Information Technology
Control and Audit
Third Edition
CRC_AU6550_FM.indd i
10/10/2008 12:05:20 PM
OTHER INFORMATION SECURITY BOOKS FROM AUERBACH
Architecting Secure Software Systems
Asoke K. Talukder and Manish Chaitanya
ISBN: 978-1-4200-8784-0
Building an Effective Information
Security Policy Architecture
Sandy Bacik
ISBN: 978-1-4200-5905-2
CISO Soft Skills: Securing Organizations
Impaired by Employee Politics, Apathy,
and Intolerant Perspectives
Ron Collette, Michael Gentile and Skye Gentile
ISBN: 978-1-4200-8910-3
Critical Infrastructure: Understanding Its
Component Parts, Vulnerabilities, Operating
Risks, and Interdependencies
Tyson Macaulay
ISBN: 978-1-4200-6835-1
Cyber Forensics: A Field Manual for
Collecting, Examining, and Preserving
Evidence of Computer Crimes, Second
Edition
Albert Marcella, Jr. and Doug Menendez
ISBN: 978-0-8493-8328-1
Digital Privacy: Theory, Technologies,
and Practices
Alessandro Acquisti, Stefanos Gritzalis, Costas Lambrinoudakis and Sabrina di Vimercati
ISBN: 978-1-4200-5217-6
How to Achieve 27001 Certification: An
Example of Applied Compliance Management
Sigurjon Thor Arnason and Keith D. Willett
ISBN: 978-0-8493-3648-5
How to Complete a Risk Assessment in
5 Days or Less
Thomas R. Peltier
ISBN: 978-1-4200-6275-5
Insider Computer Fraud: An In-depth
Framework for Detecting and Defending
against Insider IT Attacks
Kenneth Brancik
ISBN: 978-1-4200-4659-5
IT Auditing and Sarbanes-Oxley
Compliance: Key Strategies for
Business Improvement
Dimitris N. Chorafas
ISBN: 978-1-4200-8617-1
Malicious Bots: An Inside Look
into the Cyber-Criminal Underground
of the Internet
Ken Dunham and Jim Melnick
ISBN: 978-1-4200-6903-7
Mechanics of User Identification
and Authentication: Fundamentals
of Identity Management
Dobromir Todorov
ISBN: 978-1-4200-5219-0
Oracle Identity Management:
Governance, Risk, and Compliance
Architecture, Third Edition
Marlin B. Pohlman
ISBN: 978-1-4200-7247-1
Profiling Hackers: The Science of
Criminal Profiling as Applied to the
World of Hacking
Silvio Ciappi and Stefania Ducci
ISBN: 978-1-4200-8693-5
Security in an IPv6 Environment
Daniel Minoli and Jake Kouns
ISBN: 978-1-4200-9229-5
Information Assurance Architecture
Keith D. Willett
ISBN: 978-0-8493-8067-9
Security Software Development:
Assessing and Managing Security Risks
Douglas A. Ashbaugh
ISBN: 978-1-4200-6380-6
Information Security Management Handbook,
Sixth Edition
Harold F. Tipton and Micki Krause, Editors
ISBN: 978-0-8493-7495-1
Software Deployment, Updating, and Patching
Bill Stackpole and Patrick Hanrion
ISBN: 978-0-8493-5800-5
Information Technology Control and Audit,
Third Edition
Sandra Senft and Frederick Gallegos
ISBN: 978-1-4200-6550-3
Understanding and Applying
Cryptography and Data Security
Adam J. Elbirt
ISBN: 978-1-4200-6160-4
AUERBACH PUBLICATIONS
www.auerbach-publications.com
Information Technology
Control and Audit
Third Edition
Sandra Senft and Frederick Gallegos
Auerbach Publications
Taylor & Francis Group
6000 Broken Sound Parkway NW, Suite 300
Boca Raton, FL 33487-2742
© 2009 by Taylor & Francis Group, LLC
Auerbach is an imprint of Taylor & Francis Group, an Informa business
No claim to original U.S. Government works
Printed in the United States of America on acid-free paper
10 9 8 7 6 5 4 3 2 1
International Standard Book Number-13: 978-1-4200-6550-3 (Hardcover)
This book contains information obtained from authentic and highly regarded sources. Reasonable efforts have been
made to publish reliable data and information, but the author and publisher cannot assume responsibility for the validity of all materials or the consequences of their use. The authors and publishers have attempted to trace the copyright
holders of all material reproduced in this publication and apologize to copyright holders if permission to publish in this
form has not been obtained. If any copyright material has not been acknowledged please write and let us know so we may
rectify in any future reprint.
Except as permitted under U.S. Copyright Law, no part of this book may be reprinted, reproduced, transmitted, or utilized in any form by any electronic, mechanical, or other means, now known or hereafter invented, including photocopying, microfilming, and recording, or in any information storage or retrieval system, without written permission from the
publishers.
For permission to photocopy or use material electronically from this work, please access www.copyright.com (http://www.copyright.com/) or contact the Copyright Clearance Center, Inc. (CCC), 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400. CCC is a not-for-profit organization that provides licenses and registration for a variety of users. For organizations that have been granted a photocopy license by the CCC, a separate system of payment has been arranged.
Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and are used only for
identification and explanation without intent to infringe.
