The Complete Guide for CISA Examination Preparation (Richard E. Cascarino)

Author: Richard E. Cascarino

Technology

The Complete Guide for CISA Examination Preparation delivers complete coverage of every topic on the latest release of the Certified Information Systems Auditor (CISA) exam. The author is an IT security and auditing expert and the book covers all five exam domains. This effective self-study system features chapter learning objectives, in-depth explanations of each topic, and accurate practice questions. Each chapter includes exam tips that highlight key exam information, hands-on exercises, a summary that serves as a quick review, and end-of-chapter questions that simulate those on the actual exam. Designed to help candidates pass the CISA exam easily, it also serves as an ideal on-the-job reference. Richard E. Cascarino, MBA, CIA, CISM, CFE, CRMA, is well known in international auditing. Richard is a principal of Richard Cascarino & Associates. He has over 31 years’ experience in audit training and consulting. He is a regular speaker at national and international conferences and has presented courses throughout Africa, Europe, the Middle East and the USA. Richard is a Past President of the Institute of Internal Auditors in South Africa, was the founding Regional Director of the Southern African Region of the IIA-Inc. and is a member of ISACA, and the Association of Certified Fraud Examiners, where he is a member of the Board of Regents for Higher Education. Richard was Chairman of the Audit Committee of Gauteng cluster 2 (Premier's office, Shared Services and Health) in Johannesburg and is currently the Chairman of the Audit and Risk Committee of the Department of Public Enterprises in South Africa. Richard is also a visiting Lecturer at the University of the Witwatersrand, author of the book Internal Auditing: An Integrated Approach, now in its third edition. This book is extensively used as a university textbook worldwide. In addition, he is the author of the Auditor's Guide to IT Auditing, Second Edition and the book Corporate Fraud and Internal Control: A Fra

📄 File Format: PDF
💾 File Size: 1.9 MB

📄 Text Preview (First 20 pages)

📄 Page 2
The Complete Guide for CISA Examination Preparation
📄 Page 3
Internal Audit and IT Audit
Series Editor: Dan Swanson, Dan Swanson and Associates, Ltd., Winnipeg, Manitoba, Canada.
The Internal Audit and IT Audit series publishes leading-edge books on critical subjects facing audit executives as well as internal and IT audit practitioners. Key topics include Audit Leadership, Cybersecurity, Strategic Risk Management, Auditing Various IT Activities and Processes, Audit Management, and Operational Auditing.
• The Complete Guide for CISA Examination Preparation – Richard E. Cascarino
• Blockchain for Cybersecurity and Privacy: Architectures, Challenges, and Applications – Yassine Maleh, Mohammad Shojafar, Mamoun Alazab, Imed Romdhani
• The Cybersecurity Body of Knowledge: The ACM/IEEE/AIS/IFIP Recommendations for a Complete Curriculum in Cybersecurity – Daniel Shoemaker, Anne Kohnke, Ken Sigler
• Corporate Governance: A Pragmatic Guide for Auditors, Directors, Investors, and Accountants – Vasant Raval
• The Audit Value Factor – Daniel Samson
• Managing IoT Systems for Institutions and Cities – Chuck Benson
• Fraud Auditing Using CAATT: A Manual for Auditors and Forensic Accountants to Detect Organizational Fraud – Shaun Aghili
• How to Build a Cyber-Resilient Organization – Dan Shoemaker, Anne Kohnke, Ken Sigler
• Auditor Essentials: 100 Concepts, Tips, Tools, and Techniques for Success – Hernan Murdock
• Project Management Capability Assessment: Performing ISO 33000-Based Capability Assessments of Project Management – Peter T. Davis, Barry D. Lewis
For more information about this series please visit: https://www.routledge.com/Internal-Audit-and-IT-Audit/book-series/CRCINTAUDITA
📄 Page 4
The Complete Guide for CISA Examination Preparation Richard E. Cascarino
📄 Page 5
First edition published 2021 by CRC Press, 6000 Broken Sound Parkway NW, Suite 300, Boca Raton, FL 33487-2742 and by CRC Press, 2 Park Square, Milton Park, Abingdon, Oxon, OX14 4RN
© 2021 Taylor & Francis Group, LLC
CRC Press is an imprint of Taylor & Francis Group, LLC
Reasonable efforts have been made to publish reliable data and information, but the author and publisher cannot assume responsibility for the validity of all materials or the consequences of their use. The authors and publishers have attempted to trace the copyright holders of all material reproduced in this publication and apologize to copyright holders if permission to publish in this form has not been obtained. If any copyright material has not been acknowledged please write and let us know so we may rectify in any future reprint.
