CISA - download.e-bookshelf.dedownload.e-bookshelf.de/download/0000/5887/98/L-G-0000588798... · He...



CISA®

Certified Information Systems Auditor®

Study Guide, Third Edition


David Cannon


Acquisitions Editor: Jeff Kellum
Development Editor: Sara Barry
Technical Editors: Brady Pamplin and Tim Heagarty
Production Editor: Christine O’Connor
Copy Editor: Sharon Wilkey
Editorial Manager: Pete Gaughan
Production Manager: Tim Tate
Vice President and Executive Group Publisher: Richard Swadley
Vice President and Publisher: Neil Edde
Book Designers: Judy Fung and Bill Gibson
Compositor: Craig Woods, Happenstance Type-O-Rama
Proofreader: Publication Services, Inc.
Indexer: Robert Swanson
Project Coordinator, Cover: Katherine Crocker
Cover Designer: Ryan Sneed
Illustrators: Kayla McGee, Aaron Tate
Reviewers: Eric Phifer, Stace McRae, Joseph Shook, Chuck Write, Everette Hubbard, Khan Hamid, and Connie Kerr

Copyright © 2011 by Wiley Publishing, Inc., Indianapolis, Indiana

ISBN: 978-0-470-61010-7

Published simultaneously in Canada

No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.

Limit of Liability/Disclaimer of Warranty: The publisher and the author make no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation warranties of fitness for a particular purpose. No warranty may be created or extended by sales or promotional materials. The advice and strategies contained herein may not be suitable for every situation. This work is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional services. If professional assistance is required, the services of a competent professional person should be sought. Neither the publisher nor the author shall be liable for damages arising herefrom. The fact that an organization or Web site is referred to in this work as a citation and/or a potential source of further information does not mean that the author or the publisher endorses the information the organization or Web site may provide or recommendations it may make. Further, readers should be aware that Internet Web sites listed in this work may have changed or disappeared between when this work was written and when it is read.

For general information on our other products and services or to obtain technical support, please contact our Customer Care Department within the U.S. at (877) 762-2974, outside the U.S. at (317) 572-3993 or fax (317) 572-4002.

Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic books.

Library of Congress Cataloging-in-Publication Data
Cannon, David L., 1962-
CISA : certified information systems auditor study guide / David L. Cannon. — 3rd ed.
p. cm.
ISBN 978-0-470-61010-7 (pbk.) 978-1-118-03365-4 (ebk.) 978-1-118-03368-5 (ebk.) 978-1-118-03367-8 (ebk.)
1. Computer security—Examinations—Study guides. 2. Information storage and retrieval systems—Security measures—Examinations—Study guides. 3. Computer networks—Security measures—Examinations—Study guides. 4. Management information systems—Auditing—Examinations—Study guides. I. Title.
QA76.3.C3445 2011
005.8—dc22
2010051405

TRADEMARKS: Wiley, the Wiley logo, and the Sybex logo are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used without written permission. CISA and Certified Information Systems Auditor are registered trademarks of ISACA. All other trademarks are the property of their respective owners. Wiley Publishing, Inc., is not associated with any product or vendor mentioned in this book.

10 9 8 7 6 5 4 3 2 1


Dear Reader,

Thank you for choosing CISA: Certified Information Systems Auditor Study Guide, Third Edition. This book is part of a family of premium-quality Sybex books, all of which are written by outstanding authors who combine practical experience with a gift for teaching.

Sybex was founded in 1976. More than 30 years later, we’re still committed to producing consistently exceptional books. With each of our titles, we’re working hard to set a new standard for the industry. From the paper we print on, to the authors we work with, our goal is to bring you the best books available.

I hope you see all that reflected in these pages. I’d be very interested to hear your comments and get your feedback on how we’re doing. Feel free to let me know what you think about this or any other Sybex book by sending me an email at [email protected]. If you think you’ve found a technical error in this book, please visit http://sybex.custhelp.com. Customer feedback is critical to our efforts at Sybex.

