Customer Reviews

Core Concepts of Information Technology Auditing

5 star:		(1)
4 star:		(2)
3 star:		(0)
2 star:		(1)
1 star:		(2)

 

 

Although this is a college-level text, it can be effectively used by newly minted IT auditors to quickly learn the key knowledge and skill factors needed to function within their roles.

I like and highly recommend this book because of the emphasis on CObIT (Control Objectives for IT), which is the basis for auditing per the IT Governance Institute, which is, in turn under the aegis of Information Systems Audit and Control Association.

As stated by a previous reviewer, this book is wide in scope. The first three chapters cover the basics in clear prose and sufficient detail to give both students and on-the-job new practitioners all of the information needed to orient themselves in the role of an IT auditor. The emphasis on risk management in different domains is another strong point. The chapters covering risks associated with network and telecommunications, e-business systems, and system deployments are both technically accurate and portray realistic scenarios. Chapters 9 (Conducting the IT Audit), and 10 (Fraud and Forensic Auditing) round out the topic areas, leaving no gaps in the knowledge required to be an IT auditor.

The accompanying CD ROM has a software application to be used in conjunction with Appendix B case study. I did not work the case study, nor did I thoroughly exercise the application, so will refrain from making judgments about the usability or value of the application. The case study, though, was well put together and realistic, making it an ideal adjunct for class exercises, as well as working practicing auditors through real world scenarios.

For those new to IT Auditing in general and CObIT in particular I recommend visiting the following two sites: IT Governance Institute, ASIN B0001F8V14, and Information Systems Audit and Control Association, ASIN B00006BW74. You can paste the ASIN numbers in the Search box, select All Products and click the GO button to reach these sites. Once there you can explore additional material that will augment this book, as well as copies of CObIT, and an 84-page document titled 'IT Control Objectives for Sarbanes-Oxley', which is one of the hottest contemporary topics in IT auditing.

This is an up to date and good textbook on IT auditing. It begins with an overview of IT audit, legal and ethical issues, risks and controls and ends with a chapter on fraud and forensic accounting. What makes this book especially suited for classroom or self-study is the inclusion of discussion questions, exercises, notes and recommended reading lists at the end of every chapter.

The authors cover a wide field but on the same time manage to touch upon all important topics. COBIT, ISACA standards and guidelines are heavily used and referenced throughout the book, providing a good link between study and practice and perhaps making the book one of the preparation resources for the Certified Information Systems Auditor (CISA) examination. The book also includes a CD with ACL software and a sample auditing engagement, which may be useful in some cases, although it does cover only a fraction of knowledge presented in the book.

Overall, this book indeed teaches the core concepts of IT/IS auditing. This book exists in two identical versions: one is for the North American market, another is for all other countries, although the coverage is mostly limited to US and Canadian regulations and practices.

As an example, in the chapter on IT Risks and Controls, the only discussion of data integrity is buried in a few lines in a section entitled Security Risk. The examples in the book are mainly about Security issues. Take the subject of data integrity on file transfers. I believe the only mention of the subject outside of Security concerns is a Figure on the OSI Model (Transport layer alone won't detect if a mixture of old and new files are erroneously transfered to downstreams). There is no mention of detection/recovery of skipping/double-posting transactions, error thresholds, data base consistency on no-posts, restart/retry logic, checking for count and amount mismatches, balancing using checkpoints, etc. An auditor I believe should be aware of these types of issues concerning data integrity even in a core concept book.

Affordable book compared to other IT books, it is well written that provides a comprehensive framework for IT auditing. I especially liked the many Figures/Exhibits that listed Key Risks for the many subjects covered. Working in the SOX compliance area, these risks were a useful summary/checklist to understand what risks should be assessed and managed for SOX compliance. It would not be a detailed book for implementation for an CIO and staff to follow, but for an audit assessment of an IT department, I found useful.

Also, solid instructional material on use of ACL, and of course, the software itself.

This was a book I needed to buy for graduate school, but I would not recommend it for students or professors. Nothing useful was learned and even though the book was considered "new," the material seemed outdated.

I was excited about using the enclosed disk to use ACL (and leading reason I bought the book) and add some practical experience. The book references a Workbook.ACL file that does not exist....very frustraiting. Bottom line, it doesn't work. I tried to find the file at Wiley website and does not exist. I thought I would try to download the Appendix B files and give it another shot....no, they are in Excel and there are no instructions to export into ACL. If you are buying this with the anticipation that you will use ACL, forget it.