CISA Certified Information Systems Auditor Study Guide - David L. Cannon - E-Book

David L. Cannon

Description

Prepare for CISA certification and improve your job skills with the training you'll receive in this valuable book. Covering the very latest version of the exam, it's packed with instruction on all exam content areas, including the most up-to-date regulations, IS auditing best practices, and compliances. You'll find practical exercises and plenty of real-world scenarios, just what you need for the CISA exam, and beyond.

Note: CD-ROM/DVD and other supplementary materials are not included as part of the eBook file.

Page count: 1057

Publication year: 2009




Table of Contents
Title Page
Copyright Page
Dedication
Acknowledgements
Introduction
What is the Job Market for Certified IS Auditors?
What Is the CISA Certification?
Why Become a CISA?
How to Become a CISA
Why Should I Buy This Book?
How to Use This Book and CD
What to Expect on the CISA Exam
How to Fail your CISA Exam
Test Taking and Preparation
10-Day Countdown
3-Day Countdown
1-Day Countdown
Test Morning
Plan on Using All 4 Hours
Read the Question Carefully
Done! The Exam Is Over
Getting Your CISA Awarded
Related Professional Certifications
Information Systems Security Practices
Auditing
Disaster Recovery and Business Continuity
Project Management
Physical Building Security
Assessment Test
Answers to Assessment Test
Chapter 1 - Secrets of a Successful IS Auditor
Understanding the demand for IS Audits
Understanding Policies, Standards, Guidelines, and Procedures
Auditor Role versus Auditee Role
Auditor Is an Executive Position
Understanding the Corporate Organizational Structure
Managing Projects
Summary
Exam Essentials
Review Questions
Answers to Review Questions
Chapter 2 - Audit Process
Establishing and Approving an Audit Charter
Preplanning the Audit
Performing an Audit Risk Assessment
Determining Whether an Audit Is Possible
Performing the Audit
The hierarchy of internal controls
Gathering Audit Evidence
Conducting Audit Testing
Reporting Your Audit Findings
Conducting Follow-Up Activities
Summary
Exam Essentials
Review Questions
Answers to Review Questions
Chapter 3 - IT Governance
Strategy Planning for Organizational Control
Overview of Tactical Management
Planning and Performance
Overview of Business Process Reengineering
Operations Management
Summary
Exam Essentials
Review Questions
Answers to Review Questions
Chapter 4 - Networking Technology
Understanding the Differences in Computer Architecture
Selecting the Best System
Overview of the Open Systems Interconnect (OSI) Model
Physical Network Design
Overview of Network Topologies
Network Cable Types
Network Devices
Network Services
Expanding the Network
Managing Your Network
Summary
Exam Essentials
Review Questions
Answers to Review Questions
Chapter 5 - Life Cycle Management
Governance in Software Development
Managing Software Quality
Overview of the Steering Committee
Change Management
Managing the Software Project
Overview of the System Development Life Cycle
Overview of Data Architecture
Decision Support Systems
Program Architecture
Centralization versus Decentralization
Electronic Commerce
Summary
Exam Essentials
Review Questions
Answers to Review Questions
Chapter 6 - IT Service Delivery
Nature of IT Services
IT Operations Management
Monitoring the Status of Controls
Capacity Management
Problem Management
Summary
Exam Essentials
Review Questions
Answers to Review Questions
Chapter 7 - Information Asset Protection
Understanding the Threat
Using Administrative Protection
Implementing Physical Protection
Using Technical Protection
Summary
Exam Essentials
Review Questions
Answers to Review Questions
Chapter 8 - Disaster Recovery and Business Continuity
Defining Disaster Recovery
Defining the Purpose of Business Continuity
Uniting Other Plans with Business Continuity
Summary
Exam Essentials
Review Questions
Answers to Review Questions
Appendix A - About the Companion CD
Glossary
Index
CISA Exam Objectives
Copyright © 2008 by Wiley Publishing, Inc., Indianapolis, Indiana
Published simultaneously in Canada
eISBN : 978-0-470-59596-1
No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher for permission should be addressed to the Legal Department, Wiley Publishing, Inc., 10475 Crosspoint Blvd., Indianapolis, IN 46256, (317) 572-3447, fax (317) 572-4355, or online at http://www.wiley.com/go/permissions
Limit of Liability/Disclaimer of Warranty: The publisher and the author make no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation warranties of fitness for a particular purpose. No warranty may be created or extended by sales or promotional materials. The advice and strategies contained herein may not be suitable for every situation. This work is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional services. If professional assistance is required, the services of a competent professional person should be sought. Neither the publisher nor the author shall be liable for damages arising herefrom. The fact that an organization or Website is referred to in this work as a citation and/or a potential source of further information does not mean that the author or the publisher endorses the information the organization or Website may provide or recommendations it may make. Further, readers should be aware that Internet Websites listed in this work may have changed or disappeared between when this work was written and when it is read.
For general information on our other products and services or to obtain technical support, please contact our Customer Care Department within the U.S. at (800) 762-2974, outside the U.S. at (317) 572-3993 or fax (317) 572-4002.
Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic books.
Library of Congress Cataloging-in-Publication Data is available from the publisher.
TRADEMARKS: Wiley, the Wiley logo, and the Sybex logo are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used without written permission. CISA and Certified Information Systems Auditor are trademarks or registered trademarks of Information Systems Audit and Control Association. All other trademarks are the property of their respective owners. Wiley Publishing, Inc., is not associated with any product or vendor mentioned in this book.
Dear Reader,
Thank you for choosing CISA: Certified Information Systems Auditor. This book is part of a family of premium quality Sybex books, all written by outstanding authors who combine practical experience with a gift for teaching.
Sybex was founded in 1976. More than thirty years later, we’re still committed to producing consistently exceptional books. With each of our titles we’re working hard to set a new standard for the industry. From the paper we print on, to the authors we work with, our goal is to bring you the best books available.
I hope you see all that reflected in these pages. I’d be very interested to hear your comments and get your feedback on how we’re doing. Feel free to let me know what you think about this or any other Sybex book by sending me an email at [email protected], or if you think you’ve found a technical error in this book, please visit http://sybex.custhelp.com. Customer feedback is critical to our efforts at Sybex.
Best regards,
Neil Edde
Vice President & Publisher
Wiley Publishing, Inc.
This book is a tribute to the students who attended our classes. Their infinite questions were instrumental in the creation of this Study Guide. I wish to express my appreciation to my past employers and clients for the opportunities that led me down this path.
I would like to express a special appreciation to the following people for their years of encouragement: Kristine Lindamood, Carl Adkins, Thomas Carson Jr., Jeff Kellum, Reno Marsh, Toni Spray, Dewayne Neagle, Scott Barber, Richard Darrell, William “Bill” Giles, Tim and Cynthia McDonald, Pat Cathey, Lori Martin, Gary Sprague, Lori Acree, Terry Perkins, Mike English, Sean Burke, Mike Pratt, Dianna Pickens, David Bassham, Timothy S. Bergmann, Brady Pamplin, Mark and Kris Herber, Wendy Stevens, Brian Wrozek, Frank Carter, Kris Lonborg, Joe Moore, Danney Jarmon, Bob Mahlstedt, Chris and Tammy Stevens, Daryl Luthas, Stephen Harding, Kirk Pingel, Darlene Miller, Matt Gair, Nan Robinson, Tarik Nasir, Gary and Michelle Ames, Mitch and Cindy Waters.
I thank my family (Del, Martha, Rose Ann, John, Joann, and my grandmother Josephine) for their support. In addition, I have been blessed to work with the best staff on this planet: Joe DeVoss, Melissa Robinson, Tom Kormondy, Kayla McGee, Alan Yue, Jon Murphy, and Steve Lineberry.
Semper Fidelis
—Dave Cannon
Acknowledgments
We would like to thank our Acquisitions Editor Jeff Kellum and Development Editor Lisa Bishop for their vision and guidance. Our Technical Editor Brady Pamplin was very helpful in providing his expert assistance during the writing of this book. We wish to thank Production Editor Rachel McConlogue for keeping the book on track, and for her tireless effort in ensuring that we put out the best book possible. We would also like to thank Copy Editor Sharon Wilkey, Compositor Craig Woods, Illustrators Mike Park and Jeffrey Wilson, Proofreader Jen Larsen, and Indexer Ted Laux for their polished efforts to make certain this second edition became a reality.
Introduction
This book is designed for anyone interested in taking the Certified Information Systems Auditor (CISA) exam. The CISA certification is one of the hottest in the market, with annual growth in excess of 28 percent, according to the Information Systems Audit and Control Association (ISACA), the administering organization.
It is a trend worldwide for organizations to have to implement and prove the existence of strong internal controls. You may have heard of a few of these, such as the following:
• Basel II accord for risk management in banking
• Sarbanes-Oxley Act (SOX) for public corporations
• Federal Information Security Management Act (FISMA)
• Payment Card Industry (PCI) standards for credit card processing
• Health Insurance Portability and Accountability Act (HIPAA)
These are just five of more than twenty high-profile regulations that demand audited proof of internal controls. Frankly, these result in a long list of opportunities for a CISA. This may be the opportunity that you have been looking for, especially if you come from a background of finance or technology.

