
Information Technology Risk Management

UNIVERSITY OF TEXAS AT DALLAS


Course Syllabus
Fall 2005

Instructor: Mark Salamasick

Course Number: AIM 6336


Semester Hours: 3

Location: SOM 2.116


Time: Thursday, 7:00-9:45 p.m.

Office Phone: (972) 883-4729


Email Address: Mark.Salamasick@utdallas.edu
Homepage URL: http://www.utdallas.edu/~msalam
Internal Audit Program: http://som.utdallas.edu/eiap
Office Hours: Wednesday and Thursday, but call ahead. Other times by appointment.

Prerequisites:
- Business Process Design and Internal Audit (AIM 6380) or Auditing (AIM 6334) or concurrent;

- Management Information Systems (MIS 3351); or

- Comparable undergraduate course work with an emphasis either in Audit or MIS.

Required Materials:
• We will be using the IIA Systems Auditability and Control (SAC), which is now available only on CD. It is
available directly through the IIA International at a discount available only to members of this class.
You must order through the IIA Bookstore at 877-867-4957 or the website at www.theiia.org. Note that it
will probably take a day longer to order from the website. The special order information is 9100.SAL for
the SAC CD. The cost you should enter is $25.00 for the CD.

• We will also use the Global Technology Audit Guides (GTAG). They are available for free
download, or if you prefer you can buy a copy through IIA International for $25. Soft copies are
available from the IIA website and will also be posted in webCT.

• PC Management Best Practices also available through the IIA Bookstore or website. The special
order information for the PC Management Best Practices is 482.SAL and price is $12.50.

• Each student will be given access to the Protiviti knowledge system as part of the class. Information
will be used from the website during class and should also be used as a research tool.
• Student membership in ISACA for $25 is highly recommended.


Course Objectives:
• Understand the key information technology risk components and ways to mitigate those risks.

• Develop knowledge of Information Systems Auditing and assurance services terms and procedures,
including an awareness of advanced auditing and information processing concepts.

• Identify sources for research of technology risk.

• Utilize the Internet as a research and communication tool for Information Technology Risk
Management and Auditing.

• Learn the controls and key questions to ask concerning controls from an end user standpoint when you
are involved in using computer systems.

• Learn the key controls that are necessary to have a well-controlled data processing department. Also,
be able to explain why these controls are necessary and if there are any compensating controls explain
why the controls may not be necessary.

• Be able to adapt an audit checklist and audit program to various Information Systems environments.

• Develop skills necessary to be able to perform an Information Systems Audit and prepare an internal
or external audit report.

• Be able to describe some of the common features of audit software and be able to describe in which
situations it would best be used.

• Develop an in-depth understanding of a specific information systems risk management topic.

• Develop the knowledge required to sit for and pass the CISA exam, the certification for Information
Systems Auditors.

• Learn those areas of technology risk that are currently of most concern as identified by the IIA,
AICPA, and ISACA.

• Identify and evaluate risks in an e-business environment.

• Understand how to adapt audit coverage in areas of advanced and emerging technologies.


Homework:
All assignments should be completed and turned in on time. A number of assignments will require you
to prepare the assignment in PowerPoint and make a short presentation in class. Most of these
assignments will be due the Wednesday before class and need to be posted to webCT.

Attendance:
Notify the instructor in advance, if possible, if you cannot attend class. Class attendance is extremely
important since many of the topics and tours are unique to the class discussion.

Communication:
We will make use of webCT for class assignments. Discussion in class is the best way to learn, as
many of you bring varied backgrounds to class. We will allow time in class for common questions of the
group. Using the webCT discussion board to communicate with other students in the class is also a very
good way for all to learn and to get answers to questions quickly. All class communication should be
either in class or in webCT. Because of the volume of email, do not send class email to my regular email
address unless it is for advising.

Handouts:
The course will have numerous handouts, which will be posted on webCT. These will be used to
stimulate class discussion. All handouts and discussions are potential exam questions. Numerous
presentations will be used to complement the course with current material. These presentations will cover
material similar to the modules from the IIA, but in a more contemporary manner and using a case study
approach.

Tests:
The tests will include a variety of questions and will most likely be primarily multiple choice. Students
will have the opportunity to participate in writing sample test questions prior to the exam. The modules
listed are from the Institute of Internal Auditors-Systems Auditability and Control. Test questions will be
primarily focused on the class discussions and presentations.


CISA Exam:
This course will help prepare students for the CISA exam, which is given every June and December; it is
offered twice a year for the first time, with December added. All topical areas of the exam are covered at a high level.
Students taking this course will be eligible for a reduced rate review class in the spring from the North
Texas ISACA Chapter. The class last spring was held from 9-12 on Saturdays at UTD for ten weeks.
Study material is available from ISACA and Pass Matrix offers a CD with test questions that is very good.