Except as permitted under U.S. Copyright Law, no part of this book may be reprinted, reproduced, transmitted, or utilized in any form by any electronic, mechanical, or other means, now known or hereafter invented, including photocopying, microfilming, and recording, or in any information storage or retrieval system, without written permission from the publishers.
For permission to photocopy or use material electronically from this work, access www.copyright.com or contact the Copyright Clearance Center, Inc. (CCC), 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400. For works that are not available on CCC please contact mpkbookspermissions@tandf.co.uk
Trademark notice: Product or corporate names may be trademarks or registered trademarks, and are used only for identification and explanation without intent to infringe.
ISBN: 9781138308763 (hbk)
ISBN: 9780367551742 (pbk)
ISBN: 9780429030000 (ebk)
Typeset in Caslon Pro by Deanta Global Publishing Services, Chennai, India
📄 Page 6
Contents
The Complete Guide for CISA Examination Preparation xi
Chapter 1 Introduction to the CISA Examination 1
  The Examination Itself 1
  Becoming Certified 1
  Experience Requirements 2
  Educational Waivers 2
  Passing the Examination 3
  CISA Job Practice Domains and Task and Knowledge Statements 4
  ISACA’s Code of Professional Ethics 5
  The ISACA Standards 6
  Continuous Professional Education (CPE) 7
Chapter 2 Domain 1 – The Process of Auditing Information Systems 9
  The First Task 9
  The Second Task 10
  The Third Task 11
  The Fourth Task 11
  The Final Stage 12
  Knowledge Statements 12
  Knowledge of ISACA IT Audit and Assurance Standards, Guidelines and Tools and Techniques, Code of Professional Ethics, and Other Applicable Standards 12
  Understanding the Fundamental Business Processes 19
  Control Principles Related to Controls in Information Systems 22
📄 Page 7
  Reliability and Integrity of Information 22
  Compliance with Policies, Plans, Procedures, Laws, and Regulations 22
  Safeguarding of Assets 23
  Effectiveness and Efficiency of Operations 23
  Risk-Based Audit Planning and Audit Project Management Techniques 24
  Inherent Risk 25
  Control Risk 25
  Audit Risk 25
  Planning the Audit Project 25
  Quality of the Internal Control Framework 27
  Competence of Management 28
  Complexity of Transactions 28
  Liquidity of Assets 28
  Ethical Climate and Employee Morale 28
  Auditor Understanding of the Applicable Laws and Regulations That Affect the Scope, Evidence Collection and Preservation, and Frequency of Audits 29
  Evidence Collection Techniques 30
  Audit Techniques 32
  Automated Audit Tools 33
  Domain 1 – Examination Tips 35
  Domain 1 – Practice Questions 37
  Domain One – Review Questions and Hands-On Exercise 42
  Domain 1 – Answers to Practice Questions 43
  Exercise 1 Sample Answer 46
Chapter 3 Domain 2 – Governance and Management of IT 47
  Governance in General 47
  IT Architecture 51
  IT Policies and Standards 52
  Project Management 54
  Role of the Project Management Office (PMO) 55
  Resource Management 56
  Project Planning 57
  Function Point Analysis 58
  Project Tracking and Oversight 59
  Project Management Tools 59
  GANTT or Bar Charts 60
  Program Evaluation Review Techniques (Also Known as a Network Diagram) 60
  Critical Path Method 61
  Timebox Management 61
  Management of Resource Usage 62
  Auditor’s Role in the Project Management Process 62
  Audit Risk Assessment 63
📄 Page 8
  Audit Planning 65
  Domain 2 – Practice Questions 67
  Domain 2 – Review Questions and Hands-on Exercise 72
  Exercise 2 – Audit of Customer Receivables 72
  You are required to: 73
  Exercise 2 Sample Answer 73
  Domain 2 – Answers to Practice Questions 74
Chapter 4 Domain 3 – Information Systems Acquisition, Development, and Implementation 77
  Systems Acquisition 77
  Cloud-Based Systems Acquisition 79
  Systems Development 80
  The SDLC 81
  The Iterative Model 85
  Prototyping and Rapid Application Development (RAD) 85
  Agile Methodologies 85
  Lean Methodology 87
  Systems Implementation 87
  Systems Maintenance Review 88
  Domain 3 – Practice Questions 90
  Domain 3 – Review Questions and Hands-On Exercise 94
  Exercise 3 95
  Required 96
  Exercise 3 Sample Answer 96
  Domain 3 – Answers to Practice Questions 98
