IT Auditing notes 1
The structure of an IT Audit
Phase 1 - Audit Planning Phase
In this phase, the auditor reviews controls such as general controls and application controls, then plans the tests of controls and the substantive testing procedures.
Phase 2 - Test of Control
Perform tests of control -> Evaluate Test result -> Determine degree of reliance on controls.
Phase 3 - Substantive Testing Phase
Perform Substantive Tests -> Evaluate Result -> Issue audit report
PDC Control Models
Preventive (prevention)
Detective (monitoring)
Corrective (cleaning up the mess afterwards)
Internal Control Activities
- Independent verification
- Transaction Authorization
- Segregation of duties
- Supervision
- Audit trail provision
Physical Control
Provision of a secure area - Security perimeter
Prevent unauthorized access
- Physical lock : Conventional keys/Electronic access badge system/cipher lock
- Selection and design of secure areas
- Intruder detection system (camera)
- Separate from third-party areas and public areas
- backup
- loading area
Backup
- Full backup
- Incremental backup
- Cumulative incremental: Since last full backup
- Differential incremental: Since last backup (any type)
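The two incremental types differ only in the baseline they measure change against, and that choice decides how many backup sets a restore later needs. The simulation below is an added example, not part of the notes: the change log, file list and two schedules are constructed sample data, and the function names are my own. It computes what each backup must contain under both rules and then walks the restore chain for a given day.

```python
"""Which files each backup type must contain, and which backups a restore needs.

Added example (not from the notes). Everything here is constructed sample data:
the change log, the file list and the two schedules are invented for illustration.
"""

# Constructed change log: (day, path) for every file write in the period.
CHANGES = [
    (1, "payroll.db"),
    (2, "ledger.db"),
    (2, "payroll.db"),
    (4, "hr/contracts.pdf"),
    (5, "ledger.db"),
]
ALL_FILES = ["payroll.db", "ledger.db", "hr/contracts.pdf", "readme.txt"]

# Two constructed schedules: a full backup on day 0, then incrementals of one kind.
SCHEDULE_CUMULATIVE = [(0, "full"), (3, "cumulative"), (6, "cumulative")]
SCHEDULE_DIFFERENTIAL = [(0, "full"), (3, "differential"), (6, "differential")]


def files_changed(changes, after_day, up_to_day):
    """Paths written in the window (after_day, up_to_day]."""
    return sorted({path for day, path in changes if after_day < day <= up_to_day})


def plan_backup(kind, day, history, changes, all_files):
    """Return the paths a backup of `kind` taken on `day` must contain.

    `history` is the list of (day, kind) backups already taken.
    """
    if kind == "full":
        return sorted(all_files)
    full_days = [d for d, k in history if k == "full" and d <= day]
    if not full_days:
        raise ValueError("an incremental backup needs a preceding full backup")
    if kind == "cumulative":
        # Cumulative incremental: everything changed since the last FULL backup.
        baseline = max(full_days)
    elif kind == "differential":
        # Differential incremental: everything changed since the last backup of ANY type.
        baseline = max(d for d, _ in history if d <= day)
    else:
        raise ValueError(f"unknown backup kind: {kind}")
    return files_changed(changes, baseline, day)


def run_schedule(schedule, changes, all_files):
    """Simulate a schedule; map (day, kind) -> list of paths written to that backup."""
    history, plan = [], {}
    for day, kind in schedule:
        plan[(day, kind)] = plan_backup(kind, day, history, changes, all_files)
        history.append((day, kind))
    return plan


def restore_chain(history, day):
    """Backups (oldest first) needed to restore the state as of `day`.

    Walk backwards: a differential depends on the backup right before it, a
    cumulative depends only on the last full, and a full needs nothing earlier.
    """
    past = sorted(b for b in history if b[0] <= day)
    chain = []
    i = len(past) - 1
    while i >= 0:
        chain.append(past[i])
        kind = past[i][1]
        if kind == "full":
            break
        if kind == "cumulative":
            i = max(j for j in range(i) if past[j][1] == "full")
        else:  # differential
            i -= 1
    return list(reversed(chain))


if __name__ == "__main__":
    for name, schedule in (("cumulative", SCHEDULE_CUMULATIVE), ("differential", SCHEDULE_DIFFERENTIAL)):
        plan = run_schedule(schedule, CHANGES, ALL_FILES)
        print(f"{name} schedule:")
        for key, paths in plan.items():
            print(f"  day {key[0]:>2} {key[1]:<12} -> {paths}")
        print(f"  restore as of day 6 needs: {restore_chain(schedule, 6)}")
```

Running it shows the trade-off an auditor checks for in a backup policy: the cumulative set on day 6 carries every file changed since day 0 (larger copies, but a restore needs only the full plus the latest cumulative), while the differential set on day 6 carries only the changes since day 3 (smaller copies, but a restore must replay the full and every differential since it, so losing any one set breaks the chain).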
Resumption programs
Hot Site - fully equipped and can be operational in less than 24 hours
Cold site -
Partner with other companies
Risk Analysis
Step 1 - identify Threats and Risks
- Threat Agents: the person or thing that triggers a threat, e.g. fire/hacker/employee/…
- Weaknesses: vulnerabilities
- Risks: the consequences that the weaknesses lead to
Step 2 - Quantify Impact of potential Threats
Single Loss Expectancy (SLE) + Annualized frequency = Annual Loss Expectancy (ALE)
Select a countermeasure
Cost/benefits calculation:
ALE before implementing safety measure - ALE after implementing safety measure - annual cost of safeguard = value of safeguard to the company
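The cost/benefit step is easiest to see with several candidate safeguards side by side, including one that is rejected because it costs more per year than the loss it avoids. The example below is added here and is not from the notes; the server-room fire scenario, the asset value, the exposure factors, the rates and the three safeguards are all constructed figures. It follows the notes' safeguard-value line exactly and, for the ALE itself, uses the standard definition in which the single loss expectancy is multiplied by the annualized rate of occurrence (ALE = SLE × ARO).

```python
"""Annual Loss Expectancy and the value of a safeguard.

Added example (not from the notes). The asset, threat and candidate safeguards
below are constructed figures for illustration.
"""


def single_loss_expectancy(asset_value, exposure_factor):
    """SLE: the loss from ONE occurrence = asset value x fraction of it lost."""
    return round(asset_value * exposure_factor, 2)


def annual_loss_expectancy(sle, aro):
    """ALE: expected loss per year = SLE x annualized rate of occurrence (ARO)."""
    return round(sle * aro, 2)


def safeguard_value(ale_before, ale_after, annual_cost):
    """Value of the safeguard to the company, as in the notes:
    ALE before - ALE after - annual cost of the safeguard."""
    return round(ale_before - ale_after - annual_cost, 2)


def evaluate_safeguards(asset_value, exposure_factor, aro, options):
    """Rank candidate safeguards by their net value.

    Each option records the residual exposure factor and ARO it leaves behind
    plus its annual cost. Options whose value is negative cost more than the
    loss they avoid and are marked as rejected.
    """
    ale_before = annual_loss_expectancy(single_loss_expectancy(asset_value, exposure_factor), aro)
    results = []
    for opt in options:
        sle_after = single_loss_expectancy(asset_value, opt["residual_ef"])
        ale_after = annual_loss_expectancy(sle_after, opt["residual_aro"])
        value = safeguard_value(ale_before, ale_after, opt["annual_cost"])
        results.append({"name": opt["name"], "ale_after": ale_after, "value": value, "accept": value > 0})
    return ale_before, sorted(results, key=lambda r: r["value"], reverse=True)


# Constructed scenario: fire in the server room.
ASSET_VALUE = 500_000      # replacement value of the equipment and data
EXPOSURE_FACTOR = 0.4      # fraction of the asset lost in one fire
ARO = 0.1                  # one fire expected every ten years

# Constructed candidate safeguards and the residual risk each leaves behind.
SAFEGUARDS = [
    {"name": "gas fire suppression", "residual_ef": 0.1, "residual_aro": 0.1, "annual_cost": 6_000},
    {"name": "smoke detectors + staff training", "residual_ef": 0.3, "residual_aro": 0.08, "annual_cost": 1_500},
    {"name": "hot site", "residual_ef": 0.05, "residual_aro": 0.1, "annual_cost": 30_000},
]

if __name__ == "__main__":
    ale, ranked = evaluate_safeguards(ASSET_VALUE, EXPOSURE_FACTOR, ARO, SAFEGUARDS)
    print(f"ALE without safeguards: {ale:,.2f}")
    for r in ranked:
        verdict = "accept" if r["accept"] else "reject (costs more than it saves)"
        print(f"  {r['name']:<34} ALE after {r['ale_after']:>10,.2f}  value {r['value']:>11,.2f}  {verdict}")
```

With these constructed figures the baseline ALE is 20,000 per year; suppression and detection both return a positive value, while the hot site is rejected on this single risk because its annual cost exceeds the loss it avoids. A negative value is the signal to look for a cheaper countermeasure or to justify the spend against other risks the same safeguard also covers.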