MindGrove - the Audit and Risk Specialists

Introduction to Information Systems Auditing

This intensive course, developed over fifteen years by professional auditors, provides the perfect starting point for someone new to Information Systems Auditing.

 

Suitability and duration

Suitability: Novice

Duration: 4 days

 

Who should attend

Those entering information technology audit who need a practical primer to underpin their new career. This course is suited to all comers, but an understanding of basic audit terminology and sequence is assumed. All major steps of the course are accompanied by explanations of technology and case work, helping delegates to decode technical jargon and develop practical skills.

 

Benefits

Skills

After completion of this course, you will be able to:

  • Comprehend ITIL/ISO 20000/ISO 27000/COBIT

  • Understand the need to relate technology issues to risk

  • Identify laws, risks and controls that impact an organisation’s information processing

  • Perform reviews of live application systems

  • Perform reviews of systems under development

  • Review information security policies and physical security within the organisation

  • Review contingency and business resumption plans

  • Review logical security and access controls

  • Explain core network terminology and perform elementary network reviews

 

Support Materials

The course is accompanied by a 150-page manual containing detailed briefing and reference notes and a set of work programmes.

 

Programme

IT/IS Auditing

  • The IT/IS audit role
  • Working to best practices: ITIL/ISO 20000/ISO 27000/COBIT

 

IT operations and the law

  • IT operations and the law
  • Confidentiality, availability and integrity and the common findings that emerge from audit reviews

 

Risks associated with information technology systems

  • IT directive, preventative, detective and corrective controls
  • Applications and key controls
  • Additional controls made available by technology
  • Auditing an operational system – an approach that links found risk to business in an intelligible way

 

Auditing existing systems

  • IT directive, preventative, detective and corrective controls
  • Applications and key controls
  • Additional controls made available by technology
  • Auditing an operational system – an approach that links found risk to business

 

Auditing new systems and developments

  • Software procurement – creating the right requirement
  • Software development life cycles – formal and informal methods
  • Identifying high level risks in systems proposals
  • Auditing systems under development – an approach that tracks the evolving solution

 

Auditing the building blocks of IT control

  • Information security (InfoSec) and acceptable use policies
  • Performing a review of InfoSec and acceptable use policies
  • Physical security – working environments; location, structure and staff control; environmental control
  • Performing a physical security review
  • Contingency and disaster avoidance
  • Auditing business continuity and preparedness arrangements
  • Logical security – registration, identification, authentication, biometrics, authorisation, permissions structures and logging
  • Performing a logical security review
  • Simple network diagrams and basic network terminology
  • Network management, monitoring and resilience
  • Protecting data that is flowing across a network
  • Performing a basic network audit

 

 

Call us on +44 (0) 1925 730 200
© 2012 MindGrove Ltd. All rights reserved