Technology Auditors | 639 | 28 |
| | 639 | 10 |
| Department of Justice of the United States | 639 | 2 |
| General Accounting Office of the United States (GAO) | 641 | 4 |
| National Institute of Standards and Technology (NIST) | 645 | 3 |
| National Technical Information Service (NTIS) | 648 | 1 |
| Publications Available from Professional Association | 649 | 9 |
| American Institute of Certified Public Accountants (AICPA) | 649 | 1 |
| Association for Computing Machinery | 650 | 1 |
| The Canadian Institute of Chartered Accountants (CICA) | 651 | 1 |
| The Information Systems Audit and Control Association & Foundation (ISACA) | 651 | 4 |
| The Institute of Internal Auditors (IIA) | 655 | 1 |
| International Federation for Information Processing | 656 | 1 |
| International Federation of Accountants (IFAC) | 657 | 1 |
| Quality Assurance Institute | 657 | 1 |
| | 658 | 9 |
| Best Practices in Information Technology | 658 | 1 |
| Computer Hardware and Software | 658 | 1 |
| Computer, Network, and Information Security | 659 | 1 |
| Enterprise Resource Planning (ERP) Systems | 659 | 1 |
| Information Technology and Accounting Systems | 660 | 1 |
| The Internet, E-Commerce, and Web Security | 661 | 1 |
| IT Auditing and Control Systems | 662 | 1 |
| | 663 | 1 |
| | 664 | 1 |
| | 665 | 2 |
| Appendix III Professional Standards That Apply to Information Technology (Audit, Security, and Privacy Issues) | 667 | 80 |
| American Institute of Certified Public Accountants (AICPA) | 667 | 18 |
| | 668 | 1 |
| | 668 | 17 |
| The Institute of Internal Auditors (IIA) | 685 | 18 |
| | 686 | 1 |
| | 686 | 4 |
| Information Systems Audit and Control Association (ISACA) | 690 | 1 |
| | 690 | 13 |
| The Canadian Institute of Chartered Accountants (CICA) | 703 | 1 |
| | 704 | 1 |
| | 704 | 1 |
| International Federation of Accountants (IFAC) | 704 | 6 |
| | 708 | 1 |
| | 708 | 2 |
| Information System Security Association (ISSA) | 710 | 1 |
| | 711 | 1 |
| | 711 | 1 |
| Society for Information Management (SIM) | 711 | 1 |
| | 711 | 1 |
| | 712 | 1 |
| Association of Information Technology Professionals (AITP) | 712 | 1 |
| | 712 | 1 |
| | 712 | 1 |
| | 712 | 1 |
| | 713 | 1 |
| International Federation for Information Processing (IFIP) | 713 | 1 |
| | 713 | 1 |
| | 713 | 1 |
| IFIP Technical Committee (TC) and Working Group (WG) - Aims and Scopes | 713 | 1 |
| Association for Computing Machinery (ACM) | 714 | 11 |
| | 714 | 7 |
| | 721 | 4 |
| Editor-in-Chief: Carl Cargill, SunSoft (A division of Sun Microsystems) | 721 | 4 |
| The Institute of Chartered Accountants in Australia (ICAA) | 725 | 1 |
| | 725 | 1 |
| | 725 | 1 |
| National Institute of Standards and Technology (NIST) | 725 | 11 |
| | 730 | 1 |
| | 730 | 6 |
| General Accounting Office (GAO) | 736 | 1 |
| | 737 | 1 |
| | 737 | 1 |
| International Organization of Supreme Audit Institutions (INTOSAI) | 737 | 62 |
| | 744 | 1 |
| | 744 | 1 |
| | 744 | 1 |
| Guidelines for Internal Control Standards | 744 | 3 |
| | 747 | 52 |
| Appendix V Sample Audit Programs | 799 | 24 |
| Audit Program for Systems Maintenance | 799 | 2 |
| ISO 9001 Review: Conclusion and Documents | 801 | 1 |
| Lessons Learned - 9001 Review | 802 | 1 |
| | 803 | 7 |
| | 805 | 5 |
| UTOP Seven Quality Beliefs | 805 | 1 |
| Orange County Quality System | 805 | 5 |
| Audit Program for Operating System Security Evaluation | 810 | 13 |
| | 810 | 13 |
| Index | 823 | |