
Chapter 1

1. List and explain five Websites you can go to for information about IT auditing.

1.1. https://www.isaca.org/Journal/archives/2014/Volume-6/Pages/The-Core-of-IT-Auditing.aspx

With the advent of the latest wave of information technologies such as big data, social media,
technologies as a service and the cloud in general, it is worth taking the time to revisit the
basics of IT audit. Usually, when such new technologies arise, the issues are the same as
something in the past, and the way to address the emerging technology is to do what IT
auditors always do when faced with challenges of new technologies. We go back to the core of
IT auditing and what IT auditing is all about. It is about identifying risk and the appropriate
controls to mitigate risk to an acceptable level.

1.2. https://www.metricstream.com/solutions/it_audit_management.htm

The IT auditing process is inherently complex as it involves multiple internal and external
stakeholders. Existing audit infrastructure has evolved from the bottom up, leaving most
organizations without a single system of record, and preventing top down visibility and control.
Moreover, companies leveraging outsourced services rely on SAS 70 service auditor reports to
gain an understanding of the IT processes of their service providers.

1.3. http://www.bitpipe.com/tlist/IT-Auditing.html

ALSO CALLED: IT Audits, Information Technology Auditing, Auditing (Systems Operations), Auditing

DEFINITION: Examination and verification that systems are operating in compliance with established policy and operational procedures.

1.4. https://www.itgovernance.co.uk/it_audit

IT Governance is the industry leader for IT governance, risk management, compliance and
information security.

"An information technology (IT) audit or information systems (IS) audit is an examination of the
controls within an entity's information technology infrastructure. These reviews may be
performed in conjunction with a financial statement audit, internal audit, or other form of
attestation engagement."

1.5. https://www.sans.org/curricula/audit

Learn the versatile skills and master the tools and techniques required to perform a
comprehensive IT audit immediately upon returning to work. SANS hands-on IT audit training
courses will deliver the "value-add" organizations are seeking from auditors by providing direct
experience auditing technologies important for all aspects of enterprise IT operations. Our
courses will develop and expand your audit knowledge of security and controls to properly
identify and categorize risks and achieve audit objectives when auditing Applications, Active
Directory, Databases, and Networks.

2. List and explain five Websites you can go to for information about IT security and privacy
issues.

2.1. https://www.google.com/amp/s/www.upwork.com/hiring/development/understanding-it-security-and-network-security/amp/

Network security. Cyber security. Endpoint security. These different, often overlapping arms of
IT security can get confusing. As hackers get smarter, it's increasingly important to know what
each does and how to implement them in your own network.

2.2. https://www.itgovernance.co.uk/what-is-cybersecurity

Cyber security consists of technologies, processes and measures that are designed to protect
systems, networks and data from cyber crimes.

Effective cyber security reduces the risk of a cyber attack and protects entities, organisations
and individuals from the deliberate exploitation of systems, networks and technologies.

2.3. https://privacy.gov.ph/data-privacy-act-primer/

The Data Privacy Act of 2012 is a 21st century law to address 21st century crimes and concerns.
It (1) protects the privacy of individuals while ensuring free flow of information to promote
innovation and growth; (2) regulates the collection, recording, organization, storage, updating or
modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of
personal data; and (3) ensures that the Philippines complies with international standards set for
data protection through the National Privacy Commission (NPC).

2.4. https://www.sans.org/it-security/

Information Technology Security, also known as IT Security, is the process of implementing
measures and systems designed to securely protect and safeguard information (business and
personal data, voice conversations, still images, motion pictures, multimedia presentations,
including those not yet conceived), utilizing various forms of technology developed to create,
store, use and exchange such information, against any unauthorized access, misuse,
malfunction, modification, destruction, or improper disclosure, thereby preserving the value,
confidentiality, integrity, availability, intended use and ability of that information to perform its
permitted critical functions.

2.5. https://www.ischool.utexas.edu/~netsec/overview.html

Information technology security is controlling access to sensitive electronic information so only
those with a legitimate need to access it are allowed to do so. This seemingly simple task has
become a very complex process with systems that need to be continually updated and
processes that need to constantly be reviewed. There are three main objectives for information
technology security: confidentiality, integrity, and availability of data. Confidentiality is
protecting access to sensitive data from those who don't have a legitimate need to use it.
Integrity is ensuring that information is accurate and reliable and cannot be modified in
unexpected ways.

Information technology security is often the challenge of balancing the demands of users versus
the need for data confidentiality and integrity. For example, allowing employees to access a
network from a remote location, like their home or a project site, can increase the value of the
network and efficiency of the employee. Unfortunately, remote access to a network also opens
a number of vulnerabilities and creates difficult security challenges for a network administrator.

3. List and explain five websites you can go to for information about U.S. or world court laws or
court cases involving IT issues.

3.1. https://saylordotorg.github.io/text_law-for-entrepreneurs/s06-01-the-relationship-between-state.html

As state courts are concerned with federal law, so federal courts are often concerned with state
law and with what happens in state courts. Federal courts will consider state-law-based claims
when a case involves claims using both state and federal law. Claims based on federal laws will
permit the federal court to take jurisdiction over the whole case, including any state issues
raised. In those cases, the federal court is said to exercise pendent jurisdiction over the state
claims. Also, the Supreme Court will occasionally take appeals from a state supreme court
where state law raises an important issue of federal law to be decided. For example, a convict
on death row may claim that the state's chosen method of execution using the injection of
drugs is unusually painful and involves cruel and unusual punishment, raising an Eighth
Amendment issue.

