ISOM4100 Fall 2016

ISOM4100: Information Systems Auditing and Security


Course goals

This course provides a comprehensive approach for auditing information systems including
specific procedures and illustrative case studies useful for auditors and information security
professionals.

Learning outcomes

By the end of this course, you will be able to:

1. Apply an information systems auditor's mindset
2. Describe risks and controls in organizations
3. Apply information security in business

Course description

This course provides a comprehensive approach for auditing information systems that is
useful for IS auditors and information security professionals. Computer security cases and
examples are used to illustrate the IS auditing process, practices and management. It will help
you prepare for the CISA later on in your career.

In addition to the concepts of IS auditing and computer security, it also covers the following
chapters in CISA (Certified Information Systems Auditor):

Chapter 1: The Process of Auditing Information Systems

Chapter 2: Governance and Management of IT

Chapter 3: Information Systems Acquisition, Development and Implementation (Partial)

The course is intended to provide the tools required for IS audits involving outsourced
systems, large mainframes or stand-alone desktops. The course covers physical and logical
security; public key infrastructure; IT governance; e-commerce and Internet security including
encryption and cryptography; information privacy laws and regulations; and project
management controls. The course consists of four parts. The first part introduces core
information systems auditing concepts and the IS auditing process; the second part discusses
how senior management makes IT decisions through IT governance; the third part presents
security problems with business cases; and the fourth part discusses how IS auditors evaluate
organizational projects. Students are expected to participate actively in class.

By James Kwok Page 1

Teaching approach

This is a blended learning course, which contains a 1-hour face-to-face (F2F) lecture, a
1-hour video lecture, and a 1-hour in-class exercise for each part of this course. After attending
the 1-hour F2F lecture and watching the 1-hour video lecture, students are required to answer
questions in quizzes and to participate in the discussion forum. This ensures that students
possess sufficient knowledge and skill to do the in-class exercises. There are four case studies
in this course and all are highly relevant to real cases. The following diagram shows the
study pattern for this course. The next diagram shows the flow of case presentation.

Study Pattern for this course.

Study Pattern for Case study.

In general, the teaching approach of this course is based on the notion of sustained, deep
learning by applying knowledge through lectures. Lecture sessions are also structured to
engage the students in learning proactively (pre-class reading and pre-class discussion),
actively (in-class exercises on IS auditing topics and in-class discussion of IS auditing
problems) and reflectively (in-class discussion of personal views through the answers to
in-class exercises).

Teaching & Learning   Roles in the Course                                       Course Learning
Activities                                                                      Outcomes addressed

F2F Lecture           Explain key concepts to students using an active          1, 2, 3
                      learning approach, with in-class discussion of questions.

Video Lecture         Explain other concepts and examples to students using     1, 2, 3
                      an online learning approach.

Case                  Requires student groups to apply their understanding      1, 2, 3
                      of systems development life cycles and IS auditing
                      knowledge to solve IS auditing problems.

Assessment scheme

An inevitable part of this, as of any university course, is the evaluation and the grade.
Actually, in any course, the most important evaluation is your self-evaluation. How many new
and useful ideas and skills did you learn from the course? Has the course changed your view
about yourself, work groups and organizations? If so, your efforts here will pay off. Your course
goals will be assessed in the following manner, and the percentage of your grade is broken
down as below:

Components                     Learning goals assessed   Percentage of the grade

A. Exams (midterm + final)     1, 2, 3                   62% (15% + 47%)
B. Case (4 cases)              1, 2, 3                   20%
C. Online Quiz (9 quizzes)     1, 2, 3                   9%
D. In-class exercise (9 ex)    1, 2, 3                   9%
TOTAL:                                                   100%

A. Exams (62% = midterm exam 15% + Final exam 47%)

There will be no make-up exams except due to extraordinary circumstances beyond your
control such as medical emergencies. If there is a conflict in exam schedule with another
course, you should resolve it. In case of absence due to medical emergencies, you have to
submit appropriate documentation issued by a registered medical practitioner in order to be
considered for a make-up exam.

All course materials, assigned readings, lecture notes, exercises, discussions, are subject to
the examination.

B. Case (20% = 1 case * 14% + 3 cases * 2%)

The objective of the case is to assess your understanding of IS auditing and your ability to apply
it to different business cases. It is group work. A pre-assigned group of 4 to 5 students will study
a case and present their findings in class.

Case participation will be graded based on well-prepared questions and participation. These
marks will be added towards your grade of case presentation.

