• A
  • A
  • A
  • ABC
  • ABC
  • ABC
  • А
  • А
  • А
  • А
  • А
Regular version of the site
Master 2019/2020

Information Systems Audit

Type: Elective course (Business Informatics)
Area of studies: Business Informatics
Delivered by: Department of Information Systems and Digital Infrastructure Management
When: 2 year, 1, 2 module
Mode of studies: offline
Instructors: Vladimir I. Grekul, Dmitry Pervukhin
Master’s programme: Business Informatics
Language: English
ECTS credits: 6
Contact hours: 72

Course Syllabus

Abstract

The aim of the course is to teach students to use their generalized knowledge in various fields of IT for estimation of information system (IS) characteristics and IS-related controls. This course is based on the program of CISA (Certified Information Systems Auditor) exam and introduces students to the concepts and practical methods of full cycle of IS auditing. This is the main feature of the course that distinguishes it from other similar disciplines studied in Russian and foreign Universities and aimed usually to separate categories of audit (e.g., audit of Information Security Management, IT strategy audit, Network Infrastructure audit etc.).
Learning Objectives

Learning Objectives

  • IT Audit and Assurance Standards, Guidelines, and Tools and Techniques; Code of Professional Ethics; and other applicable standards.
  • Risk assessment concepts, tools and techniques in an audit context.
  • Control objectives and controls related to information systems.
  • Audit planning and audit project management techniques, including follow-up.
  • Fundamental business processes including relevant IT.
  • Applicable regulations that affect the scope, evidence collection and preservation, and frequency of audits.
  • Evidence collection techniques (e.g., observation, inquiry, inspection, interview data analysis) used to gather protect and preserve audit evidence.
  • Reporting and communication techniques (e.g., facilitation, negotiation, conflict resolution, audit report structure).
  • Students should also gain experience in audit project planning and assessing of main information systems characteristics.
Expected Learning Outcomes

Expected Learning Outcomes

  • Understanding of the process of IS audit
  • Understanding of Governance and Management of Information Technologies
  • Understanding of IS acquisition, development and implementation
  • Understanding of IS operations, maintenance and support audit
  • Understanding of a protection of information assets audit
  • Understanding of a BC and DR audit
Course Contents

