
Copyright © 2005 Information Systems Audit and Control Association. All rights reserved. www.isaca.org.

Information Technology Control and Audit, 2nd Edition
By Frederick Gallegos, Sandra Senft, D.P. Manson and C. Gonzales
Reviewed by Vishnu Kanhere, Ph.D., CISA, CISM, CFE, FCA

This book is the effort of four authors with nearly 75 years of combined experience in information systems audit, control and security. It is therefore a compendium of many aspects of IT control and audit experience.

The book is an introductory reference to IT auditing and covers the audit process, the legal framework of IT auditing, and security. It also addresses the auditing of IT acquisition and implementation, as well as the auditing of IT operations in stand-alone and global environments. Throughout, the book's main concern is organizational security and financial integrity.

The book is very useful for beginners as well as for practitioners who intend to make IS audit their profession. It is spread over six parts and 21 chapters, with several appendices collected in the sixth part.

Part I addresses the foundation issues for IT audit and control. Chapter 1 introduces readers to the rationale for controls and audit and explores the interface between IT and audit. A detailed chapter on the audit process explains the audit standards and regulations set out by a number of governments and standard-setting bodies, such as the Institute of Internal Auditors (IIA), the Information Systems Audit and Control Association (ISACA), and the National Institute of Standards and Technology (NIST), an agency of the US Department of Commerce. Special attention is given to financial auditing and Generally Accepted Accounting Principles (GAAP). Part I also offers flowcharts and exhibits that lay the foundation for the discussion in later sections.

Part II addresses the auditing of IT planning and organization and examines IT governance and controls. The section opens with a discussion of Control Objectives for Information and related Technology (COBIT) and uses the COBIT framework throughout. It provides a lucid understanding of IT governance and emphasizes guarding against overaudit, excessive controls, or security beyond the need. As the authors state, audit, control and security should not exceed the level of risk or potential loss the organization may face.

Part III addresses the auditing of IT acquisition and implementation. The software acquisition process and its associated risks are discussed in detail and presented through flowcharts, and the different phases of the system implementation process are also presented. Chapter 11 provides an overview of the risks and controls associated with application systems and maintenance. Chapter 12 provides interesting reading on change management and the issues governing it.

Part IV focuses on the IT operations environment and encompasses global activities supported by wide area network (WAN) architectures. Risk management is addressed in detail in chapter 15.

Part V provides insight into emerging issues in IT audit. It focuses on the legal environment, its impact on information reviews, and the important role IT auditors will play in the future. Chapter 19 covers IT security and privacy issues; an array of tools and malware is cogently presented, and intranet and extranet security issues are also discussed.

The following chapter covers IT auditing as a profession: career planning and development, quality audit evaluation, and benchmarking (best practices). A career path for IT auditors within an audit organization, tracing the path from audit trainee to partner level, is visually presented, as is a model curriculum for IT auditors.

Chapter 21 provides insights into IT auditing in the new millennium. It addresses the important issues of management, training, education and development for auditors. One exhibit provides sample undergraduate course topics with a futuristic outlook, including computer forensics, encryption, cryptography and biometrics, human factors in systems design, and IS integrity, confidentiality and availability.

The book is well written and presented. Its practical implementation in the authors' country of origin (USA) should provide resiliency to IT security in the emerging cyberworld.

INFORMATION SYSTEMS CONTROL JOURNAL, VOLUME 4, 2005


Vishnu Kanhere, Ph.D., CISA, CISM, CFE, FCA
is an instructor at several management institutes, government
academies and corporate training programs. He is a continuing
professional education resource professional and peer reviewer
for the Institute of Chartered Accountants of India. His
specialties include direct and indirect taxes, internal auditing,
accounting, financial management and project planning, fraud
review and information systems security. Kanhere is a member
of the Sectional Committee LTD 38 on Information Security
Management Systems of the Bureau of Indian Standards, and
the ISACA Publications Committee.

Information Systems Control Journal, formerly the IS Audit & Control Journal, is published by the Information Systems Audit and Control Association, Inc. Membership in the association, a voluntary
organization of persons interested in information systems (IS) auditing, control and security, entitles one to receive an annual subscription to the Information Systems Control Journal.

Opinions expressed in the Information Systems Control Journal represent the views of the authors and advertisers. They may differ from policies and official statements of the Information Systems Audit
and Control Association and/or the IT Governance Institute® and their committees, and from opinions endorsed by authors' employers, or the editors of this Journal. Information Systems Control Journal
does not attest to the originality of authors' content.

© Copyright 2005 by Information Systems Audit and Control Association Inc., formerly the EDP Auditors Association. All rights reserved. ISCA™ Information Systems Control Association™

Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the
association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, Mass. 01970, to photocopy articles
owned by the Information Systems Audit and Control Association Inc., for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume,
and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the
association or the copyright owner is expressly prohibited.

www.isaca.org