Visit the Taylor & Francis Web site at
and the Auerbach Web site at
Contents
Preface ..............................................................................................................................xxix
Acknowledgments ............................................................................................................xxxi
Authors .......................................................................................................................... xxxiii
PART I: A FOUNDATION FOR IT AUDIT AND CONTROL
1 Information Technology Environment: Why Are Controls and Audit Important? ...................................................................................................3
IT Today and Tomorrow ................................................................................................... 5
Information Integrity, Reliability, and Validity: Importance in Today’s Global Business Environment .............................................................................................. 6
Control and Audit: A Global Concern ............................................................................... 8
E-Commerce and Electronic Funds Transfer ..................................................................... 9
Future of Electronic Payment Systems ............................................................................... 9
Legal Issues Impacting IT .................................................................................................10
Federal Financial Integrity Legislation ..............................................................................10
Federal Security Legislation ..............................................................................................11
The Computer Fraud and Abuse Act........................................................................11
The Computer Security Act of 1987 ....................................................................... 12
Privacy on the Information Superhighway ....................................................................... 12
Privacy Legislation and the Federal Government Privacy Act .......................................... 13
Electronic Communications Privacy Act .................................................................14
Communications Decency Act of 1995 ...................................................................14
Health Insurance Portability and Accountability Act of 1996 .................................14
Security, Privacy, and Audit ..............................................................................................15
Conclusion ........................................................................................................................16
Review Questions .............................................................................................................18
Multiple Choice Questions ......................................................................................18
Exercises ..................................................................................................................19
Answers to Multiple Choice Questions ....................................................................19
Further Readings ..............................................................................................................19
2 The Legal Environment and Its Impact on Information Technology.........................21
IT Crime Issues ............................................................................................................... 22
Protection against Computer Fraud ................................................................................. 23
The Computer Fraud and Abuse Act ............................................................................... 24
Computer Abuse Amendments Act...................................................................................25
Sarbanes–Oxley Act (Public Law 107-204) ............................................................ 26
Major Points from the Sarbanes–Oxley Act of 2002 ................................... 27
Criminal Intent ........................................................................................... 29
Penalties and Requirements under Title VIII of the Act.............................. 30
Penalties and Requirements under Title IX of the Act................................. 30
Remedies and Effectiveness .............................................................................................. 30
Legislation Providing for Civil and Criminal Penalties .....................................................31
The Computer Security Act of 1987..................................................................................33
The Homeland Security Act of 2002................................................................................ 34
Privacy on the Information Superhighway ........................................................................35
The National Strategy for Securing Cyberspace ............................................................... 36
Methods That Provide for Protection of Information ....................................................... 37
The Web Copyright Law .................................................................................................. 37
Privacy Legislation and the Federal Government Privacy Act .......................................... 38
Electronic Communications Privacy Act ................................................................ 39
Communications Decency Act of 1995 .................................................................. 40
Encrypted Communications Privacy Act of 1996 ................................................... 40
Health Insurance Portability and Accountability Act of 1996 ................................ 40
HIPAA Compliance .....................................................................................41
Risk Assessment and Communications Act of 1997 ................................................41
Gramm–Leach–Bliley Act of 1999 ..........................................................................41
Internet Governance ................................................................................................41
Conclusion ....................................................................................................................... 42
Review Questions ............................................................................................................ 43
Multiple Choice Questions ..................................................................................... 43
Exercises ................................................................................................................. 44
Answers to Multiple Choice Questions ....................................................................45
Notes ................................................................................................................................45
Further Readings ..............................................................................................................45
Other Internet Sites ......................................................................................................... 46
3 Audit and Review: Its Role in Information Technology.............................................47
The Situation and the Problem .........................................................................................47
Audit Standards ............................................................................................................... 48
Similarities ..............................................................................................................49
Differences.............................................................................................................. 49
The Importance of Audit Independence ........................................................................... 49
Past and Current Accounting and Auditing Pronouncements .......................................... 50
AICPA Pronouncements: From the Beginning to Now.................................................... 50
Other Standards ...............................................................................................................52
Financial Auditing ............................................................................................................53
Generally Accepted Accounting Principles....................................................................... 54
Generally Accepted Auditing Standards .......................................................................... 54
IT Auditing: What Is It? .................................................................................................. 54
The Need for the IT Audit Function .................................................................................55
Auditors Have Standards of Practice ................................................................................ 57
Auditors Must Have Independence .................................................................................. 57
High Ethical Standards ................................................................................................... 58
The Auditor: Knowledge, Skills, and Abilities...................................................................59
Broadest Experiences ....................................................................................................... 60
Supplemental Skills .......................................................................................................... 62
Trial and Error ................................................................................................................. 63
Role of the IT Auditor ..................................................................................................... 63
IT Auditor as Counselor .................................................................................................. 64
IT Auditor as Partner of Senior Management .................................................................. 64
IT Auditor as Investigator .................................................................................................65
Types of Auditors and Their Duties, Functions, and Responsibilities ............................... 66
The Internal Audit Function ................................................................................... 66
The External Auditor ...............................................................................................67
Legal Implications ........................................................................................................... 68
Conclusion ....................................................................................................................... 68
Review Questions ............................................................................................................ 69
Multiple Choice Questions ..................................................................................... 69
Exercises ................................................................................................................. 70
Answers to Multiple Choice Questions ................................................................... 71
Notes ............................................................................................................................... 71
Further Readings ............................................................................................................. 71
4 The Audit Process in an Information Technology Environment ................................75
Audit Universe ................................................................................................................. 75
Risk Assessment ................................................................................................................76
Audit Plan........................................................................................................................ 77
Developing an Audit Schedule ......................................................................................... 78
Audit Budget ................................................................................................................... 78
Budget Coordination .............................................................................................. 79
Audit Preparation ................................................................................................... 79
Audit Scope Objectives ........................................................................................... 79
Objective and Context ..................................................................................................... 79
Using the Plan to Identify Problems ................................................................................ 80
The Audit Process .............................................................................................................81
Preliminary Review ..........................................................................................................81
General Data Gathering ......................................................................................... 83
Fact Gathering ........................................................................................................ 84
Preliminary Evaluation of Internal Controls .................................................................... 84
Design Audit Procedures ................................................................................................. 84
Types of IT Audits .................................................................................................. 84
Reviewing Information System Policies, Procedures, and Standards ....................... 84
IT Audit Support of Financial Audits ......................................................................85
Identifying Financial Application Areas ..................................................................85
Auditing Financial Applications ..............................................................................85
Management of IT and Enterprise Architecture ..................................................... 86
Computerized Systems and Applications ................................................................ 86
Information Processing Facilities ............................................................................ 86
Systems Development ............................................................................................. 87
Client/Server, Telecommunications, Intranets, and Extranets ................................ 87
Fieldwork and Implementing Audit Methodology ........................................................... 87
