ISACA IS Audit and Assurance Standards, Guidelines, and Tools & Techniques, Code of Professional Ethics & other applicable standard.
https://www.infosectrain.com/blog/cisa-domain-1-part-3-the-process-on-auditing-information-systems/
2. https://www.infosectrain.com sales@infosectrain.com Page No.1
Overall understanding of the domain:
Weightage - This domain constitutes 21 percent of the CISA exam (approximately 32 questions)
Covers 11 knowledge statements on the process of auditing information systems:
1. ISACA IS Audit and Assurance Standards, Guidelines, and Tools & Techniques, Code of Professional Ethics & other applicable standards
2. Risk assessment concepts and tools and techniques in planning, examination, reporting and follow-up
3. Fundamental business processes & the role of IS in these processes
4. Control principles related to controls in information systems
5. Risk-based audit planning and audit project management techniques
6. Applicable laws and regulations which affect the scope, evidence collection and preservation, and frequency of audits
7. Evidence collection techniques used to gather, protect and preserve audit evidence
8. Different sampling methodologies & other substantive/data analytical procedures
9. Reporting and communication techniques
10. Audit quality assurance (QA) systems and frameworks
11. Various types of audits & methods for assessing and placing reliance on the work of other auditors or control entities
Important concepts from exam point of view:
1. Audit Charter:
The audit charter outlines the overall authority, scope and responsibilities of the audit function.
The audit charter should be approved by the audit committee or senior management, i.e. the highest level of management available.
The internal audit function must be independent of the management whose activities it audits.
Points to remember:
When a CISA question asks who approves the audit charter, choose the most senior level of management among the options given.
The IS auditor's role is to report audit observations and give an "independent audit opinion", not to take management decisions on behalf of the auditee.
https://www.infosectrain.com/courses/cisa-certification-training/
2. Audit planning:
Step 1 - Understand the business mission, vision, objectives and processes,
including the information requirements under the CIA triad (confidentiality,
integrity and availability of data)
Step 2 - Understand the business environment
Step 3 - Review prior work papers
Step 4 - Perform risk analysis
Step 5 - Set the audit scope and objectives
Step 6 - Develop the audit plan/strategy
Step 7 - Assign audit personnel/resources
Point to remember: The first step in audit planning is always understanding
the business mission, objectives and business environment, then analyzing
the risk involved within the audit scope.
Audit planning includes:
1. Short-term planning - considers the audit issues that will be covered
during the year
2. Long-term planning - audit plans that take into account risk-related
issues regarding changes in the organization's IT strategic direction that
will affect the organization's IT environment
3. Risk analysis:
Risk is a combination of the probability of an event and its consequence
(International Organization for Standardization [ISO] 31000:2009)
Risk analysis is part of audit planning; it helps identify risks and
vulnerabilities so the IS auditor can determine the controls needed to
mitigate those risks.
Point to remember: A CISA candidate should be able to differentiate between
a threat and a vulnerability. A threat is anything that can exploit a
vulnerability, intentionally or accidentally, and obtain, damage or destroy
an asset. A vulnerability is a weakness or gap in a security program that can
be exploited by threats to gain unauthorized access to an asset.
Risk analysis draws on risk management frameworks such as ISO 27005 and
ISO 31000.
Risk assessment process - the process starts with identifying the risk
sources and events, then identifying the vulnerabilities associated with
those sources, and then analyzing the probability of occurrence and the
impact.
Risk management process - it begins with identifying the business objectives
and the information assets associated with the business, assessing the risk,
deciding how to treat the risk (avoid, transfer, mitigate/reduce or accept)
and implementing controls to mitigate the risk.
Point to remember:
A CISA candidate should be aware of the difference between risk assessment
and risk management. Risk assessment is the process of finding where the
risk exists; risk management is the subsequent step that acts on the results
of the risk assessment.
Risk can be mitigated/reduced through the implementation of controls,
third-party insurance, etc.
4. Internal Controls:
Internal controls are normally composed of policies, procedures, practices
and organizational structures which are implemented to reduce risks to the
organization.
The board of directors is responsible for establishing an effective internal
control system.
Point to remember: When a CISA question is on the responsibility for internal
controls, the answer should be the senior-most management (board of
directors, CEO, CIO, CISO, etc.), based on the options available.
Classification of internal controls:
a. Preventive controls
b. Detective controls
c. Corrective controls
Point to remember: CISA question will be scenario based, where the
candidate should have a thorough understanding of all the three controls
and able to differentiate between preventive, detective and corrective
controls
Preventive controls: internal controls deployed to prevent the occurrence of
an event that might affect the achievement of organizational objectives.
Some examples of preventive control activities are:
Employee background checks
Employee training and required certifications
Password-protected access to asset storage areas
Physical locks on inventory warehouses
Security camera systems
Segregation of duties (i.e. recording, authorization and custody all handled
by separate individuals)
Detective controls: seek to identify when preventive controls were not
effective in preventing errors and irregularities, particularly in relation
to the safeguarding of assets. Some examples of detective control activities
are:
Bank reconciliations
Control totals
Physical inventory counts
Reconciliation of the general ledger to the detailed subsidiary ledgers
Internal audit functions
Corrective controls: when detective control activities identify an error or
irregularity, corrective control activities determine what could or should
be done to fix it, and ideally put a new mechanism in place to prevent it the
next time around. Some examples of corrective control activities are:
Data backups, which can be used to restore lost data in case of a fire or
other disaster
Data validity tests, which can require users to confirm data inputs if
amounts are outside a reasonable range
Insurance, which can be utilized to help replace damaged or stolen assets
Management variance reports, which can highlight variances from budget to
actual for management corrective action
Training and operations manuals, which can be revised to prevent future
errors and irregularities
5. COBIT 5:
Developed by ISACA.
A comprehensive framework that assists enterprises in achieving their
objectives for the governance and management of enterprise IT (GEIT).
COBIT 5 is based on 5 principles and 7 enablers.
5 Principles:
1. Meeting Stakeholder Needs
2. Covering the Enterprise End-to-End
3. Applying a Single, Integrated Framework
4. Enabling a Holistic Approach
5. Separating Governance from Management
7 Enablers:
1. Principles, Policies and Frameworks
2. Processes
3. Organizational Structures
4. Culture, Ethics and Behaviour
5. Information
6. Services, Infrastructure and Applications
7. People, Skills and Competencies
(Note: A CISA candidate will not be asked to specifically identify the COBIT
processes, the COBIT domains or the set of IT processes defined in each.
However, candidates should know what frameworks are, what they do and why
they are used by enterprises.)
6. Risk based auditing
Audit risk - the risk that information may contain a material error that
goes undetected during the course of the audit.
The audit approach should be as follows:
Step 1 - Gather available information and plan, through review of the prior
year's audit results, recent financial information and inherent risk
assessments
Step 2 - Obtain an understanding of the existing internal controls by
analyzing control procedures and performing a detection risk assessment
Step 3 - Perform compliance testing by identifying the key controls to be
tested
Step 4 - Perform substantive testing through tests of account balances and
analytical procedures
Step 5 - Conclude the audit with an audit report containing an independent
audit opinion
Factors which influence audit risk:
a. Inherent risk - the risk that an activity would pose if no controls or
other mitigating factors were in place
b. Control risk - the risk that a material error exists that would not be
prevented or detected on a timely basis by the system of internal control
c. Detection risk - the risk that material errors or misstatements that have
occurred will not be detected by the IS auditor
d. Residual risk - the risk that remains after controls are taken into
account
Point to remember: A CISA candidate should know the differences
between preventive, detective and corrective controls. An example of
a question in the exam would be: Which of the following controls
would BEST detect
7. Risk Treatment
Risks identified in the risk assessment need to be treated.
Possible risk response options include:
Risk mitigation - applying appropriate controls to reduce the risk
Risk acceptance - knowingly and objectively not taking action, providing the
risk clearly satisfies the organization's policy and criteria for risk
acceptance
Risk avoidance - avoiding the risk by not allowing actions that would cause
the risk to occur
Risk transfer/sharing - transferring the associated risk to other parties
(e.g., insurers or suppliers)
8. Compliance testing vs. substantive testing
Compliance testing determines whether controls are operating in compliance
with management policies and procedures. Examples:
User access rights
Program change control procedures
Review of logs
Software license audit
Substantive testing gathers evidence to evaluate the integrity of individual
transactions, data or other information. Examples:
Performance of a complex calculation on a sample basis
Testing of account balances
Point to remember:
CISA questions will be scenario based and the candidate should be able to
differentiate between substantive testing and compliance testing.
Statistical sampling is to be used when the probability of error must be
objectively quantified (i.e. no subjectivity is involved). Statistical
sampling is an objective method of sampling in which each item in the
population has a known (typically equal) chance of selection.
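The difference between the two kinds of test is easiest to see in code. The following Python is an added example, not part of the original study material or of any ISACA publication; the approved-access register, the live account extract and the ledger figures are constructed for illustration. The compliance test asks whether the access-provisioning and segregation-of-duties controls operated as designed (every active account traces to an approved request with the same role, and nobody holds both a recording and an authorization role); the substantive test ignores the controls altogether and recomputes the account balances from transaction detail.

```python
"""Compliance test vs. substantive test over constructed audit data.

All data below is constructed for the example (no real system or ledger).
"""
from collections import defaultdict

# Approved access register: what management authorized (ticket + single role).
APPROVED_ACCESS = {
    "alice": {"role": "AP_CLERK", "ticket": "CHG-0101"},
    "bob": {"role": "AP_APPROVER", "ticket": "CHG-0102"},
    "carol": {"role": "GL_READONLY", "ticket": "CHG-0103"},
    "dave": {"role": "AP_CLERK", "ticket": "CHG-0104"},
}

# Live account extract from the application (constructed).
SYSTEM_ACCOUNTS = [
    {"user": "alice", "roles": ["AP_CLERK"], "status": "active"},
    {"user": "bob", "roles": ["AP_APPROVER"], "status": "active"},
    {"user": "carol", "roles": ["GL_READONLY", "GL_POST"], "status": "active"},  # role drift
    {"user": "dave", "roles": ["AP_CLERK", "AP_APPROVER"], "status": "active"},  # SoD conflict
    {"user": "erin", "roles": ["AP_CLERK"], "status": "active"},                  # never approved
]

# Role pairs one person must never hold together (recording vs. authorization).
SOD_CONFLICTS = {("AP_CLERK", "AP_APPROVER")}

# General ledger detail (constructed): (account, debit, credit).
GL_DETAIL = [
    ("2000-AP", 0.00, 1200.00),
    ("2000-AP", 300.00, 0.00),
    ("2000-AP", 0.00, 450.50),
    ("1100-AR", 980.00, 0.00),
    ("1100-AR", 0.00, 130.00),
]

# Balances reported by the subsidiary ledgers (constructed; AR is misstated).
REPORTED_BALANCES = {"2000-AP": -1350.50, "1100-AR": 900.00}


def compliance_test_access(approved, accounts, sod_conflicts):
    """Compliance test: did the access-provisioning control operate?

    It tests the control, not the data. Every active account must trace to an
    approved request carrying the same role, and no account may combine roles
    listed in sod_conflicts. Returns a list of exception strings; an empty list
    means the control operated for every account sampled.
    """
    exceptions = []
    for acct in accounts:
        if acct["status"] != "active":
            continue
        user, roles = acct["user"], set(acct["roles"])
        approval = approved.get(user)
        if approval is None:
            exceptions.append(f"{user}: active account with no approved access request")
        elif roles != {approval["role"]}:
            extra = sorted(roles - {approval["role"]})
            exceptions.append(f"{user}: roles {extra} not covered by {approval['ticket']}")
        for a, b in sod_conflicts:
            if a in roles and b in roles:
                exceptions.append(f"{user}: segregation-of-duties conflict {a}/{b}")
    return exceptions


def substantive_test_balances(gl_detail, reported, tolerance=0.01):
    """Substantive test: is the reported balance itself correct?

    Recomputes each balance from transaction detail (debits positive, credits
    negative, the sign convention assumed here) and compares it with the
    subsidiary-ledger figure. Returns {account: (recomputed, reported, diff)}
    for every account that is misstated beyond the tolerance.
    """
    recomputed = defaultdict(float)
    for account, debit, credit in gl_detail:
        recomputed[account] += debit - credit
    misstatements = {}
    for account, book in reported.items():
        calc = round(recomputed.get(account, 0.0), 2)
        diff = round(calc - book, 2)
        if abs(diff) > tolerance:
            misstatements[account] = (calc, book, diff)
    return misstatements


if __name__ == "__main__":
    for line in compliance_test_access(APPROVED_ACCESS, SYSTEM_ACCOUNTS, SOD_CONFLICTS):
        print("compliance exception:", line)
    for acct, detail in substantive_test_balances(GL_DETAIL, REPORTED_BALANCES).items():
        print("misstatement:", acct, detail)
```

Note that the two tests answer different questions: the compliance test would pass on a ledger full of wrong numbers as long as every account was properly approved, and the substantive test would pass on a correct ledger maintained by unapproved users. That is why an auditor who finds compliance exceptions usually extends substantive testing rather than relying on the control.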
Point to remember: A CISA candidate, given an audit scenario, should be able
to determine which type of evidence gathering technique would be best.
9. Audit Evidence
Audit evidence is any information used by the IS auditor to determine whether
the entity or data being audited follows the established criteria or
objectives, and which supports the audit conclusions.
Techniques for gathering evidence:
Review IS organization structures
Review IS policies and procedures
Review IS standards
Review IS documentation
Interview appropriate personnel
Observe processes and employee performance
Walkthrough
10. Audit Sampling
A sample is the subset of population members used to perform testing.
Two approaches to sampling:
a. Statistical sampling - uses the mathematical laws of probability to
determine the sample size and select the items
b. Non-statistical sampling - uses auditor judgment to determine the
sampling method and sample size
Methods of sampling:
a. Attribute sampling - applied in compliance testing situations; deals with
the presence or absence of an attribute and provides conclusions expressed
as rates of incidence. Involves three types:
Attribute sampling (fixed sample size) - selecting a sample of transactions
and drawing conclusions about how their characteristics represent the full
population from which the selected items were drawn
Stop-or-go sampling - helps prevent excessive sampling of an attribute by
allowing an audit test to be stopped at the earliest possible moment. It is
mostly used when the auditor believes that relatively few errors will be
found in the population
Discovery sampling - mostly used when the objective of the audit is to
discover fraud; the sample is sized so that even a single occurrence is
likely to be found
b. Variable sampling - applied in substantive testing situations; deals with
population characteristics that vary, such as monetary values, weights or
any other measurement, and provides conclusions related to deviations from
the norm. Involves three types:
Stratified mean per unit - a statistical model in which the population is
divided into groups (strata) and samples are drawn from each group
Unstratified mean per unit - a statistical model in which the sample mean
(average) is calculated and projected as an estimated total
Difference estimation - a statistical model used to estimate the total
difference between audited values and unaudited (book) values, based on the
differences obtained from sample observations
c. Important statistical terms:
Confidence coefficient (CC) - a percentage expression of the probability that
the characteristics of the sample are a true representation of the
population. The stronger the internal controls, the lower the confidence
coefficient the auditor may use.
Level of risk - equal to one minus the confidence coefficient (if the
confidence coefficient is 95%, the level of risk is 100 - 95 = 5%)
Expected error rate - an estimate, stated as a percentage, of the error that
may exist. The greater the expected error rate, the greater the sample size.
Point to remember: The IS auditor should be familiar with the different
types of sampling techniques and when it is appropriate to use each of
them
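To make the sampling terms above concrete, here is an added Python example; it is not from the original study material or from ISACA. The formulas are the standard ones (the normal approximation for the attribute sample size, the exact binomial upper error limit used for stop-or-go sampling, and ln(1 - C) / ln(1 - p) for discovery sampling), and the invoice population is constructed. It shows that the sample size grows with the expected error rate and shrinks with a lower confidence coefficient, that stop-or-go sampling stops early when no errors turn up, and how the three variable-sampling models project a sample onto the population.

```python
"""Audit sampling arithmetic: attribute, discovery, stop-or-go and variable
sampling. Added example; formulas are the standard ones, data is constructed."""
import math
import random
from statistics import NormalDist, mean


def z_for_confidence(confidence_coefficient):
    """Two-sided z for a confidence coefficient: 0.95 -> 1.96, 0.90 -> 1.645."""
    return NormalDist().inv_cdf(1 - (1 - confidence_coefficient) / 2)


def attribute_sample_size(expected_error_rate, precision, confidence_coefficient):
    """Normal-approximation sample size for attribute (compliance) sampling;
    precision is the tolerable half-width around the estimated rate. n grows
    with the expected error rate (up to 50%) and with the confidence."""
    z = z_for_confidence(confidence_coefficient)
    p = expected_error_rate
    return math.ceil(z * z * p * (1 - p) / (precision * precision))


def discovery_sample_size(critical_error_rate, confidence_coefficient):
    """Smallest n that finds at least one occurrence with probability >= C
    when the true rate is at least critical_error_rate (fraud search)."""
    return math.ceil(math.log(1 - confidence_coefficient)
                     / math.log(1 - critical_error_rate))


def _binom_cdf(k, n, p):
    return sum(math.comb(n, i) * p ** i * (1 - p) ** (n - i) for i in range(k + 1))


def upper_error_limit(errors, sample_size, confidence_coefficient):
    """Exact binomial upper limit on the population error rate: the smallest p
    with P(X <= errors | n, p) <= 1 - C, found by bisection."""
    alpha = 1 - confidence_coefficient
    lo, hi = 0.0, 1.0
    for _ in range(60):
        mid = (lo + hi) / 2
        if _binom_cdf(errors, sample_size, mid) > alpha:
            lo = mid
        else:
            hi = mid
    return hi


def stop_or_go(error_flags, tolerable_rate, confidence_coefficient, stage_size=20):
    """Sequential attribute sampling: examine error_flags (the population in
    randomised draw order) in stages and stop as soon as the upper error limit
    is within the tolerable rate. Returns (examined, errors, limit, ok)."""
    examined = errors = 0
    limit = 1.0
    while examined < len(error_flags):
        stage = error_flags[examined:examined + stage_size]
        examined += len(stage)
        errors += sum(1 for flag in stage if flag)
        limit = upper_error_limit(errors, examined, confidence_coefficient)
        if limit <= tolerable_rate:
            return examined, errors, limit, True
    return examined, errors, limit, False


def mean_per_unit_estimate(sample_audited, population_size):
    """Unstratified mean per unit: project the sample mean over the population."""
    return population_size * mean(sample_audited)


def stratified_mean_per_unit(strata):
    """strata = [(stratum_size, sample_audited_values), ...]; sum of stratum MPUs."""
    return sum(n_h * mean(values) for n_h, values in strata)


def difference_estimate(sample_book, sample_audited, population_size, book_total):
    """Project the mean (book - audited) difference over the population and
    adjust the recorded total. Returns (projected_difference, estimated_total)."""
    diffs = [b - a for b, a in zip(sample_book, sample_audited)]
    projected = population_size * mean(diffs)
    return projected, book_total - projected


if __name__ == "__main__":
    C = 0.95
    print("attribute n at ERR 2% / 5%:", attribute_sample_size(0.02, 0.03, C),
          attribute_sample_size(0.05, 0.03, C))
    print("discovery n for a 1% critical rate:", discovery_sample_size(0.01, C))
    # Constructed population: 1,000 invoices, every 50th overstated by 10%.
    N = 1000
    book = [100 + (i * 37) % 4900 for i in range(N)]
    audited = [round(v * 0.9, 2) if i % 50 == 0 else v for i, v in enumerate(book)]
    random.seed(42)
    idx = random.sample(range(N), 100)
    s_book, s_aud = [book[i] for i in idx], [audited[i] for i in idx]
    print("stop-or-go:", stop_or_go([a != b for a, b in zip(s_aud, s_book)], 0.05, C))
    print("unstratified MPU:", round(mean_per_unit_estimate(s_aud, N), 2))
    print("difference estimate:", difference_estimate(s_book, s_aud, N, sum(book)))
    print("true audited total:", round(sum(audited), 2))
```

Two details worth noticing when you run it. With zero errors found, the upper error limit after 59 or 60 items is just under 5% at 95% confidence, which is why stop-or-go tests of a "few errors expected" control so often stop at about 60 items. And difference estimation only projects well when the sample picks up errors in roughly their population proportion; a sample that happens to contain none projects a zero difference, which is exactly the case discovery sampling is sized to avoid.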
11. Control Self-assessment (CSA)
a. What is CSA?
An assessment of controls made by the staff and management of the unit or
units involved
A management technique that assures stakeholders, customers and other
parties that the internal control system of the organization is reliable
Ensures that employees are aware of the risk to the business and that they
conduct periodic, proactive reviews of controls
b. Objectives of CSA
To leverage the internal audit function by shifting some of the control
monitoring responsibilities to the functional areas
Not intended to replace audit's responsibilities but to enhance them
c. Benefits of CSA
Early detection of risk
More effective and improved internal controls
Developing a sense of ownership of the controls in the employees and process
owners, reducing their resistance to control improvement initiatives
Increased communication between operational and top management
Highly motivated employees
d. Disadvantages of CSA
May be mistaken as a replacement for the audit function
May be considered an additional workload
Failure to act on improvement suggestions could damage employee morale
Lack of motivation may limit effectiveness in the detection of weak controls
e. Auditor's role in CSA
The auditor's role in CSAs should be considered enhanced when audit
departments establish a CSA program.
Auditors become internal control professionals and assessment facilitators