Course Contents

  • The Process of Auditing Information Systems
    Main tasks of auditor:  Develop and implement a risk-based IT audit strategy.  Plan specific audits to determine whether information systems are protected, controlled and provide value to the organization.  Conduct audits in accordance with IT audit standards.  Report audit findings and make recommendations to key stakeholders.  Conduct follow-ups or prepare status reports to ensure that appropriate actions have been taken by management in a timely manner. Main areas of auditing expertise: IT Audit and Assurance Standards, Guidelines, and Tools and Techniques; Code of Professional Ethics; and other applicable standards. Risk assessment concepts, tools and techniques in an audit context control objectives and controls related to information systems. Audit planning and audit project management techniques fundamental business processes including relevant IT evidence collection techniques (e.g., observation, inquiry, inspection and interview data analysis) used to gather protect and preserve audit evidence. Compliance and substantive testing. Reporting and communication techniques (e.g., facilitation, negotiation, conflict resolution, audit report structure).
  • Governance and Management of Information Technologies
    Main objectives to be evaluated:  The effectiveness of the IT governance structure.  IT organizational structure and human resources (personnel) management.  IT strategy.  IT policies, standards and procedures.  Adequacy of the quality management system to determine whether it supports the organization's strategies and objectives in a cost-effective manner.  IT management and monitoring of controls.  IT resource investment.  IT contracting strategies and policies. Risk management practices.  Monitoring and assurance practices. Main areas of auditing expertise: IT governance, management, security and control frameworks, and related standards, guidelines and practices. The purpose of IT strategy, policies, standards and procedures for an organization and the essential elements of each. The organizational structure, roles and responsibilities related to IT the processes for the development, implementation and maintenance of IT strategy, policies, standards and procedures. Quality management systems. Maturity models. IT resource investment and allocation practices, including prioritization criteria (e.g., portfolio management, value management, project management). IT supplier selection, conflict management, relationship management and performance monitoring processes including third-party outsourcing relationships enterprise risk management practices for monitoring and reporting of IT performance (e.g., balanced scorecards, key performance indicators [KPIs]). IT human resources (personnel) management practices used to invoke the business continuity plan.
  • Information Systems Acquisition, Development and Implementation
    Main objectives to be evaluated:  Business case for proposed investments in information systems.  Project management practices and controls.  Controls for information systems during the requirements, acquisition, development and testing phases.  Readiness of information systems for implementation and mitigation into production to determine whether project deliverables, controls and the organization's requirements are met.  Post-implementation reviews of systems. Main areas of auditing expertise: Benefits realization practices (e.g., feasibility studies, business cases, total cost of ownership [TCO], ROI). Project governance mechanisms (e.g., steering committee, project oversight board, project management office). Project management control frameworks, practices and tools. Risk management practices applied to projects IT architecture related to data, applications and technology (e.g., distributed applications, web-based applications, web services, n-tier applications) acquisition practices (e.g., evaluation of vendors, vendor management, escrow). Requirements analysis and management practices (e.g., requirements verification, traceability, gap analysis, vulnerability management, security requirements). Project success criteria and risks. Control objectives and techniques that ensure the completeness, accuracy, validity and authorization of transactions and data. system development methodologies and tools, including their strengths and weaknesses (e.g., agile development practices, prototyping, rapid application development [RAD]; object-oriented design techniques). Testing methodologies and practices related to information systems development. Configuration and release management relating to the development of information systems. System migration and infrastructure deployment practices and data conversion tools, techniques and procedures. Post-implementation review objectives and practices.
  • Information Systems Operations, Maintenance and Support
    Main objectives to be evaluated:  Periodic reviews of in format ion systems to determine whether they continue to meet the organization's objectives.  Service level management practices.  Third-party management practices.  Operations and end-user procedures.  Process of information systems maintenance.  Data administration practices.  Capacity and performance monitoring tools and techniques.  Problem and incident management practices.  Change, configuration and release management practices.  Adequacy of backup and restore provisions organization's disaster recovery plan. Main areas of auditing expertise: Service level management practices and the components within a service level agreement. Techniques for monitoring third-party compliance with the organization's internal controls. Operations and end-user procedures for managing scheduled and nonscheduled processes. The technology concepts related to hardware and network components, system software and database management systems. Control techniques that ensure the integrity of system interfaces. Software licensing and inventory practices. system resiliency tools and techniques (e.g., fault tolerant hardware, elimination of single point of failure, clustering). Database administration practices. Capacity planning and related monitoring tools and techniques. Systems performance monitoring processes, tools and techniques (e.g., network analyzers system utilization reports, load balancing). Problem and incident management practices (e.g., help desk, escalation procedures, tracking). Processes for managing scheduled and nonscheduled changes to the production systems and / or infrastructure including change, configuration, release and patch management practices. Data backup, storage, maintenance, retention and restoration practices.
  • Protection of Information Assets
    Main objectives to be evaluated:  Information security policies, standards and procedures.  Design, implementation and monitoring of system and logical security controls.  Design, implementation and monitoring of the data classification processes and procedures for alignment with the organization's policies, standards, procedures and applicable external requirements.  Design, implementation and monitoring of physical access and environmental controls.  Processes and procedures used to store, retrieve, transport and dispose of information assets Main areas of auditing expertise: Techniques for the design, implementation and monitoring of security controls, including security awareness programs. Processes related to monitoring and responding to security incidents (e.g., escalation procedures, emergency incident response team). Logical access controls for the identification, authentication and restriction of users to authorized functions and data. Security controls related to hardware, system software (e.g., applications, operating systems), and database management systems. Risks and controls associated with virtualization of systems. Configuration, implementation, operation and maintenance of network security controls. Network and Internet security devices, protocols and techniques. Information system attack methods and techniques. Detection tools and control techniques (e.g., malware, virus detection, spyware). Security testing techniques (e.g., intrusion testing, vulnerability scanning). Risks and controls associated with data leakage. Encryption- related techniques. Public key infrastructure (PKI) components and digital signature techniques. Risks and controls associated with peer-to-peer computing, instant messaging, and web-based technologies (e.g., social networking, message boards, blogs). Controls and risks associated with the use of mobile and wireless devices. Voice communications security (e.g., PBX, VoIP). The evidence preservation techniques and processes followed in forensics investigations (e.g., IT, process, chain of custody). Data classification standards and supporting procedures. Physical access controls for the identification, authentication and restriction of users to authorized facilities. Environmental protection devices and supporting practices. Processes and procedures used to store, retrieve, transport and dispose of confidential information assets.
  • Business Continuity and Disaster Recovery
    Main objectives to be evaluated:  The adequacy of backup and restore provisions to ensure the availability of information required to resume processing.  The organization's disaster recovery plan.  The organization's business continuity plan. Main areas of auditing expertise: Data backup, storage, maintenance, retention and restoration processes, and practices. Regulatory, legal, contractual and insurance issues related to business continuity and disaster recovery. Business Impact Analysis (BIA). Development and maintenance of the business continuity and disaster recovery plans. Business continuity and disaster recovery testing approaches and methods. Human resources management practices as related to business continuity and disaster recovery (e.g., evacuation planning, response teams). Processes used to invoke the business continuity and disaster recovery plans. Types of alternate processing sites and methods used to monitor the contractual agreements (e.g., hot sites, warm sites, cold sites).
Assessment Elements

Assessment Elements

  • non-blocking Mid-term test
  • non-blocking Final test
  • non-blocking Exam
Interim Assessment

Interim Assessment

  • Interim assessment (2 module)
    0.5 * Final test + 0.5 * Mid-term test
Bibliography

Bibliography

Recommended Core Bibliography

  • Аудит информационных технологий : учебник, Грекул, В. И., 2015

Recommended Additional Bibliography

  • The audit process : principles, practice and cases, Gray, I., 2015