Grading:
Your grade will consist of the following:

Test Number | Modules | Date | Points
1 | eSAC Various, 1, 2, 9, and 10 | October 6 | 100
2 | eSAC Various, 4-8, 11, 13 and C.S. | December 1 | 100
Homework and Class Discussion/Projects | Various | 100
Final Project | N/A | 100
Total Points | 400

Class Schedule:
The class schedule is subject to change, based on the needs of the students. Students come with specific
backgrounds and company experience that we can expand on in class. Modules that are listed will be
addressed, but only selected portions will be covered as part of the class. The newer material is out of
eSAC, but much of the framework of controls is included in SAC. The schedule will also be somewhat
flexible based on the availability of guest speakers, tour of a data center, and focus of discussions in class.
The material in SAC should be viewed as that of an encyclopedia and used as reference material. The
material from the PC Management Best Practices should be read in more detail and will be covered in
presentations in class.


Schedule

Week | Date | Topic | PC Management Best Practices
1 | August 18, 2005 | Introduction; Global Technology Audit Guide; eSAC Summary and eSAC Model; Supplementary Module 1 – Exec. Sum. |
2 | August 25, 2005 | eSAC Risk and Control Environment; Supplementary Module 2 Audit and Control; IIA and ISACA Model Curriculum; IT Risk Management Control Frameworks; Certifications Overview – CISA, CISSP, CCP; IIA Research Opportunities in IT | Chapter 1
3 | September 1, 2005 | eAssurance Services and Computer Fraud | Chapter 2, Appendix A
4 | September 8, 2005 | Privacy | Chapter 3, Appendix D
5 | September 15, 2005 | eSAC Security; eSAC Critical Infrastructure; Supplementary Module 9 – Security | Chapter 4
6 | September 22, 2005 | eSAC - Contingency Planning Overview; Module 10 - Contingency Planning | Chapter 5
7 | September 29, 2005 | e-Business Risks and/or Tour |
8 | October 6, 2005 | Test #1 |
9 | October 13, 2005 | eSAC - Managing Resources Overview; Module 4 - Managing Computer Resources; Module 8 - Telecommunications | Chapter 7
10 | October 20, 2005 | Systems Development Project Auditing; eSAC - Systems Development Overview; eSAC – Systems Development Life Cycle; Module 5 - Managing Inf. and Dev. Systems; Module 6 - Business Systems | Chapter 6
11 | October 27, 2005 | eSAC – Use of Information Tech. in Audit; Module 7 - End User Dept. Computing | Chapter 8, Appendix E, Appendix G
12 | November 3, 2005 | Client/Server Implementation Case Study |
13 | November 10, 2005 | Module 13 - Advanced Technology and Emerging Technologies |
14 | November 17, 2005 | Class Presentations |
N/A | November 24, 2005 | Thanksgiving |
15 | December 1, 2005 | Test #2 |


Other Class Learning Opportunities:


Opportunities will arise to attend the local Institute of Internal Auditors (IIA) and Information Audit and Control
Association meetings at reduced rates. Meetings are typically on Thursday at lunch. We may have one to two
tours added to the class depending on scheduling. We will also have guest speakers during the course.

North Texas ISACA Meetings and Calendar – www.isacantx.org

The North Texas Chapter of ISACA meetings are recommended attendance and are available at a discount rate of
$10 for students. The meetings are planned for Thursday at lunch time. At the time of putting the syllabus
together, speakers and topics had not been selected, but they will be announced in class. The first meeting is on
September 8 and is on IT Balance Scorecard, Performance Measurement, and Internal Control Environment. You
need to register ahead of time to attend these meetings. The local ISACA chapter has over 600 members.

Dallas Chapter of the Institute of Internal Auditors – http://www.dallasiia.org/

You are invited to attend the luncheon meetings of the Dallas Chapter of the IIA at a reduced rate of $15.
These meetings offer you an opportunity to network with audit professionals, hear great speakers, and learn more
about what is going on in the Dallas area. The local chapter has more than 1,500 members and is one of the only
platinum chapters in the world.

Other Associations with a Technology Risk Management Focus

The Information Systems Security Association (ISSA) has a focus on security issues and has a local chapter that
also meets monthly. The Association of Contingency Planners (ACP), which has a focus on Disaster Recovery
Planning and is made up primarily of contingency planners, also meets monthly. Both of these organizations are
national in scope and have strong chapters in the Dallas Ft. Worth area.
