Description
IT Audit Fundamentals for Government Auditors – Video Course includes 19 online videos and a self-study manual including presentation slides for 14.5 hours of CPE credit.
Are you a government auditor who wants to transition to IT auditing? Or do you feel like there are some holes in your knowledge of IT concepts and terms?
This series of 19 short videos covering every major aspect of IT auditing will give you a strong foundation that will allow you to have an intelligent conversation with an IT professional and lead you to ask the right questions to satisfy your IT related audit objectives.
Join Toby DeRoche, an experienced IT audit manager, as he walks you through the goals and related controls over secure IT systems. Toby demystifies complex concepts and defines terminology and acronyms commonly used by IT professionals. He also shares the common mistakes that IT auditors make and how to avoid them.
National Institute of Standards and Technology (NIST) guidelines are emphasized. Each video can be studied, and its related questions answered, individually so that you can learn at your own pace.
Topics include:
- Internal control frameworks including COSO and COBIT
- Access controls and the access management life cycle
- FISCAM (the Federal Information System Controls Audit Manual)
- Provisioning and deprovisioning
- Tests of passwords based on the standards in FISCAM and NIST
- Physical security
- Segregation of duties
- SDLC (Software Development Life Cycle) controls
- Change management testing scenarios
- Job monitoring
- Controls for protecting systems, networks, and programs from digital attacks
- NIST Cybersecurity Framework (CSF)
- Controls for securing sensitive data at rest, in transit, and in use to prevent breaches, leaks, and compliance violations
- SIEM (Security Information and Event Management)
- Log Management
- Investigations into network events and possible attacks
- Backup and recovery procedures
- NIST 800-53
- Business continuity and disaster recovery plans
- Different types of DLP programs
- Data backups
- System updates
- Application deployments
- Security scans
- Data processing activities
- Network security
- The CIA triad: Confidentiality, Integrity, and Availability of data
- Security Awareness Training
- Third-party (or Supply Chain) Risk Management (TPRM)
- SOC (System and Organization Controls) reports and how to audit them
- Strategic objectives
- Governance controls
Course objectives include:
- Identify the use cases for the major IT control frameworks
- Contrast the major IT control frameworks
- Define the key controls within access management
- Identify best practices in provisioning controls
- Sequence the steps in provisioning and deprovisioning
- Identify password controls
- Recognize password-related problems that can trip up an auditor when testing passwords
- Contrast physical security controls managed internally vs externally
- Identify common physical security controls
- Differentiate scenarios that could be possible SOD violations
- Identify separation of duties controls
- Identify SDLC controls
- Sequence the steps of change management
- Describe common concepts in IT change management
- Recognize the purpose behind job monitoring
- Identify how to audit different types of jobs
- Recognize potential control gaps when performing a cybersecurity audit
- Identify the key concepts auditors should review in each domain
- Identify the uses for log management and SIEM tools
- Identify the steps in log management and SIEM
- Identify backup and recovery controls
- Identify key elements of a disaster recovery plan
- Differentiate between disaster recovery and business continuity plans
- Identify the key data loss prevention objectives
- Compare the three types of data loss prevention programs
- Identify the types of tests that auditors can perform when testing DLP
- Contrast Intrusion Detection and Intrusion Prevention Systems
- Identify best practices in Intrusion Detection and Intrusion Prevention Systems
- Identify types of Intrusion Detection Systems
- Relate the goals of security awareness training to common IT Control Frameworks
- Identify best practices in security awareness training
- Identify third-party risk management controls
- Identify real-world examples of Third-Party Risk Management control failures
- Differentiate SOC 1, SOC 2, SOC 3 reports, and bridge letters
- Describe the controls tested in these SOC reports
- Identify common strategy and governance controls
- Compare the concepts of strategy and governance
Program level: Basic
Instructional method: Video with online qualified assessment. QAS SS
NASBA Category of Study: Auditing (Governmental)
Advance preparation: None
Prerequisites: None
Who should attend: Auditors of any experience level who want to learn more about IT auditing within a government context and auditors seeking more information on IT concepts, especially those related to NIST CSF.
CPE Credit Hours: 14.5
Author: Toby DeRoche MBA, CIA, CCSA, CRMA, CFE, CISA, SA, cAAP
This course does qualify for the 24 hour Yellow Book CPE requirement.