Browse Library
Sign In Start Free Trial
Close icon Search icon
Account
Browse Library Sign In Start Free Trial

Add to playlist

Create a Playlist

Modal Close icon
You need to login to use this feature.
  • Book Overview & Buying CISA – Certified Information Systems Auditor Study Guide
  • Table Of Contents Toc
CISA – Certified Information Systems Auditor Study Guide

CISA – Certified Information Systems Auditor Study Guide - Second Edition

By : Hemang Doshi
4.9 (97)
Buy this Book
close
close
CISA – Certified Information Systems Auditor Study Guide

CISA – Certified Information Systems Auditor Study Guide

4.9 (97)
By: Hemang Doshi
Buy this Book

Overview of this book

With the latest updates and revised study material, this second edition of the Certified Information Systems Auditor Study Guide provides an excellent starting point for your CISA certification preparation. The book strengthens your grip on the core concepts through a three-step approach. First, it presents the fundamentals with easy-to-understand theoretical explanations. Next, it provides a list of key aspects that are crucial from the CISA exam perspective, ensuring you focus on important pointers for the exam. Finally, the book makes you an expert in specific topics by engaging you with self-assessment questions designed to align with the exam format, challenging you to apply your knowledge and sharpen your understanding. Moreover, the book comes with lifetime access to supplementary resources on an online platform, including CISA flashcards, practice questions, and valuable exam tips. With unlimited access to the website, you’ll have the flexibility to practice as many times as you desire, maximizing your exam readiness. By the end of this book, you’ll have developed the proficiency to successfully obtain the CISA certification and significantly upgrade your auditing career.
Table of Contents (14 chapters)
close
close
close
Preface
Icon
Preface
Icon
Online Exam-Prep Tools
Icon
Who This Book Is For
Icon
What This Book Covers
Icon
How to Get the Most out of This Book
Icon
Recorded Lectures
Icon
Requirements for the Online Content
Icon
Instructions for Unlocking the Online Content
Icon
Quick Access to the Website
Icon
Conventions Used
Icon
Get in Touch
Icon
Share Your Thoughts
Icon
Download a Free PDF Copy of This Book
1
Chapter 1: Audit Planning
Icon
Chapter 1: Audit Planning
Icon
The Contents of an Audit Charter
Icon
Audit Planning
Icon
Business Process Applications and Controls
Icon
Types of Controls
Icon
Risk-Based Audit Planning
Icon
Types of Audits and Assessments
Icon
Summary
Icon
Chapter Review Questions
Lock Free Chapter
2
Chapter 2: Audit Execution
chevron up
Icon
Chapter 2: Audit Execution
Icon
Audit Project Management
Icon
Sampling Methodology
Icon
Audit Evidence Collection Techniques
Icon
Data Analytics
Icon
Reporting and Communication Techniques
Icon
Control Self-Assessment
Icon
Summary
Icon
Chapter Review Questions
3
Chapter 3: IT Governance
Icon
Chapter 3: IT Governance
Icon
Enterprise Governance of IT (EGIT)
Icon
IT-Related Frameworks
Icon
IT Standards, Policies, and Procedures
Icon
Organizational Structure
Icon
Enterprise Architecture
Icon
Enterprise Risk Management
Icon
Maturity Model
Icon
Laws, Regulations, and Industry Standards Affecting the Organization
Icon
Summary
Icon
Chapter Review Questions
4
Chapter 4: IT Management
Icon
Chapter 4: IT Management
Icon
IT Resource Management
Icon
IT Service Provider Acquisition and Management
Icon
IT Performance Monitoring and Reporting
Icon
Quality Assurance and Quality Management in IT
Icon
Summary
Icon
Chapter Review Questions
5
Chapter 5: Information Systems Acquisition and Development
Icon
Chapter 5: Information Systems Acquisition and Development
Icon
Project Management Structure
Icon
Business Case and Feasibility Analysis
Icon
System Development Methodologies
Icon
Control Identification and Design
Icon
Summary
Icon
Chapter Review Questions
6
Chapter 6: Information Systems Implementation
Icon
Chapter 6: Information Systems Implementation
Icon
Testing Methodology
Icon
System Migration
Icon
Post-Implementation Review
Icon
Summary
Icon
Chapter Review Questions
7
Chapter 7: Information Systems Operations
Icon
Chapter 7: Information Systems Operations
Icon
Understanding Common Technology Components
Icon
IT Asset Management
Icon
Job Scheduling
Icon
End User Computing
Icon
System Performance Management
Icon
Problem and Incident Management
Icon
Change Management, Configuration Management, and Patch Management
Icon
IT Service-Level Management
Icon
Evaluating the Database Management Process
Icon
Summary
Icon
Chapter Review Questions
8
Chapter 8: Business Resilience
Icon
Chapter 8: Business Resilience
Icon
Business Impact Analysis
Icon
Data Backup and Restoration
Icon
System Resiliency
Icon
Business Continuity Plan
Icon
Disaster Recovery Plan
Icon
DRP – Test Methods
Icon
Recovery Time Objective (RTO) and Recovery Point Objective (RPO)
Icon
Alternate Recovery Sites
Icon
Summary
Icon
Chapter Review Questions
9
Chapter 9: Information Asset Security and Control
Icon
Chapter 9: Information Asset Security and Control
Icon
Information Asset Security Frameworks, Standards, and Guidelines
Icon
Privacy Principles
Icon
Physical Access and Environmental Controls
Icon
Identity and Access Management
Icon
Biometrics
Icon
Summary
Icon
Chapter Review Questions
10
Chapter 10: Network Security and Control
Icon
Chapter 10: Network Security and Control
Icon
Network and Endpoint Devices
Icon
Firewall Types and Implementation
Icon
VPN
Icon
Voice over Internet Protocol (VoIP)
Icon
Wireless Networks
Icon
Email Security
Icon
Summary
Icon
Chapter Review Questions
11
Chapter 11: Public Key Cryptography and Other Emerging Technologies
Icon
Chapter 11: Public Key Cryptography and Other Emerging Technologies
Icon
Public Key Cryptography
Icon
Elements of PKI
Icon
Cloud Computing
Icon
Virtualization
Icon
Mobile Computing
Icon
Internet of Things (IoT)
Icon
Summary
Icon
Chapter Review Questions
12
Chapter 12: Security Event Management
Icon
Chapter 12: Security Event Management
Icon
Security Awareness Training and Programs
Icon
Information System Attack Methods and Techniques
Icon
Security Testing Tools and Techniques
Icon
Security Monitoring Tools and Techniques
Icon
Incident Response Management
Icon
Evidence Collection and Forensics
Icon
Summary
Icon
Chapter Review Questions
Icon
Why subscribe?
13
Other Books You May Enjoy
Icon
Other Books You May Enjoy
Icon
Share Your Thoughts
Icon
Download a Free PDF Copy of This Book

