CISA review Manual 2007

Cisa_IT_Governance_part1_no4

2009-03-09T09:07:00.001-07:00

This is the continuation from part 3 of IT Governance in CISA. It furthers explain the structure requires for an effective IT governance from management.

Amazon.com Widgets

CISA IT Governance Part 1 no. 3

2008-10-28T06:57:00.000-07:00

This is a continuation from Part 2 . Where we again talk about IT Governance , the organization and how key personnel from an organization can make up and support the IT governance team. Watch the video for more details:

Amazon.com Widgets

CISA_IT_Governance_Part_2

2008-08-13T09:41:00.000-07:00

In this second part of IT Governance of the CISA preparation video :

We talk about how IT governance need to be aligned with Enterprise business goals so as to achieve IT Value to the business.

CIAA stands for confidentiality, Integrity , Avaliability and Authentication. And this is what IT governance should be looking out for in Business processes to increase value and maintain compliance & security at the same time

Tags: cisa cism cissp security iso27001

Amazon.com Widgets

CISA04_01_IT_Governance_Part_1

2008-05-18T22:50:00.000-07:00

In this video,

We are talking about how IT governance can bring value to business:

Click on video to learn more:

Tags: cisa cism cissp it security certification

Amazon.com Widgets

Cisa Audit Process_Part2_no3_Last

2008-05-03T01:36:00.000-07:00

hi Friends,

In the last video we talked about using CAATS (Computer Assisted Auditing Tools)to automate audit process. We have CISCO security device manager, Microsoft Baseline Security Analyser & Great Plains software. We will further looked into other auditing methodologies in this video , so click to view:

Tags: cisa cism cissp it security

Amazon.com Widgets

Tips for Passing The CISA exam

2008-04-20T07:46:00.001-07:00

EFFECTIVE APPROACH FOR SUCCESS IN CISA EXAM
Jay , ISACA CISA Certified
Objective of CISA Exam
CISA Exam consists of 200 questions from 7 domains as detailed in the Candidates Guide to the CISA Exam. The CISA Exam tests minimum level of competence for conducting Information Systems Audit.
Understanding of IT
CISA Candidates are expected to have working knowledge of Information Technology. The basic understanding of Information Technology should cover key concepts of various components of Information Technology in their practical deployment. The IT knowledge should encompass overall understanding of IT Infrastructure, IT Facilities, various types of Computer hardware, Systems Software (Operating System, Database, Networking, Multimedia, etc), Business Application software, Office Automation Software and Audit Software. Further, candidates are expected to know concepts and practice of Management as relevant to IT deployment in enterprises.
CRM – only theoretical training
The CISA Review Technical Information Manual (CRM) is not meant for teaching the fundamental concepts of Information Technology. However, IT components are explained only to the extent required. The candidates guide to CISA exam provides the broad range of topics covered and CRM provides the details of concepts of practice of IS Audit as per IS Auditors’ Tasks and Knowledge requirements. Candidates are advised to use the CRM as the basic guide for learning and use additional material as required based on their assessment of gaps and individual competency areas.
IT – Practical Training
Candidates who are not well conversant with IT are advised to do a practical course on IT covering hardware, systems software, office automation, business applications and audit software.
Getting CISA Perspective – practical approach
The overall understanding of a CISA candidate is expected to cover the related domains as per the objectives, tasks and knowledge statements given in the Candidates Guide to CISA Exam. Primarily it encompasses three major disciplines - Information Technology, Management and Auditing. The CISA candidates may follow the following approach for getting the perspective of a CISA:
• Obtain overall understanding of Information Technology – concepts and practice
• Understand the Risks of deployment of relevant IT Component
• Know the features and functionalities of Security and controls of IT Component
• Understand how controls could be implemented using the security features and functionalities so as to mitigate the risks in the relevant IT Component
• Learn how to identify the risks, review the related security, evaluate the implemented controls and identify areas of weaknesses.

Conceptual Clarity
CISA Candidates need to have conceptual clarity in the following key areas:
The inherent risks of Implementing Information Technology
Appropriate risk management strategy for mitigating these risks.
Security and controls, which need to be implanted for, risk mitigation.
Practical Tips for CISA Exam
Exam details

1. The exam is objective (multiple-choice). The answer is available in the choices. Hence, the approach to studies should not be from the perspective of remembering but more from perspective of understanding.

