Firebrand Training Presents CISA ® Certified Information Systems Auditor® 2014 Firebrand Accelerated Learning

Upload: andrew-jori

Post on 30-Sep-2015


  • Firebrand Training

    Presents

    CISA

    Certified Information Systems Auditor

    2014

    Firebrand Accelerated Learning

  • ISACA Exam Candidate Information Guide

    2014


    Table of Contents

    ISACA Certification ........................ 3
    June Important Date ........................ 5
    September Important Date ................... 6
    December Important Date .................... 7
    Exam Day Information ....................... 8
    Post Exam Information ...................... 10

    ISACA

    With more than 110,000 constituents in 180 countries, ISACA (www.isaca.org) helps business and IT leaders maximize value and manage risk related to information and technology. Founded in 1969, the nonprofit, independent ISACA is an advocate for professionals involved in information security, assurance, risk management and governance. These professionals rely on ISACA as the trusted source for information and technology knowledge, community, standards and certification. The association, which has 200 chapters worldwide, advances and validates business-critical skills and knowledge through the globally respected Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), Certified in the Governance of Enterprise IT (CGEIT) and Certified in Risk and Information Systems Control (CRISC) credentials. ISACA also developed and continually updates COBIT, a business framework that helps enterprises in all industries and geographies govern and manage their information and technology.

    ANSI Accredited Program: Personnel Certification #0694, ISO/IEC 17024

    CISA, CISM and CGEIT Program Accreditation Renewed Under ISO/IEC 17024:2003

    The American National Standards Institute (ANSI) has accredited the CISA, CISM and CGEIT certifications under ISO/IEC 17024:2003, General Requirements for Bodies Operating Certification Systems of Persons. ANSI, a private, nonprofit organization, accredits other organizations to serve as third-party product, system and personnel certifiers. ISO/IEC 17024 specifies the requirements to be followed by organizations certifying individuals against specific requirements. ANSI describes ISO/IEC 17024 as expected to play a prominent role in facilitating global standardization of the certification community, increasing mobility among countries, enhancing public safety and protecting consumers.

    ANSI's accreditation:

    - Promotes the unique qualifications and expertise that ISACA certifications provide
    - Protects the integrity of the certifications and provides legal defensibility
    - Enhances consumer and public confidence in the certifications and the people who hold them
    - Facilitates mobility across borders or industries

    Accreditation by ANSI signifies that ISACA's procedures meet ANSI's essential requirements for openness, balance, consensus and due process. With this accreditation, ISACA anticipates that significant opportunities for CISAs, CISMs and CGEITs will continue to present themselves around the world.

    ISACA
    3701 Algonquin Road, Suite 1010
    Rolling Meadows, IL 60008 USA
    Phone: +1.847.253.1545
    Fax: +1.847.253.1443
    Email: [email protected]
    Web site: www.isaca.org

    Participate in the ISACA Knowledge Center: www.isaca.org/knowledge-center
    Follow ISACA on Twitter: https://twitter.com/ISACANews
    Join ISACA on LinkedIn: ISACA (Official), http://linkd.in/ISACAOfficial
    Like ISACA on Facebook: www.facebook.com/ISACAHQ

    Reservation of Rights

    Copyright 2013 ISACA. Reproduction or storage in any form for any purpose is not permitted without ISACA's prior written permission. No other right or permission is granted with respect to this work. All rights reserved.

    ISACA Exams 2014 Important Date Information

    Exam Date: 14 June 2014 Exam
    Early registration deadline: 12 February 2014
    Final registration deadline: 11 April 2014

    Exam registration changes: Between 12 April and 25 April 2014, charged a US $50 fee, with no changes accepted after 25 April 2014

    Refunds: By 11 April 2014, charged a US $100 processing fee, with no refunds after that date

    Deferrals: Requests received on or before 25 April 2014, charged a US $50 processing fee. Requests received from 26 April through 23 May 2014, charged a US $100 processing fee. After 23 May 2014, no deferrals will be permitted.

    All deadlines are based upon Chicago, Illinois, USA 5 p.m. CT (central time)

    Exam Date: 6 September 2014 Exam*
    Early registration deadline: 11 June 2014
    Final registration deadline: 21 July 2014

    * CISA and CISM only at select locations

    Exam registration changes: Between 22 July and 28 July, charged a US $50 fee, with no changes accepted after 28 July 2014

    Refunds: By 21 July 2014, charged a US $100 processing fee, with no refunds after that date

    Deferrals: Requests received on or before 4 August 2014, charged a US $50 processing fee. Requests received from 5 August through 22 August 2014, charged a US $100 processing fee. After 22 August 2014, no deferrals will be permitted.

    All deadlines are based upon Chicago, Illinois, USA 5 p.m. CT (central time)

    Exam Date: 13 December 2014 Exam
    Early registration deadline: 20 August 2014
    Final registration deadline: 24 October 2014

    Exam registration changes: Between 25 October and 31 October, charged a US $50 fee, with no changes accepted after 31 October 2014

    Refunds: By 24 October 2014, charged a US $100 processing fee, with no refunds after that date

    Deferrals: Requests received on or before 24 October 2014, charged a US $50 processing fee. Requests received from 25 October through 28 November 2014, charged a US $100 processing fee. After 28 November 2014, no deferrals will be permitted.

    All deadlines are based upon Chicago, Illinois, USA 5 p.m. CT (central time)

    Note: The CISA German, Italian and Hebrew languages will only be offered at the June exam. Visit www.isaca.org/examlocations for a listing of the exam sites for June and December exam administrations. Visit www.isaca.org/sept2014sites for the exam sites for the September exam administration.

    Please contact [email protected] for further information.


    ISACA CERTIFICATION: IS AUDIT, SECURITY, GOVERNANCE AND RISK AND CONTROL

    The ISACA Exam Candidate Information Guide includes candidate information about exam registration, dates, and deadlines and provides important key candidate details for exam day administration. This publication is available online at www.isaca.org/examguide.

    ISACA offers the following certifications: Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), Certified in the Governance of Enterprise IT (CGEIT), and Certified in Risk and Information Systems Control (CRISC). A brief summary of each follows.

    CISA

    Description: The CISA designation is a globally recognized certification for IS audit control, assurance, and security professionals.

    Eligibility requirements: Five (5) or more years of experience in IS audit, control, assurance, or security. Waivers are available for a maximum of three (3) years.

    Domains (%):
    Domain 1: The Process of Auditing Information Systems (14%)
    Domain 2: Governance and Management of IT (14%)
    Domain 3: Information Systems Acquisition, Development, and Implementation (19%)
    Domain 4: Information Systems Operations, Maintenance and Support (23%)
    Domain 5: Protection of Information Assets (30%)

    Number of exam questions* / length of exam: 200 questions: 4 hours

    CISM

    Description: The management-focused CISM certification promotes international security practices and recognizes the individual who manages, designs, and oversees and assesses an enterprise's information security.

    Eligibility requirements: Five (5) or more years of experience in information security management. Waivers are available for a maximum of two (2) years.

    Domains (%):
    Domain 1: Information Security Governance (24%)
    Domain 2: Information Risk Management and Compliance (33%)
    Domain 3: Information Security Program Development and Management (25%)
    Domain 4: Information Security Incident Management (18%)

    Number of exam questions* / length of exam: 200 questions: 4 hours

    CGEIT

    Description: CGEIT recognizes a wide range of professionals for their knowledge and application of enterprise IT governance principles and practices.

    Eligibility requirements: Five (5) or more years of experience managing, serving in an advisory or oversight role, and/or otherwise supporting the governance of the IT-related contribution to an enterprise, including a minimum of one year of experience relating to the definition, establishment and management of a Framework for the Governance of IT. There are no substitutions or experience waivers.

    Domains (%):
    Domain 1: Framework for the Governance of Enterprise IT (25%)
    Domain 2: Strategic Management (20%)
    Domain 3: Benefits Realization (16%)
    Domain 4: Risk Optimization (24%)
    Domain 5: Resource Optimization (15%)

    Number of exam questions* / length of exam: 150 questions: 4 hours

    CRISC

    Description: CRISC certification is designed for those experienced in business and technology risk management, and the design, implementation, monitoring and maintenance of IS control.

    Eligibility requirements: Three (3) or more years of cumulative work experience performing the tasks of a CRISC professional across at least three (3) CRISC domains is required for certification. There are no substitutions or experience waivers.

    Domains (%):
    Domain 1: Risk Identification, Assessment and Evaluation (31%)
    Domain 2: Risk Response (17%)
    Domain 3: Risk Monitoring (17%)
    Domain 4: Information Systems Control Design and Implementation (17%)
    Domain 5: IS Control Monitoring and Maintenance (18%)

    Number of exam questions* / length of exam: 200 questions: 4 hours

    * Consists of multiple choice items that cover the respective job practice areas created from the most recent job practice analysis. See page 10 for related links.


    REGISTERING FOR THE EXAM

    Register for the Exam

    You can register for an ISACA exam via online registration or hard copy registration form. To place your online registration via the ISACA web site, visit www.isaca.org/examreg. To register via hard copy registration form, complete the hard copy registration form provided at www.isaca.org/exam and fax or mail it to ISACA along with your payment information.

    Note: Faxed/mailed registrations will incur an additional US $75 charge.

    Submit Registration Fees and Payment

    Fee schedule (ISACA member / non-ISACA member):
    Online early registrations received on or before early registration deadline: US $420 / US $600
    Online final registrations received by final registration deadline: US $470 / US $650

    Note: Registration form and payment must be received on or before the early registration deadline to qualify for the early registration rate.

    Notes: The CISA German, Italian and Hebrew languages will only be offered at the June exam. Visit www.isaca.org/examlocations for a listing of the exam sites for June and December exam administration. Visit www.isaca.org/sept2014sites for the exam sites for the September exam administration.

    Please contact [email protected] for further information.

    Consider ISACA Membership

    If you are not yet an ISACA member, consider joining during the registration process and enjoy the member discount on your exam and study materials.

    Please visit www.isaca.org/join for detailed information on membership benefits and fees.

    Join dates / Member through:
    From 1 August 2013 to 30 May 2014 / 31 December 2014
    From 1 June 2014 to 31 July 2014 / 31 December 2014
    From 1 August 2014 to December 2014 / 31 December 2015

    Due Dates

    Deadlines are based on Chicago, Illinois, USA, 5 P.M. Central Time (UTC/GMT-06:00 Chicago, Illinois, USA). If not registering online, please mail or fax the registration form to ISACA. Do not do both. Submitting duplicate registrations online and/or by hard copy to ISACA may result in multiple registrations and charges. Final registration forms and payment must be postmarked or received by fax on or before the final registration date for the exam you are registering for. Both pages of the registration form must be received to complete a registration.

    Acknowledgment of Registration

    An email acknowledgement of the exam registration, exam test site and exam language will be sent to registrants shortly after the processing of the registration. Please review the exam registration details carefully and contact the ISACA certification department at [email protected] for any corrections or changes. A receipt letter acknowledging exam registration and payment with a link to ISACA's Exam Candidate Information Guide should be received by exam registrants within four weeks (depending on your worldwide location and local postal delivery) of the processing of the registration form and payment.


    JUNE IMPORTANT DATE INFORMATION

    Exam Date 14 June 2014

    Exam Registration Changes

    Changes to the exam site, test language and candidate name are subject to the following charges:

    - On or before 11 April 2014 ................................ No charge
    - 12 April through 25 April 2014 .......................... US $50

    No exam registration changes will be granted after 25 April 2014.

    Refund and Deferrals of Fees

    Refund: Candidates unable to take the exam are eligible for a refund of registration fees, less a US $100 processing fee, if such a request is received in writing on or before 11 April 2014. All requests for a refund after this date will be denied. Exam candidates who have deferred their exam are not eligible for a refund of their deferral fee and associated exam payment.

    Deferrals: Exam registrants may elect to defer their registration to the following exam date. A deferral fee is required based on the following schedule:

    - On or before 25 April ......................................... US $50
    - 26 April through 23 May .................................... US $100

    Deferral requests will not be accepted after 23 May 2014. To request a deferral, please go to www.isaca.org/examdefer. Exam candidates who have deferred their exam are not eligible for a refund of their deferral fee and associated exam payment. Exam candidates who do not appear for the exam (or arrive too late to be admitted) are not eligible for a refund or deferral of their exam registration payment.

    Any candidate who has not received his/her admission ticket by 1 June 2014 should contact the ISACA certification department at [email protected] or via phone at +1.847.660.5660.

    Special Accommodations

    Upon request, ISACA will make reasonable accommodations in its exam procedures for candidates with documented disabilities or religious requirements. Consideration for reasonable alterations in scheduling, exam format, presentation, and allowance of food or drink at the exam site must be requested. Documented disability requests must be accompanied by a doctor's note. Requests for a religious requirement must be accompanied by a note from the candidate's religious leader. Unless requested and approved, no food or drink is allowed at any exam site. Requests for consideration must be submitted to ISACA International Headquarters in writing, accompanied by appropriate documentation, no later than 25 April 2014.

    Request for Additional Test Centers

    If an exam center is not available within 100 miles (160 kilometers) of the location in which a candidate wants to be tested, and if there are ten or more paid candidates who wish to enter as a group at this location, they may request that a new exam center be established. Written requests for establishment of new exam centers, including a minimum of ten paid registration forms, must be received at ISACA International Headquarters no later than 1 February 2014. While there is no guarantee that a new exam center can be arranged, every attempt will be made to provide one.

    Exam Locations

    For a complete listing of the exam sites for the June exam administration visit www.isaca.org/examlocations.

    All deadlines are based on Chicago, Illinois, USA, 5 p.m. Central Time (UTC/GMT-06:00 Chicago, Illinois, USA). No refunds or exchanges will be given for study aids, associated taxes, shipping and handling charges, or membership dues. Exam registration and membership fees are nontransferable.



    SEPTEMBER IMPORTANT DATE INFORMATION

    Exam Date 6 September 2014

    The September exam administration is only offered for the CISA and CISM certification exams at limited exam sites.

    Exam Registration Changes

    Changes to the exam site, test language and candidate name are subject to the following charges:

    - On or before 21 July 2014 ................................. No charge
    - 22 July through 28 July 2014 ........................... US $50

    No exam registration changes will be granted after 28 July 2014.

    Refund and Deferrals of Fees

    Refund: Candidates unable to take the exam are eligible for a refund of registration fees, less a US $100 processing fee, if such a request is received in writing on or before 21 July 2014. All requests for a refund after this date will be denied. Exam candidates who have deferred their exam are not eligible for a refund of their deferral fee and associated exam payment.

    Deferrals: Exam registrants may elect to defer their registration to the following exam date. A deferral fee is required based on the following schedule:

    - On or before 4 August 2014 .............................. US $50
    - 5 August through 22 August 2014 ..................... US $100

    Deferral requests will not be accepted after 22 August 2014. To request a deferral, please go to www.isaca.org/examdefer. Exam candidates who have deferred their exam are not eligible for a refund of their deferral fee and associated exam payment. Exam candidates who do not appear for the exam (or arrive too late to be admitted) are not eligible for a refund or deferral of their exam registration payment.

    Any candidate who has not received his/her admission ticket by 15 August 2014 should contact the ISACA certification department at [email protected] or via phone at +1.847.660.5660.

    Special Accommodations

    Upon request, ISACA will make reasonable accommodations in its exam procedures for candidates with documented disabilities. Consideration for reasonable alterations in exam format, presentation, and allowance of food or drink at the exam site must be requested and accompanied by a doctor's note. Unless requested and approved, no food or drink is allowed at any exam site. Requests for consideration must be submitted to ISACA International Headquarters in writing, accompanied by appropriate documentation, no later than 21 July 2014.

    Exam Locations

    For a complete listing of the exam sites for the September exam administration visit www.isaca.org/sept2014sites.

    All deadlines are based on Chicago, Illinois, USA, 5 p.m. Central Time (UTC/GMT-06:00 Chicago, Illinois, USA). No refunds or exchanges will be given for study aids, associated taxes, shipping and handling charges, or membership dues. Exam registration and membership fees are nontransferable.


    DECEMBER IMPORTANT DATE INFORMATION

    Exam Date 13 December 2014

    Exam Registration Changes

    Changes to the exam site, test language and candidate name are subject to the following charges:

    - On or before 24 October .................................... No charge
    - 25 October through 31 October ......................... US $50

    No exam registration changes will be granted after 31 October 2014.

    Refund and Deferrals of Fees

    Refund: Candidates unable to take the exam are eligible for a refund of registration fees, less a US $100 processing fee, if such a request is received in writing on or before 24 October 2014. All requests for a refund after this date will be denied. Exam candidates who have deferred their exam are not eligible for a refund of their deferral fee and associated exam payment.

    Deferrals: Exam registrants may elect to defer their registration to the following exam date. A deferral fee is required based on the following schedule:

    - On or before 24 October .................................... US $50
    - 25 October through 28 November ..................... US $100

    Deferral requests will not be accepted after 28 November 2014. To request a deferral, please go to www.isaca.org/examdefer. Exam candidates who have deferred their exam are not eligible for a refund of their deferral fee and associated exam payment. Exam candidates who do not appear for the exam (or arrive too late to be admitted) are not eligible for a refund or deferral of their exam registration payment.

    Any candidate who has not received his/her admission ticket by 1 December 2014 should contact the ISACA certification department at [email protected] or via phone at +1.847.660.5660.

    Special Accommodations

    Upon request, ISACA will make reasonable accommodations in its exam procedures for candidates with documented disabilities or religious requirements. Consideration for reasonable alterations in scheduling, exam format, presentation, and allowance of food or drink at the exam site must be requested. Documented disability requests must be accompanied by a doctor's note. Requests for a religious requirement must be accompanied by a note from the candidate's religious leader. Unless requested and approved, no food or drink is allowed at any exam site. Requests for consideration must be submitted to ISACA International Headquarters in writing, accompanied by appropriate documentation, no later than 24 October 2014.

    Request for Additional Test Centers

    If an exam center is not available within 100 miles (160 kilometers) of the location in which a candidate wants to be tested, and if there are ten or more paid candidates who wish to enter as a group at this location, they may request that a new exam center be established. Written requests for establishment of new exam centers, including a minimum of ten paid registration forms, must be received at ISACA International Headquarters no later than 1 August 2014. While there is no guarantee that a new exam center can be arranged, every attempt will be made to provide one.

    Exam Locations

    For a complete listing of the exam sites for the December exam administration visit www.isaca.org/examlocations.

    All deadlines are based on Chicago, Illinois, USA, 5 p.m. Central Time (UTC/GMT-06:00 Chicago, Illinois, USA). No refunds or exchanges will be given for study aids, associated taxes, shipping and handling charges, or membership dues. Exam registration and membership fees are nontransferable.


    EXAM DAY INFORMATION

    Admission Ticket

    Approximately two to three weeks prior to the exam date, candidates will be sent an email admission ticket (e-ticket) from ISACA. Exam candidates can also download a copy of the admission ticket at www.isaca.org > MyISACA page of the web site. Tickets will indicate the date, registration time and location of the exam, as well as a schedule of events for that day and a list of materials that candidates must bring with them to take the exam. Candidates are not to write on the admission ticket. Candidates can use their admission ticket (either a printout of their e-ticket or their downloaded ticket) only at the designated test center.

    Identification on Exam Day

    Candidates will be admitted to the test center only if they have a valid admission ticket and an acceptable form of identification (ID). An acceptable form of ID must be a current and original government-issued ID that contains the candidate's name, as it appears on the admission ticket, and the candidate's photograph. The information on the ID cannot be handwritten. All of these characteristics must be demonstrated by the single piece of ID provided. Examples include, but are not limited to, a passport, driver's license, military ID, state ID, green card and national ID. Any candidate who does not provide an acceptable form of ID will not be allowed to sit for the exam and will forfeit his/her registration fee. IDs will be checked during the exam administration.

    Please Note: In order to receive an admission ticket, all fees must be paid. Admission tickets are sent via email to the current email address on file. Only candidates with an admission ticket and an acceptable government-issued ID will be admitted to take the exam, and the name on the admission ticket must match the name on the government-issued ID. If candidates' mailing and/or email addresses change, they should update their profile on the ISACA web site (www.isaca.org) or contact [email protected].

    Arrival Time for Exam

    It is imperative that candidates note the specific registration and exam times on their admission ticket. NO CANDIDATE WILL BE ADMITTED TO THE TEST CENTER ONCE THE CHIEF EXAMINER BEGINS READING THE ORAL INSTRUCTIONS, APPROXIMATELY 30 MINUTES BEFORE THE EXAM BEGINS. Any candidate who arrives after the oral instructions have begun will not be allowed to sit for the exam and will forfeit his/her registration fee. An admission ticket can only be used at the designated test center specified on the admission ticket. To ensure that you arrive in plenty of time for the exam, we recommend that you become familiar with the exact location and the best travel route to your exam site prior to the date of the exam. Test center telephone numbers and web site references have been provided (when available) to assist you in obtaining directions to the facility.

    Observe the Test Center's Rules

    Candidates will not be admitted to a test center after the oral instructions have begun. Candidates should bring several sharpened no. 2 or HB (soft lead) pencils and a good eraser. Pencils and erasers will not be available at the test center.

    As exam venues vary, every attempt will be made to make the climate control comfortable at each exam venue. Candidates may want to dress to their own comfort level.

    Candidates are not allowed to bring reference materials, blank paper, note pads or language dictionaries into the test center. Candidates are not allowed to bring or use a calculator in the test center. Candidates are not allowed to bring any type of communication device (e.g., cell phones, PDAs, BlackBerrys) into the test center. If exam candidates are viewed with any such device during the exam administration, their exams will be voided and they will be asked to immediately leave the exam site.

    Visitors are not permitted in the test center. No food or beverages are allowed in the test center (without advance authorization from ISACA).

    Misconduct

    Candidates who are discovered engaging in any kind of misconduct, such as giving or receiving help; using notes, papers or other aids; attempting to take the exam for someone else; using any type of communication device, including cell phones, during the exam administration; or removing the exam booklet, answer sheet or notes from the testing room, will be disqualified. Candidates who leave the testing area without authorization or accompaniment by a test proctor will not be allowed to return to the testing room and will be subject to disqualification. The testing agency will report such irregularities to the respective ISACA Certification Committee.

    Reasons for Dismissal or Disqualification

    - Unauthorized admission to the test center
    - Candidate creates a disturbance or gives or receives help
    - Candidate attempts to remove test materials or notes from the test center
    - Candidate impersonates another candidate
    - Candidate brings items into the test center that are not permitted
    - Candidate possession of any communication device (e.g., cell phone, PDA, BlackBerry) during the exam administration
    - Candidate unauthorized leave of the test area


    Candidates are not allowed to bring any type of communication device into the test center. If candidates are observed with any communication device (e.g., cellular phone, PDA, BlackBerry) during the exam administration, their exams will be voided and they will be asked to immediately leave the test site. Neither ISACA nor its testing vendor takes responsibility for personal belongings of candidates. ISACA will not assume responsibility for stolen, lost or damaged personal property. To review the Personal Belongings Policy, please visit www.isaca.org/cisabelongings, www.isaca.org/cismbelongings, www.isaca.org/cgeitbelongings, or www.isaca.org/criscbelongings.

    Taking the Exam / Types of Questions on the Exams

    Exam questions are developed with the intent of measuring and testing practical knowledge and the application of general concepts and standards. All questions are designed with one best answer.

    Every question has a stem (question) and four options (answer choices). The candidate is asked to choose the correct or best answer from the options. The stem may be in the form of a question or incomplete statement. In some instances, a scenario may also be included. These questions normally include a description of a situation and require the candidate to answer two or more questions based on the information provided. The candidate is cautioned to read each question carefully. An exam question may require the candidate to choose the appropriate answer based on a qualifier, such as MOST likely or BEST. In every case, the candidate is required to read the question carefully, eliminate known incorrect answers and then make the best choice possible. To gain a better understanding of the types of questions that might appear on the exam and how these questions are developed, refer to the Item Writing Guide available at www.isaca.org/itemwriter. Representations of CISA exam questions are available at www.isaca.org/cisaassessment; CISM exam questions are available at www.isaca.org/cismassessment.

    Conduct Oneself Properly

    To protect the security of the exam and maintain the validity of the scores, candidates are asked to sign the answer sheet. The respective ISACA Certification Committee reserves the right to disqualify any candidate who is discovered engaging in any kind of misconduct or violation of exam rules, such as giving or receiving help; using notes, papers or other aids; attempting to take the exam for someone else; or removing test materials or notes from the test center. The testing agency will provide the respective ISACA Certification Committee with records regarding such irregularities for their review and to render a decision.

    Be Careful in Completing the Answer Sheet

    Before a candidate begins the exam, the test center chief examiner will read aloud the instructions for entering identification information on the answer sheet. A candidate's identification number as it appears on the admission ticket and all other requested information must be correctly entered or scores may be delayed or incorrectly reported.

    A proctor speaking the primary language used at each test center is available. If a candidate desires to take the exam in a language other than the primary language of the test center, the proctor may not be conversant in the language chosen. However, written instructions will be available in the language of the exam.

    A candidate is instructed to read all instructions carefully and understand them before attempting to answer the questions. Candidates who skip over the directions or read them too quickly could miss important information and possibly lose credit.

    All answers are to be marked in the appropriate circle on the answer sheet. Candidates must be careful not to mark more than one answer per question and to be sure to answer a question in the appropriate row of answers. If an answer needs to be changed, a candidate is urged to erase the wrong answer fully before marking in the new one.

    All questions should be answered. There are no penalties for incorrect answers. Grades are based solely on the number of questions answered correctly, so do not leave any questions blank.

    After completion, candidates are required to hand in their answer sheet and test booklet.

Budget One's Time

The exam is four hours in length. Candidates are advised to pace themselves to complete the entire exam. Candidates are urged to record their answers on the answer sheet immediately. No additional time will be allowed after the exam time has elapsed to transfer or record answers should a candidate mark answers in the test booklet.

Exam Day Comments

ISACA utilizes an internationally recognized professional testing agency to assist in the construction, administration and scoring of the exams.

    Candidates wishing to comment on the test administration conditions may do so at the conclusion of the testing session by completing the Test Administration Questionnaire. The Test Administration Questionnaire is presented at the back of the examination booklet with corresponding instructions for completion.

    Candidates who wish to address any additional comments or concerns about the examination administration, including site conditions or the content of the exam, should contact ISACA international headquarters by letter or by email ([email protected]). Please include the following information in your comments: exam ID number, testing site, date tested and any relevant details on the specific issue. Only those comments received by ISACA during the first 2 weeks after the exam administration will be considered in the final scoring of the exam.


Post Exam Information

Scoring the Exams

The ISACA exams consist of multiple-choice items. Candidate scores are reported as a scaled score. A scaled score is a conversion of a candidate's raw score on an exam to a common scale. ISACA uses and reports scores on a common scale from 200 to 800. For example, the scaled score of 800 represents a perfect score with all questions answered correctly; a scaled score of 200 is the lowest score possible and signifies that only a small number of questions were answered correctly. A candidate must receive a score of 450 or higher to pass the exam. A score of 450 represents a minimum consistent standard of knowledge. A candidate receiving a passing score may then apply for certification if all other requirements are met.

The exams contain some questions that are included for research and analysis purposes only. These questions are not separately identified and are not used to calculate your final score.

Approximately five weeks for CISA/CISM and eight weeks for CGEIT/CRISC after the test date, the official exam results will be mailed to candidates. Additionally, with the candidate's consent during the registration process, an email message containing the candidate's pass/fail status and score will be sent to the candidate. This email notification will only be sent to the address listed in the candidate's profile at the time of the initial release of the results. To ensure the confidentiality of scores, exam results will not be reported by telephone or fax. To prevent the email notification from being routed to spam folders, candidates should add [email protected] to their address book, whitelist or safe-senders list.

    Candidates will receive a score report containing a subscore for each domain area. Successful candidates will receive, along with a score report, details on how to apply for certification.

    The subscores can be useful in identifying those areas in which the unsuccessful candidate may need further study before retaking the exam. Unsuccessful candidates should note that the total scaled score cannot be determined by calculating either a simple or weighted average of the subscores.

Candidates receiving a failing score on the exam may request a hand score of their answer sheets. This procedure ensures that no stray marks, multiple responses or other conditions interfered with computer scoring. Candidates should understand, however, that all scores are subject to several quality control checks before they are reported; therefore, rescores most likely will not result in a score change. Requests for hand scoring must be made in writing to the certification department within 90 days following the release of the exam results. Requests for a hand score after the deadline date will not be processed. All requests must include the candidate's name, exam identification number and mailing address. A fee of US $75 must accompany each request.

    Passing the exam does not grant the designation. To become certified, each exam passer must complete requirements including submitting an application for certification. Candidates receiving a score less than 450 have not passed and can retake the exam by registering and paying the exam registration fee for the future administration. There are no limits to how many times a candidate can take the exam.

ISACA Code of Professional Ethics

ISACA sets forth a Code of Professional Ethics to guide the professional and personal conduct of members of the association and/or its certification holders. Members and certification holders are required to abide by the Code. Failure to comply with this Code of Professional Ethics can result in an investigation into a member's and/or certification holder's conduct and, ultimately, in disciplinary measures. The ISACA Code of Professional Ethics can be viewed online at www.isaca.org/ethics.

Important Additional References

These references contain essential exam information and should be read in their entirety.

Certification: CISA www.isaca.org/cisa; CISM www.isaca.org/cism; CGEIT www.isaca.org/cgeit; CRISC www.isaca.org/crisc

Preparing for the Exam: CISA www.isaca.org/cisaprep; CISM www.isaca.org/cismprep; CGEIT www.isaca.org/cgeitprep; CRISC www.isaca.org/criscprep

Requirements for Certification: CISA www.isaca.org/cisarequirements; CISM www.isaca.org/cismrequirements; CGEIT www.isaca.org/cgeitrequirements; CRISC www.isaca.org/criscrequirements

Job Practice: CISA www.isaca.org/cisajobpractice; CISM www.isaca.org/cismjobpractice; CGEIT www.isaca.org/cgeitjobpractice; CRISC www.isaca.org/criscjobpractice

Applying for Certification: CISA www.isaca.org/cisaapp; CISM www.isaca.org/cismapp; CGEIT www.isaca.org/cgeitapp; CRISC www.isaca.org/criscapp

Maintaining your Certification: CISA www.isaca.org/cisacpepolicy; CISM www.isaca.org/cismcpepolicy; CGEIT www.isaca.org/cgeitcpepolicy; CRISC www.isaca.org/crisccpepolicy

Glossary of Terms (all four exams): www.isaca.org/glossary

Acronyms: CISA www.isaca.org/cisaprep; CISM www.isaca.org/cismprep


Available Study Materials From ISACA

Passing an ISACA exam can be achieved through an organized plan of study. To assist individuals with the development of a successful study plan, ISACA offers study aids to exam candidates. Visit www.isaca.org/bookstore for more complete details, including detailed descriptions of the products, costs and languages available. Order early, as delivery time can be one to two weeks depending on geographic location and customs clearance practices.

CISA:
CISA Review Manual 2014
CISA Review Questions, Answers & Explanations Manual 2013
CISA Review Questions, Answers & Explanations Manual 2013 Supplement
CISA Review Questions, Answers & Explanations Manual 2014 Supplement
CISA Practice Question Database V14 (CD-ROM or download version)
CISA Online Review Course

CISM:
CISM Review Manual 2014
CISM Review Questions, Answers & Explanations Manual 2014
CISM Review Questions, Answers & Explanations Manual 2014 Supplement
CISM Practice Question Database V14 (CD-ROM or download version)

CGEIT:
CGEIT Review Manual 2014
CGEIT Review Questions, Answers & Explanations Manual 2013
CGEIT Review Questions, Answers & Explanations Manual 2013 Supplement
CGEIT Review Questions, Answers & Explanations Manual 2014 Supplement
COBIT 5

CRISC:
CRISC Review Manual 2014
CRISC Review Questions, Answers & Explanations Manual 2013
CRISC Review Questions, Answers & Explanations Manual 2013 Supplement
CRISC Review Questions, Answers & Explanations Manual 2014 Supplement
CRISC Exam Self Study

ISACA Contact Information

Exam and exam registration: Phone +1.847.660.5660; Fax +1.847.253.1443; Email [email protected]

Certification: Phone +1.847.660.5660; Fax +1.847.253.1443; Email [email protected]

Study aids: Phone +1.847.660.5650; Email [email protected]

ISACA membership: Phone +1.847.660.5600; Email [email protected]

DOC: 2014 Exam Candidates Guide; Version: V2; Updated: 2013-11-13

CISA Job Practice Areas

A job practice serves as the basis for the exam and the requirements to earn the certification. This job practice consists of task and knowledge statements, organized by domains.

CISA Certification Job Practice Notice: A CISA job practice analysis has been completed. This analysis resulted in a new CISA job practice which reflects the vital and evolving responsibilities of IT auditors. The new CISA job practice (identified below) was effective beginning with the June 2011 CISA exam administration.

For purposes of these statements, the terms "enterprise" and "organization" or "organizational" are considered synonymous.

The job practice domains and task and knowledge statements are as follows:

Domain 1: The Process of Auditing Information Systems (14%)
Domain 2: Governance and Management of IT (14%)
Domain 3: Information Systems Acquisition, Development and Implementation (19%)
Domain 4: Information Systems Operations, Maintenance and Support (23%)
Domain 5: Protection of Information Assets (30%)

Domain 1: The Process of Auditing Information Systems (14%)

Provide audit services in accordance with IT audit standards to assist the organization in protecting and controlling information systems.

Domain 1 Task Statements:
1.1 Develop and implement a risk-based IT audit strategy in compliance with IT audit standards to ensure that key areas are included.
1.2 Plan specific audits to determine whether information systems are protected, controlled and provide value to the organization.
1.3 Conduct audits in accordance with IT audit standards to achieve planned audit objectives.
1.4 Report audit findings and make recommendations to key stakeholders to communicate results and effect change when necessary.
1.5 Conduct follow-ups or prepare status reports to ensure appropriate actions have been taken by management in a timely manner.

Domain 1 Knowledge Statements:
1.1 Knowledge of ISACA IT Audit and Assurance Standards, Guidelines and Tools and Techniques, Code of Professional Ethics and other applicable standards
1.2 Knowledge of risk assessment concepts, tools and techniques in an audit context
1.3 Knowledge of control objectives and controls related to information systems
1.4 Knowledge of audit planning and audit project management techniques, including follow-up
1.5 Knowledge of fundamental business processes (e.g., purchasing, payroll, accounts payable, accounts receivable) including relevant IT
1.6 Knowledge of applicable laws and regulations which affect the scope, evidence collection and preservation, and frequency of audits
1.7 Knowledge of evidence collection techniques (e.g., observation, inquiry, inspection, interview, data analysis) used to gather, protect and preserve audit evidence
1.8 Knowledge of different sampling methodologies
1.9 Knowledge of reporting and communication techniques (e.g., facilitation, negotiation, conflict resolution, audit report structure)
1.10 Knowledge of audit quality assurance systems and frameworks

Domain 2: Governance and Management of IT (14%)

Provide assurance that the necessary leadership and organization structure and processes are in place to achieve objectives and to support the organization's strategy.

Domain 2 Task Statements:
2.1 Evaluate the effectiveness of the IT governance structure to determine whether IT decisions, directions and performance support the organization's strategies and objectives.
2.2 Evaluate IT organizational structure and human resources (personnel) management to determine whether they support the organization's strategies and objectives.
2.3 Evaluate the IT strategy, including the IT direction, and the processes for the strategy's development, approval, implementation and maintenance for alignment with the organization's strategies and objectives.
2.4 Evaluate the organization's IT policies, standards, and procedures, and the processes for their development, approval, implementation, maintenance, and monitoring, to determine whether they support the IT strategy and comply with regulatory and legal requirements.
2.5 Evaluate the adequacy of the quality management system to determine whether it supports the organization's strategies and objectives in a cost-effective manner.
2.6 Evaluate IT management and monitoring of controls (e.g., continuous monitoring, QA) for compliance with the organization's policies, standards and procedures.
2.7 Evaluate IT resource investment, use and allocation practices, including prioritization criteria, for alignment with the organization's strategies and objectives.
2.8 Evaluate IT contracting strategies and policies, and contract management practices to determine whether they support the organization's strategies and objectives.
2.9 Evaluate risk management practices to determine whether the organization's IT-related risks are properly managed.
2.10 Evaluate monitoring and assurance practices to determine whether the board and executive management receive sufficient and timely information about IT performance.
2.11 Evaluate the organization's business continuity plan to determine the organization's ability to continue essential business operations during the period of an IT disruption.

Domain 2 Knowledge Statements:
2.1 Knowledge of IT governance, management, security and control frameworks, and related standards, guidelines, and practices
2.2 Knowledge of the purpose of IT strategy, policies, standards and procedures for an organization and the essential elements of each
2.3 Knowledge of organizational structure, roles and responsibilities related to IT
2.4 Knowledge of the processes for the development, implementation and maintenance of IT strategy, policies, standards and procedures
2.5 Knowledge of the organization's technology direction and IT architecture and their implications for setting long-term strategic directions
2.6 Knowledge of relevant laws, regulations and industry standards affecting the organization
2.7 Knowledge of quality management systems
2.8 Knowledge of the use of maturity models
2.9 Knowledge of process optimization techniques
2.10 Knowledge of IT resource investment and allocation practices, including prioritization criteria (e.g., portfolio management, value management, project management)
2.11 Knowledge of IT supplier selection, contract management, relationship management and performance monitoring processes including third party outsourcing relationships
2.12 Knowledge of enterprise risk management
2.13 Knowledge of practices for monitoring and reporting of IT performance (e.g., balanced scorecards, key performance indicators [KPI])
2.14 Knowledge of IT human resources (personnel) management practices used to invoke the business continuity plan
2.15 Knowledge of business impact analysis (BIA) related to business continuity planning
2.16 Knowledge of the standards and procedures for the development and maintenance of the business continuity plan and testing methods

Domain 3: Information Systems Acquisition, Development and Implementation (19%)

Provide assurance that the practices for the acquisition, development, testing and implementation of information systems meet the organization's strategies and objectives.

Domain 3 Task Statements:
3.1 Evaluate the business case for the proposed investments in information systems acquisition, development, maintenance and subsequent retirement to determine whether it meets business objectives.
3.2 Evaluate the project management practices and controls to determine whether business requirements are achieved in a cost-effective manner while managing risks to the organization.
3.3 Conduct reviews to determine whether a project is progressing in accordance with project plans, is adequately supported by documentation and status reporting is accurate.
3.4 Evaluate controls for information systems during the requirements, acquisition, development and testing phases for compliance with the organization's policies, standards, procedures and applicable external requirements.
3.5 Evaluate the readiness of information systems for implementation and migration into production to determine whether project deliverables, controls and the organization's requirements are met.
3.6 Conduct post-implementation reviews of systems to determine whether project deliverables, controls and the organization's requirements are met.

Domain 3 Knowledge Statements:
3.1 Knowledge of benefits realization practices (e.g., feasibility studies, business cases, total cost of ownership [TCO], ROI)
3.2 Knowledge of project governance mechanisms (e.g., steering committee, project oversight board, project management office)
3.3 Knowledge of project management control frameworks, practices and tools
3.4 Knowledge of risk management practices applied to projects
3.5 Knowledge of IT architecture related to data, applications and technology (e.g., distributed applications, web-based applications, web services, n-tier applications)
3.6 Knowledge of acquisition practices (e.g., evaluation of vendors, vendor management, escrow)
3.7 Knowledge of requirements analysis and management practices (e.g., requirements verification, traceability, gap analysis, vulnerability management, security requirements)
3.8 Knowledge of project success criteria and risks
3.9 Knowledge of control objectives and techniques that ensure the completeness, accuracy, validity and authorization of transactions and data
3.10 Knowledge of system development methodologies and tools including their strengths and weaknesses (e.g., agile development practices, prototyping, rapid application development [RAD], object-oriented design techniques)
3.11 Knowledge of testing methodologies and practices related to information systems development
3.12 Knowledge of configuration and release management relating to the development of information systems
3.13 Knowledge of system migration and infrastructure deployment practices and data conversion tools, techniques and procedures
3.14 Knowledge of post-implementation review objectives and practices (e.g., project closure, control implementation, benefits realization, performance measurement)

Domain 4: Information Systems Operations, Maintenance and Support (23%)

Provide assurance that the processes for information systems operations, maintenance and support meet the organization's strategies and objectives.

Domain 4 Task Statements:
4.1 Conduct periodic reviews of information systems to determine whether they continue to meet the organization's objectives.
4.2 Evaluate service level management practices to determine whether the level of service from internal and external service providers is defined and managed.
4.3 Evaluate third party management practices to determine whether the levels of controls expected by the organization are being adhered to by the provider.
4.4 Evaluate operations and end-user procedures to determine whether scheduled and non-scheduled processes are managed to completion.
4.5 Evaluate the process of information systems maintenance to determine whether it is controlled effectively and continues to support the organization's objectives.
4.6 Evaluate data administration practices to determine the integrity and optimization of databases.
4.7 Evaluate the use of capacity and performance monitoring tools and techniques to determine whether IT services meet the organization's objectives.
4.8 Evaluate problem and incident management practices to determine whether incidents, problems or errors are recorded, analyzed and resolved in a timely manner.
4.9 Evaluate change, configuration and release management practices to determine whether scheduled and non-scheduled changes made to the organization's production environment are adequately controlled and documented.
4.10 Evaluate the adequacy of backup and restore provisions to determine the availability of information required to resume processing.
4.11 Evaluate the organization's disaster recovery plan to determine whether it enables the recovery of IT processing capabilities in the event of a disaster.

Domain 4 Knowledge Statements:
4.1 Knowledge of service level management practices and the components within a service level agreement
4.2 Knowledge of techniques for monitoring third party compliance with the organization's internal controls
4.3 Knowledge of operations and end-user procedures for managing scheduled and non-scheduled processes
4.4 Knowledge of the technology concepts related to hardware and network components, system software and database management systems
4.5 Knowledge of control techniques that ensure the integrity of system interfaces
4.6 Knowledge of software licensing and inventory practices
4.7 Knowledge of system resiliency tools and techniques (e.g., fault tolerant hardware, elimination of single point of failure, clustering)
4.8 Knowledge of database administration practices
4.9 Knowledge of capacity planning and related monitoring tools and techniques
4.10 Knowledge of systems performance monitoring processes, tools and techniques (e.g., network analyzers, system utilization reports, load balancing)
4.11 Knowledge of problem and incident management practices (e.g., help desk, escalation procedures, tracking)
4.12 Knowledge of processes for managing scheduled and non-scheduled changes to the production systems and/or infrastructure including change, configuration, release and patch management practices
4.13 Knowledge of data backup, storage, maintenance, retention and restoration practices
4.14 Knowledge of regulatory, legal, contractual and insurance issues related to disaster recovery
4.15 Knowledge of business impact analysis (BIA) related to disaster recovery planning
4.16 Knowledge of the development and maintenance of disaster recovery plans
4.17 Knowledge of types of alternate processing sites and methods used to monitor the contractual agreements (e.g., hot sites, warm sites, cold sites)
4.18 Knowledge of processes used to invoke the disaster recovery plans
4.19 Knowledge of disaster recovery testing methods

Domain 5: Protection of Information Assets (30%)

Provide assurance that the organization's security policies, standards, procedures and controls ensure the confidentiality, integrity and availability of information assets.

Domain 5 Task Statements:
5.1 Evaluate the information security policies, standards and procedures for completeness and alignment with generally accepted practices.
5.2 Evaluate the design, implementation and monitoring of system and logical security controls to verify the confidentiality, integrity and availability of information.
5.3 Evaluate the design, implementation and monitoring of the data classification processes and procedures for alignment with the organization's policies, standards, procedures and applicable external requirements.
5.4 Evaluate the design, implementation and monitoring of physical access and environmental controls to determine whether information assets are adequately safeguarded.
5.5 Evaluate the processes and procedures used to store, retrieve, transport and dispose of information assets (e.g., backup media, offsite storage, hard copy/print data and softcopy media) to determine whether information assets are adequately safeguarded.

Domain 5 Knowledge Statements:
5.1 Knowledge of the techniques for the design, implementation and monitoring of security controls, including security awareness programs
5.2 Knowledge of processes related to monitoring and responding to security incidents (e.g., escalation procedures, emergency incident response team)
5.3 Knowledge of logical access controls for the identification, authentication and restriction of users to authorized functions and data
5.4 Knowledge of the security controls related to hardware, system software (e.g., applications, operating systems) and database management systems
5.5 Knowledge of risks and controls associated with virtualization of systems
5.6 Knowledge of the configuration, implementation, operation and maintenance of network security controls
5.7 Knowledge of network and Internet security devices, protocols and techniques
5.8 Knowledge of information system attack methods and techniques
5.9 Knowledge of detection tools and control techniques (e.g., malware, virus detection, spyware)
5.10 Knowledge of security testing techniques (e.g., intrusion testing, vulnerability scanning)
5.11 Knowledge of risks and controls associated with data leakage
5.12 Knowledge of encryption-related techniques
5.13 Knowledge of public key infrastructure (PKI) components and digital signature techniques
5.14 Knowledge of risks and controls associated with peer-to-peer computing, instant messaging and web-based technologies (e.g., social networking, message boards, blogs)
5.15 Knowledge of controls and risks associated with the use of mobile and wireless devices
5.16 Knowledge of voice communications security (e.g., PBX, VoIP)
5.17 Knowledge of the evidence preservation techniques and processes followed in forensics investigations (e.g., IT, process, chain of custody)
5.18 Knowledge of data classification standards and supporting procedures
5.19 Knowledge of physical access controls for the identification, authentication and restriction of users to authorized facilities
5.20 Knowledge of environmental protection devices and supporting practices
5.21 Knowledge of the processes and procedures used to store, retrieve, transport and dispose of confidential information assets

4/1/2014 2014 Firebrand

ISACA: Trust in, and value from, information systems

2014 CISA Review Course: Introduction

Welcome

Welcome to an exciting course!
Educational value
Top-flight instructors
Exceptional learning environment
Great support
Your Firebrand staff and instructor are here to answer any questions you may have.

Agenda

This introduction will address:
The CISA Certification
Course format
Examination format
Introduction of attendees

CISA: Certified Information Systems Auditor

Designed for personnel that will audit and review information systems.
Assurance that systems are designed, developed, implemented and maintained to support business needs and objectives.
Tough but very good quality examination.
Requires understanding of the concepts behind information systems audit, not just the definitions.

CISA Exam Review Course Overview

The CISA exam is based on the CISA job practice.
The ISACA CISA Certification Committee oversees the development of the exam and ensures the currency of its content.
There are five content areas that the CISA candidate is expected to know.

CISA Job Practice Areas

The Process of Auditing Information Systems
Governance and Management of IT
Information Systems Acquisition, Development and Implementation
Information Systems Operations, Maintenance and Support
Protection of Information Assets

CISA Qualifications

To earn the CISA designation, information security professionals are required to:
Successfully pass the CISA exam
Submit an application for CISA certification
Have a minimum of five years of information systems auditing, control or security work experience (waivers for education)
Adhere to the ISACA Code of Professional Ethics
Adhere to the CISA continuing education policy
Comply with Information Systems Auditing Standards

Accelerated Learning Environment

This is a Firebrand Accelerated Learning Course.
This is a fast-paced program.
Please do not miss a moment of class time.
Participate in the discussions and questions.
Ask questions; challenge your understanding.

Daily Format

Lecture and sample questions
Approximately two domains per day
Domain structure: Learning Objectives, Content, Sample Questions
Please note that the information in every domain overlaps with the information in other domains; during the course we will introduce topics that are expanded upon in later domains.

Course Structure

Start time
Breaks
Meals
End of day
End of class on last day

Logistics

Fire escapes
Assembly point
Mobile phones / pagers

The Examination

Description of the Exam

The exam consists of 200 multiple-choice questions that cover the CISA job practice areas.
Four hours are allotted for completing the exam.
See the Candidate Guide 2014 included in the course booklet for further details.

Examination Job Practice Areas

The exam items are based on the content within 5 information systems audit areas:
Process of Auditing Information Systems: 14%
Governance and Management of IT: 14%
Information Systems Acquisition, Development and Implementation: 19%
Information Systems Operations, Maintenance and Support: 23%
Protection of Information Assets: 30%

2014 Exam Dates

The exam will be administered three times in 2014:
June 14th
September 6th
December 13th
Many examination locations worldwide.
Register at www.isaca.org.
Note that registration closes many weeks in advance of the exam date.

Examination Day

Be on time!!
The doors are locked when the instructions start, approximately 30 minutes before the examination start time.
Bring the admission ticket (sent out prior to the examination by ISACA) and an acceptable form of original photo identification (passport, photo ID or driver's license).

Completing the Examination Items

Bring several #2 pencils and an eraser.
Read each question carefully.
Read ALL answers prior to selecting the BEST answer.
Mark the appropriate answer on the test answer sheet.
When correcting an answer, be sure to thoroughly erase the wrong answer before filling in a new one.
There is no penalty for guessing. Answer every question.

    Grading the Exam
      Candidate scores are reported as a scaled score, based on the conversion of a candidate's raw score on an exam to a common scale.
      ISACA uses and reports scores on a common scale from 200 to 800. A candidate must receive a score of 450 or higher to pass.
      Exam results will be mailed (and emailed) out approximately 8 weeks after the exam date.
      Good Luck!

    Introduction of Classmates

    End of Introduction

    ISACA
      Trust in, and value from, information systems

    The Process of Auditing Information Systems
      2014 CISA Review Course

    Ensure that the CISA candidate has the knowledge necessary to provide audit services in accordance with IT audit standards to assist the organization with protecting and controlling information systems.

    % of Total Exam Questions
      Chapter 1: 14%
      Chapter 2: 14%
      Chapter 3: 19%
      Chapter 4: 23%
      Chapter 5: 30%

    Exam Relevance
      The content area in this chapter will represent approximately 14% of the CISA examination (approximately 28 questions).

    Agenda
      Definition and Planning of Audit
      Risk Management
      Audit Planning
      Performing the Audit
      Audit, Analysis and Reporting
      Conclusion

    Chapter 1 Learning Objectives
      Develop and implement a risk-based IT audit strategy based on IT audit standards
      Plan specific audits to determine whether information systems are protected, controlled and provide value to the organization
      Conduct audits in accordance with IT audit standards to achieve planned audit objectives

    Learning Objectives (continued)
      Report audit findings and make recommendations to key stakeholders to communicate results and effect change when necessary
      Conduct follow-ups or prepare status reports to ensure appropriate actions have been taken by management in a timely manner

    Audit Charter
      Audit begins with the acceptance of an Audit Charter
      Provides:
        Authority for audit
        Responsibility
        Reporting requirements
      Signed by Audit Committee or Senior Management

    Definition of Auditing
      Systematic process by which a competent, independent person objectively obtains and evaluates evidence regarding assertions about an economic entity or event for the purpose of forming an opinion about and reporting on the degree to which the assertion conforms to an identified set of standards.

    Definition of Information Systems Auditing
      Any audit that encompasses review and evaluation (wholly or partly) of automated information processing systems, related non-automated processes and the interfaces between them.

    Audit Objectives
      An audit compares (measures) actual activity against standards and policy
      Specific goals of the audit:
        Confidentiality
        Integrity
        Reliability
        Availability
        Compliance with legal and regulatory requirements

    Audit Planning
      Involves short and long term planning (annual basis)
      New control issues
      Changes / upgrades to technologies
      Business processes / needs / goals
      Auditing / evaluation techniques

    Audit Planning cont.
      Based on concerns of management or areas of higher risk:
        Process failures
        Financial operations
        Compliance requirements

    IS Audit Resource Management
      Audit Program Challenges:
        Limited number of IS auditors
        Maintenance of their technical competence
        Assignment of audit staff

    Types of Audits
      Financial audits
      Operational audits
      Integrated audits
      Administrative audits
      IS audits
      Specialized audits
      Forensic audits

    Elements of an Audit
      Audit scope
      Audit objectives
      Criteria
      Audit procedures
      Evidence
      Conclusions and opinions
      Reporting

    Creating the Plan for an Audit
      1. Gather Information
      2. Identify System and Components
      3. Assess Risk
      4. Perform Risk Analysis
      5. Conduct Internal Control Review
      6. Set Audit Scope and Objectives
      7. Develop Auditing Strategy
      8. Assign Resources

    Planning the Audit
      Based on the scope and objective of the particular assignment
      IS auditor's concerns:
        Security (confidentiality, integrity and availability)
        Quality (effectiveness, efficiency)
        Fiduciary (compliance, reliability)
        Service and capacity

    Audit Methodology
      A set of documented audit procedures designed to achieve planned audit objectives
      Composed of:
        Statement of scope
        Statement of audit objectives
        Statement of audit programs
      Set up and approved by the audit management
      Communicated to all audit staff

    Phases of an Audit
      Audit subject
      Audit objective
      Audit scope
      Pre-audit planning
      Audit procedures and steps for data gathering
      Procedures for evaluating the test or review results
      Procedures for communication with management
      Audit report preparation

    Audit Workpapers
      Audit plans
      Audit programs
      Audit activities
      Audit tests
      Audit findings and incidents

    Audit Procedures
      Understanding of the audit area/subject
      Risk assessment and general audit plan
      Detailed audit planning
      Preliminary review of audit area/subject
      Evaluating audit area/subject
      Verifying and evaluating controls
      Compliance testing
      Substantive testing
      Reporting (communicating results)
      Follow-up

    Types of Tests for IS Controls
      Use of audit software to survey the contents of data files
      Assess the contents of operating system parameter files
      Flow-charting techniques for documenting automated applications and business processes
      Use of audit reports available in operating systems
      Documentation review
      Observation

    Forensic Audits
      Audits specifically related to a crime or serious incident
      Determine:
        Scope of incident
        Root cause
        Personnel and systems involved
      Obtain and examine evidence
      Report for further action

    Fraud Detection
      Fraud detection is management's responsibility
      Benefits of a well-designed internal control system:
        Deterring fraud at the first instance
        Detecting fraud in a timely manner
      Fraud detection and disclosure
      Auditor's role in fraud prevention and detection

    Risk-Based Auditing: A Quick Review of Risk Assessment and Mitigating Controls

    Definition of Risk
      Risk is the likelihood of a threat exploiting a vulnerability and the resulting impact on the business mission
      Risk assessment must be based on business requirements, not solely on information systems

    Purpose of Risk Management
      Risk Assessment
        Identify and prioritize risk
        Recommend risk-based controls
      Risk Mitigation
        Reduce risk
        Accept risk
        Transfer risk
        Avoid risk
      Ongoing assessment of risk levels and control effectiveness

    Risk Management
      Identify Business Objectives (BO)
      Identify Business Assets that Support the BO
      Perform Risk Assessment (RA) [Threat, Vulnerability, Probability, Impact]
      Perform Risk Mitigation (RM) [Map risks with controls in place]
      Perform Risk Treatment (RT) [Treat existing risks not mitigated by existing controls]
      Perform Periodic Risk Re-evaluation (BO, RA, RM, RT)
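    The steps above (assess threat, vulnerability, probability and impact; map existing controls; treat what remains; prioritize) as an added worked example. This is not Firebrand or ISACA code: the 1-5 ordinal scales, the way a control lowers probability or impact, the acceptance threshold and the rule that picks reduce/accept/transfer/avoid are all assumptions made for this illustration, and the register entries are constructed.

```python
from dataclasses import dataclass, field

# Added example (not Firebrand/ISACA code): a small risk register that applies
# "risk = likelihood of a threat exploiting a vulnerability x impact on the
# business mission" and recommends one of the four mitigation options.
# Scales, control model and treatment thresholds are assumptions for this example.

@dataclass
class Risk:
    asset: str              # business asset that supports a business objective
    threat: str
    vulnerability: str
    probability: int        # 1 (rare) .. 5 (almost certain)
    impact: int             # 1 (negligible) .. 5 (severe) on the business mission
    # controls already in place: (name, probability reduction, impact reduction)
    controls: list = field(default_factory=list)

def inherent_score(risk: Risk) -> int:
    """Risk before considering any control: probability x impact."""
    return risk.probability * risk.impact

def residual_levels(risk: Risk) -> tuple:
    """Map the controls already in place onto the risk (the Risk Mitigation step)."""
    p, i = risk.probability, risk.impact
    for _name, dp, di in risk.controls:
        p = max(1, p - dp)
        i = max(1, i - di)
    return p, i

def residual_score(risk: Risk) -> int:
    p, i = residual_levels(risk)
    return p * i

def recommend_treatment(risk: Risk, acceptable: int = 4) -> str:
    """Risk Treatment for what existing controls do not mitigate (assumed rules)."""
    p, i = residual_levels(risk)
    score = p * i
    if score <= acceptable:
        return "accept"          # within the acceptance criteria
    if p >= 4 and i >= 4:
        return "avoid"           # likely and severe: stop or redesign the activity
    if i >= 4 and p <= 2:
        return "transfer"        # rare but severe: insurance / contractual transfer
    return "reduce"              # add or strengthen controls

def prioritize(register: list, acceptable: int = 4) -> list:
    """Rank the register by residual risk, highest first: the audit priority order."""
    rows = [
        (r.asset, r.threat, inherent_score(r), residual_score(r),
         recommend_treatment(r, acceptable))
        for r in register
    ]
    return sorted(rows, key=lambda row: row[3], reverse=True)

# Constructed sample register (illustrative entries, not real findings).
SAMPLE_REGISTER = [
    Risk("payroll database", "ransomware", "unpatched file server", 4, 5,
         [("offline backups", 0, 2), ("patch management", 1, 0)]),
    Risk("data centre", "flood", "ground-floor location", 1, 5),
    Risk("customer portal", "credential stuffing", "no rate limiting", 5, 3,
         [("multi-factor authentication", 2, 1)]),
    Risk("office printers", "misuse", "default configuration", 2, 1),
    Risk("legacy FTP server", "data exfiltration", "cleartext, internet-facing", 5, 5),
]

if __name__ == "__main__":
    for asset, threat, inherent, residual, action in prioritize(SAMPLE_REGISTER):
        print(f"{asset:20} {threat:20} inherent={inherent:2} residual={residual:2} -> {action}")
```

    Periodic re-evaluation is simply re-running prioritize() after the register, the control list or the acceptance threshold changes; the ranking it returns is what the risk-based audit plan allocates scarce audit resources against.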

    Purpose of Risk Analysis
      Identify threats and vulnerabilities
      Helps auditor evaluate countermeasures / controls
      Helps auditor decide on auditing objectives
      Supports risk-based auditing decisions
      Leads to implementation of internal controls

    Why Use Risk Based Auditing
      Enables management to effectively allocate limited audit resources
      Ensures that relevant information has been obtained from all levels of management
      Establishes a basis for effectively managing the audit plans
      Provides a summary of how the individual audit subject is related to the overall organization as well as to the business plan

    Risk Assessment and Treatment
      Assessing security risks
        Risk assessments should identify, quantify and prioritize risks against criteria for risk acceptance and objectives relevant to the organization
        Performed periodically to address changes in:
          The environment
          Security requirements, and when significant changes occur

    Risk Assessment and Treatment cont.
      Treating security risks
        Each risk identified in a risk assessment needs to be treated in a cost-effective manner according to its level of risk
        Controls should be selected to ensure that risks are reduced to an acceptable level

    General Controls
      Apply to all areas of an organization and include policies and practices established by management to provide reasonable assurance that specific objectives will be achieved.

    Internal Controls
      Policies, procedures, practices and organizational structures implemented to reduce risks
      Classification of internal controls:
        Preventive controls
        Detective controls
        Corrective controls

    Areas of Internal Control
      Internal control system
      Internal accounting controls
      Operational controls
      Administrative controls

    IS Controls Versus Manual Controls
      Internal control objectives apply to all areas, whether manual or automated. Therefore, conceptually, control objectives in an IS environment remain unchanged from those of a manual environment.

    IS Controls
      Strategy and direction
      General organization and management
      Access to IT resources, including data and programs
      Systems development methodologies and change control
      Operations procedures
      Systems programming and technical support functions

    IS Controls cont.
      Quality assurance procedures
      Physical access controls
      Business continuity/disaster recovery planning
      Networks and communications
      Database administration
      Protection and detective mechanisms against internal and external attacks

    Internal Control Objectives
      Safeguarding of IT assets
      Compliance with corporate policies or legal requirements
      Input
      Authorization
      Accuracy and completeness of processing of data input/transactions
      Output
      Reliability of process
      Backup/recovery
      Efficiency and economy of operations
      Change management process for IT and related systems

    Assessing and Implementing Countermeasures
      Cost
      Assess management's tolerance for risk
      Effectiveness at mitigating risk

    Performing an Audit Risk Assessment
      Identify:
        Business risks
        Technological risks
        Operational risks

    A Risk Based Audit Approach

    Risk-based Auditing
      Gather Information and Plan:
        Knowledge of business and industry
        Prior years' audit results
        Recent financial information
        Regulatory statutes
        Inherent risk assessments
      Obtain Understanding of Internal Control:
        Control environment
        Control procedures
        Detection risk assessment
        Control risk assessment
        Equate total risk

    Risk-based Auditing cont.
      Perform Compliance Tests:
        Identify key controls to be tested
        Perform tests on reliability, risk prevention, and adherence to organizational policies and procedures
      Perform Substantive Tests:
        Analytical procedures
        Detailed tests of account balances
        Other substantive audit procedures
      Conclude the Audit:
        Create recommendations
        Write audit report

    Audit Planning

    Audit Planning
      Audit planning steps:
        Gain an understanding of the business's mission, objectives, purpose and processes
        Identify stated contents (policies, standards, guidelines, procedures, and organization structure)
        Evaluate risk assessment and privacy impact analysis
        Perform a risk analysis

    Audit Planning cont.
        Conduct an internal control review
        Set the audit scope and audit objectives
        Develop the audit approach or audit strategy
        Assign personnel resources to audit and address engagement logistics

    Effect of Laws and Regulations on IS Audit Planning
      Regulatory requirements
      Adequate controls
      Privacy
      Responsibilities
      Oversight and Governance
      Protection of assets
      Financial Management
      Correlation to financial, operational and IT audit functions

    Performing the Audit

    ISACA IT Audit and Assurance Tools and Techniques
      Procedures developed by the ISACA Standards Board provide examples of possible processes an IS auditor might follow in an audit engagement
      The IS auditor should apply their own professional judgment to the specific circumstances

    ISACA IT Audit and Assurance Standards Framework
      Framework for the ISACA IS Auditing Standards:
        Standards
        Guidelines
        Procedures

    Relationship Among Standards, Guidelines and Tools and Techniques
      Standards
        Must be followed by IS auditors
      Guidelines
        Provide assistance on how to implement the standards
      Tools and Techniques
        Provide examples for implementing the standards

    ISACA IT Audit and Assurance Standards Framework cont.
      S1 Audit Charter
      S2 Independence
      S3 Ethics and Standards
      S4 Competence
      S5 Planning
      S6 Performance of audit work
      S7 Reporting
      S8 Follow-up activities
      S9 Irregularities and illegal acts
      S10 IT Governance
      S11 Use of risk assessment in audit planning
      S12 Audit materiality
      S13 Using the Work of Other Experts
      S14 Audit Evidence
      S15 IT Controls
      S16 E-commerce

    Evidence
      It is a requirement that the auditor's conclusions be based on sufficient, competent evidence:
        Independence of the provider of the evidence
        Qualification of the individual providing the information or evidence
        Objectivity of the evidence
        Timing of the evidence

    Gathering Evidence
      Techniques for gathering evidence:
        Review IS organization structures
        Review IS policies and procedures
        Review IS standards
        Review IS documentation
        Interview appropriate personnel
        Observe processes and employee performance

    Sampling
      General approaches to audit sampling:
        Statistical sampling
        Non-statistical sampling

    Compliance vs. Substantive Testing
      Compliance test
        Determines whether controls are in compliance with management policies and procedures
      Substantive test
        Tests the integrity of actual processing
      Correlation between the level of internal controls and substantive testing required
      Relationship between compliance and substantive tests

    Testing Controls
      Review the system to identify controls
      Test compliance to determine whether controls are functioning
      Evaluate the controls to determine the basis for reliance and the nature, scope and timing of substantive tests
      Use two types of substantive tests to evaluate the validity of the data:
        Test balances and transactions
        Perform analytical review procedures

    Integrated Auditing
      Process whereby appropriate audit disciplines are combined to assess key internal controls over an operation, process or entity.
      Focuses on risk to the organization (for an internal auditor)
      Focuses on the risk of providing an incorrect or misleading audit opinion (for an external auditor)
      [Diagram: overlapping Operational Audit, Financial Audit and IS Audit]

    Using the Services of Other Auditors and Experts
      Considerations when using services of other auditors and experts:
        Audit charter or contractual stipulations
        Impact on overall and specific IS audit objectives
        Impact on IS audit risk and professional liability
        Independence and objectivity of other auditors and experts

    Using the Services of Other Auditors and Experts cont.
      Considerations when using services of other auditors and experts:
        Professional competence, qualifications and experience
        Scope of work proposed to be outsourced and approach
        Supervisory and audit management controls
        Method of communicating the results of audit work
        Compliance with legal and regulatory stipulations
        Compliance with applicable professional standards

    Audit Risk
      Inherent Risk
      Control Risk
      Detection Risk
      Overall Audit Risk
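    An added worked example tying together the "Compliance vs. Substantive Testing" and "Testing Controls" slides and the Audit Risk slide above. It is not Firebrand or ISACA code. The audit risk relationship it uses, overall audit risk = inherent risk x control risk x detection risk, is the standard CISA model; the change tickets, the ledger, the tolerable deviation rate, the mapping from deviation rate to control risk and the banding of detection risk into an extent of substantive testing are assumptions constructed for the illustration.

```python
from datetime import date

# Added example (not Firebrand/ISACA code). Sequence shown: compliance test of a
# change-control approval procedure -> control risk -> detection risk the auditor
# can accept (audit risk = IR x CR x DR) -> extent of substantive testing ->
# a substantive test that recomputes balances. Data and thresholds are constructed.

# Constructed change tickets: (id, requester, approver, approved_on, implemented_on)
CHANGES = [
    ("CHG-1", "alice", "bob",   date(2014, 3, 1), date(2014, 3, 2)),
    ("CHG-2", "carol", "carol", date(2014, 3, 3), date(2014, 3, 3)),  # self-approved
    ("CHG-3", "dave",  None,    None,             date(2014, 3, 5)),  # no approval on file
    ("CHG-4", "erin",  "bob",   date(2014, 3, 8), date(2014, 3, 7)),  # live before approval
    ("CHG-5", "frank", "grace", date(2014, 3, 9), date(2014, 3, 10)),
]

def compliance_test_change_control(changes):
    """Compliance test: did the approval control operate as management's procedure
    requires? Returns the deviations found, not the data values themselves."""
    exceptions = []
    for cid, requester, approver, approved_on, implemented_on in changes:
        if approver is None or approved_on is None:
            exceptions.append((cid, "no documented approval"))
        elif approver == requester:
            exceptions.append((cid, "self-approved: segregation of duties failure"))
        elif implemented_on < approved_on:
            exceptions.append((cid, "implemented before approval"))
    return exceptions

def assess_control_risk(changes, tolerable_rate=0.05):
    """Assumed mapping: a deviation rate above the tolerable rate means the control
    cannot be relied on (control risk 1.0); otherwise partial reliance (0.5)."""
    rate = len(compliance_test_change_control(changes)) / len(changes)
    return rate, (1.0 if rate > tolerable_rate else 0.5)

def planned_detection_risk(acceptable_audit_risk, inherent_risk, control_risk):
    """Audit risk = IR x CR x DR, solved for the detection risk the auditor can accept."""
    return acceptable_audit_risk / (inherent_risk * control_risk)

def substantive_extent(detection_risk):
    """Assumed banding: the lower the acceptable detection risk, the more substantive
    testing is needed (the correlation the slides describe)."""
    if detection_risk < 0.10:
        return "extended"
    if detection_risk < 0.30:
        return "moderate"
    return "limited"

# Constructed ledger: reported balances and the transactions that should support them
REPORTED_BALANCES = {"1000-cash": 1250.00, "2000-payables": -400.00}
TRANSACTIONS = [("1000-cash", 1000.00), ("1000-cash", 250.00),
                ("2000-payables", -300.00), ("2000-payables", -150.00)]

def substantive_test_balances(reported, transactions, tolerance=0.005):
    """Substantive test: recompute each balance from the detail and report differences."""
    recomputed = {}
    for account, amount in transactions:
        recomputed[account] = recomputed.get(account, 0.0) + amount
    differences = {}
    for account, balance in reported.items():
        diff = round(balance - recomputed.get(account, 0.0), 2)
        if abs(diff) > tolerance:
            differences[account] = diff
    return differences

if __name__ == "__main__":
    rate, cr = assess_control_risk(CHANGES)
    dr = planned_detection_risk(0.05, 0.8, cr)
    print(f"deviation rate {rate:.0%}, control risk {cr}, detection risk {dr:.4f} "
          f"-> {substantive_extent(dr)} substantive testing")
    print("balance differences:", substantive_test_balances(REPORTED_BALANCES, TRANSACTIONS))
```

    With three of five tickets failing the approval control, the auditor gets no reliance from it, so the detection risk that keeps overall audit risk at 5% is small and substantive testing must be extended; the recomputation then surfaces a payables balance that the posted transactions do not support.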

    Computer-assisted Audit Techniques
      CAATs enable IS auditors to gather information independently
      CAATs include:
        Generalized audit software (GAS)
        Utility software
        Debugging and scanning software
        Test data
        Application software tracing and mapping
        Expert systems

    Computer-assisted Audit Techniques cont.
      Features of generalized audit software (GAS):
        Mathematical computations
        Stratification
        Statistical analysis
        Sequence checking

    Computer-assisted Audit Techniques cont.
      Functions supported by GAS:
        File access
        File reorganization
        Data selection
        Statistical functions
        Arithmetical functions

    Computer-assisted Audit Techniques cont.
      CAATs as a continuous online audit approach:
        Improves audit efficiency
      IS auditors must:
        Develop audit techniques for use with advanced computerized systems
        Be involved in the design of advanced systems to support audit requirements
        Make greater use of automated tools
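    An added example of the GAS features and functions listed on the slides above (sequence checking, stratification, data selection, statistical sampling as in the Sampling slide, and arithmetical functions), run over a constructed invoice register. This is not Firebrand or ISACA code and not any GAS product; the record layout (invoice number, vendor, amount), the stratification bands and the sampling seed are assumptions.

```python
import random
from collections import Counter

# Added example (not Firebrand/ISACA code, not a GAS product): GAS-style operations
# over a constructed invoice register. Layout, bands and seed are assumptions.

INVOICES = [
    (1001, "ACME",       250.00),
    (1002, "ACME",      1200.00),
    (1003, "Globex",      75.50),
    (1005, "Initech",   9800.00),   # 1004 is missing from the sequence
    (1005, "Initech",   9800.00),   # duplicate of the record above
    (1006, "Globex",     430.00),
    (1007, "ACME",     15000.00),
    (1008, "Umbrella",    12.00),
]

BANDS = [(0, 100, "0-99.99"), (100, 1000, "100-999.99"),
         (1000, 10000, "1000-9999.99"), (10000, float("inf"), "10000+")]

def sequence_check(records):
    """Sequence checking: gaps (possibly unrecorded documents) and duplicates."""
    numbers = [r[0] for r in records]
    present = set(numbers)
    duplicates = sorted(n for n, c in Counter(numbers).items() if c > 1)
    gaps = [n for n in range(min(present), max(present) + 1) if n not in present]
    return gaps, duplicates

def stratify(records, bands=BANDS):
    """Stratification: count and total of the amount field per band."""
    result = {label: [0, 0.0] for _lo, _hi, label in bands}
    for _number, _vendor, amount in records:
        for lo, hi, label in bands:
            if lo <= amount < hi:
                result[label][0] += 1
                result[label][1] += amount
                break
    return {label: (count, round(total, 2)) for label, (count, total) in result.items()}

def select(records, predicate):
    """Data selection: e.g. every invoice at or above an approval threshold."""
    return [r for r in records if predicate(r)]

def statistical_sample(records, size, seed=2014):
    """Statistical sampling: each record has an equal chance of selection.
    The seed is kept so the selection can be reproduced from the work papers."""
    return random.Random(seed).sample(records, size)

def totals(records):
    """Arithmetical functions: count, sum and mean of the amount field."""
    amounts = [r[2] for r in records]
    return len(amounts), round(sum(amounts), 2), round(sum(amounts) / len(amounts), 2)

if __name__ == "__main__":
    print("gaps, duplicates:", sequence_check(INVOICES))
    print("strata:", stratify(INVOICES))
    print("10,000 and over:", select(INVOICES, lambda r: r[2] >= 10000))
    print("sample:", statistical_sample(INVOICES, 3))
    print("count, sum, mean:", totals(INVOICES))
```

    Each function gathers its evidence from the data file directly, which is the point of a CAAT: the auditor does not depend on reports produced by the auditee's system. The sequence check is the one most often overlooked; a gap or duplicate in a numbered document series is a classic indicator that deserves follow-up.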

    Audit Analysis and Reporting

    Audit Documentation
      Audit documentation includes:
        Planning and preparation of the audit scope and objectives
        Description of the scoped audit area
        Audit program
        Audit steps performed and evidence gathered
        Other experts used
        Audit findings, conclusions and recommendations

    Automated Work Papers
      Risk analysis
      Audit programs
      Results
      Test evidence
      Conclusions
      Reports and other complementary information

    Automated Work Papers cont.
      Minimum controls:
        Access to work papers
        Audit trails
        Automated features to provide and record approvals
        Security and integrity controls
        Backup and restoration
        Encryption techniques
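    An added example of how four of the minimum controls above look in an automated work paper system: role-based access to work papers, an audit trail that is hash-chained and HMAC-protected, automated recording of approvals, and an integrity check on stored content. This is not Firebrand or ISACA code; the roles, the placeholder key and the work paper text are assumptions, and backup/restoration and encryption at rest are not shown.

```python
import hashlib
import hmac
import json

# Added example (not Firebrand/ISACA code): in-memory automated work paper store
# showing access control, a tamper-evident audit trail, recorded approvals and
# content integrity. Roles, key and content are assumptions made for the example.

ROLES = {
    "auditor": {"read", "write"},
    "audit_manager": {"read", "write", "approve"},
    "auditee": set(),            # may neither read nor alter the auditor's papers
}

class WorkPaperStore:
    def __init__(self, integrity_key: bytes):
        self._key = integrity_key   # placeholder key; hold it outside the store in practice
        self.papers = {}            # paper id -> {"content", "author", "approved_by"}
        self.trail = []             # audit trail entries, each chained to the previous one

    def _mac(self, body: dict) -> str:
        payload = json.dumps(body, sort_keys=True).encode()
        return hmac.new(self._key, payload, hashlib.sha256).hexdigest()

    def _record(self, user, action, paper_id, detail=""):
        prev = self.trail[-1]["mac"] if self.trail else "0" * 64
        entry = {"seq": len(self.trail), "user": user, "action": action,
                 "paper": paper_id, "detail": detail, "prev": prev}
        entry["mac"] = self._mac(entry)
        self.trail.append(entry)

    def _require(self, user, role, permission, paper_id):
        if permission not in ROLES.get(role, set()):
            self._record(user, "denied:" + permission, paper_id)   # failed attempts are logged
            raise PermissionError(f"{user} ({role}) lacks '{permission}'")

    def write(self, user, role, paper_id, content):
        self._require(user, role, "write", paper_id)
        if self.papers.get(paper_id, {}).get("approved_by"):
            raise PermissionError("approved work papers are read-only")
        self.papers[paper_id] = {"content": content, "author": user, "approved_by": None}
        self._record(user, "write", paper_id, hashlib.sha256(content.encode()).hexdigest())

    def approve(self, user, role, paper_id):
        self._require(user, role, "approve", paper_id)
        if self.papers[paper_id]["author"] == user:
            raise PermissionError("a work paper cannot be approved by its author")
        self.papers[paper_id]["approved_by"] = user
        self._record(user, "approve", paper_id)

    def verify_trail(self) -> bool:
        """Recompute the chain; an edited, removed or reordered entry breaks it."""
        prev = "0" * 64
        for entry in self.trail:
            body = {k: v for k, v in entry.items() if k != "mac"}
            if body["prev"] != prev or not hmac.compare_digest(self._mac(body), entry["mac"]):
                return False
            prev = entry["mac"]
        return True

    def verify_content(self, paper_id) -> bool:
        """Integrity control: current content must match the hash logged at its last write."""
        writes = [e for e in self.trail if e["paper"] == paper_id and e["action"] == "write"]
        current = hashlib.sha256(self.papers[paper_id]["content"].encode()).hexdigest()
        return bool(writes) and hmac.compare_digest(writes[-1]["detail"], current)

if __name__ == "__main__":
    store = WorkPaperStore(b"placeholder-key")   # constructed key, not a real secret
    store.write("alice", "auditor", "WP-1", "Tested 25 change tickets; 3 exceptions noted")
    store.approve("bob", "audit_manager", "WP-1")
    print("trail intact:", store.verify_trail(), "content intact:", store.verify_content("WP-1"))
```

    The chaining means a reviewer can prove that no entry was silently removed from the trail, and the content hash recorded at write time lets the approved version of a work paper be re-verified later; the store's key would normally be kept by the audit function, not on the system the auditee administers.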

    Evaluation of Audit Strengths and Weaknesses
      Assess evidence
      Evaluate overall control structure
      Evaluate control procedures
      Assess control strengths and weaknesses

    Communicating Audit Results
      Exit interview:
        Correct facts
        Realistic recommendations
        Implementation dates for agreed recommendations
      Presentation techniques:
        Executive summary
        Visual presentation

    Communicating Audit Results cont.
      Audit report structure and contents:
        Introduction to the report
        Audit findings presented in separate sections
        The IS auditor's overall conclusion and opinion
        The IS auditor's reservations with respect to the audit (audit limitations)
        Detailed audit findings and recommendations

    Communicating Audit Results cont.
      Audit recommendations may not be accepted:
        Negotiation
        Conflict resolution
        Explanation of results, findings and best practices or legal requirements


    Ensure that accepted recommendations are implemented as