
HOW TO PREPARE FOR AND PASS THE CERTIFIED INFORMATION SYSTEMS AUDITOR (CISA) EXAMINATION

Ken Schmidt CISA, CISSP, CIA, CPA
R & M LLC, Consultant
14 March 2017

© 2017 ISACA. All Rights Reserved


WELCOME

• Audio is streamed over your computer
• Dial-in numbers and codes are on the left

To receive your CPE credit:
1. Complete 3 checkpoints
- or -
2. Watch the recorded version from the beginning to the very end

Use the Papers tab to find the following:
• PDF copy of today’s presentation
• CPE job aid

• Have a question for the speaker? Access the Q&A tab
• Technical issues? Access the Help tab
• Questions or suggestions? Visit https://support.isaca.org
• Don’t forget to take the survey!


TODAY’S SPEAKER

Ken Schmidt
R & M Consulting


AGENDA

After completing this session, you will be able to:

• Understand the CISA Exam objectives and content
• Review highlights on how to master the content for the five Domains (chapters)
• Review proven strategies to analyze and understand what the exam writer is looking for
• Learn about ISACA resources available to help prepare for success


WHAT AND WHY CISA?

The premier certification for IT/IS Audit, Control and Security professionals
Sponsored and administered by ISACA
Subject matter will help you find and do your job better
Government requirement for many (US & Global)
CISA has historically been one of the top 5 highest paying certifications


CISA ACCREDITATION

CISA is accredited by The American National Standards Institute (ANSI) under ISO/IEC 17024:2012
Promotes the unique qualifications and expertise ISACA’s certifications provide
Protects the integrity of the certifications and provides legal defensibility
Enhances consumer and public confidence in the certifications and the people who hold them
Facilitates mobility across borders or industries

More than 129,000 professionals have earned the CISA certification since it was introduced in 1978.


HOW DO I BECOME CERTIFIED?

Earn a passing score on the CISA exam
Adhere to the ISACA Code of Professional Ethics
Commit to abide by the CISA Continuing Professional Education Policy
Acquire a minimum of 5 years of professional information systems auditing, control or security work experience. Substitutions and waivers of such experience may be obtained if certain education and general IS or audit experience requirements are met.
Comply with Information Systems Auditing Standards


IS IT EASY TO PASS?

NO!

. . . But it IS NOT impossible!

Historical pass rates hover around 50%, although exact numbers are no longer published
If it was easy, it would not be so valuable
The good news: utilizing ISACA resources and a disciplined preparation program greatly increases the probability of your success!


WHAT DOES THE EXAM CONSIST OF?

150 multiple choice questions, four hour time limit, across 5 domains

Domain 1: The Process of Auditing Information Systems, 21% (32 Q)
Domain 2: Governance and Management of IT, 16% (24 Q)
Domain 3: Information Systems Acquisition, Development and Implementation, 18% (27 Q)
Domain 4: Information Systems Operations, Maintenance and Service Management, 20% (30 Q)
Domain 5: Protection of Information Assets, 25% (38 Q)


WHAT DOES THE EXAM CONSIST OF? (CONTINUED)

Starting in 2017, the CISA exam is offered via Computer-Based Testing (CBT) during 3 testing windows per year
The next opportunity to sit for the exam is the May-June 2017 exam window. Registration for this window is currently open at www.isaca.org/examreg
Further details can be found in the Exam Candidate Information Guide: http://www.isaca.org/certification/pages/candidates-guide-for-exams.aspx


HOW IS THE EXAM SCORED?

Exam is graded on a 200-800 point scale
Scaled score is a conversion of the raw score on an exam to a common scale. It is important to note that the exam score is not based on an arithmetic or percent average.
Passing score is 450
You will receive a preliminary score at the end of the exam.
Official scores will be sent via email within 10 days.


DOES MY PROFESSIONAL BACKGROUND MATTER?

YES!!

Holding other certifications means you have been through this before and know what to expect
A solid IT background helps – else this will be your biggest learning curve
HOWEVER . . . If you have many years of IT experience, this creates other challenges for you: you know too much!
REMEMBER: it is the world according to ISACA, not necessarily “the way we always did things”!