2. The CISA Exam Questions could be broadly categorized into 2 categories:
• Based on Facts – technology, auditing standards
• Based on Analysis – context and decision oriented

3. There are 200 questions to be answered in four hours. This would mean that approx. 70 seconds per question. Some of the questions may be answerable within 30 seconds and some may take more time. Further, in some cases, if you get lost in too much thinking, you may lose track of time and may not have time to answer all questions. Hence, it is essential to manage based on a slot of one hour or for a block of 50 questions. Depending on the progress, you can increase or decrease the pace as required.

4. As there is no negative marking, you must answer all questions. Even in case of questions, where you are not sure of right answer, you may guess intelligently.

5. Do not attempt to read through the question paper fully. You may lose time and may not have time to answer all the questions. The ideal method is to take up one question at a time and answer them one by one.

6. You may decide on which order you want to answer the questions. Some tend to start from question no. 50 or 100 as it gives them confidence they are progressing and come back. However, the ideal approach is to answer sequentially one at a time.

7. There may be questions for which you may not be able to strike the right answer straight away. You may skip, but mark it in the questions paper so that it is identifiable and come back to it later. However, the best approach is to take a DECISION and answer it then and there. You may not have time to come back to the question again. Further, there may always be lurking feeling that you have
left some questions unanswered. This will be at the back of your mind always. However, if you do have to change, please ensure that you erase the previous answer carefully and fully.

8. Please do not think of coming back to the answers for corrections later on. You may change if and only if you are additional insights or data, which necessitates that your previous answer was incorrect.

9. If you have to modify your answers for any reason, please ensure that you erase the previous choice properly so that there is no trace of marking else it may be construed as multiple marking and your answer ignored for valuation.

10. You need to compartmentalize your mind and take one question at a time. Think and decide on the right answer. Once you have answered, forget it and go ahead and tackle the next one and so on. Don’t carry your doubts of the previous question to the next.

11. You may mark the answers in your question paper and transfer it periodically or mark your answer for every question directly in the answer sheet.

12. Get the fundamentals very clearly. Read the IS Auditing standards and guidelines and COBIT Control objectives to get the thinking of an IS Auditor. Put on the cap of the global IS Auditor. Don’t bring in your personal experience and answer questions from your past data unless it is in line with ISACA’s thinking. The questions will not be technology specific or industry specific. Hence, don’t think what is practiced in your technology platform or industry as the most relevant or applicable. It may not be.

13. Take one question at a time. Read it fully and carefully. Identify the stem, the key concept that is being tested. Underline the core concept, which is being tested. Read all the choices even if you have think you have the right answer in the first or second or third choice.

14. You may encounter some questions, which are familiar to you, which you have answered in the CISA review manual or in the test questions. Don’t be prejudiced by your past answers. Read the question fully, understand it, and look at the choices and then answer. It may be possible that the questions may have been rephrased or re-worded and may have a different answer to what you have seen in the tests or the choices may be re-arranged or rephrased.

15. In the choices, when there are two choices which are similar. Pick the one which is more macro and bigger in nature. Remember the context of the situation as given in the question and the available choices have to be considered to arrive at the best choice.

16. For choosing the right answer, you may be able to identify the right answer straight away. You may also adapt the process of elimination by ruling out the apparently incorrect choices one by one so as to narrow down your choices and pick up the right choice.

17. Every question will have one of the choices framed as a distracter. The distracter may attract those with incomplete knowledge or attempting to answer the question with just common sense. It is essential to be able to eliminate the distracter.

18. You may need probably of all of four hours to answer 200 questions. Hence, it is essential that you practice sitting at one place and practicing answering the mock tests so that you get practice of sitting for four to five hours at a stretch.
19. Your concentration level may come down after an hour or so. It is important that you have a little break by having a sip of water and looking away from the question paper and get back your concentration before you start answering again. Take a few deep breaths, stretch yourself if required and then get back to the task. Consistent concentration is important.

20. If you have any medical problems, which hinder your sitting for long stretch of time, or you need regular medication, inform the proctor in advance and take necessary precaution.

21. Don’t stress yourself physically before or during the exam. You need to be fully relaxed so as to have maximum concentration. Avoid last minute reading and late night reading before the exam day. It may not really help.

22. The Questions and choices are straightforward and simple. They are meant for testing your understanding of concepts and practice of IS Audit. They are not meant to test your grammar or proficiency in English. Hence, do not try to analyse the question and answers too much. Don’t try to read between the lines and find hidden meaning. There may not be any.