What is the Job Market for Certified IS Auditors?

The CISA world is exploding. Corporations are hiring more consultants than ever before in an effort to obtain compliance before they get caught short. Consulting companies are hiring as many people as they can represent as qualified in an effort to service the same corporations. Small organizations are finding themselves at a competitive disadvantage if they’re unable to demonstrate the same level of internal controls to their larger customers. One of the fundamental rules of auditing is that participating in the remediation (fixing) of problems found during the audit would compromise the auditor’s independence. Under the rules of independence, the independent auditor must remain independent to certify the results as valid. A second, unrelated auditor should work on the remediation. The requirements for regulatory compliance are ongoing, and that means remediation at some level will be ongoing too. In other words, the auditor requirement is actually doubled. The opportunity for you is available right now.
For many years, organizations have undergone the scrutiny of financial audits. As financial systems have become more and more complex, automation has introduced a situation in which the integrity of financial records may be in question. An organization would hire a certified public accountant to review their financial records and attest to their integrity. Larger organizations would hire certified internal auditors to assist with normal internal controls of the business. Now, the long list of regulations requiring internal controls has focused attention on the information systems. Computers are now the house in which the financial records live. The CISA is the top credential for auditing IS and related internal controls.
This book is designed to help you become a well-respected CISA. We have been teaching CISA classes for several years and have some truly outstanding success stories. The test alone is a stepping-stone in your career. Our goal is to take you through the CISA test better than anyone else by showing you the “how and why” of IS auditing. If you are familiar with technology, this book will help you understand how the auditor must act to be successful. If you come from a financial background, we’re going to take you through an introductory tour of technology. The explanations in this book are technically correct and designed to be simple to understand.
Many opinions exist about how the information systems audit should be performed. This book covers the official auditing standards necessary for you to be successful. You’ll find that this book contains the valuable information necessary to operate a successful consulting practice. Initially our focus is on helping you pass your exam. However, this information will help you earn a great deal more than just a paper certificate, if you apply it.
Each chapter in this book has been arranged in a logical sequence focusing on a practical application. ISACA produces fine materials written by committees of authors. We have chosen to take a different route. We have written the material in this book in the sequence that we would use to teach you prior to an audit engagement. Every point that you read will carry through to the subsequent pages of this Study Guide. The analogy is comparable to building a pyramid. You’ll start with gaining a firm understanding of the basics and build your way up to the advanced material. We strongly suggest that you read the book in sequence, without skipping ahead.
One of our complaints about other study material is that it simply represents a brain dump of answers or contains excessive redundancy. We have tried our best to present the material in an orderly fashion and to provide supporting examples.

What Is the CISA Certification?

