
The CISA Prep Guide: Mastering the Certified Information Systems Auditor Exam

John Kramer


The WILEY advantage

Dear Valued Customer,

We realize you’re a busy professional with deadlines to hit. Whether your goal is to learn a new technology or solve a critical problem, we want to be there to lend you a hand. Our primary objective is to provide you with the insight and knowledge you need to stay atop the highly competitive and ever-changing technology industry.

Wiley Publishing, Inc., offers books on a wide variety of technical categories, including security, data warehousing, software development tools, and networking — everything you need to reach your peak. Regardless of your level of expertise, the Wiley family of books has you covered.

• For Dummies — The fun and easy way to learn
• The Weekend Crash Course — The fastest way to learn a new tool or technology
• Visual — For those who prefer to learn a new topic visually
• The Bible — The 100% comprehensive tutorial and reference
• The Wiley Professional list — Practical and reliable resources for IT professionals

The book you hold now, The CISA Prep Guide: Mastering the Certified Information Systems Auditor Exam, is the first comprehensive and commercially available preparation guide to offer CISA study materials. The book provides definitions and background on all of the seven content areas of CISA, along with sample test questions and explanations of answers. Whether you are an information systems auditor, an IS audit manager, a CISSP or SSCP professional, or a professional who needs to get up to speed on IS systems, this book with its Boson-powered, interactive CD test-prep engines should provide all you need to know to prepare for the CISA exam.

Our commitment to you does not end at the last page of this book. We’d like to open a dialog with you to see what other solutions we can provide. Please be sure to visit us at www.wiley.com/compbooks to review our complete title list and explore the other resources we offer.

If you have a comment, suggestion, or any other inquiry, please locate the “contact us” link at www.wiley.com. Thank you for your support and we look forward to hearing from you and serving your needs again in the future.

Sincerely,
Richard K. Swadley
Vice President & Executive Group Publisher
Wiley Technology Publishing



Publisher: Bob Ipsen
Executive Editor: Carol A. Long
Editorial Manager: Kathryn A. Malm
Managing Editor: Angela Smith
New Media Editor: Brian Snapp
Text Design & Composition: Wiley Composition Services

This book is printed on acid-free paper.

Copyright © 2003 by John Kramer. All rights reserved.

Published by Wiley Publishing, Inc., Indianapolis, Indiana
Published simultaneously in Canada

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 750-4470. Requests to the Publisher for permission should be addressed to the Legal Department, Wiley Publishing, Inc., 10475 Crosspoint Blvd., Indianapolis, IN 46256, (317) 572-3447, fax (317) 572-4447, E-mail: permcoordinator@wiley.com.

Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.

Trademarks: Wiley, the Wiley Publishing logo and related trade dress are trademarks or registered trademarks of Wiley Publishing, Inc. in the United States and other countries, and may not be used without permission. CISA is a trademark or registered trademark of Electronic Data Processing Auditors Association, Inc. All other trademarks are the property of their respective owners. Wiley Publishing, Inc. is not associated with any product or vendor mentioned in this book.

For general information on our other products and services please contact our Customer Care Department within the United States at (800) 762-2974, outside the United States at (317) 572-3993 or fax (317) 572-4002.

Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic books.

Library of Congress Cataloging-in-Publication Data:

ISBN 0-471-25032-5

Printed in the United States of America

10 9 8 7 6 5 4 3 2 1

Contents

Introduction xi

Chapter 1 The Information System Audit Process
  IS Auditing Standards
  Risk-Based Approach
  Know Your Business
  Controls
    Preventive Controls
    Detective Controls
    Corrective Controls
  Types of Audit Engagements
  SAS 70
  The Audit Organization
  Audit sessment Audits
  Audit Staffing
  Planning the Individual Audit
  IS Audit Types
  Risk Assessment
  CobiT
  Audit Objectives and Scope
  Using the Work of Other Auditors
  Impact of Outsourcing on IS Audits
  Independence of an Auditor
  Audit

  Creating and Maintaining Work Papers
    Due Care
    Cover Sheet
    Key Documents
    Background
    Planning and Risk Assessment
    Audit Program
    Test Work and Evidence
    Post-Audit Checklist
  Fieldwork
    Control Objectives and Audit Approach
    Referencing
  Obtaining Evidence to Achieve the Audit Objectives
    Flowcharts
    Documentation firmation
    Reperformance
    Monitoring
    Test Work
    CAATs
    Management Control Reports
    Sampling
  Preparing Exhibits
  Identifying Conditions and Defining Reportable Findings
    Conclusions
    Identification of Control Weaknesses
    Summarizing Identified Weaknesses into Findings
    Root Cause Analysis
    Value-Added Recommendations
  Reasonable Assurance through a Review of Work
    The AIC and the Next Level Review of the Work Performed
    Peer Review
  Communicating Audit Results and Facilitating Change
    Report on
  Web Sites
  Sample Questions