Chapter 5 Domain 4 – Information Systems Operations, Maintenance, and Service Management 101
  Hardware 102
  CPU 102
  Peripherals 102
  Memory 102
  Computer Types 103
  Networks 103
  Storage 104
  Communications 105
  Input 105
  Output 106
  Control 107
  Systems Software 107
  Auditing Operating Systems 107
  People 109
  Job Scheduling 110
  System Interfaces 110
  Frameworks 110
📄 Page 9
  ITIL 112
  Change Management 113
  Change Management in the Use of Cloud-Based Applications 115
  Problem Management 116
  Auditing Change Control 116
  Service Management 116
  Disaster Recovery Planning 117
  Auditing Service Delivery 119
  Domain 4 – Practice Questions 122
  Domain 4 – Review Questions and Hands-On Exercise 125
  Exercise 4 127
  Exercise 4 Sample Answer 127
  Domain 4 – Answers to Practice Questions 128
Chapter 6 Domain 5 – Protection of Information Assets 131
  Protection of Information Assets 132
  Privacy Principles 133
  Design, Implementation, Maintenance, Monitoring, and Reporting of Security Controls 134
  Physical and Environmental Controls and Supporting Practices for the Protection of Information Assets 134
  Physical Access Controls for the Identification, Authentication, and Restriction of Users 135
  Environmental Controls 138
  Logical Access Controls for the Identification, Authentication, and Restriction of Users 139
  Risk and Controls Associated with Virtualization of Systems 139
  Risks and Controls Associated with the Use of Mobile and Wireless Devices 142
  Voice Communications Security 143
  Network and Internet Security Devices, Protocols, and Techniques 143
  Configuration, Implementation, Operation, and Maintenance of Network Security Controls 144
  Encryption-Related Techniques and Their Uses 144
  Public Key Infrastructure (PKI) Components and Digital Signature Techniques 145
  Peer-to-Peer Computing, Instant Messaging, and Web-Based Technologies 146
  Data Classification Standards Related to the Protection of Information Assets 147
  Storage, Retrieval, Transportation, and Disposal of Confidential Information Assets 148
  Data Leakage 148
  Risks in End-User Computing 149
📄 Page 10
  Implementing a Security Awareness Program 149
  Information System Attack Methods and Techniques 150
  Prevention and Detection Tools and Control Techniques 151
  Malware 151
  Phishing 151
  Pharming 151
  Password Attacks 152
  Denial of Service (DoS) Attacks 152
  ‘Man in the Middle’ (MITM) Attacks 153
  Drive-By Downloads 153
  Rogue Software 153
  Ransomware 154
  Spyware and Adware 154
  Social Engineering 155
  Security Testing Techniques 155
  Penetration Testing and Vulnerability Scanning 155
  Monitoring and Responding to Security Incidents 156
  Forensic Investigation and Procedures in Collection and Preservation of the Data and Evidence 156
  Domain 5 – Practice Questions 157
  Domain 5 – Review Questions and Hands-On Exercise 165
  Exercise 5 166
  Exercise 5 Sample Answer 166
  Domain 5 – Answers to Practice Questions 167
Chapter 7 Preparing for the Examination 173
Appendix A: Glossary of Terms 177
Appendix B: CISA Sample Examination – Choose Any 150 Questions 211
Appendix C: Sample Examination Answers 243
Index 245
📄 Page 12
The Complete Guide for CISA Examination Preparation
Introduction
For any organization to survive and compete successfully in today’s environment, successful implementation of appropriate computer systems is essential. Such implementation involves not only the development of appropriate systems, but also their usage, maintenance, and reliability. Protection of information assets, systems availability, data integrity, confidentiality, and robustness have become non-negotiables in the competitive world we face today.
In response to this, ISACA has updated its Certified Information Systems Auditor (CISA) certification as of June 2019 to reflect the changing priorities and industry trends in order to ensure the alignment of the Information Systems Auditor’s knowledge base with the needs of tomorrow’s digital age.
In order for organizations to utilize the leverage achievable with the effective use of IT, it is important that the systems can be relied upon, and they require that the auditors confirm that this is indeed the case. The modern auditors therefore require significantly more knowledge of IT, IT risk, and IT control than did their predecessors.