ISACA offers the most recognized certification in the world for IS auditors: the Certified Information Systems Auditor (CISA) certification. It is recognized worldwide by all corporations and governments. ISACA has members in more than 140 countries and is recognized as the leader in IT governance, control, and assurance. This association was founded in 1969 as the Electronic Data Processing Auditors Association, with an objective to develop international IS auditing and control standards. As a result, it has created the number one information systems audit certification in the world, the CISA.
ISACA controls and administers the CISA exam worldwide. More than 50,000 professionals have earned their CISA to date. Still, the demand exceeds the supply.

Why Become a CISA?

So, why become a CISA? The answer: credibility and opportunity. Many people proclaim themselves to be IS auditors. The majority of uncertified auditors are no more than well-meaning individuals who habitually violate the official audit standards. Here is a short list of the benefits associated with becoming a CISA:
Demonstrates proof of professional achievement The CISA certification provides evidence that you have prior experience and are able to pass a rigorous certification exam. The exam tests your knowledge of auditing practices related to information systems. The test itself is loaded with technical challenges that require a significant understanding of technology. The CISA certification shows that you understand the audit requirements and are able to lead a successful audit in accordance with widely accepted audit practices. The certification demonstrates to the world that your experience represents a significant value.
Provides added value to your employer Today’s employers are savvy to the value of training. Your CISA study is expected to illuminate new methods to improve your skills on the job. It’s fairly common for individuals to start their career by mimicking a more senior person performing a similar job (as the saying goes, monkey see, monkey do). Our goal is to shine the light on specific practices that you should have been following, even if you never heard of them before. Your job performance will improve after you learn the proper foundation and CISA resources.
Provides an assurance of quality to your clients Audit clients are a demanding breed of individuals. The fate of the client’s organization may rest on the findings detailed in the auditor’s report. There is little room for mistakes. The CISA credential indicates that you are a person who can be trusted to deliver accurate results. Who would you trust to represent you: a person with no proof, or someone who can demonstrate a measure of credibility? The person reading the audit report needs to understand that your work is accurate. The client will direct capital and resources to be expended according to the report you provide. The CISA certification represents a third-party audit of your personal knowledge. It helps prove your credibility.
Increases your market value The IS audit market is exploding at a phenomenal rate. The CISA credential helps separate you from the mass of self-proclaimed auditors. Many organizations regard the CISA as the hallmark of professionalism. There is no better way to attract the favorable attention of management. It does not matter whether you’re internal or external to the organization—the credential speaks for itself. The requirements called for in government regulations are becoming a growing concern for executives. Your customer may not understand all the details necessary to describe the job of an auditor; however, your client will recognize that an auditor with the CISA certification should be able to fulfill their needs. In addition, audit firms can bill more money for certified professionals.
Provides a greater opportunity for advancement Every organization strives to hire good people who are motivated. What does the lack of certification say about someone? Is it that they are unmotivated? Could it be that they are not capable? Or is it simply that they are afraid to try? No manager in their right mind would promote an individual who has not proven their value. Taking the time to get trained and certified shows the world that you are motivated, that you are somebody who wants to get things done. That trait alone can get you promoted. Instead of using words to describe your ability, you can prove it with your CISA credential. People will know that you’re serious about your job and will treat you accordingly.
Builds respect and confidence from other people The world today is extremely specialized. Consider that many things of premium value in today’s world are certified. We have certified used cars, certified mail, certified public accountants, certified travel agents, certified lawyers, and even certified Subway sandwich artists. The people you meet may not completely understand what is involved in being a CISA. However, they will understand that you have expended time and energy to obtain the certification. You will gain their respect because of the effort you’ve demonstrated. If given the choice, almost everyone would choose to use a person who is certified. The CISA is a major step toward the widespread credibility that you desire.

How to Become a CISA

The CISA designation is given to individuals who have demonstrated their ability to fulfill the following five requirements:
Pass the CISA exam The CISA examination is offered two times a year, once in June and again in December. You have to register for the test three months before it is administered. You can register online at www.isaca.org or by mail. You take the test with pencil and paper in front of a live test proctor. The examination is 200 multiple-choice questions that will take approximately 4 hours. A grade of 75 percent is required to pass the CISA examination. There is a 4-hour time limit.
Professional experience in information systems auditing, control, or security To qualify for certification, you must demonstrate five years of IS auditing experience. ISACA will accept up to two years of substitution toward the work experience requirement, as follows:
Related experience substitution You can substitute a maximum of one year of experience from financial or operational auditing, or from information systems experience.
College credit hour substitution The equivalent of an associate or bachelor’s degree can be substituted for one or two years, respectively (60 hours or 120 hours).
University instructor experience substitution A full-time university instructor can substitute two years of on-the-job experience toward one year of the IS auditing control or information security experience.
Your CISA test results are valid for five years from the examination date. Even without any experience at this time, you can take the examination. Certification will be awarded only after you have provided verification of desired work experience (of five years or the equivalent). ISACA limits acceptable experience to that which has occurred within 10 years prior to your application date.
Continuous adherence to ISACA’s code of professional ethics Trust and integrity are paramount to the auditor’s profession. You will be required to pledge your ongoing support for adherence to the IS auditor’s code of professional ethics.
Continuing education in the profession You are required to continuously improve your skills. Continuing education is the best method of maintaining an individual’s competency. Learning new skills with new certifications will improve your professional abilities. Demonstrating a commitment to continuing education differentiates qualified CISAs from those who have not fulfilled their professional responsibilities. You will be required to demonstrate a minimum of 20 contact hours of training each year, which must total 120 contact hours in a three-year period.
Adherence to well-established IS auditing standards The purpose of auditing standards is to ensure quality and consistency. An auditor who fails to meet the standards places themselves and the profession in peril. ISACA provides excellent information to guide auditors through their professional responsibilities. The auditing standards are based on well-recognized professional practices applied worldwide.

Why Should I Buy This Book?