3.2. https://www.criminaldefenselawyer.com/crime-penalties/federal/computer-crimes.htm

Computers and the internet have ingrained themselves as such an indelible part of modern
society that it isn't surprising how often they're used to commit crimes. Computer and internet
crimes run the gamut from identity theft to computer fraud and computer hacking. States and
the federal government have laws that criminalize various types of behavior involving
computers, computer systems, and the internet, and each has its own requirements and
potential penalties.

3.3. http://www.chrisstewartlaw.com/computer--internet-law.html

Computer and internet law encompasses multiple issues. Some of those issues include online
contracting, privacy, website development agreements, mail and internet usage policies, and
domain name disputes. Many other types of law fall under the umbrella of computer and
internet law; these are just some of the issues.

3.4. https://www.law.cornell.edu/wex/computer_and_internet_fraud

Fraud through the criminal use of a computer or the internet can take many different forms.
"Hacking" is a common form, in which a perpetrator uses technological tools to remotely access
a protected computer or system. Another common form involves the interception of an
electronic transmission unintended for the interceptor, such as passwords, credit card
information, or other types of identity theft.

3.5. https://www.un.org/development/desa/jpo/international-court-of-justice-icj/


4. You are asked by your IT audit manager to do a background search on IT disaster recovery
planning. List and summarize five Websites where information can be obtained to help you
in your background research.

4.1. https://m.isaca.org

Collaborate, contribute, consume and create knowledge around topics such as business impact
analysis (BIA), business continuity planning (BCP), and disaster recovery planning (DR).

4.2. http://www.cic.gc.ca

The objective of the audit was to provide assurance that information technology (IT)
information and assets are maintained and safeguarded, through an informatics disaster
recovery plan (IDRP), to ensure the continued availability of information technology functions at
Citizenship and Immigration Canada (CIC).

4.3. https://www.ready.gov

An information technology disaster recovery plan (IT DRP) should be developed in conjunction
with the business continuity plan. Priorities and recovery time objectives for information
technology should be developed during the business impact analysis. Technology recovery
strategies should be developed to restore hardware, applications and data in time to meet the
needs of the business recovery.

Businesses large and small create and manage large volumes of electronic information or data.
Much of that data is important. Some data is vital to the survival and continued operation of the
business. The impact of data loss or corruption from hardware failure, human error, hacking or
malware could be significant. A plan for data backup and restoration of electronic information is
essential.

4.4. https://switchon.eaton.com

Use Eaton's disaster recovery checklist to assure your department and company are prepared
for an emergency. Included are specifics on department head onboarding, IT inventory
assessment, network structures and diagrams, data backup procedures and employee
communications. Whether you want to assess your current disaster recovery plan or start a
grassroots recovery proposal, refer to this checklist to discover what's needed to prepare for
and respond to threats.

4.5. http://www.harvardpartners.com

The Disaster Recovery analysis and plan Harvard created for the college met audit requirements
and also became the guideline for improvements to their recovery solutions (i.e., replicated
systems, backup, other colocation and cloud solutions).

5. You are asked by your IT audit manager to obtain studies and articles on conducting
control self-assessment reviews. List five articles or Websites that can provide
such information.

5.1. https://www.pwc.com/th/en/rcs/control-self-assessments.html

To achieve this, organisations need to implement Control Self Assessment (CSA) which is defined
as an effective approach to identifying and managing areas of risk exposure, as well as
highlighting potential opportunities.

CSA provides a framework for helping organisations to manage their risks to achieve their
business objectives. In simple terms, CSA involves a structured approach to documenting
business objectives, risks and controls and having operational management and staff assess the
adequacy of controls.

5.2. https://www.knowledgeleader.com/KnowledgeLeader/Content.nsf/Web+Content/controlselfassessmenttoolsandresources

Control Self Assessment framework, resources, tools and materials designed to help you apply
control self assessment techniques to internal audit and risk management are available with a
subscription to KnowledgeLeader. Self assessment or risk self assessment is a tool for acquiring
information about business process risks, while empowering the process owners to take
responsibility for identifying and mitigating those risks.

5.3. https://www.accountingweb.com/practice/practice-excellence/control-self-assessment-everybody-pitching-in-with-internal-controls

CSA is a management technique that can be used to assure key stakeholders, both internal and
external, that an organization's internal controls system is reliable. CSA is a sustainable process
whereby management validates the operating effectiveness of its internal controls via testing.
That is, each process owner and individual control owner within an organization performs
effectiveness testing to verify that key controls are functioning properly, resulting in the
detection or elimination of material misstatements.

5.4. https://www.workiva.com/blog/4-factors-effective-control-self-assessment-csa-program

The origin of the CSA can be tied back to the Watergate scandal in the early 1970s. Social,
political, and business turbulence necessitated its inception. In 1987, the first application of a
CSA was documented by a Canadian internal audit department that was dissatisfied with the
standard auditing techniques used in response to a consent decree resulting from the scandal.

The Institute of Internal Auditors started sponsoring an annual CSA conference in 1993 and
began offering the Certification in Control Self-Assessment (CCSA) in 1999. Finally, the Sarbanes-
Oxley Act of 2002 solidified the requirement for management's assessment of a company's
internal control system, including the identification of the organization's significant processes
and key controls.

5.5. https://financetrainingcourse.com/education/2015/04/rcsa-risk-control-self-assessment

RCSA (Risk Control Self Assessment) is an empowering method/process by which management
and staff of all levels collectively identify and evaluate risks and associated controls. It is a
technique that adds value by increasing an operating unit's involvement in designing and
maintaining control and risk systems as well as identifying risk exposures and determining
corrective action. It aims to integrate risk management practices and culture into the way staff
undertake their jobs, and business units achieve their objectives.