Best regards,

Neil Edde
Vice President and Publisher
Sybex, an Imprint of Wiley


This third edition is an ongoing tribute to the students who attended our seminars. Their infinite questions were instrumental in the creation of this Study Guide. I wish to express my appreciation to my past employers and clients for the opportunities that led me down this path.

I have been blessed to work with the best staff on this planet: Joe DeVoss, Kayla McGee, Aaron Tate, Angela Adair, and Jessica Autry.

I would like to express a special appreciation to the following people for their years of encouragement: Carl Adkins, Thomas Carson Jr., Jeff Kellum, Sean Burke, Tarik Nasir, Kris Lonborg, David Bassham, Brady Pamplin, Mark and Kris Herber, Alicia Haskin, Chuck Wright, Eric Phifer, Alicia Haskin, Frank Carter, Chris and Tammy Stevens, Daryl Luthas, Matt and Angelia Gair, Frank Carter, and Gary and Michelle Ames.

I hope reading this little book will help you accomplish your dreams.

Semper Fidelis


Acknowledgments

We would like to thank Acquisitions Editor Jeff Kellum and Development Editor Sara Barry for their vision and guidance. Technical Editor Brady Pamplin was very helpful in providing his expert assistance during the writing of this book. We wish to thank Production Editor Christine O’Connor for keeping the book on track, and for her tireless effort in ensuring that we put out the best book possible. We would also like to thank Bonny Andresen, Copy Editor Sharon Wilkey, Compositor Craig Woods at Happenstance Type-O-Rama, Illustrators Kayla McGee, Aaron Tate, TK, Proofreader Publication Services, and Indexer Robert Swanson for their polished efforts to make certain this third edition became a reality.


About the Author

David L. Cannon, CISA, is President and founder of CertTest Training Center, a leading CISA training provider. David has over three decades of practical experience in management and consulting in business development, compliance, IT operations, security and training in such industries as retail, distribution, healthcare, manufacturing, technology and finance. He regularly teaches CISA, BSC, PMP, CISSP and other management seminars across North America with a holistic approach. He’s a long-time pilot surviving major engine failures without even scratching the paint. David is committed to helping provide readers the implementation skills necessary for you to be successful. With his latest edition, CISA candidates can rest assured they have the most current self-study content available to advance their career.


Contents at a Glance

Introduction xxiii

Assessment Test xlvii

Chapter 1 Secrets of a Successful Auditor 1

Chapter 2 Managing IT Governance 53

Chapter 3 Audit Process 131

Chapter 4 Networking Technology Basics 205

Chapter 5 Information Systems Life Cycle 279

Chapter 6 System Implementation and Operations 349

Chapter 7 Protecting Information Assets 417

Chapter 8 Business Continuity and Disaster Recovery 501

Appendix A About the Companion CD 555

Glossary 559

Index 605


Contents

Introduction xxiii

Assessment Test xlvii

Chapter 1 Secrets of a Successful Auditor 1

Understanding the Demand for IS Audits 3
  Executive Misconduct 3
  More Regulation Ahead 5
  Basic Regulatory Objective 6
  Governance is Leadership 8
  Audit Results Indicate the Truth 9
Understanding Policies, Standards, Guidelines, and Procedures 9
Understanding Professional Ethics 11
  Following the ISACA Code 11
  Preventing Ethical Conflicts 13
Understanding the Purpose of an Audit 14
  Classifying Basic Types of Audits 15
  Determining Differences in Audit Approach 15
  Understanding the Auditor’s Responsibility 16
  Comparing Audits to Assessments 16
Differentiating Between Auditor and Auditee Roles 17
  Applying an Independence Test 18
Implementing Audit Standards 19
  Where Do Audit Standards Come From? 20
  Understanding the Various Auditing Standards 22
  Specific Regulations Defining Best Practices 25
  Audits to Prove Financial Integrity 28
Auditor Is an Executive Position 29
  Understanding the Importance of Auditor Confidentiality 30
  Working with Lawyers 30
  Working with Executives 31
  Working with IT Professionals 31
  Retaining Audit Documentation 32
  Providing Good Communication and Integration 33
  Understanding Leadership Duties 33
  Planning and Setting Priorities 34
  Providing Standard Terms of Reference 35
  Dealing with Conflicts and Failures 36
  Identifying the Value of Internal and External Auditors 36
  Understanding the Evidence Rule 37
  Stakeholders: Identifying Who You Need to Interview 38