Test Controls .......................................................................................................... 88
Final Evaluation of Internal Controls ..................................................................... 88
Validation of Work Performed ......................................................................................... 88
Substantive Testing .......................................................................................................... 89
Documenting Results ...................................................................................................... 90
Audit Findings ........................................................................................................ 90
Analysis .................................................................................................................. 90
Reexamination.........................................................................................................91
Standards .....................................................................................................91
Facts .............................................................................................................91
Verification ............................................................................................................. 92
Cause ...................................................................................................................... 92
Exposure and Materiality........................................................................................ 92
Conclusions ............................................................................................................ 93
Recommendations .................................................................................................. 93
Working Papers ...................................................................................................... 93
Audit Report........................................................................................................... 94
Follow Up of Audit Recommendations ................................................................... 94
Communication Strategy ................................................................................................. 94
Conclusion ....................................................................................................................... 97
Review Questions ............................................................................................................ 98
Multiple Choice Questions ..................................................................................... 98
Exercises ................................................................................................................. 99
Answers to Multiple Choice Questions ................................................................... 99
Further Readings ........................................................................................................... 100
5 Auditing Information Technology Using Computer-Assisted Audit Tools and Techniques.........................................................................................................101
Auditor Productivity Tools..............................................................................................102
Audit Planning and Tracking ................................................................................102
Documentation and Presentations .........................................................................103
Communication ....................................................................................................103
Data Management .................................................................................................103
Resource Management...........................................................................................104
Groupware .............................................................................................................104
Using Computer-Assisted Audit Tools in the Audit Process ............................................104
Items of Audit Interest ...........................................................................................106
Audit Mathematics ................................................................................................106
Data Analysis.........................................................................................................106
Flowcharting Techniques ................................................................................................107
Flowcharting as an Analysis Tool ....................................................................................109
Understanding How Computers Process Data .......................................................110
Identifying Documents and Their Flow through the System .................................110
Defining Critical Data ........................................................................................... 111
Developing Audit Data Flow Diagrams .................................................................112
Evaluating the Quality of System Documentation.................................................112
Assessing Controls over Documents ......................................................................112
Determining the Effectiveness of Processing under Computer Programs ...............113
Evaluating the Usefulness of Reports .....................................................................113
Appropriateness of Flowcharting Techniques ..................................................................113
Sampling ...............................................................................................................114
Random Attribute Sampling ...................................................................... 115
Variable Sampling Techniques....................................................................116
System Validation.......................................................................................116
Computer-Assisted Audit Tools and Techniques for Application Reviews.......................116
Generalized Audit Software ...................................................................................116
Application Testing................................................................................................117
Designing Tests of Controls...................................................................................117
Data Analysis.........................................................................................................118
Compliance Testing ...............................................................................................118
Application Controls .............................................................................................118
Spreadsheet Controls ..................................................................................118
Database Controls ...................................................................................... 119
Computer-Assisted Audit Tools and Techniques for Operational Reviews ......................119
Webmetrics ....................................................................................................................123
Webmetrics as an Audit Tool ......................................................................................... 124
Computer Forensics ........................................................................................................125
Conclusion ......................................................................................................................125
Review Questions ...........................................................................................................125
Multiple Choice Questions ................................................................................... 126
Exercises ............................................................................................................... 127
Answers to Multiple Choice Questions ................................................................. 127
Further Readings ........................................................................................................... 127
6 Managing IT Audit ..................................................................................................129
IT Auditor Career Development and Planning ...............................................................129
Establishing a Career Development Plan ....................................................................... 130
Career Path Planning Needs Management Support .............................................. 130
Knowledge, Skills, and Abilities ............................................................................131
Performance Assessment ........................................................................................132
Performance Counseling/Feedback........................................................................133
Training .................................................................................................................133
Professional Development ..................................................................................... 134
Evaluating IT Audit Quality.......................................................................................... 136
Terms of Assessment .......................................................................................................137
The IT Audit and Auditor Assessment Form ...................................................................137
Criteria for Assessing the Audit .......................................................................................141
Criteria for Assessing the Auditor ...................................................................................141
Applying the Concept .....................................................................................................142
Evaluation of IT Audit Performance ...............................................................................142
What Is a Best Practice? ..................................................................................................143
Why Is It Important to Learn about Best Practices? ..............................................143
Overview of Best Practices in IT Audit Planning ..................................................143
Research ................................................................................................................144
Benchmarking .......................................................................................................145
Planning Memo .....................................................................................................145
Budget Coordination .............................................................................................146
Risk Analysis .........................................................................................................146
Kick-Off Meeting ..................................................................................................148
Staff Mentoring .....................................................................................................148
Coaching ...............................................................................................................148
Lunch Meetings.....................................................................................................149
Understand Requirements .....................................................................................149
Conclusion ......................................................................................................................149
Review Questions ...........................................................................................................150
Multiple Choice Questions .................................................................................... 151
Exercises ................................................................................................................152
Answers to Multiple Choice Questions ..................................................................152
Further Readings ............................................................................................................152
7 IT Auditing in the New Millennium ........................................................................155
IT Auditing Trends .........................................................................................................156
The New Dimension: Information Assurance .................................................................158
IT Audit: The Profession .................................................................................................159
A Common Body of Knowledge .....................................................................................159
Certification ...................................................................................................................159
Continuing Education ....................................................................................................160
A Code of Ethics and Professional Standards ..................................................................160
Educational Curricula.....................................................................................................160
New Trends in Developing IT Auditors and Education ..................................................162
Career Opportunities in the Twenty-First Century.........................................................169
Public Accounting ..........................................................................................................169
Private Industry ..............................................................................................................169
Management Consulting ................................................................................................170
Government ....................................................................................................................170
The Role of the IT Auditor in IT Governance ................................................................170
The IT Auditor as Counselor ..........................................................................................172
The IT Auditor as Partner of Senior Management ..........................................................172
Educating the Next Generation on IT Audit and Control Opportunities ........................172
Conclusion ......................................................................................................................173
Review Questions ...........................................................................................................173
