Before presenting our selection of what we consider the main IT audit and systems audit books, it is worth taking a quick look at who IT auditors are.
IT auditors are responsible for examining and evaluating a company's IT policies, operations and technology infrastructure. They seek to ensure that corporate assets are adequately protected and that data integrity is guaranteed and aligned with the overall objectives of the business. They also identify problems of efficiency, compliance and risk management.
We know that choosing a good book is not an easy task. However much you search the internet and download materials (articles, podcasts, videos, etc.), you should not set aside the books that are references on the subject and that will add to your knowledge.
So here is a selection of what I consider important books of proven quality on Information Technology and Systems Auditing, in both English and Portuguese. In other words, it also lists audit books, auditing books, information systems audit books, IT audit books, technology audit books and related titles.
The idea is to keep this list always up to date with good recommendations. Whenever it is updated, the date will be given at the end of this page. Happy studying! =)
IT Audit and Information Systems Audit Books
Information technology auditing brings together a constantly changing body of knowledge and business practices, requiring continuous updating from professionals in the organizational areas.
This book, with renewed content and examples of the applicability and usefulness of tools for carrying out IT audits, presents the perspectives of information systems auditing, meeting academic and business needs for better management of computerized businesses.
The author's experience, proven over more than 20 years of work in corporate auditing, both as a practitioner and as a teacher, is reflected in the many practical examples (drawn from real life) throughout the pages of this book.
Among the special features of the work is the articulated way in which it presents its chapters, which are briefly organized as follows: Standards and code of ethics; Team development; Tools and techniques; Evaluation of systems audit software; Computer network auditing; Report writing, among other topics.
Customers and shareholders recognize the quality and soundness of companies in the market through profitability, strategy, ethics and good corporate governance practices intrinsic to business processes.
In this highly competitive scenario, Information Technology acts as an enabler of business viability and potential, with Systems Auditing playing a fundamental role in measuring and correcting the degree of alignment between IT initiatives and business strategies.
It becomes necessary to simplify the subject of Systems Auditing for various audiences, whether the auditor, the information security officer, the IT manager or the business area itself, which is interested in maintaining a higher level of control over its automated processes.
This work addresses, in a concrete and objective way, the main problem in some audit areas, namely the lack of practical business experience of systems auditors with an IT background, as well as their interrelation with the Corporate Governance process.
Based on international best practices, the book guides professionals with up-to-date information on the information technology audit life cycle.
Content of book:
- Chapter 1 – Information Systems
- Chapter 2 – IT Audit and Governance
- Chapter 3 – Analysis of Infrastructure and Computerized Systems
- Chapter 4 – Service Level Management
- Chapter 5 – Security of Information Assets
- Chapter 6 – Business Continuity, Disaster Recovery and IT Contingency Plan
- Chapter 7 – Audit Support Work
- Chapter 8 – Formalization of Audit Working Papers
- Chapter 9 – Final Audit Report and Follow-up
- Appendix 1 – RFP Template
- Appendix 2 – SLA Templates
- Appendix 3 – IT Audit and Information Security Links and References
- Appendix 4 – Exercise Solutions
- Appendix 5 – Glossary
Information is the most precious and strategic asset of the 21st century. The information age makes this asset available in a significant volume that is unprecedented in history. Concern about threats to confidentiality, integrity and availability is also growing, and the subject has been discussed in the meetings of CIOs and CSOs of large corporations.
This work has been revised, updated and expanded to deepen the relationship between Software Engineering and Information Security, aiming to help the reader develop potentially secure software.
The book has four parts that explore the theme of Security and Auditing in Information Systems. In simple, accessible language, the book covers: Information Security in its broadest aspects, Security in the Context of Software Development, Information Systems Auditing and also the Strategic Administration of Information Security. The book also includes a summary of the ISO/IEC 27002 and ISO/IEC 15408 standards.
Business management is the environment in which the administrative audit function operates, and its main purpose is decision-making with a view to changing the process or product for organizational continuity.
Management auditing reviews the organization's strategy, tactics and operations process, together with logistics and controllership. It takes place in both private and public entities, focusing on the current and future scenario. After this stage, two types of recommendation are generated: benefit recommendations, drawn up from the perspective of the user, customer or consumer of the product or service, and cost recommendations, which aim to minimize the use and consumption of the resources or activities of the organization's business processes.
When auditing takes place across all organizational environments and technologies, it serves as constant learning and allows the auditor to act as a barometer of the practices and results experienced by the company.
This work covers the following subjects: management, process and product auditing; audit techniques and procedures; internal control; operational and systems auditing; methods, techniques and applications of operational and systems auditing; and auditing of the information technology environment.
This book deals with the concepts involved in access control, from those related to technical issues to those related to processes.
It covers audit processes and tools, logical access, auditing of computer networks, operating systems and applications, and also presents security tools such as firewalls, proxies, IDS and content filters, as well as the topic of risk management and business continuity.
The objective is to present an overview of the most important aspects of auditing and access control.
Through an approach that combines the presentation of theory and normative and jurisprudential criteria with the author's practical experience in audits carried out by the Brazilian Federal Court of Accounts (Tribunal de Contas da União, TCU), the book Auditoria de TI: O Guia de Sobrevivência (IT Audit: The Survival Guide) seeks to adopt direct language accessible to professionals of any background who, in some way, need to work with IT control and governance.
Its main objective is to provide guidance to auditors in carrying out audits in the area of information technology (IT), as well as to provide information to managers responsible for controls and for the compliance of IT processes.
The book covers the following topics, among others: the audit process; legislation and case law; IT governance and management; IT procurement; information security; information systems; data analysis; transparency and open data.
Be prepared to save your life and your business in the event of an incident or disaster. Have a professional "plan B".
Companies must analyze in detail the risk of stoppage in their critical business processes. This risk must be understood from a corporate point of view. We must then move on to Business Continuity Management to distribute responsibilities within the organization, thereby keeping business processes running continuously. What would you do if:
- Your organization's network, e-mail, internet or a critical system became unavailable for X minutes/hours/days because of a cyber attack?
- A fire destroyed all important documents (internal or customers')?
- A key person on your team fell ill? Or received a much better job offer and left your company immediately?
- Your main supplier failed to deliver the contracted service?
- There was a flood in your city and employees could not get to work?
- There was a truckers' strike and your products were not delivered to your customers?
- There was a dengue epidemic in your city and your employees were infected?
- A personal data breach incident occurred at your company?
An interruption of a critical business process can cause significant losses for your company.
Secure Your Systems Using the Latest IT Auditing Techniques.
Fully updated to cover leading-edge tools and technologies, IT Auditing: Using Controls to Protect Information Assets, Third Edition, explains, step by step, how to implement a successful, enterprise-wide IT audit program. New chapters on auditing cybersecurity programs, big data and data repositories, and new technologies are included. This comprehensive guide describes how to assemble an effective IT audit team and maximize the value of the IT audit function. In-depth details on performing specific audits are accompanied by real-world examples, ready-to-use checklists, and valuable templates. Standards, frameworks, regulations, and risk management techniques are also covered in this definitive resource.
- Build and maintain an internal IT audit function with maximum effectiveness and value.
- Audit entity-level controls and cybersecurity programs.
- Assess data centers and disaster recovery.
- Examine switches, routers, and firewalls.
- Evaluate Windows, UNIX, and Linux operating systems.
- Audit Web servers and applications.
- Analyze databases and storage solutions.
- Review big data and data repositories.
- Assess end user computer devices, including PCs and mobile devices.
- Audit virtualized environments.
- Evaluate risks associated with cloud computing and outsourced operations.
- Drill down into applications and projects to find potential control weaknesses.
- Learn best practices for auditing new technologies.
- Use standards and frameworks, such as COBIT, ITIL, and ISO.
- Understand regulations, including Sarbanes-Oxley, HIPAA, and PCI.
- Implement proven risk management practices.
The new fifth edition of Information Technology Control and Audit has been significantly revised to include a comprehensive overview of the IT environment, including revolutionizing technologies, legislation, audit process, governance, strategy, and outsourcing, among others. This new edition also outlines common IT audit risks, procedures, and involvement associated with major IT audit areas. It further provides cases featuring practical IT audit scenarios, as well as sample documentation to design and perform actual IT audit work.
Filled with up-to-date audit concepts, tools, techniques, and references for further reading, this revised edition promotes the mastery of concepts, as well as the effective implementation and assessment of IT controls by organizations and auditors.
For instructors and lecturers there is an instructor's manual, sample syllabi and course schedules, PowerPoint lecture slides, and test questions. For students there are flashcards to test their knowledge of key terms and recommended further readings.
Content of book:
- Part 1. Foundation for IT Audit:
- 1. Information Technology Environment and IT Audit
- 2. Legislation Relevant to Information Technology
- 3. The IT Audit Process
- 4. Tools and Techniques Used in Auditing IT
- Part 2. Planning and Organization:
- 5. IT Governance and Strategy
- 6. Risk Management
- 7. Project Management
- 8. System Development Life Cycle
- Part 3. Auditing Environment:
- 9. Application Systems: Risks and Controls
- 10. Change Control Management
- 11. Information Systems Operations
- 12. Information Security
- 13. Systems Acquisition, Service Management, and Outsourcing
- Part 4. Appendixes:
- 1. IT Planning Memo
- 2. Understanding the IT Environment
- 3. Sample IT Audit Programs for General Control IT Areas
- 4. ACL Best Practice Procedures for Testing Accounting Journal Entries
- 5. IT Risk Assessment Example Using NIST SP 800-30
- 6. Sample Change Control Management Policy
- 7. Sample Information Systems Operations Policy
- 8. Auditing End-User Computing Groups
- 9. Recommended Control Areas for Auditing Software Acquisitions
- 10. Glossary
When it comes to computer security, the role of auditors today has never been more crucial. Auditors must ensure that all computers, in particular those dealing with e-business, are secure.
The only source for information on the combined areas of computer audit, control, and security, IT Audit, Control, and Security describes the types of internal controls, security, and integrity procedures that management must build into its automated systems.
This very timely book provides auditors with the guidance they need to ensure that their systems are secure from both internal and external threats.
There are many webinars and training courses on Data Analytics for Internal Auditors, but no handbook written from the practitioner’s viewpoint covering not only the need and the theory, but a practical hands-on approach to conducting Data Analytics.
The spread of IT systems makes it necessary that auditors as well as management have the ability to examine high volumes of data and transactions to determine patterns and trends. The increasing need to continuously monitor and audit IT systems has created an imperative for the effective use of appropriate data mining tools.
This book takes an auditor from a zero base to an ability to professionally analyze corporate data seeking anomalies.
Content of book:
- Introduction to Data Analysis.
- Understanding Sampling.
- Judgmental vs Statistical Sampling.
- Probability theory in Data Analysis.
- Types of Evidence.
- Population Analysis.
- Correlations and Regressions.
- Conducting the Audit.
- Obtaining Information from IT Systems for Analysis.
- Use of Computer Assisted Audit Techniques.
- Analysis of Big Data.
- Results Analysis and Validation.
- Root Cause Analysis.
- Data Analysis and Continuous Monitoring.
- Continuous Auditing.
- Financial Analysis.
- Excel and Data Analysis.
- ACL and Data Analysis.
- IDEA and Data Analysis.
- Analysis Reporting.
Operational Auditing: Principles and Techniques for a Changing World, 2nd edition, explains the proven approaches and essential procedures to perform risk-based operational audits. It shows how to effectively evaluate the relevant dynamics associated with programs and processes, including operational, strategic, technological, financial and compliance objectives and risks.
This book merges traditional internal audit concepts and practices with contemporary quality control methodologies, tips, tools and techniques. It explains how internal auditors can perform operational audits that result in meaningful findings and useful recommendations to help organizations meet objectives and improve the perception of internal auditors as high-value contributors, appropriate change agents and trusted advisors.
The 2nd edition introduces or expands the previous coverage of: (i) Control self-assessments; (ii) The 7 Es framework for operational quality; (iii) Linkages to ISO 9000; (iv) Flowcharting techniques and value-stream analysis; (v) Continuous monitoring; (vi) The use of Key Performance Indicators (KPIs) and Key Risk Indicators (KRIs); (vii) Robotic process automation (RPA), artificial intelligence (AI) and machine learning (ML); (viii) A new chapter that examines the role of organizational structure and its impact on effective communications, task allocation, coordination, and operational resiliency, so that organizations can respond more effectively to market demands.
Content of book:
- Definition, Characteristics and Guidance
- Objectives and Phases of Operational Audits
- Risk Assessments
- The 8 Es
- Control Frameworks
- Eight Areas of Waste
- Quality Control
- Documenting Issues
- Continuous Monitoring
- Change Management
- Project Management
- Auditing Business Functions and Activities
- The Toyota Production System (TPS)
Auditing IT Infrastructures for Compliance: Textbook with Lab Manual (Information Systems Security & Assurance)
Part of the Jones & Bartlett Learning Information System Security & Assurance Series!
The Second Edition of Auditing IT Infrastructures for Compliance provides a unique, in-depth look at recent U.S.-based information systems and IT infrastructure compliance laws in both the public and private sector.
Written by industry experts, this book provides a comprehensive explanation of how to audit IT infrastructures for compliance based on the laws and the need to protect and secure business and consumer privacy data. Using examples and exercises, this book incorporates hands-on activities to prepare readers to skillfully complete IT compliance auditing.
About the Series: This book is part of the Information Systems Security and Assurance Series from Jones and Bartlett Learning. Designed for courses and curriculums in IT Security, Cybersecurity, Information Assurance, and Information Systems Security, this series features a comprehensive, consistent treatment of the most current thinking and trends in this critical subject area.
These titles deliver fundamental information-security principles packed with real-world applications and examples. Authored by Certified Information Systems Security Professionals (CISSPs), they deliver comprehensive information on all aspects of information security.
Reviewed word for word by leading technical experts in the field, these books are not just current, but forward-thinking, putting you in the position to solve the cybersecurity challenges not just of today, but of tomorrow, as well.
Content of book:
- Chapter 1: The Need for Information Systems Security Compliance
- Chapter 2: Overview of U.S. Compliancy Laws
- Chapter 3: What Is the Scope of an IT Compliance Audit?
- Chapter 4: Auditing Standards and Frameworks
- Chapter 5: Planning an IT Infrastructure Audit for Compliance
- Chapter 6: Conducting an IT Infrastructure Audit for Compliance
- Chapter 7: Writing the IT Infrastructure Audit Report
- Chapter 8: Compliance Within the User Domain
- Chapter 9: Compliance Within the Workstation Domain
- Chapter 10: Compliance Within the LAN Domain
- Chapter 11: Compliance Within the LAN-to-WAN Domain
- Chapter 12: Compliance Within the WAN Domain
- Chapter 13: Compliance Within the Remote Access Domain
- Chapter 14: Compliance Within the System/Application Domain
- Chapter 15: Ethics, Education, and Certification for IT Auditors
The Complete Guide to Cybersecurity Risks and Controls presents the fundamental concepts of information and communication technology (ICT) governance and control. In this book, you will learn how to create a working, practical control structure that will ensure the ongoing, day-to-day trustworthiness of ICT systems and data. The book explains how to establish systematic control functions and timely reporting procedures within a standard organizational framework and how to build auditable trust into the routine assurance of ICT operations.
The book is based on the belief that ICT operation is a strategic governance issue rather than a technical concern. With the exponential growth of security breaches and the increasing dependency on external business partners to achieve organizational success, the effective use of ICT governance and enterprise-wide frameworks to guide the implementation of integrated security controls is critical in order to mitigate data theft. Surprisingly, many organizations do not have formal processes or policies to protect their assets from internal or external threats.
The ICT governance and control process establishes a complete and correct set of managerial and technical control behaviors that ensures reliable monitoring and control of ICT operations. The body of knowledge for doing that is explained in this text. This body of knowledge process applies to all operational aspects of ICT responsibilities ranging from upper management policy making and planning, all the way down to basic technology operation.
Table of contents:
- Why Cybersecurity Management Is Important
- Control-Based Information Governance, What It Is and How It Works
- A Survey of Control Frameworks, General Structure, and Application
- What Are Controls and Why Are They Important?
- Implementing a Multitiered Governance and Control Framework in a Business
- Risk Management and Prioritization Using a Control Perspective
- Control Formulation and Implementation Process
- Security Control Validation and Verification
- Control Framework Sustainment and Security of Operations
Implementing Cybersecurity: A Guide to the National Institute of Standards and Technology Risk Management Framework
The book provides the complete strategic understanding requisite to allow a person to create and use the RMF process recommendations for risk management.
This will be the case both for applications of the RMF in corporate training situations, as well as for any individual who wants to obtain specialized knowledge in organizational risk management.
It is an all-purpose roadmap of sorts aimed at the practical understanding and implementation of the risk management process as a standard entity. It will enable an "application" of the risk management process as well as the fundamental elements of control formulation within an applied context.
Table of contents:
- Introduction to Organizational Security Risk Management
- Survey of Existing Risk Management Models
- Step 1 – Categorize Information and Information Systems
- Step 2 – Select Security Controls
- Step 3 – Implement Security Controls
- Step 4 – Assess Security Controls
- Step 5 – Authorize Information Systems
- Step 6 – Monitor Security State
- Practical Application to the Implementation of the NIST Risk Management Framework
IT Auditing Defined will allow readers to grasp the key concepts of Information Technology Auditing and its many facets.
It aims to deliver significant experience to an individual who is interested in learning more about the “Execution” of performing IT Audits within the federal space and preparing a Federal Agency for an external audit.
It walks through the basics of Planning and Scoping, Test of Design, Test of Effectiveness, Workpaper documentation, NFR preparation, and communication with upper management in order to remediate control gaps.
Table of contents:
- Acknowledgments
- 1 - A Brief History of Auditing
- 2 - The Basics of IT Auditing
- 3 - The IT Audit Process
- 4 - Workpaper Development
- 5 - Writing Observations
Step-by-step guide to successful implementation and control of IT systems including the Cloud.
Many auditors are unfamiliar with the techniques they need to know to efficiently and effectively determine whether information systems are adequately protected. Now in a Second Edition, Auditor's Guide to IT Auditing presents an easy, practical guide for auditors that can be applied to all computing environments.
Contents: Follows the approach used by the Information System Audit and Control Association's model curriculum, making this book a practical approach to IS auditing. Serves as an excellent study guide for those preparing for the CISA and CISM exams. Includes discussion of risk evaluation methodologies, new regulations, SOX, privacy, banking, IT governance, CobiT, outsourcing, network management, and the Cloud.
As networks and enterprise resource planning systems bring resources together, and as increasing privacy violations threaten more organizations, information systems integrity becomes more important than ever. Auditor's Guide to IT Auditing, Second Edition empowers auditors to effectively gauge the adequacy and effectiveness of information systems controls.
IT Auditing and Application Controls for Small and Mid-Sized Enterprises: Revenue, Expenditure, Inventory, Payroll, and More
Essential guidance for the financial auditor in need of a working knowledge of IT.
If you're a financial auditor needing working knowledge of IT and application controls, Automated Auditing Financial Applications for Small and Mid-Sized Businesses provides you with the guidance you need.
Conceptual overviews of key IT auditing issues are included, as well as concrete hands-on tips and techniques. Inside, you'll find background and guidance with appropriate reference to material published by ISACA, AICPA, organized to show the increasing complexity of systems, starting with general principles and progressing through greater levels of functionality.
- Provides straightforward IT guidance to financial auditors seeking to develop quality and efficacy of software controls.
- Offers small- and middle-market business auditors relevant IT coverage.
- Covers relevant applications, including MS Excel, Quickbooks, and report writers.
- Written for financial auditors practicing in the small to midsized business space.
The largest market segment in the United States in quantity and scope is the small and middle market business, which continues to be the source of economic growth and expansion. Uniquely focused on the IT needs of auditors serving the small to medium sized business, Automated Auditing Financial Applications for Small and Mid-Sized Businesses delivers the kind of IT coverage you need for your organization.
Table of contents:
- Chapter 1: Why Is IT Auditing Important to the Financial Auditor and the Financial Statement Audit?
- Chapter 2: General Controls for the SME
- Chapter 3: Application-Level Security
- Chapter 4: General Ledger and the IT Audit
- Chapter 5: The Revenue Cycle
- Chapter 6: The Expenditure Cycle
- Chapter 7: The Inventory Cycle
- Chapter 8: The Payroll Cycle
- Chapter 9: Risk, Controls, Financial Reporting, and an Overlay of COSO on COBIT
- Chapter 10: Integrating the IT Audit into the Financial Audit
- Chapter 11: Spreadsheet and Desktop Tool Risk Exposures
- Chapter 12: Key Reports and Report Writers Risk Exposures
- Chapter 13: IT Audit Deficiencies: Defining and Evaluating IT Audit Deficiencies
This handbook helps auditors evaluate, measure, and check internal management and financial procedures and systems to increase efficiency and prevent fraud. Reflecting the variety of business situations that auditors face, it encourages them to develop creative approaches for dealing with the problems encountered during the operational audit review. This new edition is fully updated to take account of developments in internal control and corporate governance under Sarbanes-Oxley, and in audit processes particular to financial institutions in light of the credit crunch. It also contains new and updated case studies and checklists.
The Operational Auditing Handbook clarifies the underlying issues, risks and objectives for a wide range of operations and activities and is a professional companion, with many checklists, for those who design self-assessment and audit programmes of business processes in all sectors. Reflecting the strategic importance of information technology today, this second edition is considerably expanded in this area with leading edge material. Other completely new material includes clear, authoritative guidance on how to achieve effective governance, risk management and internal control processes.
Table of contents:
- Part I: Understanding Operational Auditing
- Chapter 1: Approaches to Operational Auditing
- Chapter 2: Business Processes
- Chapter 3: Developing Operational Review Programmes for Managerial and Audit Use
- Chapter 4: Governance Processes
- Chapter 5: Risk Management Processes
- Chapter 6: Internal Control Processes
- Chapter 7: Review of the Control Environment
- Chapter 8: Reviewing Internal Control over Financial Reporting: The Sarbanes-Oxley Approach
- Chapter 9: Business/Management Techniques and their Impact on Control and Audit
- Chapter 10: Control Self Assessment
- Chapter 11: Evaluating the Internal Audit Activity
- Part II: Auditing Key Functions
- Chapter 12: Auditing the Finance and Accounting Functions
- Chapter 13: Auditing Subsidiaries, Remote Operating Units and Joint Ventures
- Chapter 14: Auditing Contracts and the Purchasing Function
- Chapter 15: Auditing Operations and Resource Management
- Chapter 16: Auditing Marketing and Sales
- Chapter 17: Auditing Distribution
- Chapter 18: Auditing Human Resources
- Chapter 19: Auditing Research and Development
- Chapter 20: Auditing Security
- Chapter 21: Auditing Environmental Responsibility
- Part III: Auditing Information Technology
- Chapter 22: Auditing Information Technology
- Chapter 23: IT Strategic Planning
- Chapter 24: IT Organisation
- Chapter 25: IT Policy Framework
- Chapter 26: Information Asset Register
- Chapter 27: Capacity Management
- Chapter 28: Information Management (IM)
- Chapter 29: Records Management (RM)
- Chapter 30: Knowledge Management (KM)
- Chapter 31: IT Sites and Infrastructure (Including Physical Security)
- Chapter 32: Processing Operations
- Chapter 33: Back-up and Media Management
- Chapter 34: Removable Media
- Chapter 35: System and Operating Software (Including Patch Management)
- Chapter 36: System Access Control (Logical Security)
- Chapter 37: Personal Computers (Including Laptops and PDAs)
- Chapter 38: Remote Working
- Chapter 39: Email
- Chapter 40: Internet Usage
- Chapter 41: Software Maintenance (Including Change Management)
- Chapter 42: Networks
- Chapter 43: Databases
- Chapter 44: Data Protection
- Chapter 45: Freedom of Information
- Chapter 46: Data Transfer and Sharing (Standards and Protocol)
- Chapter 47: Legal Responsibilities
- Chapter 48: Facilities Management
- Chapter 49: System Development
- Chapter 50: Software Selection
- Chapter 51: Contingency Planning
- Chapter 52: Human Resources Information Security
- Chapter 53: Monitoring and Logging
- Chapter 54: Information Security Incidents
- Chapter 55: Data Retention and Disposal
- Chapter 56: Electronic Data Interchange (EDI)
- Chapter 57: Viruses
- Chapter 58: User Support
- Chapter 59: BACS
- Chapter 60: Spreadsheet Design and Good Practice
- Chapter 61: IT Health Checks
- Chapter 62: IT Accounting
- Appendix 1: Index to SAPGs on the Companion Website
- Appendix 2: Standard Audit Programme Guides
- Appendix 3: International Data Protection Legislation
- Appendix 4: International Freedom of Information Legislation
- Appendix 5: Information Management Definitions
- Appendix 6: IT and Information Management Policies
As the power of computing continues to advance, companies have become increasingly dependent on technology to perform their operational requirements and to collect, process, and maintain vital data.
This increasing reliance has caused information technology (IT) auditors to examine the adequacy of managerial control in information systems and related operations to assure necessary levels of effectiveness and efficiency in business processes. In order to perform a successful assessment of a business's IT operations, auditors need to keep pace with the continued advancements being made in this field.
IT Auditing Using a System Perspective is an essential reference source that discusses advancing approaches within the IT auditing process, as well as the tasks necessary to properly initiate, document, and complete an IT audit engagement. Applying the recommended practices contained in this book will help IT leaders improve IT audit practice areas to safeguard information assets more effectively with a concomitant reduction in engagement area risks.
Featuring research on topics such as statistical testing, management response, and risk assessment, this book is ideally designed for managers, researchers, auditors, practitioners, analysts, IT professionals, security officers, educators, policymakers, and students seeking coverage on modern auditing approaches within information systems and technology.
Table of contents: Section 1. IT audit planning process. Chapter 1. Activity: building the IT audit project plan ; Chapter 2. Activity: finalizing the IT audit project plan. Section 2. IT audit study and evaluation of controls process. Chapter 3. Activity: studying the IT audit area controls ; Chapter 4. Activity: evaluating the IT audit area controls. Section 3. IT audit testing of controls process. Chapter 5. Activity: IT audit test preparation ; Chapter 6. Activity: evaluation of the IT audit tests. Section 4. IT audit report on controls process. Chapter 7. Activity: review of the IT audit findings ; Chapter 8. Activity: initializing the IT audit report. Section 5. IT audit follow-up process. Chapter 9. Activity: review of the IT audit responses ; Chapter 10. Activity: IT audit follow-up course of action.
There is a large body of literature on banking, banking law, internal audit systems and their application in the banking sector, with each book focusing on a specific area.
A Guide to Risk-Based Internal Audit System in Banks covers banks as a whole: their operations, business, compliance obligations, the areas to be covered in risk-based audits, and the audit processes themselves, all in the form of guidance.
This book will help bank management implement an internal audit system and, at the same time, it explains the role and responsibilities of internal auditors, whether in-house or outsourced.
Why this book?
- Written in simple and clear language using appropriate flowcharts and diagrams. - Focuses on practical aspects of the internal audit system in banks. - Explains the evolution of the banking sector from traditional to modern. - Explains the laws governing the banking sector in India. - Provides practical guidance on auditing each area of banking operations, and the assets and liabilities, based on risk. - Serves as a guide for auditors, students, academics and bankers to understand and apply the risk-based internal audit concept in banks.
Faced with the compliance requirements of increasingly punitive information and privacy-related regulation, as well as the proliferation of complex threats to information security, there is an urgent need for organizations to adopt IT governance best practice.
IT Governance is a key international resource for managers in organizations of all sizes and across industries, and deals with the strategic and operational aspects of information security.
Now in its seventh edition, the bestselling IT Governance provides guidance for companies looking to protect and enhance their information security management systems (ISMS) and protect themselves against cyber threats. The new edition covers changes in global regulation, particularly GDPR, and updates to standards in the ISO/IEC 27000 family, BS 7799-3:2017 (information security risk management) plus the latest standards on auditing. It also includes advice on the development and implementation of an ISMS that will meet the ISO 27001 specification and how sector-specific standards can and should be factored in.
With information on risk assessments, compliance, equipment and operations security, controls against malware and asset management, IT Governance is the definitive guide to implementing an effective information security management and governance system.
This book will help you understand:
- How information technology decisions should be made and monitored, and how to deal with risks;
- The issues and responsibilities associated with risk;
- The importance of information-related legislation and regulation;
- How an organisation’s commercial viability and profitability increasingly depends on the security, confidentiality and integrity of information and information assets;
- The new, global threats and vulnerabilities, particularly in cyberspace; and
- How ISO 27001 compliance should enable organisations to demonstrate a proper response to all the challenges listed above.
Gain a thorough understanding of how modern audits are conducted in today's computer-driven business environment with Information Technology Auditing, 4E.
You gain valuable insights into state-of-the-art auditing issues as this leading accounting text provides you with the background you need to succeed in today's business world.
This edition focuses on the latest information technology aspects of auditing with up-to-date coverage of auditor responsibilities, emerging legislation, and today's fraud techniques and detection. The book focuses on key information technology aspects of auditing, including coverage of transaction processing, Sarbanes-Oxley implications, audit risk, and the COSO control framework. Students review general and application control issues, the latest in fraud techniques and detection, today's IT outsourcing issues and concerns, and modern enterprise system risks and controls.
Expanded end-of-chapter questions, problems, and cases give you important hands-on practice for success in your future career.
Table of contents: 1. Auditing, Assurance, and Internal Control. 2. IT Governance. 3. System Security I--Networks and Operating Systems. 4. System Security II--Data Management. 5. Systems Development and Program Change Procedures. 6. Overview of Transaction Processing and Financial Reporting Systems. 7. Computer-Assisted Audit Tools and Techniques. 8. CAATTs for Data Extraction and Analysis. 9. Application Controls and Substantive Testing I--The Revenue Cycle. 10. Application Controls and Substantive Testing II--The Expenditure Cycle. 11. Enterprise Resource Planning Systems. 12. Ethics, Fraud Schemes and Fraud Detection.
A comprehensive guide to understanding and auditing modern information systems.
The increased dependence on information system resources for performing key activities within organizations has made system audits essential for ensuring the confidentiality, integrity, and availability of information system resources. One of the biggest challenges faced by auditors is the lack of a standardized approach and relevant checklist. Understanding and Conducting Information Systems Auditing brings together resources with audit tools and techniques to solve this problem.
Featuring examples that are globally applicable and covering all major standards, the book takes a non-technical approach to the subject and presents information systems as a management tool with practical applications. It explains in detail how to conduct information systems audits and provides all the tools and checklists needed to do so. In addition, it also introduces the concept of information security grading, to help readers to implement practical changes and solutions in their organizations.
- Includes everything needed to perform information systems audits. - Organized into two sections—the first designed to help readers develop the understanding necessary for conducting information systems audits and the second providing checklists for audits. - Features examples designed to appeal to a global audience.
Taking a non-technical approach that makes it accessible to readers of all backgrounds, Understanding and Conducting Information Systems Auditing is an essential resource for anyone auditing information systems.
"A much-needed service for society today. I hope this book reaches information managers in the organization now vulnerable to hacks that are stealing corporate information and even holding it hostage for ransom."
– Ronald W. Hull, author, poet, and former professor and university administrator.
A comprehensive entity security program deploys information asset protection through stratified technological and non-technological controls. Controls are necessary for counteracting the risks arising from threats, opportunities, and vulnerabilities in a manner that reduces potential adverse effects to defined, acceptable levels.
This book presents a methodological approach in the context of normative decision theory constructs and concepts with appropriate reference to standards and the respective guidelines. Normative decision theory attempts to establish a rational framework for choosing between alternative courses of action when the outcomes resulting from the selection are uncertain.
Through the methodological application, decision theory techniques can provide objectives determination, interaction assessments, performance estimates, and organizational analysis. A normative model prescribes what should exist according to an assumption or rule.
The rise of artificial intelligence is nothing short of a technological revolution. AI is poised to completely transform accounting and auditing professions, yet its current application within these areas is limited and fragmented. Existing AI implementations tend to solve very narrow business issues, rather than serving as a powerful tech framework for next-generation accounting. Artificial Intelligence for Audit, Forensic Accounting, and Valuation provides a strategic viewpoint on how AI can be comprehensively integrated within audit management, leading to better automated models, forensic accounting, and beyond.
No other book on the market takes such a wide-ranging approach to using AI in audit and accounting. With this guide, you’ll be able to build an innovative, automated accounting strategy, using artificial intelligence as the cornerstone and foundation. This is a must, because AI is quickly growing to be the single competitive factor for audit and accounting firms. With better AI comes better results. If you aren’t integrating AI and automation in the strategic DNA of your business, you’re at risk of being left behind.
- See how artificial intelligence can form the cornerstone of integrated, automated audit and accounting services. - Learn how to build AI into your organization to remain competitive in the era of automation. - Go beyond siloed AI implementations to modernize and deliver results across the organization. - Understand and overcome the governance and leadership challenges inherent in AI strategy.
Accounting and auditing firms need a comprehensive framework for intelligent, automation-centric modernization. Artificial Intelligence for Audit, Forensic Accounting, and Valuation delivers just that—a plan to evolve legacy firms by building firmwide AI capabilities.
Table of contents: Part I: Foundations For AI and Audit. Chapter 1: Introduction: Staying Ahead of the Emergent Risk. Chapter 2: Fourth Industrial Revolution and Its Impact on Audit. Chapter 3: What Is Artificial Intelligence? Chapter 4: Rise of Machine Learning. Chapter 5: Machine Learning. Chapter 6: Building an IAA Audit Firm: The Planning Toolkit. Part II: Building the Automated Audit Function in the Enterprise. Chapter 7: Obtain, Retain, and Preplan with AI. Chapter 8: Automated Inherent Risk Assessment. Chapter 9: Automating Internal Controls Assessment. Chapter 10: Automated Procedures. Chapter 11: Reporting and Post-Audit Management. Part III: Forensic Accounting Automation. Chapter 12: Intelligent Automation of Fraud Detection. Chapter 13: Forensic Accounting. Chapter 14: Managing for Value and Valuation. Chapter 15: Tying It Together and Robots. Part IV: Management, Organization, and Governance For AI in Audit. Chapter 16: Client Management. Chapter 17: AI Organization and Project Management. Chapter 18: Governance and Ethics.
Today, information technology plays a pivotal role in financial control and audit: most financial data is now digitally recorded and dispersed among servers, clouds and networks over which the audited firm has no control. Additionally, a firm’s data—particularly in the case of finance, software, insurance and biotech firms— comprises most of the audited value of the firm. Financial audits are critical mechanisms for ensuring the integrity of information systems and the reporting of organizational finances. They help avoid the abuses that led to passage of legislation such as the Foreign Corrupt Practices Act (1977), and the Sarbanes-Oxley Act (2002).
Audit effectiveness has declined over the past two decades as auditor skillsets have failed to keep up with advances in information technology. Information and communication technology lie at the core of commerce today and are integrated in business processes around the world. This book is designed to meet the increasing need of audit professionals to understand information technology and the controls required to manage it. The material included focuses on the requirements for annual Securities and Exchange Commission audits (10-K) for listed corporations. These represent the benchmark auditing procedures for specialized audits, such as internal, governmental, and attestation audits.
Using R and RStudio, the book demonstrates how to render an audit opinion that is legally and statistically defensible; analyze, extract, and manipulate accounting data; build a risk assessment matrix to inform the conduct of a cost-effective audit program; and more.
Table of contents: 1 - Fundamentals of Auditing Financial Statements. 2 - Foundations of Audit Analytics. 3 - Analysis of Accounting Transactions. 4 - Risk Assessment and Planning. 5 - Analytical Review: Technical Analysis. 6 - Analytical Review: Intelligence Scanning. 7 - Design of Audit Programs. 8 - Interim Compliance Tests. 9 - Substantive Tests. 10 - Sarbanes-Oxley Engagements. 11 - Blockchains, Cybercrime and Forensics. 12 - Special Engagements: Forecasts and Valuation. 13 - Simulated Transactions for Auditing Service Organizations.
Fraud Auditing Using CAATT: A Manual for Auditors and Forensic Accountants to Detect Organizational Fraud
This book discusses the common occupational and organizational fraud schemes, organized according to the Association of Certified Fraud Examiners (ACFE) fraud tree, and assists fraud examiners and auditors in choosing the appropriate audit tests to uncover each of these schemes.
The book also includes information about audit test red flags to watch out for, a list of recommended controls to help prevent future fraud related incidents, as well as step-by-step demonstrations of a number of common audit tests using IDEA® as a CAATT tool.
Table of contents: Chapter 1 A Pedagogical Approach to Using This Manual. Chapter 2 Compendium of CAATT-Based Audit Tests for the Detection of Asset Misappropriation (Cash and Inventory). Chapter 3 Asset Misappropriation II – Fraudulent Disbursements. Chapter 4 Compendium of CAATT-Based Audit Tests for the Detection of Financial Statement Fraud. Chapter 5 Compendium of CAATT-Based Audit Tests for the Detection of Corruption. Chapter 6 CAATT in Fraud Auditing. Chapter 7 Audit Test Manual for ACFE Fraud Tree Schemes Using IDEA®. Chapter 8 Student Case Study Research and Oral Presentation Project.
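The book demonstrates its audit tests in IDEA®. As an added illustration (not code from the book, and not IDEA scripting), the Python below implements two of the classic CAATT tests that such manuals cover: a duplicate-payment test that groups disbursements by normalised vendor name and amount, and a Benford first-digit test that flags digits whose share is significantly above Benford's expectation. The vendor names, amounts and the 5,000 approval limit are all constructed for the example; the "legitimate" population is generated evenly in log space so that it conforms to Benford without depending on a random generator.

```python
"""
Two CAATT-style fraud audit tests in plain Python (added illustration; the
ledger, vendors, amounts and approval limit below are constructed).
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
import math


@dataclass(frozen=True)
class Payment:
    payment_id: str
    vendor: str
    invoice_no: str
    amount: float


def duplicate_payments(payments):
    """Red flag for billing schemes: the same vendor paid the same amount more
    than once. Vendor names are normalised (case, whitespace) so that a
    re-keyed vendor record still collides with the original. A group sharing
    one invoice number is a double payment; a group with different invoice
    numbers suggests a re-submitted or altered invoice."""
    groups = defaultdict(list)
    for p in payments:
        key = (" ".join(p.vendor.lower().split()), round(p.amount, 2))
        groups[key].append(p)
    return [sorted(g, key=lambda p: p.payment_id)
            for g in groups.values() if len(g) > 1]


def first_digit(amount):
    """Leading non-zero digit of an amount, or None for a zero amount."""
    a = abs(amount)
    if a == 0:
        return None
    while a >= 10:
        a /= 10
    while a < 1:
        a *= 10
    return int(a)


def benford_test(amounts, z_crit=3.0):
    """First-digit Benford test. Returns per-digit (observed, expected, z) and
    the digits whose share lies significantly *above* expectation. Only excess
    is flagged: inflating one digit dilutes the others, which would otherwise
    show up as spurious shortfalls."""
    digits = [d for d in map(first_digit, amounts) if d is not None]
    n = len(digits)
    counts = Counter(digits)
    stats = {}
    for d in range(1, 10):
        expected = math.log10(1 + 1 / d)
        observed = counts[d] / n
        se = math.sqrt(expected * (1 - expected) / n)  # binomial standard error
        stats[d] = (observed, expected, (observed - expected) / se)
    flagged = [d for d in range(1, 10) if stats[d][2] > z_crit]
    return stats, flagged


# --- Constructed sample data ------------------------------------------------

LEDGER = [  # hypothetical disbursement ledger
    Payment("P001", "Acme Supplies Ltd", "INV-1001", 1250.00),
    Payment("P002", "acme supplies ltd ", "INV-1001A", 1250.00),  # altered invoice no.
    Payment("P003", "Acme Supplies Ltd", "INV-1002", 980.50),
    Payment("P004", "Northwind Traders", "INV-77", 4999.00),
    Payment("P005", "Northwind Traders", "INV-77", 4999.00),      # paid twice
    Payment("P006", "Globex Corp", "GX-1", 310.00),
    Payment("P007", "Globex Corp", "GX-2", 310.00),
]


def legitimate_amounts(n_per_decade=1000, decades=3):
    """Amounts spread evenly in log space over several decades: a deterministic
    stand-in for a Benford-conforming population of transaction amounts."""
    return [10 ** (i / n_per_decade) for i in range(n_per_decade * decades)]


def structured_amounts(k=300):
    """k invoices deliberately kept just under a hypothetical 5,000 approval
    limit (all start with the digit 4)."""
    return [4900 + 99 * i / k for i in range(k)]


if __name__ == "__main__":
    for group in duplicate_payments(LEDGER):
        print("duplicate:", [(p.payment_id, p.invoice_no, p.amount) for p in group])
    _, clean = benford_test(legitimate_amounts())
    print("flagged digits, clean population:", clean)
    stats, flagged = benford_test(legitimate_amounts() + structured_amounts())
    print("flagged digits, with structured invoices:", flagged)
    for d in flagged:
        obs, exp, z = stats[d]
        print(f"digit {d}: observed {obs:.3f} expected {exp:.3f} z={z:.1f}")
```

The Benford test is a screening step, not proof of fraud: a flagged digit only tells the auditor where to pull invoices for detail testing, and populations with built-in limits (fixed fee schedules, capped reimbursements) deviate from Benford for innocent reasons.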
Over the last few years, financial statement scandals, cases of fraud and corruption, data protection violations, and other legal violations have led to numerous liability cases, damages claims, and losses of reputation. As a reaction to these developments, several regulations have been issued: Corporate Governance, the Sarbanes-Oxley Act, IFRS, Basel II and III, Solvency II and BilMoG, to name just a few. In this book, compliance is understood as the process, mapped not only in an internal control system, that is intended to guarantee conformity with legal requirements but also with internal policies and enterprise objectives (in particular, efficiency and profitability).
The current literature primarily confines itself to mapping controls in SAP ERP and auditing SAP systems. Maxim Chuprunov not only addresses this subject but extends the aim of internal controls from legal compliance to include efficiency and profitability, and then well beyond, because a basic understanding of the processes involved in IT-supported compliance management is not delivered along with the software.
Starting with the requirements for compliance (Part I), he not only answers compliance-relevant questions in the form of an audit guide for an SAP ERP system and in the form of risks and control descriptions (Part II), but also shows how to automate the compliance management process based on SAP GRC (Part III). He thus addresses the current need for solutions for implementing an integrated GRC system in an organization, especially focusing on the continuous control monitoring topics.
Operational Assessment of IT presents ideas and concepts of optimization designed to improve an organization’s business processes and assist business units in meeting organizational goals more effectively. Rather than focus on specific technologies, computing environments, enterprise risks, resource programs, or infrastructure, the book focuses on organizational processes. Throughout the book, the author presents concerns and environments encountered throughout his career to demonstrate issues and explain how you, too, can successfully implement the tools presented in the book.
The assessment process reviews the economics as well as the effectiveness and efficiency of the process. Whether your organization is profit-based, not-for-profit, or governmental, you cannot provide services or products at a continuous loss. For an operational assessment to be of value, its ultimate goal must be to ensure that the business unit process is effective and efficient and employs financial assets and resources appropriately, or to help the business unit make adjustments that improve the operation and use resources more efficiently and economically.
After reading this book, you will be able to devise more efficient and economical ways to meet your customers’ requirements, no matter who or where your customers are. You will learn that the goal of any process is to service or supply customers with what they want. The book provides tools and techniques that will assist you in gaining a 360-degree view of the process so that you can help the business unit improve the delivery of a quality product or a service to the customer.
Table of contents: Operational Auditing. Operational Assessment Planning. Operational Assessment Fieldwork. Assessment Reporting. IT and COBIT.
This book illustrates the importance of business impact analysis, which includes risk assessment, and moves towards a better understanding of the business environment, industry-specific compliance, the legal and regulatory landscape, and the need for business continuity. The book provides charts, checklists and flow diagrams that give a roadmap to collect, collate and analyze data, and give enterprise management a complete mapping of controls that comprehensively covers every compliance obligation the enterprise is subject to. The book helps professionals build a control framework tailored to an enterprise that covers best practices and the standards applicable to it.
- Presents a practical approach to assessing security, performance and business continuity needs of the enterprise.
- Helps readers understand common objectives for audit, compliance, internal/external audit and assurance.
- Demonstrates how to build a customized controls framework that fulfills common audit criteria, business resilience needs and internal monitoring for effectiveness of controls.
- Presents an Integrated Audit approach to fulfill all compliance requirements.
Table of contents: Understanding Organizational Context. Performing a Business Impact Analysis. BIA Reporting and Commitment of Resources. Risk Assessment and Reporting. Strategic Planning, Internal Control Structure, Management Oversight, and Reporting Tools. Information Technology All Pervasive to the Enterprise. Alignment of IT with Business Requirement. Comparative Analysis of Requirements for Common Standards and Compliances. Appendix: Templates, Questionnaires, Business Impact Analysis and Risk Analysis Forms.
Most organizations have been caught off guard by the proliferation of smart devices. The IT organization was comfortable supporting the BlackBerry because of its ease of implementation and maintenance, but the use of Android and iOS smart devices has created a maintenance nightmare, not only for the IT organization but for IT auditors as well.
This book serves as a guide for IT and audit professionals on how to manage, secure and audit smart devices. It provides guidance on the handling of both corporate-owned devices and Bring Your Own Device (BYOD) smart devices.
Table of contents: Part I: Benefits and Risks of Smart Devices, 1. Definition of a Smart Device, 2. Ownership of Devices, 3. Data Types, 4. Uses and Benefits of Smart Devices, 5. The Risks Associated with the Use of Smart Devices, Part II: Security of Smart Devices, 6. Hardware Features, 7. Operating System Security, 8. Securing Smart Devices, Part III: Managing Smart Devices, 9. Smart Devices Use Policy, 10. Security Policy, 11. Mobile Device Management, 12. Registering Smart Devices, 13. Provisional Email, Calendar and Contact, 14. Application Development and Deployment, 15. Connecting to Corporate Network, Part IV: Compliance, Reporting and Monitoring, 16. Compliance, Part V: Reporting, Monitoring and Auditing, 17. Reporting, Monitoring and Auditing, 18. Sample Audit Plan, Part VI: Samples, Sample I. Smart Device Use and Security Policy, Sample II. Smart Device Use Policy Form, Sample III. Minimum Smart Device Configuration Security Standard.
Suggestions for more quality books?
List updated on 26/12/2021
Do you have more suggestions for interesting books on these topics? Get in touch with me.
* * * * *
* When you buy through some of the links on this page (which point to Amazon Brasil or Hotmart), the price does not change for you and the site earns a small commission on the sale of the book.