23. The pass % is normally about 55% globally and varies from centre to centre. However, passing the exam is primarily dependent on your ability to concentrate during your exams and picking up the right choice. Our Analysis reveals that most of the students who fail tend to get around 70% which means that another 5 to 10 questions answered correctly would have got them through. Hence, it is very important that you are able to devote proper time for each of the question and concentrate throughout the exam.

24. The exam consists of one paper, which has all 200 questions. The questions are not in a particular order of domains or chapters but are usually mixed up at random. It is not worthwhile trying to figure out to which domain a questions belongs. What is most important is how well you are able to answer the questions in the exam.

25. Practice the questions and get the reasoning and choice correctly. Remember, the exam is not expected to test your memory but your understanding. Hence, there is no need to cram any definitions or concepts except the most fundamental ones and that too for understanding.

26. Don’t sit up late day before the exam trying to read and catch up on lost time. Remember, the principle of farming, you need to sow in time and take care on
regular basis so as to reap in time. Last minute preparations may result in lack of concentration on the exam day.

27. The questions are not directly picked up from any text book or reading material but are prepared by Practicing CISAs and are aimed to test your understanding of the concepts and practice of IS Audit.
28. Practice, practice and practice questions available with you. But remember the standard of the questions in the exam is much higher than what you have practiced. Be mentally prepared. If you have conceptual clarity and apply your thinking as an IS Auditor, you should be able to pick up the right answer.

29. The exam is based on percentile. The lowest score among all the candidates is converted to 25 percentile and the highest score is converted to 99 percentile. Your raw score is then converted accordingly to a percentile. Hence, depending on the overall performance of the candidates, the number of questions you have to get right to get 75 percentile is dependent on overall performance of all the candidates. However, it is preferable not to worry too much about the percentile but focus on getting the maximum questions right.

30. Ensure that you are marking the answers exactly. Cross-check regularly to ensure this. You have to be extra careful if have skipped any questions to be answered later. It is important to ensure that you skip marking the answers for that question. You may use a ruler for ensuring you are marking the required choice for the appropriate question.

31. As part of preparation, do discuss the questions and answers with an open mind. If you are auditor, get the technology perspective and if you are from IT, get the Audit perspective. Remember as an IS Auditor, you are expected to be auditing Technology as deployed in the organization.

32. The key ideas to be remembered as an IS Auditor are IS Risks, IS Security, IS Control and IS Audit. You need to be well versed with these concepts. The questions may require you to grade the risks in terms of highest or lowest. In terms of security and controls, you may be required to pick up the best or least effective controls in the context of the question. An IS Audit question may require your judgement in terms of concepts, practical procedures or risk ranking or presenting the findings to the management. There may be few questions, which tests your understanding of core technology. For example, encryption, EDI, Internet Security, Telecommunications control, etc.

33. Familiarize yourself with the test. Know the tasks, knowledge and scope of the subject, the type of questions and proposed answers.

34. The Exam is not Technology or platform specific. Hence, do not get too engrossed with technology details and reading of technology.

35. Make a time plan of what you need to read and prioritize. Deal with unread materials concisely. Formulate a reading strategy in advance with a time table and study plan.

36. Form a small study group or e-group for studies and discussions. Review your preparation actively alone and also with group on a regular basis. Review and discuss with group your logic and reasoning and get other perspective also.

37. Prepare yourself emotionally and physically to take the exam.

38. Take your family and friends into confidence so that you are able to sacrifice your social commitments and focus on the exam.

39. Motivation is an important aspect of preparation for the exam. Motivation will help you concentrate and be focused on the task on hand. Self Motivation is the best motivation. Remember, you are taking a prestigious and global recognized exam, which will make a significant difference to your career, earnings and your self-esteem.

40. Visualize receiving the Congratulations letter from ISACA and CISA Certification. See yourself being congratulated by your peers and colleagues.
Exam Venue
41. Visit the venue in advance before the exam and know the route, parking facility and exact place of exam. Reach the exam half an hour before the scheduled time so that you are not running to the venue in a hurry. Do come to the exam to the venue before time and use the time for relaxing.

42. Carry your identification cards, admission tickets, 3-4 pencils sharpened, 2-3 erasers, water bottle. Don’t carry any books. You may not get time to read and it may not be worthwhile trying to read in the last minute. Remember the questions don’t test your memory but are more a test of your judgemental ability as an IS Auditor.

