isaca-cisa-courseware
Description: CISA courseware
Firebrand Training
Presents
CISA
Certified Information Systems Auditor
2014
Firebrand Accelerated Learning
ISACA Exam Candidate Information Guide
2014
Table of Contents
ISACA Certification ..... 3
June Important Date ..... 5
September Important Date ..... 6
December Important Date ..... 7
Exam Day Information ..... 8
Post Exam Information ..... 10
ISACA
With more than 110,000 constituents in 180 countries, ISACA (www.isaca.org) helps business and IT leaders maximize value and manage risk related to information and technology. Founded in 1969, the nonprofit, independent ISACA is an advocate for professionals involved in information security, assurance, risk management and governance. These professionals rely on ISACA as the trusted source for information and technology knowledge, community, standards and certification. The association, which has 200 chapters worldwide, advances and validates business-critical skills and knowledge through the globally respected Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), Certified in the Governance of Enterprise IT (CGEIT) and Certified in Risk and Information Systems Control™ (CRISC™) credentials. ISACA also developed and continually updates COBIT, a business framework that helps enterprises in all industries and geographies govern and manage their information and technology.
ANSI Accredited Program, Personnel Certification #0694, ISO/IEC 17024
CISA, CISM and CGEIT Program Accreditation Renewed Under ISO/IEC 17024:2003
The American National Standards Institute (ANSI) has accredited the CISA, CISM and CGEIT certifications under ISO/IEC 17024:2003, General Requirements for Bodies Operating Certification Systems of Persons. ANSI, a private, nonprofit organization, accredits other organizations to serve as third-party product, system and personnel certifiers. ISO/IEC 17024 specifies the requirements to be followed by organizations certifying individuals against specific requirements. ANSI describes ISO/IEC 17024 as expected to play a prominent role in facilitating global standardization of the certification community, increasing mobility among countries, enhancing public safety and protecting consumers.
ANSI's accreditation:
- Promotes the unique qualifications and expertise that ISACA certifications provide
- Protects the integrity of the certifications and provides legal defensibility
- Enhances consumer and public confidence in the certifications and the people who hold them
- Facilitates mobility across borders or industries
Accreditation by ANSI signifies that ISACA's procedures meet ANSI's essential requirements for openness, balance, consensus and due process. With this accreditation, ISACA anticipates that significant opportunities for CISAs, CISMs and CGEITs will continue to present themselves around the world.
ISACA
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA
Phone: +1.847.253.1545
Fax: +1.847.253.1443
Email: [email protected]
Web site: www.isaca.org
Participate in the ISACA Knowledge Center: www.isaca.org/knowledge-center
Follow ISACA on Twitter: https://twitter.com/ISACANews
Join ISACA on LinkedIn: ISACA (Official), http://linkd.in/ISACAOfficial
Like ISACA on Facebook: www.facebook.com/ISACAHQ
Reservation of Rights
Copyright 2013 ISACA. Reproduction or storage in any form for any purpose is not permitted without ISACA's prior written permission. No other right or permission is granted with respect to this work. All rights reserved.
ISACA Exams 2014 Important Date Information
Exam Date: 14 June 2014 Exam
Early registration deadline: 12 February 2014
Final registration deadline: 11 April 2014
Exam registration changes: Between 12 April and 25 April 2014, charged a US $50 fee, with no changes accepted after 25 April 2014
Refunds: By 11 April 2014, charged a US $100 processing fee, with no refunds after that date
Deferrals: Requests received on or before 25 April 2014, charged a US $50 processing fee. Requests received from 26 April through 23 May 2014, charged a US $100 processing fee. After 23 May 2014, no deferrals will be permitted.
All deadlines are based upon Chicago, Illinois, USA 5 p.m. CT (central time)
Exam Date: 6 September 2014 Exam*
Early registration deadline: 11 June 2014
Final registration deadline: 21 July 2014
* CISA and CISM only at select locations
Exam registration changes: Between 22 July and 28 July, charged a US $50 fee, with no changes accepted after 28 July 2014
Refunds: By 21 July 2014, charged a US $100 processing fee, with no refunds after that date
Deferrals: Requests received on or before 4 August 2014, charged a US $50 processing fee. Requests received from 5 August through 22 August 2014, charged a US $100 processing fee. After 22 August 2014, no deferrals will be permitted.
All deadlines are based upon Chicago, Illinois, USA 5 p.m. CT (central time)
Exam Date: 13 December 2014 Exam
Early registration deadline: 20 August 2014
Final registration deadline: 24 October 2014
Exam registration changes: Between 25 October and 31 October, charged a US $50 fee, with no changes accepted after 31 October 2014
Refunds: By 24 October 2014, charged a US $100 processing fee, with no refunds after that date
Deferrals: Requests received on or before 24 October 2014, charged a US $50 processing fee. Requests received from 25 October through 28 November 2014, charged a US $100 processing fee. After 28 November 2014, no deferrals will be permitted.
All deadlines are based upon Chicago, Illinois, USA 5 p.m. CT (central time)
Note: The CISA German, Italian and Hebrew languages will only be offered at the June exam. Visit www.isaca.org/examlocations for a listing of the exam sites for June and December exam administrations. Visit www.isaca.org/sept2014sites for the exam sites for the September exam administration.
Please contact [email protected] for further information.
ISACA CERTIFICATION: IS AUDIT, SECURITY, GOVERNANCE AND RISK AND CONTROL
The ISACA Exam Candidate Information Guide includes candidate information about exam registration, dates, and deadlines and provides important key candidate details for exam day administration. This publication is available online at www.isaca.org/examguide
ISACA offers the following certifications: Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), Certified in the Governance of Enterprise IT (CGEIT), and Certified in Risk and Information Systems Control (CRISC). A brief summary of each follows.
CISA
Description: The CISA designation is a globally recognized certification for IS audit control, assurance, and security professionals.
Eligibility requirements: Five (5) or more years of experience in IS audit, control, assurance, or security. Waivers are available for a maximum of three (3) years.
Domains (%):
- Domain 1: The Process of Auditing Information Systems (14%)
- Domain 2: Governance and Management of IT (14%)
- Domain 3: Information Systems Acquisition, Development, and Implementation (19%)
- Domain 4: Information Systems Operations, Maintenance and Support (23%)
- Domain 5: Protection of Information Assets (30%)
Number of exam questions*: 200; length of exam: 4 hours

CISM
Description: The management-focused CISM certification promotes international security practices and recognizes the individual who manages, designs, oversees and assesses an enterprise's information security.
Eligibility requirements: Five (5) or more years of experience in information security management. Waivers are available for a maximum of two (2) years.
Domains (%):
- Domain 1: Information Security Governance (24%)
- Domain 2: Information Risk Management and Compliance (33%)
- Domain 3: Information Security Program Development and Management (25%)
- Domain 4: Information Security Incident Management (18%)
Number of exam questions*: 200; length of exam: 4 hours

CGEIT
Description: CGEIT recognizes a wide range of professionals for their knowledge and application of enterprise IT governance principles and practices.
Eligibility requirements: Five (5) or more years of experience managing, serving in an advisory or oversight role, and/or otherwise supporting the governance of the IT-related contribution to an enterprise, including a minimum of one year of experience relating to the definition, establishment and management of a Framework for the Governance of IT. There are no substitutions or experience waivers.
Domains (%):
- Domain 1: Framework for the Governance of Enterprise IT (25%)
- Domain 2: Strategic Management (20%)
- Domain 3: Benefits Realization (16%)
- Domain 4: Risk Optimization (24%)
- Domain 5: Resource Optimization (15%)
Number of exam questions*: 150; length of exam: 4 hours

CRISC
Description: CRISC certification is designed for those experienced in business and technology risk management, and the design, implementation, monitoring and maintenance of IS control.
Eligibility requirements: Three (3) or more years of cumulative work experience performing the tasks of a CRISC professional across at least three (3) CRISC domains is required for certification. There are no substitutions or experience waivers.
Domains (%):
- Domain 1: Risk Identification, Assessment and Evaluation (31%)
- Domain 2: Risk Response (17%)
- Domain 3: Risk Monitoring (17%)
- Domain 4: Information Systems Control Design and Implementation (17%)
- Domain 5: IS Control Monitoring and Maintenance (18%)
Number of exam questions*: 200; length of exam: 4 hours

* Consists of multiple choice items that cover the respective job practice areas created from the most recent job practice analysis. See page 10 for related links.
REGISTERING FOR THE EXAM
Register for the Exam
You can register for an ISACA exam via online registration or hard copy registration form. To place your online registration via the ISACA web site, visit www.isaca.org/examreg. To register via hardcopy registration form, complete the hardcopy registration form provided at www.isaca.org/exam and fax or mail it to ISACA along with your payment information.
Note: Faxed/mailed registrations will incur an additional US $75 charge.
Submit Registration Fees and Payment
Online early registrations received on or before early registration deadline: ISACA member US $420; non-ISACA member US $600
Online final registrations received by final registration deadline: ISACA member US $470; non-ISACA member US $650
Note: Registration form and payment must be received on or before the early registration deadline to qualify for the early registration rate.
Notes: The CISA German, Italian and Hebrew languages will only be offered at the June exam. Visit www.isaca.org/examlocations for a listing of the exam sites for June and December exam administrations. Visit www.isaca.org/sept2014sites for the exam sites for the September exam administration.
Please contact [email protected] for further information.
Consider ISACA Membership
If you are not yet an ISACA member, consider joining during the registration process and enjoy the member discount on your exam and study materials.
Please visit www.isaca.org/join for detailed information on membership benefits and fees.
Join dates and membership term:
- Join from 1 August 2013 to 30 May 2014: member through 31 December 2014
- Join from 1 June 2014 to 31 July 2014: member through 31 December 2014
- Join from 1 August 2014 to December 2014: member through 31 December 2015
Due Dates
Deadlines are based on Chicago, Illinois, USA, 5 p.m. Central Time (UTC/GMT-06:00 Chicago, Illinois, USA). If not registering online, please mail or fax the registration form to ISACA. Do not do both. Submitting duplicate registrations online and/or by hard copy to ISACA may result in multiple registrations and charges. Final registration forms and payment must be postmarked or received by fax on or before the final registration date for the exam you are registering for. Both pages of the registration form must be received to complete a registration.
Acknowledgment of Registration
An email acknowledgement of the exam registration, exam test site and exam language will be sent to registrants shortly after the processing of the registration. Please review the exam registration details carefully and contact the ISACA certification department at [email protected] for any corrections or changes. A receipt letter acknowledging exam registration and payment with a link to ISACA's Exam Candidate Information Guide should be received by exam registrants within four weeks (depending on your worldwide location and local postal delivery) of the processing of the registration form and payment.
JUNE IMPORTANT DATE INFORMATION
Exam Date 14 June 2014
Exam Registration Changes
Changes to the exam site, test language and candidate name are subject to the following charges:
- On or before 11 April 2014: No charge
- 12 April through 25 April 2014: US $50
No exam registration changes will be granted after 25 April 2014.
Refund and Deferrals of Fees
Refund: Candidates unable to take the exam are eligible for a refund of registration fees, less a US $100 processing fee, if such a request is received in writing on or before 11 April 2014. All requests for a refund after this date will be denied. Exam candidates who have deferred their exam are not eligible for a refund of their deferral fee and associated exam payment.
Deferrals: Exam registrants may elect to defer their registration to the following exam date. A deferral fee is required based on the following schedule:
- On or before 25 April: US $50
- 26 April through 23 May: US $100
Deferral requests will not be accepted after 23 May 2014. To request a deferral, please go to www.isaca.org/examdefer. Exam candidates who have deferred their exam are not eligible for a refund of their deferral fee and associated exam payment. Exam candidates who do not appear for the exam (or arrive too late to be admitted) are not eligible for a refund or deferral of their exam registration payment.
Any candidate who has not received his/her admission ticket by 1 June 2014 should contact the ISACA certification department at [email protected] or via phone at +1.847.660.5660.
Special Accommodations
Upon request, ISACA will make reasonable accommodations in its exam procedures for candidates with documented disabilities or religious requirements. Consideration for reasonable alterations in scheduling, exam format, presentation, and allowance of food or drink at the exam site must be requested. Documented disability requests must be accompanied by a doctor's note. Requests for a religious requirement must be accompanied by a note from the candidate's religious leader. Unless requested and approved, no food or drink is allowed at any exam site. Requests for consideration must be submitted to ISACA International Headquarters in writing, accompanied by appropriate documentation, no later than 25 April 2014.
Request for Additional Test Centers
If an exam center is not available within 100 miles (160 kilometers) of the location in which a candidate wants to be tested, and if there are ten or more paid candidates who wish to enter as a group at this location, they may request that a new exam center be established. Written requests for establishment of new exam centers, including a minimum of ten paid registration forms, must be received at ISACA International Headquarters no later than 1 February 2014. While there is no guarantee that a new exam center can be arranged, every attempt will be made to provide one.
Exam Locations
For a complete listing of the exam sites for the June exam administration visit www.isaca.org/examlocations.
All deadlines are based on Chicago, Illinois, USA, 5 p.m. Central Time (UTC/GMT-06:00 Chicago, Illinois, USA). No refunds or exchanges will be given for study aids, associated taxes, shipping and handling charges, or membership dues. Exam registration and membership fees are nontransferable.
SEPTEMBER IMPORTANT DATE INFORMATION
Exam Date 6 September 2014
The September exam administration is only offered for the CISA and CISM certification exams at limited exam sites.
Exam Registration Changes
Changes to the exam site, test language and candidate name are subject to the following charges:
- On or before 21 July 2014: No charge
- 22 July through 28 July 2014: US $50
No exam registration changes will be granted after 28 July 2014.
Refund and Deferrals of Fees
Refund: Candidates unable to take the exam are eligible for a refund of registration fees, less a US $100 processing fee, if such a request is received in writing on or before 21 July 2014. All requests for a refund after this date will be denied. Exam candidates who have deferred their exam are not eligible for a refund of their deferral fee and associated exam payment.
Deferrals: Exam registrants may elect to defer their registration to the following exam date. A deferral fee is required based on the following schedule:
- On or before 4 August 2014: US $50
- 5 August through 22 August 2014: US $100
Deferral requests will not be accepted after 22 August 2014. To request a deferral, please go to www.isaca.org/examdefer. Exam candidates who have deferred their exam are not eligible for a refund of their deferral fee and associated exam payment. Exam candidates who do not appear for the exam (or arrive too late to be admitted) are not eligible for a refund or deferral of their exam registration payment.
Any candidate who has not received his/her admission ticket by 15 August 2014 should contact the ISACA certification department at [email protected] or via phone at +1.847.660.5660.
Special Accommodations
Upon request, ISACA will make reasonable accommodations in its exam procedures for candidates with documented disabilities. Consideration for reasonable alterations in exam format, presentation, and allowance of food or drink at the exam site must be requested and accompanied by a doctor's note. Unless requested and approved, no food or drink is allowed at any exam site. Requests for consideration must be submitted to ISACA International Headquarters in writing, accompanied by appropriate documentation, no later than 21 July 2014.
Exam Locations
For a complete listing of the exam sites for the September exam administration visit www.isaca.org/sept2014sites.
All deadlines are based on Chicago, Illinois, USA, 5 p.m. Central Time (UTC/GMT-06:00 Chicago, Illinois, USA). No refunds or exchanges will be given for study aids, associated taxes, shipping and handling charges, or membership dues. Exam registration and membership fees are nontransferable.
DECEMBER IMPORTANT DATE INFORMATION
Exam Date 13 December 2014
Exam Registration Changes
Changes to the exam site, test language and candidate name are subject to the following charges:
- On or before 24 October: No charge
- 25 October through 31 October: US $50
No exam registration changes will be granted after 31 October 2014.
Refund and Deferrals of Fees
Refund: Candidates unable to take the exam are eligible for a refund of registration fees, less a US $100 processing fee, if such a request is received in writing on or before 24 October 2014. All requests for a refund after this date will be denied. Exam candidates who have deferred their exam are not eligible for a refund of their deferral fee and associated exam payment.
Deferrals: Exam registrants may elect to defer their registration to the following exam date. A deferral fee is required based on the following schedule:
- On or before 24 October: US $50
- 25 October through 28 November: US $100
Deferral requests will not be accepted after 28 November 2014. To request a deferral, please go to www.isaca.org/examdefer. Exam candidates who have deferred their exam are not eligible for a refund of their deferral fee and associated exam payment. Exam candidates who do not appear for the exam (or arrive too late to be admitted) are not eligible for a refund or deferral of their exam registration payment.
Any candidate who has not received his/her admission ticket by 1 December 2014 should contact the ISACA certification department at [email protected] or via phone at +1.847.660.5660.
Special Accommodations
Upon request, ISACA will make reasonable accommodations in its exam procedures for candidates with documented disabilities or religious requirements. Consideration for reasonable alterations in scheduling, exam format, presentation, and allowance of food or drink at the exam site must be requested. Documented disability requests must be accompanied by a doctor's note. Requests for a religious requirement must be accompanied by a note from the candidate's religious leader. Unless requested and approved, no food or drink is allowed at any exam site. Requests for consideration must be submitted to ISACA International Headquarters in writing, accompanied by appropriate documentation, no later than 24 October 2014.
Request for Additional Test Centers
If an exam center is not available within 100 miles (160 kilometers) of the location in which a candidate wants to be tested, and if there are ten or more paid candidates who wish to enter as a group at this location, they may request that a new exam center be established. Written requests for establishment of new exam centers, including a minimum of ten paid registration forms, must be received at ISACA International Headquarters no later than 1 August 2014. While there is no guarantee that a new exam center can be arranged, every attempt will be made to provide one.
Exam Locations
For a complete listing of the exam sites for the December exam administration visit www.isaca.org/examlocations.
All deadlines are based on Chicago, Illinois, USA, 5 p.m. Central Time (UTC/GMT-06:00 Chicago, Illinois, USA). No refunds or exchanges will be given for study aids, associated taxes, shipping and handling charges, or membership dues. Exam registration and membership fees are nontransferable.
EXAM DAY INFORMATION
Admission Ticket
Approximately two to three weeks prior to the exam date, candidates will be sent an email admission ticket (e-ticket) from ISACA. Exam candidates can also download a copy of the admission ticket at www.isaca.org > MyISACA page of the web site. Tickets will indicate the date, registration time and location of the exam, as well as a schedule of events for that day and a list of materials that candidates must bring with them to take the exam. Candidates are not to write on the admission ticket. Candidates can use their admission ticket (either a printout of their e-ticket or their downloaded ticket) only at the designated test center.
Identification on Exam Day
Candidates will be admitted to the test center only if they have a valid admission ticket and an acceptable form of identification (ID). An acceptable form of ID must be a current and original government-issued ID that contains the candidate's name, as it appears on the admission ticket, and the candidate's photograph. The information on the ID cannot be handwritten. All of these characteristics must be demonstrated by the single piece of ID provided. Examples include, but are not limited to, a passport, driver's license, military ID, state ID, green card and national ID. Any candidate who does not provide an acceptable form of ID will not be allowed to sit for the exam and will forfeit his/her registration fee. IDs will be checked during the exam administration.
Please Note: In order to receive an admission ticket, all fees must be paid. Admission tickets are sent via email to the current email address on file. Only candidates with an admission ticket and an acceptable government-issued ID will be admitted to take the exam, and the name on the admission ticket must match the name on the government-issued ID. If candidates' mailing and/or email addresses change, they should update their profile on the ISACA web site (www.isaca.org) or contact [email protected].
Arrival Time For Exam
It is imperative that candidates note the specific registration and exam times on their admission ticket. NO CANDIDATE WILL BE ADMITTED TO THE TEST CENTER ONCE THE CHIEF EXAMINER BEGINS READING THE ORAL INSTRUCTIONS, APPROXIMATELY 30 MINUTES BEFORE THE EXAM BEGINS. Any candidate who arrives after the oral instructions have begun will not be allowed to sit for the exam and will forfeit his/her registration fee. An admission ticket can only be used at the designated test center specified on the admission ticket. To ensure that you arrive in plenty of time for the exam, we recommend that you become familiar with the exact location and the best travel route to your exam site prior to the date of the exam. Test center telephone numbers and web site references have been provided (when available) to assist you in obtaining directions to the facility.
Observe the Test Center's Rules
Candidates will not be admitted to a test center after the oral instructions have begun. Candidates should bring several sharpened no. 2 or HB (soft lead) pencils and a good eraser. Pencils and erasers will not be available at the test center.
As exam venues vary, every attempt will be made to make the climate control comfortable at each exam venue. Candidates may want to dress to their own comfort level.
Candidates are not allowed to bring reference materials, blank paper, note pads or language dictionaries into the test center. Candidates are not allowed to bring or use a calculator in the test center. Candidates are not allowed to bring any type of communication devices (i.e., cell phones, PDAs, BlackBerries) into the test center. If exam candidates are viewed with any such device during the exam administration, their exams will be voided and they will be asked to immediately leave the exam site.
Visitors are not permitted in the test center. No food or beverages are allowed in the test center (without advanced authorization from ISACA).
Misconduct
Candidates who are discovered engaging in any kind of misconduct (such as giving or receiving help; using notes, papers or other aids; attempting to take the exam for someone else; using any type of communication device, including cell phones, during the exam administration; or removing the exam booklet, answer sheet or notes from the testing room) will be disqualified. Candidates who leave the testing area without authorization or accompaniment by a test proctor will not be allowed to return to the testing room and will be subject to disqualification. The testing agency will report such irregularities to the respective ISACA Certification Committee.
Reasons for Dismissal or Disqualification
- Unauthorized admission to the test center
- Candidate creates a disturbance or gives or receives help
- Candidate attempts to remove test materials or notes from the test center
- Candidate impersonates another candidate
- Candidate brings items into the test center that are not permitted
- Candidate possession of any communication device (i.e., cell phone, PDA, BlackBerry) during the exam administration
- Candidate unauthorized leave of the test area
Candidates are not allowed to bring any type of communication device into the test center. If candidates are observed with any communication device (i.e., cellular phone, PDA, BlackBerry) during the exam administration, their exams will be voided and they will be asked to immediately leave the test site. Neither ISACA nor its testing vendor takes responsibility for personal belongings of candidates. ISACA will not assume responsibility for stolen, lost or damaged personal property. To review the Personal Belongings Policy, please visit www.isaca.org/cisabelongings, www.isaca.org/cismbelongings, www.isaca.org/cgeitbelongings, or www.isaca.org/criscbelongings.
Taking the Exam/Types of Questions on the Exams
Exam questions are developed with the intent of measuring and testing practical knowledge and the application of general concepts and standards. All questions are designed with one best answer.
Every question has a stem (question) and four options (answer choices). The candidate is asked to choose the correct or best answer from the options. The stem may be in the form of a question or incomplete statement. In some instances, a scenario may also be included. These questions normally include a description of a situation and require the candidate to answer two or more questions based on the information provided. The candidate is cautioned to read each question carefully. An exam question may require the candidate to choose the appropriate answer based on a qualifier, such as MOST likely or BEST. In every case, the candidate is required to read the question carefully, eliminate known incorrect answers and then make the best choice possible. To gain a better understanding of the types of questions that might appear on the exam and how these questions are developed, refer to the Item Writing Guide available at www.isaca.org/itemwriter. Representations of CISA exam questions are available at www.isaca.org/cisaassessment; CISM exam questions are available at www.isaca.org/cismassessment.
Conduct Oneself Properly
To protect the security of the exam and maintain the validity of the scores, candidates are asked to sign the answer sheet. The respective ISACA Certification Committee reserves the right to disqualify any candidate who is discovered engaging in any kind of misconduct or violation of exam rules, such as giving or receiving help; using notes, papers or other aids; attempting to take the exam for someone else; or removing test materials or notes from the test center. The testing agency will provide the respective ISACA Certification Committee with records regarding such irregularities for their review and to render a decision.
Be Careful in Completing the Answer Sheet
Before a candidate begins the exam, the test center chief examiner will read aloud the instructions for entering identification information on the answer sheet. A candidate's identification number as it appears on the admission ticket and all other requested information must be correctly entered or scores may be delayed or incorrectly reported.
A proctor speaking the primary language used at each test center is available. If a candidate desires to take the exam in a language other than the primary language of the test center, the proctor may not be conversant in the language chosen. However, written instructions will be available in the language of the exam.
A candidate is instructed to read all instructions carefully and understand them before attempting to answer the questions. Candidates who skip over the directions or read them too quickly could miss important information and possibly lose credit.
All answers are to be marked in the appropriate circle on the answer sheet. Candidates must be careful not to mark more than one answer per question and to be sure to answer a question in the appropriate row of answers. If an answer needs to be changed, a candidate is urged to erase the wrong answer fully before marking in the new one.
All questions should be answered. There are no penalties for incorrect answers. Grades are based solely on the number of questions answered correctly, so do not leave any questions blank.
After completion, candidates are required to hand in their answer sheet and test booklet.
Budget One's Time
The exam is four hours in length. Candidates are advised to pace themselves to complete the entire exam. Candidates are urged to record their answers on the answer sheet immediately. No additional time will be allowed after the exam time has elapsed to transfer or record answers should a candidate mark answers in the test booklet.
Exam Day Comments
ISACA utilizes an internationally recognized professional testing agency to assist in the construction, administration and scoring of the exams.
Candidates wishing to comment on the test administration conditions may do so at the conclusion of the testing session by completing the Test Administration Questionnaire. The Test Administration Questionnaire is presented at the back of the examination booklet with corresponding instructions for completion.
Candidates who wish to address any additional comments or concerns about the examination administration, including site conditions or the content of the exam, should contact ISACA international headquarters by letter or by email ([email protected]). Please include the following information in your comments: exam ID number, testing site, date tested and any relevant details on the specific issue. Only those comments received by ISACA during the first 2 weeks after the exam administration will be considered in the final scoring of the exam.
Post Exam Information
Scoring the Exams
The ISACA exams consist of multiple-choice items. Candidate scores are reported as a scaled score. A scaled score is a conversion of a candidate's raw score on an exam to a common scale. ISACA uses and reports scores on a common scale from 200 to 800. For example, the scaled score of 800 represents a perfect score with all questions answered correctly; a scaled score of 200 is the lowest score possible and signifies that only a small number of questions were answered correctly. A candidate must receive a score of 450 or higher to pass the exam. A score of 450 represents a minimum consistent standard of knowledge. A candidate receiving a passing score may then apply for certification if all other requirements are met.
The exams contain some questions which are included for research and analysis purposes only. These questions are not separately identified and are not used to calculate your final score.
Approximately five weeks for CISA/CISM and eight weeks for CGEIT/CRISC after the test date, the official exam results will be mailed to candidates. Additionally, with the candidate's consent during the registration process, an email message containing the candidate's pass/fail status and score will be sent to the candidate. This email notification will only be sent to the address listed in the candidate's profile at the time of the initial release of the results. To ensure the confidentiality of scores, exam results will not be reported by telephone or fax. To prevent email notification from being sent to spam folders, candidates should add [email protected] to their address book, whitelist or safe-senders list.
Candidates will receive a score report containing a subscore for each domain area. Successful candidates will receive, along with a score report, details on how to apply for certification.
The subscores can be useful in identifying those areas in which the unsuccessful candidate may need further study before retaking the exam. Unsuccessful candidates should note that the total scaled score cannot be determined by calculating either a simple or weighted average of the subscores.
Candidates receiving a failing score on the exam may request a hand score of their answer sheets. This procedure ensures that no stray marks, multiple responses or other conditions interfered with computer scoring. Candidates should understand, however, that all scores are subjected to several quality control checks before they are reported; therefore, rescores most likely will not result in a score change. Requests for hand scoring must be made in writing to the certification department within 90 days following the release of the exam results. Requests for a hand score after the deadline date will not be processed. All requests must include the candidate's name, exam identification number and mailing address. A fee of US $75 must accompany each request.
Passing the exam does not grant the designation. To become certified, each exam passer must complete requirements including submitting an application for certification. Candidates receiving a score less than 450 have not passed and can retake the exam by registering and paying the exam registration fee for the future administration. There are no limits to how many times a candidate can take the exam.
ISACA Code of Professional Ethics
ISACA sets forth a Code of Professional Ethics to guide the professional and personal conduct of members of the association and/or its certification holders. Members and certification holders are required to abide by the Code. Failure to comply with this Code of Professional Ethics can result in an investigation into a member's and/or certification holder's conduct and, ultimately, in disciplinary measures. The ISACA Code of Professional Ethics can be viewed online at www.isaca.org/ethics.
IMPORTANT ADDITIONAL REFERENCES
These references contain essential exam information and should be read in their entirety.

CISA exam
  Certification: www.isaca.org/cisa
  Preparing for the Exam: www.isaca.org/cisaprep
  Requirements for Certification: www.isaca.org/cisarequirements
  Job Practice: www.isaca.org/cisajobpractice
  Applying for Certification: www.isaca.org/cisaapp
  Maintaining your Certification: www.isaca.org/cisacpepolicy
  Glossary of Terms: www.isaca.org/glossary
  Acronyms: www.isaca.org/cisaprep

CISM exam
  Certification: www.isaca.org/cism
  Preparing for the Exam: www.isaca.org/cismprep
  Requirements for Certification: www.isaca.org/cismrequirements
  Job Practice: www.isaca.org/cismjobpractice
  Applying for Certification: www.isaca.org/cismapp
  Maintaining your Certification: www.isaca.org/cismcpepolicy
  Glossary of Terms: www.isaca.org/glossary
  Acronyms: www.isaca.org/cismprep

CGEIT exam
  Certification: www.isaca.org/cgeit
  Preparing for the Exam: www.isaca.org/cgeitprep
  Requirements for Certification: www.isaca.org/cgeitrequirements
  Job Practice: www.isaca.org/cgeitjobpractice
  Applying for Certification: www.isaca.org/cgeitapp
  Maintaining your Certification: www.isaca.org/cgeitcpepolicy
  Glossary of Terms: www.isaca.org/glossary

CRISC exam
  Certification: www.isaca.org/crisc
  Preparing for the Exam: www.isaca.org/criscprep
  Requirements for Certification: www.isaca.org/criscrequirements
  Job Practice: www.isaca.org/criscjobpractice
  Applying for Certification: www.isaca.org/criscapp
  Maintaining your Certification: www.isaca.org/crisccpepolicy
  Glossary of Terms: www.isaca.org/glossary
Available Study Materials From ISACA
Passing an ISACA exam can be achieved through an organized plan of study. To assist individuals with the development of a successful study plan, ISACA offers study aids to exam candidates. Visit www.isaca.org/bookstore for more complete details including detailed descriptions of the products, costs, and languages available. Order early as delivery time can be one to two weeks, depending on geographic location and customs clearance practices.
CISA:
  CISA Review Manual 2014
  CISA Review Questions, Answers & Explanations Manual 2013
  CISA Review Questions, Answers & Explanations Manual 2013 Supplement
  CISA Review Questions, Answers & Explanations Manual 2014 Supplement
  CISA Practice Question Database V14 (CD-ROM or download version)
  CISA Online Review Course

CISM:
  CISM Review Manual 2014
  CISM Review Questions, Answers & Explanations Manual 2014
  CISM Review Questions, Answers & Explanations Manual 2014 Supplement
  CISM Practice Question Database V14 (CD-ROM or download version)

CGEIT:
  CGEIT Review Manual 2014
  CGEIT Review Questions, Answers & Explanations Manual 2013
  CGEIT Review Questions, Answers & Explanations Manual 2013 Supplement
  CGEIT Review Questions, Answers & Explanations Manual 2014 Supplement
  COBIT 5

CRISC:
  CRISC Review Manual 2014
  CRISC Review Questions, Answers & Explanations Manual 2013
  CRISC Review Questions, Answers & Explanations Manual 2013 Supplement
  CRISC Review Questions, Answers & Explanations Manual 2014 Supplement
  CRISC Exam Self Study
ISACA Contact Information
Exam and exam registration: Phone: +1.847.660.5660; Fax: +1.847.253.1443; Email: [email protected]
Certification: Phone: +1.847.660.5660; Fax: +1.847.253.1443; Email: [email protected]
Study aids: Phone: +1.847.660.5650; Email: [email protected]
ISACA membership: Phone: +1.847.660.5600; Email: [email protected]
DOC: 2014 Exam Candidates Guide; Version: V2; Update: 2013-11-13
CISA Job Practice Areas
A job practice serves as the basis for the exam and requirements to earn the certification. This job practice consists of task and knowledge statements, organized by domains.
CISA Certification Job Practice Notice: A CISA job practice analysis has been completed. This analysis resulted in a new CISA job practice which reflects the vital and evolving responsibilities of IT auditors. The new CISA job practice (identified below) was effective beginning with the June 2011 CISA exam administration.
For purposes of these statements, the terms "enterprise" and "organization" or "organizational" are considered synonymous.
The job practice domains and task and knowledge statements are as follows:
Domain 1: The Process of Auditing Information Systems (14%)
Domain 2: Governance and Management of IT (14%)
Domain 3: Information Systems Acquisition, Development and Implementation (19%)
Domain 4: Information Systems Operations, Maintenance and Support (23%)
Domain 5: Protection of Information Assets (30%)
Domain 1: The Process of Auditing Information Systems (14%)
Provide audit services in accordance with IT audit standards to assist the organization in protecting and controlling information systems.

Domain 1 Task Statements:
1.1 Develop and implement a risk-based IT audit strategy in compliance with IT audit standards to ensure that key areas are included.
1.2 Plan specific audits to determine whether information systems are protected, controlled and provide value to the organization.
1.3 Conduct audits in accordance with IT audit standards to achieve planned audit objectives.
1.4 Report audit findings and make recommendations to key stakeholders to communicate results and effect change when necessary.
1.5 Conduct follow-ups or prepare status reports to ensure appropriate actions have been taken by management in a timely manner.

Domain 1 Knowledge Statements:
1.1 Knowledge of ISACA IT Audit and Assurance Standards, Guidelines and Tools and Techniques, Code of Professional Ethics and other applicable standards
1.2 Knowledge of risk assessment concepts, tools and techniques in an audit context
1.3 Knowledge of control objectives and controls related to information systems
1.4 Knowledge of audit planning and audit project management techniques, including follow-up
1.5 Knowledge of fundamental business processes (e.g., purchasing, payroll, accounts payable, accounts receivable) including relevant IT
1.6 Knowledge of applicable laws and regulations which affect the scope, evidence collection and preservation, and frequency of audits
1.7 Knowledge of evidence collection techniques (e.g., observation, inquiry, inspection, interview, data analysis) used to gather, protect and preserve audit evidence
1.8 Knowledge of different sampling methodologies
1.9 Knowledge of reporting and communication techniques (e.g., facilitation, negotiation, conflict resolution, audit report structure)
1.10 Knowledge of audit quality assurance systems and frameworks
Domain 2: Governance and Management of IT (14%)
Provide assurance that the necessary leadership and organization structure and processes are in place to achieve objectives and to support the organization's strategy.

Domain 2 Task Statements:
2.1 Evaluate the effectiveness of the IT governance structure to determine whether IT decisions, directions and performance support the organization's strategies and objectives.
2.2 Evaluate IT organizational structure and human resources (personnel) management to determine whether they support the organization's strategies and objectives.
2.3 Evaluate the IT strategy, including the IT direction, and the processes for the strategy's development, approval, implementation and maintenance for alignment with the organization's strategies and objectives.
2.4 Evaluate the organization's IT policies, standards, and procedures, and the processes for their development, approval, implementation, maintenance, and monitoring, to determine whether they support the IT strategy and comply with regulatory and legal requirements.
2.5 Evaluate the adequacy of the quality management system to determine whether it supports the organization's strategies and objectives in a cost-effective manner.
2.6 Evaluate IT management and monitoring of controls (e.g., continuous monitoring, QA) for compliance with the organization's policies, standards and procedures.
2.7 Evaluate IT resource investment, use and allocation practices, including prioritization criteria, for alignment with the organization's strategies and objectives.
2.8 Evaluate IT contracting strategies and policies, and contract management practices to determine whether they support the organization's strategies and objectives.
2.9 Evaluate risk management practices to determine whether the organization's IT-related risks are properly managed.
2.10 Evaluate monitoring and assurance practices to determine whether the board and executive management receive sufficient and timely information about IT performance.
2.11 Evaluate the organization's business continuity plan to determine the organization's ability to continue essential business operations during the period of an IT disruption.

Domain 2 Knowledge Statements:
2.1 Knowledge of IT governance, management, security and control frameworks, and related standards, guidelines, and practices
2.2 Knowledge of the purpose of IT strategy, policies, standards and procedures for an organization and the essential elements of each
2.3 Knowledge of organizational structure, roles and responsibilities related to IT
2.4 Knowledge of the processes for the development, implementation and maintenance of IT strategy, policies, standards and procedures
2.5 Knowledge of the organization's technology direction and IT architecture and their implications for setting long-term strategic directions
2.6 Knowledge of relevant laws, regulations and industry standards affecting the organization
2.7 Knowledge of quality management systems
2.8 Knowledge of the use of maturity models
2.9 Knowledge of process optimization techniques
2.10 Knowledge of IT resource investment and allocation practices, including prioritization criteria (e.g., portfolio management, value management, project management)
2.11 Knowledge of IT supplier selection, contract management, relationship management and performance monitoring processes including third party outsourcing relationships
2.12 Knowledge of enterprise risk management
2.13 Knowledge of practices for monitoring and reporting of IT performance (e.g., balanced scorecards, key performance indicators [KPI])
2.14 Knowledge of IT human resources (personnel) management practices used to invoke the business continuity plan
2.15 Knowledge of business impact analysis (BIA) related to business continuity planning
2.16 Knowledge of the standards and procedures for the development and maintenance of the business continuity plan and testing methods
Domain 3: Information Systems Acquisition, Development, and Implementation (19%)
Provide assurance that the practices for the acquisition, development, testing, and implementation of information systems meet the organization's strategies and objectives.

Domain 3 Task Statements:
3.1 Evaluate the business case for the proposed investments in information systems acquisition, development, maintenance and subsequent retirement to determine whether it meets business objectives.
3.2 Evaluate the project management practices and controls to determine whether business requirements are achieved in a cost-effective manner while managing risks to the organization.
3.3 Conduct reviews to determine whether a project is progressing in accordance with project plans, is adequately supported by documentation and status reporting is accurate.
3.4 Evaluate controls for information systems during the requirements, acquisition, development and testing phases for compliance with the organization's policies, standards, procedures and applicable external requirements.
3.5 Evaluate the readiness of information systems for implementation and migration into production to determine whether project deliverables, controls and organization's requirements are met.
3.6 Conduct post-implementation reviews of systems to determine whether project deliverables, controls and organization's requirements are met.

Domain 3 Knowledge Statements:
3.1 Knowledge of benefits realization practices (e.g., feasibility studies, business cases, total cost of ownership [TCO], ROI)
3.2 Knowledge of project governance mechanisms (e.g., steering committee, project oversight board, project management office)
3.3 Knowledge of project management control frameworks, practices and tools
3.4 Knowledge of risk management practices applied to projects
3.5 Knowledge of IT architecture related to data, applications and technology (e.g., distributed applications, web-based applications, web services, n-tier applications)
3.6 Knowledge of acquisition practices (e.g., evaluation of vendors, vendor management, escrow)
3.7 Knowledge of requirements analysis and management practices (e.g., requirements verification, traceability, gap analysis, vulnerability management, security requirements)
3.8 Knowledge of project success criteria and risks
3.9 Knowledge of control objectives and techniques that ensure the completeness, accuracy, validity and authorization of transactions and data
3.10 Knowledge of system development methodologies and tools including their strengths and weaknesses (e.g., agile development practices, prototyping, rapid application development [RAD], object-oriented design techniques)
3.11 Knowledge of testing methodologies and practices related to information systems development
3.12 Knowledge of configuration and release management relating to the development of information systems
3.13 Knowledge of system migration and infrastructure deployment practices and data conversion tools, techniques and procedures
3.14 Knowledge of post-implementation review objectives and practices (e.g., project closure, control implementation, benefits realization, performance measurement)
Domain 4: Information Systems Operations, Maintenance and Support (23%)
Provide assurance that the processes for information systems operations, maintenance and support meet the organization's strategies and objectives.

Domain 4 Task Statements:
4.1 Conduct periodic reviews of information systems to determine whether they continue to meet the organization's objectives.
4.2 Evaluate service level management practices to determine whether the level of service from internal and external service providers is defined and managed.
4.3 Evaluate third party management practices to determine whether the levels of controls expected by the organization are being adhered to by the provider.
4.4 Evaluate operations and end-user procedures to determine whether scheduled and non-scheduled processes are managed to completion.
4.5 Evaluate the process of information systems maintenance to determine whether it is controlled effectively and continues to support the organization's objectives.
4.6 Evaluate data administration practices to determine the integrity and optimization of databases.
4.7 Evaluate the use of capacity and performance monitoring tools and techniques to determine whether IT services meet the organization's objectives.
4.8 Evaluate problem and incident management practices to determine whether incidents, problems or errors are recorded, analyzed and resolved in a timely manner.
4.9 Evaluate change, configuration and release management practices to determine whether scheduled and non-scheduled changes made to the organization's production environment are adequately controlled and documented.
4.10 Evaluate the adequacy of backup and restore provisions to determine the availability of information required to resume processing.
4.11 Evaluate the organization's disaster recovery plan to determine whether it enables the recovery of IT processing capabilities in the event of a disaster.

Domain 4 Knowledge Statements:
4.1 Knowledge of service level management practices and the components within a service level agreement
4.2 Knowledge of techniques for monitoring third party compliance with the organization's internal controls
4.3 Knowledge of operations and end-user procedures for managing scheduled and non-scheduled processes
4.4 Knowledge of the technology concepts related to hardware and network components, system software and database management systems
4.5 Knowledge of control techniques that ensure the integrity of system interfaces
4.6 Knowledge of software licensing and inventory practices
4.7 Knowledge of system resiliency tools and techniques (e.g., fault tolerant hardware, elimination of single point of failure, clustering)
4.8 Knowledge of database administration practices
4.9 Knowledge of capacity planning and related monitoring tools and techniques
4.10 Knowledge of systems performance monitoring processes, tools and techniques (e.g., network analyzers, system utilization reports, load balancing)
4.11 Knowledge of problem and incident management practices (e.g., help desk, escalation procedures, tracking)
4.12 Knowledge of processes for managing scheduled and non-scheduled changes to the production systems and/or infrastructure including change, configuration, release and patch management practices
4.13 Knowledge of data backup, storage, maintenance, retention and restoration practices
4.14 Knowledge of regulatory, legal, contractual and insurance issues related to disaster recovery
4.15 Knowledge of business impact analysis (BIA) related to disaster recovery planning
4.16 Knowledge of the development and maintenance of disaster recovery plans
4.17 Knowledge of types of alternate processing sites and methods used to monitor the contractual agreements (e.g., hot sites, warm sites, cold sites)
4.18 Knowledge of processes used to invoke the disaster recovery plans
4.19 Knowledge of disaster recovery testing methods
Domain 5: Protection of Information Assets (30%)
Provide assurance that the organization's security policies, standards, procedures and controls ensure the confidentiality, integrity and availability of information assets.

Domain 5 Task Statements:
5.1 Evaluate the information security policies, standards and procedures for completeness and alignment with generally accepted practices.
5.2 Evaluate the design, implementation and monitoring of system and logical security controls to verify the confidentiality, integrity and availability of information.
5.3 Evaluate the design, implementation, and monitoring of the data classification processes and procedures for alignment with the organization's policies, standards, procedures, and applicable external requirements.
5.4 Evaluate the design, implementation and monitoring of physical access and environmental controls to determine whether information assets are adequately safeguarded.
5.5 Evaluate the processes and procedures used to store, retrieve, transport and dispose of information assets (e.g., backup media, offsite storage, hard copy/print data, and softcopy media) to determine whether information assets are adequately safeguarded.

Domain 5 Knowledge Statements:
5.1 Knowledge of the techniques for the design, implementation, and monitoring of security controls, including security awareness programs
5.2 Knowledge of processes related to monitoring and responding to security incidents (e.g., escalation procedures, emergency incident response team)
5.3 Knowledge of logical access controls for the identification, authentication and restriction of users to authorized functions and data
5.4 Knowledge of the security controls related to hardware, system software (e.g., applications, operating systems), and database management systems
5.5 Knowledge of risks and controls associated with virtualization of systems
5.6 Knowledge of the configuration, implementation, operation and maintenance of network security controls
5.7 Knowledge of network and Internet security devices, protocols, and techniques
5.8 Knowledge of information system attack methods and techniques
5.9 Knowledge of detection tools and control techniques (e.g., malware, virus detection, spyware)
5.10 Knowledge of security testing techniques (e.g., intrusion testing, vulnerability scanning)
5.11 Knowledge of risks and controls associated with data leakage
5.12 Knowledge of encryption-related techniques
5.13 Knowledge of public key infrastructure (PKI) components and digital signature techniques
5.14 Knowledge of risks and controls associated with peer-to-peer computing, instant messaging, and web-based technologies (e.g., social networking, message boards, blogs)
5.15 Knowledge of controls and risks associated with the use of mobile & wireless devices
5.16 Knowledge of voice communications security (e.g., PBX, VoIP)
5.17 Knowledge of the evidence preservation techniques and processes followed in forensics investigations (e.g., IT, process, chain of custody)
5.18 Knowledge of data classification standards and supporting procedures
5.19 Knowledge of physical access controls for the identification, authentication and restriction of users to authorized facilities
5.20 Knowledge of environmental protection devices and supporting practices
5.21 Knowledge of the processes and procedures used to store, retrieve, transport and dispose of confidential information assets
4/1/2014 2014 Firebrand
ISACA
Trust in, and value from,
information systems
2014 CISA Review Course
Introduction
Welcome
Welcome to an exciting course!
Educational Value
Top-flight Instructors
Exceptional learning environment
Great support
Your Firebrand staff and instructor are here to answer any questions you may have
Agenda
This introduction will address:
The CISA Certification
Course format
Examination format
Introduction of Attendees
CISA
Certified Information Systems Auditor
Designed for personnel who will audit and review information systems.
Assurance that systems are designed, developed, implemented and maintained to support business needs and objectives
Tough but very good quality examination
Requires understanding of the concepts behind information systems audit, not just the definitions
CISA Exam Review Course Overview
The CISA Exam is based on the CISA job practice.
The ISACA CISA Certification Committee oversees the development of the exam and ensures the currency of its content.
There are five content areas that the CISA candidate is expected to know.
CISA Job Practice Areas
The Process of Auditing Information Systems
Governance and Management of IT
Information Systems Acquisition, Development and Implementation
Information Systems Operations, Maintenance and Support
Protection of Information Assets
CISA Qualifications
To earn the CISA designation, information security professionals are required to:
Successfully pass the CISA exam
Submit an Application for CISA certification
Minimum of five years information systems auditing, control or security work experience (waivers for education)
Adhere to the ISACA Code of Professional Ethics
Adherence to the CISA continuing education policy
Compliance with Information Systems Auditing Standards
Accelerated Learning Environment
This is a Firebrand Accelerated Learning Course
This is a fast-paced program
Please do not miss a moment of class time
Participate in the discussions and questions
Ask questions; challenge your understanding
Daily Format
Lecture and Sample questions
Approximately two domains per day
Domain structure
Learning Objectives
Content
Sample Questions
Please note that the information in every domain overlaps with the information in other domains. During the course we will introduce topics that are expanded upon in later domains.
Course Structure
Start Time
Breaks
Meals
End of Day
End of class on last day
Logistics
Fire Escapes
Assembly point
Mobile phones / pagers
The Examination
Description of the Exam
The exam consists of 200 multiple choice questions that cover the CISA job practice areas.
Four hours are allotted for completing the exam
See the Candidate Guide 2014 included in the course booklet for further details
Examination Job Practice Areas
The exam items are based on the content within 5 information systems audit areas:
Process of Auditing Information Systems 14%
Governance and Management of IT 14%
Information Systems Acquisition, Development and Implementation 19%
Information Systems Operations, Maintenance and Support 23%
Protection of Information Assets 30%
2014 Exam Dates
The exam will be administered three times in 2014:
June 14th
September 6th
December 13th
Many examination locations worldwide
Register at www.isaca.org
Note that registration closes many weeks in advance of the exam date
Examination Day
Be on time!!
The doors are locked when the instructions start approximately 30 minutes before examination start time.
Bring the admission ticket (sent out prior to the examination from ISACA) and an acceptable form of original photo identification (passport, photo ID or driver's license).
Completing the Examination Items
Bring several #2 pencils and an eraser
Read each question carefully
Read ALL answers prior to selecting the BEST answer
Mark the appropriate answer on the test answer sheet.
When correcting an answer be sure to thoroughly erase the wrong answer before filling in a new one.
There is no penalty for guessing. Answer every question.
Grading the Exam
Candidate scores are reported as a scaled score based on the conversion of a candidate's raw score on an exam to a common scale.
ISACA uses and reports scores on a common scale from 200 to 800. A candidate must receive a score of 450 or higher to pass.
Exam results will be mailed (and emailed) out approximately 8 weeks after the exam date.
Good Luck!
Introduction of Classmates
End of Introduction
The Process of Auditing Information Systems
2014 CISA Review Course
Ensure that the CISA candidate has the knowledge necessary to provide audit services in accordance with IT audit standards to assist the organization with protecting and controlling information systems.
[Chart: % of Total Exam Questions by chapter: Chapter 1 14%, Chapter 2 14%, Chapter 3 19%, Chapter 4 23%, Chapter 5 30%]
Exam Relevance
The content area in this chapter will represent approximately 14% of the CISA examination (approximately 28 questions).
Agenda
Definition and Planning of Audit
Risk Management
Audit Planning
Performing the Audit
Audit, Analysis and Reporting
Conclusion
Chapter 1 Learning Objectives
Develop and implement a risk-based IT audit strategy based on IT Audit standards
Plan specific audits to determine whether information systems are protected, controlled and provide value to the organization
Conduct audits in accordance with IT audit standards to achieve planned audit objectives
Learning Objectives (continued)
Report audit findings and make recommendations to key stakeholders to communicate results and effect change when necessary
Conduct follow-ups or prepare status reports to ensure appropriate actions have been taken by management in a timely manner
Audit Charter
Audit begins with the acceptance of an Audit Charter
Provides:
Authority for audit
Responsibility
Reporting requirements
Signed by Audit Committee or Senior Management
Definition of Auditing
Systematic process by which a competent, independent person objectively obtains and evaluates evidence regarding assertions about an economic entity or event for the purpose of forming an opinion about and reporting on the degree to which the assertion conforms to an identified set of standards.
Definition of Information Systems Auditing
Any audit that encompasses review and evaluation (wholly or partly) of automated information processing systems, related non-automated processes and the interfaces between them.
Audit Objectives
An audit compares (measures) actual activity
against standards and policy
Specific goals of the audit
Confidentiality
Integrity
Reliability
Availability
Compliance with legal and regulatory requirements
Audit Planning
Involves short- and long-term planning (annual basis):
New control issues
Changes/upgrades to technologies
Business processes, needs and goals
Auditing/evaluation techniques
Audit Planning cont.
Based on concerns of management or areas of
higher risk
Process failures
Financial operations
Compliance requirements
IS Audit Resource Management
Audit program challenges:
Limited number of IS auditors
Maintenance of their technical competence
Assignment of audit staff
Types of Audits
Financial audits
Operational audits
Integrated audits
Administrative audits
IS audits
Specialized audits
Forensic audits
Elements of an Audit
Audit scope
Audit objectives
Criteria
Audit procedures
Evidence
Conclusions and opinions
Reporting
Creating the Plan for an Audit
1. Gather information
2. Identify system and components
3. Assess risk
4. Perform risk analysis
5. Conduct internal control review
6. Set audit scope and objectives
7. Develop auditing strategy
8. Assign resources
Planning the Audit
Based on the scope and objective of the particular assignment.
IS auditor's concerns:
Security (confidentiality, integrity and availability)
Quality (effectiveness, efficiency)
Fiduciary (compliance, reliability)
Service and capacity
Audit Methodology
A set of documented audit procedures designed to achieve planned audit objectives.
Composed of:
Statement of scope
Statement of audit objectives
Statement of audit programs
Set up and approved by audit management
Communicated to all audit staff
Phases of an Audit
Audit subject
Audit objective
Audit scope
Pre-audit planning
Audit procedures and steps for data gathering
Procedures for evaluating the test or review results
Procedures for communication with management
Audit report preparation
Audit Workpapers
Audit plans
Audit programs
Audit activities
Audit tests
Audit findings and incidents
Audit Procedures
Understanding of the audit area/subject
Risk assessment and general audit plan
Detailed audit planning
Preliminary review of audit area/subject
Evaluating audit area/subject
Verifying and evaluating controls
Compliance testing
Substantive testing
Reporting (communicating results)
Follow-up
Types of Tests for IS Controls
Use of audit software to survey the contents of data files
Assess the contents of operating system parameter files
Flow-charting techniques for documenting automated applications and business processes
Use of audit reports available in operating systems
Documentation review
Observation
Forensic Audits
Audits specifically related to a crime or serious
incident
Determine
Scope of incident
Root cause
Personnel and systems involved
Obtain and examine evidence
Report for further action
Fraud Detection
Fraud detection is management's responsibility
Benefits of a well-designed internal control system:
Deterring fraud at the first instance
Detecting fraud in a timely manner
Fraud detection and disclosure
Auditor's role in fraud prevention and detection
Risk-Based Auditing: A Quick Review of Risk Assessment and Mitigating Controls
Definition of Risk
Risk is the likelihood of a threat exploiting a
vulnerability and the resulting impact on business
mission
Risk assessment must be based on business
requirements, not solely on information systems
Purpose of Risk Management
Risk Assessment
Identify and prioritize risk
Recommend risk-based controls
Risk Mitigation
Reduce risk
Accept risk
Transfer risk
Avoid risk
Ongoing assessment of risk levels and control
effectiveness
Risk Management
Identify Business Objectives (BO)
Identify Business Assets that support the BO
Perform Risk Assessment (RA) [Threat, Vulnerability, Probability, Impact]
Perform Risk Mitigation (RM) [Map risks to controls in place]
Perform Risk Treatment (RT) [Treat existing risks not mitigated by existing controls]
Perform Periodic Risk Re-evaluation (BO, RA, RM, RT)
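The risk management steps above (identify business objectives and the assets that support them, assess threat/vulnerability/probability/impact, map risks to controls in place, treat what remains, re-evaluate) carried through on a small constructed risk register. This is an added example, not Firebrand or ISACA material; the 1-to-5 rating scales, the multiplicative control effectiveness, the tolerance threshold and the accept/reduce/transfer/avoid rules are assumptions chosen for the demonstration, as are all asset, threat and control names.

```python
"""Risk register walk-through following the steps on the Risk Management slide.

Added example, not Firebrand or ISACA material. Assumptions not stated in
the slides: probability and impact are rated 1..5, inherent risk is their
product, each control in place removes a stated fraction of the remaining
risk, management's tolerance is one numeric threshold on residual risk, and
the treatment rules in treatment() are an illustrative policy.
"""
from dataclasses import dataclass, field


@dataclass
class Risk:
    objective: str        # business objective (BO) the asset supports
    asset: str            # business asset that supports the BO
    threat: str
    vulnerability: str
    probability: int      # 1 (rare) .. 5 (almost certain); assumed scale
    impact: int           # 1 (negligible) .. 5 (severe); assumed scale
    controls: list = field(default_factory=list)  # (control name, effectiveness 0..1)

    def inherent(self) -> int:
        """Risk assessment (RA): likelihood of the threat exploiting the vulnerability times impact."""
        return self.probability * self.impact

    def residual(self) -> float:
        """Risk mitigation (RM): map the risk to the controls already in place."""
        remaining = float(self.inherent())
        for _name, effectiveness in self.controls:
            remaining *= 1.0 - effectiveness
        return round(remaining, 2)


def treatment(risk: Risk, tolerance: float) -> str:
    """Risk treatment (RT) for what the existing controls do not mitigate (assumed policy)."""
    residual = risk.residual()
    if residual <= tolerance:
        return "accept"
    if risk.probability <= 2 and risk.impact >= 4:
        return "transfer"          # rare but severe: insure or outsource
    if residual <= 2 * tolerance:
        return "reduce"            # additional controls can bring it within tolerance
    return "avoid"                 # stop the activity or replace the asset


def add_control(risk: Risk, name: str, effectiveness: float) -> float:
    """Periodic re-evaluation: record a new control and return the updated residual risk."""
    risk.controls.append((name, effectiveness))
    return risk.residual()


def build_register() -> list:
    """Constructed sample register; every value here is hypothetical."""
    return [
        Risk("Retain customer trust", "Customer database", "External attacker",
             "Unpatched web application", 4, 5,
             [("Monthly patching", 0.5), ("Web application firewall", 0.3)]),
        Risk("Keep services running", "Data centre", "Flood",
             "Ground-floor server room", 2, 5),
        Risk("Pay staff on time", "Legacy payroll system", "Malware",
             "Unsupported operating system", 5, 4,
             [("Network segmentation", 0.2)]),
        Risk("Control printing costs", "Office printers", "Insider misuse",
             "Default administrator password", 3, 1),
    ]


def prioritize(register: list, tolerance: float) -> list:
    """Identify and prioritize: highest residual risk first, with the treatment each needs."""
    ranked = sorted(register, key=lambda r: r.residual(), reverse=True)
    return [(r.asset, r.inherent(), r.residual(), treatment(r, tolerance)) for r in ranked]


if __name__ == "__main__":
    TOLERANCE = 6.0  # assumed management tolerance on residual risk
    register = build_register()
    for row in prioritize(register, TOLERANCE):
        print("%-22s inherent=%2d residual=%5.2f treatment=%s" % row)
    # Re-evaluation after the "reduce" recommendation on the customer database is acted on
    print("customer database after remediation:",
          add_control(register[0], "Penetration test remediation", 0.4))
```

The point the slide makes, that risk assessment rests on business requirements rather than on the information systems alone, shows up in the register: each entry starts from the business objective and the asset supporting it, and the treatment decision compares residual risk against management's tolerance rather than against a technical severity alone.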
Purpose of Risk Analysis
Identify threats and vulnerabilities
Helps the auditor evaluate countermeasures/controls
Helps the auditor decide on auditing objectives
Supports risk-based auditing decisions
Leads to implementation of internal controls
Why Use Risk-Based Auditing
Enables management to effectively allocate limited audit resources
Ensures that relevant information has been obtained from all levels of management
Establishes a basis for effectively managing the audit plans
Provides a summary of how the individual audit subject is related to the overall organization as well as to the business plan
Risk Assessment and Treatment
Assessing security risks
Risk assessments should identify, quantify and prioritize risks against criteria for risk acceptance and objectives relevant to the organization.
Performed periodically to address changes in:
The environment
Security requirements, and when significant changes occur
Risk Assessment and Treatment cont.
Treating security risks
Each risk identified in a risk assessment needs to be treated in a cost-effective manner according to its level of risk.
Controls should be selected to ensure that risks are reduced to an acceptable level.
General Controls
Apply to all areas of an organization and include policies and practices established by management to provide reasonable assurance that specific objectives will be achieved.
Internal Controls
Policies, procedures, practices and organizational structures implemented to reduce risks.
Classification of internal controls:
Preventive controls
Detective controls
Corrective controls
Areas of Internal Control
Internal control system
Internal accounting controls
Operational controls
Administrative controls
IS Controls Versus Manual Controls
Internal control objectives apply to all areas, whether manual or automated. Therefore, conceptually, control objectives in an IS environment remain unchanged from those of a manual environment.
IS Controls
Strategy and direction
General organization and management
Access to IT resources, including data and programs
Systems development methodologies and change control
Operations procedures
Systems programming and technical support functions
IS Controls cont.
Quality assurance procedures
Physical access controls
Business continuity/disaster recovery planning
Networks and communications
Database administration
Protection and detective mechanisms against internal and external attacks
Internal Control Objectives
Safeguarding of IT assets
Compliance to corporate policies or legal requirements
Input
Authorization
Accuracy and completeness of processing of data input/transactions
Output
Reliability of process
Backup/recovery
Efficiency and economy of operations
Change management process for IT and related systems
Assessing and Implementing Countermeasures
Cost
Assess management's tolerance for risk
Effectiveness at mitigating risk
Performing an Audit Risk Assessment
Identify
Business risks
Technological risks
Operational risks
A Risk Based Audit Approach
Risk-based Auditing
Gather Information and Plan:
Knowledge of business and industry
Prior years' audit results
Recent financial information
Regulatory statutes
Inherent risk assessments
Obtain Understanding of Internal Control:
Control environment
Control procedures
Detection risk assessment
Control risk assessment
Equate total risk
Risk-based Auditing (continued)
Perform Compliance Tests:
Identify key controls to be tested
Perform tests on reliability, risk prevention, and adherence to organizational policies and procedures
Perform Substantive Tests:
Analytical procedures
Detailed tests of account balances
Other substantive audit procedures
Conclude the Audit:
Create recommendations
Write audit report
Audit Planning
Audit Planning
Audit planning steps:
Gain an understanding of the business's mission, objectives, purpose and processes
Identify stated contents (policies, standards, guidelines, procedures, and organization structure)
Evaluate risk assessment and privacy impact analysis
Perform a risk analysis
Conduct an internal control review
Set the audit scope and audit objectives
Develop the audit approach or audit strategy
Assign personnel resources to audit and address engagement logistics
Audit Planning cont.
Effect of Laws and Regulations on IS Audit Planning
Regulatory requirements
Adequate controls
Privacy
Responsibilities
Oversight and governance
Protection of assets
Financial management
Correlation to financial, operational and IT audit functions
Performing the Audit
ISACA IT Audit and Assurance Tools and Techniques
Procedures developed by the ISACA Standards Board provide examples of possible processes an IS auditor might follow in an audit engagement.
The IS auditor should apply their own professional judgment to the specific circumstances.
ISACA IT Audit and Assurance Standards Framework
Framework for the ISACA IS Auditing Standards:
Standards
Guidelines
Procedures
Relationship Among Standards, Guidelines and Tools and Techniques
Standards: must be followed by IS auditors
Guidelines: provide assistance on how to implement the standards
Tools and Techniques: provide examples for implementing the standards
ISACA IT Audit and Assurance Standards Framework cont.
S1 Audit Charter
S2 Independence
S3 Ethics and Standards
S4 Competence
S5 Planning
S6 Performance of audit work
S7 Reporting
S8 Follow-up activities
S9 Irregularities and illegal acts
S10 IT Governance
S11 Use of risk assessment in audit planning
S12 Audit materiality
S13 Using the Work of Other Experts
S14 Audit Evidence
S15 IT Controls
S16 E-commerce
Evidence
It is a requirement that the auditor's conclusions be based on sufficient, competent evidence:
Independence of the provider of the evidence
Qualification of the individual providing the information or evidence
Objectivity of the evidence
Timing of the evidence
Gathering Evidence
Techniques for gathering evidence:
Review IS organization structures
Review IS policies and procedures
Review IS standards
Review IS documentation
Interview appropriate personnel
Observe processes and employee performance
Sampling
General approaches to audit sampling:
Statistical sampling
Non-statistical sampling
Compliance vs. Substantive Testing
Compliance test: determines whether controls are in compliance with management policies and procedures
Substantive test: tests the integrity of actual processing
Correlation between the level of internal controls and the substantive testing required
Relationship between compliance and substantive tests
Testing Controls
Review the system to identify controls
Test compliance to determine whether controls are functioning.
Evaluate the controls to determine the basis for reliance and the nature, scope and timing of
substantive tests.
Use two types of substantive tests to evaluate the validity of the data.
Test balance and transactions
Perform analytic review procedures
Integrated Auditing
Process whereby appropriate audit disciplines (operational audit, financial audit, IS audit) are combined to assess key internal controls over an operation, process or entity.
Focuses on risk to the organization (for an internal auditor)
Focuses on the risk of providing an incorrect or misleading audit opinion (for an external auditor)
Using the Services of Other Auditors and Experts
Considerations when using services of other auditors and experts:
Audit charter or contractual stipulations
Impact on overall and specific IS audit objectives
Impact on IS audit risk and professional liability
Independence and objectivity of other auditors and experts
Using the Services of Other Auditors and Experts cont.
Considerations when using services of other auditors and experts:
Professional competence, qualifications and experience
Scope of work proposed to be outsourced and approach
Supervisory and audit management controls
Method of communicating the results of audit work
Compliance with legal and regulatory stipulations
Compliance with applicable professional standards
Audit Risk
Components of overall audit risk:
Inherent risk
Control risk
Detection risk
Computer-assisted Audit Techniques
CAATs enable IS auditors to gather information independently.
CAATs include:
Generalized audit software (GAS)
Utility software
Debugging and scanning software
Test data
Application software tracing and mapping
Expert systems
Computer-assisted Audit Techniques cont.
Features of generalized audit software (GAS):
Mathematical computations
Stratification
Statistical analysis
Sequence checking
Computer-assisted Audit Techniques cont.
Functions supported by GAS:
File access
File reorganization
Data selection
Statistical functions
Arithmetical functions
Computer-assisted Audit Techniques cont.
CAATs as a continuous online audit approach: improves audit efficiency.
IS auditors must:
Develop audit techniques for use with advanced computerized systems
Be involved in the design of advanced systems to support audit requirements
Make greater use of automated tools
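The GAS features and functions listed on the preceding slides (file access, data selection, stratification, sequence checking, statistical and arithmetical functions), the statistical sampling approach from the Sampling slide, and "use of audit software to survey the contents of data files" from the types-of-tests slide, shown together as one small audit script. This is an added example, not Firebrand or ISACA code and not any commercial GAS product: the accounts-payable extract, the vendor and approver names and the 10,000 approval limit are constructed for the demonstration, and the function names are the author's own.

```python
"""Generalized-audit-software style survey of a constructed data file.

Added example, not Firebrand or ISACA code. The transaction extract, the
vendor names and the 10,000 approval limit are all constructed for the
demonstration; the checks mirror the GAS functions named on the slides
(file access, data selection, stratification, sequence checking,
statistical functions, statistical sampling).
"""
import bisect
import csv
import io
import random
import statistics
from collections import Counter

# Constructed accounts-payable extract (hypothetical data).
SAMPLE_CSV = """txn_id,date,vendor,amount,approver
1001,2014-03-03,Acme Ltd,1200.00,jsmith
1002,2014-03-03,Acme Ltd,480.50,jsmith
1003,2014-03-04,Globex,9950.00,jsmith
1005,2014-03-04,Initech,75.00,adoe
1005,2014-03-05,Initech,75.00,adoe
1006,2014-03-05,Globex,9990.00,jsmith
1007,2014-03-06,Umbrella,15000.00,
1008,2014-03-06,Acme Ltd,2500.00,adoe
"""

APPROVAL_LIMIT = 10000.00  # assumed policy: payments at or above this need a second approver


def load_transactions(text=SAMPLE_CSV):
    """File access: parse the extract into typed records."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({"txn_id": int(r["txn_id"]), "date": r["date"], "vendor": r["vendor"],
                     "amount": float(r["amount"]), "approver": r["approver"].strip()})
    return rows


def sequence_check(rows):
    """Sequence checking: missing numbers suggest unrecorded items, repeats suggest double entry."""
    counts = Counter(r["txn_id"] for r in rows)
    duplicates = sorted(i for i, c in counts.items() if c > 1)
    gaps = [i for i in range(min(counts), max(counts) + 1) if i not in counts]
    return gaps, duplicates


def select_exceptions(rows, limit=APPROVAL_LIMIT):
    """Data selection: records that merit follow-up under the assumed approval policy."""
    just_below_limit = [r["txn_id"] for r in rows if 0.95 * limit <= r["amount"] < limit]
    no_approver = [r["txn_id"] for r in rows if not r["approver"]]
    return {"just_below_limit": just_below_limit, "no_approver": no_approver}


def stratify(rows, boundaries=(1000.0, 5000.0)):
    """Stratification: count and total of amounts per size band (band i lies between boundary i-1 and i)."""
    strata = {}
    for r in rows:
        band = bisect.bisect_right(boundaries, r["amount"])
        s = strata.setdefault(band, {"count": 0, "total": 0.0})
        s["count"] += 1
        s["total"] = round(s["total"] + r["amount"], 2)
    return strata


def summarize(rows):
    """Statistical and arithmetical functions over the amount field."""
    amounts = [r["amount"] for r in rows]
    return {"count": len(amounts), "total": round(sum(amounts), 2),
            "mean": round(statistics.mean(amounts), 4), "max": max(amounts)}


def statistical_sample(rows, size, seed=2014):
    """Statistical sampling: a reproducible random selection of transaction ids for substantive testing."""
    return sorted(r["txn_id"] for r in random.Random(seed).sample(rows, size))


if __name__ == "__main__":
    rows = load_transactions()
    print("gaps, duplicates:", sequence_check(rows))
    print("exceptions:", select_exceptions(rows))
    print("strata:", stratify(rows))
    print("summary:", summarize(rows))
    print("sample for testing:", statistical_sample(rows, 3))
```

On the constructed extract the sequence check reports transaction 1004 as missing and 1005 as entered twice, the data selection flags the two payments just under the approval limit and the one with no approver, and the stratification shows where the value sits (three items carry most of the total). The sample selection is seeded so that the same items are drawn when the workpapers are re-performed, which is what makes the selection defensible as audit evidence.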
Audit Analysis and Reporting
Audit Documentation
Audit documentation includes:
Planning and preparation of the audit scope and objectives
Description of the scoped audit area
Audit program
Audit steps performed and evidence gathered
Other experts used
Audit findings, conclusions and recommendations
Automated Work Papers
Risk analysis
Audit programs
Results
Test evidence
Conclusions
Reports and other complementary information
Automated Work Papers cont.
Minimum controls:
Access to work papers
Audit trails
Automated features to provide and record approvals
Security and integrity controls
Backup and restoration
Encryption techniques
Evaluation of Audit Strengths and
Weaknesses
Assess evidence
Evaluate overall control structure
Evaluate control procedures
Assess control strengths and weaknesses
Communicating Audit Results
Exit interview:
Correct facts
Realistic recommendations
Implementation dates for agreed recommendations
Presentation techniques:
Executive summary
Visual presentation
Communicating Audit Results cont.
Audit report structure and contents:
Introduction to the report
Audit findings presented in separate sections
The IS auditor's overall conclusion and opinion
The IS auditor's reservations with respect to the audit (audit limitations)
Detailed audit findings and recommendations
Communicating Audit Results cont.
Audit recommendations may not be accepted
Negotiation
Conflict resolution
Explanation of results, findings and best practices or legal requirements
Ensure that accepted recommendations are implemented as