Multiple Choice Questions ....................................................................................174
Exercises ...............................................................................................................175
Answers to Multiple Choice Questions ..................................................................175
Further Readings ............................................................................................................175
PART II:
AUDITING IT PLANNING AND ORGANIZATION
Chapters 8 through 12 ....................................................................................................177
8 IT Governance ..........................................................................................................181
IT Processes ....................................................................................................................182
Enterprise Risk Management ..........................................................................................183
What Is Enterprise Risk Management? ..................................................................184
Enterprise Risk Management .................................................................................184
Organizational Oversight ...........................................................................184
Magnitude of Problem ...............................................................................186
Increasing Business Risks ...........................................................................186
Regulatory Issues........................................................................................186
Market Factors ...........................................................................................188
Corporate Governance ...............................................................................188
Best Practice ...............................................................................................189
Future of Enterprise Risk Management .................................................................189
Regulatory Compliance and Internal Controls ...............................................................191
Performance Measurement .............................................................................................191
Balanced Scorecard ................................................................................................192
Metrics and Management ...............................................................................................192
Metric Reporting ............................................................................................................195
Management Responsibilities Today ...............................................................................196
Independent Assurance ...................................................................................................196
Conclusion ......................................................................................................................197
Review Questions ...........................................................................................................198
Multiple Choice Questions ....................................................................................198
Exercises ................................................................................................................199
Answers to Multiple Choice Questions ..................................................................199
Notes ..............................................................................................................................199
Further Readings ........................................................................................................... 200
9 Strategy and Standards ............................................................................................203
IT Processes ................................................................................................................... 203
Strategic Planning .......................................................................................................... 204
IT Steering Committee .................................................................................................. 205
Communication ................................................................................................... 206
Operational Planning ........................................................................................... 206
Portfolio Management ................................................................................................... 207
Demand Management ................................................................................................... 207
Project Initiation ............................................................................................................ 208
Technical Review ........................................................................................................... 208
Architecture and Standards............................................................................................ 209
Enterprise Architecture ......................................................................................... 209
Business Architecture.............................................................................................211
Application Architecture........................................................................................211
Information Architecture .......................................................................................212
Infrastructure Architecture ....................................................................................212
The Architecture Function .....................................................................................212
Technology Standards ...........................................................................................213
An Example of Standards: Technology Risk Management Regulations ..........................213
Where Does Technology Risk Management Belong? ......................................................214
The Strategy: An Effective Technology Risk Management Program ...............................215
Example: Importance of Business Strategy in Customer Relationship Management ......217
Focus on Technology .............................................................................................217
Resistance to Change .............................................................................................218
Barriers to User Adoption ......................................................................................219
Participation in IT Audit Planning .................................................................................221
Conclusion ..................................................................................................................... 222
Review Questions .......................................................................................................... 223
Multiple Choice Questions ................................................................................... 223
Exercises ............................................................................................................... 224
Answers to Multiple Choice Questions ................................................................. 224
Further Readings ........................................................................................................... 224
10 Risk Management.....................................................................................................227
IT Processes ................................................................................................................... 227
Risk Assessment ............................................................................................................. 227
Three Perspectives on Risk .................................................................................... 228
The Guardians........................................................................................... 229
The Gatekeepers ........................................................................................ 229
Application of Risk Assessment ............................................................................ 230
Risk Management................................................................................................. 230
Determination of Objectives..................................................................................231
IT Risk Identification ............................................................................................231
IT Risk Assessment Tools and Techniques............................................................ 232
IT Risk Evaluation ............................................................................................... 232
IT Risk Management.............................................................................................233
IT Insurance Risk ...........................................................................................................235
Problems Addressed ...............................................................................................235
Insurance Requirements ........................................................................................235
How to Determine IT Insurance Coverage .................................................................... 237
Reduction and Retention of Risks ........................................................................ 238
Available Guidance ........................................................................................................ 239
U.S. National Institute of Standards and Technology ........................................... 240
Government Accountability Office ....................................................................... 240
American Institute of Certified Public Accountants ............................................. 244
Information Systems Audit and Control Association ............................................ 244
Institute of Internal Auditors .................................................................................245
Committee of Sponsoring Organizations of the Treadway Commission ...................245
Conclusion ..................................................................................................................... 246
Review Questions .......................................................................................................... 246
Multiple Choice Questions ................................................................................... 246
Exercises ................................................................................................................247
Answers to Multiple Choice Questions ................................................................. 248
Further Readings ........................................................................................................... 248
11 Process and Quality Management............................................................................251
IT Processes ....................................................................................................................252
Organizational Structure .......................................................................................252
Centralized .................................................................................................253
Decentralized .............................................................................................253
Combination of Centralized and Decentralized .........................................253
Shared Services...........................................................................................253
Coordinating Management ....................................................................... 254
Roles and Responsibilities .............................................................................................. 254
IT Management Responsibilities .......................................................................... 254
User Management Responsibilities ....................................................................... 254
Separation of Duties .......................................................................................................255
Resource Management....................................................................................................255
Manage Quality..............................................................................................................256
Quality Management Standards .....................................................................................257
Capability Maturity Model Integration .................................................................258
Software Engineering Institute ..............................................................................259
How Maturity Correlates to Quality ..............................................................................259
International Standards Organization 9000 ..........................................................259
ISO 9000 .................................................................................................. 263
Getting Started: ISO 9000........................................................................ 263
Principal Themes of an ISO 9000 Review ............................................................ 264
IT Process Framework ....................................................................................................265
Policies and Procedures ..........................................................................................265
Comparing Processes and Procedures ................................................................... 266
Auditing Policies and Procedures ................................................................................... 267
Conclusion ..................................................................................................................... 268
Review Questions .......................................................................................................... 268
Multiple Choice Questions ................................................................................... 268
Exercises ................................................................................................................270
Answers to Multiple Choice Questions ..................................................................270
Notes ..............................................................................................................................270
Further Readings ............................................................................................................270
