Professional Documents
Culture Documents
CISA, Certification
Certified Information Systems Auditor
1
Introduction
2
Certified Information Systems Auditor (CISA)
• Designed for personnel that will audit and review
information systems
• Provide assurance that systems are designed,
developed, implemented and maintained to support
business needs and objectives
• Tough but very good quality examination
• Requires understanding of the concepts behind
information systems audit – not just the definitions
3
• The CISA Exam is based on the CISA job practice
• The ISACA CISA Certification Committee oversees the
development of the exam and ensures the currency of its
content
• There are five content areas that the CISA candidate
is expected to know
4
CISA Qualifications
CISA Qualifications
To earn the CISA designation, information security professionals
are required to:
• Successfully pass the CISA exam
• Submit an Application for CISA certification
• Minimum of five years information systems auditing, control
or security work experience (waivers for education)
• Adhere to the ISACA Code of Professional Ethics
• Adherence to the CISA continuing education policy
• Compliance with Information Systems Auditing Standards
5
CISA Job Practice Areas
6
Description of the exam
7
Current Exam Job Practice Areas
8
Previous Content
9
Examination day
• Be on time!!
• Bring an acceptable form of original photo
identification (passport, photo id or drivers’ license).
• No notes or papers may be taken into the exam.
• Preliminary results will be provided immediately after
the exam
• Detailed results provided in ten days.
10
Complete the examination item
11
Domain 1
12
Exam relevance
13
Agenda
14
DOMAIN 1 EXAM CONTENT OUTLINE
Part A: Planning
1. IS Audit Standards, Guidelines and Codes of Ethics
2. Business Processes
3. Types of Controls
4. Risk-based Audit Planning
5. Types of Audits and Assessments
Part B: Execution
6. Audit Project Management
7. Sampling Methodology
8. Audit Evidence Collection Techniques
9. Data Analytics
10. Reporting and Communication Techniques
11. Quality Assurance and Improvement of the Audit Process
15
Learning Objectives
Within this domain, the IS auditor should be able to:
• Plan an audit to determine whether information systems are protected,
controlled, and provide value to the organization. (T1)
• Conduct an audit in accordance with IS audit standards and a risk-based
IS audit strategy. (T2)
• Communicate audit progress, findings, results and recommendations to
stakeholders. (T3)
• Conduct audit follow-up to evaluate whether risk has been sufficiently
addressed. (T4)
16
Learning Objectives continued
17
Why Audit?
18
What is Information Systems?
19
What is Information Systems Audit?
20
• The credibility of any IS audit activity is largely determined by
its adherence to commonly accepted standards.
21
Internal versus External Audit
• Internal
• Audit charter
• Authority, scope and responsibilities of the audit function
• External
• Formal contract and statement of work
• Both types of audit report to an audit committee or
highest level of management
22
The Audit Universe
23
Analysis of Issues
24
Effects of Laws on Audit Planning
25
Auditing Compliance with Laws & Regulations
26
IS Audit & Assurance Standards
27
Relationship between standards, guidelines & Tools & Techniques
• Standards
• Must be followed by IS auditors
• Guidelines
• Provide assistance on how to implement the standards
• Tools and Techniques
• Provide examples for implementing the standards
28
Types of Audit Standards & Guidelines
• Audit and Assurance standards and guidelines are divided into three
categories:
• General: Provide the guiding principles under which the IS assurance profession
operates
• Deal with an IS auditor’s ethics, independence, objectivity and due care as well as
knowledge, competency and skill.
• Performance: deal with conduct of the assignment such as planning,
supervision, materiality, professional judgment, etc.
• Reporting: types of reports, means of communications, and information communicated
29
General Standards
30
Performance Standards
31
Reporting Standards
• 1401 Reporting
• 1402 Follow-up Audits
32
ISACA IS Audit & Assurance Guidelines
33
ISACA Code of Ethics
35
ITAF
36
Business Process
• IS auditor must understand and be able to evaluate the business
processes
• Understanding business process is the first task to accomplish.
• A business process is an interrelated set of cross-functional activities or
events that result in the delivery of a specific product or service to a
customer.
• The business process should have OWNER who have high level authority.
37
IS Audit Function
• IS internal audit function should be established by an audit
charter approved by the board of directors
Audit Charter
• is a formal document that defines internal audit purpose,
authority, responsibility and position within an organization.