If you’re serious about becoming a professional CISA auditor, you should buy this book to study for your exam. If you’re curious about becoming an auditor, you should buy this book to learn how the job is actually done.
The people entering the CISA profession are usually one of the following:
• IT professionals with a desire to expand into the lucrative world of consulting
• Financial professionals looking for upward mobility with new challenges
• Internal auditors seeking to demystify the control issues within IT
This book is unique in the field of IS auditing. You will benefit from this book by learning the methods necessary to be a successful auditor. Each chapter builds step-by-step toward obtaining your goal. This book provides important details about how to accomplish your job, the exam objectives for each chapter, and all of the most important auditing concepts.

How to Use This Book and CD

This book is organized into eight chapters. Each begins with a list of chapter objectives that relate directly to the CISA exam.
An “Exam Essentials” section appears near the end of every chapter to highlight the topics that you’re likely to encounter during your exam. These exam essentials are intended to provide guiding thoughts rather than a laundry list of details. Our goal is to help you focus on the higher-level objectives from each chapter as you move into the next chapter.
At the end of every chapter are approximately 35 review questions with explanations. You can use these review questions to help gauge your level of understanding and better focus your study effort. As you finish each chapter, you should review the questions and check whether your answers are correct. If not, you should really read the section again. Look up any incorrect answers and research why you may have missed the question. It may be a case of failing to read the question and properly considering each of the possible answers. It could also be that you did not understand the information. Either way, going through the chapter a second time would be valuable.
We have included several other testing features in the book and on the companion CD. Following this introduction is an Assessment Test that will help you gauge your study requirements. Take this test before you start reading the book. It will help you identify areas that are critical to your success. The answers to the assessment test appear after the last question. Each question includes a short explanation with information directing you to the appropriate chapter for more information.
Included on this book’s CD are two bonus exams of 80 questions each. In addition, there are more than 300 flash cards. You should use this Study Guide in combination with your other materials to prepare for the exam.
Take these practice exams as if you were taking the real exam. Just sit down and start the exam without using any reference material. We suggest that you study the material in this book in conjunction with the related ISACA references on IS auditing standards. The official CISA exam is very challenging. Most individuals will barely finish the exam before time runs out. Fortunately for you, our students have a high success rate. You have it within you to become the next certified CISA.
You are ready for your CISA exam when you score higher than 90 percent on the practice examinations and chapter reviews.
A copy of this book is on the CD in Adobe Acrobat PDF format for easy reading on any computer.
The practice exams included on the CD are timed to match the pace of your actual CISA exam.

What to Expect on the CISA Exam

Certainly you are curious about the types of questions you will encounter on the exam. ISACA is very protective of the actual test questions. Let’s look at how the test is designed:
• The CISA exam is not an IT security test. Candidates will be expected to understand the basic concepts and terminology of what they will be auditing. However, security knowledge alone will not help candidates pass the test.
• The CISA exam is not a financial auditor exam. Candidates are not expected to be accounting technicians or to perform complex financial transactions.
• The CISA exam is not a computer technician exam. Candidates are not expected to build computers or to configure network devices. They are expected to understand the common terminology.
• The entire focus is on how to apply the structured rules of financial auditing to the abstract world of managing information technology.
By properly studying this book, you will better understand the hows and whys of being a successful CISA. Just remember, the IS auditor is a specially trained observer and investigator. We don’t actually fix problems; we report findings after using a structured process of investigation. Understanding how to get the right evidence is the key.

How to Fail your CISA Exam

The CISA exam is based on ISACA’s auditing standards and the application of the Statement on Auditing Standards (SAS). Abstract concepts of IT require the auditor to use a different approach to auditing. Adults learn by direct experience or by speaking with other people. Here are the two ways to fail your exam:
Rehearsing practice questions more than twice One bad habit is to rehearse by using practice questions. The brain stops learning after the second pass over the same question, and then it starts memorizing the wording. This causes the brain to record the answer as rote memory rather than to learn the information. As a result, you will likely miss the correct answer on your exam because of the different way ISACA presents the questions and answer choices. Another problem is using questions from the Internet that cannot be traced to an official source. Bad questions make the seller money while programming your mind with the wrong information. Beware of ghostly sellers hiding behind websites without full contact information prominently displayed. I suggest you stick to the questions in this book or use the ISACA official practice questions. Stop rehearsing the same question after two passes. Instead, reread the corresponding section in the book.
Improper study preparation The CISA exam is designed to prevent cram study. You will discover that the structure of the exam questions is rather convoluted. Some of the answer choices will barely fit the question. Just select the best choice that honors the spirit and intent of our audit objectives. It’s possible that the best answer is only 51 percent correct. Go with the 51 percent answer if that is the best choice available. This confusion is intentional, to prevent the test taker from using rote memory. The best study technique is to read about 1 hour per night while taking manual notes. Be sure to read all the sections—every page. Previous CISA candidates were quite perturbed to discover that the area they assumed to be their strongest was instead where they scored poorly. You may have many years of experience in the subject, but what matters is that your view agrees with ISACA’s exam. I have not heard of a single person getting a better score after protesting an official exam question. ISACA uses a professional testing company to run their exam. Protest a question if you must, but I’ll wager that you lose the protest and your protest fee in the end.

Test Taking and Preparation

The CISA examination is quite difficult unless you are prepared. Preparation requires good study habits and a well-planned schedule. You should review your notes at least 30 minutes per night, but not more than 2 hours per day. As we said, cramming for this examination will not work.
Let’s discuss preparations leading up to test day—specifically, the best method to arrange your schedule for that ace grade.

10-Day Countdown

Review each chapter in your Study Guide. Give extra attention to the subjects that you may have skimmed over earlier. The test is written from the viewpoint of an auditor, using directives from ISACA’s world.
Number one hint: Make sure you are reading from the auditor’s perspective.
You should review the flash cards on the accompanying CD. It is also an excellent technique to make your own flashcards by using 3” × 5” index cards. Take a dozen or two dozen to the office each day for random practice between meetings.
Be sure to run through the Bonus Exams on the CD. They are less difficult than the real test, but still a good resource to see where you stand. The value of these tests is in improving your resilience and accuracy.
Be sure to request a day of rest. Ask your boss for personal time. Use vacation time if necessary. Most employers will understand after you remind them of the limited testing dates.

