Syllabus — Information Systems Audit

Year I, Part II — MSNCS, IOE Pulchowk, Tribhuvan University. 4 credits.

Chapter 1 — Introduction to Information Systems Audit (10 marks)

  • 1.1 Information Systems Audit and Information Systems Auditor
  • 1.2 Legal Requirements of an Information Systems Audit
  • 1.3 Systems Environment and Information Systems Audit
  • 1.4 Information Systems Assets and Classification of Controls
  • 1.5 Information Systems Audit Coverage
  • 1.6 IT Audit Standard and Guidelines, Regulatory Requirements
  • 1.7 ISO 27001, NIST Cyber Security Framework, COBIT, CIS

Chapter 2 — Hardware and Software Security Issues during Audit (10 marks)

  • 2.1 Hardware Security Objective
  • 2.2 Peripheral Devices and Storage Media
  • 2.3 Authentication Devices
  • 2.4 Hardware Acquisition, Hardware Maintenance and Management of Obsolescence
  • 2.5 Disposal of Equipment; Problem Management; Change Management
  • 2.6 Network and Communication Issues
  • 2.7 Overview of Types of Software; Elements of Software Security
  • 2.8 Control Issues during Installation and Maintenance
  • 2.9 Licensing Issues, ICT Procurement Practice

Chapter 3 — Information Systems Audit Requirements (10 marks)

  • 3.1 Risk Analysis; Threats, Vulnerability, Exposure, Likelihood, and Attack
  • 3.2 Information Systems Control Objectives; Information Systems Audit Objectives
  • 3.3 System Effectiveness and Efficiency
  • 3.4 Information Systems Abuse
  • 3.5 Asset Safeguarding Objective and Process
  • 3.6 Evidence Collection and Evaluation
  • 3.7 Logs and Audit Trails as Evidence

Chapter 4 — Conducting an Information System Audit (12 marks)

  • 4.1 Audit Program and Audit Plan
  • 4.2 Audit Procedures and Approaches
  • 4.3 System Understanding and Review
  • 4.4 Compliance Reviews and Tests
  • 4.5 Substantive Reviews and Tests
  • 4.6 Audit Tools and Techniques
  • 4.7 Sampling Techniques
  • 4.8 Audit Questionnaire; Audit Documentation; Audit Report
  • 4.9 Auditing Approaches; Sample Audit Work-Planning Memo
  • 4.10 Sample Audit Work Process Flow
  • 4.11 Conducting a Risk-Based Information Systems Audit
  • 4.12 Risk Assessment and Risk Management Strategy

Chapter 5 — Business Continuity and Disaster Recovery Plan (10 marks)

  • 5.1 Business Continuity and Disaster Recovery Process
  • 5.2 Business Impact Analysis; Incident Response Plan
  • 5.3 Disaster Recovery Plan
  • 5.4 Types of Disaster Recovery Plans
  • 5.5 Emergency Preparedness Audit Checklist
  • 5.6 Business Continuity Strategies
  • 5.7 Business Resumption Plan Audit Checklist
  • 5.8 Recovery Procedures Testing Checklist; Plan Maintenance Checklist

Chapter 6 — Security Testing and Cloud Computing Audit (8 marks)

  • 6.1 Cybersecurity, Global Cybersecurity Landscape
  • 6.2 Vulnerability Assessment and Penetration Testing (VAPT)
  • 6.3 Secured Software Development Testing, DevOps and DevSecOps
  • 6.4 Open Web Application Security Project (OWASP)
  • 6.5 Security Testing Tools
  • 6.6 Cloud Audit Considerations