Wen Ting Lu

Source: IT Auditing by Chris Davis and Mike Schiller

Q: Explain the key IT audit phases

A:
Phase 1: Planning- This phase is to determine the objectives and scope of the audit. This planning process will require careful research and consideration.

Phase 2: Fieldwork and Documentation- The audit team is acquiring information and performing interviews that will help them to analyze the…[Read more]

The 3 types of risk mitigating controls are:

1. Preventive Control – These are controls that prevent the loss or harm from occurring
Ex: Authorization and approval procedures;
-Use of passwords to stop unauthorized access to systems/applications
Supervision such as assigning, reviewing/approving, guidance and…[Read more]

Q: Comparing ITIL and COBIT: list some key similarities and difference based on your understanding

A:

Similarities: Both ITIL and COBIT are used by enterprises and IT professionals who need to address business needs in the ITSM area. These two frameworks complement one another.

Differences:

• ITIL was issued by OGC, it focus on i…[Read more]

Ian, I agree with Shahla

I also think that as students, we are more at risks.
The reason is that Temple has database that store over 30,000 students’s confidential data such as SSN# and bank information. If someone hack in Temple’s database, then it will bring a tremendous impact on students because all of their restricted information are…[Read more]

100 Million Accounts Stolen From Russian Web Portal Rambler

This article talks about hackers stole the detail of more than 98 million user accounts from Rambler, one of Russia’s largest web portals. For those of you who are not familiar with Rambler, it is like the “Russian version of Yahoo”, which offers web search, news aggregation, email…[Read more]

Mansi, I agree with you completely.

Auditors should have some understanding of technology prior to performing the audit. According to Professor Yao’s comment in one of the previous posts, auditors usually request information from company or someone who is being audited and they do not access data/information directly via accessing…[Read more]

A control environment is the cornerstone of the internal control system, it supports and decides other elements. In an organization, the control environment represents upper management’s attitudes, awareness and actions towards controls and focus they have on IT controls. The “Top-Down” approach to control are most often use in the organ…[Read more]

I agree with Brou. In the video the employees weren’t aware abut the important of information security, and they didn’t take it seriously. Therefore, they should have training on how to secure their information assets, I believe they have sufficient basic IT knowledge to work with technologies.

You are right Brou, nothing really can be guaranteed. However, I think for my company I will probably suggest my manager to add in a regular telephone line that does not need internet connection. Maybe by adding in telephone line will help to reduce the risk, and we are still able to work with clients when internet service is down.

I agree with Daniel , nowadays organization are living within technology and business are heavily rely on technology, especially computer systems. It’s very important for Operation and Financial auditors to have some understanding of technology because it will help the auditors to better perform the audit. For example, a financial auditors…[Read more]

Q: What is the purpose of all auditors having some understanding of technology?

A: The purpose of all auditors have some understanding of technology is that in today’s society mostly everything is paperless, we all use computers to store information and we rely on these technologies heavily. It’s very important that the auditor have at lea…[Read more]

Q: What are some current system-related risks that you have experienced in your organization?

A: I have experienced some system-related risks in my organization while I was working at a small CPA accounting firm

There are some physical threats such as employees wrote down their log in passwords in sticky notes and put on the desktop screen,…[Read more]

I totally agree! Especially when working with sensitive and confidential information, such as phone number, home address and SSN, etc .

Hi, Binu

You raised a very good and interesting question. I think it can be consider as human error threat.
Data entry errors or omissions could impact data integrity significantly, and there will be lesser extent data available. One possible way to reduce human error threat is to have a second person double check the data entered.

Daniel, I agree with you. But I think everyone should have a unique access code, I believe it will reduce the risk even more. However, all employees including the manager should have training on the importance of secure information assets for personal and business. It’s not a good idea to leave sensitive information such as pass code in…[Read more]

Thanks for pointing this issue out Professor Yao, I forgot about that one.
We should never leave anything in our vehicle, even something that might not worth that much money like clothes. People might break your car window for anything that they find suspicious.
Therefore, everyone should be very cautious and do not leave anything valuable…[Read more]

Q: Describe a business process you have experienced (either as an external or internal participant) and what your role was.
A: One of my experiences that I want to share is working as tax accountant in a small CPA accounting firm. My job was to prepare individual and business tax returns for clients.
In my company, we use a CRM called insightly…[Read more]

Q: In your own words, how would you define a control environment?
A: A control environment is the cornerstone of the internal control system, it supports and decides other elements. In an organization, the control environment represents upper management’s attitudes, awareness and actions towards controls and focus they have on IT controls. The “…[Read more]

Q: The Sabanes-Oxley Act in the US and many similar laws in other countries were enacted as result of high profile control failures. Are these laws a sufficient reaction to the failures or are they an overreaction? Explain.
A: The Sabanes-Oxley Act (SOX) served as sufficient reaction to protect corporations from accounting errors and…[Read more]