12 Financial Management .............................................................................................273
IT Processes ................................................................................................................... 273
Financial Management Framework ................................................................................274
Investment Approval Process ..........................................................................................274
Project Pricing ................................................................................................................275
Realizing the Benefits from IT Investments ....................................................................276
Financial Planning ..........................................................................................................276
Operating Budget ................................................................................................. 277
Capital Budget...................................................................................................... 277
Track against Budget ............................................................................................ 278
Identify and Allocate Costs............................................................................................ 278
Developing a Pricing Model ................................................................................. 279
Transfer Pricing ..............................................................................................................281
Determining Charging Method ......................................................................................281
Direct-Charge Method ......................................................................................... 282
Indirect-Charge Method....................................................................................... 282
Allocations under Indirect-Charge Method .......................................................... 282
Determining Arm’s Length Price .......................................................................... 282
Cost Contribution Arrangements ......................................................................... 282
Structure of U.S. Guidance............................................................................................ 283
Pricing of Services ................................................................................................ 283
Benefit Test ........................................................................................................... 283
Integral Services and Nonintegral Services ........................................................... 283
Determining the Pricing for Integral Services ....................................................... 284
Determining the Pricing for Nonintegral Services ................................................ 284
Documentation Requirements .............................................................................. 285
Implementing a Pricing Model ............................................................................. 285
Maintaining a Pricing Model................................................................................ 286
Measuring Consumption ...................................................................................... 287
IT Asset Management.................................................................................................... 287
Benefits of IT Asset Management ......................................................................... 288
Tools ..................................................................................................................... 289
Understanding and Managing Costs .................................................................... 289
Refreshing Technology ......................................................................................... 290
Standardizing Technology .................................................................................... 290
Consolidating Infrastructure ................................................................................ 290
Managing Demand and Service Levels ..................................................................291
Standardizing Governance and Processes .............................................................291
Conclusion ......................................................................................................................291
Review Questions .......................................................................................................... 292
Multiple Choice Questions ................................................................................... 292
Exercises ................................................................................................................293
Answers to Multiple Choice Questions ..................................................................293
Further Readings ........................................................................................................... 294
PART III
IT ACQUISITION AND IMPLEMENTATION
Chapters 13 through 17 ................................................................................................. 297
13 IT Project Management............................................................................................301
IT Processes ................................................................................................................... 302
Program Management .......................................................................................... 302
Program Management versus Project Management .............................................. 302
Project Management ............................................................................................ 303
Project Management Body of Knowledge ...................................................................... 304
Project Management Framework .......................................................................... 304
Project Management ............................................................................................. 305
Resource Management.......................................................................................... 305
Project Planning ................................................................................................... 306
Project Tracking and Oversight ............................................................................ 307
Project Management Tools ................................................................................... 307
The Auditor’s Role in the Project Management Process.................................................. 309
Audit Risk Assessment ...........................................................................................312
Audit Plan .............................................................................................................312
Project Management Process Review .....................................................................312
Project Management ..............................................................................................313
Communication ....................................................................................................314
Recommendations ..........................................................................................................314
Example of Project Management Checkpoints and Tools in a Telecom Project ..............314
Combating User Resistance to Telecommunications Project Implementation: Involve the User ......... 315
Project Management Tools: Project Management Software ...................................316
The Importance of Project Planning and Control in the Systems Development Life Cycle ..........318
Conclusion ......................................................................................................................319
Audit Involvement in Planning and Analysis ........................................................ 320
Conception of the Plan ......................................................................................... 320
Project Organization..............................................................................................321
Conclusion ......................................................................................................................321
Review Questions .......................................................................................................... 322
Multiple Choice Questions ................................................................................... 322
Exercises ............................................................................................................... 323
Answers to Multiple Choice Questions ................................................................. 323
Further Readings ........................................................................................................... 323
14 Software Development and Implementation............................................................325
IT Processes ....................................................................................................................325
Approaches to Software Development ............................................................................325
Software Development Process .......................................................................................327
Prototypes and Rapid Application Development ............................................................327
End-User Development...................................................................................................327
Traditional Information Software Development ............................................................ 328
Software Development Phases ...............................................................................329
Analysis...................................................................................................... 330
Design........................................................................................................ 330
Construction .............................................................................................330
Testing........................................................................................................ 330
System Documentation ..............................................................................331
Implementation ..........................................................................................332
The System Implementation Process ...............................................................................333
Implementation Approach .................................................................................... 334
System Testing ...................................................................................................... 334
User Processes and Procedures .............................................................................. 334
Management Reports and Controls .......................................................................335
Problem Management/Reporting ..........................................................................335
User Acceptance Testing ........................................................................................335
Acceptance Team ...................................................................................... 336
Agreed-Upon Requirements ...................................................................... 336
Management Approval .............................................................................. 336
Help Desk and Production Support Training and Readiness ......................................... 336
Data Conversion and Data Correction Processes ...................................................337
Operational Procedures and Readiness ..................................................................337
IT Disaster/Continuity Plans.................................................................................338
Security .................................................................................................................338
The Auditor’s Role in the Development Process ..............................................................339
Risk Assessment ............................................................................................................. 340
Audit Plan...................................................................................................................... 341
Software Development Controls Review........................................................................ 341
Software Development Life Cycle .................................................................................. 342
Analysis ................................................................................................................ 342
Design................................................................................................................... 342
Construction ........................................................................................................ 343
Testing ..................................................................................................................343
Documentation .................................................................................................... 343
Implementation .................................................................................................... 343
Postimplementation ..............................................................................................344
Change Control .................................................................................................... 344
Application Controls ............................................................................................ 344
Communication ................................................................................................... 344
Recommendations ................................................................................................344
Audit Report..........................................................................................................345
Conclusion ......................................................................................................................345
Review Questions .......................................................................................................... 346
Multiple Choice Questions ................................................................................... 346
Exercises ............................................................................................................... 348
