
THE CERTIFIED INFORMATION SYSTEMS AUDITOR PROGRAM
CANDIDATE’S GUIDE TO THE CISA EXAMINATION

TABLE OF CONTENTS

INTRODUCTION

BENEFITS OF BECOMING A CISA

THE CISA EXAMINATION

ADMINISTRATION OF THE EXAMINATION

GRADING THE EXAMINATION

TYPES OF QUESTIONS ON THE CISA EXAM

CISA EXAM TERMINOLOGY

APPLICATION FOR CERTIFICATION

REQUIREMENTS FOR MAINTAINING CERTIFICATION

REVOCATION OF CERTIFICATION

THE CODE OF PROFESSIONAL ETHICS

DESCRIPTION OF THE EXAM

THE CISA EXAMINATION AND COBIT

REFERENCE MATERIALS

LIST OF ACRONYMS

SAMPLE ADMISSION TICKET

SAMPLE ANSWER SHEET


INTRODUCTION

The Certified Information Systems Auditor™ (CISA®) Program was established in 1978 to:

• Develop and maintain a testing instrument that could be used to evaluate an individual's competency in conducting information systems audits.

• Provide a mechanism for motivating information systems auditors to maintain their competencies and monitoring the success of the maintenance programs.

• Aid top management in developing a sound information systems audit function by providing criteria for personnel selection and development.

BENEFITS OF BECOMING A CISA

Being recognized as a CISA brings with it a great number of professional and organizational benefits. Successful achievement demonstrates and attests to an individual's information systems audit expertise and indicates a desire to serve an organization with distinction. This expertise is extremely valuable given the changing nature of information technology and the need to employ certified professionals who are able to apply the most effective information systems audit, control and security practices, and who have an awareness of the unique requirements particular to information technology environments. Those who become CISAs join other recognized professionals worldwide who have earned this highly sought after professional designation.

Although certification may not be mandatory for you at this time, a growing number of organizations are recommending that employees become certified. In fact, in a recent benchmarking survey conducted by the Association, more than half of the individuals responded that it is their department policy to recognize individuals who obtain a professional certification. This included a monetary bonus, promotion within twelve months, or some other type of reward.

The CISA designation assures employers that their staff is able to apply state-of-the-art information systems audit, security and control practices and techniques and that these skills are maintained. For these reasons, many employers require the achievement of the CISA designation as a strong factor for employment and/or advanced promotion.

THE CISA EXAMINATION

Development of the Examination

The detailed Job Process and Content Areas (see Description of the Examination), developed by an experienced and representative panel of CISAs, should be viewed by candidates as a syllabus for the CISA examination. Although the outlines are intended to be reasonably comprehensive, candidates are encouraged to investigate additional tasks not specifically listed, but appropriate. In the review of these outlines, candidates should use discretion as to the depth of coverage and the amount of time to dedicate to any given area.

Description of the Examination

The Certification Board oversees the development of the Examination and ensures the currency of its content. Questions for the CISA examination are developed through a multi-tiered process designed to enhance the ultimate quality of the examination. Once the Certification Board approves the questions, they go into the item pool from which all CISA examination questions are taken.

The purpose of the examination is to evaluate a candidate’s knowledge and experience in conducting information systems audits. The examination consists of 200 multiple-choice questions, administered during a four-hour session. Candidates may take the exam in Chinese (Mandarin Traditional), Dutch, English, French, German, Hebrew, Italian, Japanese, Korean or Spanish. A proctor speaking the primary language used at each test site is available. If a candidate desires to take the examination in a language other than the primary language of the test site, the proctor may not be conversant in the language chosen. However, written instructions will be available in the language of the examination.


Studying for the CISA Exam

Passing the CISA Exam can be achieved through an organized plan of study. To assist individuals with the development of a successful study plan, ISACA provides several study aids and review courses to exam candidates. (Also see www.isaca.org/bk_cisa.htm for more details.)

• 2001 CISA Review Technical Information Manual is updated annually and this year has been completely redesigned to reflect the new CISA Practice Analysis (conducted every five years). This manual provides a comprehensive study guide to assist individuals in preparing for the CISA Exam. It includes a thorough explanation of the structure and content of the examination, tips on how to develop a study plan, examples of questions and coverage of technical matter outlined in the newly revised process and content areas of the exam. Also included are references to other helpful study material and a glossary of terms commonly found on the exam. This manual can be used as a stand-alone document for individual study or as a guide or reference for study groups.

• 2001 CISA Review Questions, Answers & Explanations Manual consists of the same 400 questions included in the 1998 CISA Review Questions, Answers & Explanations Manual (200 questions), the 1999 Supplement (100 questions) and the 2000 Supplement (100 questions), but reformatted in the new process and content areas. Questions are representative of question types that have appeared on the examination and include an explanation of the correct answers. Questions are sorted by the new CISA process and content areas and as a sample test. This publication is ideal for use with the 2001 CISA Review Technical Information Manual.

• CISA Review Questions, Answers & Explanations Manual 2001 Supplement is available and consists of 100 additional sample questions. This publication is ideal for use in conjunction with the 2001 CISA Review Technical Information Manual.

• CISA Review Questions, Answers & Explanations CD-ROM consists of the same 500 questions included in the 2001 CISA Review Questions, Answers & Explanations Manual and the 2001 Supplement. This product enables you to pull random sample exams and specify the number of questions or areas you wish to review. The software grades the exam and provides results broken down by area to help identify your specific strengths and weaknesses. Also included are Information Systems Control Journal articles referenced in this guide and in the 2001 CISA Review Technical Information Manual.

PLEASE NOTE: This product requires Windows 3.1 and above and a JavaScript 1.1-enabled browser, such as Netscape Communicator 4.05 or Internet Explorer 4.0 (ver 4.72) and above.

• CISA Review Courses through ISACA chapters. Exam candidates may wish to contact the ISACA chapter in their area to find out if a review course is being offered. These courses are often taught by current CISAs who review exam topics and share the secrets of success.

• CISA Review Course at North America CACS Conference. A two-day review course will be held as a pre-conference workshop to provide CISA candidates with a concentrated study program. (Conference dates: 29 April-5 May 2001, Orlando, Florida)

ADMINISTRATION OF THE EXAMINATION

Information Systems Audit and Control Association® (ISACA™) has contracted with an internationally recognized professional testing agency. This not-for-profit corporation engages in the development and administration of credentialing examinations for certification and licensing purposes. It assists ISACA in the construction, administration and scoring of the CISA Examination.

Admission Ticket

• Approximately two to three weeks prior to the CISA examination date candidates will receive an Admission Ticket (see Sample Admission Ticket). The Admission Ticket will indicate the date, registration time and location of the examination, the schedule of events for that day and the materials to take to the CISA examination. It is imperative that each candidate note the specific registration and examination time on the Admission Ticket. Due to local conditions, the registration and examination times may be different from those that have been indicated in this or other publications. The times shown on the Admission Ticket are to be used.


Be Prompt

• Registration will begin at the time indicated on your Admission Ticket at each center. All candidates must be registered and in the test center when the Chief Examiner begins reading the oral instructions. NO CANDIDATE WILL BE ADMITTED TO THE TEST CENTER ONCE THE CHIEF EXAMINER BEGINS READING THE ORAL INSTRUCTIONS. The next examination administration date is 8 June 2002.

Remember to Bring Your Admission Ticket

• Candidates can use their Admission Ticket only at the designated test center. Only those candidates with a valid Admission Ticket and an acceptable form of identification will be admitted. Examples of acceptable forms of identification include those with a photo (such as a passport or photo driver’s license) or other identification with a signature and such descriptive information as height, weight, and eye color (such as a non-photo driver’s license). To be admitted, a candidate must also present a valid Admission Ticket or equivalent, or an indication to the testing agency representative that admission should be granted.

Observe the Test Center's Rules

• Candidates will not be admitted to a testing room after the reading of the oral instructions has begun
• Candidates should bring several sharpened No. 2 or HB (soft lead) pencils, and a good eraser. Pencils and erasers will not be available at the test site
• Candidates are not allowed to bring reference materials or language dictionaries into the test center
• Candidates are not allowed to bring or use a calculator
• Scratch paper is not permitted. Candidates may use the margin of the pages, as needed
• Visitors are not permitted
• Candidates may be excused to leave the room by the proctor during the examination

Reasons for Dismissal

The proctor may dismiss a candidate for any of the following reasons:

• Admission to the test center is unauthorized
• Candidate creates a disturbance or gives or receives help
• Candidate attempts to remove test materials or notes from the examination room
• Candidate impersonates another candidate
• Candidate brings into the test center reference materials, language dictionaries, a calculator or other items that are not permitted

Be Careful in Completing the Answer Sheet

• An example of the multiple-choice Answer Sheet is included to familiarize candidates with its format. While many candidates have taken multiple-choice question exams, there are others who have never experienced a multiple-choice question exam.

• Before a candidate begins the exam, the exam center Chief Examiner will read aloud the instructions for entering identification information on the answer sheet. A candidate’s identification number as it appears on the admission ticket and all other requested information must be entered correctly or scores may be delayed or reported incorrectly.

• A candidate is instructed to read all instructions carefully and understand them before attempting to answer the questions. Candidates who skip over the directions or read them too quickly could miss important information and possibly lose credit.

• The examination consists of 200 multiple-choice questions. All answers are to be marked in the appropriate circle on the answer sheet. Candidates must be careful not to mark more than one answer per question or the wrong question. If an answer needs to be changed, a candidate is urged to erase the wrong answer fully before writing in the new one.

• Answer all questions. There are no penalties for incorrect answers. Grades are based solely on the number of questions answered correctly, so do not leave any questions blank.


• After completion, candidates are required to hand in their Answer Sheet and Test Booklet.

Budget Your Time

• The examination, which is four hours in length, allows for a little over one minute per question. Therefore, it is advisable that candidates pace themselves to complete the entire exam. Candidates must complete an average of 50 questions per hour.

• Candidates are urged to record their answers on the Answer Sheet. No additional time will be allowed after the examination time has elapsed to transfer or record answers should a candidate mark their answers in the question booklet.

Conduct Yourself Properly

• To protect the security of the examination and maintain the validity of the scores, you will be asked to sign the Answer Sheet.

• The ISACA Certification Board reserves the right to disqualify any candidate who is discovered engaging in any kind of misconduct, such as: giving or receiving help; using notes, papers, or other aids; attempting to take the examination for someone else; or removing test materials or notes from the testing room. The testing agency will provide the ISACA Certification Board with records regarding such irregularities for its review and to render a decision.

GRADING THE EXAMINATION

The CISA examination is scored using a method that utilizes a standard of performance established by a panel of content experts. The passing score is set as the average, over all questions, of the predicted probability that a minimally qualified candidate would answer each question correctly.

Because variations in difficulty exist from one exam to the next, the results of each exam are equated. Equating allows uniformity in the grading process, and the resultant scaled scores reflect a comparable level of proficiency regardless of when the exam was taken. This scaled passing score does not represent a specific raw score, or a percentage of questions answered correctly.

At the conclusion of each exam, test questions are reviewed. Questions identified as being ambiguous or having other flaws are either not used in the grading process or given multiple correct answer keys. Raw scores are then arithmetically converted to scaled scores. A scaled score of 75 or above represents a passing score for the entire exam.

Test scores are not available until approximately 10 weeks after the test date. The ISACA Certification Board will mail score reports to the candidates. To ensure the confidentiality of scores, test results will not be reported by telephone, fax or email.

Successful candidates will receive an Application for Certification as an Information Systems Auditor. For those candidates not passing the examination, the score report will contain a sub-score for each job domain. The sub-scores can be useful in identifying those areas in which the candidate may need further study before retaking the examination. Unsuccessful candidates should note that taking either a simple or weighted average of the sub-scores does not derive the total scaled score.

Candidates receiving a failing score on the examination may request a re-scoring of their answer sheet. This procedure ensures that no stray marks, multiple responses or other conditions interfered with computer scoring. Requests for hand scoring must be made in writing to the Certification Department within 12 months after the examination was administered. All requests must include the candidate’s name, examination identification number and mailing address. A fee of US $50 must accompany this request.

TYPES OF QUESTIONS ON THE CISA EXAM

CISA exam questions are developed with the intent of measuring and testing practical knowledge and the application of general concepts and standards. As previously mentioned, all questions are multiple choice and are designed for one best answer.

The candidate is cautioned to read each question carefully. Many times a CISA examination question will require the candidate to choose the appropriate answer that is MOST likely, LEAST likely, or BEST, or a candidate may be asked to choose an answer that is not related to the other answers, or different from the other answers. In every case the candidate is required to read the question carefully, eliminate known incorrect answers and then make the best choice possible. Knowing that these types of questions are asked and how to study to answer them will go a long way toward answering them correctly.


Every CISA question has a stem (question) and four options (answer choices). The candidate is asked to choose the correct or best answer from the options. The stem may be in the form of a question or incomplete statement. In some instances, a scenario or description problem may also be included. These questions normally include a description of a situation and require the candidate to answer two or more questions based on the information provided. The following are examples of the types of questions that have appeared on the exam. These questions are from the CISA Questions, Answers and Explanations Manual.

1. In a risk-based audit approach, an IS auditor is not only influenced by risk but also by:

A. the availability of CAATs.
B. management's representations.
C. organizational structure and job responsibilities.
D. the existence of internal and operational controls.

2. Which of the following encrypt/decrypt steps provides the GREATEST assurance in achieving confidentiality, message integrity, and non-repudiation by either sender or recipient?

A. The recipient uses his/her private key to decrypt the secret key.
B. The encrypted pre-hash code and the message are encrypted using a secret key.
C. The encrypted pre-hash code is derived mathematically from the message to be sent.
D. The recipient uses the sender's public key, verified with a certificate authority, to decrypt the pre-hash code.

3. A user connected to a LAN has introduced a newly released virus to the network while copying files from a floppy disk. Which of the following would be the MOST effective control in detecting the existence of the virus?

A. Scan of all floppy disks before use.
B. Virus monitor on the network file server.
C. Scheduled daily scan of all network drives.
D. Virus monitor on the user's personal computer.

4. A large chain of shops with electronic funds transfer (EFT) at point-of-sale devices has a central communications processor for connecting with the banking network. Which of the following is the BEST disaster recovery plan for the communications processor?

A. Offsite storage of daily backups.
B. Alternative standby processor onsite.
C. Installation of duplex communication links.
D. Alternative standby processor at another network node.

5. During which phase of a system development process would an IS auditor first consider application controls?

A. Construction
B. System design
C. Acceptance testing
D. Functional specification

For recommended answers and explanations to these questions and for additional study questions, please refer to ISACA's CISA Questions, Answers and Explanations Manuals.
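Question 2 above names the building blocks of a sign-then-encrypt envelope: a hash of the message (the "pre-hash code") signed with the sender's private key, the message and signature encrypted under a secret key, and that secret key encrypted with the recipient's public key, with the recipient reversing each step. The script below is an added illustration of that flow and is not part of this guide or of the ISACA manuals; it does not indicate which option is the keyed answer. To run with only the Python standard library it uses textbook RSA on fixed Mersenne primes and a SHA-256 keystream XOR as the secret-key cipher; both are constructed for illustration and are insecure for real use. The function names, the 96-byte field width, and the sample message are assumptions of this example.

```python
"""Sign-then-encrypt envelope walking through the steps named in exam
question 2.  Added example, not from the guide.  The RSA keys (fixed
Mersenne primes) and the XOR keystream cipher are toys: they show the
order of operations, not production cryptography."""
import hashlib
import secrets

E = 65537           # RSA public exponent
FIELD = 96          # bytes reserved for one RSA output (both moduli < 2**696)
HASH = hashlib.sha256

# Constructed key material: Mersenne primes so no prime generation is
# needed.  65537 divides none of p-1 or q-1, so the private exponent exists.
SENDER_PRIMES = ((1 << 127) - 1, (1 << 521) - 1)
RECIPIENT_PRIMES = ((1 << 607) - 1, (1 << 89) - 1)


def rsa_keypair(p, q):
    """Return (public, private) as (n, exponent) pairs; textbook RSA."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))
    return (n, E), (n, d)


def rsa_apply(key, value):
    """value ** exponent mod n.  Signing/decrypting uses the private key,
    verifying/encrypting the public key."""
    n, exp = key
    return pow(value, exp, n)


def keystream_xor(secret_key, data):
    """Toy secret-key cipher: XOR data with SHA-256(key || block counter).
    Symmetric, so the same call encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = HASH(secret_key + offset.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


def seal(message, sender_private, recipient_public):
    """Sender: hash the message, sign the hash with the sender's private
    key, encrypt message+signature under a fresh secret key, then encrypt
    that secret key with the recipient's public key."""
    digest = HASH(message).digest()                       # pre-hash code
    signature = rsa_apply(sender_private, int.from_bytes(digest, "big"))
    secret_key = secrets.token_bytes(32)                  # fresh session key
    body = (len(message).to_bytes(4, "big") + message
            + signature.to_bytes(FIELD, "big"))
    wrapped = rsa_apply(recipient_public, int.from_bytes(secret_key, "big"))
    return {"wrapped_key": wrapped.to_bytes(FIELD, "big"),
            "ciphertext": keystream_xor(secret_key, body)}


def open_envelope(envelope, recipient_private, sender_public):
    """Recipient: recover the secret key with the recipient's private key,
    decrypt, then check the signed hash with the sender's public key.
    Returns (message, verified)."""
    key_int = rsa_apply(recipient_private,
                        int.from_bytes(envelope["wrapped_key"], "big"))
    secret_key = key_int.to_bytes(32, "big")
    body = keystream_xor(secret_key, envelope["ciphertext"])
    mlen = int.from_bytes(body[:4], "big")
    message = body[4:4 + mlen]
    signature = int.from_bytes(body[4 + mlen:4 + mlen + FIELD], "big")
    recovered = rsa_apply(sender_public, signature)
    expected = int.from_bytes(HASH(message).digest(), "big")
    return message, recovered == expected


def demo(message=b"Transfer 100 to account 42"):
    """Round trip, then the same envelope with one ciphertext byte flipped:
    the flipped byte lands in the message, so the signed hash no longer
    matches and the recipient rejects it."""
    sender_pub, sender_priv = rsa_keypair(*SENDER_PRIMES)
    recip_pub, recip_priv = rsa_keypair(*RECIPIENT_PRIMES)
    envelope = seal(message, sender_priv, recip_pub)
    clean = open_envelope(envelope, recip_priv, sender_pub)

    tampered = bytearray(envelope["ciphertext"])
    tampered[4] ^= 0x01                  # byte 4 is the first message byte
    altered = open_envelope({"wrapped_key": envelope["wrapped_key"],
                             "ciphertext": bytes(tampered)},
                            recip_priv, sender_pub)
    return clean, altered


if __name__ == "__main__":
    (msg, ok), (bad_msg, bad_ok) = demo()
    print(msg, ok)
    print(bad_msg, bad_ok)
```

Each of the four exam options maps to one line of `seal` or `open_envelope`: the secret-key encryption gives confidentiality, the wrapped key ties that confidentiality to the recipient's private key, and the hash signed with the sender's private key is what gives integrity and non-repudiation once it is checked against the sender's public key. What the script cannot show is the certificate-authority step in option D; here the sender's public key is simply handed to the recipient in the clear.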

CISA EXAMINATION TERMINOLOGY

The CISA examination is offered in ten languages around the world. A list of the most frequently used technical terms in English, along with how they will appear on the exam in each other language offered, is available on ISACA's web site at http://www.isaca.org/examterm.htm.


APPLICATION FOR CERTIFICATION

Once a candidate passes the CISA Examination, he or she has five years to apply for Certification. A successful candidate must complete the Application for Certification as an Information Systems Auditor and have their work experience verified using the appropriate forms. Once certified, the new CISA will receive a CISA Continuing Education Policy. At the time of application an individual also acknowledges that ISACA reserves the right, but is not obligated, to publish or otherwise disclose their CISA status.

Requirements for Initial Certification

Certification is granted initially to individuals who have successfully completed the CISA Examination (see Grading the Examination) and meet the following work experience requirements:

A minimum of five years of professional information systems audit, control or security work experience is required for certification. Substitutions and waivers of such experience may be obtained as follows:

• A maximum of one year of information systems, operating or programming experience or one year of auditing experience can be substituted for one year of information systems auditing, control or security experience.

• An Associate’s or Bachelor’s degree (the equivalent of 60 to 120 completed college semester credit hours) can be substituted for one or two years, respectively, of information systems auditing, control or security experience.

• Each two years of experience as a full-time university instructor in a related field (e.g. computer science, accounting, information systems auditing) may be substituted for one year of information systems auditing, control or security experience.

Experience must have been gained within the 10-year period preceding the date of the Application for Certification as an Information Systems Auditor or within five years from the date of initially passing the examination. If the Application for Certification as an Information Systems Auditor is not submitted within five years from the passing date of the examination, retaking and passing the examination is required. All experience is verified independently with employers via a Verification of Work Experience form.

It is important to note that many individuals choose to take the CISA examination prior to meeting the experience requirements. This practice is acceptable and encouraged, although the CISA designation will not be awarded until all requirements are met.

REQUIREMENTS FOR MAINTAINING CERTIFICATION

The CISA Continuing Education Policy requires the attainment of continuing education hours over an annual and a three-year reporting period. CISAs must comply with the following requirements to retain certification:

• Attain and submit an annual minimum of twenty (20) continuing education hours
• Submit annual continuing education maintenance fees to ISACA Headquarters in full
• Attain and submit a minimum of one hundred and twenty (120) continuing education hours for a three-year reporting period
• Respond and submit required documentation of continuing education activities if selected for an annual audit
• Comply with ISACA’s Code of Professional Ethics

Failure to comply with these general requirements will result in the revocation of an individual’s CISA designation.

REVOCATION OF CERTIFICATION

The Certification Board may, at its discretion, after due and thorough consideration, revoke certification for any of the following reasons:

• Falsifying or deliberately failing to provide relevant information
• Intentionally misstating a material fact
• Engaging or assisting others in dishonest, unauthorized or inappropriate behavior at any time in connection with the CISA Examination or the certification process
• Violating any provision of the Code of Professional Ethics
• Failing to meet the Continuing Education Policy
• Failing to pay annual CISA maintenance fees

THE CODE OF PROFESSIONAL ETHICS

ISACA sets forth a Code of Professional Ethics to guide the professional and personal conduct of members of ISACA and/or holders of the CISA designation.

CISAs shall:

• Support the establishment of and compliance with appropriate standards, procedures, and controls for information systems
• Comply with Information Systems Auditing Standards as adopted by the Information Systems Audit and Control Foundation
• Serve in the interest of their employers, stockholders, clients and the general public in a diligent, loyal and honest manner, and shall not knowingly be a party to any illegal or improper activities
• Maintain the confidentiality of information obtained in the course of their duties. The information shall not be used for personal benefit nor released to inappropriate parties
• Perform their duties in an independent and objective manner, and shall avoid activities which threaten, or may appear to threaten, their independence
• Maintain competency in the interrelated fields of auditing and information systems through participation in professional development activities
• Use due care to obtain and document sufficient factual material on which to base conclusions and recommendations
• Inform the appropriate parties of the results of audit work performed
• Support the education of management, clients, and the general public to enhance their understanding of auditing and information systems
• Maintain high standards of conduct and character in both professional and personal activities


DESCRIPTION OF THE EXAMINATION

A year-long project to determine the tasks and knowledge required of today’s and tomorrow’s information systems audit professional was completed in April 2000. The resulting CISA Practice Analysis will serve as the blueprint for the CISA examination. The results of the new Practice Analysis indicated that there are both process and content components in a CISA’s job function. Accordingly, future exams will consist of one process area and six content areas that cover those tasks that would routinely be performed by a CISA. The process area, which existed in the prior CISA Practice Analysis, has been expanded to provide the CISA candidate with a more comprehensive description of the full IS audit process. It also recognizes the fact that CISAs are expected to be able to apply their knowledge of IS audit principles and practices to technical content areas. The following is a brief description of these areas, their definitions, and the approximate percentage of test questions allocated to each area.

Process-Based Area

The IS Audit Process (10%)
Conduct IS audits in accordance with generally accepted IS audit standards and guidelines to ensure that the organization’s information technology and business systems are adequately controlled, monitored, and assessed.

Content Areas

Management, Planning, and Organization of IS (11%)
Evaluate the strategy, policies, standards, procedures and related practices for the management, planning, and organization of IS.

Technical Infrastructure and Operational Practices (13%)
Evaluate the effectiveness and efficiency of the organization’s implementation and ongoing management of technical and operational infrastructure to ensure that they adequately support the organization’s business objectives.

Protection of Information Assets (25%)
Evaluate the logical, environmental, and IT infrastructure security to ensure that it satisfies the organization’s business requirements for safeguarding information assets against unauthorized use, disclosure, modification, damage, or loss.

Disaster Recovery and Business Continuity (10%)
Evaluate the process for developing and maintaining documented, communicated, and tested plans for continuity of business operations and IS processing in the event of a disruption.

Business Application System Development, Acquisition, Implementation, and Maintenance (16%)
Evaluate the methodology and processes by which the business application system development, acquisition, implementation, and maintenance are undertaken to ensure that they meet the organization’s business objectives.

Business Process Evaluation and Risk Management (15%)
Evaluate business systems and processes to ensure that risks are managed in accordance with the organization’s business objectives.


PROCESS AREA

The IS Audit Process

Conduct IS audits in accordance with generally accepted IS audit standards and guidelines to ensure that the organization’s information technology and business systems are adequately controlled, monitored, and assessed.

Tasks

Develop and/or implement a risk-based IS audit strategy and objectives, in compliance with generally accepted standards, to ensure that the organization’s information technology and business processes are adequately controlled, monitored, and assessed, and are aligned with the organization’s business objectives.

Plan specific audits to ensure that the IS audit strategy and objectives are achieved.

Obtain sufficient, reliable, relevant, and useful evidence to achieve the audit objectives.

Analyze information gathered to identify reportable conditions and reach conclusions.

Review the work performed to provide reasonable assurance that objectives have been achieved.

Communicate audit results to key stakeholders.

Facilitate the implementation of risk management and control practices within the organization.

Knowledge Statements

Knowledge of ISACA Standards and Guidelines for IS Auditing and Code of Professional Ethics

Knowledge of generally accepted auditing standards

Knowledge of current IS auditing practices and techniques

Knowledge of techniques to gather information (for example, observation, inquiry, interview, research, automated tools)

Knowledge of IS/IT developments, practices, and trends

Knowledge of control objectives and controls related to IS (for example, Control Objectives for Information and related Technology [COBIT®], Control Objectives for Net Centric Technology [CONeCT])

Knowledge of business sector direction, history, and markets

Knowledge of IS and business risk (for example, threats, impacts)

Knowledge of organization’s use of system platforms, IT infrastructure, and applications

Knowledge of project management techniques

Knowledge of risk analysis methods, principles, and criteria

Knowledge of strategy and planning processes (for example, organizational and audit planning)

Knowledge of communication techniques (for example, reporting, presentations, facilitation, negotiation, conflict resolution)

Knowledge of leadership techniques (for example, strategic planning, facilitation)

Knowledge of personnel management techniques (for example, staffing, training)

Knowledge of principles of quality management, financial management, and business management

Knowledge of governance framework principles


CONTENT AREA

Management, Planning, and Organization of IS

Evaluate the strategy, policies, standards, procedures and related practices for the management, planning, and organization of IS.

Tasks

Evaluate the IS strategy and the processes for its development, deployment, and maintenance to ensure that it supports the organization’s business objectives.

Evaluate the IS policies, standards, and procedures (for example, performance management, change management, project management, security policies) and the processes for their development, deployment, and maintenance to ensure that they support the IS strategy.

Evaluate IS management practices (for example, IS staffing practices, IS training practices, information security management) to ensure compliance with IS policies, standards, and procedures.

Evaluate IS organization and structure (for example, roles and responsibilities, segregation of duties) to ensure appropriate and adequate support of the organization’s business requirements in a controlled manner.

Evaluate the selection and management of third-party services to ensure that they support the IS strategy.

Knowledge Statements

Knowledge of the components of an IS strategy and an IS policy

Knowledge of leading practices in regard to IS strategy, policy, standards, and procedures

Knowledge of methods and approaches for the development, deployment, and maintenance of an IS strategy

Knowledge of IS project management practices

Knowledge of IS risk management practices

Knowledge of IS change management practices

Knowledge of IS quality management practices

Knowledge of IS information security management practices

Knowledge of IS business continuity management practices

Knowledge of IS problem management practices

Knowledge of IS performance management practices

Knowledge of IS economic performance practices

Knowledge of contracting processes and best contract management practices

Knowledge of roles and responsibilities of IS functions (for example, segregation of duties)

Knowledge of principles of IS organizational structure and design

Knowledge of key performance indicators and performance measurement techniques

Knowledge of relevant legislation and regulations (for example, privacy, intellectual property)

Knowledge of generally accepted international standards and guidelines in software quality management, engineering and process improvement


CONTENT AREA

Technical Infrastructure and Operational Practices

Evaluate the effectiveness and efficiency of the organization’s implementation and ongoing management of technical and operational infrastructure to ensure that they adequately support the organization’s business objectives.

Tasks

Evaluate the acquisition, installation, and maintenance of hardware to ensure that it efficiently and effectively supports the organization’s IS processing and business requirements and is compatible with the organization’s strategies.

Evaluate the development/acquisition, implementation, and maintenance of systems software and utilities (for example, operating system, database management systems, security packages) to ensure ongoing support of the organization’s IS processing and business requirements and compatibility with the organization’s strategies.

Evaluate the acquisition, installation, and maintenance of the network infrastructure (for example, voice and data communications, Internet, Extranet) to ensure efficient and effective support of the organization’s IS processing and business requirements.

Evaluate IS operational practices (for example, help desk, user support functions, computer operations, scheduling, configuration management, change management) to ensure efficient and effective utilization of the technical resources which are used to support the organization’s IS processing and business requirements.

Evaluate the use of system performance and monitoring processes, tools, and techniques (for example, capacity planning, problem management, system management) to ensure that computer systems continue to meet the organization’s business objectives.

Knowledge Statements

Knowledge of risks and controls related to hardware platforms, systems software and utilities, network infrastructure, and IS operational practices

Knowledge of systems performance and monitoring processes, tools, and techniques (for example, network analyzers, system error messages, system utilization reports)

Knowledge of the process of IT infrastructure acquisition, development, implementation, and maintenance

Knowledge of change control and configuration management principles for hardware and systems software

Knowledge of current standards and best practices related to management of the technical and operational infrastructure (for example, problem management/resource management procedures and processes, help desk, scheduling, service level agreements)

Knowledge of the functionality of systems software and utilities (for example, database management systems, security packages)

Knowledge of functionality of network components (for example, firewalls, routers, proxy servers, modems, terminal concentrators, hubs, network protocols, remote computing, message queuing)

Knowledge of Internet, Intranet, and Extranet functionality

Knowledge of network topologies (for example, star, token ring)

Knowledge of client/server concepts, principles, and risks (for example, middleware)


CONTENT AREA

Protection of Information Assets

Evaluate the logical, environmental, and IT infrastructure security to ensure that it satisfies the organization’s business requirements for safeguarding information assets against unauthorized use, disclosure, modification, damage, or loss.

Tasks

Evaluate the design, implementation, and monitoring of logical access controls to ensure the integrity, confidentiality, and availability of information assets (for example, programs, data).

Evaluate network infrastructure security to ensure integrity, confidentiality, availability and authorized use of the network and the information transmitted.

Evaluate the design, implementation, and monitoring of environmental controls (for example, fire suppression, uninterruptable power supply [UPS]) to prevent and/or minimize potential losses.

Evaluate the design, implementation, and monitoring of physical access controls to ensure that the level of protection for assets and facilities is sufficient to meet the organization’s business objectives.

Knowledge Statements

Knowledge of design, implementation, and monitoring of logical access controls

Knowledge of logical access control principles, tools and techniques

Knowledge of encryption techniques (for example, Data Encryption Standard [DES], RSA)

Knowledge of public key infrastructure (PKI) components (for example, certification authorities [CA], registration authorities)

Knowledge of digital signature techniques

Knowledge of physical security controls (for example, biometrics, card swipes)

Knowledge of network security concepts

Knowledge of techniques for identification, authentication, and restriction of users to authorized functions and data (for example, dynamic passwords, challenge/response, menus, profiles)

Knowledge of security architecture

Knowledge of security software (for example, features, limitations, vulnerabilities)

Knowledge of security assessment tools (for example, proprietary and public domain software used for automated assessment of vulnerabilities)

Knowledge of Internet technologies security (for example, secure sockets layer [SSL])

Knowledge of voice communications technology security

Knowledge of attack methods and techniques (for example, hacking, spoofing, Trojan horses, denial of service, spamming, fraud)

Knowledge of sources of information regarding threats, standards, evaluation criteria, and best practices in regard to information security

Knowledge of security monitoring, detection and escalation processes, tools, and techniques (for example, audit trails, intrusion detection, computer emergency response team [CERT])

Knowledge of viruses and detection, prevention, and response mechanisms


Knowledge of environmental controls (for example, fire extinguishers, cooling systems)

CONTENT AREA

Disaster Recovery and Business Continuity

Evaluate the process for developing and maintaining documented, communicated, and tested plans for continuity of business operations and IS processing in the event of a disruption.

Tasks

Evaluate the adequacy of backup and recovery provisions to ensure the resumption of normal information processing in the event of a short-term disruption and/or the need to rerun or restart a process.

Evaluate the organization’s ability to continue to provide information system processing capabilities in the event that the primary information processing facilities are not available (for example, disaster recovery).

Evaluate the organization’s ability to ensure business continuity in the event of a business disruption.

Knowledge Statements

Knowledge of business continuity planning and business impact analysis techniques

Knowledge of disaster recovery and business continuity techniques (for example, hot site, cold site, fail-safe network design, reciprocal agreements)

Knowledge of disaster recovery planning and business continuity processes

Knowledge of media backup and documentation backup procedures (for example, offsite storage, frequency)

Knowledge of testing concepts and methods for disaster recovery and business continuity

Knowledge of insurance in relation to business continuity and disaster recovery

Knowledge of human resource issues (for example, evacuation planning)


CONTENT AREA

Business Application System Development, Acquisition, Implementation, and Maintenance

Evaluate the methodology and processes by which the business application system development, acquisition, implementation, and maintenance are undertaken to ensure that they meet the organization’s business objectives.

Tasks

Evaluate the processes by which application systems are developed and implemented to ensure that they contribute to the attainment of the organization’s business objectives.

Evaluate the processes by which application systems are acquired and implemented to ensure that they contribute to the attainment of the organization’s business objectives.

Evaluate the processes by which application systems are maintained to ensure the continued support of the organization’s business objectives.

Knowledge Statements

Knowledge of system development methodologies and tools (for example, prototyping, rapid application development [RAD], system development life cycle [SDLC], estimation techniques, object-oriented design techniques)

Knowledge of documentation and charting methods (for example, flowcharting, entity-relationship [ER] diagrams, modeling)

Knowledge of application change control and implementation best practices

Knowledge of software quality assurance methods (for example, testing methodologies, tools, standards)

Knowledge of risks and controls associated with various application design and development practices (for example, three-tier client/server applications, object-oriented development, data warehousing)

Knowledge of testing concepts (for example, test plans, test data, test results)

Knowledge of design of business applications in terms of built-in controls, file structure, interfaces, control reports

Knowledge of structured system analysis and design

Knowledge of project management principles, techniques, practices, and standards (for example, Program Evaluation Review Technique/Critical Path Method [PERT/CPM], estimation techniques)

Knowledge of application systems acquisition processes (for example, evaluation of vendors, preparation of contracts, vendor management, escrow)

Knowledge of application maintenance principles (for example, versioning, release packaging, change controls)

Knowledge of programming concepts and techniques

Knowledge of system and data conversion tools, techniques, and procedures

Knowledge of emergency change management procedures

Knowledge of post-implementation review techniques


CONTENT AREA

Business Process Evaluation and Risk Management

Evaluate business systems and processes to ensure that risks are managed in accordance with the organization’s business objectives.

Tasks

Evaluate the efficiency and effectiveness of information systems in supporting business processes, through techniques such as benchmarking, best practice analysis, or business process reengineering (BPR), to ensure optimization of business results.

Evaluate the design and implementation of programmed (for example, automated) and manual controls to ensure that identified risks to business processes are at an acceptable level.

Evaluate business process change projects (for example, project culture, organization, management, financing) to ensure that they are properly organized, staffed, managed, and controlled.

Evaluate the organization’s implementation of risk management and governance.

Knowledge Statements

Knowledge of best practice business processes

Knowledge of e-Business application in business processes

Knowledge of business process controls (for example, management controls, automated controls, manual controls)

Knowledge of business process performance indicators (for example, indicators to ensure that business objectives are being met)

Knowledge of business project organization, management, and control practices

Knowledge of project progress monitoring and reporting mechanisms

Knowledge of methods of business process design, reengineering, and improvement

Knowledge of project success criteria and pitfalls

Knowledge of corporate risk and control frameworks


THE CISA EXAMINATION AND COBIT

COBIT, now in its third edition, is an initiative conducted by the IT Governance Institute in conjunction with the Information Systems Audit and Control Foundation™. COBIT has been developed as a generally applicable and accepted standard for good information technology security and control practices that provides a reference framework for management, users, and IS audit, control and security practitioners. COBIT is based on the Information Systems Audit and Control Foundation's Control Objectives, enhanced with existing and emerging international technical, professional, regulatory and industry-specific standards. The resulting Control Objectives have been developed for application to organization-wide information systems.

Although COBIT is not specifically tested on the CISA examination, the COBIT control objectives or processes do reflect the tasks identified in the CISA Practice Analysis. As such, a thorough review of COBIT is recommended for candidate preparation for the CISA examination. To focus a candidate’s attention on the specific COBIT processes that relate to CISA Practice Analysis tasks, the following table is provided as an aid to exam preparation.

CISA Practice Analysis Tasks

The IS Audit Process

Tasks and related COBIT processes

Develop and/or implement a risk-based IS audit strategy and objectives, in compliance with generally accepted standards, to ensure that the organization’s information technology and business processes are adequately controlled, monitored, and assessed, and are aligned with the organization’s business objectives.
COBIT processes: PO9, M3, M4

Plan specific audits to ensure that the IS audit strategy and objectives are achieved.
COBIT processes: M3, M4

Obtain sufficient, reliable, relevant, and useful evidence to achieve the audit objectives.
COBIT processes: M3, M4

Analyze information gathered to identify reportable conditions and reach conclusions.
COBIT processes: M3, M4

Review the work performed to provide reasonable assurance that objectives have been achieved.
COBIT processes: M3, M4

Communicate audit results to key stakeholders.
COBIT processes: M3, M4

Facilitate the implementation of risk management and control practices within the organization.
COBIT processes: PO9, M3, M4

Management, Planning, and Organization of IS

Tasks and related COBIT processes

Evaluate the IS strategy and the processes for its development, deployment, and maintenance to ensure that it supports the organization’s business objectives.
COBIT processes: PO1, PO5

Evaluate the IS policies, standards, and procedures and the processes for their development, deployment, and maintenance to ensure that they support the IS strategy.
COBIT processes: PO8, AI6, M1


Management, Planning, and Organization of IS (continued)

Evaluate IS management practices to ensure compliance with IS policies, standards, and procedures.
COBIT processes: PO6, PO7, PO10, PO11, DS6

Evaluate IS organization and structure to ensure appropriate and adequate support of the organization’s business requirements in a controlled manner.
COBIT processes: PO4

Evaluate the selection and management of third-party services to ensure that they support the IS strategy.
COBIT processes: DS2, PO5

Technical Infrastructure and Operational Practices

Tasks and related COBIT processes

Evaluate the acquisition, installation, and maintenance of hardware to ensure that it efficiently and effectively supports the organization’s IS processing and business requirements and is compatible with the organization’s strategies.
COBIT processes: PO2, PO3, AI1, AI3, DS8

Evaluate the development/acquisition, implementation, and maintenance of systems software and utilities to ensure ongoing support of the organization’s IS processing and business requirements and compatibility with the organization’s strategies.
COBIT processes: AI1, AI5, AI6, DS9

Evaluate the acquisition, installation, and maintenance of the network infrastructure to ensure efficient and effective support of the organization’s IS processing and business requirements.
COBIT processes: PO2, AI3, DS3, DS8, DS13

Evaluate IS operational practices to ensure efficient and effective utilization of the technical resources which are used to support the organization’s IS processing and business requirements.
COBIT processes: AI6, DS8, DS9, DS12, DS13

Evaluate the use of system performance and monitoring processes, tools, and techniques to ensure that computer systems continue to meet the organization’s business objectives.
COBIT processes: DS3, DS10, M1

Protection of Information Assets

Tasks and related COBIT processes

Evaluate the design, implementation, and monitoring of logical access controls to ensure the integrity, confidentiality, and availability of information assets.
COBIT processes: DS4, DS5, DS7, M1, M2

Evaluate network infrastructure security to ensure integrity, confidentiality, availability and authorized use of the network and the information transmitted.
COBIT processes: PO2, DS4, DS5

Evaluate the design, implementation, and monitoring of environmental controls to prevent and/or minimize potential losses.
COBIT processes: DS12, M1, M2

Evaluate the design, implementation, and monitoring of physical access controls to ensure that the level of protection for assets and facilities is sufficient to meet the organization’s business objectives.
COBIT processes: DS5, DS12, M1, M2


Disaster Recovery and Business Continuity

Tasks and related COBIT processes

Evaluate the adequacy of backup and recovery provisions to ensure the resumption of normal information processing in the event of a short-term disruption and/or the need to rerun or restart a process.
COBIT processes: PO2, DS4

Evaluate the organization’s ability to continue to provide information system processing capabilities in the event that the primary information processing facilities are not available.
COBIT processes: DS4, DS11, DS12, DS13

Evaluate the organization’s ability to ensure business continuity in the event of a business disruption.
COBIT processes: DS4

Business Application System Development, Acquisition, Implementation, and Maintenance

Tasks and related COBIT processes

Evaluate the processes by which application systems are developed and implemented to ensure that they contribute to the attainment of the organization’s business objectives.
COBIT processes: PO1, PO3, PO9, PO10, PO11, AI2

Evaluate the processes by which application systems are acquired and implemented to ensure that they contribute to the attainment of the organization’s business objectives.
COBIT processes: PO1, PO3, PO5, PO9, PO10, PO11, AI1, AI2, AI4, AI5

Evaluate the processes by which application systems are maintained to ensure the continued support of the organization’s business objectives.
COBIT processes: PO11, AI6

Business Process Evaluation and Risk Management

Tasks and related COBIT processes

Evaluate the efficiency and effectiveness of information systems in supporting business processes, through techniques such as benchmarking, best practice analysis, or business process reengineering (BPR), to ensure optimization of business results.
COBIT processes: PO11, M1

Evaluate the design and implementation of programmed and manual controls to ensure that identified risks to business processes are at an acceptable level.
COBIT processes: PO9, M1, M2

Evaluate business process change projects to ensure that they are properly organized, staffed, managed, and controlled.
COBIT processes: PO4, PO6, PO7, PO10, AI6, DS11

Evaluate the organization’s implementation of risk management and governance.
COBIT processes: PO9, DS7, M1


REFERENCE MATERIALS

American Institute of Certified Public Accountants (AICPA)
AICPA Accounting and Auditing Guide, American Institute of Certified Public Accountants

Auerbach Publishers
Information Technology Control and Audit, 1999, Frederick Gallegos, Daniel P. Manson and Sandra Allen-Senft
The Handbook of Information Security Management, 4th Edition, 2000, Micki Krause and Harold F. Tipton

British Standard Institution (BSI)
British Standard for Information Security Management, Information Security BS7799 c:cure (available for download at http://www.c-cure.org)

Canadian Institute of Chartered Accountants
Application of Computer Assisted Audit Techniques Using Microcomputers, 1994
Information Technology Control Guidelines, 3rd Edition, 1988

CRC Press
Investigating Computer-Related Crime, 1999, Peter Stephenson

Federal Financial Institutions Examination Council (FFIEC)
FFIEC Information Systems Examination Handbook, 1996

Gleim Publications, Inc.
Auditing & Systems: Exam Questions and Explanations, 9th Edition, 2000

Global Audit Publications
Fraud Detection: Using Data Analysis Techniques to Detect Fraud, 1999, David G. Coderre

Information Systems Audit and Control Association and Foundation
COBIT® Third Edition©, 2000
Standards and Guidelines for Information Systems Audit and Control Professionals, 2000
Digital Signatures - Security & Controls, 1999, Piper, Blake-Wilson, Mitchell
EDI: An Audit Approach, 1994, Rodger Jamieson
Stepping through the IS Audit. What to expect. How to prepare. 1999, Jennifer L. Bayuk

Information Systems Audit and Control Foundation and Deloitte & Touche
e-Commerce Security - A Global Status Report, 2000
e-Commerce Security - Enterprise Best Practices, 2000

Information Systems Audit and Control Association
IS Audit & Control Journal

Volume I, 1999 (out of print)
“Incident Management”, pages 12-13
“Internet Security”, pages 33-38
“All VANs Are Not Created Equal Regarding Internal Control”, pages 41-47

Volume II, 1999
“Business Continuity Planning and e-Business”, pages 15-16
“Moving in the Next Millennium: Systems Auditing Capability Development for Internal Auditing”, pages 39-42
“Top Technology Concerns for the Attest, Audit and Assurance Services Functions”, pages 46-48

Volume III, 1999
“A Third Way for Biometric Technology”, pages 16-18
“Successful Audits in New Situations”, pages 21-23


“Audit and Control of a Year 2000 Era E-mail System”, pages 25-27
“Investigating Pornography on an Organization’s Computers”, pages 45-49

Volume IV, 1999
“IS Auditing: The State of the Profession Going into the 21st Century”, pages 44-49
“How to Keep a Private Branch Exchange Safe”, pages 58-60
“New Assurance Service Opportunities for Information Systems Auditors”, pages 65-68

Volume V, 1999
“Childproofing the Technology”, pages 9-10
“E-Copyrights – A Light Approach to a Serious Subject”, pages 13-14
“Continuous Auditing and IT Developments”, pages 17-18
“Automating Reviews in a Distributed Computing Environment”, pages 24-25
“Online Monitoring of Software in LAN Environments”, pages 38-41

Volume VI, 1999 (out of print)
“Did Not”, pages 9-10
“Is your business c:cure?”, pages 23-26
“Opportunities in Electronic Commerce Assurance for Information Systems Auditors”, pages 34-39
“The Meaning of Best Practices and the Gathering of Evidence”, pages 41-45
“Strategies for Decentralized System Recovery”, pages 49-56

Volume 1, 2000
“Fishy Stories”, pages 9-10
“Are E-mails Boon or Bane for Organizations?”, pages 27-29
“Secure E-Business”, pages 32-37
“Intellectual Property and the Internet: Who Owns the Information?”, pages 41-45

Volume 2, 2000
“The Lingering Doubt”, pages 9-10
“Managed Risk, Enhanced Response”, pages 25-26
“Benefits of Year 2000 Work”, pages 28-30
“The IT Balanced Scorecard – A Roadmap to Effective Governance of a Shared Services IT Organization”, pages 31-38
“The Balanced Scorecard and IT Governance”, pages 40-43
“Enhancing IT Governance Through Enterprise Management Software Solutions”, pages 44-46

Volume 3, 2000
“HeFt”, pages 9-10
“Partnership for Critical Infrastructure Security”, pages 23-24
“Auditing and Business Controls: Coming of Age in the Healthcare Industry”, pages 44-48
“Defeating the Cyber Criminal: Defense Tactics for Denial of Service Attacks”, pages 49-51

Volume 4, 2000
“Of Wolves and Privacy”, pages 9-10
“IT Governance Roundtable – Sponsored by the IT Governance Institute”, pages 27-28
“Extracting Data from SAP”, pages 34-37
“How to Eliminate the Ten Most Critical Internet Security Threats”, pages 49-55

Volume 5, 2000
“Your IT Applications Inventory is all in Your Head – An Observation Related to IT Governance Tools”, page 21
“The Changing Role of IS Audit Among the Big Five US-Based Accounting Firms”, page 33
“The Impact of Higher Education and Professional Certification on the Careers of Information Systems and Non-Information Systems Auditors”, page 38
“What Recruiters and Staffing Agencies Say about Trends in IS Auditing”, page 43

Institute of Internal Auditing (IIA)


Systems Auditability and Control (SAC) Series

John Wiley and Sons, Inc.
Computer Security Handbook, 3rd Edition, Arthur E. Hutt, Seymour Bosworth & Douglas B. Hoyt
Disaster Recovery Planning For Computers and Communication Resources, 1996, Jon Toigo
E-Commerce Security - Weak Links, Best Defenses. Protecting your system from vulnerabilities in browsers, servers, secure protocols, and firewalls, 1998, Anup K. Ghosh
E-Mail Security: How To Keep Your Electronic Messages Private, 1995, Bruce Schneier
Network Auditing, A Control Assessment Approach, 1999, Gordon E. Smith
The Audit Committee Handbook, 3rd Edition, 1999, Louis Braiotta

O’Reilly and Associates
Building Internet Firewalls, 2nd Edition, 2000, Chapman and Zwicky
Web Security & Commerce. Risks, Technologies, and Strategies, 1997, Simson Garfinkel with Gene Spafford

Prentice Hall
Information Systems Control and Audit, 1999, Weber

Warren, Gorham & Lamont
Handbook of IT Auditing, 1999, Warren, Edelson and Parker, with 2001 Supplement
Practical IT Auditing, 1999, Hickman, with 2000 Supplement

NOTE: Publications in bold are stocked in the ISACA Bookstore.


LIST OF ACRONYMS

API	Application Programming Interface
ASCII	American Standard Code for Information Interchange
ATM	Automated Teller Machine
bit	Binary Digit
BPR	Business Process Re-engineering
CA	Certification Authority
CASE	Computer-aided System Engineering
CGI	Common Gateway Interface
CPM	Critical Path Method
CPU	Central Processing Unit
DASD	Direct Access Storage Device
DBA	Database Administrator
DBMS	Database Management System
DES	Data Encryption Standard
EDI	Electronic Data Interchange
EFT	Electronic Funds Transfer
EMRT	Emergency Response Time
FTP	File Transfer Protocol
HIPO	Hierarchy Input-Process-Output
HTML	HyperText Markup Language
ID	Identification
I/O	Input/Output
IP	Internet Protocol
IPL	Initial Program Load
IS	Information Systems
ISAM	Indexed Sequential Access Method
ISDN	Integrated Services Digital Network
ISO	International Organization for Standardization
ISP	Internet Service Provider
ITF	Integrated Test Facility
LAN	Local Area Network
MODEM	Modulator/Demodulator
OSI	Open Systems Interconnection
PBX	Private Branch Exchange
PC	Personal Computer/microcomputer
PCR	Program Change Request
PERT	Program Evaluation Review Technique
PIN	Personal Identification Number
PPP	Point-to-Point Protocol
QA	Quality Assurance
RAM	Random Access Memory
RAS	Remote Access Service
RFI	Request for Information
ROM	Read Only Memory
TCP	Transmission Control Protocol
TQM	Total Quality Management
UBE	Unsolicited Bulk Email
UPS	Uninterruptible Power Supply
VPN	Virtual Private Network
WAN	Wide Area Network
XML	Extensible Markup Language


SAMPLE ADMISSION TICKET

PROFESSIONAL EXAMINATION SERVICE

You are scheduled to take the INFORMATION SYSTEMS AUDIT AND CONTROL ASSOCIATION® (ISACA™) Certified Information Systems Auditor™ (CISA®) Examination on Saturday, 9 June 2001. Report no later than 8:00 a.m. on the morning of the examination to the test site listed below. The Chief Examiner will begin reading the instructions at 8:30 a.m.

NO CANDIDATE WILL BE ADMITTED TO THE TEST CENTER ONCE THE CHIEF EXAMINER BEGINS READING THE ORAL INSTRUCTIONS.

The timed portion of the examination is four (4) hours, from 9:00 a.m. to 1:00 p.m.

TEST SITE CODE #
Test Site Name
Street Address
City, State, Postal or Zip Code
Country

Your Identification Number is 0110….
You are scheduled for the ENGLISH language version of the exam.

YOU MUST bring this admission card, several sharpened No. 2 or HB pencils, an eraser, and an acceptable form of identification such as a driver's license or passport to the test site. Please retain this admission card for future reference.

If you have any questions, please contact ISACA at +1.847.253.1545, extension 471 or 474.

PROFESSIONAL EXAMINATION SERVICE
INFORMATION SYSTEMS AUDIT AND CONTROL ASSOCIATION (ISACA)

Test date: Saturday, 9 June 2001
CHANGE of NAME/ADDRESS/ID# FORM

Please print clearly any change or correction to your NAME, ADDRESS or ID# on this form and return this part of the form to your exam proctor when instructed to do so. DO NOT return this part of the form if there are no changes to be recorded.