Data Analytics

Data Analytics (DA) is the method of examining data or information. It helps you to understand the data by transforming raw data into usable and meaningful information.

Examples of the Effective Use of Data Analytics

The following are some examples of the use of DA:

  • To determine whether a user is authorized by combining logical access files with the human resource employee database
  • To determine whether events are authorized by combining the file library settings with change management system data and the date of file changes
  • To identify tailgating by combining input with output records
  • To review system configuration settings
  • To review logs for unauthorized access

CAATs

CAATs are extremely useful to IS auditors for gathering and analyzing large and complex data during an IS audit. CAATs help an IS auditor collect evidence from different hardware, software environments, and data formats.

The following table presents a breakdown of the functions of CAAT tools:

CAAT Tools

Functions

General Audit Software

This is a standard type of software that is used to read and access data directly from various database platforms.

Utility and Scanning Software

This helps in generating reports of the database management system.

It scans all the vulnerabilities in the system.

Debugging

This helps in identifying and removing errors from computer hardware or software.

Test Data

This is used to test processing logic, computations, and controls programmed in computer applications.

Table 2.10: Breakdown of CAAT functions

A CAAT helps an IS auditor collect information independently. Information obtained through CAATs is considered more reliable.

Examples of the Effective Use of CAAT Tools

The following are some examples of use cases for CAAT tools:

  • To determine the accuracy of transactions and balances
  • For detailed analysis
  • To ascertain compliance with IS general controls
  • To ascertain compliance with IS application controls
  • To assess network and operating system controls
  • For vulnerability and penetration testing
  • For the security scanning of source code and AppSec testing

Precautions while Using CAAT

An auditor should be aware of the following precautions when using CAAT tools:

  • Ensure the integrity of imported data by safeguarding its authenticity, integrity, and confidentiality
  • Obtain approval for installing the CAAT software on the auditee servers
  • Obtain only read-only access when using CAATs on production data
  • Edits/modifications should be applied to duplicate data and the integrity of the original data should be ensured

Continuous Auditing and Monitoring

A CISA candidate should understand the difference between continuous auditing and continuous monitoring:

Continuous Auditing

Continuous Monitoring

In continuous auditing, an audit is conducted in a real-time or near-real-time environment. In continuous auditing, the gap between operations and an audit is much shorter than under a traditional audit approach.

In continuous monitoring, the relevant process of a system is observed on a continuous basis.

For example, high payouts are audited immediately after a payment is made.

For example, antivirus or IDSs may continuously monitor a system or a network for abnormalities.

Table 2.11: Differences between continuous auditing and continuous monitoring

Continuous auditing and continuous monitoring are mutually exclusive. Continuous assurance can be ensured if both continuous monitoring and continuous auditing are in place. Generally, the results of continuous auditing are the precursor for the introduction of a continuous monitoring process.