Chapter 2 Management, Planning, and Organization of Information Systems
  Evaluate the IS Strategy and Alignment with the Business Objectives
    Systems Architecture
  Evaluate the IS Organizational Structure
    Roles and Responsibilities
    Qualification and Training of the IS Staff
  Evaluating IS Policies, Standards, and Procedures
    Policy
    Standards
    Procedures
  Evaluating Third-Party Services Selection and Management
    Contract Management
    Service Level Agreements
  Evaluating Project Management
  Evaluating Change Management
  Evaluating Problem Management
  Evaluating Quality Management
    System Development Life Cycle (SDLC)
    Quality Assurance Standards and Procedures
  Evaluating Performance Management
    Key Performance Indicators (KPIs)
    Performance Measurement Techniques
  Evaluating Capacity Management
    Economic Performance Practices
  Evaluating Information Security Management
  Evaluating Business Continuity Management
  Evaluating IS Management Practices and Policy Compliance
  Resources
  Sample Questions

Chapter 3 Technical Infrastructure and Operational Practices
  Evaluating Systems Software
    Operating Systems
    Database Management Systems
    Multi-Tier Client/Server Configuration Implications
    Security Packages
    Operations Management Consoles
  Evaluating Hardware Acquisition, Installation, and Maintenance
    Installation
    Maintenance
  Evaluating Network Infrastructure
    Voice Networks
    Data Networks

  Evaluating IS Operational Practices
    Computer Operations
    Printer Operators
    Media Library Management
    Physical Access to Operations Areas
    Help Desk and User Support
    Job Scheduling
    Configuration Management
    Asset Management
    Change Management
  Evaluating System Performance
    Monitoring Techniques, Processes, and Tools
    Capacity Planning
    Problem Management
    Service Level Agreements (SLAs)
  Resources
  Sample Questions

Chapter 4 Protection of Information Assets
  Security Risks and Review Objectives
    The Security Officer’s Role
    Privacy Risk
  The Security Program
    Policy and Standards
    Periodic Security Assessments and Planning
    Designing Security from the Start
    Identification, Authentication, and Authorization
    Need to Know
    Security Controls Economics
    Role-Based Access
  Evaluating Account Administration
    User Account Management
    Single Sign-On Solutions
    Application Design Security
    Application and Data Access
    Information Ownership and Custodianship
  Evaluating Logical Access Controls
    Good Passwords
    Strong Authentication
    PKI and Digital Signatures
    Biometric Access Controls
    Network User Access
    Information Security Architecture
    Security Plans and Compliance
    Host-Based

  Evaluating Network Infrastructure Security
    Firewalls
    Demilitarized Zones (DMZs)
    Proxies
  Evaluating Encryption Techniques
    Virtual Private Networks (VPNs)
    Web Access Controls
    Email Security
    Virus Protection
    Logging and Monitoring
    Network Intrusion Detection
    Incident Response
    Security Testing Tools
    Third-Party Connections
  Evaluating Security Awareness
    Social Engineering
  Evaluating Environmental Controls
    Electrical Power
    Temperature
    Fire Suppression
    Humidity
    Maintenance
  Evaluating Physical Access Controls and Procedures
    Visitor and Vendor Access
    The Physical Location, Security Measures, and Visibility Profile
    Personnel Safety
    Hard Copy Information Protection
  Resources
  Sample Questions

Chapter 5 Disaster Recovery and Business Continuity
  The Business Case for Continuity Planning
  The Process of Planning for Adequate Recovery and Continuity
  Evaluating Business Impact Analysis and the Requirements-Definition Processes
  Evaluating Media and Documentation Back Up Procedures
  Evaluating Recovery Plans, Documentation, and Maintenance
  Evaluating Alternative Business Processing Plans and Associated Training
    Business Processing Alternatives
    Training Evaluation

  Evaluating Testing Methods, Results Reporting, and Follow-Up Processes
    Reporting Evaluation
    Follow-Up
  Resources
  Sample Questions

