Information Systems Auditing

Base Knowledge

There are no prerequisites to attend this Course.

Teaching Methodologies

Classes will take place in a computer room, preferably.

Classes are both theoretical and practical and aim to develop the student’s critical sense, with learning based on problem solving and on case studies of failures or weaknesses in internal controls or of attacks on computer systems.

Students are encouraged, throughout the semester, to participate and to develop a final audit report on a real information system, preferably one with which they have regular contact, or, alternatively, to take part in a registered Job Shadowing activity with one of the partners of this curricular unit (UC). Each student presents their final report or Job Shadowing activity and answers the questions posed by peer reviewers and other colleagues. This teaching and assessment methodology aims to prepare students for professional practice: intervening, arguing, researching, working in teams, managing conflicts, preparing presentations and presenting work.

The position of this curricular unit in the Degree in Management Informatics, and the absence of any previous preparation – even of a general nature – in Auditing, make it imperative to transmit elementary knowledge of Auditing and Internal Control, as well as of the planning and conduct of audit processes and of the profile, skills and behavior of the auditor in the context of data collection.

Aspects of communication (verbal and written) and of behavior (attitude and professional ethics) in auditing are considered fundamental soft skills in Information Systems Auditing and are covered in this UC.
Know the international reference organizations in the field of Auditing (ISACA and The Institute of Internal Auditors – USA) as well as good international practices to adopt: Internal Control Frameworks and Frameworks for IT Governance.
The Computer Assisted Audit Tools (CAATs) approach allows students to become aware of the complementary procedures available in computer terms.

This Curricular Unit intends, building on the knowledge already acquired in the disciplines of Information Systems I and Information Systems II, Computer Security and Databases, to give students complementary skills aimed at auditing an information system, its applications, the entity’s databases or its controls.

The partnership between ISCAC and ISACA (www.isaca.org), through the ISACA Academic Advocates Program, assumes particular importance within the scope of this Curricular Unit, facilitating access to up-to-date and relevant documentation in the area of Information Systems Auditing (ISACA Journal), promoting the discussion of emerging themes worldwide and enhancing the involvement of students in the ISACA Student Group of ISCAC (formed in May 2013).

Finally, it is expected that students will be able to intervene in this area of Information Systems Audit through the promotion of events aimed at the general public, namely, through the holding of the “Digital Leaders of Tomorrow” Seminar.

Learning Results

At the end of the semester, the Computer Auditing student should achieve the following objectives:

  • Master the basic knowledge of Auditing, namely the procedures to be observed in a generic audit process and in auditing in Information Technologies;
  • Identify the appropriate profile and standards of conduct for exercising the profession of Auditor and Information Systems Auditor;
  • Know the most relevant standards in the field of Information Systems Auditing;
  • Know the certifications in the area of Information Systems Auditing and the codes of ethics and conduct;
  • Know methods, paradigms and instruments suitable for elaborating the diagnosis, audit and recommendations related to the computer system of an organization;
  • Acquire skills for preparing Information Systems Audit reports. These skills include writing in Portuguese with maximum accuracy, as well as studying bibliography in English and permanently updating knowledge;
  • Understand the stages and best practices for auditing: application controls, applications, cybersecurity programs, artificial intelligence implementation projects, databases, and Cloud Computing and Outsourcing operations;
  • Analyze procedures at the level of quality policies in Information Systems Audit processes: analyze a Procedure, Work Instructions and Forms, detect non-conformities, make recommendations and analyze follow-up;
  • Know the concept of CAAT and master a data audit tool (for detecting anomalies and fraud).


Students should also be able to have the following skills:

  • behave in accordance with the code of ethics and conduct for auditing information systems;
  • produce clear IS audit reports;
  • identify weaknesses in IS controls in cases of fraud involving IS and propose corrections and new control rules.

