
This chapter dealt with the subject of IT auditing and began with an overview of auditing that
addressed the key components of an audit. The topics discussed in this section included
auditing standards, the structure of an audit, management assertions and the audit risk model.
The chapter then turned to internal control and audit issues relating to Sections 302
and 404 of SOX. It started with a study of the roles of management and auditors under SOX
and, in doing so, analyzed the IT control relationship. The design, implementation, and assessment of
internal control over the financial reporting process form the central theme of these sections.
The study of internal control follows the Committee of Sponsoring Organizations of the
Treadway Commission (COSO) control framework, which was incorporated into SAS 78. This
segment ended with a review of concerns surrounding computer fraud. The next
chapter discussed the risks and controls related to IT governance. It started with a brief
description of IT governance and classified its implications for internal control and financial
reporting. The structure of the IT function within an organization was then addressed, along with the risks
that can result from improper structuring. Next, the chapter analyzed the threats to and
controls of the computer center, including protection from damage and destruction caused by
natural disasters, fire, temperature and humidity. The next segment introduced the core elements
of a disaster recovery plan (DRP). Such a plan must address many aspects,
including providing second-site backup, identifying critical applications,
performing backup and off-site storage procedures, creating a disaster recovery team and
testing the DRP. The final chapter segment looked at issues concerning the increasing
movement towards IT outsourcing. Specifically, it studied the fundamental theories of
outsourcing and the potential benefits. The major risks that IT outsourcing often entails
were also discussed. The chapter ended with a review of outsourcing-related
audit issues, including the reporting standard SSAE 16.