Chapter 6 Business Application Systems Development, Acquisition, Implementation, and Maintenance
  Evaluation Approach
  Systems Development Approaches and Management
    Project Management
    Functional Requirements
    Requirements Definitions
    Feasibility Analysis
    System Specifications
    System Design
    Quality Assurance Planning and Review Processes
    System Development
    Change Control Methodologies
    Third-Party Participation
    Documentation and Standards
    Data Management, Security, and Audit Functionality
    Testing and Code Promotion
    Training
    Concluding on the Development Process
  Acquisition
    Evaluate the Application System Acquisition and Implementation Process
    Vendor Management and Escrow
  Implementation
    Conversion
    Problem Management and Escalation
    Emergency Change Management
  Post-Implementation
    Acceptance and Post-Implementation Review
  Evaluating the Maintenance and Enhancement Processes
    Versioning and Release Packaging
  Resources
  Sample Questions

Chapter 7 Business Process Evaluation and Risk Management
  Corporate Governance
  Evaluating the Effectiveness of the Information Systems in Supporting the Business Process
    Best Practice Business Process Design
    Management Controls

    Key Performance Indicators (KPIs)
  Evaluating Business Process Reengineering Projects
    Assessing Performance and Customer Satisfaction
    E-Business Applications in Support of Business
  Evaluating the Design and Implementation of Risk Controls
    Preventive Controls
    Detective Controls
    Corrective Controls
    Automated or Programmed Controls
    Manual Controls
    Cost-Benefit Analysis of Control Efforts
  Evaluating Risk Management and Governance Implementation
    Risk Analysis
    Control Identification
    Gap Analysis and Reporting
  Independent Assurance
    Provisions for Independent Audits
  Resources
  Sample Questions

Appendix A Answers to Sample Exam Questions 465
  Chapter 1—The IS Audit Process
  Chapter 2—Management, Planning, and Organization of Information Systems
  Chapter 3—Technical Infrastructure and Operational Practices
  Chapter 4—Protection of Information Assets
  Chapter 5—Disaster Recovery and Business Continuity
  Chapter 6—Business Application Systems Development, Acquisition, Implementation, and Maintenance
  Chapter 7—Business Process Evaluation and Risk Management

Appendix B What’s on the CD-ROM 555

Index 559

Acknowledgments

I would like to thank my family — Nick, John, and my wife Linda — for putting up with me through the process of developing this book. Without their patience and understanding, this would not have been as easy or as enjoyable. I am also grateful to the many IS auditors whom I have met and worked with during my career in IS auditing. The association with other professionals who pursue excellence in their work is always a benefit to personal growth.

About the Author

John Kramer is the Information Security Manager and Security Architect for the UPMC Health System. He spent eight years working in information systems auditing for both large banking and investment and health care institutions. In both environments, he has been responsible for managing all phases of the IS audit programs, conducting risk assessments, and managing IS operations and audit functions. John has had the responsibility for the development and training of many IS auditors, several of whom have passed the CISA exam successfully. John has been a CISA since 1995. He is a former Vice President of the Pittsburgh ISACA chapter. He is also a CISSP. His formal education is in electrical engineering.

Introduction

Information systems auditing is a profession that is both rewarding and challenging. It allows the information systems auditor a unique view of the business processes and the supporting information technology that encompass a wide scope of understanding and perspective. This view is often one of the overall system and how it works; the big picture. IS auditing is frequently a stepping stone to management positions and careers within the business for which the auditor learns the systems and controls. Process-knowledgeable system thinkers with inherent integrity and risk focus are often sought as reliable management material. The most sought after, globally accepted standard of certification for an IS auditor is that of CISA, Certified Information System Auditor. Since 1978, this designation means that the auditor is recognized as a certified professional. Earning the CISA designation shows that the auditor takes his profession seriously and is dedicated to establishing his reputation and career as a proficient professional.

CISAs are trained in all aspects of IS auditing and bound by a code of ethics to perform sensitive activities reliably and with integrity. The certification process was established to evaluate competency of IS auditors and provide a mechanism for encouraging IS auditors to maintain and enhance their knowledge of the IS auditing profession. CISA certification requires a broad knowledge of the information technology management processes and five years of experience in IS auditing, control, or security, allowing for a few substitutions and waivers. It also depends on a basic understanding of generally

accepted auditing practices as well as many of the basic processes used every day in information processing and business management.

The CISA certification is a prerequisite for many audit and security job postings in the marketplace today. The majority (71 percent) of those holding a CISA certification surveyed in 2001 believe that obtaining this certification has helped to advance their careers. This opinion was borne out by a recent survey conducted by Foote Partners, which showed that CISAs received the highest salary bonuses among the 39 technical skills certification programs studied. Those possessing the CISA certification received a median 10 percent bonus (as a percent of base salary), the highest bonus amount attributed to a certification. Overall, the average bonus for all certifications tracked during the same time period was only 6.8 percent.

