2. THE CISA CERTIFICATION
Certified Information Systems Auditor (CISA) is offered by
Information Systems Audit and Control Association
(ISACA).
The CISA examination is open to all individuals; no prerequisite
qualification or education is required.
CISA certification provides an avenue for gaining insights
into the various aspects of Information systems audit,
security and internal controls.
CISA certification is a base requirement for an Information
Systems Auditor.
3. THE CISA CERTIFICATION
The CISA examination and subsequent certification equip the
candidate with the knowledge required to:
Conduct IS Audits
Frame security policies and procedures
Implement Security policies and procedures
Manage Information Technology
Direct and Govern Information Technology
4. CISA CERTIFICATION: ELIGIBILITY,
REQUIREMENT, PROCESS
CISA certification
Required work experience
A minimum of 5 years of professional information systems
auditing, control or security work experience
The work experience for CISA certification must be gained
Within the 10-year period preceding the application date for
certification; OR
Within 5 years from the date of originally passing the exam
Process
Complete and submit a CISA Application for Certification
listing the details of professional experience in information
systems auditing, control or security work
5. CISA CERTIFICATION: MAINTENANCE
CISA Certification Maintenance
Minimum of 20 contact hours of CPE annually; and
Minimum of 120 contact hours during a fixed 3-year
period
6. CISA CERTIFICATION: EXAMINATION
STRUCTURE
Number of Questions
The exam is paper and pencil based
The exam consists of 150 multiple choice questions (MCQs)
No negative marking
Duration of Exam
4 hours or 240 minutes
1.6 minutes per question
Passing Score
A candidate must receive a scaled score of 450 or higher, on a scale
of 800, to pass the exam. A score of 450 represents a minimum
consistent standard of knowledge.
7. CISA CERTIFICATION: READING
MATERIALS
CISA Review Manual 2016/2015 (ISACA Official
Publication)
CISA Review Questions, Answers & Explanations
Manual, 11th
Edition (ISACA Official Publication)
Additional resources from the Internet
At least one mock test
8. CISA CERTIFICATION: READING
STRATEGIES
What I have followed
Reading CISA Review Manual thoroughly (at least 2 times)
Practicing the CISA Review Questions, Answers & Explanations
Manual until the terms, language and concepts of the questions are
understood
Maintaining regularity
Understanding the concept
Please don’t memorize anything; it will not work in the exam.
Group discussion
Note: This method does not work for everyone, so judge for yourself
what works for you and go for that
9. QUESTIONS OVERVIEW
The document used by the top management of organizations to delegate
authority to the IS audit function is the:
A. long-term audit plan.
B. audit charter.
C. audit planning methodology.
D. steering committee minutes.
Answer: B
The audit charter outlines the overall authority, scope and
responsibilities of the audit function to achieve the audit objectives
stated in it. This document serves as an instrument for the delegation of
authority to the IS audit function. Long-term audit planning relates to
those aspects of the audit plan that are impacted by the organization’s IT
strategy and environment. Audit planning commences only after the
audit charter has been approved by the highest level of management.
The audit planning methodologies are decided upon based on the
analysis of both long- and short-term audit issues. The steering
committee minutes should address the approval of the audit charter but
is not the driver that delegates authority.
10. QUESTIONS OVERVIEW CONTD..
To reduce the possibility of losing data during processing, the
FIRST point at which control totals should be implemented is:
A. during data preparation.
B. in transit to the computer.
C. between related computer runs.
D. during the return of the data to the user department.
Answer: A
Explanation:
During data preparation is the best answer, because it establishes
control at the earliest point.
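The explanation above is the whole point of batch control totals: capture them when the batch is prepared, then re-verify them after every later stage. The following is an added example, not code from the slides or from ISACA, showing the three classic totals (record count, amount total, hash total) computed at data preparation and re-checked after constructed "in transit" and "computer run" scenarios. The batch records, field names and scenarios are all constructed for illustration.

```python
# Added example (not from the slides): batch control totals established at data
# preparation and re-checked after each later stage, so a lost or altered record
# is detected at the earliest point. All batch data below is constructed.
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Record:
    account: int    # identifier field; summed only to form a hash total
    amount: float   # financial field; summed to form the amount total


def control_totals(batch: List[Record]) -> Dict[str, float]:
    """The three classic batch totals: record count, amount total, hash total."""
    return {
        "record_count": len(batch),
        "amount_total": round(sum(r.amount for r in batch), 2),
        "hash_total": sum(r.account for r in batch),
    }


def verify_totals(expected: Dict[str, float], batch: List[Record]) -> List[str]:
    """Compare the totals recorded at data preparation with the batch as it
    looks now; return one message per total that no longer agrees."""
    actual = control_totals(batch)
    return [f"{name}: expected {expected[name]}, got {actual[name]}"
            for name in expected if actual[name] != expected[name]]


# Constructed sample batch as it leaves the user department.
PREPARED_BATCH = [Record(1001, 250.00), Record(1002, 99.50), Record(1003, 1200.25)]


def demonstrate() -> Dict[str, List[str]]:
    """Run the same batch through three constructed scenarios and report what
    the control totals catch in each."""
    expected = control_totals(PREPARED_BATCH)   # captured at data preparation
    intact = list(PREPARED_BATCH)
    # A record dropped in transit to the computer: count, amount and hash all move.
    dropped = [r for r in PREPARED_BATCH if r.account != 1002]
    # A digit transposition in an account number during a computer run
    # (1003 -> 1030): the amount total still agrees, only the hash total moves.
    transposed = [Record(1030, r.amount) if r.account == 1003 else r
                  for r in PREPARED_BATCH]
    return {
        "intact": verify_totals(expected, intact),
        "dropped_record": verify_totals(expected, dropped),
        "transposed_account": verify_totals(expected, transposed),
    }


if __name__ == "__main__":
    for scenario, findings in demonstrate().items():
        print(scenario, "->", findings or ["all control totals agree"])
```

The hash total is the part auditors most often see omitted: summing a field with no arithmetic meaning (account numbers here) is what catches a transposition that leaves both the record count and the amount total unchanged.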
11. QUESTIONS OVERVIEW CONTD..
Information for detecting unauthorized input from a terminal
would be BEST provided by the:
A. console log printout.
B. transaction journal.
C. automated suspense file listing.
D. user error report.
Answer: B
Explanation:
The transaction journal would record all transaction activity,
which then could be compared to the authorized source documents
to identify any unauthorized input. A console log printout is not the
best, because it would not record activity from a specific terminal.
An automated suspense file listing would only list transaction
activity where an edit error occurred, while the user error report
would only list input that resulted in an edit error.
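To make the reasoning concrete, here is an added example (not from the slides or from ISACA) that parses a constructed transaction journal and reconciles every entry against a constructed register of authorized source documents, flagging entries with no source document or with an amount or account that does not match. The journal line format, the field names and every value in it are constructed for illustration; the grouping by terminal at the end shows why the journal, unlike a console log, lets a reviewer localize the problem to a terminal.

```python
# Added example (not from the slides): reconciling a transaction journal against
# the authorized source documents to surface input that nobody authorized.
# Journal format, field names and all entries below are constructed.
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed journal lines: timestamp, terminal, transaction id, account, amount, user.
JOURNAL_LINES = """
2016-03-01T09:15:02 TERM07 TXN0001 ACCT=1001 AMT=250.00 USER=jdoe
2016-03-01T09:16:40 TERM07 TXN0002 ACCT=1002 AMT=99.50 USER=jdoe
2016-03-01T09:20:11 TERM12 TXN0003 ACCT=1003 AMT=1200.25 USER=asmith
2016-03-01T09:31:05 TERM12 TXN0004 ACCT=1003 AMT=5000.00 USER=asmith
2016-03-01T09:45:59 TERM07 TXN0005 ACCT=1004 AMT=75.00 USER=jdoe
""".strip().splitlines()

# Constructed register of approved source documents: transaction id -> (account, amount).
AUTHORIZED_SOURCE_DOCS: Dict[str, Tuple[int, float]] = {
    "TXN0001": (1001, 250.00),
    "TXN0002": (1002, 99.50),
    "TXN0003": (1003, 1200.25),
    "TXN0005": (1004, 57.00),   # approved for 57.00 but keyed as 75.00
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<terminal>\S+) (?P<txn>\S+) ACCT=(?P<acct>\d+) "
    r"AMT=(?P<amt>[\d.]+) USER=(?P<user>\S+)$"
)


@dataclass(frozen=True)
class Finding:
    txn: str
    terminal: str
    user: str
    reason: str


def parse_journal(lines: List[str]) -> List[Dict[str, str]]:
    """Parse each journal line into its fields; refuse lines that do not fit,
    since a reconciliation that silently skips entries proves nothing."""
    entries = []
    for line in lines:
        match = LINE_RE.match(line.strip())
        if not match:
            raise ValueError(f"unparseable journal line: {line!r}")
        entries.append(match.groupdict())
    return entries


def reconcile(lines: List[str],
              authorized: Dict[str, Tuple[int, float]]) -> List[Finding]:
    """Compare every journal entry with its authorized source document."""
    findings: List[Finding] = []
    for entry in parse_journal(lines):
        doc = authorized.get(entry["txn"])
        if doc is None:
            findings.append(Finding(entry["txn"], entry["terminal"], entry["user"],
                                    "no authorized source document"))
            continue
        acct, amt = doc
        if int(entry["acct"]) != acct or abs(float(entry["amt"]) - amt) > 0.005:
            findings.append(Finding(
                entry["txn"], entry["terminal"], entry["user"],
                f"journal shows ACCT={entry['acct']} AMT={entry['amt']}, "
                f"source document says ACCT={acct} AMT={amt:.2f}"))
    return findings


def findings_by_terminal(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per terminal; the journal records the terminal for each
    entry, which is what lets a reviewer localize unauthorized input."""
    counts: Dict[str, int] = {}
    for finding in findings:
        counts[finding.terminal] = counts.get(finding.terminal, 0) + 1
    return counts


if __name__ == "__main__":
    found = reconcile(JOURNAL_LINES, AUTHORIZED_SOURCE_DOCS)
    for finding in found:
        print(finding)
    print(findings_by_terminal(found))
```

Note that a suspense file or user error report would have shown neither constructed finding: both TXN0004 and TXN0005 pass every edit check, and only the comparison with authorized source documents reveals them.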
13. QUESTIONS OVERVIEW CONTD..
The MOST effective way to ensure that outsourced service
providers comply with the organization’s information security
policy would be:
A. service level monitoring.
B. penetration testing.
C. periodically auditing.
D. security awareness training.
Answer: C
Explanation:
Regular audits can identify any gaps in information security
compliance. Service level monitoring can only pinpoint operational
issues in the organization’s operational environment. Penetration
testing can identify security vulnerabilities but cannot ensure
compliance with the policy. Training can increase users’ awareness of
the information security policy, but it is not more effective than
auditing.
14. QUESTIONS OVERVIEW CONTD..
A project manager of a project that is scheduled to take 18 months
to complete announces that the project is in a healthy financial
position because, after 6 months, only one-sixth of the budget has
been spent. The IS auditor should FIRST determine:
A. what amount of progress against schedule has been achieved.
B. if the project budget can be reduced.
C. if the project could be brought in ahead of schedule.
D. if the budget savings can be applied to increase the project
scope.
Answer: A
15. QUESTIONS OVERVIEW CONTD..
Explanation:
Cost performance of a project cannot be properly assessed in isolation from
schedule performance. Cost cannot be assessed simply in terms of elapsed
time on a project. To properly assess the project budget position it is
necessary to know how much progress has actually been made and, given
this, what level of expenditure would be expected. It is possible that project
expenditure appears to be low because actual progress has been slow. Until
the analysis of progress against schedule has been completed, it is impossible
to know whether there is any reason to reduce the budget; if the project has
slipped behind schedule, then not only may there be no spare budget, but it
is possible that extra expenditure may be needed to retrieve the slippage.
The low expenditure could actually be representative of a situation where
the project is likely to miss deadlines rather than potentially come in ahead
of time. If the project is found to be ahead of budget after adjusting for
actual progress, this is not necessarily a good outcome, because it points to
flaws in the original budgeting process; and, as said above, until further
analysis is undertaken, it cannot be determined whether any spare funds
actually exist. Further, if the project is behind schedule, then adding scope
may be the wrong thing to do.
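The explanation comes down to comparing what has been spent with what the completed work was worth, not with elapsed time. The following is an added example, not from the slides or from ISACA, that carries the question's scenario (18 months, 6 elapsed, one-sixth of budget spent) through the standard earned value formulas (planned value, earned value, actual cost, CPI, SPI). The budget figure of 600 and the two progress percentages are constructed; the question gives no such numbers.

```python
# Added example (not from the slides): judging cost performance only after
# measuring progress against schedule. The figures are constructed; the earned
# value formulas (PV, EV, AC, CPI, SPI) are the standard ones.
from dataclasses import dataclass


@dataclass(frozen=True)
class Assessment:
    planned_value: float    # PV: budget that should have been consumed by now
    earned_value: float     # EV: budget value of the work actually completed
    actual_cost: float      # AC: what has really been spent
    cpi: float              # EV / AC; above 1 means under cost for the work done
    spi: float              # EV / PV; below 1 means behind schedule
    verdict: str


def assess_project(budget: float, months_total: int, months_elapsed: int,
                   spent: float, percent_complete: float) -> Assessment:
    """Assess the budget position of a project given its measured progress.

    The same spend leads to opposite conclusions depending on progress, which
    is why progress against schedule must be determined FIRST.
    """
    if not 0 < months_elapsed <= months_total:
        raise ValueError("months_elapsed must be within the project duration")
    if not 0 <= percent_complete <= 100 or spent <= 0 or budget <= 0:
        raise ValueError("percent_complete, spent and budget out of range")
    planned_value = budget * months_elapsed / months_total
    earned_value = budget * percent_complete / 100
    actual_cost = spent
    cpi = earned_value / actual_cost
    spi = earned_value / planned_value
    if spi < 1:
        verdict = ("behind schedule: the low spend reflects slow progress, "
                   "not savings; extra expenditure may be needed to recover")
    elif cpi > 1:
        verdict = ("on schedule and under cost for the work done: review the "
                   "original budgeting before treating the difference as spare funds")
    else:
        verdict = "on schedule and at or over cost for the work done"
    return Assessment(round(planned_value, 2), round(earned_value, 2),
                      actual_cost, round(cpi, 4), round(spi, 4), verdict)


if __name__ == "__main__":
    # Constructed: 600 budget, 18 months, 6 elapsed, 100 spent (one-sixth).
    print(assess_project(600.0, 18, 6, 100.0, 20.0))        # slow progress
    print(assess_project(600.0, 18, 6, 100.0, 100 / 3))     # on plan
```

The two calls at the bottom use identical spend and elapsed time; only the measured progress differs, and it flips the verdict from "behind schedule" to "under cost", which is the auditor's reason for determining progress first.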