PREPARATION TIMELINES

IT Auditor with substantial experience (more than 5 years):
- Minimum preparation time: 30-60 days

IT Auditor with moderate experience (less than 5 years):
- Minimum preparation time: 90 days
- Emphasis: IT background: auditing; Audit background: technology

No IT audit or IT experience:
- Minimum preparation time: 180 days
- Emphasis: technology, then how to audit


STUDY METHODS

ISACA’s CISA Review Manual

- comprehensive exam reference

- provides all exam-related details

- defines IS auditor roles and responsibilities

- best self-study guide

- complete two readings



STUDY METHODS (CONTINUED)

ISACA’s Question and Answer Online Database
- crucial for practicing test taking strategies and question analysis
- includes detailed explanations of all answers, right & wrong
- a few questions whenever you can; 2-3 hour practice exam


STUDY METHODS (CONTINUED)

Live and online review courses

Offered by:
- preconference CACS workshops (2 days)
  - April 29-30, 2017 – NA CACS in Las Vegas
  - Benefits of attending CACS include:
    - Meet others who have passed the CISA Exam
    - Meet 1000+ other professionals with 10+ average years of experience
    - Get a head start on your CPE requirements


STUDY METHODS (CONTINUED)

Offered by:
- local ISACA chapters (variable length)
  - e.g., Chicago Chapter: 9 classes; every Saturday, 4 hours
- various ISACA affiliates and training companies


RESOURCES

ISACA Exam Candidate Information Guide: http://www.isaca.org/certification/pages/candidates-guide-for-exams.aspx
CISA Self-Assessment: http://www.isaca.org/Certification/CISA-Certified-Information-Systems-Auditor/Prepare-for-the-Exam/Pages/CISA-Self-Assessment.aspx
Information Technology Assurance Framework: http://www.isaca.org/knowledge-center/itaf-is-assurance-audit-/is-audit-and-assurance/pages/objectivesscopeandauthorityofitaudit.aspx
ISACA Bookstore: CISA Exam Resources: https://www.isaca.org/bookstore/Pages/default.aspx?


RESOURCES (CONTINUED)

CISA Glossary Of Terms: https://www.isaca.org/Knowledge-Center/Documents/Glossary/glossary.pdf
CISA Exam Study Community: http://www.isaca.org/Groups/Professional-English/cisa-exam-study-community-2013/Pages/Overview.aspx
CISA Frequently Asked Questions: http://www.isaca.org/certification/cisa-certified-information-systems-auditor/pages/faqs.aspx
ISACA’s free-to-download whitepapers: http://www.isaca.org/Knowledge-Center/Pages/default.aspx


HOW ARE THE QUESTIONS CONSTRUCTED?

ISACA’s CISA Certification Working Group oversees the development of the CISA exam, ensuring that the job practice is properly tested.
The actual questions are developed by volunteers as part of ISACA’s Item Writer Program.
The 150 multiple-choice questions cover the CISA job practice domains.


HOW ARE THE QUESTIONS CONSTRUCTED? (CONTINUED)

The CISA exam is based on a job practice
Topics that candidates are expected to understand are described in a series of task and knowledge statements. Task statements describe the specific tasks the CISA candidate should be able to perform. Knowledge statements are the knowledge areas required in order for the candidate to perform the tasks.
Test questions are specifically designed to validate that the candidate possesses the knowledge to perform a given task.


HOW ARE THE QUESTIONS CONSTRUCTED? (CONTINUED)

Objective exams (all MC) are created using standardized methods, with the resulting questions and answers close to the following

Out of four answer choices:
• One will be obviously wrong
• Closer evaluation will eliminate another answer
• Comes down to two, often subtle differences

This is how your mastery of the body of knowledge is tested!


WHAT IS THE BEST APPROACH FOR ANALYZING AND ANSWERING QUESTIONS?

