WM9QQ-15 Cyber Security Audit
Introductory description
This module aims to provide a comprehensive and critical understanding of cyber security auditing, primarily using ISO 27001 (the information security management standard) and ISO 19011 (the management systems auditing standard). Students will learn how to set up full programmes to effectively and comprehensively assess information security management systems over a set period in compliance with the requirements of ISO 27001. They will further learn how to justify and continually improve the audit programmes they produce.
We will examine the roles of external auditors and explore the importance of external audit for the stakeholders of an organisation.
A variety of techniques will be utilised to teach students how to set up and prepare audits, how to conduct them, how to deal with problems that may arise, how to conduct themselves in a variety of real-life audit situations and how to apply critical thinking to audit scenarios in order to produce useful, effective and accurate audit reports.
Students will learn a number of auditing techniques and approaches and the pros and cons of each. In particular we will focus on using the auditee's own risk assessments, security policies and objectives to inform and facilitate our auditing.
This module will include practical exercises based on real world case studies in managing and consulting on cyber security systems, and auditing organisations for compliance to international standards.
Students will gain an appreciation of the regulatory framework in which auditors operate, apply this knowledge to case study situations and evaluate the procedures used by auditors. As well as considering the processes of both internal and external audit, the module explores the profession of auditing, looking at how the professional firms operate, and profession-wide issues such as audit quality, ethical behaviour, as well as economic and political pressures.
Module aims
The aim of the module is to enable students to understand the nature and objectives of the audit function. They will also appreciate the issues and complexities of the audit process and the principles of audit practice.
Students will gain a detailed understanding of relevant ethics, principles and rules of cyber security, data protection, consent and privacy. There is an emphasis on auditing against the organisation's own information security management system and the requirements of ISO 27001.
Outline syllabus
This is an indicative module outline only to give an indication of the sort of topics that may be covered. Actual sessions held may differ.
The module will include some of the following topics:
- The role of the external auditor: an introduction to, and evaluation of, the ethical and regulatory framework in which audit operates (ISO 19011).
- The process of an external audit: initial client and engagement acceptance, the method of planning an audit and performing key audit techniques, risk assessment, obtaining audit evidence and reporting audit findings, addressing a range of practical and theoretical issues.
- The application of critical thinking to audit scenarios. The ability to identify the clear evidence of non-conformity and present it such that the finding is unarguable.
- The completion stage of the audit: presentation and agreement on findings, the auditor’s report and types of audit reports.
- Current issues in audit risk and audit quality.
- The relationship between external and internal functions and the role of audit in corporate governance.
- Auditor behaviour and attributes.
Learning outcomes
By the end of the module, students should be able to:
- Demonstrate critical appreciation of the need for external and internal audit, and evaluate different approaches to auditing.
- Evaluate the main processes of internal and external audit, and assess whether an engagement has been appropriately accepted, planned and performed.
- Carry out all aspects of a cyber security audit within a specific scope and in compliance with the relevant standards.
- Analyse areas of difficulty in auditing and consider how the profession can or should react to developments in business practice and economic situations.
Indicative reading list
Gray, I. and Manson, S. (2015). The audit process: principles, practice and cases. Thomson Learning.
Collings, S. (2011). Interpretation and application of International Standards on Auditing. Wiley.
Academic articles
Budescu, D.V., Peecher, M.E. and Solomon, I., 2012. The joint influence of the extent and nature of audit evidence, materiality thresholds, and misstatement type on achieved audit risk. Auditing: A Journal of Practice & Theory, 31(2), pp.19-41.
Francis, J.R., 2011. A framework for understanding and researching audit quality. Auditing: A Journal of Practice & Theory, 30(2), pp.125-152.
Houston, R.W., Peters, M.F. and Pratt, J.H., 1999. The audit risk model, business risk and audit-planning decisions. The Accounting Review, 74(3), pp.281-298.
Knechel, W.R., Krishnan, G.V., Pevzner, M., Shefchik, L.B. and Velury, U.K., 2012. Audit quality: Insights from the academic literature. Auditing: A Journal of Practice & Theory, 32(sp1), pp.385-421.
Shibano, T., 1990. Assessing audit risk from errors and irregularities. Journal of Accounting Research, pp.110-140.
Tipton, H.F. and Nozaki, M.K., 2007. Information security management handbook. CRC press.
Fitzgerald, T., 2016. Information security governance simplified: from the boardroom to the keyboard. CRC Press.
Brotby, K., 2009. Information security governance: a practical development and implementation approach (Vol. 53). John Wiley & Sons.
Millichamp, A. and Taylor, J. (2018). Auditing, 11th edition. Cengage Learning (essential text).
Collings, S. (2014). Frequently Asked Questions on International Standards on Auditing, 1st edition. Wiley (recommended text).
Research element
There is a strong emphasis on the development, growth and enhancement of individual research skills so as to provide participants with the high level research knowledge, skills and competencies needed to undertake an independent, original piece of research. The module content draws upon and highlights research within the domain and the module assessment requires participants to perform further research before preparing a response to the assessment task.
Subject specific skills
- The relationship between external and internal functions and the role of audit in corporate governance.
- Apply audit regulations to practical business scenarios.
- Recognise factors which impact on audit quality.
- Develop professional scepticism and question information provided when appropriate.
- The audit process including planning an external audit, risk assessment, obtaining audit evidence and reporting audit findings, addressing a range of practical and theoretical issues.
Transferable skills
Critical and analytical thinking, problem solving, communication, professionalism as well as:
- Themes which underpin audit quality, including the application of professional ethics.
- Auditor behaviour and attributes, including the use of professional scepticism and professional judgement.
- Current issues in audit, for example auditor liability and the expectation gap.
- Apply logical reasoning to justify actions to be taken by auditors in a given situation.
Study time
| Type | Required |
|---|---|
| Supervised practical classes | 30 sessions of 1 hour (20%) |
| Online learning (independent) | 10 sessions of 1 hour (7%) |
| Private study | 50 hours (33%) |
| Assessment | 60 hours (40%) |
| Total | 150 hours |
Private study description
Research on and analysis of additional learning resources.
Costs
No further costs have been identified for this module.
You do not need to pass all assessment components to pass the module.
Assessment group A
| Assessment component | Weighting | Study time | Eligible for self-certification |
|---|---|---|---|
| Cyber Security Audit Test | 20% | 12 hours | No |
| Cyber Security Audit | 80% | 48 hours | Yes (extension) |

Cyber Security Audit Test: in-class test assessing the students' critical understanding of the relevant standards, frameworks and the audit process. The reassessment component is the same.

Cyber Security Audit: a non-conformity report presenting the results of a cyber security audit carried out on a given case study. The assessment will include an interview carried out as part of the cyber security audit (the students will be the auditors, i.e. interviewers, and the module tutor will represent the audited organisation). The reassessment component is the same.
Feedback on assessment
Feedback will be provided on a standard WMG feedback form.
Courses
This module is Core optional for:
- Year 1 of TWMS-H1S1 Postgraduate Taught Cyber Security Engineering (Full-time)
- Year 1 of TWMS-H1SH Postgraduate Taught Cyber Security Management (Full-time)