2nd Edition

Standard for Auditing Computer Applications

By Martin A. Krist Copyright 1999
    726 Pages
    by Auerbach Publications

    728 Pages
    by Auerbach Publications

    A Standard for Auditing Computer Applications is a dynamic new resource for evaluating all aspects of automated business systems and systems environments. At the heart of A Standard for Auditing Computer Applications is a set of customizable workpapers that provide blow-by-blow coverage of all phases of the IT audit process for traditional mainframe, distributed processing, and client/server environments.

    A Standard for Auditing Computer Applications was developed by Marty Krist, an acknowledged and respected expert in IT auditing. Drawing upon his more than twenty years of auditing experience with leading enterprise organizations worldwide, Marty walks you step-by-step through the audit process for system environments and specific applications and utilities. He clearly spells out what you need to look for and where to look for it, and he provides expert advice and guidance on how to successfully address a problem when you find one.

    When you order A Standard for Auditing Computer Applications, you receive a powerful package of downloadable resources containing all the forms, checklists, and templates you'll ever need to conduct successful audits. Designed to function as a handy, on-the-job resource, the book follows a concise, quick-access format. It begins with an overview of the general issues inherent in any IT review. This is followed by a comprehensive review of the audit planning process.

    The remainder of the book provides you with detailed, point-by-point breakdowns along with proven tools for:
    - Evaluating systems environments, covering all the bases, including IT administration, security, backup and recovery planning, systems development, and more
    - Evaluating existing controls for determining hardware and software reliability
    - Assessing the new system development process
    - Evaluating all aspects of individual applications, from I/O, processing, and logical and physical security to documentation, training, and programmed procedures
    - Assessing specific applications and utilities, including e-mail, groupware, finance and accounting applications, CAD, R&D, production applications, and more

