The Basics of IT Auditing


If you haven’t conducted an IT audit before, or you’ve only been involved in a couple of IT audits, then this course is the ideal starting point. It aligns to the latest standards and best practice approaches and is updated each year to keep pace with emerging technology. The course will enable you to confidently perform a review of the impact of technology on your organisation. This course is open to all but is best suited to those with limited IT audit experience.


Date: 5th & 6th of November
Time: 09:00 – 17:00
Address: 7A Centralen, Vasagatan 7
Price excl. VAT: 11 175 kr members, 14 900 kr non-members
Lecturer: Stan Dormer, CFIIA
CPE Points: 14

Register here >>

Upon completion you will be able to:

  • Understand the approach to IT Auditing and relevant best practices;
  • Review application systems;
  • Review systems under development;
  • Review configuration and change management;
  • Review physical security;
  • Review logical security;
  • Review contingency and continuity plans; and
  • Perform basic network reviews.

The course is accompanied by an indexed manual that has full course text, examples and practical work.

Stan Dormer, CFIIA, is a recognised expert in the field of governance, auditing, business and project risk and IT. He is the author of numerous articles and was the author of the distance learning materials and revision schools supporting IIA qualifications.


IT Auditing

  • The IT auditor and risk-based auditing how they fit together
  • High-level IT risks: Confidentiality, Integrity, Availability and Accountability
  • Low-level risk connecting to high-level risk
  • Documenting IT audit work

Working to Standards, Best Practices, and the Law

  • Governance: ISO/IEC 38500:2008 – what should be reviewed?
  • COBIT, ITIL and ISO 27000 – what are these?
  • Data Privacy – what should be reviewed?

Auditing Live Systems – Using a Risk-Based Approach

  • Applications and the distribution of controls
  • IT directive, preventative, detective, and corrective controls
  • User constraint and oversight controls
  • What to look for in controls designed to offset application business process risks

Auditing IT Configuration and Change Management

  • Configuration management – what should be reviewed?
  • Change management – what should be reviewed?

Auditing Key Building Blocks of IT Control

  • Physical and environmental security – what should be reviewed?
  • Logical access control: registration, identification, authentication, authorisation, and logging – what should be reviewed?
  • The user community – finding them, extracting them
  • Passwords and biometrics, what should be reviewed?
  • Systems administration, granting permissions, rights, and privileges
  • Common handling procedures related to logical access – discussion
  • Event logging – journals – trails – reporting on user activity, what should be reviewed?
  • How do database systems fit into the picture?
  • Contingency and disaster avoidance including ISO 27031, what should be reviewed?
  • Support options to supplement organisational capacity
  • Maintaining and testing the plan

Basic Networking

  • Network terminology and Network Diagrams
  • LANs, WANs and WLANs
  • Switches, Routers and Firewalls – what should be reviewed?
  • VPNs and Encryption – protecting data flowing across a network
  • Networks overall – what should be reviewed?

Cloud Based Systems

  • Key terminology
  • Service offerings
  • What should be reviewed?
  • Multi-cloud structures