Advanced IT Audit School - ITG341


This course covers the key building blocks of modern IT audit: physical and logical security, including identity and access management; the threats to web-based e-commerce; and best practices and standards for auditing servers, databases, and mobile devices. Topics are treated at an advanced level to expose the complexities within them.


NASBA Certified CPE

32 Credits


Why you should attend

This course provides in-depth coverage of complex topics auditors often encounter when reviewing IT operations and related risk management activities. We help you learn the best techniques today to meet the challenges of tomorrow.

Who should attend

IT, internal, or external auditors, IT audit managers, information security managers, and analysts with 5+ years of experience, or those tasked with auditing web servers, application services, database management systems, and enterprise architecture services.

What you'll learn

You will learn about complex IT topics like access control, web architectures and services, application design, server technology, database management, mobile applications, and the risks and legal elements affecting them.


Familiarity with basic IT controls terminology and concepts is assumed. This is an advanced level class with the following prerequisites:

  • Intermediate IT Audit School (ITG241)
  • Network Security Essentials (ASG203)
  • Or equivalent experience.

Course outline

  • Identity and Access Control Management (I&ACM) Architecture:
    • fundamental principles of information security
    • information technology security standards
    • information security goals
    • distributed computing control and security risks
    • essential I&AM policies and standards: GTAG, COSO, ISO 27002
    • information classification
    • risk analysis
    • data breach statistics
    • data security policies
    • secure application design criteria
    • security services – access control, authentication, authorization
    • access control models and architectures
    • security audit log management in multi-tiered applications
    • TCP/IP network risk analysis
    • client/server and middleware security for multi-tiered applications
    • enterprise directory services, LDAP
    • locating control points in complex, multi-tiered applications
    • security awareness
  • Web Application Architectures:
    • web application software architecture and control points
    • protecting the Web server, perimeter security, demilitarized zones
    • HTTP protocol and state management
    • single sign-on (SSO), pros and cons
    • web application markup languages
    • fundamentals of cryptography: ISO 27002 clause 10 (cryptography), TLS, PKI, digital signatures
    • web application threats and vulnerabilities
    • cloud computing and security
    • web application attacks and security strategies
  • Auditing Web (HTTP) Servers:
    • summary of secure server configuration baselines
    • physical threats, vulnerabilities, risks, and countermeasures
    • information storage media protection, sanitization, and disposal
    • emergency procedures
    • human resources controls: hiring practices, badges, terminations and transfers
    • goals for information security safeguards in applications
    • ISO 27002 clause 13, communications security
    • web server configuration: operational and security requirements
    • web server access control security features: Apache, Microsoft IIS
    • perils and protections for remote Web application development
    • application firewalls and intrusion prevention systems
    • tools, techniques, and checklists for discovering and testing Web server security
  • Secure Application Design, Testing and Audit:
    • server-side Web page programming security
    • mobile code security
    • common security vulnerabilities and attacks on Web application software
    • attacks on Web applications and servers: cross-site scripting, SQL injection, buffer overflow
    • input validation and editing, SQL injection
    • software change controls and configuration management
    • web application vulnerability and testing tools
    • tools, techniques, and checklists for auditing security in application design
  • Auditing Application (Middleware) Servers:
    • roles, architecture, and security control points for XML/object-oriented development environments and associated application servers
    • key sources of application server security: declarative vs. programmatic controls, database and Enterprise Information System (EIS) connectors
    • audit and security features in components and servers
    • tools and techniques for auditing and securing application servers
  • Auditing Database Management Systems:
    • database concepts
    • methods for providing data access to users and other applications
    • data access control, authorization, and audit
    • ISO 27002 clause 12, operations security
    • relational database management systems (RDBMS)
    • Structured Query Language (SQL): more than just queries
    • security risks associated with DBMS systems
    • audit and security features for major DBMS products
    • database security safeguards, access controls, roles
    • database triggers, DDL triggers, DML triggers
    • database encryption
    • DBMS audit logging
    • tools, techniques, and checklists for securing and auditing DBMS components
    • database connectors
    • database audits – how to and checklists
  • Web Services and Service-Oriented Architectures (SOA):
    • Simple Object Access Protocol (SOAP) web services definition and architecture
    • SOAP web services standards
    • Service Oriented Architectures (SOA)
    • SOA Enterprise Service Bus (ESB)
    • Representational State Transfer (REST) web services
    • web services audit and security tools, and techniques
  • Mobile Application Security and Audit:
    • key control points in remote access and mobile applications
    • how mobile applications differ from internal server-based applications
    • tools and techniques for protecting the contents of mobile devices
    • checklist for secure mobile and wireless application best practices
  • Laws and Standards Affecting IT Audit:
    • organizational liabilities
    • ethics affecting Information Security
    • international laws, directives, and regulations
    • EU data protection regulation, including the General Data Protection Regulation (GDPR) and its worldwide impact
    • computer crimes and other breaches of information security
    • investigations and evidence of computer crimes
    • incident response
    • information security and auditing standards
    • types of laws
    • privacy issues and legislation
    • intellectual property, copyright laws, and software piracy
    • prominent US and international laws

Schedule your course

Use the table below to select the time and location that works best for you.

Timezone: America/Los_Angeles

August 2021

Aug 16th, 2021-Aug 20th, 2021

ACI Learning is registered with the National Association of State Boards of Accountancy (NASBA) as a sponsor of continuing professional education on the National Registry of CPE Sponsors. State boards of accountancy have final authority on the acceptance of individual courses for CPE credit. Complaints regarding registered sponsors may be submitted to the National Registry of CPE Sponsors through its website: