Following on from the success of its bestselling predecessor, this third edition of the CISA - Certified Information Systems Auditor Study Guide serves as your go-to resource for acing the CISA exam. Written by renowned CISA expert Hemang Doshi, this guide equips you with practical skills and in-depth knowledge to excel in information systems auditing, setting the foundation for a thriving career.
Fully updated to align with the 28th edition of the CISA Official Review Manual, this guide covers the latest exam objectives and provides a deep dive into essential IT auditing areas, including IT governance, systems development, and asset protection. The book follows a structured, three-step approach to solidify your understanding. First, it breaks down the fundamentals with clear, concise explanations. Then, it highlights critical exam-focused points to ensure you concentrate on key areas. Finally, it challenges you with self-assessment questions that reflect the exam format, helping you assess your knowledge.
Additionally, you’ll gain access to online resources, including mock exams, interactive flashcards, and invaluable exam tips, ensuring you’re fully prepared for the exam with unlimited practice opportunities.
By the end of this guide, you’ll be ready to pass the CISA exam with confidence and advance your career in auditing.
CISA – Certified Information Systems Auditor Study Guide
Third Edition
Aligned with the CISA Review Manual 2024 with over 1000 practice questions to ace the exam
Hemang Doshi
Copyright © 2024 Packt Publishing
All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.
Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.
Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.
Author: Hemang Doshi
Reviewers: Ayush Singh Panwar and Karl Marx Thangappan
Publishing Product Manager: Anindya Sil
Development Editor: Shubhra Mayuri
Digital Editor: M Keerthi Nair
Presentation Designer: Salma Patel
Editorial Board: Vijin Boricha, Megan Carlisle, Simon Cox, Ketan Giri, Saurabh Kadave, Alex Mazonowicz, Gandhali Raut, and Ankita Thakur
First Published: August 2020
Second Edition: June 2023
Third Edition: October 2024
Production Reference: 3151124
Published by Packt Publishing Ltd.
Grosvenor House
11 St Paul’s Square
Birmingham
B3 1RB
ISBN: 978-1-83588-286-3
www.packtpub.com
Hemang Doshi has more than 20 years of experience in the field of system audit, IT risk and compliance, internal audit, risk management, information security audit, third-party risk management, and operational risk management. He has authored several books for certifications such as CISA, CRISC, CISM, DISA, and CEH, and on enterprise risk management. His books and lectures are sold in more than 175 countries and in more than 35 languages.
Gratitude to my mother, Jyoti Doshi, and to the memory of my father, Hasmukh Doshi, for their sacrifices and for exemplifying the power of determination. To my wife, Namrata Doshi, for being my loving partner throughout our life journey together, and to my kids Jia and Neev for allowing me to write this book. To my sister, Pooja Shah, my brother-in-law, Hiren Shah, and my nephew, Phenil Shah, for their love, support, and inspiration. To my in-laws, Chandrakant Shah, Bharti Shah, and Ravish Shah, for their love and motivation. To my mentor and guide, Dipak Mazumder, for showing me how talent and creativity evolve.
Ayush Singh Panwar is an accomplished professional with over 8 years of experience in the field of Information Technology, Information Cyber Security Governance, Risk, and Compliance. He possesses several notable security certifications, including CISSP, CISA, CISM, ISO 27001 (Lead Implementer), and PCI DSS (CPCISI). Throughout his career, Ayush has primarily served as an internal auditor and security consultant for multinational organizations operating in the finance, telecom, and automobile sectors. Currently, he holds the position of Assistant Vice President of the Chief Control Office at a leading global bank based in the United Kingdom. Ayush’s expertise lies in conducting information and cyber security audit, evaluating third-party risks, ensuring data privacy, managing cloud security, and implementing ISMS standards.
Karl Marx Thangappan is an IT professional with over 14 years of experience in the field of Information Systems, Technology, Databases, Audit, and Cybersecurity. He holds certifications such as CISSP, CISA, CEH, and Cloud certificates from Azure, Oracle, and AWS. Additionally, he pursued advanced computer security studies at Stanford University. Throughout his career, Karl has traveled to work with a diverse range of clients spanning Australia, the Middle East, and Africa, including large enterprises, financial institutions, consulting firms, and startups. Currently, he serves as a Cloud Product Security Consultant in the United Kingdom. As a security entrepreneur, he has developed products such as Privileged Access Management (PAM), risk-based vulnerability management, and threat modelling with in-built integrations. He has also been involved in projects focused on the robotic automation of complaints and security controls for IT operations. Karl shares his expertise by teaching cybersecurity courses as an adjunct instructor.
Karl expresses gratitude to his brother Siva Anna, his late father, his wife, and his friends for their unwavering support throughout his professional journey.
As a Certified Information Systems Auditor (CISA), it is a privilege to introduce the latest edition of the CISA Exam Guide by Mr. Hemang Doshi. This third revision comes at a critical time, as the cybersecurity landscape continues to evolve rapidly. The need for adept information systems auditors has never been more pressing, and this guide serves as a crucial tool in preparing candidates for the challenges of today’s digital environment.
In this updated edition, Mr. Hemang has meticulously revised the content to align with the latest trends and changes in the CISA exam. New sections addressing emerging topics, such as advanced cybersecurity threats, cloud computing, and data privacy regulations, have been added to ensure candidates are equipped with the knowledge and skills necessary to succeed in the current examination format.
My professional journey with Mr. Hemang began in 2022 when I embarked on my path to achieving CISA certification. His training materials, exam guides, and practical tips were invaluable resources, providing clear, concise guidance and relevant practical illustrations. These resources are particularly beneficial for candidates from non-technical backgrounds, such as myself. Mr. Hemang's reputation as a leader in IT audit is well-deserved, and his work continues to inspire and educate aspiring professionals.
The CISA certification remains a cornerstone for those pursuing a career in information systems auditing. It symbolizes a profound understanding of IS audit, control, and security. The journey to attaining any certification is demanding and requires dedication. My advice to aspiring CISAs is to engage deeply with this guide, practice diligently, and remain focused on your objectives. The insights and expertise gained from this guide will not only help you pass the exam but will also serve as a foundation for a successful career.
This guide is more than just an exam preparation tool, it is an essential resource offering comprehensive coverage of exam content and invaluable practical insights. It is designed to empower candidates to excel in their careers as agile and forward-thinking audit professionals.
In conclusion, I commend Mr. Hemang for his exemplary work on this revision. I am confident that this guide will be an indispensable asset to all CISA candidates, and I wish you every success on your journey to certification and beyond. Embrace this opportunity to strengthen your competencies and unlock new professional possibilities in the ever-evolving field of information systems auditing.
Javen Khoo Ai Wee
Senior Manager in Group Internal Audit Division of a leading global energy company
Chartered member of The Institute of Internal Auditors (CMIIA) – Malaysia chapter
Certified Internal Auditor (CIA)
Certified Information Systems Auditor (CISA)
Certified Fraud Examiner (CFE)
Certified in Cybersecurity (CC)
Certified Information Systems Auditor (CISA) is one of the most sought-after courses in the field of auditing, control, and information security. CISA is a globally recognized certification that validates your expertise and gives you the leverage you need to advance in your career. CISA certification is key to a successful career in IT.
A CISA certification can showcase your expertise and assert your ability to apply a risk-based approach to planning, executing, and reporting on projects and engagements. It helps you gain instant credibility in your interactions with internal stakeholders, regulators, external auditors, and customers.
As per ISACA’s official website (www.isaca.org), the average salary of a CISA holder is US$149,000.
If you are a passionate auditor, risk practitioner, IT professional, or security professional, and are planning to enhance your career by obtaining a CISA certificate, this book is for you.
The third edition of the CISA Study Guide is aligned with ISACA’s CISA Review Manual, 2024 Edition. The book contains the following chapters:
Chapter 1, Audit Planning, deals with the audit processes, standards, guidelines, practices, and techniques that an Information Systems (IS) auditor is expected to use during audit assignments. An IS auditor must have a detailed knowledge of IS processes, business processes, and risk management processes in order to protect an organization’s assets.
Chapter 2, Audit Execution, covers project management techniques, sampling methodology, and audit evidence collection techniques. It provides details regarding data analysis techniques, reporting and communication techniques, and quality assurance processes.
Chapter 3, IT Governance, provides an introduction to IT governance and aspects related to IT enterprise governance. Enterprise governance includes the active involvement of management in IT. Effective IT governance and management involves an organization’s structure as well as IT standards, policies, and procedures.
Chapter 4, IT Management, walks you through various aspects of designing and approving an IT management policy and effective information security governance. It will also teach you how to audit and evaluate IT resource management, along with services provided by third-party service providers, while also covering IT performance monitoring and reporting.
Chapter 5, Information Systems Acquisition and Development, provides information about project governance and management techniques. This chapter discusses how an organization evaluates, develops, implements, maintains, and disposes of its information systems and related components.
Chapter 6, Information Systems Implementation, covers various aspects of IS implementation. The implementation process comprises a variety of stages, including system migration, infrastructure deployment, data conversion or migration, user training, post-implementation review, and user acceptance testing.
Chapter 7, Information Systems Operations, explains how to identify risks related to technology components and how to audit and evaluate IT service management practices; systems performance management; problem and incident management policies and practices; change, configuration, release, and patch management processes; and database management processes.
Chapter 8, Business Resilience, covers all aspects of business impact analysis, system resiliency, data backup, storage and restoration, the business continuity plan, and disaster recovery plans.
Chapter 9, Information Asset Security and Control, discusses the information security management framework, privacy principles, physical access and environmental controls, and identity and access management.
Chapter 10, Network Security and Control, provides an introduction to various components of networks, network-related risks and controls, types of firewalls, and wireless security.
Chapter 11, Public Key Cryptography and Other Emerging Technologies, details various aspects of public key cryptography, cloud computing, virtualization, mobile computing, and the Internet of Things.
Chapter 12, Security Event Management, takes you through the process of evaluating an organization’s information security and privacy policies and practices in depth. It also discusses various types of IS attack methods and techniques and covers different security monitoring tools and techniques, as well as evidence collection and forensics methodology.
Chapter 13, Accessing the Online Practice Resources, presents all the necessary information and guidance on how you can access the online practice resources that come free with your copy of this book. These resources are designed to enhance your exam preparedness.
This book is directly aligned with ISACA’s CISA Review Manual (2024 Edition) and covers all the topics that a CISA aspirant needs to grasp in order to pass the exam. The key aspect of this book is its use of simple language, which makes it ideal for candidates with non-technical backgrounds. At the end of each topic, key pointers from the CISA exam perspective are presented in a tabular format. This is the unique feature of this book. It also contains more than 1000 exam-oriented practice questions that are designed in consideration of the language and testing methodology used in an actual CISA exam.
It is advisable to stick to the following steps when preparing for the CISA exam:
Step 1: Read the complete book.
Step 2: Attempt the end-of-chapter practice questions in each chapter before moving on to the next one.
Step 3: Go through ISACA’s QAE book or database.
Step 4: Refer to ISACA’s CISA Review Manual.
Step 5: Memorize key concepts using the flashcards on the website (refer to the Online Practice Resources section).
Step 6: Attempt the online practice question sets. Make a note of the concepts you are weak in, revisit those in the book, and re-attempt the practice questions (refer to the Online Practice Resources section).
Step 7: Review the exam tips on the website (refer to the Online Practice Resources section).
CISA aspirants will gain a lot of confidence if they approach their preparation as per the mentioned steps.
This book is also available in video lecture format along with 200+ exam-oriented practice questions on Udemy. Buyers of this book are entitled to 30% off of Hemang Doshi’s recorded lectures. For a discount coupon, please write to [email protected].
With this book, you will unlock unlimited access to our online exam-prep platform (Figure 0.1). This is your place to practice everything you learn in the book.
How to access the resources
To learn how to access the online resources, refer to Chapter 13, Accessing the Online Practice Resources at the end of this book.
Figure 0.1 – Online exam-prep platform on a desktop device
Sharpen your knowledge of Certified Information Systems Auditor concepts with multiple sets of mock exams, interactive flashcards, and exam tips accessible from all modern web browsers.
We also provide a PDF file that has color images of the screenshots/diagrams used in this book.
You can download it here: https://packt.link/cisagraphicbundle
There are a number of text conventions used throughout this book.
Code in text: Indicates text in images, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, text on screen and X (formerly known as Twitter) handles. Here is an example: “In the case of the letter q, the received binary code is 11100000, which has an odd number of 1s.”
Bold: Indicates a new term or abbreviation or an important word. Here is an example: “An information system (IS) audit is a systematic examination and evaluation of an organization’s IT infrastructure, policies, and practices.”
Tips or important notes
Appear like this.
Feedback from our readers is always welcome.
General feedback: If you have questions about any aspect of this book, mention the book title in the subject of your message and email us at [email protected].
Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report this to us. Please visit www.packtpub.com/support/errata, select your book, click on the Errata Submission Form link, and enter the details. We ensure that all valid errata are promptly updated in the GitHub repository, with the relevant information available in the Readme.md file. You can access the GitHub repository at https://packt.link/cisagithub.
Piracy: If you come across any illegal copies of our works in any form on the Internet, we would be grateful if you would provide us with the location address or website name. Please contact us at [email protected] with a link to the material.
If you are interested in becoming an author: If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, please visit authors.packtpub.com.
Once you’ve read CISA – Certified Information Systems Auditor Study Guide, Third Edition, we’d love to hear your thoughts! Please click here to go straight to the Amazon review page for this book and share your feedback.
Your review is important to us and the tech community and will help us make sure we’re delivering excellent quality content.
Thanks for purchasing this book!
Do you like to read on the go but are unable to carry your print books everywhere?
Is your eBook purchase not compatible with the device of your choice?
Don’t worry, now with every Packt book you get a DRM-free PDF version of that book at no cost.
Read anywhere, any place, on any device. Search, copy, and paste code from your favorite technical books directly into your application.
The perks don’t stop there, you can get exclusive access to discounts, newsletters, and great free content in your inbox daily.
Follow these simple steps to get the benefits:
Scan the QR code or visit the link below: https://packt.link/free-ebook/9781835882863
Submit your proof of purchase.
That’s it! We’ll send your free PDF and other benefits to your email directly.
An information system (IS) audit is a systematic examination and evaluation of an organization’s IT infrastructure, policies, and practices. It aims to ensure that the organization’s ISs are secure, efficient, and aligned with business objectives. IS audits cover a wide range of areas, including data integrity, cybersecurity measures, compliance with regulations, and the overall effectiveness of IT controls. By conducting these audits, organizations can identify vulnerabilities, mitigate risks, and improve their IT governance to support sustainable growth and safeguard sensitive information.
The history of IS audits traces back to the mid-20th century, when computers began transforming business operations. Initially, audits focused on financial controls, but as technology advanced, so did the need to ensure the integrity and security of computerized data and systems. Today, IS audits are critical for businesses to protect data, ensure regulatory compliance, and maintain trust with stakeholders in our increasingly digital world.
Audit planning is an important step in the auditing process. It helps auditors understand what they need to do, how they will do it, and who else will aid the process. This makes the audit more efficient and effective. This chapter will focus on the governance, monitoring, and planning of IS audits.
This chapter covers Domain 1, Information Systems Auditing Process, part A, Planning, of the CISA exam. The following exam topics will be covered in this chapter:
The contents of an audit charter
Audit planning
Business process applications and controls
Types of controls
Risk-based audit planning
Types of audits and assessments
IS internal audit function
Managing third-party IS auditors and other experts
Code of Professional Ethics
This book and its accompanying online resources are designed to be a complete preparation tool for your CISA exam.
The book is written in a way that you can apply everything you’ve learned here even after your certification. The online practice resources that come with this book (Figure 1.1) are designed to improve your test-taking skills. They are loaded with timed mock exams, interactive flashcards, and exam tips to help you work on your exam readiness from now till your test day.
Before You Proceed
To learn how to access these resources, head over to Chapter 13, Accessing the Online Practice Resources, at the end of the book.
Figure 1.1: Dashboard interface of the online practice resources
Here are some tips on how to make the most out of this book so that you can clear your certification and retain your knowledge beyond your exam:
Read each section thoroughly.
Make ample notes: You can use your favorite online note-taking tool or use a physical notebook. The free online resources also give you access to an online version of this book. Click the BACK TO THE BOOK link from the Dashboard to access the book in Packt Reader. You can highlight specific sections of the book there.
Chapter Review Questions: At the end of this chapter, you’ll find a link to review questions for this chapter. These are designed to test your knowledge of the chapter. Aim to score at least 75% before moving on to the next chapter. You’ll find detailed instructions on how to make the most of these questions at the end of this chapter in the Exam Readiness Drill - Chapter Review Questions section. That way, you’re improving your exam-taking skills after each chapter, rather than at the end.
Flashcards: After you’ve gone through the book and scored 75% or more in each of the chapter review questions, start reviewing the online flashcards. They will help you memorize key concepts.
Mock Exams: Solve the mock exams that come with the book till your exam day. If you get some answers wrong, go back to the book and revisit the concepts you’re weak in.
Exam Tips: Review these from time to time to improve your exam readiness even further.
An audit charter is a formal document that outlines the purpose, authority, scope, and objectives of an audit department. Consider it like a search warrant issued by a board of directors/audit committee. Just as a search warrant gives police permission to look for evidence in specific places, the audit charter gives auditors the permission and direction to look at specific parts of a company’s systems and processes. An auditor’s activities are impacted by the charter of the audit department, and it authorizes the accountability and responsibility of the entire audit department. In the absence of an approved charter, the auditee may hardly acknowledge the existence of the audit team.
Figure 1.2: An audit charter needs the support of the auditee
An internal audit is an independent activity and should ideally be reported to a board-level committee. In most organizations, the internal audit function reports to the audit committee of the board. This helps to protect the independence of the audit function as no other business function can interfere in audit processes.
Audit reporting may be biased in the absence of an independent audit function. The independence of the audit function is further ensured through a management-approved audit charter.
The CISA candidate should note the following features of an audit charter:
An audit charter is a formal document defining the internal audit’s objective, authority, and responsibility.
The audit charter covers the entire scope of audit activities.
An audit charter must be approved by senior management.
Figure 1.3 summarizes these features of an audit charter:
Figure 1.3: Features of an audit charter
An audit charter should not be changed too often as it defines the objective of the audit function, and hence procedural aspects should not be included. Frequent changes in the audit charter can create confusion and a lack of clarity about the audit function’s role and responsibilities. This instability can reduce the audit team’s effectiveness.
Also, it is recommended to not include a detailed annual audit calendar, including things such as planning, resource allocation, and other details, such as audit fees and expenses. As the charter requires the approval of the board/senior management, it is advisable to not include details that require frequent adjustment.
An audit charter should be reviewed at a minimum annually to ensure that it is aligned with business objectives.
An audit charter includes the following:
The mission, purpose, and objective of the audit function
The scope of the audit function
The responsibilities of management
The responsibilities of internal auditors
The authorized personnel of the internal audit work
If an audit is outsourced to an audit firm, the objective of the audit, along with its detailed scope, should be incorporated in an audit engagement letter. The purpose of the engagement letter is to clearly outline the scope, objectives, responsibilities, and expectations of the audit firm.
The following table covers important aspects for the CISA exam:
Questions
Possible Answers
Who should approve the audit charter of an organization?
Senior management
What should the contents of an audit charter be?
The scope, authority, and responsibilities of the audit function
The actions of an IS auditor are primarily influenced by:
The audit charter
Which document provides the overall authority for an auditor to perform an audit?
The audit charter
What is the primary reason for the audit function directly reporting to the audit committee?
The audit function must be independent of the business function and should have direct access to the audit committee of the board
Table 1.1: Key aspects for the CISA exam
An audit charter forms the basis of structured audit planning. Activities relevant to audit planning are discussed in the next section.
Audit planning is the initial stage of the audit process. It helps to establish the overall audit strategy and the techniques used to complete the audit. Audit planning makes the audit process more structured and objective-oriented.
CISA aspirants should have an understanding of the following important terms before reading about the different aspects of audit planning:
Audit universe: An inventory of all the functions/processes/units in the organization.
Qualitative risk assessment: In a qualitative risk assessment, risk is assessed using qualitative parameters such as high, medium, and low.
Quantitative risk assessment: In a quantitative risk assessment, risk is assessed using numerical parameters and is quantified; for example, for a 50% chance of failure, the amount at risk is $1,000.
Risk factors: These are factors that have an impact on risk. The presence of such factors increases the risk, whereas their absence decreases the risk.
Organization chart: An organization chart is a diagram that shows the structure of an organization and the responsibilities and authorities of various positions and job roles.
All the preceding elements are important prerequisites for the design of a structured audit plan.
An audit plan helps to identify and determine the following:
The objectives of the audit
The scope of the audit
The periodicity of the audit
The members of the audit team
The method of audit
A well-thought-out audit plan helps the auditor do the following:
Focus on high-risk areas
Identify the required resources for the audit
Estimate a budget for the audit
Work to a defined structure, which ultimately benefits the auditor as well as the auditee units
An IS auditor should have a sufficient understanding of the various criteria for the selection of audit processes. One such criterion is to have an audit universe. All the significant processes of the enterprise’s business should be included in the audit universe for better risk management.
Risk factors influence the frequency of the audit. The audit plan can then be designed to consider all high-risk areas.
Additionally, an IS auditor should also review the organization chart during audit planning to grasp the authority and responsibility of individuals.
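The risk-based selection described above (an audit universe, qualitative ratings, a quantitative expected loss, and risk factors that raise the audit frequency) can be worked through in code. This is an added illustrative example, not code from the book or from ISACA; the audit universe, probabilities, amounts at risk, scoring bands, and frequencies are constructed sample data and an assumed policy.

```python
"""Risk-based audit planning over an audit universe.

Added illustrative example, not code from the book. The audit universe,
risk factors, probabilities and amounts at risk below are constructed
sample data; the scoring bands and audit frequencies are an assumed
policy that a real audit function would set for itself.
"""
from dataclasses import dataclass, field

# Qualitative scale used in the text: high / medium / low
QUALITATIVE_SCORE = {"low": 1, "medium": 2, "high": 3}

# Assumed policy: how often (in months) each priority band is audited
FREQUENCY_MONTHS = {"high": 12, "medium": 24, "low": 36}


@dataclass
class AuditableUnit:
    """One entry of the audit universe (a function, process or unit)."""
    name: str
    inherent_risk: str = "low"                        # qualitative rating
    risk_factors: list = field(default_factory=list)  # factors present
    probability: float = 0.0                          # chance of failure
    amount_at_risk: float = 0.0                       # monetary exposure

    def expected_loss(self) -> float:
        """Quantitative risk: probability x amount at risk. The text's
        example, a 50% chance of failure with $1,000 at risk, gives 500."""
        return self.probability * self.amount_at_risk


def quantitative_points(expected_loss: float) -> int:
    """Assumed bands that turn a monetary expected loss into points."""
    if expected_loss >= 10_000:
        return 2
    if expected_loss >= 1_000:
        return 1
    return 0


def risk_score(unit: AuditableUnit) -> int:
    """Combine the qualitative rating, the number of risk factors present
    (each factor raises risk, as the text states) and the quantitative band."""
    return (QUALITATIVE_SCORE[unit.inherent_risk]
            + len(unit.risk_factors)
            + quantitative_points(unit.expected_loss()))


def priority(score: int) -> str:
    """Assumed mapping from combined score to audit priority band."""
    if score >= 5:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def build_audit_plan(universe: list[AuditableUnit]) -> list[dict]:
    """Rank the audit universe by risk and assign an audit frequency,
    so that high-risk areas are visited first and most often."""
    plan = []
    for unit in universe:
        score = risk_score(unit)
        band = priority(score)
        plan.append({
            "unit": unit.name,
            "score": score,
            "priority": band,
            "frequency_months": FREQUENCY_MONTHS[band],
            "expected_loss": round(unit.expected_loss(), 2),
        })
    # highest score first; ties broken by name so the plan is stable
    plan.sort(key=lambda row: (-row["score"], row["unit"]))
    return plan


# Constructed sample audit universe
SAMPLE_UNIVERSE = [
    AuditableUnit("Payroll", "high", ["regulatory", "prior findings"], 0.5, 1_000),
    AuditableUnit("Online store", "medium", ["new system"], 0.2, 100_000),
    AuditableUnit("HR records", "medium", [], 0.3, 5_000),
    AuditableUnit("Cafeteria", "low", [], 0.1, 500),
]

if __name__ == "__main__":
    for row in build_audit_plan(SAMPLE_UNIVERSE):
        print(f"{row['unit']:<13} score={row['score']} "
              f"priority={row['priority']:<6} every {row['frequency_months']} months")
```

Changing a unit's risk factors or amount at risk moves it between bands, which is the mechanism by which the annual plan stays focused on high-risk areas.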
The audit plan should be reviewed and approved by senior management. Generally, approval is obtained from the audit committee of the board, but sometimes, the board might also grant approval.
Additionally, the audit plan should be flexible enough to address any changes in the risk environment (that is, new regulatory requirements, changes in market conditions, and other risk factors) as part of agile auditing. Agile auditing is discussed in detail in Chapter 2, Audit Execution.
The approved audit plan should be communicated promptly to the following groups:
Senior management
Business functions and other stakeholders
The internal audit team
The next step after the annual audit planning is to plan individual audit assignments. An individual audit assignment refers to a specific audit project conducted as part of the overall annual audit plan. Each assignment focuses on a particular area or aspect of the organization, such as a department, process, or financial statement line item. The IS auditor must have an understanding of the overall environment under review. While planning an individual audit assignment, an IS auditor should consider the following:
Prior audit reports
Risk assessment reports
Regulatory requirements
Standard operating processes
Technological requirements
Like every other process, the audit process will have some input and output. Elements of input include knowledge about the organization’s objective and processes and knowledge about regulatory requirements, audit resources, and logistics.
Processing involves the identification and review of policies, standards, and guidelines; setting the audit scope; conducting a risk analysis; and developing an audit approach.
The output of the audit process is the audit report, which includes the auditor’s observations and recommendations.
Figure 1.4 summarizes the input and output elements of the audit process:
Figure 1.4: Audit process flow
The following table covers the important aspects from a CISA exam perspective:
Questions
Possible Answers
What is the prime reason for the review of an organization chart?
An organization chart is a diagram that shows the structure of an organization and the responsibilities and authorities of various positions and job roles. An IS auditor reviews the organization chart to understand the authority and responsibility of individuals.
Table 1.2: Key aspects for the CISA exam
For effective audit planning, it is of utmost importance that the IS auditor has a thorough understanding of business process applications and controls. The basic architecture of some commonly used applications and their associated risks are discussed in the next section.
Working knowledge of the business environment and business objectives is required to plan a risk-based audit. The IS auditor should have a sufficient understanding of the overall architecture and the technical specifications of the various applications used by the organization and the risks associated with them.
In understanding the issues and current risks facing the business, the IS auditor should focus on areas that are most meaningful to management. To effectively audit business application systems, an IS auditor is required to gain a thorough understanding of the system under the scope of the audit.
The following are some of the widely used applications in business processes. The CISA candidate should be aware of the risks associated with each of them.
To understand how e-commerce works, it’s essential that you know about the different application architectures used in e-commerce:
- Single-tier architecture: In this simplest form of architecture, the entire application runs on a single computer. This means everything from the user interface to the database is handled by one machine. This setup is mostly used for small applications or client-based software where everything is contained within the user’s computer.
- Two-tier architecture: This involves two parts: a client and a server. The client is the user’s computer that interacts with the server, which handles the database and application logic. This separation allows more efficient data processing and management, making it suitable for slightly larger applications.
- Three-tier architecture: This is the most common architecture for modern e-commerce systems and includes three layers:
  - Presentation tier: This is where the user interacts with the system, such as through a web browser or mobile app. It displays the interface and sends user requests to the application tier.
  - Application tier: Also known as the business logic layer, this part processes user requests, performs computations, and makes decisions based on the business rules.
  - Data tier: This layer manages the database, storing and retrieving data as needed by the application tier.
E-commerce applications come with several risks that can impact both the business and its customers. Here are the main risks explained simply:
- Compromise of confidential user data: This risk involves hackers or unauthorized users gaining access to sensitive information such as customer names, addresses, credit card numbers, and passwords. If this data is compromised, it can lead to identity theft and financial losses for customers, and damage the business’s reputation.
- Data integrity issues: This occurs when data is altered without authorization. For example, someone might change prices, modify transaction records, or alter inventory details. These unauthorized changes can lead to incorrect business decisions and loss of customer trust.
- System unavailability: If the e-commerce site goes down or becomes inaccessible, it can disrupt business operations. Customers won’t be able to make purchases, and the business might lose sales and revenue. Continuous system availability is crucial for maintaining business continuity.
- Repudiation of transactions: This risk involves one party denying that a transaction took place. For example, a customer might claim they didn’t make a purchase, or the business might claim they didn’t receive payment. This can lead to disputes and financial losses.
Having an understanding of these risks helps businesses implement better security measures to protect their e-commerce applications and maintain trust with their customers.
The IS auditor should evaluate e-commerce platforms with the goal of ensuring that the platform operates securely and efficiently, protecting both the interests of the business and the customer. An IS auditor’s objectives when auditing an e-commerce application are as follows:
- To review the overall security architecture related to firewalls, encryption, networks, and PKI to ensure confidentiality, integrity, availability, and the non-repudiation of e-commerce transactions. Non-repudiation ensures that a transaction is enforceable and that the claimed sender cannot later deny generating and sending the message.
- To review the process of log capturing and monitoring for e-commerce transactions
- To review the incident management process
- To review the effectiveness of controls implemented for privacy laws
- To review anti-malware controls
- To review business continuity arrangements
EDI is the online transfer of data or information between two enterprises. EDI ensures an effective and efficient transfer platform without the use of paper. EDI applications contain processing features such as transmission, translation, and the storage of transactions flowing between two enterprises. An EDI setup can be either traditional EDI (batch transmission within each trading partner’s computer) or web-based EDI (accessed through an internet service provider).
The following are some common examples of EDI in use:
- Purchase orders: A retailer sends an electronic purchase order to a supplier to order goods. The purchase order includes details such as item descriptions, quantities, and prices. This replaces traditional paper orders, speeding up the process and reducing errors.
- Invoices: After goods are shipped, the supplier sends an electronic invoice to the retailer. The invoice details the items shipped, prices, and total amount due. This allows for faster processing and payment.
EDI comes with several risks that businesses need to be aware of. The following points expand on each risk and explain the potential outcomes:
- Transaction authorization: Unauthorized transactions can lead to financial losses, shipment of incorrect goods, or fraudulent activities. For example, someone might place an order without proper authorization, leading to the delivery of goods that were not actually needed or approved.
- Lack of inherent authentication: This can result in unauthorized access or fraudulent transactions. For example, a hacker could intercept or alter EDI messages, leading to financial loss or data breaches.
- Uncertainty without a trading partner agreement: Without a clear agreement, disputes over transaction terms, delivery issues, or payment problems can arise. For instance, if a shipment is delayed or incorrect, the lack of a trading partner agreement can make it difficult to resolve the issue or determine who is at fault.
- Performance-related issues: Poor performance can disrupt business operations, delay transactions, and harm relationships with trading partners. For example, if an EDI system crashes, it might delay the processing of purchase orders, leading to missed deliveries and unhappy customers.
- Unauthorized access: Unauthorized access can lead to data theft, fraud, and compromised business information. For instance, a competitor could access sensitive data about pricing and strategy, putting the business at a disadvantage.
- Data integrity and confidentiality: Altered data can result in incorrect orders, financial discrepancies, and loss of trust. For example, if an order quantity is changed during transmission, it could lead to overstocking or understocking. Loss of confidentiality can lead to data breaches and legal penalties.
- Loss or duplication of EDI transactions: Lost transactions can result in unfulfilled orders, payment delays, and operational inefficiencies. Duplicate transactions can lead to double shipments, overbilling, or accounting errors. For instance, if a purchase order is duplicated, the supplier might ship twice the quantity needed, causing logistical and financial issues.
Understanding these risks helps businesses implement better security measures, establish clear agreements, and ensure reliable EDI systems to mitigate potential problems and maintain smooth operations.
The IS auditor evaluates EDI to ensure that the EDI system operates smoothly and securely, supporting seamless business operations. The IS auditor’s objectives when auditing an EDI application are as follows:
- To verify the data’s confidentiality, integrity, and authenticity, as well as the non-repudiation of transactions.
- To determine invalid transactions and data before they are uploaded to the system.
- To determine the accuracy, validity, and reasonableness of data.
- To validate and ensure the reconciliation of totals between the EDI system and the trading partner’s system. This means comparing the figures in the records on both sides to ensure they agree and that there are no mistakes or differences.
The IS auditor should also verify the use of some controls to validate the sender, as follows:
- The use of control fields within an EDI message. Control fields are special parts of the EDI message that help track and manage the data being sent. They ensure the information is organized correctly and can be processed smoothly.
- The use of value-added network (VAN) sequential control numbers or reports. VAN uses numbered sequences or reports to keep track of each EDI message sent. This helps ensure that all messages are accounted for and none are missed or duplicated.
- Acknowledgment from the sender for the transactions.
The auditor should also verify the availability of the following controls:
- Control requirements for inbound transactions:
  - A log of each inbound transaction on receipt.
  - Segment count totals built into the transaction set trailer. The total number of segments should be included at the end of the EDI message to ensure everything is complete.
  - Check digits to detect transposition and transcription errors.
- Control requirements for outbound transactions:
  - Transactions should be compared with the trading partner’s profile.
  - Proper segregation of duties should be ensured for high-risk transactions.
  - A log should be maintained for outbound transactions.
EDI audits also involve the use of audit monitors (to capture EDI transactions) and expert systems (to evaluate transactions).
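The inbound controls listed above (receipt log, segment count totals, check digits), together with the VAN sequential control numbers and the reconciliation of totals discussed earlier, are shown working in the following added example. It is illustrative code written for this chapter, not from the book or any EDI product. It runs on constructed X12-style purchase orders; the ST/BEG/PO1/CTT/SE segment names follow X12 850 usage, while the choice of a Luhn check digit on the purchase order number, the sequence-gap rule, and the quantity hash total in CTT are assumptions made for the example.

```python
# Added example (not from the book): inbound EDI transaction controls
# exercised on constructed X12-style purchase orders. Segments end with "~"
# and elements are separated by "*". The ST/BEG/PO1/CTT/SE segment names
# follow X12 850 usage; the Luhn check digit on the PO number, the
# sequence-gap rule and the CTT hash total are illustrative assumptions.
from dataclasses import dataclass, field


def luhn_check_digit(payload: str) -> int:
    """Luhn check digit for a digit string: double every second digit from the
    right, subtract 9 from any product above 9, and pad the sum to a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return (10 - total % 10) % 10


def luhn_valid(number: str) -> bool:
    """True if the last digit is the correct check digit for the preceding ones.
    Luhn catches every single-digit transcription error and most adjacent transpositions."""
    return (number.isdigit() and len(number) > 1
            and luhn_check_digit(number[:-1]) == int(number[-1]))


def parse_segments(transaction: str) -> list[list[str]]:
    """Split a transaction set into segments, each a list of elements."""
    return [seg.split("*") for seg in transaction.strip().split("~") if seg]


@dataclass
class InboundControls:
    """State carried across inbound transactions: a receipt log and the last
    control number accepted from this trading partner."""
    log: list = field(default_factory=list)
    last_control_number: int = 0

    def validate(self, transaction: str) -> dict:
        segs = parse_segments(transaction)
        findings: list[str] = []
        st, se = segs[0], segs[-1]
        control = st[2] if st[0] == "ST" and len(st) > 2 else "?"

        # Control 1: log every inbound transaction on receipt, before validation.
        self.log.append({"control_number": control, "segments": len(segs)})

        # Control 2: the SE trailer's segment count must equal what actually arrived.
        if st[0] != "ST" or se[0] != "SE":
            findings.append("missing ST header or SE trailer")
        else:
            declared = int(se[1])
            if declared != len(segs):
                findings.append(f"segment count mismatch: trailer says {declared}, received {len(segs)}")
            if se[2] != control:
                findings.append("control number differs between ST and SE")

        # Control 3: check digit on the purchase order number (BEG03).
        for seg in segs:
            if seg[0] == "BEG" and not luhn_valid(seg[3]):
                findings.append(f"check digit failed for PO number {seg[3]}")

        # Control 4: sequential control numbers expose missed or duplicated messages.
        if control.isdigit():
            n = int(control)
            if n <= self.last_control_number:
                findings.append(f"duplicate or out-of-order control number {control}")
            elif n != self.last_control_number + 1:
                findings.append(f"gap in sequence: expected {self.last_control_number + 1:04d}, got {control}")
            self.last_control_number = max(self.last_control_number, n)

        # Control 5: reconcile line count and quantity hash total with the CTT segment.
        lines = [seg for seg in segs if seg[0] == "PO1"]
        qty_total = sum(int(seg[2]) for seg in lines)
        for seg in segs:
            if seg[0] == "CTT":
                if int(seg[1]) != len(lines):
                    findings.append(f"line count mismatch: CTT says {seg[1]}, found {len(lines)}")
                if len(seg) > 2 and int(seg[2]) != qty_total:
                    findings.append(f"hash total mismatch: CTT says {seg[2]}, computed {qty_total}")

        return {"control_number": control, "accepted": not findings, "findings": findings}


# Constructed sample input: a clean purchase order, then one with a short
# segment count, a transposed PO number and a skipped control number.
GOOD_PO = ("ST*850*0001~BEG*00*SA*79927398713**20240601~"
           "PO1*1*10*EA*2.50~PO1*2*5*EA*4.00~CTT*2*15~SE*6*0001~")
BAD_PO = ("ST*850*0003~BEG*00*SA*79927398731**20240602~"
          "PO1*1*10*EA*2.50~CTT*1*10~SE*4*0003~")

if __name__ == "__main__":
    controls = InboundControls()
    for po in (GOOD_PO, BAD_PO, BAD_PO):   # the repeat simulates a duplicated message
        result = controls.validate(po)
        print(result["control_number"], "accepted" if result["accepted"] else result["findings"])
```

Each control is independent, so one transaction can surface several findings at once; in the constructed second order the short segment count, the transposed PO number and the sequence gap are all reported, and sending it a second time is flagged as a duplicate rather than silently processed twice. The receipt log is written before any check runs, which is what gives the auditor a trail for rejected as well as accepted transactions.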
A point of sale (POS) is the place where a retail transaction happens. It is the point at which a customer makes a payment to the merchant in exchange for goods or services.
Debit and credit card transactions are the most common examples of POS. Data is captured at the time and place of sale. The risks associated with POS are as follows:
- Skimming, which refers to the unauthorized capturing of card data with the purpose of duplicating the card
- Unauthorized disclosure of PINs
An IS auditor should evaluate POS systems to ensure the security, reliability, and accuracy of the transactions processed through the system. The IS auditor’s objectives when auditing POS systems are as follows:
- To determine that data used for authentication (PIN/CVV) is not stored in the local POS system
- To determine that the cardholder’s data (either at rest or in transit) is encrypted
- To determine compliance with regulatory requirements such as PCI DSS
Electronic banking (e-banking) websites and mobile-based systems are integrated with the bank’s core system to support automatic transactions without any manual intervention. Automated processing improves processing speed and reduces opportunities for human error and fraud. However, e-banking increases the dependence on the internet and communication infrastructure.
Two risks associated with e-banking are as follows:
- Heavy dependence on internet service providers, telecommunication companies, and other technology firms. If these services go down or have issues, business operations can be interrupted.
- Cyber risks such as system hacking, system unavailability, and a lack of transaction integrity.
When evaluating e-banking systems, an IS auditor aims to ensure the security, reliability, and compliance of the banking platform. The IS auditor’s objectives when auditing an e-banking application are as follows:
- To validate the effectiveness of the governance and detect any oversight in e-banking activities
- To determine arrangements for the confidentiality, integrity, and availability of e-banking infrastructure
- To determine the effectiveness of security controls with respect to authentication and the non-repudiation of electronic transactions
- To review the effectiveness of the controls implemented for privacy laws
- To review anti-malware controls
- To review business continuity arrangements
EFT is the process through which money can be transferred from one account to another electronically, that is, without cheque writing and cash collection procedures.
Some of the risks associated with EFTs are as follows:
- Heavy dependence on internet service providers, telecommunication companies, and other technology firms
- Cyber risks such as system hacking, system unavailability, and a lack of transaction integrity
When evaluating EFTs, the IS auditor should ensure that the EFT system meets the necessary security and operational requirements. The IS auditor’s objectives when auditing EFT applications are as follows:
- To determine the availability of two-factor authentication for secure transactions.
- To ensure that systems and communication channels have undergone appropriate security testing.
- To determine that transaction data (either at rest or in transit) is encrypted.
- To determine the effectiveness of controls on data transmission.
- To review security arrangements for the integrity of switch operations: an EFT switch connects with all equipment in the network.
- To review the log capturing and monitoring process of EFT transactions. In the absence of paper documents, it is important to have an alternate audit trail for each transaction.
- To ensure that a key verification system is in place. Key verification is a method where data is entered a second time and compared with the initial data entry to ensure that the data entered is correct before any transaction takes place.
An image processing system processes, stores, and retrieves image data. An image processing system requires huge amounts of storage resources and strong processing power for scanning, compression, displays, and printing. Such systems are capable of identifying colors and shades. The use of image processing (in place of paper documents) offers increased productivity, immediate retrieval of documents, enhanced control over document storage, and efficient disaster recovery procedures.
Some of the risks associated with image processing are as follows:
- Implementation without appropriate planning and testing may result in the failure of the processing system; for example, altered or manipulated images could lead to misinformation.
- The workflow system may need to be completely redesigned to integrate with the image processing system.
- Traditional controls and audit processes may not be applicable to image processing systems. New controls must be designed for automated processes.
- Cyber risks such as system hacking, system unavailability, and a lack of transaction integrity are present.
The IS auditor’s objectives when auditing image processing applications are as follows:
- To determine the effectiveness of controls on the inputs, processing, and outputs of image processing systems
- To determine the reliability of the scanners used for image processing
- To review the retention process for original documents
- To determine that original documents are retained at least until a good image has been captured
- To review the confidentiality, integrity, and availability arrangements of image processing systems
- To review the training arrangements for employees to ensure that the processes of image scanning and storing are maintained as per the quality control matrix
Artificial intelligence (AI) and expert systems capture and utilize the knowledge and experience of individuals. They improve performance and productivity by automating processes that require skills and eliminate the need for manual intervention.
A knowledge base is the most important component of an AI/expert system. It contains information about a particular subject and rules for interpreting that information. The components of a knowledge base include the following:
- Decision trees: Questions to lead the user through a series of choices
- Rules: Rules that use if and then conditions
- Semantic nets: A knowledge base that conveys meaning
- Knowledge interface: Stores expert-level knowledge
- Data interface: Stores data for analysis and decision-making
The risks associated with AI are as follows:
- Incorrect decisions made or incorrect actions performed by the system due to incorrect assumptions, formulas, or databases in the system. Suppose a bank uses an AI system to calculate customers’ credit scores. If there is an error in the database or in the formula used to calculate the scores, it could produce incorrect credit scores, and the bank may end up rejecting the loan of a genuine, creditworthy customer.
- Cyber risks such as system hacking, system unavailability, and a lack of transaction integrity.
The IS auditor’s roles when auditing AI and expert systems are as follows:
- To assess the applicability of AI in various business processes and determine the associated risks
- To review adherence to documented policies and procedures
- To review the appropriateness of the assumptions, formulas, and decision logic built into the system
- To review the change management process for updating the system
- To review the security arrangements to maintain the confidentiality, integrity, and availability of the system
The following covers the important aspects from a CISA exam perspective:
Question: What is the major risk of EDI transactions?
Possible answer: The absence of agreement (in the absence of a trading partner agreement, there could be uncertainty related to specific legal liability).
Question: What is the objective of encryption?
Possible answer: To ensure the integrity and confidentiality of transactions.
Question: How are inbound transactions controlled in an EDI environment?
Possible answer: Inbound transactions are controlled via logs of the receipt of inbound transactions, the use of segment count totals, and the use of check digits to detect transposition and transcription errors.
Question: What is the objective of key verification control?
Possible answer: Key verification is generally used in EFT transactions, where another employee re-enters the same data with the aim of checking that the data is correct before any money is transferred.
Question: What is the objective of non-repudiation?
Possible answer: Non-repudiation ensures that a transaction is enforceable and that the claimed sender cannot later deny generating and sending the message.
Question: What is the most important component of the AI/expert system area?
Possible answer: Knowledge base: The knowledge base contains specific information or fact patterns associated with a particular subject matter and the rules for interpreting these facts. Therefore, strict access control should be implemented and monitored to ensure the integrity of the decision rules.
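The knowledge base components described earlier (in particular if/then rules) and the point made in the table that the integrity of the decision rules must be protected are illustrated by the following added example. It is constructed for this chapter and is not code from the book or from any expert-system product. A small loan-screening rule set is forward-chained over applicant facts, and the rule set is sealed with a SHA-256 digest recorded at the time a rule change is approved, so an unauthorized edit to the rules is refused before any decision is made. The rule contents, fact names, and the seal mechanism are all assumptions; detecting that rules were changed without approval is a different control from judging whether the approved rules are appropriate, which remains a review task for the auditor.

```python
# Added example (not from the book): a tiny rule-based expert system whose
# knowledge base is sealed with a hash, so unauthorised edits to the decision
# rules are detected before any inference runs. The loan rules, fact names
# and the SHA-256 seal are constructed for illustration.
import copy
import hashlib
import json

# Knowledge base: if/then rules over named facts.
LOAN_RULES = [
    {"id": "R1", "if": {"credit_history": "poor"}, "then": {"risk": "high"}},
    {"id": "R2", "if": {"debt_to_income": "high"}, "then": {"risk": "high"}},
    {"id": "R3", "if": {"credit_history": "good", "debt_to_income": "low"}, "then": {"risk": "low"}},
    {"id": "R4", "if": {"risk": "high"}, "then": {"decision": "refer_to_credit_officer"}},
    {"id": "R5", "if": {"risk": "low"}, "then": {"decision": "approve"}},
]


def seal_rules(rules: list) -> str:
    """Canonical JSON digest of the rule set, recorded by change management
    when a rule change is approved."""
    canonical = json.dumps(rules, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


APPROVED_SEAL = seal_rules(LOAN_RULES)


class RuleIntegrityError(RuntimeError):
    """Raised when the loaded rules differ from the approved, sealed version."""


def infer(facts: dict, rules: list, approved_seal: str) -> tuple[dict, list]:
    """Forward-chain the rules over the facts, refusing to run on an unsealed
    rule set. Returns the derived facts and the rule ids fired, in order."""
    if seal_rules(rules) != approved_seal:
        raise RuleIntegrityError("knowledge base does not match the approved seal")
    facts = dict(facts)
    fired: list = []
    changed = True
    while changed:
        changed = False
        for rule in rules:
            if rule["id"] in fired:
                continue
            if all(facts.get(k) == v for k, v in rule["if"].items()):
                facts.update(rule["then"])
                fired.append(rule["id"])
                changed = True
    return facts, fired


def decide(applicant: dict, rules: list = LOAN_RULES, approved_seal: str = APPROVED_SEAL) -> str:
    """Return the decision, or "undetermined" if no rule concludes one."""
    derived, _ = infer(applicant, rules, approved_seal)
    return derived.get("decision", "undetermined")


def tampered_rules() -> list:
    """Constructed unauthorised change: R1 is edited to treat poor history as low risk."""
    rules = copy.deepcopy(LOAN_RULES)
    rules[0]["then"] = {"risk": "low"}
    return rules


if __name__ == "__main__":
    print(decide({"credit_history": "good", "debt_to_income": "low"}))   # approve
    print(decide({"credit_history": "poor", "debt_to_income": "low"}))   # refer_to_credit_officer
    try:
        decide({"credit_history": "poor", "debt_to_income": "low"}, tampered_rules())
    except RuleIntegrityError as err:
        print("blocked:", err)
```

The seal only has value if it is stored and compared by something the rule editors cannot change, for instance a release record held by change management, and if every deployment of the system checks it before use; that is what turns the table's "strict access control should be implemented and monitored" into an observable control an auditor can test.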