Book Image

CISA – Certified Information Systems Auditor Study Guide

By : Hemang Doshi
Book Image

CISA – Certified Information Systems Auditor Study Guide

By: Hemang Doshi

Overview of this book

Are you looking to prepare for the CISA exam and understand the roles and responsibilities of an information systems (IS) auditor? The CISA - Certified Information Systems Auditor Study Guide is here to help you get started with CISA exam prep. This book covers all the five CISA domains in detail to help you pass the exam. You’ll start by getting up and running with the practical aspects of an information systems audit. The book then shows you how to govern and manage IT, before getting you up to speed with acquiring information systems. As you progress, you’ll gain knowledge of information systems operations and understand how to maintain business resilience, which will help you tackle various real-world business problems. Finally, you’ll be able to assist your organization in effectively protecting and controlling information systems with IT audit standards. By the end of this CISA book, you'll not only have covered the essential concepts and techniques you need to know to pass the CISA certification exam but also have the ability to apply them in the real world.

Related Content you might be interested in

Current Title:

Small book image
CISA – Certified Information Systems Auditor Study Guide
Hemang Doshi
Aug, 2020 | 590 pages
Small book image
Certified Information Security Manager Exam Prep Guide
Hemang Doshi
Dec, 2022 | 718 pages
Small book image
Certified Information Security Manager Exam Prep Guide
Hemang Doshi
Nov, 2021 | 616 pages
Small book image
ISACA Certified in Risk and Information Systems Control (CRISC®) Exam Guide
Shobhit Mehta
Sep, 2023 | 316 pages
Table of Contents (19 chapters)
Preface
Preface
Who this book is for
What this book covers
To get the most out of this book
Get in touch
1
Section 1: Information System Auditing Process
Section 1: Information System Auditing Process
Free Chapter
2
Audit Planning
Audit Planning
The content of an audit charter
Audit planning
Business process applications and controls
Types of controls
Risk-based audit planning
Types of audit and assessment
Summary
Assessments
3
Audit Execution
Audit Execution
Audit project management
Sampling methodology
Audit evidence collection techniques
Data analytics
Reporting and communication techniques
Control self-assessment
Summary
Assessments
4
Section 2: Governance and Management of IT
Section 2: Governance and Management of IT
5
IT Governance
IT Governance
IT enterprise governance (EGIT)
IT-related frameworks
IT standards, policies, and procedures
Organizational structure
Enterprise architecture
Enterprise risk management
Maturity model
Laws, regulations, and industry standards affecting the organization
Summary
Assessments
6
IT Management
IT Management
IT resource management
IT service provider acquisition and management
IT performance monitoring and reporting
Quality assurance and quality management in IT
Summary
Assessment answers
7
Section 3: Information Systems Acquisition, Development, and Implementation
Section 3: Information Systems Acquisition, Development, and Implementation
8
Information Systems Acquisition and Development
Information Systems Acquisition and Development
Project management structure
Business cases and feasibility analysis
System development methodologies
Control identification and design
Summary
Assessments
9
Information Systems Implementation
Information Systems Implementation
Testing methodology
System migration
Post-implementation review
Summary
Assessments
10
Section 4: Information System Operations and Business Resilience
Section 4: Information System Operations and Business Resilience
11
Information System Operations
Information System Operations
Understanding common technology components
IT asset management
Job scheduling
End user computing
System performance management
Problem and incident management
Change management, configuration management, and patch management
IT service level management
Evaluating the database management process
Summary
Assessment
12
Business Resilience
Business Resilience
Business impact analysis
Data backup and restoration
System resiliency
Business continuity plan
Disaster recovery plan
DRP – test methods
Recovery Time Objective (RTO) and Recovery Point Objective (RPO)
Alternate recovery site
Summary
Assessment
13
Section 5: Protection of Information Assets
Section 5: Protection of Information Assets
14
Information Asset Security and Control
Information Asset Security and Control
Information asset security frameworks, standards, and guidelines
Privacy principles
Physical access and environmental controls
Identity and access management
Biometrics
Summary
Assessments
15
Network Security and Control
Network Security and Control
Network and endpoint devices
Firewall types and implementation
VPN
Voice over Internet Protocol (VoIP)
Wireless networks
Email security
Summary
Assessments
16
Public Key Cryptography and Other Emerging Technologies
Public Key Cryptography and Other Emerging Technologies
Public key cryptography
Elements of PKI
Cloud computing
Virtualization
Mobile computing
Summary
Assessments
17
Security Event Management
Security Event Management
Security awareness training and programs
Information system attack methods and techniques
Security testing tools and techniques
Security monitoring tools and techniques
Incident response management
Evidence collection and forensics
Summary
Assessments
18
Other Books You May Enjoy
Other Books You May Enjoy
Leave a review - let other readers know what you think