3-Day Countdown

The exam location may be in a hotel, college, or convention center. It will save you a great deal of time and stress to drive over to visit the test site. You should do this even if you have been there recently. The room number for your test will be printed on your exam acceptance letter. Make it a point to locate the meeting room and physically walk up to touch the door. In colleges, it is possible that room 300 is a significant walk away from room 302. Arriving at the wrong building can ruin your day if it makes you late to the exam.
Convention centers are worse. Unknown to you, there may be a big trade convention over the upcoming weekend. Such an event will change the availability of parking in the area. It will also affect the long route you may have to walk in order to enter the examination room.
The best suggestion is to scout the area for a nearby place to eat breakfast. Plan to eat healthy before the exam begins.

1-Day Countdown

The best aid to a high score is to take off early on Friday. Remember, the exam is early on Saturday morning. Make a pact with your friends and family to leave you alone all day Friday. You may consider limiting your diet to simple foods, avoiding anything that is different than usual. This is not the time to experiment.
Make a pact with yourself: There are no errands or chores more important than passing the exam.
Go to bed earlier than usual. Do whatever it takes. You will need to be up and totally focused by 6 a.m. Try to go to bed by 10 p.m. Set two alarm clocks to get up on time. Put your favorite study materials together in a carrying bag. You will take them with you to the exam for a final glance before being seated for the test. The exam is a “closed book” test.
Do not attempt to cram on Friday night; it will work against you in a long test like the CISA. Just review your notes again. Be sure to run through the flash cards and chapter review questions.
We suggest people with a technical background review Chapter 2, “Audit Process,” and Chapter 3, “IT Governance,” twice. If you have a financial background, the best advice is to reread Chapter 4, “Networking Technology,” and Chapter 7, “Information Asset Protection.” Practicing drawing the diagrams and models on a separate sheet of paper will help you understand the specific wording of questions and make it easier to select the correct answer. Be prepared to redraw the models from memory during your exam.

Test Morning

Time to get up and get yourself moving. Be sure to arrive at the exam early. Test room locations have been known to change overnight, especially at college locations.
After arrival, you can sit in the hallway while you wait. This is an excellent time to make a final review of your notes. There is no advantage to being seated before 7:30 a.m. Just park yourself within a few feet of the door to ensure that you are not forgotten or missed. You can expect a long line at some test locations. Major cities may have 200-300 people sitting in different rooms.
Upon entering the room, ask if you can draw inside the test booklet. Tell the proctor you like to make longhand notes when solving problems. Usually the booklet will never be reused, so you can mark in it all day long.
You can make notes to yourself in the booklet and mark your favorite answer, and then just transfer the answer from the test booklet to the answer sheet. This technique really helps if you start jumping around or choose to skip a question for later. Consider drawing useful diagrams such as the OSI model on the inside back cover of the booklet. The proctor will tell you that only answers on the answer sheet will count toward your score.

Plan on Using All 4 Hours

You should expect the test to take the entire 4 hours. Manage your time carefully to avoid running out of time before finishing the test. It is advisable to plan ahead for both pace and breaks. The exam proctor will usually allow you to take restroom breaks as long as you do not talk to anyone about the exam while out of the room. You might find it helpful to reduce fatigue by just taking a walk to the restroom and then splashing water on your face. One trip per hour seems to work fine. Most test takers will finish in the last 10 minutes before time is called by the proctor.

Read the Question Carefully

Read each question very carefully! The questions are intentionally worded differently from this Study Guide. For overly confusing questions or ones that you are not sure of, try reading them twice or even three times.
On the first pass, circle the operative points in the question, such as the words “not,” “is,” “best,” “and,” “or,” and so on. Next, underline the nouns or the subject of the question. For example, if the question is “The purpose of controls is to…,” you would underline “purpose” and circle the word “is.”
On the second pass, ensure that you understand the implied direction of the question and its subject. Is the question a positive (is) or negative (is not) implication? Watch for meanings that are positive, negative, inclusive, or exclusive. A common technique used for writing test questions is to imply terminology associations that should not exist or vice versa. Do not violate the intent of the question or answer. Most people fail a question by misreading it.
On the third pass, dissect the available answers by using a similar method. Watch for conflicting meaning or wrong intent.
Place a star next to any question in the booklet when you have doubts about your answer. You can return to the question before turning in your answer sheet. (This keeps your answer sheet clean of any stray marks.)
For your final check, you can compare the answers marked in the test booklet to your answer sheet. Remember that there is no penalty for wrong answers. Do not leave any blank. Just take a guess if you must.

Done! The Exam Is Over

Plan for a relaxing activity with your family or friends after the exam. We suggest you plan something that is fun and doesn’t require mental concentration; you will be mentally worn out after the exam. Do not punish yourself by looking up the answers for a particular test question. The test is over.
You should receive your score from ISACA in about five to seven weeks. It may be by email or a simple one-page letter.
We wish you all the best. Good luck on your exam.

Getting Your CISA Awarded

A notice of your official score will be mailed or emailed to you six to eight weeks after the exam. You should expect the mailed letter to be two pages stating that you either failed or passed. ISACA will inform you of your score. Contesting a score is usually a waste of effort.

Related Professional Certifications

Although this book focuses on ISACA’s CISA certification, there are many more certifications you should consider for your professional advancement. This section offers a sampling of the more commonly known professional certifications that cover many of the same topics that the CISA does. This list is not inclusive of all certifications. It focuses only on vendor-neutral certification, which provides an unbiased view of the issues facing all vendors and customers.
It is important to be able to separate performance claims (smoke) from truly effective function (results). Results are measured by the greatest effect on the ultimate need, not by the use of a particular computer software package. There is a big difference between managing and just being an application operator. Persons with the following certifications should be versed in the basics for success in their field.

