If you haven’t conducted an IT audit before, or you’ve only been involved in a couple of IT audits, then this course is the ideal starting point. It aligns to the latest standards and best practice approaches and is updated each year to keep pace with emerging technology. The course will enable you to confidently perform a review of the impact of technology on your organisation.
Who should attend?
This course is open to all but is best suited to those with limited IT audit experience.
What will I learn?
Upon completion you will be able to:
- understand the approach to IT Auditing and relevant best practices
- review best practice and regulations that affect IT Systems
- review application systems
- review systems under development
- review configuration and change management
- review physical security
- review logical security
- review contingency and continuity plans
- perform basic network reviews.
The course is accompanied by an extensive indexed manual that has full course text, examples and practical work.
Introduction to IT auditing
- the IT auditor and risk-based auditing – how they fit together
- high-level IT risks: Confidentiality, Integrity, Availability and Accountability
- low-level risk connecting to high-level risk
- creating, scoping, and documenting IT audit work.
Working to standards, best practices and the Law
- governance: ISO/IEC 38500:2008 - what should be reviewed?
- COBIT, ITIL and ISO 27000 – what are these?
- PCI standard – what should be reviewed?
- data Privacy – what should be reviewed?
- other relevant legislation – what should be reviewed?
Auditing live systems – using a risk-based approach
- applications and the distribution of controls
- IT directive, preventative, detective and corrective controls
- user constraint and oversight controls
- what to look for in controls designed to offset application business process risks.
Auditing systems under development
- software development life cycles, what should be reviewed?
- prototyping – rapid application development – agile development methods.
Auditing IT Configuration and Change Management
- configuration management – what should be reviewed?
- change management – what should be reviewed?
Auditing key building blocks of IT control
- physical and environmental security – what should be reviewed?
- logical access control: registration, identification, authentication, authorisation and logging – what should be reviewed?
- the user community – finding them, extracting them
- passwords and biometrics – what should be reviewed?
- systems administration, granting permissions, rights and privileges
- common handling procedures related to logical access – discussion
- event logging and trails, reporting on user activity – what should be reviewed?
- contingency and disaster avoidance including ISO 27031 – what should be reviewed?
- support options to supplement organisational capacity
- maintaining and testing the plan.
- network terminology and network diagrams
- LANs, WANs and WLANs
- switches, routers and firewalls – what should be reviewed?
- VPNs and encryption – protecting data flowing across a network
- networks overall – what should be reviewed?
CPE competency areas covered
- Business acumen
- Governance, risk and control
21 CPE points
Member: £1700 + VAT
Non-member: £1915 + VAT
SAVE £300 when you book 3 months in advance for a face to face course