Answers to Multiple Choice Questions ................................................................. 348
Further Readings ........................................................................................................... 348
15 IT Sourcing ..............................................................................................................351
IT Processes ....................................................................................................................351
Sourcing Strategy ............................................................................................................351
Software Acquisition Process ..........................................................................................352
Defining the Information and System Requirements .............................................353
Prototypes and Rapid Application Development ............................................................353
The Requirements Document .........................................................................................354
Identifying Various Alternatives ............................................................................354
Off-the-Shelf Solutions ...................................................................................................354
Purchased Package ..........................................................................................................355
Contracted Development ................................................................................................355
Outsourcing a System from Another Organization .........................................................355
Performing a Feasibility Analysis ...........................................................................356
Conducting a Risk Analysis ...................................................................................356
Defining Ergonomic Requirements .......................................................................357
Carrying Out the Selection Process .......................................................................357
Request for Information..................................................................................................357
Request for Bid ...............................................................................................................357
Request for Proposal .......................................................................................................357
Evaluating Proposals .......................................................................................................358
Procurement and Supplier Management .........................................................................359
Procuring the Selected Software ............................................................................359
Other Considerations for Software Contracts and Licenses ...................................361
Completing Final Acceptance ................................................................................361
IT Contract Issues ......................................................................................................... 362
Strategic Sourcing and Supplier Management ................................................................ 364
Audit Involvement .................................................................................................365
Auditing Software Acquisitions ......................................................................................365
Alignment with the Company’s Business and IT Strategy .................................... 366
Definition of the Information Requirements ........................................................ 366
Prototypes ...................................................................................................................... 366
Feasibility Studies (Cost, Benefits, Etc.) ................................................................ 366
Identification of Functionality, Operational, Acceptance, and Maintenance Requirements .............................................................................................367
Conformity with Existing Information and System Architectures .........................367
Adherence to Security and Control Requirements ................................................ 368
Knowledge of Available Solutions ......................................................................... 368
Understanding of the Related Acquisition and Implementation Methodologies ..... 368
Involvement and Buy-In from the User................................................................. 369
Supplier Requirements and Viability .................................................................... 369
Audit Involvement ................................................................................................ 369
Other Resources for Help and Assistance .......................................................................370
Conclusion ......................................................................................................................370
Review Questions ...........................................................................................................371
Multiple Choice Questions ................................................................................... 372
Exercises ................................................................................................................373
Answers to Multiple Choice Questions ..................................................................373
Further Readings ............................................................................................................373
16 Application Controls and Maintenance ...................................................................375
IT Processes ....................................................................................................................375
Application Risks ............................................................................................................375
Weak Security........................................................................................................376
Unauthorized Access or Changes to Data or Programs ......................................... 377
Unauthorized Remote Access ............................................................................... 377
Inaccurate Information ......................................................................................... 377
Erroneous or Falsified Data Input ......................................................................... 377
Misuse by Authorized End Users ...........................................................................378
Incomplete Processing ...........................................................................................378
Duplicate Transaction Processing ..........................................................................378
Untimely Processing ..............................................................................................378
Communications System Failure ...........................................................................378
Inadequate Testing ................................................................................................378
Inadequate Training ..............................................................................................378
Inadequate Support ...............................................................................................379
Insufficient Documentation ...................................................................................379
End-User Computing Application Risks .........................................................................379
Inefficient Use of Resources .................................................................................. 380
Incompatible Systems ............................................................................................381
Redundant Systems ...............................................................................................381
Ineffective Implementations ...................................................................................381
Absence of Segregation of Duties .......................................................................... 382
Incomplete System Analysis .................................................................................. 382
Unauthorized Access to Data or Programs............................................................ 382
Copyright Violations ............................................................................................ 382
The Destruction of Information by Computer Viruses ......................................... 383
Electronic Data Interchange Application Risks .............................................................. 384
Implications of Risks in an Electronic Data Interchange System ...........................385
Application Controls...................................................................................................... 386
Input Controls ...................................................................................................... 386
User Interface ....................................................................................................... 387
Interfaces .............................................................................................................. 387
Authenticity ..........................................................................................................387
Accuracy ...............................................................................................................387
Processing Controls .............................................................................................. 388
Completeness ........................................................................................................388
Error Correction ................................................................................................... 390
Output Controls ................................................................................................... 390
Reconciliation .......................................................................................................390
Distribution ...........................................................................................................391
Retention ...............................................................................................................391
Functional Testing and Acceptance Testing...........................................................391
Management Approval ..........................................................................................391
Documentation Requirements ....................................................................................... 392
Application Software Life Cycle..................................................................................... 392
Application Maintenance ............................................................................................... 392
Application Maintenance: Defined ....................................................................... 392
Corrective Maintenance..................................................................................................393
Adaptive Maintenance ....................................................................................................393
Perfective Maintenance ...................................................................................................393
Measuring Risk for Application Maintenance ...................................................... 394
Audit Involvement ................................................................................................ 394
Conclusion ..................................................................................................................... 394
Review Questions ...........................................................................................................395
Multiple Choice Questions ................................................................................... 396
Exercises ............................................................................................................... 397
Answers to Multiple Choice Questions ................................................................. 397
Further Readings ........................................................................................................... 398
17 Change Management................................................................................................399
IT Processes ................................................................................................................... 399
Change Control ............................................................................................................. 399
Points of Change Origination and Initiation ........................................................ 402
Approval Points .................................................................................................... 403
Changes to Documentation .................................................................................. 404
Review Points ....................................................................................................... 404
Vulnerabilities in Software Development and Change Control...................................... 405
Software Configuration Management............................................................................ 406
IT Change Management................................................................................................ 408
Change Management System ......................................................................................... 408
Change Request Process ................................................................................................ 408
Impact Assessment ..........................................................................................................410
Controls over Changes ....................................................................................................411
Emergency Change Process ............................................................................................411
Revisions to Documentation and Procedures ..................................................................411
Authorized Maintenance ................................................................................................412
Software Release Policy...................................................................................................412
Software Distribution Process .........................................................................................412
