When we began writing this book, we had a fundamental tenet: Write a clear handbook
for creating the organization’s IT audit function and for performing their IT audits. We
wanted this book to provide more than checklists and textbook theories but instead to
provide real-life practical guidance from people who have performed IT audit work day
in and day out in real corporations. If we’ve been successful, reading this book will accomplish
three objectives for the reader, above and beyond what can be obtained from
most IT auditing books and classes:
Guide the reader in how to perform the IT audit function in such a way that the
auditors maximize the value they provide to the company.
Part I of this book is dedicated to providing practical guidance on how to perform the
IT audit function in such a way that it will be considered an essential and respected
element of the company’s IT environment. This guidance is pulled from years of experience
and best practices, and even the most experienced of IT auditors will find a
plethora of useful tools and techniques in those chapters.
Enable the reader to perform thorough audits of common IT topics, processes,
and technologies.
Part II of this book is dedicated to guiding the reader with practical, detailed advice on
not only what to do but also why and how to do it. Too many IT audit resources provide
bullet-oriented checklists without empowering the auditor with enough information to
understand why they’re performing that task or how exactly to accomplish the step.
Our goal is to fill that gap for the reader.
Give the reader exposure to IT audit standards and frameworks as well as the
regulations that are currently driving the IT audit profession.
Part III focuses on standards and frameworks such as COBIT, ITIL, and ISO 17799 as
well as regulations such as Sarbanes-Oxley, HIPAA, and PCI. Another goal of this section
is to demystify risk assessment and management, which is required by most regulations.
A wealth of knowledge and resources for hardening systems and performing detailed
penetration tests are available in other texts. That is not the focus of this book. In
our experience as auditors, we have been called on more often to judge the quality of
internal controls from an insider’s standpoint. Therefore, the majority of audit steps in
this book are written with the assumption that the auditor has full access to all configuration
files, documentation, and information. This is not a hackers’ guidebook but
is instead a guidebook on how an auditor can assess and judge the internal controls
and security of the IT systems and processes at his or her company.