📄 Page 13
Today’s IT systems process data in high volumes and at high speed with limited or no manual interventions and control opportunities. As a result, the control opportunities previously monitored by management have migrated within the IT environment itself. Fundamental business controls previously relied upon by the auditor, such as segregation of duties and management authorization, are no longer carried out external to the IT environment and must be audited in a different manner.
The concentration of risk resulting from the shift in control implementation means that the balance between preventative, detective, and corrective controls has also had to move into alignment, while technology such as cloud-based systems has moved the basis of legal constraints and burdens of proof in the event of dispute into a whole new arena.
While this may sound negative, these changes can greatly increase opportunities for auditors to deliver quality service because a concentration of risk facilitates the auditors focusing their efforts and utilizing the computer itself to assist in the audit of the IT environment and application systems usage. In addition, built-in program procedures allow the auditor to adopt a systems approach to auditing because the computer encourages consistent execution of controls as opposed to the older manual controls, where execution was, to a large extent, at the mercy of the individual supervisor or manager.
The effect on the audit is that the focus can be on the control environment, its design and implementation, and the substantive testing of the results of individual transactions can be significantly reduced.
Controls within IT systems may be generally classified into two main subdivisions, namely:
• General controls – that is, controls governing the environment within which the computer system is developed, maintained, and operated and within which the application controls operate. These controls include the implementation of appropriate systems development standards, controls over the operation of the computer installation and those governing the functioning and maintenance of system software. As such, they have a pervasive effect on all application systems.
📄 Page 14
• Application controls – these are the controls which operate within the business application to ensure that data is processed completely, accurately, and in a timely manner.
Ultimately, the auditors’ job is to determine if the application systems function as intended and to evaluate management controls to ensure the integrity, accuracy, and completeness of all information processing.
Not only must management rely upon the work done by the auditors, whether internal or external, but they need assurance that the work is carried out to internationally accepted standards and that the audit processes themselves can be relied upon. As such, management seeks independent proof that the work carried out by the auditors meets this standard. The international standard by which IT auditors are judged is the possession of the qualification of Certified Information Systems Auditor (CISA). This designation is awarded by the Information Systems Audit and Control Association (ISACA) based upon demonstrable work experience as well as success in the CISA examination.
ISACA, itself, can trace its roots to the EDP Auditors Association (EDPAA) which was founded in 1969. In 1994 it changed its name to the Information Systems Audit and Control Association and in 2008 rebranded itself as simply ISACA. Today, ISACA consists of more than 145,000 members, of whom 140,000 have achieved the CISA qualification since its inception in 1978.
This examination evaluates the auditors’ knowledge, skills, and expertise in assessing the risks inherent within the specific IT environment and the adequacy and effectiveness of the controls implemented by management.
This book is intended as a study guide for the Certified Information Systems Auditor (CISA) examination and will consist of in-depth explanations of each topic covered within this examination as well as practice questions and tips to highlight key examination information. Each chapter will contain a summary which will serve as a quick review guide, combined with end-of-chapter questions and hands-on exercises. An examination simulation is included to get candidates familiar with the examination structure.
📄 Page 15
CISA is the most recognized certification in the world for information systems auditors and is recognized by all members of the World Trade Organization, including more than 150 governments worldwide. The qualification is intended to affirm:
• The auditors’ experience and knowledge
• The level of knowledge and competency which may be expected of the qualification holder
• The currency of the holder’s knowledge due to the requirements for continuing education
From an employer’s perspective it demonstrates that their IT auditor may be relied upon as a proficient and experienced professional with competencies in all five of the domains covered, including:
• The Process of Auditing Information Systems
• Governance and Management of IT
• Information Systems Acquisition, Development, and Implementation
• Information Systems Operations, Maintenance, and Service Management
• Protection of Information Assets
while at the same time maintaining an up-to-date level of knowledge which can be relied upon as an indicator of the anticipated job performance level.
From an individual auditor’s perspective, the CISA is internationally recognized as a gold standard of IT auditing professionalism. It enhances the acceptability of opinions expressed in the eyes of management and, in general, makes the auditor more marketable for future career opportunities. The auditor can also gain respect from their peers and other technical specialists. For non-specialist auditors who wish to enter the IT auditing specialization, either within the organization or as external consultants, CISA provides a recognized entrance into the booming market of IT auditing. For auditors who wish simply to understand the increasing complexities and risk elements of today’s business environment, understanding the CISA dimensions will assist in the demystification of current and future control complexities.
The book comprises seven chapters.