More than 10,000 individuals registered for the CISA exam in 2002, yet very little information is available about what IS auditors’ work is all about. Becoming certified takes years of experience and exposure to information systems and risk and control techniques. There is no substitute for this work experience. My hope is that this book will give you insight into one person’s perspective of how to perform this work, add value to the business organizations you are supporting as an IS auditor, and most importantly show you how to consolidate your understanding of the audit process into the successful passing of the CISA exam in June.

After you have received your certification, you will find that this book is a valuable reference and ongoing tool that you can use while practicing your trade as an IS audit professional. Technology is a fast-paced and ever-changing world where yesterday’s bleeding edge is today’s obsolete process. IS auditing techniques applied to the business processes’ risks and controls do not change as much over time, however. They are more closely tied to human behavior and corporate governance, which mature and endure steadfastly over time. To know the IS audit profession is to understand how to go about getting the right results without necessarily having a full understanding of each and every technical solution that comes along. You don’t need to know all of the technologies in the greatest detail to understand how the business processes require them for processing and how to control risks inherent in the technical solution to business problems. ISACA has created many excellent standards and control-assessment processes to provide the auditor with the tools needed to successfully apply risk and control examinations to the business processes, assisting them to improve and achieve the business objectives. The CISA certification is a proud moment for the audit professional, one which marks a milestone in a successful career path.

The ISACA Organization

The Information Systems Audit and Control Association (ISACA) was founded in 1969. With over 26,000 members in over 100 countries, it is the recognized world leader in IS governance, control, and assurance. The mission of ISACA is to support enterprise objectives through the development, provision, and promotion of research, standards, competencies, and practices for the effective governance, control, and assurance of information, systems, and technology. The Association helps IS audit, control, and security professionals focus not only on IS, IS risks, and security issues, but also on the relationship between IS and the business, business processes, and business risks. There are more than 160 local chapter organizations in cities across the globe that provide unique opportunities to leverage common experiences and further knowledge of the IS auditing profession.

The Examination

The CISA examination is administered once a year on a Saturday in early June. You must register at least a month in advance, and by registering early you can receive discounts on your registration fees. Discounts are also afforded to ISACA members for the test and study materials that are offered by ISACA. This is just one of the many benefits of membership in this international IS auditing professional organization. In 2002, the exam was given in over forty states in the United States and over seventy other countries worldwide, many in multiple locations in that country. You can pick a test center where you would like to take the test and the language that you would prefer the exam be given in. Two to three weeks before the exam date, you will be sent an admission ticket that must be presented for physical admission to the exam location. Local ISACA chapters often host the test and provide administration and logistics for the exam. Booklets are handed out and oral instructions are given at the start of the four-hour exam time frame, during which you must answer 200 multiple-choice questions similar to the ones at the end of each chapter of this book.

Several supplemental resources are available to help in preparing for the exam. ISACA provides some study aids which can be purchased from their Web site. Technical books on the details of IS auditing and systems controls are relatively few, however. Your local ISACA chapter is an excellent source of information and can be a valuable resource for finding others to study with and share preparation for the exam with.

Obtaining and Maintaining Certification

Becoming a Certified Information Systems Auditor is a process of passing the exam described in this book, showing a commitment to the profession by agreeing to the professional ethics and continuing education requirements, and providing evidence of five years of IS audit, control, or security related work experience. This is not a paper certification by any measure.

Criteria for Becoming a CISA

CISA certification is a process of assessing individuals for their skills and judgment related to IS audit, control, and security. In addition to passing the exam, the candidate must submit evidence of five (5) years of experience in the professional practice of IS audit, control, or security. Substitution and waivers of such experience may also be obtained that will apply to this five-year experience requirement as follows:

• A maximum of one year of experience may be substituted for
  • One year of other audit experience
  • One year of information systems experience and/or
  • An associate’s degree (60 semester college credits or its equivalent)
• Two of the required five years of experience may be substituted for a bachelor’s degree (120 semester college credits or its equivalent).
• One year of IS audit, control, or security experience may be substituted for each two years of experience as a full-time university instructor in a related field (e.g., computer science, accounting, IS auditing) with no maximum limitation to the two for one experience year substitution.