38
IS Audit Resource Management
39
Audit Planning
40
Individual Audit Assignments
49
Risk Analysis
50
Risk Definition
51
Risk Assessment
52
Risk Analysis Process
Identify
• Threats
• Vulnerabilities
• Probability of occurrence
• Magnitude of impact
53
Mitigation Controls
54
Cost Benefit Analysis
55
Acceptable Risk
• The goal of the risk management effort is to ensure that all risk is
at or below the level of risk acceptable to senior management
• Residual risk
56
Risk Reduction Methods
57
Risk Monitoring
58
Overview of Risk Management
59
NIST SP800-30 Risk Assessment Process
60
Internal Controls
61
Preventive Controls
• Restrict access
• Enforce separation of duties (prevent fraud)
62
Detective Controls
63
Corrective Controls
• Correct errors
• Prevent future occurrence of the problems
64
Control Objectives
• Effectiveness
• Efficiency
• Confidentiality
• Integrity
• Availability
• Compliance
• Reliability
65
Specific IS Control Objectives
• Safeguarding assets
• Ensuring SDLC processes are established
• Ensuring integrity of the Operating System (OS), including network
management and operations
66
Sensitive & Critical Applications
67
Auditing for Integrity
68
Auditing for Integrity Cont.…
69
COBIT 5 Principles
70
Governance
71
Management as Compared to Governance
72
General Controls
73
IS Specific Controls
74
Examples of IS Specific Controls
• Controls over:
• Strategy and direction of IT
• Systems development and change control
• Physical and logical access controls
• Networks and communications
• Database administration
• Protection against internal and external attacks
75
Performing an IS Audit
• Adequate planning
• Assess risk to general areas and systems being audited
• Develop audit program objectives
• Develop audit procedures to meet the audit program objectives
76
The Audit Process
• Gather evidence
• Evaluate strengths and weaknesses of controls
• Based on evidence gathered
• Prepare an audit report that presents audit issues (control
weaknesses with recommendations for remediation)
• Present report objectively to management
77
Audit Management
78
Performing an IS Audit- Project Management
79
Control Objectives-Definition
80
Audit Objectives
81
Review of Controls
82
Types of Audit
• The CISA should know the types of audits (may be conducted either
as internal or external audits.
• Compliance audit - test of controls to demonstrate adherence to
specific regulatory or industry standards (PCI-DSS)
• Financial audit – assess accuracy of financial reporting
• Operational audit – evaluate internal control structure e.g.,
application controls
83
Types of Audit Con…
84
Types of Audit Con…
85
Types of Audit Con…
86
Audit Methodology
87
Audit Phases
88
Audit Phases Con…
89
Audit Phases Con…
90
Audit Phases Con…
91
Audit Work Papers
92
Risk-Based Audit
93
Audit Risk & Materiality
• Audit risk is the risk that information may contain a material error
that goes undetected in the course of an audit
• Inherent risk – based on the nature of the business, is the risk
level without taking into account the controls in place
• Control risk – the risk that a material error exists that would not be
effectively detected or prevented by a control in a timely manner
94
Audit Risk & Materiality Con...
95
Materiality
96
Statistical Sampling Risk
97
Risk Assessment
98
Risk Treatment
99
Audit Program
100
Testing IS Controls
101
Fraud Detection
102
Compliance vs Substantive Testing
103
Degree of Testing
104
Audit Evidence
105
Collecting Evidence
106
Evidence Reliability
107
Gathering Evidence
• Review IS standards
• Review IS documentation
• Re-performance
• Walk-throughs
108
Interviewing & Observing personnel
• Identify:
• Actual functions
• Actual processes/procedures
• Security awareness
• Reporting relationships
• Observation drawbacks – behavior may change when a person
knows they are being observed
109
Sampling
110
General Approaches to Sampling
111
Sampling Risks
112
Attribute of Sampling
113
Variable Sampling
114
Sampling Terminology
• Confidence co-efficient
• Level of risk
• Precision
• Expected error rate
• Sample mean
116
Computer Assisted Audit Technique
117
Evaluation of the Control Environment
118
Communicating Audit Results
• Exit interview
• Ensure facts are correct
• Ensure recommendations are realistic
• Gain agreement on audit findings and recommendations
•Recommend implementation dates
•Develop a course of action
119
Presentation to the Management
• Executive summary
• Visual presentation
• Management should not hinder the delivery of audit results
120
Audit Report Structure & Contents
121
Findings
122
Audit Documentation
• Should include:
• Planning and preparation of the audit scope and objective
• Descriptions of the audit areas
• Audit program
• Audit steps and evidence gathered
• Use of services of other auditors or experts
• Audit findings, conclusions and recommendations
• Audit documentation- supports findings
123
Closing Findings
• Follow-up program
• Determine whether management has undertaken
• appropriate corrective action
• Timing based on criticality of findings
• Retest or review of controls
124
Control Self Assessment (CSA)
125
Disadvantage of CSA
• Seen as:
• Audit replacement
• Additional work
• Failure to act on suggestions leads to morale issues