Change Management Example .......................................................................................413
Objectives ..............................................................................................................413
Scope .....................................................................................................................414
Change Management Boards or Committees ........................................................414
Criteria for Approving Changes .............................................................................415
Postimplementation ...............................................................................................416
Organizational Change Management .............................................................................416
Organizational Culture Defined .....................................................................................416
Managing Organizational Change ........................................................................417
Audit Involvement ..........................................................................................................418
Conclusion ......................................................................................................................419
Review Questions .......................................................................................................... 420
Multiple Choice Questions ................................................................................... 420
Exercises ................................................................................................................421
Answers to Multiple Choice Questions ................................................................. 422
Further Readings ........................................................................................................... 422
PART IV: IT DELIVERY AND SUPPORT
COBIT Operational Controls ......................................................................................... 425
Comparing COBIT and General Controls for Operational Auditing ..................... 425
Chapters 18 through 22 ................................................................................................. 425
18 Service Management ................................................................................................429
Introduction .................................................................................................................. 429
IT Processes ................................................................................................................... 429
Information Technology Infrastructure Library ............................................................ 429
Implementing IT Service Management...........................................................................431
Review Services and Requirements .................................................................................431
Define IT Services ......................................................................................................... 432
Service-Level Agreements .............................................................................................. 432
Types of Service-Level Agreements ....................................................................... 433
Customer Service-Level Agreement ...................................................................... 433
Operating-Level Agreement .................................................................................. 433
Supplier Service-Level Agreements ....................................................................... 434
Service Design and Pricing ............................................................................................ 434
Processes to Engage Services .......................................................................................... 436
Roles and Responsibilities .............................................................................................. 436
IT Roles and Responsibilities ................................................................................ 436
Relationship Management ............................................................................................. 436
Service Management ...................................................................................................... 437
Financial Management .................................................................................................. 437
Supplier Management .................................................................................................... 437
Service Delivery ............................................................................................................. 437
Change Management..................................................................................................... 438
Problem Management .................................................................................................... 438
Service Desk .................................................................................................................. 438
Security Administration................................................................................................. 439
Customer Roles and Responsibilities .................................................................... 439
Communication ............................................................................................................ 439
Service Delivery and Monitoring ................................................................................... 439
Service Measurement ............................................................................................ 440
What to Measure .................................................................................................. 440
How to Measure ................................................................................................... 441
Service Management Tools ............................................................................................ 442
Customer Satisfaction Surveys ....................................................................................... 442
Benchmarking ............................................................................................................... 443
Ongoing Service Management ....................................................................................... 443
Service Management of Third Parties ............................................................................ 444
Evolution of Standards ................................................................................................... 445
Conclusion ..................................................................................................................... 446
Review Questions .......................................................................................................... 446
Multiple Choice Questions ................................................................................... 446
Exercises ............................................................................................................... 447
Answers to Multiple Choice Questions ................................................................. 447
Further Readings ........................................................................................................... 448
19 Service Desk and Problem Management ..................................................................449
IT Processes ................................................................................................................... 449
Training ..........................................................................................................................450
Service Desk ...................................................................................................................451
Support Structures .................................................................................................452
Outsourcing ..........................................................................................................452
Knowledge Management .......................................................................................453
Reporting ..............................................................................................................453
Tools ......................................................................................................................453
Auditing the Service Desk ..............................................................................................454
Developing Audit Software in the Service Desk..............................................................454
The System Development Life Cycle ......................................................................455
Data Integrity ........................................................................................................457
Data Security .........................................................................................................457
Physical Security and Recovery Procedures............................................................458
Computer Resources ..............................................................................................458
Department Standards...........................................................................................458
Incident and Problem Management ................................................................................458
Incident Management ............................................................................................458
Problem Management............................................................................................459
Roles and Responsibility .......................................................................................459
Procedures .............................................................................................................459
Problem Severity ................................................................................................... 460
Problem Escalation .............................................................................................. 460
Root Cause Analysis ............................................................................................. 460
Service Improvement Programs ............................................................................ 460
Tools ......................................................................................................................461
Problem Reporting ................................................................................................461
Case Example: Acme Computing Services Business Overview and Profile..................... 462
Purpose .................................................................................................................462
Scope..................................................................................................................... 462
Objectives .............................................................................................................462
Key Success Factors .............................................................................................. 463
Conclusion ..................................................................................................................... 463
Review Questions .......................................................................................................... 464
Multiple Choice Questions ................................................................................... 464
Exercises ................................................................................................................465
Answers to Multiple Choice Questions ..................................................................465
Further Readings ............................................................................................................465
20 Security and Service Continuity ..............................................................................467
IT Processes ................................................................................................................... 468
Information Systems Security ........................................................................................ 468
Security Threats and Risks ............................................................................................. 469
Security Standards ..........................................................................................................472
International Organization for Standardization and ISO 17799 ............................473
National Institute of Standards and Technology....................................................473
Information Security Controls ........................................................................................474
Security Architecture .............................................................................................475
Information Security Policy ...................................................................................475
Roles and Responsibilities ......................................................................................476
Information Owners Responsibilities ..............................................................................476
Information Custodian Responsibilities ..........................................................................476
User Responsibilities ...................................................................................................... 477
Third-Party Responsibilities ........................................................................................... 477
Information Classification Designations ........................................................................ 477
Vulnerability Management ....................................................................................478
Threat Management ..............................................................................................478
Trust Management ...............................................................................................478
Identity Management ............................................................................................479
Security Monitoring ............................................................................................. 480
Incident Management ........................................................................................... 480
Contingency and Disaster Recovery Planning ............................................................... 480
Risk Assessment/Priorities .................................................................................... 482
