For purposes of this book, a computing system is generally defined as any computer software application that performs a business function; the supporting database management system, if any; the hardware on which it resides and that provides access to it; and the operating system that controls the hardware. Computing systems include hardware devices that reside within an organization or at a vendor site as well as software programs that are written and maintained by internal programmers, purchased from and maintained by vendors, or reside at third-party processor sites. This book focuses on those computing systems that have or should have some form of auditable security associated with them. Although even basic calculators could be considered computing systems, they are insignificant in terms of the risks associated with their use. Thus, they are excluded from the scope of this book.

Once the "universe" of computing systems in an organization has been identified, the systems must be categorized by criticality; essentially, a risk analysis must be performed on them. The risk analysis could prove to be very time-consuming. The best method for evaluating the risk of the computing systems must be determined. For some it may be in terms of total dollar value of items processed by the system, while for others it may be the total number of items processed, total cost or investment in the system, potential losses if the system were corrupted, a combination of these criteria, ...