Understanding the Corporate Organizational Structure 39
  Identifying Roles in a Corporate Organizational Structure 39
  Identifying Roles in a Consulting Firm Organizational Structure 42
Summary 43
Exam Essentials 43
Review Questions 45
Answers to Review Questions 50

Chapter 2 Managing IT Governance 53

Strategy Planning for Organizational Control 55
  Overview of the IT Steering Committee 58
  Using the Balanced Scorecard 63
  IT Subset of the BSC 67
  Decoding the IT Strategy 68
  Specifying a Policy 70
  Project Management 72
  Implementation Planning of the IT Strategy 80
  Using COBIT 82
  Identifying Sourcing Locations 83
  Conducting an Executive Performance Review 88
  Understanding the Auditor’s Interest in the Strategy 88
Overview of Tactical Management 88
Planning and Performance 89
  Management Control Methods 89
  Risk Management 93
  Implementing Standards 96
  Human Resources 97
  System Life-Cycle Management 98
  Continuity Planning 99
  Insurance 99
  Performance Management 99
Overview of Business Process Reengineering 101
  Why Use Business Process Reengineering 101
  BPR Methodology 102
  Genius or Insanity? 102
  Goal of BPR 103
  Guiding Principles for BPR 103
  Knowledge Requirements for BPR 104
  BPR Techniques 105
  BPR Application Steps 105
  Role of IS in BPR 108
  Business Process Documentation 109
  BPR Data Management Techniques 109


  Benchmarking as a BPR Tool 110
  Using a Business Impact Analysis 111
  BPR Project Risk Assessment 112
  Practical Application of BPR 115
  Practical Selection Methods for BPR 117
  Troubleshooting BPR Problems 118
  Understanding the Auditor’s Interest in Tactical Management 119
Operations Management 119
  Sustaining Operations 120
  Tracking Performance 120
  Controlling Change 120
  Understanding the Auditor’s Interest in Operational Delivery 121
Summary 121
Exam Essentials 122
Review Questions 123
Answers to Review Questions 128

Chapter 3 Audit Process 131

Understanding the Audit Program 132
  Audit Program Objectives and Scope 133
  Audit Program Extent 134
  Audit Program Responsibilities 135
  Audit Program Resources 136
  Audit Program Procedures 137
  Audit Program Implementation 137
  Audit Program Records 138
  Audit Program Monitoring and Review 139
  Planning Individual Audits 140
Establishing and Approving an Audit Charter 141
  Role of the Audit Committee 143
Preplanning Specific Audits 144
  Understanding the Variety of Audits 145
  Identifying Restrictions on Scope 147
  Gathering Detailed Audit Requirements 148
  Using a Systematic Approach to Planning 150
  Comparing Traditional Audits to Assessments and Self-Assessments 151
Performing an Audit Risk Assessment 153
Determining Whether an Audit Is Possible 154
  Identify the Risk Management Strategy 155
  Is This Audit Feasible? 156


Performing the Audit 158
  Selecting the Audit Team 158
  Determining Competence and Evaluating Auditors 158
  Ensuring Audit Quality Control 161
  Establishing Contact with the Auditee 161
  Making Initial Contact with the Auditee 162
  Using Data Collection Techniques 164
  Conducting Document Review 165
  Understanding the Hierarchy of Internal Controls 167
  Reviewing Existing Controls 169
  Preparing the Audit Plan 171
  Assigning Work to the Audit Team 172
  Preparing Working Documents 173
  Conducting Onsite Audit Activities 174
Gathering Audit Evidence 175
  Using Evidence to Prove a Point 175
  Understanding Types of Evidence 176
  Selecting Audit Samples 176
  Recognizing Typical Evidence for IS Audits 178
  Using Computer-Assisted Audit Tools 178
  Understanding Electronic Discovery 181
  Grading of Evidence 182
  Timing of Evidence 184
  Following the Evidence Life Cycle 184
Conducting Audit Evidence Testing 187
  Compliance Testing 187
  Substantive Testing 188
  Tolerable Error Rate 189
  Record Your Test Results 189
  Generate Audit Findings 190
Report Findings 192
  Approving and Distributing the Audit Report 194
  Identifying Omitted Procedures 194
Conducting Follow-Up (Closing Meeting) 194
Summary 195
Exam Essentials 196
Review Questions 198
Answers to Review Questions 203

Chapter 4 Networking Technology Basics 205

Understanding the Differences in Computer Architecture 206
Selecting the Best System 211
  Identifying Various Operating Systems 211
  Determining the Best Computer Class 214


  Comparing Computer Capabilities 216
  Ensuring System Control 217
  Dealing with Data Storage 218
  Using Interfaces and Ports 222
Introducing the Open Systems Interconnect Model 225
  Layer 1: Physical Layer 228
  Layer 2: Data-Link Layer 228
  Layer 3: Network Layer 230
  Layer 4: Transport Layer 236
  Layer 5: Session Layer 237
  Layer 6: Presentation Layer 237
  Layer 7: Application Layer 238
  Understanding How Computers Communicate 239
Understanding Physical Network Design 240
Understanding Network Topologies 241
  Identifying Bus Topologies 241
  Identifying Star Topologies 242
  Identifying Ring Topologies 242
  Identifying Meshed Networks 244
Differentiating Network Cable Types 245
  Coaxial Cable 246
  Unshielded Twisted-Pair (UTP) Cable 246
  Fiber-Optic Cable 247
Connecting Network Devices 248
Using Network Services 250
  Domain Name System 251
  Dynamic Host Configuration Protocol 252
Expanding the Network 254
  Using Telephone Circuits 255
  Using Wireless Access Solutions 259
  Summarizing the Various Area Networks 262
Using Software as a Service (SaaS) 263
  Advantages 264
  Disadvantages 264
  Cloud Computing 264
Managing Your Network 265
  Syslog 266
  Automated Cable Tester 267
  Protocol Analyzer 267
  Simple Network Management Protocol 267
  Remote Monitoring Protocol Version 2 268
Summary 269
Exam Essentials 269
Review Questions 271
Answers to Review Questions 276


Chapter 5 Information Systems Life Cycle 279

Governance in Software Development 280
Management of Software Quality 281
  Capability Maturity Model 281
  International Organization for Standardization 283
Overview of the Executive Steering Committee 287
  Identifying Critical Success Factors 287
  Using the Scenario Approach 288
  Aligning Software to Business Needs 288
Change Management 292
Management of the Software Project 292
  Choosing an Approach 292
  Using Traditional Project Management 294
Overview of the System Development Life Cycle 295
  Phase 1: Feasibility Study 299
  Phase 2: Requirements Definition 303
  Phase 3: System Design 307
  Phase 4: Development 311
  Phase 5: Implementation 322
  Phase 6: Postimplementation 327
  Phase 7: Disposal 329
Overview of Data Architecture 330
  Databases 330
  Database Transaction Integrity 334
Decision Support Systems 335
  Presenting Decision Support Data 337
  Using Artificial Intelligence 337
Program Architecture 338
  Centralization versus Decentralization 338
  Electronic Commerce 338
Summary 340
Exam Essentials 340
Review Questions 342
Answers to Review Questions 346

Chapter 6 System Implementation and Operations 349

Understanding the Nature of IT Services 350
Performing IT Operations Management 352
  Meeting IT Functional Objectives 352
  Using the IT Infrastructure Library 353
  Supporting IT Goals 356
  Understanding Personnel Roles and Responsibilities 356
  Using Metrics 360