All related experience submitted as evidence for the certification as an IS auditor must have been gained within the ten years preceding the application for certification or within five years from the date the candidate initially passed the exam. Individuals may choose to take and pass the CISA exam prior to meeting the experience requirements but will not be awarded the CISA designation until all the requirements are met. All experience will be independently verified with employers.

Maintaining Your CISA Certification

The CISA certification must be actively maintained by the individual who is awarded with this designation through a program of continuing educational pursuit and annual maintenance fees paid in full to ISACA. The continuing education policy requires that a certified individual earn and submit a minimum number of Continuing Professional Education (CPE) hours annually. CISAs must obtain and submit one hundred and twenty (120) CPEs over a three-year reporting period with a minimum of twenty (20) CPEs in any given year. Some CISAs are selected each year for an audit of their CPE credits and their applicability to the continuing education process. You must respond and submit any required supporting documentation if you are selected for this annual audit. For this reason, it is very important to keep separate and accurate records of your continuing educational efforts related to maintaining your CISA certification.

The Certification Board may at its discretion revoke certification for a number of reasons. This action would be taken only after due and thorough consideration and for one of the following reasons:

• Falsifying or deliberately withholding relevant information.
• Intentionally misstating a material fact.
• Engaging in or assisting others in dishonest or inappropriate behavior in connection with the CISA exam or the certification process.
• Violating the Code of Ethics in any way.
• Failing to meet the Continuing Education requirements.
• Failing to pay annual CISA maintenance fees.

The Approach and Layout of This Book

The approach of this book is a blend of relating experiences and the transference of knowledge: experiences in passing the CISA exam, years of performing IS audits and audit management, as well as teaching entry-level IS auditors. My experiences are somewhat unique because they span both medical and financial business environments as both an auditor and audit manager. Recruiting junior auditors and training them to perform IS audits and eventually pass the CISA exam were both personally rewarding and

instructive to the advancement of my understanding of the IS audit profession. I have included information and relate my views about several of the standards and current direction of the ISACA organization and its evolving testing criteria. This firsthand knowledge of what works and what information is most relevant to the professional IS auditor uniquely positions you, the reader, to study for and pass the CISA exam and perform IS audits with confidence.

Organization of the Book

The text is organized according to the examination content areas that are currently defined for preparation and study for the CISA examination:

Chapter 1, “The IS Audit Process” (10 percent of test content).
Chapter 2, “Management, Planning, and Organization of Information Systems” (11 percent of test content).
Chapter 3, “Technical Infrastructure and Operational Practices” (13 percent of test content).
Chapter 4, “Protection of Information Assets” (25 percent of test content).
Chapter 5, “Disaster Recovery and Business Continuity” (10 percent of test content).
Chapter 6, “Business Application System Development, Acquisition, Implementation, and Maintenance” (16 percent of test content).
Chapter 7, “Business Process Evaluation and Risk Management” (15 percent of test content).
Appendix A, “Answers to Sample Exam Questions.”
Appendix B, “What’s on the CD-ROM.”

Each chapter is accompanied by a series of sample questions that are in the same format as those found on the CISA examination. Answers are provided for each question along with an explanation of the answers in Appendix A.

Valuable reference material and glossaries of terms include information with which you will need to become familiar. Some of the author’s favorite resources are listed at the end of each chapter to guide the candidate for further study and to use in performing IS audits.

The Companion CD-ROM

Included with this book is a CD-ROM containing all of the questions presented as samples, formatted in a similar fashion as those in the CISA exam. The Test Engine from Boson Software allows you to determine what categories or content areas you are strong and weak in, in order to narrow your study efforts as you prepare for the actual exam. You can review the correct answers after each question and time your test-taking abilities. Options for keeping track of your quiz-scoring include asking missed questions over again in subsequent quizzes and multiple quizzes using select content areas if desired. Scoring is tracked and graded as you progress. Instructions for loading and using the software are included in Appendix B of this book.

Who Should Read This Book

This book is not only a useful preparation guide for the CISA exam, but also will serve as a reference to best audit practices which can be subsequently adapted to the individual situation faced by an IS auditor in his or her work. It can be used to ensure that all aspects of risk and control have been considered when preparing for or performing an IS audit engagement. There are three main categories of readers for this comprehensive exam prep guide:

• Candidates who are planning on sitting for the CISA exam and who are looking for a comprehensive and practical guide to all of the knowledge required to achieve certification. This book is not designed to cover all of the details of every aspect of IS audit and control. Instead it provides a guide that will walk the candidate through all audit content areas at a high level, allowing the candidate to determine where they need to follow up with additional resources and fill in the gaps in their knowledge base.
• Students of IS management and auditing w