Information Systems Security Practices

The following certifications are focused on IS security topics:
Certified Information Systems Security Professional (CISSP) This exam, administered by the International Information Systems Security Certification Consortium, or (ISC)2, covers the 10 knowledge areas of information security. Certification requires passing the exam plus five years of IS security experience.
Systems Security Certified Practitioner (SSCP) This exam, administered by (ISC)2, covers 7 of the 10 knowledge areas of information security. Certification requires passing the exam plus two years of IS security experience. SSCP is a subset of the CISSP subject material. CertTest recommends that you attend the CISSP course to ensure that you receive all the training necessary for your future.
Certified Information Security Manager (CISM) CISM is intended for managers. The CISM certification provides a different level of practices when compared to the CISSP. This exam is administered by ISACA. CISM covers the more advanced areas of risk management, specific management controls, and governing IS security. Certification requires passing the exam plus five years of experience in IS auditing, control, or security. Your CISA experience can count toward the work experience.
Security+ This exam, administered by the Computing Technology Industry Association, or CompTIA (www.comptia.org), is an entry-level security certification. It covers a fraction of the topics covered in the CISSP certification. Security+ is not intended to be a prerequisite for CISM or CISSP. Security+ is good for beginners and individuals who would not be able to meet the work experience of the other certifications.

Auditing

In addition to the CISA, a few of the other certifications focus on auditing, including the following:
Certified Internal Auditor (CIA) This certification, administered by The Institute of Internal Auditors (www.theiia.org), requires passing a four-part exam. The exams may be taken separately or combined in any order. Each part is 125 multiple-choice questions. In addition, candidates must have a bachelor’s degree or equivalent, plus 24 months of internal auditing experience.
Certified Fraud Examiner (CFE) This certification, administered by the Association of Certified Fraud Examiners (www.acfe.org), requires passing the exam plus a bachelor’s degree and two years of fraud detection-related work experience in the areas of accounting, auditing, fraud investigation, criminology, loss prevention, or law.
Information Assessment Methodology (IAM) This certification, administered by the U.S. National Security Agency (www.nsa.gov), requires U.S. citizenship with at least two years of experience in information system security and/or IS auditing. This certification was originally created by presidential executive order and is now mandated by U.S. Homeland Security Directive/HSPD-7. IAM certification is designed for system administrators and auditors working on government systems, critical infrastructure, and commercial systems.
Information Evaluation Methodology (IEM) IEM is a new certification that extends the IAM to include hands-on technical testing and formal evaluation of IS systems by using the NSA’s official evaluation methodology. Certification is administered by the U.S. National Security Agency. The only way to get certified is to attend the actual class and perform the labs in person under the supervision of the NSA’s official instructor. You must complete all the labs in person, just like taking your driving test to get a driver’s license.

Disaster Recovery and Business Continuity

The following certifications focus on disaster recovery and business continuity topics:
Associate Business Continuity Professional (ABCP) This certification, administered by the Disaster Recovery Institute International, or DRII (www.drii.org), covers the 10 best practices of disaster recovery and business continuity. The Associate covers the same material as the CBCP, but does not require any work experience.
Certified Business Continuity Professional (CBCP) This certification, also administered by DRII, requires passing the CBCP exam, plus you must have two years of experience as a business continuity/disaster recovery planner.
Master Business Continuity Professional (MBCP) This certification, also administered by DRII, requires participation in the DRII Masters program along with passing a qualifying exam and then the MBCP exam. You must also have five years of practical experience.
Fellow of the Business Continuity Institute (FBCI) This certification, administered by the Business Continuity Institute (www.thebci.org), is based on a points-scoring system.

Project Management

The following certifications focus on project management:
Certified Associate in Project Management (CAPM) This certification, administered by the Project Management Institute (www.pmi.org), requires passing the CAPM exam plus 23 hours of formal PMI training or 1,500 hours of project management-related work experience. The CAPM test covers a reduced version of the PMP content areas. CertTest recommends that all CAPM candidates follow the complete PMP study curriculum to ensure you receive the full training necessary for a leadership role. The secret is to show your boss that you have been trained with as much knowledge as a PMP. This will help you advance, even though you are still building your hours of experience.
Project Management Professional (PMP) This certification, also administered by the Project Management Institute, covers 44 process areas of project management. Certification requires 35 hours of formal PMI training with 4,500 hours of project management-related work experience if you have a four-year college degree. Alternatively, you can qualify with 7,500 hours of experience and a high school diploma. PMI will check your work references before you can schedule your exam. The PMP exam is a 4-hour computer-based test that you must take in person at your nearest Prometric testing center. You are officially a PMP after your experience is accepted and you pass your exam.
Project+ This entry-level certification is administered by CompTIA. Certification is obtained via a computer-based exam at your nearest Prometric test center. No work experience is required. Project+ is not intended to be a prerequisite for CAPM or PMP.

Physical Building Security

The following certifications focus on physical building security topics:
Physical Security Professional (PSP) This certification is administered internationally by ASIS International (www.asisonline.org). Certification requires passing the exam plus a high school diploma and five years of verified security-related work experience.
Certified Protection Professional (CPP) This certification, also administered internationally by ASIS International, requires passing the exam plus a bachelor’s degree and nine years of verified security-related work experience. A minimum of three years of your experience must be in security management.
CertTest Training Center, the training center we teach at, offers many classes for a number of these certifications. In addition, we offer a SuperHERO course, which covers project management, CISM/CISSP for IS security, and business continuity. For more information, visit our website at www.certtest.com.

