A Standard for Auditing Computer Applications is a dynamic new resource for evaluating all aspects of automated business systems and systems environments. At the heart of A Standard for Auditing Computer Applications system is a set of customizable workpapers that provide blow-by-blow coverage of all phases of the IT audit process for traditional mainframe, distributed processing, and client/server environments.A Standard for Auditing Computer Applications was developed by Marty Krist, an acknowledged and respected expert in IT auditing. Drawing upon his more than twenty years of auditing experience with leading enterprise organizations, worldwide, Marty walks you step-by-step through the audit process for system environments and specific applications and utilities. He clearly spells out what you need to look for and where to look for it, and he provides expert advice and guidance on how to successfully address a problem when you find one.When you order A Standard for Auditing Computer Applications, you receive a powerful package containing all the forms, checklists, and templates you'll ever need to conduct successful audits on downloadable resources. Designed to function as a handy, on-the-job resource, the book follows a concise, quick-access format. It begins with an overview of the general issues inherent in any IT review. This is followed by a comprehensive review of the audit planning process. The remainder of the book provides you with detailed, point-by-point breakdowns along with proven tools for:evaluating systems environments-covers all the bases, including IT administration, security, backup and recovery planning, systems development, and moreEvaluating existing controls for determining hardware and software reliabilityAssessing the new system development processEvaluating all aspects of individual applications, from I/O, processing and logical and physical security to documentation, training, and programmed proceduresAssessing specific applications and utilities, including e-mail, groupware, finance and accounting applications, CAD, R&D, production applications, and more
AUTOMATED APPLICATION REVIEW OVERVIEW
WHAT INTEGRATED APPLICATION SYSTEMS ARE
Proper Operation of the IT Department
Developing Automated Applications
Critical Information Technology Controls
REVIEWING APPLICATION SYSTEMS
The Audit Structure
The Internal Auditors
The Audit Manual
Managing the Individual IT Audit
IT Audit Procedures
Application Development and Testing
Documenting and Reporting Audit Work
External Auditors
ASSESSING IT AUDIT CAPABILITIES
Who Should Perform the Self-Assessment?
Conducting the Self-Assessment
Analysis and Reporting of Results
PART II. DEVELOPING THE IT AUDIT PLAN
OVERVIEW OF COMPUTER APPLICATIONS AUDIT PLANNING STANDARDS AND PROCESSES
IT AUDIT PLANNING
Overview of Standards for IT Audit Planning
STRATEGIC IT AUDIT PLANNING
THE ANNUAL IT AUDIT PLANNING PROCESS
Step 1: Identify All Potential Reviews
Step 2: Evaluate and Prioritize Possible Reviews
Step 3: Setting Preliminary Scopes
Step 4: Select and Schedule IT Audits
Step 5: Merger Audit Plans
SPECIFIC AUDIT PLANNING
Step 1: Assign An Auditor-in-Charge
Step 2: Perform Application Fact Gathering
Step 3: Analyze Application Audit Risk
Step 4: Develop and Rank Measurable Audit Objectives
Step 5: Develop Administrative Plan
Step 6: Write Audit Program
PART III. ASSESSING GENERAL IT CONTROLS
INFORMATION SYSTEMS ADMINISTRATION
Strategic Planning
Tactical Planning
Information Technology Standard Setting
PHYSICAL ACCESS SECURITY
The Data Center
Door Locks
Windows
Data Center Floor
Alarm System
Fire Suppression Systems
The Detection of and Response to Unauthorized Activity
LOGICAL ACCESS SECURITY
User Identification
End User Log-In Considerations
SYSTEMS DEVELOPMENT PROCESS
General Objectives
Specific Objectives
BACKUP AND RECOVERY
Approaches to Making Backups
Media Utilized to Make Backups
Recovery Issues
AUDITING THE MAINFRAME
Planning the Audit
Performing Fieldwork Procedures
Auditing Specific Procedures by Audit Area
Audit Finalization
AUDITING THE MIDRANGE COMPUTER
Planning the Audit
Performing Fieldwork Procedures
Auditing Specific Procedures by Audit Area
Audit Finalization
AUDITING THE NETWORK
Planning the Audit
Performing Fieldwork Procedures
Auditing Specific Procedures by Audit Area
Audit Finalization
PART IV. PERFORMING A COMPLETE EVALUATION
PERFORMING A BASIC EVALUATION
PERFORMING A COMPLETE EVALUATION
General Control Objectives
Participants in the Systems Development Life Cycle
INITIATION PHASE REVIEW
Overview
Initiation Phase Deliverables
Auditing the Initiation Phase
Setting the Scope for the SDLC Audit
Customizing the Audit Objectives
Detailed Audit Testing
Audit Results and Reporting
THE REQUIREMENTS DEFINITION PHASE REVIEW
Overview
Deliverables in the Requirements Definition Phase
The Initial Audit Evaluation
Adjusting Audit Objectives
Detailed Audit Testing
Audit Results and Reporting
Confirming The Audit Strategy
APPLICATION DEVELOPMENT PHASE
Programming Phase Overview
Programming Phase Deliverables
The Initial Audit Assessment
Conducting Interviews
Setting The Audit Objectives
Detailed Audit Testing
The Audit Test
Audit Results and Reporting
