Department of Industrial and Information Management

Department of Accountancy
R120300
Information Systems Audit and Security
(電腦審計與安全)
Spring 2013 (101 學年度第 2 學期)
1. The mission of the College is to serve business and society in the global economy by developing professionally qualified and socially responsible business leaders and by advancing the frontiers of knowledge in business management.
2. The strategic objective of the Department of Accountancy is to explore and advance theories and practices in accounting in order to cultivate competitive professionals with ethical integrity, innovative capabilities and an international perspective.
General Program Learning Goals (goals covered by this course are indicated):
- Graduate students should be able to appreciate business research and to present research findings/results effectively in speaking and in writing.
- Graduate students should be able to integrate different functional areas in solving business problems.
- Graduate students should be able to analyze business situations and to recommend innovative resolutions.
- Graduate students should be able to demonstrate the leadership skills of a business manager.
- Graduate students should be able to identify ethical dilemmas and to determine the necessary courses of action.
- Graduate students should possess a global economic perspective and a vision of the global business environment.
- Graduate students should be able to coordinate actions and solve problems jointly with other members of a professional team.
Instructor: Prof. LihChyun Shu (徐立群)
E-mail: shulc@mail.ncku.edu.tw
Prerequisites: None
Course Description:
In recent years, information technology (IT) has inspired the reengineering of traditional business operations. As global networks expand the interconnection of the world, the smooth operation of communication and computing systems becomes vital. The need for organizations to protect critical information continues to increase. IT advances have introduced new risks that require unique internal controls and have also had a great influence on auditing.
In this course, we first present an overview of information systems audit (or information technology audit). We then discuss alternative audit approaches and review the internal control concerns. We give a basic introduction to the broader field of information security, defining key terms and explaining essential concepts. We then examine the business drivers behind the security analysis and design process. We look into key laws that shape the field of information security, as well as the computer ethics necessary to better educate those implementing security. We then study key areas of potential computer risk. An overview of relevant technology and systems issues will also be provided. Finally, students will learn to use computer assisted audit tools in order to gain hands-on experience.
Course Objectives:
We expect the students to have an in-depth understanding of risks in the use of
information systems. Students will also learn methods used in IT risk assessment and
control. Students will learn CAATTs, i.e., the practice of using computers to automate
or simplify the audit process.
Course Content:
1. Auditing, Assurance, and Internal Control
2. IT Assurance Methodology - Practice operation
3. IT Assurance framework - risk and control
   - ERP audit, Application control and security, Business Process Control
   - Journal entry testing and Computer Assisted Audit Tools and Technologies (CAATT)
   - Use of an audit tool, e.g. ACL
   System Security, Audit and Control
   - ERP Application security: configurable controls and segregation of duties
   - ERP system authorization concept
   - ERP Audit Approach
4. Introduction to Information Security
5. The Need for Security
6. Risk Management: Identifying, Assessing, and Controlling Risk
7. Blueprint for Security
Textbook:
1. James A. Hall. "Information Systems Auditing and Assurance," South Western College Publishing, 1999.
2. Michael E. Whitman and Herbert J. Mattord. "Principles of Information Security," Thomson Course Technology, 3rd Ed., 2009.
Recommended references (online):
1. Information Systems Audit and Control Association: http://www.isaca.org/
2. Illustrative Risks to the Public in the Use of Computer Systems and Related Technology: http://www.csl.sri.com/users/neumann/illustrative.html
3. Software Engineering Notes: http://www.sigsoft.org/SEN/
Grading Policy:
(*Including a grading scheme for AACSB Multiple Assessment)

Grading components:
- Homework Assignments & Class Participation: 35%
- Case Discussion: 20%
- Term Presentation: 25%
- Exam: 20%

AACSB assessment dimensions: COMMU (Speaking, Writing), CPSI (Interdisciplinary Competence / Problem Solving, Critical Thinking / Innovation), LEAD, GLOB, VSP.