    PART I OVERVIEW OF INTEGRATED AUDITING
    AUTOMATED APPLICATION REVIEW OVERVIEW
    WHAT INTEGRATED APPLICATION SYSTEMS ARE
    Proper Operation of the IT Department
    Developing Automated Applications
    Critical Information Technology Controls
    REVIEWING APPLICATION SYSTEMS
    The Audit Structure
    The Internal Auditors
    The Audit Manual
    Managing the Individual IT Audit
    IT Audit Procedures
    Application Development and Testing
    Documenting and Reporting Audit Work
    External Auditors
    ASSESSING IT AUDIT CAPABILITIES
    Who Should Perform the Self-Assessment?
    Conducting the Self-Assessment
    Analysis and Reporting of Results
    PART II. DEVELOPING THE IT AUDIT PLAN
    OVERVIEW OF COMPUTER APPLICATIONS AUDIT PLANNING STANDARDS AND PROCESSES
    IT AUDIT PLANNING
    Overview of Standards for IT Audit Planning
    STRATEGIC IT AUDIT PLANNING
    THE ANNUAL IT AUDIT PLANNING PROCESS
    Step 1: Identify All Potential Reviews
    Step 2: Evaluate and Prioritize Possible Reviews
    Step 3: Setting Preliminary Scopes
    Step 4: Select and Schedule IT Audits
    Step 5: Merge Audit Plans
    SPECIFIC AUDIT PLANNING
    Step 1: Assign An Auditor-in-Charge
    Step 2: Perform Application Fact Gathering
    Step 3: Analyze Application Audit Risk
    Step 4: Develop and Rank Measurable Audit Objectives
    Step 5: Develop Administrative Plan
    Step 6: Write Audit Program
    PART III. ASSESSING GENERAL IT CONTROLS
    INFORMATION SYSTEMS ADMINISTRATION
    Strategic Planning
    Tactical Planning
    Information Technology Standard Setting
    PHYSICAL ACCESS SECURITY
    The Data Center
    Door Locks
    Windows
    Data Center Floor
    Alarm System
    Fire Suppression Systems
    The Detection of and Response to Unauthorized Activity
    LOGICAL ACCESS SECURITY
    User Identification
    End User Log-In Considerations
    SYSTEMS DEVELOPMENT PROCESS
    General Objectives
    Specific Objectives
    BACKUP AND RECOVERY
    Approaches to Making Backups
    Media Utilized to Make Backups
    Recovery Issues
    AUDITING THE MAINFRAME
    Planning the Audit
    Performing Fieldwork Procedures
    Auditing Specific Procedures by Audit Area
    Audit Finalization
    AUDITING THE MIDRANGE COMPUTER
    Planning the Audit
    Performing Fieldwork Procedures
    Auditing Specific Procedures by Audit Area
    Audit Finalization
    AUDITING THE NETWORK
    Planning the Audit
    Performing Fieldwork Procedures
    Auditing Specific Procedures by Audit Area
    Audit Finalization
    PART IV. PERFORMING A COMPLETE EVALUATION
    PERFORMING A BASIC EVALUATION
    PERFORMING A COMPLETE EVALUATION
    General Control Objectives
    Participants in the Systems Development Life Cycle
    INITIATION PHASE REVIEW
    Overview
    Initiation Phase Deliverables
    Auditing the Initiation Phase
    Setting the Scope for the SDLC Audit
    Customizing the Audit Objectives
    Detailed Audit Testing
    Audit Results and Reporting
    THE REQUIREMENTS DEFINITION PHASE REVIEW
    Overview
    Deliverables in the Requirements Definition Phase
    The Initial Audit Evaluation
    Adjusting Audit Objectives
    Detailed Audit Testing
    Audit Results and Reporting
    Confirming The Audit Strategy
    APPLICATION DEVELOPMENT PHASE
    Programming Phase Overview
    Programming Phase Deliverables
    The Initial Audit Assessment
    Conducting Interviews
    Setting The Audit Objectives
    Detailed Audit Testing
    The Audit Test
    Audit Results and Reporting
    Evaluating The Audit Strategy
    THE EVALUATION AND ACCEPTANCE PHASE
    Overview
    Initial Assessment of The Acceptance Phase
    Gathering and Verifying Information on The Phase Status
    Setting Objectives for the Audit
    Evaluation and Acceptance Phase Considerations
    Detailed Audit Testing
    Audit Results and Reporting
    Evaluating Audit Results and Plans
    PART V ASSESSING IMPLEMENTED SYSTEMS
    INITIAL REVIEW PROCEDURES
    Initial Review Procedures
    Review Existing Audit Files
    The Planning Meeting
    AUDIT EVIDENCE
    Initial Workpapers
    IDENTIFY APPLICATION RISKS
    The Meaning of Risk
    Stand Alone Risk
    Relative Risk
    Ensuring Success
    Identifying Application Risks
    Overcoming Obstacles to Success
    Assigning Materiality
    Computing a Risk Score
    DEVELOP A DETAILED PLAN
    Writing Measurable Audit Objectives
    Verifying the Completeness of Measurable Audit Objectives
    EVALUATE INTERNAL CONTROLS
    Document Segregation of Responsibilities
    Conduct an Internal Control Review
    Develop Internal Control Diagrams
    Test Internal Controls
    Evaluate Internal Control Effectiveness
