Wednesday, June 25, 2008

CISA: Certified Information Systems Auditor Study Guide




Building on the proven approach of other Sybex Study Guides, this book takes the exam Content Areas, and Tasks and Knowledge Areas, and breaks them down for the reader in a clear and concise manner. The book will cover:

The IS Audit Process.

Tuesday, June 10, 2008

Scope & Methodology of IT Audit

The scope of work at the organization's premises consists of the following:

Evaluation of the current IT infrastructure.

How might architecture be modified so that it adds more value to the organization?

Evaluate the processes by which systems and/or infrastructure are developed/acquired and tested to ensure that the deliverables meet the organization’s objectives.

Evaluate the IT procurement policies.

Evaluate the readiness of the system and/or infrastructure for implementation.

Perform reviews of systems and/or infrastructure to ensure that they meet the organization’s objectives and are subject to effective internal control.

Evaluate the process by which systems and/or infrastructure are maintained to ensure the continued support of the organization’s objectives and are subject to effective internal control.

Evaluate the process by which systems and/or infrastructure are disposed of to ensure that they comply with the organization’s policies and procedures.

Evaluate data administration practices to ensure the integrity and optimization of databases.

Evaluate the functionality of the IT infrastructure (e.g., network components, hardware, system software) to ensure that it supports the organization’s objectives.

Evaluate the design, implementation, and monitoring of physical access controls to ensure the confidentiality, integrity, availability and authorized use of information assets.

The methodology included a review of existing policies and procedures related to information technology, interviews with management and staff, and analysis of pertinent data and records. Tools used to audit the systems and networks include Open Audit and Dump ACL.

Monday, June 9, 2008

Background of the Organization for IT Audit


Control Authorities are responsible for determining the appropriate level of access to the systems and requesting authorization for their staff through the Information Department. The Information Department will clear authorization for access to specific modules and notify the Authorities for approval. These service requests are processed through e-mail or written notes by the Help Desk running under the Information Department. If the request is for newly hired personnel, the Help Desk will set up a new network user ID based on the request.

User capabilities are granted individually, based on needs as determined by the Authorities, either by the administrator of the Information Department (the staff of this department are responsible for directing the design, analysis, creation, monitoring, administration, troubleshooting and enhancement of the personal computer network) or by an Authority (staff in the department which has responsibility for such action to be taken).
According to procedures, Authorities are also responsible for notifying the Information Department when an employee is terminated or transferred, so that the Information Department may cancel or modify the authorizations of the said employee in a timely manner.

All purchase requests are routed from the Information Department to the purchase department and are then forwarded to the authority for approval.

Thursday, June 5, 2008

Objective of an IT Audit

The audit objective is to determine whether the organization's current IT infrastructure is adequate in light of the latest IT developments, and to suggest to management ways of improving its vision of IT in order to improve given standards.

A system that is efficient, always available and secure may be developed to meet the needs of the organization.

The audit is scheduled to be performed with the support of the Information Department and Management on the premises of the organization.

IT Audit in Pakistan

CISA Objectives

The objective of this program is to build an understanding of the scope and areas to be tested in the CISA exams, and to prepare the students for the exam.

Benefits

The CISA designation always assures employers that staff are able to apply state-of-the-art information systems and information technology audit, security and control practices and techniques. Many employers consider achievement of the CISA designation a strong factor for employment and/or career advancement.

Contents of the Exam

The CISA exam contains those tasks that would routinely be performed by IS & IT auditors. Considering the exam contents, this program covers the following subjects:
· IS Audit Process
· IT Governance
· Systems and Infrastructure Lifecycle Management
· IT Service Delivery and Support
· Protection of Information Assets
· Business Continuity and Disaster Recovery

Participants Profile

This course is open for all graduates, with basic auditing experience. Basic computer knowledge would be an added advantage. The ideal candidates would be auditors, chartered accountants, CA and ACMA students, IT security managers and administrators, database & network administrators, risk managers and IT project managers.

IT Audit

We conduct an Information Technology Audit which focuses on physical controls, inventory controls, environmental controls, access security and recovery planning for any organization's Information Technology system.

The major emphasis of the audit is to look at the strength of the IT infrastructure and to find the gaps, so that standards can be improved to meet future requirements.

Audit objectives are to ensure that IT acquisitions comply with the policies and standards of central control departments and the information department, and to promote the advancement of the departmental strategic directions for information technology.