43. The admission ticket is expected to be received by the candidate 2-3 weeks before the exam. It is sent both by email and by post. You can bring printout of email copy to the exam if you don’t receive the hard copy by post. However, if you don’t receive hard copy also, you may contact the chapter office to confirm your name is in the candidates list. The chapter gets a copy of all the candidates writing exam from the test centre. They are authorized to identify candidates who have not received the admission ticket. Hence, please don’t panic if you don’t receive the admission ticket but contact the chapter president or CISA Coordinator of your test centre who would have the complete list of candidates taking the exam from that test centre.

44. The proctor will start reading instructions of the exam 30 minutes before the exam time. You are expected to be in the hall before proctor commences reading the instructions. Proctor may not allow you inside once he starts reading the instructions.

45. The instructions relate to signing of forms and filling up your registration particulars. Clarify your doubts about any procedures you have. Follow the proctor’s instructions carefully and write down the details as per instructions. You
can use pen or pencil for writing the registration no. and other details. However, answers are to be marked only in pencil.

46. The proctor will not answer any questions pertaining to the questions or answers.

47. You can go out of the exam hall for answering nature’s call with permission of proctor. You have to hand over your questions and answer paper before going out of the hall and collect it back on arrival.

48. No additional papers or sheets will be provided. You may use the question papers or its back side for making any rough notes. It is advisable not to make any notes or marking on the answer sheet except for marking the circles for the right choice.

49. The CISA Exam is a closed Exam which means neither the question paper or answer papers are released. You are not expected to discuss the questions or answers with anyone.

50. After completing the exam, leave the venue silently. Don’t discuss your answers with the other candidates to confirm the answers. You may only get confused.

Disclaimer:
We are glad that you read through these tips. While hoping they would be useful to you in passing the CISA Exam, please note that we do not provide any assurance of your success. We don’t claim that all the tips would be relevant and useful. However, you may pick up whatever you deem useful. Your success in the CISA Exam depends on YOU – your preparation and your performance on the exam day. Your success also depends on the overall performance of all the Candidates. You may consider the above as friendly tips from those who have written and passed the CISA Exam themselves and who have interacted with CISA Exam candidates since last five years.
Wish you Success in the CISA Exam.
Author can be contacted at Jay , certexpert2428@gmail.com

Amazon.com Widgets

Cisa Audit process part 2 no 3

2008-04-13T09:30:00.001-07:00

Cisa Audit process part2_no3. It covers CAAT, computer assisted auditing techniques.

Tags: cisa cism cissp audit compliance security

Amazon.com Widgets

CISA Audit Process Part2_02

2008-03-14T18:15:00.000-07:00

hi Friends continuation of CISA Audit Process Part2 from 01. Enjoy :-)

Tags: cisa cism audit security compliance

If you like this blog and would like to contribute by donating some
money to support this blog click below:

Cisa Audit Process Part 2_01

2008-03-14T07:41:00.000-07:00

This is the video for CISA Audit Process Part 2 part 1 . Hope you can learn something from this

Tags: cisa cism security cissp audit controls

If you like this blog and would like to contribute by donating some
money to support this blog click below:

CISA Audit Process Part 1 last video

2008-02-16T07:41:00.000-08:00

hi Friends,

This is the last video on the CISA audit process part 1. Enjoy!! Next video we will go on to IS audit process part 2.

Tags: cisa cism certification it risk security compliance

CISA audit Process part 1 second last video

2008-02-14T19:14:00.000-08:00

hi friends,

The second last video clip on the audit process part 1 exam topic for CISA exam:
Enjoy

Tags: cisa cism compliance audit security risk iso27001

The CISA Prep Guide Mastering the Certified Information Systems Auditor Exam (CD-ROM)