Types of controls

An internal control is a process that is used to safeguard the assets of an organization. Assets can include systems, data, people, hardware, or the reputation of the organization. Internal controls help in achieving the objectives of the organization by mitigating various risks.

Internal controls are implemented through policies, procedures, practices, and organizational structures to address risks. Internal controls provide reasonable assurance to management about the achievement of business objectives. Through internal controls, risk events are prevented or detected and corrected.

Top management is responsible for implementing a culture that supports efficient and effective internal control processes.

Effective controls in an organization can be categorized into the following types:

Let's discuss the control types in detail.

Preventive controls

Preventive controls are designed to be implemented in such a way that prevents a threat event and thus avoids any potential impact of that threat event.

Examples of preventive controls include the following:

  • The use of qualified personnel
  • The segregation of duties
  • The use of SOPs to prevent errors
  • Transaction authorization procedures
  • Edit checks
  • Access control procedures
  • Firewalls
  • Physical barriers

Detective controls

Detective controls are designed to detect a threat event once that event has occurred. Detective controls aim to reduce the impact of such events.

Examples of detective controls include the following:

  • Internal audits and other reviews
  • Log monitoring
  • Checkpoints in production jobs
  • Echo controls in telecommunications
  • Error messages over tape labels
  • Variance analysis
  • Quality assurance

Corrective controls

Corrective controls are designed to minimize the impact of a threat event once it has occurred and help in restoring a business to normal operations.

Examples of corrective controls include the following:

  • Business continuity planning
  • Disaster recovery planning
  • Incident response planning
  • Backup procedures

Deterrent controls

The purpose of a deterrent control is to give a warning signal to deter a threat event.

Examples of deterrent controls include the following:

  • CCTV cameras or "under surveillance" signs
  • Warning signs

The difference between preventive and deterrent controls

For the CISA exam, it is important to understand the difference between preventive and deterrent controls. When a preventive control is implemented, an intruder is prevented from performing an act. They do not have a choice in whether or not to perform the act.

When a deterrent control is implemented, the intruder is being given a warning. Here, the intruder has a choice: either to act as per the warning or ignore the warning.

A locked door to a room is a preventive control. Intruders cannot go through the door. On the other hand, just a warning sign that says "No Entry" is a deterrent control. Intruders can ignore the warning and enter the room.

Apart from the controls we have covered thus far, CISA candidates should also understand compensating controls. It should be noted that the absence of one control can be compensated for by having another strong control.

Compensating controls

Compensating controls are alternate measures that are employed to ensure that weaknesses in a system are not exploited. In many cases, a strong control in one area can compensate for a weakness in another area.

For example, in small organizations, the segregation of duties may not always be feasible. In such cases, compensatory controls such as reviews of logs should be implemented.

Similarly, some organizations may prefer to have alternate security measures in place of encryption.

Control objectives

A control objective is a reason why a control is implemented. Control objectives are linked to business objectives.

A control objective generally addresses the following:

  • The effectiveness and efficiency of operational processes. For example, preventive controls attempt to prevent invalid transactions from being processed and assets from being misappropriated. However, detective controls have the objective of detecting errors or fraud that could result in the misstatement of financial statements.
  • Adherence to regulatory requirements.
  • The protection of assets.