Assessment Test

1. What are the qualifications of the incident commander when responding to a crisis?
a. Member of management
b. First responder
c. Trained crisis manager
d. First person on scene
2. Which of the following would be a concern that the auditor should explain in the audit report along with their findings?
a. Detailed list of audit objectives
b. The need by the current auditor to communicate with the prior auditor
c. Undue restrictions placed by management on evidence use or audit procedures
d. Communicating results directly to the chairperson of the audit committee
3. What are the different types of audits?
a. Forensic, accounting, verification, regulatory
b. Financial, compliance, administrative, SAS-74
c. Information system, SAS-70, regulatory, procedural
d. Integrated, compliance, operational, administrative
4. What indicators are used to identify the anticipated level of recovery and loss at a given point in time?
a. RTO and SDO
b. RPO and ITO
c. RPO and RTO
d. SDO and IRO
5. What is the principal issue surrounding the use of CAAT software?
a. The capability of the software vendor.
b. Documentary evidence is more effective.
c. Inability of automated tools to consider the human characteristics of the environment.
d. Possible cost, complexity, and the security of output.
6. Which is not a purpose of risk analysis?
a. Supports risk-based audit decisions
b. Assists the auditor in determining audit objectives
c. Ensures absolute safety during the audit
d. Assists the auditor in identifying risks and threats
7. Which of the following answers contains the steps for business process reengineering (BPR) in proper sequence?
a. Diagnose, envision, redesign, reconstruct
b. Envision, initiate, diagnose, redesign, reconstruct, evaluate
c. Evaluate, envision, redesign, reconstruct, review
d. Initiate, evaluate, diagnose, reconstruct, review
8. Which of the following functions should be separated from the others if segregation of duties cannot be achieved in an automated system?
a. Origination
b. Authorization
c. Correction
d. Reprocessing
9. At which layer of the OSI model does a gateway operate?
a. Layer 6
b. Layer 3
c. Layer 7
d. Layer 5
10. What is the purpose of the audit committee?
a. To provide daily coordination of all audit activities
b. To challenge and review assurances
c. To govern, control, and manage the organization
d. To assist the managers with training in auditing skills
11. What does the third layer of the OSI model equate to in the TCP/IP model?
a. Network
b. Internet
c. Data-Link
d. Transport
12. What are three of the four key perspectives on the IT balanced scorecard?
a. Business justification, service-level agreements, budget
b. Organizational staffing, cost reduction, employee training
c. Cost reduction, business process, growth
d. Service level, critical success factors, vendor selection
13. Which of the following statements is true concerning asymmetric-key cryptography?
a. The sender encrypts the files by using the recipient’s private key.
b. The sender and receiver use the same key.
c. The sender and receiver have different keys.
d. Asymmetric keys cannot be used for digital signatures.
14. How should management act to best deal with emergency changes?
a. Emergency changes cannot be made without advance testing.
b. All changes should still undergo review.
c. The change control process does not apply to emergency conditions.
d. Emergency changes are not allowed under any condition.
15. What is one of the bigger concerns regarding asset disposal?
a. Residual asset value
b. Employees taking disposed property home
c. Standing data
d. Environmental regulations
16. Which of the following is the most significant issue to consider regarding insurance coverage?
a. Salvage, rather than replacement, may be dictated.
b. Premiums may be very expensive.
c. Coverage must include all business assets.
d. Insurance can pay for all the costs of recovery.
17. Which of the following is required to protect the internal network when a wireless access point is in use?
a. Wireless encryption
b. Wired equivalent protection
c. Wireless application protocol
d. Network firewall
18. Digital signatures are designed to provide additional protection for electronic messages in order to determine which of the following?
a. Message deletion
b. Message sender verification
c. Message modification
d. Message read by unauthorized party
19. What is the primary purpose of database views?
a. Restrict the viewing of selected data
b. Provide a method for generating reports
c. Allow the user access into the database
d. Allow the system administrator access to maintain the database
20. Which of the following indicates why continuity planners can create plans without a business impact analysis (BIA)?
a. Management already dictated all the key processes to be used.
b. Not possible—critical processes constantly change.
c. Business impact analysis is not required.
d. Risk assessment is acceptable.
21. Segregation of duties may not be practical in a small environment. A single employee may be performing the combined functions of server operator and application programmer. The IS auditor should recommend controls for which of the following?
a. Automated logging of changes made to development libraries
b. Procedures that verify that only approved program changes are implemented
c. Automated controls to prevent the operator logon ID from making program modifications
d. Hiring additional technical staff to force segregation of duties
22. The auditor is permitted to deviate from professional audit standards when they feel it is necessary because of which of the following?
a. Standards are designed for discretionary use.
b. The unique characteristics of each client will require auditor flexibility.
c. Deviating from standards is almost unheard of and would require significant justification.
d. Deviation depends on the authority granted in the audit charter.
23. What does the principle of auditor independence mean?
a. It is not an issue for auditors working for a consulting company.
b. It is required for an external audit to prevent bias.
c. An internal auditor must undergo certification training to be independent.
d. The audit committee would bestow independence on the auditor.
24. What are the five phases of business continuity planning according to ISACA, for use on the CISA exam? (Select the answer showing the correct phases and order.)
a. Analyze business impact, develop strategy, develop plan, implement, test plan
b. Analyze business impact, develop strategy, develop plan, test plan, implement
c. Analyze business impact, develop plan, implement, test plan, write the plan
d. Analyze business impact, write the plan, test strategy, develop plan, implement
25. Using public-key infrastructure (PKI) encryption, which key is used by the sender for authentication of the receiving party?
a. Sender’s private key
b. Recipient’s private key
c. Sender’s public key
d. Recipient’s public key
26. Which of the following audit tools incorporates dummy transactions into the normal processing on a system?
a. Integrated test facility (ITF)
b. Snapshot
c. Program audit hooks
d. Continuous and intermittent simulation (CIS)
27. Which sampling method is used when the likelihood of finding evidence is low?
a. Discovery
b. Cell
c. Random
d. Stop and go
28. Which of the following would represent the greatest concern to an auditor investigating roles and responsibilities of the IT personnel?
a. An IT member is reviewing current server workload requirements and forecasts future needs.
b. An IT member monitors system performance, making necessary program changes and tracking any resulting problems.
c. An IT member tests and assesses the effectiveness of current procedures and recommends specific improvements.