Program

Part I – Concepts and Framework

1. Generic Audit Concepts
1.1. Audit Concept and Audit Need
1.2. Need for IT Audit
1.3. Historical aspects
1.4. Audit Types
1.5. Phases of an Audit Process
1.6. Audit Methodology
1.7. Competencies and Behaviors of an Auditor
1.8. Data collection: Interviews and questionnaires
1.9. Audit Reports

2. Concepts of IT Auditing and the Internal IT Audit function
2.1. Historical aspects
2.2. Mission of the Internal IT Audit departments
2.3. Computer Auditor Profile
2.4. Role of the Audit Team
2.5. Attitude: Policing vs Partnership
2.6. Continuous Audit
2.7. Challenges of Computer Auditing
2.8. Anomaly and fraud detection
2.9. International Certification in Auditing

3. Information Systems Audit Process
3.1. Framework
3.2. Internal Controls
3.3. Define what to audit
3.4. Phases of an audit
3.5. Standards

Part II – Auditing Techniques
4. Audit of controls
4.1. Strategic planning
4.2. Performance indicators and metrics
4.3. Approval of monitoring projects and processes
4.4. Policies, standards, and procedures
4.5. Team management
4.6. Asset and capacity management
4.7. Management of change and reflection in systems
4.8. Checklists

5. Audit of Applications
5.1. Framework
5.2. Fundamental aspects of application auditing
5.3. Auditing Phases to Applications
5.4. Reference checklists

6. Audit of Databases
6.1. Framework
6.2. Fundamental aspects of auditing databases
6.3. Audit Phases to Databases
6.4. Tools and technology
6.5. Reference checklists

7. Audit of Cybersecurity Programs
7.1. Framework
7.2. Fundamental aspects of the audit of Cybersecurity Programs
7.3. Audit Phases for Cybersecurity Programs
7.4. Reference checklists

8. Auditing Cloud Computing and Outsourcing operations
8.1. Definitions of cloud computing and other forms of IT outsourcing
8.2. Third-party validations (Third-party attestations) and ISO 27001 certification
8.3. Controls for vendors’ selection
8.4. Items to include in contracts with vendors
8.5. Data security requirements
8.6. Operational, legal, and regulatory compliance challenges

9. Auditing the implementation of Artificial Intelligence’s projects

9.1 Framework
9.2 Checklist
9.3 Case Study

10. Forensic Auditing (Seminar)

10.1. Framework
10.2. Investigation
10.3. Case Study

11. Data Auditing and Auditing Tools for Non-IT Auditors
11.1. Computer Assisted Auditing Tools for anomaly and fraud detection
11.2. IDEA Analytics Practical Course
11.3. Case Study

Curricular Unit Teachers

Internship(s)

No

Bibliography

Main bibliography

  • Kegerreis, Mike, Schiller, Mike, Davis, Chris – IT Auditing: Using Controls to Protect Information Assets, 3rd edition, McGraw Hill, 2019

Additional Bibliography

  • Otero, Angel R. – Information Technology Control and Audit, 5th edition, Auerbach, 2019
  • Carneiro, Alberto – Auditoria e Controlo de Sistemas de Informação, FCA, 2009, ISBN: 972-722-436-9
  • Oliveira, José António – Método de Auditoria a Sistemas de Informação, Porto Editora, 2006
  • Cannon, David L., Bergmann, Timothy S., Pamplin, Brady – CISA: Certified Information Systems Auditor Study Guide, John Wiley & Sons, Pap/Cdr St edition, 12 May 2006, ISBN-10: 0782144381
  • Cascarino, Richard – Auditor’s Guide to Information Systems Auditing, John Wiley & Sons, 2007, ISBN: 978-0-470-00989-5
  • Granjal, Jorge – Segurança Prática em Sistemas e Redes com Linux, FCA Editores, 2017 (only the part on Auditing)
  • Hunton, James E., Bryant, Stephanie M., Bagranoff, Nancy A. – Core Concepts of Information Technology Auditing, John Wiley & Sons, Pap/Cdr edition, 7 Oct 2003, ISBN-10: 0471222933

Additional web materials and workbooks

  • ISACA website, Information Systems Audit and Control Association (www.isaca.org)
  • ISACA Journal: http://www.isacajournal-digital.org/isacajournal/Store.action
  • “The Institute of Internal Auditors” website (https://na.theiia.org/Pages/IIAHome.aspx)
  • Support slides developed specifically for the course
  • Other manuals for audit-support applications (IDEA, ACL, Working Papers)