There will be 4 cases in this course. Each group will be assigned to 1 case for a detailed
analysis, which counts 14% towards the course grade (as the case group). Other students who are
not assigned to that case (participants) are also required to prepare the case individually,
which is graded with a cap of 2% per case.

Each case group needs to submit a presentation file 2 days before the case presentation. A few
groups will be selected as presenting groups to conduct the in-class presentation. The selection
of presenting groups will be announced one day before the presentation.

Students as individuals can also obtain a bonus score by asking constructive questions of the
presenting group in class. A maximum of 1% is granted, without exceeding the maximum participant
score of 2% per case; the bonus is non-cumulative and cannot be carried over to the next case.
For example, if your preparation work for Case 1 was graded 1.5/2, the bonus score you could
obtain is 0.5% for Case 1; the remaining 0.5% would be void and cannot be carried forward to
Case 2/3/4.

Questions from other non-presenting group members are also welcome though no bonus
score would be granted. It would be great if everyone can contribute to the case discussion.

The details will be announced on the course site and presented in class. Below is the case flow,
to help students understand how the case work is done.

C. Online Quiz (9%)

After each part of the video lecture, there will be an online quiz to test students' knowledge of
that part. Students need to answer the online quiz based on the lecture video and the F2F lecture.
Credit is only given when ALL questions in a quiz are answered correctly. There will be 9 online
quizzes in total and each quiz counts 1% towards the total grade.

The deadline for the online quiz is usually 5pm (not 11:59pm) one day before the in-class
exercise lecture. For example, if the in-class exercise lecture is on Sep-14 (Wed), the deadline
for the online quiz would be 5pm on Sep-13 (Tue).

Please follow the deadline stated on Canvas. NO LATE SUBMISSION is allowed for any
reason.

D. In-class Exercise (9%)

There will be an in-class exercise after the completion of the lecture for each topic or sub-topic.
The exercise is group-based and discussion between classmates is strongly encouraged.
There will be 9 in-class exercises in total, each counting 1% towards the total course grade.

Student learning resources

Reference book

Chris Davis, Mike Schiller, Kevin Wheeler (2011), IT Auditing: Using Controls to Protect
Information Assets

ISACA, CISA Review Manual 2013/2014/2015

Course Site

Updates of the course contents and other information will be posted on Canvas -
http://canvas.ust.hk/. You are advised to check this site regularly throughout this course.

Course schedule (Tentative)

L1: Mon., Wed. & Fri. 11:00-11:50 (Room 5620, Lift 31-32, 5/F)

Teaching staff contact details

Prof. Kwok's office is in LSK 4080, 4th floor. You are more than welcome to drop by during his
office hours or at any time with any question you may have. For more urgent matters, his email
is jkwok@ust.hk. You may also contact him by phone (2358-7652), but the best way is email.
Prof. Kwok checks email frequently. The teaching assistant (TA) for this course is Sam Ng, whose
office is in LSK 4065; he is available for any questions regarding grading, attendance, and
other administrative formalities. His email address is imsamng@ust.hk and his office phone
number is 2358-7638.

Academic honesty

Academic integrity is a critical value of the university community. Integrity violations destroy
the fabric of a learning community and the spirit of inquiry that is vital to the effectiveness of
the University. Prof. Kwok has absolutely no tolerance for cheating and there are no
acceptable excuses. Anyone caught cheating, plagiarizing, or committing any other form of
academic dishonesty will have their course grade lowered by at least one letter grade. In
addition, Prof. Kwok is bound to report any unethical behavior or evidence of dishonesty in this
course to the University. Please remember the current university rule: "If a student is
discovered cheating, however minor the offence, the course grade will appear on the student's
record with an X, to show that the grade resulted from cheating. This X grade stays on the
record until graduation. If the student cheats again and "earns" another X grade, the student
will be dismissed from the University." Plagiarism is copying anything (text or ideas) from
another source without citing that source. If you use another person's idea you must cite it,
even if you rewrite the idea in your own words. Extreme care must be taken to avoid passing off
others' work as one's own. You are required to provide appropriate citations when you use ideas
and arguments or otherwise draw on others' work. If you use research from another source or
from the Web you MUST cite the source. This is true even if you use only the general idea and
not the exact words.

Learning environment

Prof. Kwok welcomes feedback on his teaching throughout the semester. You are encouraged
to contact Prof. Kwok or Michael at any time you have questions, suggestions or concerns, or
would like to ask for advice.