d. An IT member works directly with the user to improve response times and performance across the network.
29. When auditing the use of encryption, which of the following would be the primary concern of the auditor?
a. Management’s control over the use of encryption
b. Strength of encryption algorithm in use
c. Key sizes used in the encryption and decryption process
d. Using the correct encryption method for compliance
30. Which method of backup should be used on computer files prior to starting a forensic investigation?
a. Bit stream
b. Logical
c. Differential
d. Full
31. Which of the following represents the hierarchy of controls from highest level to lowest level?
a. General, pervasive, detailed, application
b. Pervasive, general, application, detailed
c. Detailed, pervasive, application, detailed
d. Application, general, detailed, pervasive
32. What is the purpose of using the ACID principle with database applications?
a. Write the entire transaction to the master file or discard without making any changes.
b. Environmental protection to safeguard the server to ensure maximum uptime.
c. Each data transaction is step-linked to ensure consistency.
d. Unnecessary data is removed from the database for better performance.
33. Which key is used for decryption in public key cryptography to provide authentication of the person transmitting the message?
a. Sender’s private key
b. Recipient’s private key
c. Sender’s public key
d. Recipient’s public key
34. What is the principal purpose of using Function Point Analysis?
a. Verify the integrity of financial transaction algorithms in a program
b. Estimate the complexity involved in software development
c. Review the results of automated transactions meeting criteria for the audit
d. Provide system boundary data during the Requirements Definition phase
35. Which of the following is not one of the three major control types?
a. Preventative
b. Detective
c. Deterrent
d. Corrective
36. What is the primary objective in the third phase of incident response?
a. Containment
b. Lessons learned
c. Eradication
d. Analysis
37. After presenting the report at the conclusion of an audit, the lead auditor discovers the omission of a procedure. What should the auditor do next?
a. Log on to www.monster.com and change your current employment status to available.
b. Cancel the report if audit alternatives cannot compensate for the deficiency.
c. File an incident disclosure report with the audit association to minimize any liability.
d. No action is required as long as the omitted procedure is included in the next audit.
38. Which of the following management methods provides the most control rather than discretionary flexibility?
a. Distributed
b. Centralized
c. In-house
d. Outsourced
39. Executing the verify function during a tape backup is an example of which type of the following controls?
a. Corrective
b. Administrative
c. Preventative
d. Detective
40. Which of the following is the best representation of a soft token used for two-factor authentication?
a. Digital certificate
b. Key fob
c. Hash file
d. Strong password
41. In regards to the IT governance control objectives, which of the following occurrences would the auditor be least concerned about during execution of the audit?
a. Using the practice of self-monitoring to report problems
b. Using proper change control
c. Conflict in the existing reporting relationship
d. Production system without accreditation
42. Which of the following is not one of the primary methods used to implement physical controls, detective controls, and corrective controls?
a. Legal
b. Logical
c. Physical
d. Administrative
43. Which of the following statements is true concerning a software worm?
a. Must be executed by opening a file
b. Is a synonym for a virus
c. Freely travels across the network to infect other systems
d. Attaches itself to programs and data by the opening and closing of files
44. What is the purpose behind the system accreditation?
a. Hold management responsible for fitness of use and any failures
b. Provide formal sign-off on the results of certification tests
c. Improve the accuracy of forecasting in IT budgets
d. Make the user responsible for their use of the system
45. Which of the following techniques is used in the storage and transmission of a symmetric encryption key?
a. Key rotation
b. Generating a unique encryption key
c. Key wrapping
d. Generating a shared encryption key
46. Which of the following statements is true concerning the auditor’s qualified opinion?
a. The auditor has reservations about the findings.
b. The auditor is professionally qualified to give an opinion.
c. The auditor has no reservations about the findings.
d. The auditor has prior experience working in the IT department.
47. Which of the following situations should the auditor consider if the auditee has implemented six phases of the System Development Life Cycle (SDLC)?
a. The auditee is probably doing a good job with no concerns at this time.
b. The IT governance model has been implemented.
c. The auditee may be missing a critical function.
d. There are only five phases to the System Development Life Cycle.
48. Which backup method will copy only changed files without resetting the archive bit (archive flag)?
a. Physical
b. Incremental
c. Full
d. Differential
49. In using public-key infrastructure (PKI) encryption, which key is not used by the recipient for decrypting a message?
a. Sender’s private key
b. Recipient’s private key
c. Sender’s public key
d. Recipient’s public key
50. Which of the following situations does not represent a reporting conflict?
a. Information security manager reporting to internal auditors
b. Employee reporting violations to their boss, who is also in charge of compliance
c. IT security reporting to the chief information officer
d. Self-monitoring and reporting of violations
51. What is the purpose of a digital signature?
a. Electronic marker showing the recipient that a sender actually sent a document
b. Provides the recipient with a method of testing the document received from a sender
c. Cyclic redundancy check to prove document integrity
d. Provides a copy of the sender’s public key along with the document
52. Which of the following is the best way to protect encryption keys from being compromised?
a. Storing the keys in a key vault rated server
b. Using a physically isolated system to generate the keys
c. Changing the encryption keys every four months
d. Limiting the use of individual keys
53. Which of the following statements is true concerning the role of management and the role of the auditor?
a. Management uses the auditor’s report before making their assertions.
b. Management must make their assertions prior to the auditor’s report.
c. The auditor is able to view only evidence that has been predetermined by management.
d. The auditor’s opinion will be based on the desire of management.
54. During a business continuity audit, it is discovered that the business impact analysis (BIA) was not performed. What would this indicate to the auditor?
a. The business continuity plan is likely to be a failure.
b. The customer was able to get their plan in place without using the BIA technique.
c. Risk analysis and their selection of the strategy fulfill their most important objectives.
d. It is not necessary to perform a business impact analysis.
55. What is the functional difference between identification and authentication?
a. Authorization is a match; identification is only a claim until verified.
b. Authentication is only a claim; identification is a verified match.
c. Identification is only a claim until verified; authentication is a match.
d. Identification is only a claim; authorization is a match.
56. Which of the following is the best way for an auditor to prove their competence to perform an audit?