Planning/Testing/Maintenance ............................................................................ 482
Disaster Recovery Planning Steps ......................................................................... 482
Written Disaster Recovery Plan ..................................................................................... 483
Mission Statement for Disaster Recovery Plan ............................................................... 483
Disaster Recovery Plan Tests and Drill .......................................................................... 483
Conclusion ..................................................................................................................... 484
Review Questions .......................................................................................................... 484
Multiple Choice Questions ................................................................................... 484
Exercises ............................................................................................................... 486
Answers to Multiple Choice Questions ................................................................. 486
Further Readings ........................................................................................................... 486
21 System Management.................................................................................................489
IT Processes ................................................................................................................... 490
Systems Software ........................................................................................................... 490
Label Checking .............................................................................................................. 490
Library Protection ...........................................................................................................491
Memory Protection .........................................................................................................491
Systems Maintenance......................................................................................................491
Definition of Systems Maintenance ................................................................................491
Reviewing Operating Systems.........................................................................................492
Types and Uses of System Software .......................................................................493
Reliance on Systems Software ........................................................................................ 494
Controlling Access to Systems Software..........................................................................495
Controlling Changes to System Software....................................................................... 496
Open Systems ................................................................................................................ 496
Open System Standards ........................................................................................ 497
Open Systems Interconnection ............................................................................. 498
The Seven Layers of the OSI Model ...................................................................... 498
Distributed Computing Environment .................................................................. 498
Administration ..................................................................................................... 499
Software ............................................................................................................... 500
Middleware .......................................................................................................... 500
Future Considerations .......................................................................................... 500
Database Technology ......................................................................................................501
Hierarchical Data Model .......................................................................................501
Network Data Model............................................................................................ 502
Relational Data Model ......................................................................................... 502
Object-Oriented Model ........................................................................................ 502
Combining Technologies ...................................................................................... 502
Distributed Databases........................................................................................... 503
Auditing Database Management Systems Recovery ....................................................... 503
Importance of Database Management Systems Recovery............................................... 503
The Recovery Process ............................................................................................ 504
Transaction Properties .......................................................................................... 504
Causes of Database Management Systems Failure ................................................ 505
Database Users ..................................................................................................... 506
Database Administrator ........................................................................................ 506
Applications and Systems Programmers ......................................................................... 506
Web Designers and Developers ...................................................................................... 507
End Users ...................................................................................................................... 507
Conclusion ..................................................................................................................... 507
Review Questions .......................................................................................................... 508
Multiple Choice Questions ................................................................................... 508
Exercises ............................................................................................................... 509
Answers to Multiple Choice Questions ..................................................................510
Further Readings ............................................................................................................510
22 Operations Management .......................................................................................... 511
IT Processes ....................................................................................................................512
Operational Maturity .....................................................................................................512
Operating Policy and Procedures ....................................................................................512
Datafiles and Program Controls......................................................................................513
Physical Security and Access Controls ............................................................................514
Environmental Controls ................................................................................................. 515
Output Controls .............................................................................................................517
Data Communications Controls .....................................................................................517
Data Center Reviews ......................................................................................................518
Data Center Audit Program ............................................................................................519
Administration of IT Activities..............................................................................519
Audit Steps .................................................................................................519
Operating Systems Software and Data...................................................................520
Audit Steps ................................................................................................520
Computer Operations/Business Resumption .........................................................520
Audit Steps ................................................................................................520
Security Administration ........................................................................................520
Audit Steps ................................................................................................520
Software and Data Security Controls..............................................................................521
Physical and Environmental Controls Management .......................................................521
Data Access Management ...............................................................................................521
Policy and Procedures Documentation ...........................................................................521
Data and Software Backup Management ........................................................................522
Other Management Controls ..........................................................................................522
End-User Computing .....................................................................................................522
Auditing End-User Computing .............................................................................522
Preliminary Audit Planning...................................................................................523
Defining the Audit Methodology ..........................................................................523
Defining the Scope and Content of the Audit........................................................523
The Audit Plan.......................................................................................................523
Reviewing the End-User Computing Group’s Procedures and Objectives .............524
Evaluating the End-User Computing Group’s Effectiveness by Reviewing Their Documentation .................................................................................524
Audit Testing .........................................................................................................525
The Audit Report ...................................................................................................525
Conclusion ......................................................................................................................526
Review Questions ..........................................................................................................526
Multiple Choice Questions ....................................................................................527
Exercises ...............................................................................................................528
Answers to Multiple Choice Questions ..................................................................528
Further Readings ............................................................................................................528
PART V:
ADVANCED TOPICS
Chapters 23 through 26 ..................................................................................................531
23 Virtual Environment ................................................................................................533
The Virtual Environment................................................................................................533
Areas of Control and Risk Issues ...........................................................................536
IT Operations Issues in Network Installation .................................................................536
Types of WANs...............................................................................................................538
Elements of WANs .........................................................................................................539
Access Methods .....................................................................................................539
Connective Devices ...............................................................................................539
Bridges........................................................................................................539
Routers....................................................................................................... 540
Protocols ...............................................................................................................540
Network Services .................................................................................................. 540
Frame Relay Network Services ...................................................................541
ATM Network Services ..............................................................................541
The Network Management System ........................................................................541
Network Topologies...............................................................................................541
Star Topology .............................................................................................541
Ring Topology .......................................................................................... 542
Bus Topology ............................................................................................ 542
Mesh Topology ......................................................................................... 542
Hybrid Topology ....................................................................................... 542
Tools for Network Monitoring....................................................................................... 542
Protocol Analyzers ................................................................................................ 543
WAN Protocol Analyzers .......................................................................... 543
Network Monitors ................................................................................................ 543
Network Management Software ........................................................................... 543
General Statistical Tools ....................................................................................... 544
Hybrids .................................................................................................................544
The Internet, Intranet, and Extranet .............................................................................. 544