• Chapter 1 covers the CISA examination itself
📄 Page 16
• Chapter 2 covers Domain 1 – The Process of Auditing Information Systems
• Chapter 3 covers Domain 2 – Governance and Management of IT
• Chapter 4 covers Domain 3 – Information Systems Acquisition, Development, and Implementation
• Chapter 5 covers Domain 4 – Information Systems Operations, Maintenance, and Service Management
• Chapter 6 covers Domain 5 – Protection of Information Assets
• Chapter 7 covers preparing for the examination
• Appendix A contains a glossary of commonly used computer terms
• Appendix B contains 175 CISA-type questions from which the candidate can construct multiple simulated examinations
• Appendix C contains multiple choice answers to the Appendix B questions
📄 Page 18
1
Introduction to the CISA Examination
By the end of this chapter, readers will understand:
• The structure of the CISA examination
• The process of becoming certified
• Requirements for examination participation
• The CISA Domains
• The role of ISACA’s Code of Professional Ethics
• The use and implementation of ISACA Standards
• The need for maintaining continuing professional competency
The Examination Itself
The examination was revised in 2019 and consists of 150 multiple-choice questions to be answered over a four-hour period. The examinations themselves are administered at CBT (Computer Based Testing) locations. The worldwide list of examination sites may be found at https://isacaavailability.psiexams.com/. Due to the variability of examination sites, all prospective candidates should check this list prior to registering and submitting payment for the examination, since registration fees are non-refundable.
Becoming Certified
There is a four-stage process involved in becoming CISA certified.
1. Check the Examination Schedule
Before candidates register and pay their fee, it is critical that they verify there is a test site available in a location the candidate can easily access. Candidates may search by location and date on the ISACA website to ensure that they can take their examination as planned.
📄 Page 19
2. Register for the Examination
Once candidates have verified that there is a suitable testing site available where and when they need it, the candidate can register for their examination. Scheduling for the examination is Step 4.
3. Pay for the Examination
Payment is required before a candidate can schedule their examination; however, it is not required that payment is made at the time of registration. Candidates may pay on registering for CISA, or choose to register, study at their own pace, and pay at a later stage, prior to examination scheduling.
4. Schedule the Examination
Once site availability has been assured and registration and payment made, candidates can schedule their examination. The actual scheduling is managed on the testing partner’s website, not on ISACA.org.
Experience Requirements
It is not essential to have sufficient experience to undertake the CISA examination, but in order to be classified as a full CISA, candidates are required to have five (5) or more years of professional information systems auditing, control, or security work experience. In addition, there is a time limit on application. Starting from the date of initially passing the examination (not the date of original registration for the examination), a completed CISA application must be submitted to ISACA. If this is not submitted within five years from the passing date of the examination, the individual will be required to re-take and re-pass the examination.
Individual experience claimed is required to have been gained within the ten-year period preceding the application date for certification or within five years of passing the examination, and must be verified independently by employers.
Educational Waivers
Individuals registering as CISAs may request waivers for a maximum of three (3) years substitution for actual IT audit experience. Educational waivers may, at ISACA’s discretion, be permitted to substitute for up to two years of experience. At the time of writing, these educational substitutions may be credited.
📄 Page 20
• One year of information systems OR one year of non-IS auditing experience can be substituted for one year of experience.
• 60 to 120 credit hours (two-year or four-year degree) from university – one or two years’ credit respectively.
• A master’s degree in information security or information technology from an accredited university – one year’s credit.
• A bachelor’s or master’s degree from a university that enforces the ISACA-sponsored Model Curricula – one year’s credit, although only where the three years of educational waiver and experience substitution have not already been claimed.
• A candidate who has obtained other degrees, qualifications, and credentials with significant IS auditing, control, assurance, or security components may submit the case to the CISA Certification Committee for consideration.
Passing the Examination
It is not uncommon for highly skilled IS auditors to fail the CISA examination at the first attempt. Generally, this is not due to a lack of knowledge; rather, it is the wrong approach to the examination as a whole, and to the questions in particular, which causes these problems. CISA candidates are expected to have a broad knowledge of the overall concepts and practice of information technology within an organization as well as:
• IS risks.
• The use of controls to mitigate risks.
• The use of the appropriate security features and controls within IS components.
• The roles of the auditor in conducting IS audits, including:
  • Developing an understanding of the risks inherent within the systems as implemented.
  • Understanding the security risks within the specific architecture utilized by the organization.
  • Identification and evaluation of the controls implemented to mitigate these risks.
  • Quantifying weaknesses uncovered and making appropriate recommendations to mitigate these weaknesses and improve the overall control effectiveness.