CISA – Certified Information Systems Auditor Study Guide

By: Hemang Doshi

Overview of this book

Are you looking to prepare for the CISA exam and understand the roles and responsibilities of an information systems (IS) auditor? The CISA - Certified Information Systems Auditor Study Guide is here to help you get started with CISA exam prep. This book covers all the five CISA domains in detail to help you pass the exam. You’ll start by getting up and running with the practical aspects of an information systems audit. The book then shows you how to govern and manage IT, before getting you up to speed with acquiring information systems. As you progress, you’ll gain knowledge of information systems operations and understand how to maintain business resilience, which will help you tackle various real-world business problems. Finally, you’ll be able to assist your organization in effectively protecting and controlling information systems with IT audit standards. By the end of this CISA book, you'll not only have covered the essential concepts and techniques you need to know to pass the CISA certification exam but also have the ability to apply them in the real world.
Table of Contents (19 chapters)

  • Section 1: Information System Auditing Process
  • Section 2: Governance and Management of IT
  • Section 3: Information Systems Acquisition, Development, and Implementation
  • Section 4: Information System Operations and Business Resilience
  • Section 5: Protection of Information Assets

Audit planning

CISA aspirants should understand the following important terms before reading about the different aspects of audit planning:

  • Audit universe: An inventory of all the functions/processes/units under the organization.
  • Qualitative risk assessment: In a qualitative risk assessment, risk is assessed using qualitative parameters such as high, medium, and low.
  • Quantitative risk assessment: In a quantitative risk assessment, risk is assessed using numerical parameters and is quantified.
  • Risk factors: Factors that have an impact on risk. The presence of those factors increases the risk, whereas the absence of those factors decreases the risk.

All of the preceding elements are important prerequisites for the design of a structured audit plan. Next, let's discuss the benefits of a structured and well-designed audit plan.

Benefits of audit planning

Audit planning is the initial stage of the audit process. It establishes the overall audit strategy and the techniques used to complete the audit. Audit planning makes the audit process more structured and objective-oriented.

An audit plan helps to identify and determine the following aspects:

  • The objectives of the audit
  • The scope of the audit
  • The periodicity of the audit
  • The members of the audit team
  • The method of audit

The following are some of the benefits of audit planning:

  • It helps the auditor to focus on high-risk areas
  • It helps in the identification of resource requirements to conduct the audit
  • It helps to estimate the budget for the audit
  • It helps to carry out audit work in a defined structure, which ultimately benefits the auditor as well as the auditee units

Selection criteria

An IS auditor should have a sufficient understanding of the various criteria used to select the processes to be audited.

One of the criteria for audit planning is to have an audit universe. All of the significant processes of the enterprise's business should be included in the audit universe.

Each business process may undergo a qualitative or quantitative risk assessment that evaluates the risk with respect to the relevant risk factors. The risk factors influence how frequently a process is audited. After the risk has been evaluated for each relevant factor, criteria can be defined to determine the overall risk of each process. The audit plan can then be designed to cover all the high-risk areas.
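The following added example (not from the book) turns the procedure above into code: each process in a constructed audit universe is rated against a set of risk factors, a weighted quantitative score is computed, that score is mapped to a qualitative rating, and the rating determines audit frequency and ordering in the plan. The process names, factors, weights, thresholds and frequencies are all assumptions chosen for illustration.

```python
# Constructed risk factors and weights (assumed values; weights sum to 1.0).
RISK_FACTORS = {
    "regulatory_impact": 0.35,
    "financial_impact": 0.30,
    "change_since_last_audit": 0.20,
    "prior_audit_findings": 0.15,
}

# Constructed audit universe: every significant process, rated 1 (low) to 5 (high)
# against each risk factor.
AUDIT_UNIVERSE = {
    "Payroll": {"regulatory_impact": 4, "financial_impact": 5,
                "change_since_last_audit": 2, "prior_audit_findings": 3},
    "Data centre operations": {"regulatory_impact": 3, "financial_impact": 4,
                               "change_since_last_audit": 4, "prior_audit_findings": 4},
    "Procurement": {"regulatory_impact": 2, "financial_impact": 4,
                    "change_since_last_audit": 2, "prior_audit_findings": 2},
    "Visitor management": {"regulatory_impact": 1, "financial_impact": 1,
                           "change_since_last_audit": 1, "prior_audit_findings": 2},
}

# Assumed mapping from qualitative rating to audit periodicity (months).
FREQUENCY_MONTHS = {"high": 12, "medium": 24, "low": 36}


def quantitative_score(ratings, weights=RISK_FACTORS):
    """Weighted score on the 1-5 scale; rejects a process with a missing factor."""
    missing = set(weights) - set(ratings)
    if missing:
        raise ValueError(f"missing ratings for factors: {sorted(missing)}")
    return round(sum(ratings[f] * w for f, w in weights.items()), 2)


def qualitative_rating(score):
    """Map the numeric score onto the high/medium/low scale (assumed thresholds)."""
    if score >= 3.5:
        return "high"
    if score >= 2.5:
        return "medium"
    return "low"


def build_audit_plan(universe):
    """Score every process and order the plan so high-risk areas come first."""
    plan = []
    for name, ratings in universe.items():
        score = quantitative_score(ratings)
        rating = qualitative_rating(score)
        plan.append({"process": name, "score": score, "rating": rating,
                     "audit_every_months": FREQUENCY_MONTHS[rating]})
    plan.sort(key=lambda entry: (-entry["score"], entry["process"]))
    return plan


def high_risk_areas(plan):
    """The processes the plan must cover first."""
    return [entry["process"] for entry in plan if entry["rating"] == "high"]
```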

Reviewing audit planning

The audit plan should be reviewed and approved by top management. Generally, approval is obtained from the audit committee of the board.

The audit plan should be flexible enough to address changes in the risk environment (that is, new regulatory requirements, changes in market conditions, and other risk factors).

The approved audit plan should be communicated promptly to the following groups:

  • Senior management
  • Business functions and other stakeholders
  • The internal audit team

Individual audit assignments

The next step after completing the overall annual plan is to plan individual audit assignments. The IS auditor must understand the overall environment under review. While planning an individual audit assignment, an IS auditor should consider the following:

  • Prior audit reports
  • Risk assessment reports
  • Regulatory requirements
  • Standard operating processes
  • Technological requirements

Like every other process, the audit process has inputs and outputs. The following diagram will help you to understand the input and output elements of the audit process:

Figure 1.3 – Audit process flow

For effective audit planning, it is of utmost importance that the IS auditor has a thorough understanding of business process applications and controls. The basic architecture of some of the commonly used applications and their associated risks are discussed in the next topic.

Key aspects from CISA exam perspective

The following figure covers important aspects from the CISA exam perspective:

CISA question: What is the first step in risk-based audit planning?
Possible answer: To identify areas of high risk

CISA question: What is a major benefit of risk-based audit planning?
Possible answer: The utilization of resources for high-risk areas

CISA question: What is the first step to conduct a data center review?
Possible answer: To evaluate vulnerabilities and threats related to data center location

Self-evaluation questions

  1. Which of the following is the first step in risk-based audit planning?
    1. To identify the requirements of relevant stakeholders
    2. To identify high-risk processes in the company
    3. To identify the budget
    4. To identify the profit function
  2. Which of the following is a major advantage of a risk-based approach to audit planning?
    1. Advance communication of the audit plan
    2. Completion of the audit exercise within the allotted time and budget
    3. The collection of audit fees in advance
    4. Optimum use of audit resources for high-risk processes
  3. Which of the following should be the first exercise while reviewing data center security?
    1. The evaluation of the physical security arrangement
    2. The evaluation of vulnerabilities and threats to the data center location
    3. The evaluation of the business continuity arrangement for the data center
    4. The evaluation of the logical security arrangement
  4. Which of the following is the most important aspect of planning an audit?
    1. Identifying high-risk processes
    2. Identifying the experience and capabilities of audit staff
    3. Identifying control testing procedures of the audit
    4. Determining the audit schedule