The CISA Prep Guide Mastering the Certified Information Systems Auditor Exam The first commercially available book to offer CISA study material The CISA certification is a prerequisite for many audit and security job postings in the marketplace today. Becom-ing certified takes years of experience and exposure to information systems and risk and control techniques. In this book, John Kramer refers to his own experiences as an auditor and an audit manager to offer you some unique insight to passing the CISA exam, performing IS audits, and audit management, as well as teaching entry-level IS auditors. This firsthand knowledge of what works and what information is most relevant to the professional IS auditor prepares you to study for and pass the CISA exam and perform IS audits with confidence. Organized according to the examination content areas that are currently defined for preparation and study for the CISA examination, each chapter includes sample test questions found on the CISA examination. In addition to valuable reference material and glossaries of terms, this book covers The IS audit process (ten percent of test content) Management, planning, and organization of information systems (eleven percent of test content) Technical infrastructure and operational practices (thirteen percent of test content) Protection of information assets (twenty-five percent of test content) Disaster, recovery, and business continuity (ten percent of test content) Business application system development, acquisition, implementation, and maintenance (sixteen percent of test content) Business process evaluation and risk management (fifteen percent of test content) Test yourself using the interactive CD-ROM This CD-ROM includes the Wiley test engine powered by top-rated Boson software, which allows you to test yourself using practice exams that are randomly generated from the questions in the book. This title is a revision guide to the examinations for the globally respected CISA certificate. It offers CISA study materials, provides definitions and background on the seven content areas of CISA, and includes many sample test questions and explanations of answers. This is the first commercially available book to offer CISA study materials The consulting editor, Ronald Krutz, is the co-author of The CISSP Prep Guide (0-471-26802-X) Provides definitions and background on the seven content areas of CISA Includes many sample test questions and explanations of answers More than 10,000 people registered for the CISA exam in 2002 CD-ROM contains annual updates to the exam so the book remains current for a number of years Introduction. Chapter 1. The Information System Audit Process. Chapter 2. Management, Planning, and Organization of Information Systems. Chapter 3. Technical Infrastructure and Operational Practices. Chapter 4. Protection of Information Assets. Chapter 5. Disaster Recovery and Business Continuity. Chapter 6. Business Application Systems Develop

CISA Audit Process Continued -002-02_p1

2008-01-24T05:47:00.001-08:00

This is a continuation of the previous videos which touches on controls , risks analysis and detailed audit process based on standards by ISACA. Enjoy!!!

Tags: cisa compliance audit risk certification security

CISA Exam Cram (2nd Edition) (Perfect)

CISA Exam Cram (2nd Edition) Michael Gregg is founder and president of Superior Solutions, Inc., a Houston-based IT security consulting and auditing firm. The CISA Exam Prep provides you with the markets most comprehensive and current material for passing the new CISA certification exam. Exam Preps best-selling study methods feature chapter review questions, practice exams, exam alerts, notes, tips, and cautions. Youll also have exclusive access to online test questions, which help you assess your understanding of the material before you take your exam. The CISA Exam Cram, Second Edition provides you with the newest material for passing the CISA certification exam. Exam Cram offers readers an innovative approach to study with a video introduction to the exam and strategies for doing well on the exam. Key features of the book includenbspthe cram sheet tearcard and the chapter-ending questions cover all exam objectives. Other tools, including practice exams, exam alerts, notes, tips, and cautions, help you successfully prepare for this exam. The CISA Exam Prep provides readers with comprehensive coverage of the2006 CISA certification exam objectives. Focused specifically on the material readers must know to score high ontheir CISA exams, this bookfeaturesreview questions at the end of each chapter,practice exams, exam alerts, important notes, and handy study tips. The book also features exclusive access to online practice questions, so readers canassess their strengths and weaknessesbefore theytake their exams.Topic Information The Sarbanes-Oxley Act of 2002 elevated systems auditing to a legal requirement for publicly traded companies and many privately held companies are following suit due to increased security risks. The exam is a test of auditing concepts to be used as guidance for systems auditors andmajor changes were incorporated into the 2006 exam.The CISA Exam Prep provides the most comprehensive, accurate, and current coverage ofthese exam objectives. The CISAis now offeredtwice a year, every June and December, in 200 locations worldwide. Since its inception, approximately 45,000 IS auditors, accountants, security practitioners and other leaders in IT governance and assurance from around the world have earned the CISA designation. Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . .1 nbsp How This Book Helps You . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 About the CISA Exam . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 CISA Exam Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 How to Prepare for the Exam . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 Additional Exam-Preparation Resources . . . . . . . . . . . . . . . . . . . . . . . . . .

CISA Audit Process part 1 continued - p2 -2

2008-01-24T00:18:00.000-08:00

This is a continuation of part 1 on CISA'S audit process , enjoy!!

Certified Information Systems Auditor - Recap

2008-01-19T22:14:00.000-08:00

In this recap section, we will look at the audit process area again.
Topics like detection controls, correction controls & Preventive controls etc.

