By the end of this course delegates will be able to:

• Develop an understanding of IT project management
• Gain experience using project management tools and techniques
• Apply the concepts of Risk Management to IT audit project
• Learn about how to audit organizations and audit standards

• In addition, you will learn techniques for auditing automated systems and examine the impact of Sarbanes-Oxley on IT audit. You will leave this session with a solid foundation in the basics of information technology as they apply to audit and security concerns.

Introduction to IT Audit

• Audit objectives and requirements
• Role of IT within the organization
• Management and security risks in an automated environment
• What is a control?
• Internal control defined
• Processes and control points
• Physical space vs. Logical space
• Identifying control points

Planning the IT Audit

• Definition of internal audit
• Objectives of an it audit
• IT audit strategies
• What is an application
• Application vs. General controls
• IT audit control reviews
• IT control categories
• The audit deliverable
• Building the audit team

Auditing Organizations and Standards

• Maintaining audit objectivity
• What is a standard?, AICPA and SAS
• GAO and other certification organizations
• The Institute of Internal Auditors (IIA)

The Treadway Commission

• COSO Integrated Framework
• ISACA and the IT Governance Institute
• COBIT®: Control Objectives for Information and Related Technology
• ISO 27002 security standard

IT Governance and Controls

• What is IT governance?
• Information security governance
• IT policies and procedures
• Separation of duties and outsourcing

Governance and control

Information Technology Basics

• Why learn about technology?
• Computer hardware and CPU operation

Two different classes of computers

• Software, programs and processing
• Distributed systems and client/server technology
• The Open Systems Interconnection (OSI) model
• Maintenance and security

Network Technology and Controls

• Networking risks, Auditing networks
• What is a network?
• LANs, WANs and MANs
• Physical network media (cables)
• Cabling audit objectives
• LAN Protocols
• WAN connectivity and protocols
• MAN protocols
• LAN/WAN/MAN audit objectives
• Network devices
• Network device audit objectives
• Complete networks
• The internet
• Intranets and extranets
• Risks of internet use for business
• Using firewalls
• Internet communications
• Internet Protocol (IP) addressing
• Service (process) addressing
• Internet applications
• The World Wide Web (www)
• Web page technologies
• Internet audit objectives

Shared General and Application Controls

• Logical security
• Data classification
• Logical access controls: system access
• Encryption: information access
• Remote access, PCS and mobile devices
• Information security management
• Change management
• Change management objectives
• Program change control
• Patch management
• Software licensing
• Business continuity/disaster recovery
• Bcp/drp defined
• Business Impact Analysis (BIA)
• Disaster recovery strategy
• Maintaining the plan
• System development technologies
• SDLC, RAD, ERP purchases
• Internal audit involvement, Audit strategy

Application Controls

• What is an application?
• Business application risks
• Application auditing
• Transactions: the audit focus
• Transaction life cycle controls, End
• User computing
• Data warehouses
• The future of applications

Database Technology and Controls

• Managing information
• The program
• Centric model
• Program
• Centric audit concerns
• The data
• Centric model
• What is a database?
• Database terminology
• Database management systems
• Types of databases
• Database audit concerns

Infrastructure General Controls

• Operations controls
• IT operations
• Operating system controls
• System utilities
• System software controls: a review
• Physical security
• Environmental controls