Learning goals assessed by this course (checked items are assessed):
- [x] Speaking
- [x] Writing
- [x] Interdisciplinary Competence / Problem Solving
- [x] Critical Thinking / Innovation
- [x] Teamwork
- [ ] Leadership
- [ ] Ethical Reasoning
- [ ] Global Vision

Per-dimension assessment weights listed in the table: 10%, 30%, 40%, 25%, 25%, 40%, 20%, 35%, 25%, 30%, 20%, 35%, 25%, 30%, 10%.
Participation of Industry Experts in Teaching
Information systems audit and security is a practice-oriented course. It is important to expose our students to leading practitioners in the field. In the first part of the course, the instructor will familiarize students with the basic concepts of IT assurance. In the second part (5 weeks), industry experts from major accounting firms will teach our students through cases and acquaint them with actual IT audit operations. Following that, the instructor introduces the concepts of risk and control in IT audit. With the assistance of industry experts, students will gain an in-depth understanding of the framework of IT audit in theory and practice.
This course gives students with an accounting background a view of IT assurance, as distinct from traditional financial assurance, and allows students with an IT background to understand how the involvement of IT staff in the business affects financial statements. Through the interaction between the students and industry experts, the course will give our students a general understanding of IT audit as well as of the working environments in major accounting firms, enabling them to plan their future careers.
Profiles of Industry Experts
James Yeh (葉光仁)
James Yeh is a senior consultant in Ernst & Young's Business Advisory Practice, specializing in identifying significant process improvements, implementing best practices for internal control weaknesses, SOX 404 compliance and internal audit, and data analytics. He has over 4 years of advisory experience with a focus on IT risk management and internal audit. James Yeh has an MBA degree in accounting and information technology from National Cheng Kung University.
Han Yu (于涵)
Han Yu started his career as an auditor at Deloitte & Touche, providing financial, tax, and internal control services. Han is experienced in conducting due diligence audit procedures for various government organizations. Han joined Enterprise Risk Services at Deloitte & Touche as an enterprise risk management consultant in 2011. He provides business control and process improvement, segregation of duties, data quality assurance and other integrated business risk services. With financial and internal audit experience and computer assisted auditing techniques, Han also provides enterprises with business process cycle compliance testing, data conversion projects and governance advisory services. Han's industry experience includes automotive, public services, professional services, manufacturing, and banking. Han Yu has an MBA degree in accounting and information technology from National Cheng Kung University. His master's thesis is about checking the conformance between expected and actual business processes.
Course Schedule Breakdown:
1. Auditing, Assurance, and Internal Control (3 weeks, covered by the instructor)
2. IT Assurance Methodology - Practice operation (2 weeks, covered by an industry expert)
3. IT Assurance framework - risk and control
   - ERP audit, Application control and security, Business Process Control
   - Journal entry testing and Computer Assisted Audit Tools and Technologies (CAATT)
   - Use of an audit tool, e.g. ACL
   System Security, Audit and Control (3 weeks, covered by an industry expert)
   - ERP Application security: configurable controls and segregation of duties
   - ERP system authorization concept
   - ERP Audit Approach
4. Introduction to Information Security (1 week, covered by the instructor)
5. The Need for Security (2 weeks, covered by the instructor)
6. Risk Management: Identifying, Assessing, and Controlling Risk (3 weeks, covered by the instructor)
7. Blueprint for Security (2 weeks, covered by the instructor)
Expected number of students taking the course: 20 ~ 25
Benefits from having Industry Experts in teaching
With the help of industry experts from two accounting firms, our students will learn the following important topics in Information Systems Audit and Security, which will help them go to work as IT auditors in major accounting firms immediately after they graduate from our department:
- The frameworks and methodologies for IT assurance
- ERP security, configurable controls, and segregation of duties
- ERP system audit
- Use of CAATT tools
- A taste of an IT auditor's career through interaction with industry experts
Expenses needed for hiring two industry experts
Round-trip travel between Taipei and Tainan using High speed rail
Payment for teaching (3 hours/week * 5 weeks)

Item                                                  | Amount         | Count                   | Subtotal
High speed rail round-trip ticket (Taipei - Tainan)   | NT$1,350 x 2   | 5 weeks                 | NT$13,500
Hourly teaching fee (lecturer grade)                  | NT$575/hour    | 5 weeks * 3 hours/week  | NT$8,625
Total                                                 |                |                         | NT$22,125