Continuous Auditing Techniques

For IS audits, continuous audit techniques are extremely important tools. The following are the five widely used continuous audit tools.

Integrated Test Facility

The following are the features of an Integrated Test Facility (ITF).

In an ITF, a fictitious entity is created in the production environment:

  • The auditor may enter test or dummy transactions and check the processing and results of these transactions for correctness.
  • Processed results and expected results are evaluated to check the proper functioning of systems.
  • For example, with the ITF technique, a test transaction is entered. The processing results of the test transaction are compared with the expected results to determine the accuracy of processing. If the processed results match the expected results, then it determines that the processing is correct. Once the verification is complete, test data is deleted from the system.

System Control Audit Review File

The following are the features of a System Control Audit Review File (SCARF):

  • In this technique, an audit module is embedded (inbuilt) into the organization’s host application to track transactions on an ongoing basis.
  • A SCARF is used to obtain data or information for audit purposes.
  • SCARFs record transactions above a specified limit or deviation-/exception-related transactions. These transactions are then reviewed by the auditor.
  • SCARFs are useful when regular processing cannot be interrupted.

Snapshot Technique

The following are the features of the snapshot technique:

  • This technique captures snapshots or pictures of the transaction as it is processed at different stages in the system.
  • Details are captured both before and after the execution of the transaction. The correctness of the transaction is verified by validating the before-processing and after-processing snapshots of the transactions.
  • Snapshots are useful when an audit trail is required.
  • The IS auditor should consider the following significant factors when working with this technique:
    • At what location snapshots are captured
    • At what time snapshots are captured
    • How the reporting of snapshot data is done

Audit Hook

The following are the features of an audit hook:

  • Audit hooks are embedded in the application system to capture exceptions.
  • The auditor can set different criteria to capture exceptions or suspicious transactions.
  • For example, with the close monitoring of cash transactions, the auditor can set criteria to capture cash transactions exceeding $10,000. All these transactions are then reviewed by the auditor to identify fraud, if any.
  • Audit hooks are helpful in the early identification of irregularities, such as fraud or error.
  • Audit hooks are generally applied when only selected transactions need to be evaluated.

Continuous and Intermittent Simulation

The following are the features of Continuous and Intermittent Simulation (CIS):

  • CIS replicates or simulates the processing of the application system.
  • In this technique, a simulator identifies transactions as per the predefined parameters. Identified transactions are then audited for further verification and review.
  • CIS compares its own results with the results produced by application systems. If any discrepancies are noted, it is written to the exception log file.
  • CIS is useful to identify the transactions as per the predefined criteria in a complex environment.

The following table summarizes the features of continuous audit tools:

Audit Tool

Usage

SCARF/EAM

This is useful when regular processing cannot be interrupted.

Snapshots

Pictures or snapshots are used when an audit trail is required.

Audit hooks

When early detection of fraud or error is required.

ITF

Test data is used in a production environment

CIS

CIS is useful for the identification of transactions as per predefined criteria in a complex environment.

Table 2.12: Types of continuous audit tools and their features

An IS auditor should be aware of the methods and procedures through which analysis and findings are reported to the audit committee and senior management. The effective reporting of audit findings and communicating the findings to all the stakeholders are very important parts of audit execution; these are covered in more detail in the next section.

Key Aspects from the CISA Exam Perspective

The following table covers important aspects from the CISA exam perspective:

CISA Questions

Possible Answers

What is the first step of conducting data analytics?

The first step will be determining the objective and scope of analytics.

Which is the most effective online audit technique when an audit trail is required?

The snapshot technique.

What is the advantage of an Integrated Test Facility (ITF)?

Setting up a separate test environment/test process is not required.

An ITF helps validate the accuracy of the system processing.

Which is the most effective online audit technique when the objective is to identify transactions as per predefined criteria?

CIS is most useful to identify transactions as per predefined criteria in a complex environment.

Table 2.13: Key aspects from the CISA exam perspective

CONTINUE READING
83
Tech Concepts
36
Programming languages
73
Tech Tools
Icon Unlimited access to the largest independent learning library in tech of over 8,000 expert-authored tech books and videos.
Icon Innovative learning tools, including AI book assistants, code context explainers, and text-to-speech.
Icon 50+ new titles added per month and exclusive early access to books as they are being written.
CISA – Certified Information Systems Auditor Study Guide
End of Section 2
Next Section
notes
bookmark Notes and Bookmarks search Search in title playlist Add to playlist font-size Font size

Change the font size

margin-width Margin width

Change margin width

day-mode Day/Sepia/Night Modes

Change background colour

Close icon Search
Country selected
Close icon Your notes and bookmarks

Confirmation

Modal Close icon
claim successful
Order Page Read Now

Buy this book with your credits?

Modal Close icon
Are you sure you want to buy this book with one of your credits?
Close
YES, BUY

Submit Your Feedback

Modal Close icon
Modal Close icon
Modal Close icon