See the video for recap

Tags: cisa cism itsecurity compliance audit iso27001

CISA Exam Cram (2nd Edition) (Paperback (Trade Paper))

CISA Audit Process #16

2007-07-10T06:25:00.000-07:00

CISA Audit Process #16

The first step in a risk-based audit approach is to gather information about the business and industry to evaluate the inherent risks. After completing the assessment of the inherent risks, the next step is to complete an assessment of the internal control structure. The controls are then tested and, on the basis of the test results, substantive tests are carried out and assessed.

Related Tags: Risk Assesment, ISO 27001, SOX, IT Compliance, IT Audit, IT risk assesment, Audit, Operational Audit, Process Audit

CISA Audit Process#15

2007-07-10T05:56:00.000-07:00

CISA Audit Process #15

The ISACA IS Auditing Guideline G15 on planning the IS audit states, "An assessment of risk should be made to provide reasonable assurance that material items will be adequately covered during the audit work. This assessment should identify areas with a relatively high risk of the existence of material problems." Definite assurance that material items will be covered during the audit work is an impractical proposition. Reasonable assurance that all items will be covered during the audit work is not the correct answer, as material items need to be covered, not all items.

Related Tags: CISA, CISM, CISSP, SOX, IT Compliance, ISO 27001

CISA Audit Process #14

2007-07-09T08:38:00.000-07:00

Calculation of a Business Risk - Risky Analysis

Overall business risk for a particular threat can be expressed as:

a product of the probability and magnitude of the impact if a threat successfully exploits a vulnerability.

For example: If you lose some strictly confidential documents which consists of pricing and patent information of new products that your company is going to launch, what is the impact if it falls under the hands of competitors & further more the documents have not been encrypted.

Impact = 10 (high impact)
Probabaility = 0.9( very likely)

Therefore the risk factor is 10 * 0.9 = 9 (very high risk factor)

Related Tags: IT security, Risk, Risk Analysis, Impact Analysis, Risk Factor, Compliance, ISO 27001, SOX

CISA Audit Process #13

2007-06-29T22:25:00.000-07:00

Data Flow Diagrams

Data flow diagrams are used as aids to graph or chart data flow and storage. They trace the data from its origination to destination, highlighting the paths and storage of data. They do not order data in any hierarchy. The flow of the data will not necessarily match any hierarchy or data generation order.

An IT auditor will always need some data flow diagrams from his auditee to verify data confidentiality , Integrity , Ava liability compliance of an organisation the IT auditor is auditing.

Related Tags: IT audit, IT governance, Compliance, ISO 27001, SOX, HIPPA, PCI, Data Confidentiality

CISA Audit Process #12

2007-05-05T06:48:00.000-07:00

IT Application Audit

The objectives of an IT applicaton audit are to evaluate:

The efficiency of the application in meeting the business processes

The impact of any exposures discovered

The business processes served by the application

The appliction's optimization

However, if a IT auditor is performing a review of an application's controls

It will involves the evaluation of the application's automated controls and an assessment of any

exposures resulting from the control weakness.

CISA 2007 - Audit Process # 11

2007-05-03T07:56:00.000-07:00

Auditing Inventory Applicaton

In an audit of an inventory application, the approach which would provide the BEST evidence that purchase orders are valid is testing whether inappropriate personnel can change application parameters.

Tracing purchase orders to a computer listing, comparing receiving reports to purchase order details are after-the fact approaches

Reviewing the application documentation will not give the actual scenario as it is only theory.

Related Tags: IT audit, IT compliance, IT governance, IT security, SOX, ISO 27001, Encryption

Audit Process #10

2007-05-01T07:01:00.000-07:00

Computer Forensic Software

Computer Forensic Software is only utilised if there is a need to collect digital evidence from Information Processing devices such as laptops, computers , PDAs etc. to press charges against fraud, cheat and other computer related crimes.

Computer Forensic Software is most useful for preservation of the chain of custody for electronic evidence

A good Computer Forensic Software should be efficient, effective, time and cost savings.

Another characteristic of a computer forensic software is that it is able to search for violations of intellectual property rights

Related Tags: IT compliance, IT governance, IT audit, IT Forensic, ISO 27001, IT risks

CISA 2007 - Audit Process #9

2007-04-30T23:59:00.000-07:00

Types of IT Audit Testing

Compliance Testing : In a IT audit , Compliance testing determines whether controls are being applied in compliance with policy. This includes tests to determine whether new accounts were appropriately authorized.