It is advisable to document objectives for each and every control. Periodic reviews and monitoring of controls are required to validate results against these objectives.

Control measures

Control measures are implemented to achieve control objectives. Control measures are activities that are taken to prevent, eliminate, or minimize the risk of threat occurrence.

Key aspects from CISA exam perspective

The following table covers the important aspects from a CISA exam perspective:

CISA questions

Possible answer

Segregation of duties is an example of which type of control?

Preventive control

Controls that enable a risk or deficiency to be corrected before a loss occurs are known as what?

Corrective control

Controls that directly mitigate a risk or lack of controls directly acting upon a risk are know as what?

Compensating control

Self-evaluation questions

  1. Controls that are designed to prevent omissions, errors, or negative acts from occurring are which kind of controls?
    1. Preventive controls
    2. Detective controls
    3. Corrective controls
    4. Compensating controls
  1. What are controls that are put in place to indicate or detect an error?
    1. Preventive controls
    2. Detective controls
    3. Corrective controls
    4. Deterrent controls
  2. Which of the following is the segregation of duties an example of?
    1. Preventive control
    2. Detective control
    3. Corrective control
    4. Deterrent control
  3. What is the process of using well-designed documentation to prevent errors an example of?
    1. Preventive control
    2. Detective control
    3. Corrective control
    4. Deterrent control
  4. What kind of control is a control that enables a deficiency or another irregularity to be corrected before a loss occurs?
    1. Preventive control
    2. Detective control
    3. Corrective control
    4. Deterrent control
  5. Utilizing a service of only qualified resource is an example of:
    1. Preventive control
    2. Detective control
    3. Corrective control
    4. Internal control
  6. A check subroutine that identifies an error and makes a correction before enabling the process to continue is an example of what kind of control?
    1. Preventive control
    2. Detective control
    3. Corrective control
    4. Deterrent control
  1. Barriers or warning signs are examples of what kind of control?
    1. Preventive control
    2. Detective control
    3. Corrective control
    4. Deterrent control
  2. An "echo" message in a telecommunications protocol is an example of what kind of control?
    1. Preventive control
    2. Detective control
    3. Corrective control
    4. Compensating control
  3. Checkpoints in a production job are examples of what kind of control?
    1. Preventive control
    2. Detective control
    3. Corrective control
    4. Compensating control
  4. Controls that minimize the impact of a threat are what kind of controls?
    1. Preventive controls
    2. Detective controls
    3. Corrective controls
    4. Compensating controls
  5. Controls that remedy problems observed by means of detective controls are what kind of controls?
    1. Preventive controls
    2. Detective controls
    3. Corrective controls
    4. Compensating controls
  6. Controls that indirectly address a risk or address the absence of controls that would otherwise directly act upon that risk are what kind of controls?
    1. Preventive controls
    2. Detective controls
    3. Corrective controls
    4. Compensating controls
  1. Controls that predict potential problems before their occurrence are what kind of controls?
    1. Preventive controls
    2. Detective controls
    3. Corrective controls
    4. Compensating controls
  2. The requirement of biometric access for physical facilities is an example of what kind of control?
    1. Preventive control
    2. Detective control
    3. Corrective control
    4. Deterrent control
  3. Which of the following risks represents a process failure to detect a serious error?
    1. Detective risk
    2. Inherent risk
    3. Sampling risk
    4. Control risk
  4. Which of the following statements best describes detective controls and corrective controls?
    1. Both controls can prevent the occurrence of errors
    2. Detective controls are used to avoid financial loss and corrective controls are used to avoid operational risks
    3. Detective controls are used as a deterrent check and corrective controls are used to make management aware that an error has occurred
    4. Detective controls are used to identify that an error has occurred and corrective controls fix a problem before a loss occurs
  5. Why are control objectives defined in an audit program?
    1. To give the auditor an overview for control testing
    2. To restrict the auditor to testing only documented controls
    3. To prevent management from altering the scope of the audit
    4. To help the auditor to plan for the resource requirements
Previous Section
End of Section 5
Next Section