    TEST DATA INTEGRITY
    Conduct a Data File Survey
    Create Data Test Plan
    Develop Test Tools
    Verify File Integrity
    Evaluate the Correctness of the Test Process
    Conduct Data Test
    Review Data Test Results
    CERTIFY COMPUTER SECURITY
    Collect Data
    Conduct Basic Evaluation
    Conduct Detailed Evaluation
    Prepare Report of Results
    ANALYZE AUDIT RESULTS
    Document Findings
    Analyze Findings
    Develop Recommendations
    Document Recommendations
    REVIEW AND REPORT AUDIT FINDINGS
    Create the Audit Report
    Review Report Reasonableness
    Review Readability of Report
    Prepare and Distribute Report
    REVIEW QUALITY CONTROL
    Conduct a Quality Control Review
    Conduct a Quality Assurance Review
    Improve the Application Audit Process
    WORKFLOW DIAGRAMMING
    Creating a Workflow Diagram
    Recommended Practices for Developing Workflow Diagrams
    PART VI APPENDICES
    WORKPAPERS
    I-3-1 Self Assessment Questionnaire: IT Environment
    I-3-2 Analysis Summary for I-3-1
    I-3-3 Self Assessment Questionnaire: SDLC Methodology
    I-3-4 Analysis Summary for I-3-3
    I-3-5 Self Assessment Questionnaire: Internal Audit Capabilities
    I-3-6 Analysis Summary for I-3-5
    I-3-7 Analysis Summary for I-3-2, I-3-4, and I-3-6
    II-5-1 Risk Assessment Model (100-Point System)
    II-5-2 Risk Assessment Model (Weighted System)
    II-5-3 Risk Assessment Model (10-Point System)
    II-5-4 Risk Assessment Model (100-Point Total System)
    III-1 Generic Questionnaire
    III-2 Generic Program
    III-3 Generic Workpaper Set
    III-7-1 Complete Sample IT Security Policy
    III-11-1 Standard Business Continuity Planning Audit Program
    III-13-1 Midrange Questionnaire (AS/400)
    III-14-1 Network Questionnaire (Novell)
    A-1 Audit Assignment Interview Checklist
    A-2 Audit Success Criteria Worksheet
    A-3 Preliminary Conference Background Information Checklist
    A-4 Conference Preparation Checklist
    A-5 Post-Conference Background Information Checklist
    A-6 Input Transactions Worksheet
    A-7 Data File Worksheet
    A-8 Output Report and User Worksheet
    A-9 User Satisfaction Questionnaire
    A-10 Data Flow Diagram
    A-11 Structural Risk Assessment
    A-12 Technical Risk Assessment
    A-13 Size Risk Assessment
    A-14 Risk Score Summary
    A-15 Risk Assessment Program
    A-16 Application Risk Worksheet
    A-17 Application Risk Worksheet (Blank)
    A-18 Application Risk Ranking
    A-19 File or Database Population Analysis
    A-20 Measurable Application Audit Objectives
    A-21 EDP Application Audit Plan
    A-22 Responsibility Conflict Matrix
    A-23 Data Origination Controls Questionnaire
    A-24 Data Input Controls Questionnaire
    A-25 Data Processing Controls Questionnaire
    A-26 Data Output Controls Questionnaire
    A-27 Data Flow Control Diagram
    A-28 Transaction Flow Control Diagram
    A-29 Responsibility Vulnerability Worksheet
    A-30 Transaction Vulnerability Worksheet
    A-31 Application Control Test Plan
    A-32 Designing the Control Test
    A-33 Testing Controls
    A-34 Evaluation of Tested Controls
    A-35 Computer File Survey
    A-36 Manual File Survey
    A-37 Data Audit Objective Test
    A-38 Test Tool Worksheet
    A-39 File Integrity Program
    A-40 File Integrity Proof Sheet
    A-41 Structural Test Program
    A-42 Functional Test Program
    A-43 Data Test Program
    A-44 Data Test Checklist
    A-45 Test Results Review
    A-46 Key Security Planning Questions
    A-47 Partition of Applications
    A-48 Security Requirements
    A-49 Risk Analysis
    A-50 Document Review Guide
    A-51 Planning the Interviews
    A-52 Interview Results
    A-53 Security Requirements Evaluation
    A-54 Methodology Review
    A-55 Detailed Review of Security Safeguards
    A-56 Security Certification Statement
    A-57 Detailed Evaluation Report
    A-58 Audit Finding Documentation
    A-59 Analysis of Finding
    A-60 Developing Recommendations
    A-61 Effective Data Processing Control Practices
    A-62 Audit Recommendation Worksheet
    A-63 Report Objectives Worksheet
    A-64 Audit-Report-Writing Program
    A-65 Report Reasonableness Checklist
    A-66 Report Readability Checklist
    A-67 Exit Conference Program
    A-68 Report Issuance and Follow-Up Program
    A-69 Computer Application Audit Quality Control Checklist
    A-70 Audit Performance Problem Worksheet (Blank)
    A-71 Audit Performance Problem Worksheet
    A-72 Audit Process Problem Cause Identification Worksheet
    A-73 Audit Process Improvement Recommendation Worksheet

    Biography

    Martin A. Krist