Substantive Testing : In a IT audit , Substantive testing substantiates the integrity of actual processing, such as balances on financial statements. The development of substantive tests is often dependent on the outcome of compliance tests. If compliance tests indicate that there are adequate internal controls, then substantive tests can be minimized.

Variable Sampling : In a IT audit , Variable sampling is used to estimate numerical values, such as dollar values.

Stop-Or-Go Sampling: In a IT audit , Stop-or-go sampling allows a test to be stopped as early as possible and is not appropriate for checking whether procedures have been followed.

Related Tags: IT audit, IT governance, IT Compliance, SOX, ISO 27001, CISA, CISM

CISA 2007 - Audit Process #8

2007-04-27T05:54:00.000-07:00

IT Audit Process

Not reporting an intrusion is equivalent to an IT auditor hiding a malicious intrusion, which would be a professional mistake. Although notification to the police may be required and the lack of a periodic examination of access rights might be a concern, they do not represent as big a concern as the failure to report the attack. Reporting to the public is not a requirement and is dependent on the organization's desire, or lack thereof, to make the intrusion known.

An organizational chart provides information about the responsibilities and authority of individuals in the organization. This helps the IS auditor to know if there is a proper segregation of functions. A workflow chart would provide information about the roles of different employees. A network diagram will provide information about the usage of various communication channels and will indicate the connection of users to the network.

The audit charter typically sets out the role and responsibility of the internal audit department. It should state management's objectives for and delegation of authority to the audit department. It is rarely changed and does not contain the audit plan or audit process, which is usually part of annual audit planning, nor does it describe a code of professional conduct, since such conduct is set by the profession and not by management.

Related Tags: IT Audit, IT Compliance, CISA, CISM, CISSP, IT Governance

CISA 2007 - Audit Process #7

2007-04-21T08:00:00.000-07:00

During a security audit of IT processes, an IT auditor found that there were no documented security procedures.

Since one of the main objectives of an audit is to identify potential risks; therefore, the most proactive approach would be to identify and evaluate the existing security practices being followed by the organization.

IT auditors should not prepare documentation, and doing so could jeopardize their independence. Terminating the audit may prevent achieving one of the basic audit objectives, i.e., identification of potential risks. Since there are no documented procedures, there is no basis against which to test compliance.

Related Tags: IT audit, IT compliance, IT governance, CISA, CISM, Serbanes Oxley Act, HIPPA, ISO 27001

CISA 2007 - Audit Process #6

2007-04-21T06:20:00.000-07:00

During an IT audit, if the auditee disagrees with the impact of a finding, it is important for the IT auditor to elaborate and clarify the risks and exposures, as the auditee may not fully appreciate the magnitude of the exposure. The goal should be to enlighten the auditee or uncover new information of which the IT auditor may not have been aware. Anything that appears to threaten the auditee will lessen effective communications and set up an adversarial relationship. By the same token, the IT auditor should not automatically agree just because the auditee expresses an alternate point of view at the end of an IT audit

In an IT audit, Attribute sampling is the primary sampling method used for compliance testing. Attribute sampling is a sampling model that is used to estimate the rate of occurrence of a specific quality (attribute) in a population and is used in compliance testing to confirm whether the quality exists. The other choices are used in substantive testing, which involves testing of details or quantity.

Related Tags: IT Compliance, CISA, CISM, IT Governance, IT audit

CISA 2007 Audit Process #5

2007-04-17T09:15:00.000-07:00

CISA 2007 - IT Audit Process & IT Segregation of Duties

During an IT Compliance Audit by observing the IS staff performing their tasks, the IS auditor can identify whether they are performing any incompatible operations, and by interviewing the IS staff, the auditor can get an overview of the tasks performed. Based on the observations and interviews the auditor can evaluate the segregation of duties.

Management may not be aware of the detailed functions of each employee in the IS department; therefore, discussion with the management would provide only limited information regarding segregation of duties during the course of an IT audit.

An organization chart would not provide details of the functions of the employees. Testing of user rights would provide information about the rights they have within the IS systems, but would not provide complete information about the functions they perform during an audit

Related Tags: IT Compliance, IT segregation of duties, IT Audit, cisa, cism

CISA 2007 - Audit Process #4

2007-04-14T22:17:00.000-07:00

Redudancy Check - It is a check that appends calculated bits to the end of data stream to check transmission errors of data.

