IT Audit
Week 1 – Introduction to IT Audit and ISO 27001

  • Topics: IT audit concepts; ISO 27001 overview; types of audits (1st, 2nd, 3rd party)
  • Readings:
    • ISO/IEC 27001:2022, Clauses 4–10 (overview)
    • PECB Lead Auditor Day 1 materials
    • ISACA, IT Auditing: Using Controls to Protect Information Assets (Weiss, 3rd ed.) – Ch. 1

Week 2 – ISMS Fundamentals

  • Topics: ISMS requirements; Annex A controls overview
  • Readings:
    • ISO/IEC 27001:2022 (full text)
    • ISO/IEC 27002:2022 (Annex A guidance)
    • Calder, A. ISO27001/ISO27002: A Pocket Guide (IT Governance Publishing, 2023)

Week 3 – Principles of Auditing

  • Topics: Integrity, objectivity, due professional care, independence
  • Readings:
    • ISO 19011:2018 (Guidelines for Auditing Management Systems) – Clause 4
    • PECB Lead Auditor Day 2 (Audit principles)
    • Messier, Glover, Prawitt. Auditing & Assurance Services (11th ed.) – Ch. 2

Week 4 – Managing an Audit Program

  • Topics: Audit program planning; auditor competence; risk-based auditing
  • Readings:
    • ISO 19011:2018 – Clauses 5–7
    • ISO/IEC 17021-1:2015 (Conformity Assessment) – overview
    • PECB Lead Auditor Day 2 (Audit program management)

Week 5 – Audit Planning & Stage 1 Audit

  • Topics: Stage 1 audit (document review, readiness assessment)
  • Readings:
    • ISO/IEC 27007:2020 (Guidelines for ISMS Auditing)
    • PECB Lead Auditor Day 2 & Day 3
    • D’Aquila, J. Internal Control Audit and Compliance (Wiley, 2019) – Ch. 3

Week 6 – Collecting Audit Evidence

  • Topics: Types of evidence (documentary, physical, technical, verbal, analytical)
  • Readings:
    • ISO 19011:2018 – Clause 6.4.7 (Collecting/Verifying Info)
    • PECB Lead Auditor Day 2 (Audit evidence)
    • ISACA Journal, “Audit Evidence in IT Audits” (2022 issue)

Week 7 – Midterm Exam

  • Coverage: Weeks 1–6

Week 8 – Stage 2 Audit (On-Site Audit)

  • Topics: Opening meetings; roles of audit team, guides, experts
  • Readings:
    • ISO/IEC 17021-1:2015 – Clause 9.3–9.4
    • PECB Lead Auditor Day 3 (Stage 2 audit procedures)

Week 9 – Audit Procedures

  • Topics: Interviews, observations, sampling
  • Readings:
    • ISO 19011:2018 – Annex A (Audit methods)
    • PECB Lead Auditor Day 3 (Audit test plans)
    • ISACA, IT Audit Basics (2018)

Week 10 – Audit Findings & Nonconformities

  • Topics: Audit findings; classifying nonconformities
  • Readings:
    • ISO/IEC 27007:2020 – Nonconformity handling
    • PECB Lead Auditor Day 3 (Audit findings)
    • Calder & Watkins, IT Governance: Implementing Frameworks (2021)

Week 11 – Audit Reports and Closing Meetings

  • Topics: Audit report drafting; closing meeting; conflicts and disagreements
  • Readings:
    • ISO 19011:2018 – Clause 6.5 (Audit reporting)
    • PECB Lead Auditor Day 3 (Audit reporting)

Week 12 – Special Considerations in IT Audit

  • Topics: AI, Big Data, Cloud, Outsourcing
  • Readings:
    • NIST SP 800-145: The NIST Definition of Cloud Computing
    • ISACA, Cloud Governance and Audit Practices (2020)
    • PECB Lead Auditor Day 2 (Trends & technology in auditing)

Week 13 – Surveillance, Recertification & Continuous Improvement

  • Topics: Surveillance audits; recertification audits; continual ISMS improvement
  • Readings:
    • ISO/IEC 27006-1:2024 – ISMS Certification guidance
    • PECB Lead Auditor Day 4 (Surveillance/recertification)
    • ISACA Journal, “Continuous Assurance & Monitoring” (2021 issue)

Week 14 – Final Exam & Capstone Audit Simulation

  • Final written exam (case-based, essay, MCQs)
  • Capstone group activity: conduct a mock ISO 27001 audit (opening → evidence collection → findings → report → closing meeting)

Assessment Scheme

  • Class Participation & Exercises – 20%
  • Group Audit Exercises & Reports – 30%
  • Midterm Exam – 20%
  • Final Exam & Capstone Simulation – 30%

References & Readings

Core Standards:

  • ISO/IEC 27001:2022 – Information Security Management Systems (ISMS)
  • ISO/IEC 27002:2022 – Code of Practice for ISMS Controls
  • ISO 19011:2018 – Guidelines for Auditing Management Systems
  • ISO/IEC 27007:2020 – Guidelines for ISMS Auditing
  • ISO/IEC 17021-1:2015 – Conformity Assessment (Requirements for bodies auditing/certifying)
  • ISO/IEC 27006-1:2024 – Requirements for ISMS Certification

Textbooks & Guides:

  • Calder, A. ISO27001/ISO27002: A Pocket Guide. IT Governance, 2023.
  • Weiss, M. IT Auditing: Using Controls to Protect Information Assets (3rd ed.). McGraw-Hill, 2015.
  • Messier, W., Glover, S., Prawitt, D. Auditing & Assurance Services (11th ed.). McGraw-Hill.
  • D’Aquila, J. Internal Control Audit and Compliance: Documentation and Testing under COSO. Wiley, 2019.
  • Calder, A. & Watkins, S. IT Governance: Implementing Frameworks and Standards for IT and Cybersecurity. IT Governance, 2021.

Supplementary:

  • NIST SP 800-145 – The NIST Definition of Cloud Computing
  • ISACA Journal articles on IT auditing, continuous assurance, cloud audits (2020–2022 issues)
  • PECB Lead Auditor Training Materials (Days 1–4, Version 14.0, 2024)

Module Materials

https://drive.google.com/file/d/1Z63posBedVXt2_HQiFK8GtRNDDDLuMMx/view?usp=drivesdk