
Basic Concepts of Information System Auditing 1

Chapter I

Basic Concepts of Information System Auditing

Rafael Rodríguez de Cora

Copyright © 2000, Idea Group Publishing.

INTRODUCTION

The challenge of Information System Auditing, as it is known nowadays, is a consequence of a most important current trend, namely the change from an Industrial to an Information Society.

We are involved in profound changes of all kinds leading us into the 21st century. Organizations depend on the economic, industrial and social environment in which they develop, so if technological tendencies, economic environments and industries change, they have to adapt fast to the new circumstances in order to survive.

Such fast change is affecting the whole world, and understanding it is fundamental for all kinds of organizations, especially in relation to Information Systems and Related Technologies. For better or worse, the whole of Society is more and more dependent on information and communication systems.

On the other hand, the development of information technologies in the last twenty years has been constant and impressive. The past five years can be considered a true technological revolution in depth and impact. Nowadays the majority of organizations consider that information and its associated technology represent their most important assets. The quality, control and security requirements that are implemented for companies' other assets are also required for information systems and technology. Management must establish an adequate system of internal controls, and such systems should properly support business processes and resources.

Planning, control, security and cost reduction in Information Systems are currently essential to organizational strategies.

Generally speaking, the current situation of Information Systems is frequently characterized by a lack of assimilation of new technologies, poor use of information and technological resources, general dissatisfaction among users, obsolescent applications and a lack of planning. Applications in the past were not integrated but designed as partial solutions, and they have functioned as independent automated or manual islands. Manual processes were difficult to control and expensive to maintain. Finally, there was a lack of standards and methods, and a lack of training and general culture concerning the overall aspects of Information Control and Security.

Taking the initiative in dealing with these problems, the professional organization ISACA (Information Systems Audit and Control Association), through its Foundation, published CobiT (Control Objectives for Information and Related Technology), the result of four years of intensive research by a broad team of international experts that concluded in December 1995; the first release appeared in 1996.

In the past, Information System Auditing was used as a technical complement to Financial Auditing. Because of the growing impact of Information and Related Technology on organizations, this issue becomes more and more important, and it can only be seen and executed as an independent discipline. The methods and procedures of Information System Auditing are worth considering by organizations and enterprises of any size.

As a result of current global competition, organizations have to restructure their operations towards a more competitive and technological environment, and consequently they have to take advantage of Information Systems and Technology that are secure and controlled in order to hold and improve their market position. This fact should both stimulate students and professionals and increase the awareness of society in general of the importance of this key profession for the 21st century.

BACKGROUND

The evolution of Information Technology has come about thanks, on the one hand, to the better or worse use made of it by users and, on the other hand, to the commercial needs of the manufacturers and the advancement of technologies, which have more or less forced it on.

The Information Technology industry started from the first initial devices and has gone through several stages from the sixties to date (Figure 1).

The most significant stages are as follows:

• Electromechanical devices - Unit Record (one device for each administrative function, such as sorting, calculation, filing, printing, etc.)
• One computer for many - Mainframes (big central computers)
• One computer for a few - Minicomputers (departmental computers)
• One computer for one user - Single-user PCs (personal computers)
• A variety of users share resources - LAN (departmental communications; Local Area Network)
• A variety of computers for a wide range of users - WAN (network computing; Wide Area Network)
• Integration of information and communication - World Wide (global intercommunication; Information Highway)

As a result, these stages have generated the design, creation and utilization of different types of Information Systems, which have also evolved over time:

• Batch Systems
• Interactive Systems
• Office Automation
• Client/Server Systems
• Network Computing


The Nineties are characterized by what has been called "Network Computing", by which users can have access to computers of all kinds through global communication networks, as shown below in Figure 2:

Figure 1: Information Evolution

Figure 2: Network Computing Environment


Challenges and Strategies for Complexity

This new environment increases the complexity of all kinds of relations. The complexity of systems and technologies, together with the new tendencies mentioned, means increasing complexity in the exchange of products and services, which in turn leads to increasing complexity in the corporate infrastructure and in relations of all kinds.

This increased complexity impacts the general decision-making process, and also the decision-making process of Information System design, which must support the new business needs for the acquisition, utilization and control of the new technologies.

The interrelation of these factors means that the strategies have to be analyzed and designed in an integrated way, as shown in Figure 3 below:

Figure 3: Strategic Planning of Information Systems

[Figure 3 places the Information System Strategy alongside the Economic Strategy (global economics), the Organizational Strategy and the HR Strategy, linked through Integration and Change Management.]


GENERAL AUDIT CONCEPTS

Definitions and types of Auditing

Generally speaking, when it comes to auditing, we speak of a control tool, which involves a methodology to establish criteria so that we can measure the effectiveness, efficiency and possible deviations from the established objectives of a given system.

The environment or application defines the types or functions of auditing (by function or by system), so that we can distinguish:

• Financial Auditing
• Production Auditing
• Human Resources Auditing
• Environmental Auditing
• Etc.

The type of auditing that is best known, most applied by organizations and established as compulsory by law is Financial Auditing. According to its definition it concerns the "independent investigation of the financial situation of an entity, with the intention of expressing an opinion about the financial status in compliance with norms and established procedures and generally accepted accounting principles".

Since an independent opinion is required, the auditing function needs to be performed by external personnel. The people in charge of the External Auditing function in organizations must have strict codes of conduct and professional ethics, and they should have an impartial relationship with the audited entity.

The opinion on the financial statements of the company is based on:

• Reviewing and evaluating the Financial Control System.
• Performing specific Audit Tests.

Information System Auditing

The new developments in Information and Related Technologies have had an enormous impact and influence on the generation of Financial Statements, administrative systems and procedures, and accounting.

As soon as data and management procedures are handled by automated systems, Information Systems Auditing comes into play. This includes new methodologies and control techniques pertinent to an automated environment.

In a similar way to Financial Auditing, Information System Auditing requires an opinion about the Information Systems and the data that they process. The data must be accurate, complete and authorized. Errors must be properly detected and corrected in time, and there must be planned and accurate procedures to guarantee the continuity of operations.

Information System Auditing, which was once a complement to Financial Auditing, now has its own existence and can be considered a professional discipline.

When we change from a manual to an automated environment, we have to take into account some important differences from a control point of view:

Changes of nature in Automated Systems

MANUAL                        AUTOMATED
Cheap                         Expensive
Flexible                      Inflexible
Unpredictable errors          Systematic errors
More division of functions    Less division of functions
Easier back-up                More difficult or expensive back-up
Errors cause minor impact     Errors cause major impact
Less need of information      More need of information

Changes in auditing procedures.

• Evaluation of automated controls.
• Evaluation of the effective and efficient use of automated systems and resources.


• Impact on the scope and procedures of the following main circumstances:
- Basic accounting controls in computer programs.
- Integration of accounting systems through initial data input and databases.
- Use of computer capacity for decision making.
- Automatic transaction initiation.
- Loss of visible audit trails.
- Use of real-time processing.
- Concentration of functions and responsibilities in the Information Service Department.
- Accessibility of data and files held on magnetic media.

Audit perspective for automated systems:

• Orientation on systems.
• Orientation on data.

Information System Auditing Objectives

The general Information System Auditing objectives are as follows:

• Validation of the organizational aspects and administration of the Information Service function.
• Validation of the controls of the system development life cycle.
• Validation of access controls to installations, terminals, libraries, etc.
• Automation of Internal Auditing activities.
• Internal training.
• Training members of the Information Service Function Department.
• Collaboration with External Auditors.

There are good reasons why Management should be primarily interested in Auditing. First of all, control over Information Systems must be exerted in order to prevent:

• Excessive time and development costs.
• Unrealistic or impossible objectives to comply with.
• Rigid systems once they become operational.
• Non-compliance with value-added benefits.
• Costly methods and systems.

The lack of control involves many risks. Many systems fail because of some of the following reasons:

• Lack of management technical capacity.
• Lack of management support in system development.
• Inexperience of employees or lack of training.
• Unrealistic expectations with wrong orientations.

Information System Audit Plan

To approach an Information System, a plan has to be developed, similar to the ones used in Financial Auditing. Some of the tasks involved are as follows:

• Definition of scope and objectives.
• Analysis and understanding of standard procedures.
• Evaluation of system and internal controls.
• Audit procedures and documentation of evidence.
• Analysis of facts encountered.
• Formation of an opinion on the controls.
• Presentation of report and recommendations.

One of the most difficult things to determine is the objectives and scope of the Audit. As guidance, one can take into account the following variables to determine such scope:

• Extension and scope of the Financial Audit taking place.
• Duration and nature of the review, Internal or External Audit.
• Dimension of the installation and level of complexity.
• Level of centralization or distribution of systems and integration of databases.
• Existence of procedures and norms for the development and production environment.


Ideal Information System

There are many objectives that can lead towards the implementation of an Information System Audit. In any case, whatever the scope considered, we should look for the following main general objectives when we consider the Services and Infrastructures where Information Systems are developed:

• The Service should operate as an autonomous department, reporting to General Management.
• It optimizes the use of technical resources and provides automated services at minimum cost.
• It anticipates users' future needs without introducing experimental or insufficiently tested products.
• It operates in accordance with predefined standards and procedures, which guarantee reliable processes and an adequate distribution of results.
• Users are involved in the design and planning of applications.
• A cost-assignment method, based on actual utilization, is maintained to measure users' utilization of information resources.

Audit Techniques

Audit techniques are of various types, but they may be grouped into two types of evidence:

• Compliance Tests: They verify the correct execution or recording of an operation or process through its repetition or observation (test data, logic reviews, and sampling of a file).

• Substantive Tests: They make an analytic review of real data, to test its quality, by using audit software or packages (Computer Assisted Audit Techniques, CAATs).

Being more specific than the ones mentioned above, some of the most general audit techniques and tests are as follows:

• Interviews (management, staff, operators, users).
• Observation "on location" of the work environment.
• Audit Guidelines and Control Objectives (checklists to review controls).
• Organizational structure, flow charts (of manual and automated operations), file interrelations.
• System documentation and descriptions of the users' environment (standard software, hardware, terminals, etc.).
• Organizational hierarchy and segregation of duties.
• Use of specific audit software.
• Statistical sampling.
• Performing other kinds of specific tests to get evidence.
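The two kinds of evidence described above, as an added example that is not part of the original chapter: a small computer assisted audit technique in Python. It runs substantive tests over a whole ledger extract (accuracy by recomputing each line, completeness by looking for sequence gaps and duplicates, authorization and segregation of duties by checking the approver, reconciliation to a control total) and draws a reproducible statistical sample on which the approval and pricing control can be re-performed as a compliance test. The ledger rows, the control total and the field layout are constructed for the example and are assumptions, not data from any real system.

```python
import csv
import io
import random
from decimal import Decimal

# Constructed extract of a purchase ledger (not real data). The layout is an
# assumption: id, date, initiator, approver, qty, unit_price, amount.
LEDGER_CSV = """id,date,initiator,approver,qty,unit_price,amount
1001,2000-03-01,alice,bob,10,12.50,125.00
1002,2000-03-01,alice,bob,3,40.00,120.00
1003,2000-03-02,carol,,5,9.99,49.95
1005,2000-03-02,dave,dave,2,300.00,600.00
1006,2000-03-03,alice,bob,7,15.00,100.00
1006,2000-03-03,alice,bob,7,15.00,105.00
"""

# Control total reported by the posting run (constructed); the ledger should reconcile to it.
REPORTED_CONTROL_TOTAL = Decimal("1100.00")


def parse_ledger(text):
    """Parse the CSV extract into dicts, keeping money in Decimal to avoid float rounding."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "id": int(row["id"]),
            "date": row["date"],
            "initiator": row["initiator"],
            "approver": row["approver"],
            "qty": int(row["qty"]),
            "unit_price": Decimal(row["unit_price"]),
            "amount": Decimal(row["amount"]),
        })
    return rows


def substantive_tests(rows, control_total):
    """Analytic review of the whole file: accuracy, completeness, authorization, reconciliation."""
    findings = {"gaps": [], "duplicates": [], "arithmetic": [],
                "unapproved": [], "no_segregation": []}
    ids = sorted(r["id"] for r in rows)
    for prev, cur in zip(ids, ids[1:]):
        if cur - prev > 1:
            findings["gaps"].extend(range(prev + 1, cur))   # completeness: missing sequence numbers
    seen = set()
    for r in rows:
        if r["id"] in seen:
            findings["duplicates"].append(r["id"])         # completeness: posted twice
        seen.add(r["id"])
        if r["qty"] * r["unit_price"] != r["amount"]:
            findings["arithmetic"].append(r["id"])         # accuracy: recomputed extension differs
        if not r["approver"]:
            findings["unapproved"].append(r["id"])         # authorization: no approval recorded
        elif r["approver"] == r["initiator"]:
            findings["no_segregation"].append(r["id"])     # same person initiated and approved
    findings["ledger_total"] = sum(r["amount"] for r in rows)
    findings["reconciles"] = findings["ledger_total"] == control_total
    return findings


def select_sample(rows, size, seed=20000301):
    """Compliance test support: a reproducible random sample of records for re-performance."""
    rng = random.Random(seed)
    return sorted(rng.sample(rows, size), key=lambda r: r["id"])


def reperform_control(row):
    """Re-execute the approval and pricing control on one sampled record."""
    approved = bool(row["approver"]) and row["approver"] != row["initiator"]
    priced = row["qty"] * row["unit_price"] == row["amount"]
    return approved and priced


if __name__ == "__main__":
    ledger = parse_ledger(LEDGER_CSV)
    for key, value in substantive_tests(ledger, REPORTED_CONTROL_TOTAL).items():
        print(f"{key}: {value}")
    for record in select_sample(ledger, 3):
        print(record["id"], "passes" if reperform_control(record) else "FAILS")
```

The substantive pass reports every exception in the population; the sample is what the auditor would re-perform by hand (or against source documents) to conclude that the control operated. On the constructed extract, 1004 is missing, 1006 is posted twice with one mis-extended line, 1003 was never approved, 1005 was approved by its own initiator, and the file total of 1099.95 does not reconcile to the reported 1100.00.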

PAST AND FUTURE TRENDS IN INFORMATION SYSTEMS AUDITING

For technical reasons, Information System Auditing has gone through several phases which, while sometimes confusing, are widening more and more the distance from Financial Auditing and integrating it into today's complex and sophisticated Information Systems. Without clearly delimited borders in time, we can define the following phases:

Auditing around the computer:

In a first phase, when there were more manual than automated systems, the Financial Auditors treated the computer as a "black box" and reviewed only the input and output controls, data and procedures, without analyzing the internal process, which required technical knowledge.

What was done, in practice, was just to review manually what the computer produced, since this was fairly easy to do as it concerned almost only batch processes.

Auditing the computer:

A second phase came into being when the concentration of data and processes inside the computer became more significant, and Financial Auditors had to rely upon Information Technology specialists to assure that the controls in an automated environment and within the machine were sufficiently reliable and allowed a reasonable guarantee of information processing from an auditor's point of view.

Auditing through the computer:

The third phase arrived when Information System Auditing became an object in itself, because of its importance, and transcended Financial Auditing, offering a market of independent consultancy to verify the efficiency and global use of the organization's Information Systems.

Auditing with the computer:

In this phase auditors started using the computer in their turn for typical audit tasks like project preparation, statistical sampling, reports and other activities. Auditors turned either to Information Technology experts who were specialists in the client's environment or to their own in-house specialists to perform tests, statistical samples or data extraction programs (Computer Assisted Audit Techniques).

Auditing inside the computer:

We are now in a further phase, which started a few years ago, where many hardware and software systems incorporate controls and security procedures which would previously have been compensated for manually or with alternative procedures and controls.

In this context, we can quote some advanced technologies which require, by their own design and by industry and market policies, the incorporation of controls or security mechanisms:

• Hardware
- Parallel processors or clusters
- Systems with built-in uninterruptible power supply
- Fault-tolerant systems

• Operating Systems
- Security and access mechanisms on many levels
- C2 security level in UNIX System V (DoD "Orange Book")
- Built-in audit subsystems or routines

• Databases
- On-line back-ups
- Mirroring
- Two-phase commits
- Fourth Generation Languages (4GLs)
- Security and access mechanisms on many levels
- Transaction generators for audit purposes

• Communications
- Message switching
- Encryption
- Firewalls
- Etc.
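A built-in audit subsystem of the kind listed under Operating Systems, as an added example not drawn from the chapter: a Python audit routine that records who did what and links each entry to the previous one by a SHA-256 hash, so that a verifier can detect a later edit to an entry or a deleted entry. This answers the "loss of visible audit trails" concern raised earlier in the chapter. Hash chaining is this editor's choice of mechanism and goes beyond the text, which only names the subsystem; the event records are constructed for the example.

```python
import hashlib
import json

GENESIS = "0" * 64  # previous-hash value for the first entry


def _digest(entry):
    """Hash the canonical JSON form of an entry (every field except its own hash)."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class AuditTrail:
    """Append-only audit routine: each entry commits to the entry before it."""

    def __init__(self):
        self.entries = []

    def record(self, ts, user, action, detail):
        """Append one event. ts is passed in so the trail is reproducible."""
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"seq": len(self.entries) + 1, "ts": ts, "user": user,
                 "action": action, "detail": detail, "prev": prev}
        entry["hash"] = _digest(entry)
        self.entries.append(entry)
        return entry


def verify_trail(entries):
    """Walk the chain; return (True, None) or (False, seq of the first bad entry).

    An entry is bad if its sequence number is out of order (an entry was removed
    or inserted), its prev field does not match the previous hash, or its own
    hash no longer matches its contents (an entry was edited).
    """
    prev = GENESIS
    for expected_seq, e in enumerate(entries, start=1):
        if e["seq"] != expected_seq or e["prev"] != prev or e["hash"] != _digest(e):
            return False, expected_seq
        prev = e["hash"]
    return True, None


def build_sample_trail():
    """Constructed events for a payment application (not real data)."""
    trail = AuditTrail()
    trail.record("2000-03-01T09:00:00", "alice", "create_payment", {"id": 1001, "amount": "125.00"})
    trail.record("2000-03-01T09:05:00", "bob", "approve_payment", {"id": 1001})
    trail.record("2000-03-01T09:06:00", "system", "post_payment", {"id": 1001})
    return trail


def tamper_and_check(trail):
    """Show what the verifier reports after an after-the-fact edit and after a deletion."""
    edited = [dict(e) for e in trail.entries]
    edited[0]["detail"] = {"id": 1001, "amount": "1250.00"}   # amount silently changed
    deleted = trail.entries[:1] + trail.entries[2:]          # approval record removed
    return verify_trail(edited), verify_trail(deleted)


if __name__ == "__main__":
    trail = build_sample_trail()
    print("intact:", verify_trail(trail.entries))
    print("edited, deleted:", tamper_and_check(trail))
```

The chain only proves that nothing was altered after it was written; an attacker who can rewrite the whole file can rebuild it. In practice the latest hash is therefore periodically copied somewhere the application cannot write (a separate log host, or the auditor's own work papers), which is the compensating control the auditor checks for.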

CONTROL CONCEPTS

The accelerated change in technology also affects the nature and mechanisms of controls. Control technologies are changing in two different ways. On the one hand, as mentioned before, basic manual and automated controls are now part of the design of modern hardware and software systems. On the other hand, new control technology which did not exist before is available now. Audit standards and objectives do not vary between manual and automated systems, but the scope, the emphasis on every type of control, and the methods and procedures do vary substantially with every kind and level of system automation.

The ISACF (Information Systems Audit and Control Foundation) released in 1996 a product called CobiT, "Control Objectives for Information and related Technology", to define an applicable control methodology. In 1998 the second version of CobiT was released, which is now available.

Control Objectives

Management's responsibility is to safeguard the organization's assets. Nowadays, for many organizations, information and its supporting technology are considered the most important assets.


In general, the major control objectives are considered to be as follows:

• Safeguarding of assets
• Guaranteeing data accuracy, reliability and authorization
• Operational efficiency
• Compliance with organizational policies and procedures

Lack of control can generally mean the following risks:

• Erroneous decisions
• Fraud
• Business interruption
• Excessive costs
• Competitive disadvantages
• Illegal situations

An IT Control Objective is defined as a statement of the result or purpose which is desired to be achieved by implementing control procedures in a particular IT activity. In order to provide the information that the organization needs to achieve its objectives, IT resources need to be managed by a set of naturally grouped processes. (ISACA, 1998)

Control Environment

Controls can be grouped according to the following three environments:

[Diagram: three control areas, A, B and C, spanning the Users and D.P. (Data Processing) sides of the system.]

a) Accounting Controls - procedures, etc.
b) Processing Controls - data completeness and reliability
c) Environmental Controls - (all others)


When analyzing a system's internal controls, the manual and the automated parts should not be separated. The analysis should always be oriented towards the control guarantee of the system as a whole. This means that analyzing and obtaining an understanding of the Information System must take place in the context of the whole System Life Cycle. Likewise, the conclusions reached about the adequacy or deficiency of controls must be drawn globally: we may find that one kind of control is deficient, but it can be compensated for by another type of control or by a general procedure.

Control Scope

The Control Scope defines which resource the control applies to at a given moment of the Audit, such as the facilities, the systems or specific data. In particular, CobiT defines the following resources:

Data: external and internal data objects, structured and non-structured data, graphics, sound, etc.
Application Systems: the sum of manual and programmed procedures.
Technology: hardware, operating systems, database management systems, networking, multimedia, etc.
Facilities: resources to house and support Information Systems.
People: including staff skills, awareness and productivity to plan, organize, acquire, deliver, support and monitor Information Systems and Services.
(ISACA, 1998)

IT Domains & Processes

The CobiT framework consists of Control Objectives and an overall structure for their classification. CobiT considers the management of IT resources on three levels of IT effort:

Activities and Tasks, which are needed in order to achieve a measurable result.
Processes, one layer up, which are defined as a series of joined activities or tasks with natural (i.e. control) breaks.
Domains, which are groups of processes naturally grouped together.
(ISACA, 1998)

Each of these categories in turn establishes and includes a number of controls, control objectives and a methodology to perform the Audit more specifically. CobiT identifies the following four Domains:

Planning and Organisation

This domain covers strategy and tactics for Information Systems and is concerned with the way IT can best contribute to the achievement of the business objectives. The implementation of the strategic vision needs to be planned, communicated and managed, and a proper organization and technological infrastructure must be provided.

Acquisition and Implementation

IT solutions need to be identified, developed or acquired, as well as implemented and integrated into the business process. In addition, this domain covers changes in and maintenance of existing systems.

Delivery and Support

Actual delivery of required services is also a concern. In order to deliver services, the necessary support processes must be set up. This domain includes the actual processing of data by application systems, often classified under application controls.

Monitoring

All IT processes need to be regularly assessed over time by internal and external audit, according to their quality and compliance with control requirements.

(ISACA, 1998)


DEVELOPMENT OF THE AUDIT FUNCTION

Planning and Scope

Normally an Audit Program consists of the following phases or steps:

• Preliminary evaluation of the Audit to define objectives and scope.
• Investigation of norms, procedures and controls to comply with the defined objectives and to identify potential existing risks.
• Program elaboration and detailed work schedule, including necessary logistics and formalities.
• Team selection and definition of other resources to carry out the program.
• Definition of Audit tests to be performed and tools to use:
- Checklists
- Tests
- Verifications "in situ"
- Etc.
• Performance of Audit work through the knowledge and analysis of information, collection of evidence, and compliance testing and verification.
• Examination of existing controls and risk assessment, exposing deficiencies and documenting findings.
• Verifying results against proposed objectives.
• Preparation of the Audit opinion and elaboration of the Audit report, including recommendations.
• Review and filing of work papers.

Audit Work Team

In an Audit Work Team, people at different levels normally use the work papers:

• Manager: responsible for the Audit and quality control, guaranteeing that the work is completed and has been done in compliance with standards and procedures, and that conclusions are well documented.
• Senior/Team leader: responsible for the work papers, the scope of the Audit and supervision of the work team.
• Staff: responsible for the performance of the Audit and the documentation of the work done.

Risk Assessment

Risks to an Information System are normally understood as potential or real circumstances which might cause loss of value to the organization's assets. In particular, the risks which affect data are as follows:

• Manipulation errors.
• Intentional fraud.
• Sabotage.
• Leakage of confidential information.
• Natural disasters.
• General environmental accidents.

These risks can have immediate consequences, as follows:

• Data corruption, affecting its reliability.
• Interruption of processes, limiting data availability.
• Destruction of data, resulting in a lack of integrity.
• Disclosure or theft of data, resulting in a loss of privacy or confidentiality.

In any case, this problem leads to economic loss, which can be very serious, affecting the organization's image or even creating the basis for illegal situations in the organization.

The causes that generate a lack of security can be accidentalor deliberate.

When implementing controls to minimize risk, one should take into account that the cost of implementing a control should always be lower than the cost of the potential loss it mitigates, and that the control should be effective against that risk.

Risk evaluation and quantification should always take place, although total security does not exist. There is always a trade-off between the cost of risk and the cost of control.


Audit Work Papers and Audit Administration

For the administration of the Audit, the Audit Team must use a standard set of work papers. To carry out the Audit and support its opinions and evidence, the Auditors must prepare the following set of documents:

• Proposal or Presentation of the Audit.
• Progress Reports.
• Work Papers: "Permanent File".
• Other Work Papers.
• Preliminary Reports.
• Final Audit Report (opinion).

• Proposal: Generally speaking, the proposal to a customer, or the preceding Audit presentation to an organization, should have the following structure:
- Introduction.
- Scope and conditions.
- Work Team.
- Audit Plan and Schedules.
- Special Requirements or needs.
- Fees (and expenses).

• Progress Report

At least one, or several periodic, progress reports should be made throughout the Audit work. They identify past or future problems or incidents, proposing solutions. They are also useful in reporting scope deviations and possible changes in planning and budgets.

"Permanent File"

The "permanent file" contains information of interest to the auditor about a system or specific area. The information obtained and the date of the audit need to be updated in subsequent system audits.

The permanent files must be designed so as to contain the basic documentation about the system or area under review.


• Other Work Papers
- Audit Programs.
- List of pending issues.
- Recommendations and follow-up on weak points.
- Administration:
  - Assignment and control of resources.
  - Time and expense reports.
  - Invoicing management.
- Meetings:
  - Preliminary.
  - Periodic.
  - Final.

• Preliminary Reports

Draft reports, which are to be discussed with the client for possible comments and observations.

• Final Opinion Report

Final Audit Report, which will be sent to the Board of Directors of the customer or organization which asked for the Audit. It must be clear and consistent, summarizing the Audit results.

It must contain specific recommendations resulting from the Audit and describe the impact of the detected lack of controls. The contents of the working papers are fundamental because they are used to support the opinion.

The aspects which have to be taken into account are as follows:

• Complete information.
• Precise information.
• Relevant information.
• Standard format and uniform structure.


ORGANIZATIONAL ASPECTS

Organization

Information System Auditing can be carried out by:

• Departments of Organization and Methods.
• Quality control departments.
• Internal Audit Services.
• External Audit Firms.

If done internally, the Information System Auditing Function should be under the Internal Auditing Function and independent of the Information Services Function, which is one of the objects of the Audit.

There are two types of Information System Auditors:

• IT Specialists supporting Auditing.
• Auditors with IT expertise.

The size and organizational structure of the Information System Audit Function will depend on the size of the organization; for technical considerations or policies, it can be separated functionally from the Financial and Operational Audit Departments.

Educational Plan

The IS Auditor must have a general understanding of Auditing, regarding both the applications to be reviewed and the auditee environment.

It is also essential to have an understanding of Information Technology, the technological environments and the business of the audited firm. Auditors can be trained and educated in four different and complementary ways:

• Academic means

A list of colleges and universities offering courses and degrees in IS controls is now available. This information will also be used to disseminate information about ISACA, interchange ideas with students and teachers interested in learning more about the IS audit profession, encourage ISACA Standards and Code of Ethics, and provide a forum for ideas and suggestions from within the academic community.

• Professional Experience

IS Audit training and experience achieved "on the job" have been the basic entry into the profession for the majority of today's IS Auditors.

These professionals were normally trained by the big auditing firms or large financial and insurance institutions, either as External Consultants or Internal IS specialists.

• Professional Associations

Several professional associations exist all over the world in the areas of IS Audit, Control and Security. They define and certify standards of competence, subscribe to professional ethics and norms of conduct, and organize courses and seminars.

One of the most important is ISACA, which regards itself as a professional association for IT Governance, Audit, Control and Security.

• Specific Seminars

Several courses and specific seminars are continually offered, covering technological subjects and Audit-related fields, to promote the continuing education policy of ISACA. This is part of a certification program for IS Auditors called CISA (Certified Information Systems Auditor).

• Benefits of becoming CISA

A growing number of organizations are recommending that employees become certified. The CISA designation assures employers not only that their staff are able to apply state-of-the-art information system audit, security and control practices and techniques, but also that these skills are maintained. For these reasons, many employers regard achievement of the CISA designation as a strong factor for employment and/or promotion.


Norms of conduct

Because of the nature of its activities, the Auditor is subject to rigid professional ethics and is bound to adhere to professional standards. Professional ethics, and chiefly independence, are the fundamentals of conduct in Audit practice.

As a result, in recent times multinational audit firms which had other activities were obliged to separate those activities, so that they were not subject to other influences or interests concerning the auditee.

In this sense, there are several published standards which Auditors must follow. They cover several areas of professional practice in relation to the following professional ethics:

• Supporting the establishment of and compliance with standards, procedures and controls for Information Systems.
• Complying with Information System Auditing standards as adopted by the Information Systems Audit and Control Association (ISACA).
• Serving the interests of their employers, stockholders, clients and the general public in a diligent, loyal and honest manner, and not being knowingly party to any illegal or improper activities.
• Maintaining the confidentiality of information obtained in the course of their duties. The information shall not be used for personal benefit nor released to inappropriate parties.
• Performing their duties in an independent and objective manner and avoiding activities which threaten, or may appear to threaten, their independence.
• Maintaining competency in the interrelated fields of auditing and information systems through participation in professional development activities.
• Using due care to obtain and document sufficient factual material on which to base conclusions and recommendations.
• Informing the appropriate parties of the results of audit work performed.
• Supporting the education of management, clients and the general public to enhance their understanding of auditing and information systems.
• Maintaining high standards of conduct and character in both professional and personal activities.

REFERENCES

Alonso Rivas, G. (1988). Auditoría Informática. Ed. Díaz de Santos.
Colección Manuales y Desarrollo de Sistemas. (1993). Metodología de planificación. "Métrica Versión 2". Ed. MAP.
(Handbook) (1992). "Electronic Data Processing". Ed. Federal Financial Institutions Examination Council.
Information Systems Audit and Control Foundation. (1998). "CobiT". Ed. Information Systems Audit and Control Foundation.
ISACA. (1998). "Review Technical Information Manual". Ed. Information Systems Audit and Control Association.
McClure, Carma. (1992). "Case: la automatización del software". Ed. Rama.
Plans, J. (1984). La Calidad Informática. Ed. Deusto.
Rao Vallabhaneni, S. (1998). "CISA Examination Textbooks". Ed. SRV Professional Publications.
Weber, R. (1988). "EDP Auditing: Conceptual Foundations and Practice". Ed. McGraw Hill.

WEB SITES

http://www.isaca.org
http://www.theiia.org
http://www.securityforum.org
http://www.itauditor.org
http://www.sans.org