Parity Check - It is a hardware control that detects data errors when data gets transmitted from one computer to another from memory or during transmission.

Check Digit - Check digits detect transposition or transcription errors.

Reasonablessness Check - It is a check which compares data to predefined reasonability limits or occurence rates established for the data.

Related Tags: cisa, IT compliance, IT governance, IT audit

CISA 2007 - Audit Process #3

2007-04-12T04:43:00.000-07:00

There are different types of controls that can help prevent, avoid , detect risk:
They are :

Detective Controls : Controls that detect and report errors, omission or malicious acts. Examples are Hash totals, Echo controls in telecommunications.

Preventive Controls : Detect problems before they arise.
Example: Encryption software used to prevent unauthorised access

Corrective Controls: Correct problems before they occur.
Example: Contingency planning, Backup Procedures

Related Tags: cisa, cissp, it audit, it governance, it compliance

CISA 2007 - Audit Process continued #2

2007-04-08T06:45:00.000-07:00

Continuous and Intermittent simulation (CIS) is a moderately complex set of programs which simulate the process instruction of a transaction. As each transaction in entered into a program it is checked to see if it meets certain predefined criteria. If the predefined criteria is met, the program audits the transaction.If not it waits for the next transaction until the predefined criteria is met and audits again.

Audit hooks are low complexity programs that focuses on certain specific conditions instead of detailed criteria in identifying transactions for review.

ITF focuses on test versus live data

During an IT audit, An integrated test facility (ITF) creates a fictitious entity in the database to process test transactions simultaneously with live input. Its advantage is that periodic testing does not require separate test processes. However, careful planning is necessary, and test data must be isolated from production data.

SCARF/EAM focuses on controls versus data

A snapshot tool is most useful when an audit trail is required

To detect errors of a previous period of a IT audit, we can make use of Generalized audit software features. It include include mathematical computations, stratification, statistical analysis, sequence checking, duplicate checking and recomputations.

For example,if the vice president of human resources has requested a IT audit to identify payroll overpayments for the previous year.It would be good to use Generalized audit software features because you could design appropriate tests to recompute the payroll and, thereby, determine if there were overpayments and to whom they were made.

Test data would test for the existence of IT controls that might prevent overpayments, but it would not detect specific, previous miscalculations. Neither an integrated test facility nor an embedded audit module would detect errors for a previous period.

Related Tags: IT audit, CISA, CISM, IT governance, IT Compliance

CISA 2007 - Audit Process continued #1

2007-04-08T05:22:00.000-07:00

Inherent risk can also be defined as error occuring without compensating controls.

Sampling risk is the wrong assumption made with regards to a population being sampled for.

A risk-based approach in auditing involves understanding of the business processes of the company audited, this is because business risks will affect the long-term viability of the business.

Before using integrated test facility (ITF) we need to isolate test data from production data because it involves testing of test data on live programs

Related Tags: IT audit, CISA, CISM, IT governance, IT Compliance

CISA 2007 - Audit Process

2007-04-06T18:08:00.000-07:00

In order to conduct a risk-based approach audit. We must understand the different
kinds of risks.

1.) Inherent risks - Risks that occur because of the nature of business. For example complex calculations are more easier to be misstated than simple calculations & money is more likely to be stolen than an inventory of coal.

2.)Control risks - The risk of a material error occurs that will not be prevented or detected timely by internal control systems. For example, the risk of overlooking massive volumes of log files is higher than automatic data validation by computer programs.

3.)Detection risks -The risk that an Information Systems Auditor uses inadequate test procedures and conclude that material errors do not exist when in fact they do.

Using statistical sampling, an IS auditor can quantify how closely the sample should represent the population and quantify the probability of error.

The use of statistical sampling helps minimise detection risks

Related Tags: cissp, cisa, IT audit, IT governance, IT compliance

CISA 2007 Exam Information

2007-04-06T07:35:00.000-07:00

It's time now to share knowledge on CISA 2007 exam. This year it has been divided into

Area 1 - IS Audit Process (10%)
Area 2 - IT Governance (15%)
Area 3 - Systems & Infrastructure Life-Cycle Management(16%)
Area 4 - IT Service and Delivery Report (14%)
Area 5 - Protection of Information Assets (31%)
Area 6 - Business Continuity and Disaster Recovery(14%)

Related Tags: cisa 2007 review manual, cisa, cism, IT audit, IT compliance, IT governance, Disaster Recovery