• Failure to detect weak controls
126
Auditors Role in CSA
• Facilitator
• Guide
• Consult management
• Risk analysis
127
Continuous Monitoring and Auditing
128
Conclusion
Know
• Audit Planning
• Performing an Audit
• Risk as related to audit planning and performance
• Ongoing Audit techniques
• Ethics
129
Domain 2
130
Exam Relevance
131
Task Statements
• Reporting to management
• Monitoring of controls
132
Corporate Governance
133
Corporate Governance Con…
134
Governance of Enterprise IT (GEIT)
135
Two Goals of GEIT
136
Three Focus Areas of GEIT
• Resource Optimization
• Benefits Realization
• Risk Optimization
137
Drivers for GEIT
• Return on IT investment
138
GEIT Frameworks
• COBIT 5
• ISO/IEC 27001 ITIL®
• ISO/IEC 38500
• ISO/IEC 20000
139
Audit Role in GEIT
140
IT Governance Committees
141
IT Balanced Score Card
142
Effective Information Security Governance
• Consists of:
• Security strategy
• Security policies
• Set of standards for each policy
• Effective organisational security structure
•Void of conflicts of interest
• Institutionalised monitoring program
•Ensure compliance and feedback
143
Effective Governance
144
Information Security Standards Committee
145
Enterprise Architecture
• Enterprise architecture:
• Documenting IT assets in a structured manner
• Managing and planning for IT investments
• Framework for Enterprise Architecture (Zach man)
• Federal Enterprise Model (FEA)
• Performance reference model
• Business reference model
• Service component reference model
• Technical reference model
• Data reference model
146
Information Systems Strategy
• Strategic alignment
• Return on Investment (ROI)
• IT Steering Committee
• High level committee to ensure IT is in harmony with the business
goals and objectives
• Representatives from senior management, business units, HR,
finance, IT
147
Maturity & Process Improvement
148
Investment & Allocation Practice
149
Policies
150
Information Security Policy
151
Audit of Policies
152
Procedures
153
Risk Management Process
• Asset identification
• Evaluation of threats and vulnerabilities
• Evaluation of impact
• Calculation of risk
• Evaluation of response to risk
154
Risk Analysis Method
155
Information Technology Practice
156
Sourcing Practice
• Insourced
• Outsourced
• Hybrid
• Onsite
• Offsite
• Offshore
157
Outsourcing Considerations
158
Cloud
159
Essential Characteristics of the Cloud
1.On-demand self-service
2.Broad network access
3.Resource pooling
4.Rapid elasticity
5.Measured service
160
Outsourcing & Third Party Audit Reports
• SOC 1 – financial statements (note: this is incorrectly described in the ISACA manual)
• SOC 2 – detailed report on controls (usually used internally)
• SOC 3 – summary report on controls (usually used for external
distribution)
161
Monitoring & Review of Third Party Service
• Audit trails
• Resolve issues
• Change control process
162
Financial Management
Budgeting
•Short and long term planning
Control over costs
163
Quality Management
164
Performance Optimization
Accomplished through:
• Continuous improvement (Plan, Do, Check, Act)
• Best Practices (ITIL)
• Frameworks (COBIT)
165
Tools & Techniques for Performance Optimization
• Six Sigma
• IT BSC (Balanced Score Card)
• KPIs
• Benchmarking
166
IT Roles & Responsibilities
167
Separation/Segregation of Duties
168
Auditing IT Governance Structure & Implementation
169
Business Continuity Planning (BCP)
170
IT Business Continuity
171
Disruptive Events
• Natural events
• Pandemic
• Damage to reputation or brand
• Unanticipated/unforeseeable events (black swan events)
172
Business Continuity Planning Process
• Project Planning
• Risk Assessment
• BC Strategy Development
• BC Awareness Training
• BC Plan Testing
• BC Plan Monitoring, Maintenance and Updating
173
Incident Management
174
Business Impact Analysis (BIA)
175
Recovery Strategies
176
Development of BCP
177
Plan Testing
178
Types of Test
179
Plan Maintenance
180
Reviewing Alternative Processing Contract
181
Reviewing Insurance Coverage
182
Domain 3
Information Systems Acquisition, Development and
Implementation
183
Exam Relevance
184
Learning Objectives
Evaluate Business Case for IT investments
• Meets business objectives
Evaluate IT supplier selection and contract management
Evaluate project management framework
185
Quick Reference
186
Benefit Realization
187
Portfolio/Program Management
188
Portfolio/Program Management Con…
189
Business Case Development & Approval
• A business case:
• Provides the information required for an organization to decide
whether a project should proceed
• Is normally derived from a feasibility study as part of project
planning
• Should be of sufficient detail to describe the justification for
setting up and continuing a project
190
Benefit Realization Technique
191
General IT Project Aspects
192
Project Context & Environment
193
Project Organizational Forms
194
Project Communication
195
Project Objectives
196
Roles & Responsibilities of Groups & Individuals
• Senior management
• User management
• Project steering committee
• Project sponsor
• Systems development management
• Project manager
• Systems development project team
• User project team
• Security officer
• Quality assurance
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238