Evaluating The Audit Strategy
THE EVALUATION AND ACCEPTANCE PHASE
Overview
Initial Assessment of The Acceptance Phase
Gathering and Verifying Information on The Phase Status
Setting Objectives for the Audit
Evaluation and Acceptance Phase Considerations
Detailed Audit Testing
Audit Results and Reporting
Evaluating Audit Results and Plans
PART V ASSESSING IMPLEMENTED SYSTEMS
INITIAL REVIEW PROCEDURES
Initial Review Procedures
Review Existing Audit Files
The Planning Meeting
AUDIT EVIDENCE
Initial Workpapers
IDENTIFY APPLICATION RISKS
The Meaning of Risk
Stand Alone Risk
Relative Risk
Ensuring Success
Identifying Application Risks
Overcoming Obstacles to Success
Assigning Materiality
Computing a Risk Score
DEVELOP A DETAILED PLAN
Writing Measurable Audit Objectives
Verifying the Completeness of Measurable Audit Objectives
EVALUATE INTERNAL CONTROLS
Document Segregation of Responsibilities
Conduct an Internal Control Review
Develop Internal Control Diagrams
Test Internal Controls
Evaluate Internal Control Effectiveness
TEST DATA INTEGRITY
Conduct a Data File Survey
Create Data Test Plan
Develop Test Tools
Verify File Integrity
Evaluate the Correctness of the Test Process
Conduct Data Test
Review Data Test Results
CERTIFY COMPUTER SECURITY
Collect Data
Conduct Basic Evaluation
Conduct Detailed Evaluation
Prepare Report of Results
ANALYZE AUDIT RESULTS
Document Findings
Analyze Findings
Develop Recommendations
Document Recommendations
REVIEW AND REPORT AUDIT FINDINGS
Create the Audit Report
Review Report Reasonableness
Review Readability of Report
Prepare and Distribute Report
REVIEW QUALITY CONTROL
Conduct a Quality Control Review
Conduct a Quality Assurance Review
Improve the Application Audit Process
WORKFLOW DIAGRAMMING
Creating a Workflow Diagram
Recommended Practices for Developing Workflow Diagrams
PART VI APPENDICES
WORKPAPERS
I-3-1 Self Assessment Questionnaire: IT Environment
I-3-2 Analysis Summary for I-3-1
I-3-3 Self Assessment Questionnaire: SDLC Methodology
I-3-4 Analysis Summary for I-3-3
I-3-5 Self Assessment Questionnaire: Internal Audit Capabilities
I-3-6 Analysis Summary for I-3-5
I-3-7 Analysis Summary for I-3-2, I-3-4, and I-3-6
II-5-1 Risk Assessment Model (100-Point System)
II-5-2 Risk Assessment Model (Weighted System)
II-5-3 Risk Assessment Model (10-Point System)
II-5-4 Risk Assessment Model (100-Point Total System)
III-1 Generic Questionnaire
III-2 Generic Program
III-3 Generic Workpaper Set
III-7-1 Complete Sample IT Security Policy
III-11-1 Standard Business Continuity Planning Audit Program
III-13-1 Midrange Questionnaire (AS/400)
III-14-1 Network Questionnaire (Novell)
A-1 Audit Assignment Interview Checklist
A-2 Audit Success Criteria Worksheet
A-3 Preliminary Conference Background Information Checklist
A-4 Conference Preparation Checklist
A-5 Post-Conference Background Information Cheklist
A-6 Input Transactions Worksheet
A-7 Data File Worksheet
A-8 Output Report and User Worksheet
A-9 User Satisfaction Questionnaire
A-10 Data Flow Diagram
A-11 Structural Risk Assessment
A-12 Technical Risk Assessment
A-13 Size Risk Assessment
A-14 Risk Score Summary
A-15 Risk Assessment Program
A-16 Application Risk Worksheet
A-17 Application Risk Worksheet (Blank)
A-18 Application Risk Ranking
A-19 File or Database Population Analysis
A-20 Measurable Application Audit Objectives
A-21 EDP Application Audit Plan
A-22 Responsibility Conflict Matrix
A-23 Data Origination Controls Questionnaire
A-24 Data Input Controls Questionnaire
A-25 Data Processing Controls Questionnaire
A-26 Data Output Controls Questionnaire
A-27 Data Flow Control Diagram
A-28 Transaction Flow Control Diagram
A-29 Responsibility Vulnerability Worksheet
A-30 Transaction Vulnerability Worksheet
A-31 Application Control Test Plan
A-32 Designing the Control Test
A-33 Testing Controls
A-34 Evaluation of Tested Controls
A-35 Computer File Survey
A-36 Manual File Survey
A-37 Data Audit Objective Test
A-38 Test Tool Worksheet
A-39 File Integrity Program
A-40 File Integrity Proof Sheet
A-41 Structural Test Program
A-42 Functional Test Program
A-43 Data Test Program
A-44 Data Test Checklist
A-45 Test Results Review
A-46 Key Security Planning Questions
A-47 Partition of Applications
A-48 Security Requirements
A-49 Risk Analysis
A-50 Document Review Guide
A-51 Planning the Interviews
A-52 Interview Results
A-53 Security Requirements Evaluation
A-54 Methodology Review
A-55 Detailed Review of Security Safeguards
A-56 Security Certification Statement
A-57 Detailed Evaluation Report
A-58 Audit Finding Documentation
A-59 Analysis of Finding
A-60 Developing Recommendations
A-61 Effective Data Processing Control Practices
A-62 Audit Recommendation Worksheet
A-63 Report Objectives Worksheet
A-64 Audit-Report-Writing Program
A-65 Report Reasonableness Checklist
A-66 Report Readability Checklist
A-67 Exit Conference Program
A-68 Report Issuance and Follow-Up Program
A-69 Computer Application Audit Quality Control Checklist
A-70 Audit Performance Problem Worksheet (Blank)
A-71 Audit Performance Problem Worksheet
A-72 Audit Process Problem Cause Identification Worksheet
A-73 Audit Process Improvement Recommendation Worksheet
Biography
Martin A. Krist