Advanced IT Auditing

Intended for IT auditors who have completed the introductory IT audit course, or for those who want to advance their existing IT knowledge, this intensive 3-day course will provide you with all the knowledge and techniques you need to tackle what are often seen as the ‘specialist’ areas of computer audit activity – networks, operating systems, databases and client-server computing.

In the first part of the course you learn about the principles of data communications and networking, where the basic controls are in the software and hardware, and how to assess the risks involved in data networks. You’ll be able to understand communications terminology, know what questions to ask the network professionals and how to evaluate their answers.

In the second part of the course, you will learn about the principles of computer operating systems, why they are important to the auditor, and how you can audit them. You will see how to set out an audit objective for an operating system audit and how systems are classified in terms of the degree of security they can provide. You will learn about the concepts of trusted software and how it should be secured and audited.

In the final part of the course, you will learn the principles of databases, how they are controlled and secured and the essential audit objectives associated with a database review. You will see how to evaluate database security and what information to request from database administrators to make your audit more efficient. You will also learn about the particular risks associated with the use of client-server computing environments, and where the auditor can make a contribution to the controls in client-server applications.

A ‘hands-on’ option is available for auditors who want to try out the tools and techniques for themselves.

Suggested duration: 3 days, but can be customised to your requirements.

Agenda

Introduction
Basics of IT controls and how they apply to networks, operating systems and databases

Networking concepts
The OSI model and its meaning to the auditor
Network devices – their uses and their risks
Physical network security
Logical network security – infrastructure devices and their risks
Network security issues
Device controls
Network boundaries
The particular risks of wireless networks
Network management software – its uses and misuses
Assessing network risks
Enumerating network devices
Identifying vulnerable devices
Identifying risky network services
Firewalls and how to audit them
The 10 principles of network security
Operating systems
How operating systems work
Operating system security classifications
Assessing OS and system software controls
Software development and trusted software controls
Database Systems
Principles of database operation
How databases interact with operating systems
Audit risks of database systems
Assessing database controls – Oracle and SQL Server
Database audit trails and how to use them
Client-server systems
The nature of client-server processing
How to identify and evaluate client-server controls
A practical example – building and auditing a client-server application