  Evaluating the Help Desk 362
  Performing Service-Level Management 363
  Outsourcing IT Functions 364
Performing Capacity Management 365
Using Administrative Protection 366
  Information Security Management 366
  IT Security Governance 367
  Authority Roles over Data 368
  Data Retention Requirements 369
  Document Access Paths 370
  Personnel Management 371
  Physical Asset Management 372
  Compensating Controls 374
Performing Problem Management 375
  Incident Handling 376
  Digital Forensics 378
Monitoring the Status of Controls 380
  System Monitoring 381
  Log Management 382
  System Access Controls 382
  Data File Controls 385
  Application Processing Controls 386
  Antivirus Software 388
  Active Content and Mobile Software Code 389
  Maintenance Controls 391
Implementing Physical Protection 394
  Data Processing Locations 396
  Environmental Controls 397
  Safe Media Storage 404
Summary 406
Exam Essentials 407
Review Questions 409
Answers to Review Questions 414

Chapter 7 Protecting Information Assets 417

Understanding the Threat 418
  Recognizing Types of Threats and Computer Crimes 420
  Identifying the Perpetrators 421
  Understanding Attack Methods 424
  Implementing Administrative Protection 436
Using Technical Protection 439
  Technical Control Classification 439
  Application Software Controls 440
  Authentication Methods 441


  Network Access Protection 453
  Firewall Protection for Wireless Networks 468
  Intrusion Detection 470
  Encryption Methods 472
  Public-Key Infrastructure 476
  Network Security Protocols 483
  Design for Redundancy 487
  Telephone Security 488
  Technical Security Testing 489
Summary 490
Exam Essentials 491
Review Questions 493
Answers to Review Questions 498

Chapter 8 Business Continuity and Disaster Recovery 501

Debunking the Myths 502
  Myth 1: Facility Matters 503
  Myth 2: IT Systems Matter 503
  From Myth to Reality 503
Understanding the Five Conflicting Disciplines Called Business Continuity 504
  Defining Disaster Recovery 505
  Surviving Financial Challenges 505
  Valuing Brand Names 505
  Rebuilding after a Disaster 506
Defining the Purpose of Business Continuity 507
  Uniting Other Plans with Business Continuity 510
Identifying Business Continuity Practices 510
  Following a Program Management Approach 513
Understanding the Five Phases of Business Continuity Program 514
  Phase 1: Setting Up the BC Program 514
  Phase 2: The Discovery Process 517
  Phase 3: Plan Development 523
  Phase 4: Plan Implementation 541
  Phase 5: Maintenance and Integration 544
Understanding the Auditor Interests in BC/DR Plans 544
Summary 545
Exam Essentials 545
Review Questions 547
Answers to Review Questions 551


Appendix A About the Companion CD 555

What You’ll Find on the CD 556
  Sybex Test Engine 556
  Electronic Flashcards 556
  PDF of the Book 556
  Adobe Reader 556
System Requirements 556
Using the CD 557
Troubleshooting 557
Customer Care 557

Glossary 559

Index 605


Introduction

This book is designed for anyone interested in taking the Certified Information Systems Auditor (CISA) exam. The CISA certification is one of the hottest in the market, with annual growth in excess of 28 percent, according to the Information Systems Audit and Control Association (ISACA), the governing organization.

It is a trend worldwide for organizations to have to implement and prove the existence of strong internal controls. You may have heard of a few of these, such as the following:

- International Basel III accord for risk management in banking
- COSO, which includes the Sarbanes-Oxley Act (SOX) for public corporations
- U.S. Federal Information Security Management Act (FISMA)
- Payment card industry (PCI) standards for credit card processing
- Health Insurance Portability and Accountability Act (HIPAA)

These are just five of more than twenty high-profile regulations that demand audited proof of internal controls. Frankly, these result in a long list of opportunities for a CISA. This may be the opportunity that you have been looking for, especially if you come from a background of finance or technology.

What Is the CISA Certification?

ISACA offers the most recognized certification in the world for IS auditors: the Certified Information Systems Auditor (CISA) certification. It is recognized worldwide by all corporations and 153 governments of the World Trade Organization. ISACA has active members in more than 140 countries and is recognized as the de facto leader in IT governance, control, and assurance. This association was founded in 1969 as the Electronic Data Processing Auditors Association, with an objective to develop specific international IS auditing and control standards derived from the worldwide financial controls issued by Committee of Sponsoring Organizations (COSO). As a result, ISACA has created the number one information systems audit certification in the world, the CISA.

