Ying Cheng says
After reading the materials, I learned something about Hardware/Software Acquisition. An IS auditor should be involved in the software acquisition process to determine whether an adequate level of security controls has been considered prior to any agreement being reached. If security controls are not part of the software, it may become difficult to ensure data integrity for the information that will be processed through the system. Risk involved with the software package includes inadequate audit trails, password controls and overall security of the application. Because of the risk, an IS auditor should ensure that these controls are built into the software application.
Xiaohan Chen says
Through reading, I first have a certain understanding of the tools of system development, and then I am more interested in the actual operation of testing process by combining software as a part of the whole computer system with hardware, peripherals, other systems and data. I am also interested in simulation testing, black and white box testing, regression and parallel testing methods.
Yu Hu says
Through reading, I first gained a certain understanding of system development tools and hardware/software. I also learned that if security controls are not part of the software, it may be difficult to ensure the data integrity of the information processed through the system, and I learned that information system auditors should be involved in the software procurement process to determine whether adequate levels of security controls have been considered before any agreement is reached.
Shengjie Zhang says
It is mentioned in the book that the longer the product is supplied, the higher the reliability. This broke my previous thoughts. I used to think that newer systems or products will have better reliability because of product iterations. Now I realize that in some areas, new products mean that they have not passed the test of time.
Shengyuan Yu says
While reading, I am very interested in “Acquisition Steps”.
In particular, during the acquisition process, it is necessary to verify that the source of the hardware is not a product from a “gray market” supply source, which may increase the risk of the operability of malware and other unknown products. This is a very important but easy to forget thing.
Yijing Zhan says
I am more interested in the “risks related to using USB” mentioned in 4.1.3, because we use memory cards or flash drives in our daily life and study, as they are small and easy to carry. To me, they are very commonly used items. But I did not know that they can be carriers of USB computer viruses. The virus in the malware will be transferred along with the file during the transfer process.
Lei Tian says
After reading, I am interested in DSS. A decision support system (DSS) is a computerized program used to support determinations, judgments, and courses of action in an organization or a business. A DSS sifts through and analyzes massive amounts of data, compiling comprehensive information that can be used to solve problems and in decision-making. Decision support systems allow for more informed decision-making, timely problem-solving, and improved efficiency in dealing with issues or operations, planning, and even management. The DSS can be employed by operations management and other planning departments in an organization to compile information and data and to synthesize it into actionable intelligence. In fact, these systems are primarily used by mid- to upper-level management.
Haoyu Bai says
SIX IS AUDITOR’S ROLE IN INFORMATION SYSTEMS TESTING
• Review the test plan for completeness.
• Reconcile control totals and converted data.
• Review error reports for their precision in recognizing erroneous data and resolution of errors.
• Interview end users of the system for their understanding of new methods, procedures and operating instructions.
• Review system and end-user documentation to determine its completeness and verify its accuracy during the test phase.
• Verify that system security is functioning as designed.
Yiqiong Zhang says
After reading the article, I learned more about Hardware/Software Acquisition, system software acquisition, Integrated Resource Management Systems and control identification and design. Above all, the most interesting thing for me is that procedures should be established to ensure that input data are validated and edited as close to the time and point of origination as possible. And if input procedures allow supervisor overrides of data validation and editing, automatic logging should occur. A manager who did not initiate the override should review this log. It lets me know more about how to manipulate the hardware/software well and gives me a further understanding of IT auditors.
Xiaomeng Chen says
Through reading, I am interested in the DSS system.
DECISION SUPPORT SYSTEM: A decision support system (DSS) is an interactive system that provides the user with easy access to decision models and data from a wide range of sources in order to support semistructured decision making tasks typically for business purposes. It is an informational application that is designed to assist an organization in making decisions through data provided by business intelligence tools.
1. DSS tends to be aimed at the less well structured, underspecified problem that upper level managers typically face.
2. DSS attempts to combine the use of models or analytic techniques with traditional data access and retrieval functions.
3. DSS specifically focuses on features which make them easy to use by non-computer-proficient people in an interactive mode; and DSS emphasizes flexibility and adaptability to accommodate changes in the environment and the decision making approach of the user.
Yutong Sun says
By reading this material, I gained some knowledge which can be helpful for understanding what roles hardware and software play in the real environment. Also, I learned the approaches by which an organization assigns staff to create hardware and software in order to meet the requirements for completing the business.
Zijie Yuan says
When I read the 12th chapter “computing distribution and internet system”, a key word that aroused my interest was “cloud computing”. Cloud service refers to obtaining required services through the network in an on-demand and easy-scalable manner. Cloud computing enables customers to access various resources on demand with as few human interactions as possible. At the same time, when the cloud computing service model migrates data, reliability, feasibility, privacy, compliance, etc. need to be considered. Enterprises of all sizes are turning to cloud services, such as the popular public cloud products AmazonWeb, AWS and Microsoft Azure. The key advantage is that cloud services can be used anytime, anywhere and are very flexible. Cloud computing also saves costs. As cloud services follow a one-to-many model, the cost is greatly reduced compared with the deployment of separate desktop programs. Of course, the organization has to deal with the potential danger, which is the loss of data.
Dacheng Xu says
After reading this article, I further understand the hardware / software acquisition, system software acquisition, integrated resource management system and control identification and control design. And most importantly, what I am most interested in is that a program should be established to ensure that the validation and editing of input data is as close to the time and time starting point as possible. Also, if the input process allows the supervisor to override data validation and editing, automatic logging should be performed. Managers who do not initiate coverage should review the log. And it can let me know how to operate hardware / software better, and have a further understanding of it.
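The input control described in Yiqiong Zhang's and Dacheng Xu's comments above (validation at the point of origination, automatic logging of supervisor overrides, and review by a manager who did not initiate the override), as an added Python example that is not part of any commenter's post or of the CISA text. The account format, amount limit, user names and the `InputControl` class are assumptions made for illustration.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Constructed edit rules for the illustration (not from the CISA text).
ACCOUNT_RE = re.compile(r"[A-Z]{2}\d{6}")
AMOUNT_LIMIT = 10_000


def validate(record: dict) -> list:
    """Run edit checks at the point of entry; return the names of failed checks."""
    failures = []
    if not ACCOUNT_RE.fullmatch(str(record.get("account", ""))):
        failures.append("account_format")
    amount = record.get("amount")
    if isinstance(amount, bool) or not isinstance(amount, (int, float)) or amount <= 0:
        failures.append("amount_positive")
    elif amount > AMOUNT_LIMIT:
        failures.append("amount_limit")
    return failures


@dataclass
class OverrideEntry:
    entry_id: int
    record: dict
    failed_checks: list
    overridden_by: str
    logged_at: str
    reviewed_by: Optional[str] = None


class InputControl:
    """Hypothetical input screen: validates, logs overrides, enforces independent review."""

    def __init__(self, supervisors, managers):
        self.supervisors = set(supervisors)   # may override failed edit checks
        self.managers = set(managers)         # may review the override log
        self.accepted = []
        self.override_log = []

    def submit(self, record: dict, supervisor: Optional[str] = None) -> str:
        failures = validate(record)
        if not failures:
            self.accepted.append(record)
            return "accepted"
        if supervisor is None:
            return "rejected"
        if supervisor not in self.supervisors:
            raise PermissionError(f"{supervisor} may not override edit checks")
        # The log entry is written by the same code path that accepts the
        # record, so an override cannot happen without leaving a trace.
        self.override_log.append(OverrideEntry(
            entry_id=len(self.override_log) + 1,
            record=dict(record),
            failed_checks=failures,
            overridden_by=supervisor,
            logged_at=datetime.now(timezone.utc).isoformat(),
        ))
        self.accepted.append(record)
        return "accepted_with_override"

    def pending_review(self) -> list:
        """Overrides that no independent manager has reviewed yet."""
        return [e for e in self.override_log if e.reviewed_by is None]

    def review(self, entry_id: int, reviewer: str) -> None:
        entry = next((e for e in self.override_log if e.entry_id == entry_id), None)
        if entry is None:
            raise KeyError(entry_id)
        if reviewer not in self.managers:
            raise PermissionError(f"{reviewer} is not a reviewing manager")
        # The reviewer must not be the person who initiated the override.
        if reviewer == entry.overridden_by:
            raise PermissionError("reviewer initiated this override")
        entry.reviewed_by = reviewer


if __name__ == "__main__":
    # Constructed users: sup_lee is both a supervisor and a manager.
    ctl = InputControl(supervisors={"sup_lee"}, managers={"sup_lee", "mgr_wu"})
    print(ctl.submit({"account": "AB123456", "amount": 250}))
    print(ctl.submit({"account": "AB123456", "amount": 50_000}, supervisor="sup_lee"))
    ctl.review(1, "mgr_wu")
    print(ctl.pending_review())
```

An auditor testing this control would look for two things in the evidence: every record accepted despite a failed check has a matching log entry, and no entry is signed off by the person who made the override.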
Yuting Yang says
Through reading, I have a certain understanding of the system development tools, hardware/software. If it is not part of the software security controls, it may be difficult to ensure the integrity of the data that is being processed through the system, and the information system auditor should be involved in the software procurement process so that the adequacy of the security controls can be determined before any agreement is reached.
Lisheng Lin says
An IS auditor must be able to identify and understand controls designed to ensure the authorization, accuracy and completeness of data input to, processing by and output from various business and computer applications. An IS auditor must also be familiar with control techniques and how each may be evidenced in the form of reports, logs and audit trails.
Zhiyuan Lian says
After reading the material, I know a lot and more details about the specifications of hardware and software. When acquiring a system, the process of specifications like information processing requirements, hardware requirements and HW/SW evaluation assurance levels (EALs) for security robustness.
Xuemeng Li says
Through reading the material, I have a certain understanding of hardware/software acquisition. While acquiring hardware and software, pay attention to whether it comes from a market that will warn you. The supply of such products will largely lead to the increase of malicious software and increase the security and operational risk of other unknown products. The role of the auditor is important when reviewing application controls. IS auditors need to participate in the software acquisition process to ensure safety, feasibility and data integrity, and to build related controls into the software application.
Yujia Hu says
I’m interested in processing controls. They are meant to ensure the completeness and accuracy of accumulated data. They ensure that data in a file remain complete and accurate until changed as a result of authorized processing or modification routines. The following are processing control techniques that can be used to address the issues of completeness and accuracy of accumulated data.
Chang Cui says
A systems development methodology is a structure that an organization uses to plan and control the development of information systems and software and new business applications. In the face of increasing system complexity and the need to implement new systems more quickly to achieve benefits before the business changes, system and software development practitioners have adopted many ways of organizing information system and software projects.
Yue Ma says
One of the things in the chapter that I was pretty interested in when I was reading is how to choose the best vendor among vendors with the same level of qualification. I think the process of choosing is very meticulous. To resolve such a situation, agenda-based presentations should be requested from the short-listed vendors. The agenda-based presentations are scripted business scenarios that are designed to show how the vendor will perform certain critical business functions. Vendors are typically invited to demonstrate their product and follow the sample business scenarios given to them to prepare. It is highly recommended to include adequate participation from various user groups when evaluating the product’s/vendor’s fit and the system’s ease of use. The project team thus has an opportunity to check the intangible issues such as the vendor’s knowledge of the product and the vendor’s ability to understand the business issue at hand. Having each short-listed vendor demonstrate its product following a scripted document also enables the project team to evaluate and finalize the product/vendor selection with knowledge and objectivity built into the process. The finalist vendor candidate is then requested to organize site visits to confirm the findings from the agenda-based presentations and check the system in a live environment.
Yalin Zou says
Through the understanding of the reading materials, I have a basic understanding of the tools of system development. And the longer the product is provided, the higher the reliability, which indicates that the time confirms the quality of the product. IS auditors need to be involved in the software purchase process to ensure security and feasibility.
Tianyu Zhang says
Reading CISA, I was interested in the fact that the information systems auditor needs to be involved in the acquisition of hardware and software to determine whether it is due to business requirements and whether the appropriate level of security controls are considered. At the same time, the information systems auditor needs to perform many activities when reviewing application controls, such as determining business processes, conducting appropriate audit procedures, and so on.
Weiwei Zhao says
I find that there is so much content and so many pages in CISA. I don’t want to see the book at all. But I still have some interest in CONTROL IDENTIFICATION AND DESIGN. I think it is very useful for me. I always wanna to the operating of the corporation system about auditing.
Zijie Yuan says
After reading these materials, I have a deeper understanding of application control. I understand that when the IS auditor reviews the application control, the content of the activities that the IS auditor needs to perform, the system files that the auditor needs to review, and the factors that can be used to analyze the risk assessment model required for the application control.
Yanxue Li says
Through reading materials, I found myself very interested in the acquisition steps of the hardware and software. Software and hardware acquisition needs to consider many factors, such as provisions for competitive bidding, analysis of the vendor’s capability to provide maintenance and support, pedigree of the hardware to verify it is not sourced from “gray market” supply sources etc.
Yongheng Luo says
One thing of interest that I take away from the CISA reading 3.3.8 – 3.4.6 is the role which the IT auditor plays in hardware/software acquisition. In the hardware acquisition process, the IT auditor should first determine whether the purchase process is due to a business need and whether the hardware requirements for that need have been taken into account in the specification and then determine whether multiple suppliers have been considered and whether they have been compared against the above measures. In the software acquisition process, the IT auditor ought to participate in the software acquisition process to determine whether the appropriate level of security controls is considered before any agreement is reached. If security controls are not part of the software, it may be difficult to ensure the data integrity of the information processed through the system. The package concerns include inadequate audit trails, inadequate password control, and inadequate overall security of the application. Because of the risk, the IT auditor should ensure that these controls are built into the software application.
Ziqiao Wang says
Through reading, I first have a certain understanding of the tools of system development. I used to think that as a result of product iterations, newer systems or products will have better reliability. And when the cloud computing service model migrates data, it needs to consider reliability, feasibility, privacy, compliance and so on. IS auditors must also be familiar with control techniques and how to demonstrate each technology in the form of reports, logs, and audit trails.
Hang Zhao says
1. After reading the material, I learned some knowledge about hardware and software. In the software procurement process, IT auditors need to be involved to determine whether sufficient security controls have been considered. But based on my work experience, I think it seems that IT auditors in large enterprises are rarely able to oppose a certain IT department procurement plan, usually just staying in the position of cooperation and support. Of course, this is also related to the average professional level of Chinese IT auditors.
2. In addition, for the testing part, I participated in regression testing during the internship, but I am a financial professional and I do not have a unified understanding of software and hardware, development and testing of information systems. For the testing part, I only know the process of regression testing. Reading this chapter allows me to understand simulation testing, black box testing, white box testing and parallel testing methods. I have a deeper understanding of the overall testing process.
Chun Liu says
During a hardware acquisition, the IT auditor should first determine if the acquisition process was motivated by a business need and if the hardware requisites for that need were considered in the specification, and then determine if multiple vendors were considered and compared to the above measures.
During the software procurement process, the IT auditor should be involved in the software purchase process to determine if the appropriate level of security controls has been considered before any agreement is reached. If security controls are not part of the software, it may be difficult to ensure the data integrity of the information that is processed through the system. Problems with software packages include inadequate audit trails, inadequate password controls, and insufficient overall security of the application. Because of the risks involved, IT Auditors should ensure that these controls are built into the software application.