Chapter Ten

Case Study: Conducting an Information Systems Audit

IN THIS CHAPTER, WE learn about the steps involved in conducting an information systems audit. We have selected a bank as a case study essentially because banks represent one of the most critical and sensitive applications of information systems assets. In addition, the multiple guidelines issued by the central banks of different countries on this matter provide a rich collection of best practices from which we have drawn. The chapter provides a step-by-step guide to conducting an information systems audit at the various levels of a bank, including its branches.

The lessons presented in this chapter are not restricted to applications in bank information systems alone. The methodology is applicable to all information systems, although the specific object of examination is likely to vary. At the end of this chapter we will be ready to conduct an information systems audit of any entities, including those with multilocation systems.


Important security issues involved in an information systems audit of a bank, as well as other organizations, include the following:

User Access Management

The auditor needs to verify the following two points:

1. The existence of formal procedures controlling the allocation of access rights for individual users.
2. The procedures must cover the entire life cycle of user access, from registration of new users to deregistration.

User Registration

The information ...

Get Understanding and Conducting Information Systems Auditing + Website now with the O’Reilly learning platform.

O’Reilly members experience live online training, plus books, videos, and digital content from nearly 200 publishers.