ISACA controls and administers the CISA exam worldwide. More than 50,000 professionals have earned their CISA to date. It is one of the most requested credentials in governance and consulting.

What Is the Job Market for Certified IS Auditors?

The CISA world is still moving forward. After the worldwide banking collapse of 2008, corporations are hiring and retaining consultants in an effort to prove compliance before they get caught short. Consulting companies also hire CISA-certified professionals to help service clients. Large and small organizations are finding themselves at a competitive disadvantage if they’re unable to demonstrate a stronger level of internal controls. The myth of an organization being “too big to fail” has officially proven to be false. I’ll show you examples as evidence of this in Chapter 1.


One of the fundamental rules of auditing is that participating in the remediation (fixing) of problems found during the audit would compromise the auditor’s independence. Under the rules of independence, the independent auditor must remain independent to certify the results as valid. A second, unrelated auditor should perform remediation work. The requirements for regulatory compliance are ongoing, and that means remediation at some level will be ongoing too. In other words, the auditor requirement is actually doubled. The opportunity for you is available right now.

For many years, organizations have undergone the scrutiny of financial audits. As financial systems have become more and more complex, computer automation has introduced new concerns over the integrity of electronic financial records. In the past, an organization would simply hire a certified public accountant to review their financial records and attest to their integrity. Larger organizations would hire certified internal auditors to assist with reviewing internal controls of the business to help reduce the ongoing cost of external audits. Now, the long list of regulations requiring internal controls has focused attention on the information systems. Computers are now the house in which the financial records live. The CISA is the top credential for auditing IS and related internal controls. If you can’t prove integrity of the computer environment, you can’t trust the integrity of electronic records either.

Why Become a CISA?

So, why become a CISA? The answer: credibility and opportunity. Many people proclaim themselves to be IS auditors. The majority of uncertified auditors are no more than well-meaning individuals who habitually violate the official audit standards. Here is a short list of the benefits associated with becoming a CISA:

Demonstrates Proof of Professional Achievement The CISA certification provides evidence that you have prior audit experience and are able to pass a rigorous certification exam. The exam tests your knowledge of auditing practices related to information systems. The test itself is loaded with technical challenges that require a significant understanding of technology. Your CISA certification shows that you understand the fundamentals of applying audit concepts to the abstract world of information systems. A CISA is expected to lead an audit in accordance with widely accepted audit practices. Being certified demonstrates to the world that your experience represents a significant value.

Provides Added Value to Your Employer Today’s employers are savvy to the value of training. Your CISA study is expected to illuminate new methods to improve your skills on the job. It’s fairly common for individuals to start their career by mimicking a more senior person performing a similar job (as the saying goes, monkey see, monkey do). Our goal is to shine the light on specific practices that you should have been following, even if you never heard of them before. Your job performance will improve after you learn the proper foundation and CISA resources.

Provides an Assurance of Quality to Your Clients Audit clients are a demanding breed of individuals. The fate of the client’s organization may rest on the findings detailed in the auditor’s report. There is little room for mistakes. The CISA credential indicates that you are a person who would be trustworthy to deliver accurate results. Who would you trust to represent you: a person with no proof, or someone who can demonstrate an independent measurement of credibility? The person reading the audit report needs to understand that your work is accurate. Clients will direct capital and resources to be expended according to the report you provide. The CISA certification represents a third-party audit of your basic audit knowledge. It helps prove your credibility.

Increases Your Market Value The CISA credential helps separate you from the mass of self-proclaimed auditors. Many organizations regard the CISA as the hallmark of professionalism. There is no better way to attract the favorable attention of management. It does not matter whether you’re internal or external to the organization—the credential speaks for itself. Government regulations with more-intrusive requirements are becoming a growing concern for executives. Your customer may not understand all the details necessary to describe the job of an auditor; however, your client will recognize that an experienced auditor with the CISA certification is usually the best choice to fulfill their needs. In addition, audit firms can bill more money for certified professionals.

