Updated: Dec 31, 2020
The value of CISA
CISA stands for Certified Information Systems Auditor, the international IT-auditor qualification issued by ISACA. CISA holders are among the most sought-after professionals in the field; many of them hold senior positions at the big international accounting firms, professional consulting firms and well-known multinational companies.
According to the salary index and ranking of multiple information technology skills and certificates, CISA has been among the highest-paid certificates in the past three years.
According to the analysis of the British Government’s Cyber Security Skills Report, CISA is one of the most important certificates for employers when recruiting employees.
CISA is a prerequisite for the Australian Government's IRAP (Infosec Registered Assessors Program) assessor qualification, which is run by the Australian Signals Directorate.
The Securities and Exchange Board of India (SEBI) stipulates that vendors of Computer-to-Computer Link (CTCL) trading software must be audited by auditors holding a CISA/CISSP/ISA/DISA qualification. The Indian Income Tax Department requires e-return intermediaries to hold a CISA certificate or to have passed the ISA certification.
Passing the CISA exam and holding the certificate is a real advantage, both for individuals and for the organisations that employ them. CISA training gives students the knowledge and skills that IT audit and information security work requires, helps enterprises and institutions build a pool of qualified IT auditors, control and security staff, and makes preparation for the CISA exam itself more efficient.
1. IS audit and assurance standards, guidelines, tools, professional ethics
Information Technology Assurance Framework (ITAF):
a. IS audit and assurance standards: mandatory requirements, in three groups
General standards: the basic principles that apply to every audit (independence, objectivity, due care)
Performance standards: cover how engagements are planned, performed and managed
Reporting standards: cover the types of report, the means of communication and the information communicated
b. IS audit and assurance guidelines: give guidance on applying the standards, covering audit approach and method
c. Tools and techniques (also called procedures): provide methods, tools and templates.
The relationship between the three: IS auditors must comply with the standards; the guidelines help them apply the standards; and the tools and techniques give examples of concrete procedures and steps.
2. Risk assessment concepts, tools, and techniques
Definition of risk: "Risk is the potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organization." (ISO/IEC PDTR 13335-1)
The five-step process of risk assessment:
Identify business objectives (BO, Business Objective)
Identify information assets (IA, Information Asset)
Conduct a risk assessment (RA, Risk Assessment): threat→vulnerability→possibility→impact
Carry out risk mitigation (RM, Risk Mitigation): implement relevant controls
Carry out risk treatment (RT, Risk Treatment)
Risk-based 5-step audit:
Collect information and plans
Understand internal control
Execute compliance test
Perform substantive testing
Complete the audit and report
Audit risk: the risk that a material error exists in the information under review and is not detected during the audit.
Inherent Risk: the risk inherent in the business itself, i.e. the level of risk in the absence of any controls.
Control Risk: the risk that a material error will not be prevented or detected by the internal controls that are in place.
Detection Risk: the risk that the auditor's own procedures fail to detect a material error, so that the auditor draws the wrong conclusion.
Overall Audit Risk: the combined assessment of the individual audit risks for each control objective.
Audit materiality (Materiality): the magnitude of error that the organization would regard as significant in the context of the problem.
Sampling cannot detect every error in the population, but it can reduce detection risk to an acceptable level.
Small errors may not be serious, but when they are combined, they may make the nature of these errors significant.
Materiality requires reasonable judgment by IS auditors, and it is difficult to determine materiality.
4 methods of risk disposal (the acceptable standard of risk should be determined first):
Reduce risk (Mitigate): take appropriate controls to reduce risk
Accept the risk (Accept): Under the risk acceptance standard of the organization, accept the risk
Avoid risk (Avoid): stop the business activities that generate risks, thereby avoiding risks
Transfer risk (Transfer): transfer risk to other organizations
3 techniques of risk assessment:
Qualitative: rank likelihood and impact on descriptive scales (high/medium/low)
Quantitative: express likelihood and impact as numbers (probabilities, monetary loss)
Combine the two (semi-quantitative): numeric scores attached to qualitative categories
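As an added illustration of the five-step process above (identify assets, assess threat→vulnerability→likelihood→impact, apply controls, then treat what remains) together with the four treatment options, the following Python script walks a small constructed risk register through a semi-quantitative scoring scheme. It is example code written for this page, not ISACA material: the 1-5 scales, the control-effectiveness figures, the acceptance threshold and the decision rules for accept/mitigate/transfer/avoid are all assumptions chosen for the demonstration, and the sample risks are made up.

```python
from dataclasses import dataclass, field


# Assumed semi-quantitative rubric (not from ISACA): likelihood and impact are
# ordinal 1-5 scores, so inherent risk ranges from 1 to 25.
@dataclass
class Control:
    name: str
    effectiveness: float  # assumed fraction of remaining likelihood removed, 0.0-1.0


@dataclass
class Risk:
    asset: str                       # information asset (step 2)
    threat: str                      # threat (step 3)
    vulnerability: str               # vulnerability the threat would exploit
    likelihood: int                  # 1 = rare .. 5 = almost certain
    impact: int                      # 1 = negligible .. 5 = severe
    controls: list[Control] = field(default_factory=list)
    transferable: bool = False       # can the residual loss be insured/outsourced?


def inherent_score(r: Risk) -> int:
    """Risk with no controls applied: likelihood x impact."""
    return r.likelihood * r.impact


def residual_likelihood(r: Risk) -> float:
    """Each control removes its share of whatever likelihood is still left.
    The floor of 1.0 models the fact that no control makes a threat impossible."""
    remaining = float(r.likelihood)
    for c in r.controls:
        remaining *= 1.0 - c.effectiveness
    return max(1.0, remaining)


def residual_score(r: Risk) -> float:
    return residual_likelihood(r) * r.impact


def choose_treatment(r: Risk, appetite: float) -> str:
    """Pick one of the four treatments against an assumed acceptance threshold.
    Rules (assumptions for this example): within appetite -> accept; severe impact
    that stays likely despite controls -> avoid (stop the activity); otherwise
    transfer when the loss can be insured/outsourced, else mitigate with new controls."""
    residual = residual_score(r)
    if residual <= appetite:
        return "accept"
    if r.impact >= 5 and residual_likelihood(r) >= 3:
        return "avoid"
    if r.transferable:
        return "transfer"
    return "mitigate"


def treatment_plan(register: list[Risk], appetite: float) -> list[tuple[str, int, float, str]]:
    """Return (asset, inherent, residual, treatment) sorted by residual risk, highest first."""
    rows = [(r.asset, inherent_score(r), residual_score(r), choose_treatment(r, appetite))
            for r in register]
    return sorted(rows, key=lambda row: row[2], reverse=True)


# Constructed sample register (hypothetical assets and figures).
REGISTER = [
    Risk("payments DB", "SQL injection", "unvalidated web input", 4, 5,
         controls=[Control("WAF", 0.5), Control("parameterised queries", 0.8)]),
    Risk("staff laptops", "theft", "no full-disk encryption", 3, 4),
    Risk("legacy FTP server", "credential sniffing", "cleartext protocol", 5, 5),
    Risk("offsite backup tapes", "loss in transit", "single courier", 2, 4,
         transferable=True),
]

RISK_APPETITE = 6.0  # assumed organisational acceptance threshold

if __name__ == "__main__":
    for asset, inherent, residual, treatment in treatment_plan(REGISTER, RISK_APPETITE):
        print(f"{asset:22s} inherent={inherent:2d} residual={residual:5.1f} -> {treatment}")
```

The compounding of control effectiveness, rather than simple subtraction, is what makes the payments-DB entry land in "accept": two partial controls together push the residual likelihood down to the floor. The FTP server shows the opposite case, where the only sensible answer is to retire the service rather than keep layering controls onto a protocol that cannot be fixed.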
3. Information system related control objectives and control measures
Two key contents of internal control: what to achieve and what to avoid.
Three categories of control: preventive, detective, corrective
5 key principles of COBIT5:
Meet the needs of stakeholders
End-to-end coverage of enterprises
Adopt a single integrated framework
Enable a holistic approach
Distinguish management and governance (the board is responsible for governance, and the management is responsible for management)
4. Audit planning and audit project management techniques
Three kinds of audit plan:
Short-term plan: the audit items to be carried out in the current year
Long-term plan: takes into account risk-related issues arising from changes in the organization's IT strategy and their effect on the IT environment
Individual audit assignment: the plan for a single audit engagement
The 8 steps of the audit process:
Audit subject: determine the area to be audited
Audit objectives: clear audit objectives
Scope of audit: determine the specific system, function or unit to be checked
Preliminary audit plan: determine required skills and resources; determine information sources for testing and inspection; determine audit locations and facilities
Audit procedures and steps: select test methods; determine interview subjects; collect policies and standards; develop audit tools
Evaluate the test and review results
Communicate the results to management