Provides a Greater Opportunity for Advancement Every organization strives for good people who are motivated. What does the lack of certification say about someone? Is it that they are unmotivated? Could it be that they are not capable? Or is it simply that they are afraid to try? No manager in their right mind would promote an individual who has not proven their value. Taking the time to get trained and certified shows the world that you are motivated, that you are somebody who wants to get things done. That trait alone can get you promoted. Instead of using words to describe your ability, you can prove it with your CISA credential. People will know that you’re serious about your job and will treat you accordingly.

Builds Respect and Confidence from Other People The world today is extremely specialized. Consider that many things of premium value in today’s world are certified. We have certified used cars, certified mail, certified public accountants, certified travel agents, certified lawyers, and even certified Subway sandwich artists. The people you meet may not completely understand what is involved in being a CISA. However, they will understand that you have expended time and energy to obtain the certification. You will gain their respect because of the effort you’ve demonstrated. If given the choice, almost everyone would choose to use a person who is certified. The CISA is a major step toward the widespread credibility that you desire.

Who Should Buy This Book?

If you’re serious about becoming a professional CISA auditor, this is the book to study for your exam. If you’re curious about becoming an auditor, in this book you will learn how the auditor’s job is actually done.

The people entering the CISA profession are usually one of the following:

- IT professionals with a desire to expand into the lucrative world of consulting

- Financial professionals looking for upward mobility with new challenges

- Internal auditors seeking to demystify the control issues within IT

This book is unique in the field of IS auditing. You will benefit by learning the workflow, methods, and decision points necessary to be a successful auditor. Each chapter builds step-by-step toward obtaining your goal. Inside this book are important details about how to accomplish your job, the exam objectives for each chapter, and all of the most important auditing concepts.

Why Is This Book My Best Choice?

This book is specifically designed to help you become a well-respected CISA. No jumbled brain dumps or answer cramming in here. We have been teaching very successful CISA seminars for several years with outstanding career results. This book will not replace a $1,000 seminar, but it will help you pass the exam. Your CISA exam alone is just a small steppingstone in your professional life. Passing the exam does not prove you will be a good auditor. It simply gives your client a reason to listen to you for another 15 seconds. Now you have 15 seconds to prove you know what you are talking about.

Imagine telling someone that you are a certified juggler of flaming swords. You can bet their next comment would be, “Light up the swords and start juggling”—show me your skill. Clients are impressed when they see the results, not by you passing an exam. Our goal is to take you through the CISA material better than anyone else by showing you the “how and why” of performing IS audits:

- If you are familiar with technology, this book will help you understand how the auditor must act to be successful.

- If you come from a financial background, we’re going to take you through an introductory tour of technology. The CISA is not a technician’s test. Our explanations in this book are technically correct and designed to be simple to understand.

Many opinions exist about how the information systems audit should be performed. This book covers a combination of the official auditing standards of COSO, ISO, and ISACA. These are necessary for you to be successful. Rest assured that these standards are not in conflict with each other. You’ll find that this book contains the valuable information necessary to operate an internal audit or a successful consulting practice. Initially our focus is on helping you pass your exam. However, you will discover that this information can help you earn a great deal more than a paper certificate, if you apply it.

Each chapter in this book has been arranged in a logical sequence focusing on a practical application. ISACA produces fine materials written by committees of authors, each contributing a handful of their own pages. We have chosen to take a different route. The material in this book is written in a complete logical sequence of application that we would use to teach our own staff prior to an audit engagement. Every point you read will build your knowledge through to the subsequent pages of this Study Guide. The analogy is comparable to building a pyramid. You’ll start with gaining a firm understanding of the basics and build your way up to the advanced material with almost no duplication. We strongly suggest that you read the book in sequence, without skipping ahead.

How to Become a CISA

The CISA designation is given to individuals who have demonstrated their ability to fulfill the following five requirements:

Pass the CISA Exam The CISA examination is offered two times a year, once in June and again in December. You have to register for the test three months before it is administered. You can register online at www.isaca.org or by mail. You take the test with pencil and paper in front of a live test proctor. The examination is 200 multiple-choice questions, and there is a 4-hour time limit. A grade equal to 75 percent is required to pass the CISA examination, and you must be in the top 1/3 of ISACA’s grading curve.

Professional Experience in Information Systems Auditing, Control, or Security To qualify for certification, you must demonstrate five years of IS auditing experience. ISACA will accept up to two years of substitution toward the work experience requirement, as follows:

Related Experience Substitution You can substitute a maximum of one year of experience from financial or operational auditing, or from information systems experience.

College Credit Hour Substitution The equivalent of an associate or bachelor’s degree can be substituted for one or two years, respectively (60 hours or 120 hours).

University Instructor Experience Substitution A full-time university instructor can substitute two years of on-the-job experience toward one year of the IS auditing control or information security experience.

Your CISA test results are valid for five years from the examination date. Even without any experience at this time, you can take the examination. Certification will be awarded only after you have provided verification of desired work experience (of five years or the equivalent). ISACA limits acceptable experience to that which has occurred within 10 years prior to your application date.

Continuous Adherence to ISACA’s Code of Professional Ethics Trust and integrity are paramount to the auditor’s profession. You will be required to pledge your ongoing support for adherence to the IS auditor’s code of professional ethics.

Continuing Education in the Audit Profession You are required to continuously improve your skills. Continuing education is the best method of maintaining an individual’s competency. Learning new skills with new certifications will improve your professional abilities. Demonstrating a commitment to continuing education differentiates qualified CISAs from those who have not fulfilled their professional responsibilities. You will be required to demonstrate a minimum of 20 contact hours of training each year, which must total 120 contact hours in a three-year period.

Adherence to Well-Established IS Auditing Standards The purpose of auditing standards is to ensure quality and consistency. Auditors who fail to meet these standards place clients, themselves, and the profession in peril. ISACA provides excellent information to guide auditors through their professional responsibilities. The auditing standards are based on well-recognized professional practices applied worldwide. The auditor’s job is to apply these standards while providing excellent notes so others can independently reproduce the exact same results. Good work is proven when evidence testing is verified through matching identical results from other auditors.

How to Use This Book and CD

This book is organized into eight chapters. Each begins with a list of chapter objectives that relate directly to the CISA exam.

An “Exam Essentials” section appears near the end of every chapter to highlight the topics that you’re likely to encounter during your exam. These exam essentials are intended to provide guiding thoughts rather than a laundry list of details. Our goal is to help you focus on the higher-level objectives from each chapter as you move into the next chapter.

At the end of every chapter are approximately 25 basic review questions with explanations, and more questions are available online. You can use these basic review questions to help gauge your level of understanding and better focus your study effort. As you finish each chapter, you should review the questions and check whether your answers are correct. If not, you should really read the section again. Look up any incorrect answers and research why you may have missed the question. It may be a case of failing to read the question and properly considering each of the possible answers. It could also be that you did not understand the information. Either way, going through the chapter a second time would be valuable.

We have included several testing features in the book and on the companion CD. Following this introduction is an assessment test that will help you gauge your study requirements. Take this test before you start reading the book. It will help you identify areas that are critical to your success. The answers to the assessment test appear after the last question. Each question includes a short explanation with information directing you to the appropriate chapter for more information.

Included on this book’s CD are two bonus exams of 80 questions each. In addition, there are more than 300 flash cards. You should use this Study Guide in combination with your other materials to prepare for the exam.

Take these practice exams as if you were taking the real exam. Just sit down and start the exam without using any reference material. We suggest that you study the material in this book in conjunction with the related ISACA references on IS auditing standards. The official CISA exam is very challenging. Most individuals will barely finish the exam before time runs out. Fortunately for you, our students have a high success rate. You have it within you to become the next certified CISA.

You are ready for your CISA exam when you score higher than 90 percent on the practice examinations and chapter reviews.

A copy of this book is on the CD in Adobe Acrobat PDF format for easy reading on any computer, iPad, or Kindle.

The practice exams included on the CD are timed to match the pace of your actual CISA exam.