Test taking is a skill that anyone can become better at with practice
Read the full question
Then read ALL the answers: DO NOT select an answer without first reading all
Re-read the question, noting carefully key words (more on this below)
Now apply various techniques to arrive at the BEST answer (below)


WHAT IS THE BEST APPROACH FOR ANALYZING AND ANSWERING QUESTIONS? (CONTINUED)

Caution: watch out for distractors (irrelevant information)!
Process of elimination: any obviously wrong?
Questions often ask for BEST, MOST, LEAST
- this is like answering several questions: more than one answer may be a good response to the question, but which is the BEST or the MOST important consideration
Best way to master the skill is PRACTICE, PRACTICE, PRACTICE!


PRACTICE QUESTION 1

Which of the following is the MOST important skill an IS auditor should develop to understand the constraints of conducting an audit?

A. Contingency planning
B. IS management resource allocation
C. Project management
D. Knowledge of internal controls


QUESTION 1 ANSWER

C is the correct answer.

A. Contingency planning is often associated with the organization’s operations. IS auditors should have knowledge of contingency planning techniques, but this is not essential regarding constraints on the conduct of the audit.
B. IS managers are responsible for resource management of their departments. IS auditors do not manage IS resources.
C. Audits often involve resource management, deliverables, scheduling and deadlines similar to project management best practices.
D. Knowledge of internal controls is fundamental to IS auditors. Professional competence is an auditing standard. A lack of understanding of the control environment would be a constraint on the effectiveness of the audit, but is not the most important skill needed by the IS auditor.


PRACTICE QUESTION 2

During an audit, an IS auditor notices that the IT department of a medium-sized organization has no separate risk management function, and the organization’s operational risk documentation only contains a few broadly described types of IT risk. What is the MOST appropriate recommendation in this situation?

A. Create an IT risk management department and establish an IT risk framework with the aid of external risk management experts.
B. Use common industry standard aids to divide the existing risk documentation into several individual types of risk which will be easier to handle.
C. No recommendation is necessary because the current approach is appropriate for a medium-sized organization.
D. Establish regular IT risk management meetings to identify and assess risk, and create a mitigation plan as input to the organization’s risk management.


QUESTION 2 ANSWER

D is the correct answer.

A. A medium-sized organization would normally not have a separate IT risk management department.
Moreover, the risk is usually manageable enough so that external help would not be needed.

B. While common risk may be covered by industry standards, they cannot address the specific situation
of an organization. Individual types of risk will not be discovered without a detailed assessment from
within the organization. Splitting the one risk position into several is not sufficient to manage IT risk.

C. The auditor should recommend a formal IT risk management effort because the failure to
demonstrate responsible IT risk management may be a liability for the organization.

D. Establishing regular IT risk management meetings is the best way to identify and assess IT-related
risk in a medium-sized organization, to address responsibilities to the respective management and to
keep the risk register and mitigation plans up to date.



PRACTICE QUESTION 3

An IS auditor is evaluating a virtual machine–based (VM-based) architecture used for all programming and testing environments. The production architecture is a three-tier physical architecture. What is the MOST important IT control to test to ensure availability and confidentiality of the web application in production?

A. Server configuration has been hardened appropriately.
B. Allocated physical resources are available.
C. System administrators are trained to use the virtual machine (VM) architecture.
D. The VM server is included in the disaster recovery plan (DRP).


QUESTION 3 ANSWER
A is the correct answer.

A. The most important control to test in this configuration is the server configuration hardening. It is
important to patch known vulnerabilities and to disable all non-required functions before production,
especially when production architecture is different from development and testing architecture.

B. The greatest risk is associated with the difference between the testing and production environments.
Ensuring that physical resources are available is a relatively low risk and easily addressed.

C. Virtual machines (VMs) are often used for optimizing programming and testing infrastructure. In this
scenario, the development environment (VM architecture) is different from the production infrastructure
(physical three-tier). Because the VMs are not related to the web application in production, there is no
real requirement for the system administrators to be familiar with a virtual environment.

D. Because the VMs are only used in a development environment and not in production, it may not be
necessary to include VMs in the disaster recovery plan (DRP).



PRACTICE QUESTION 4

A database administrator has detected a performance problem with some tables, which could be solved through denormalization. This situation will increase the risk of:

A. concurrent access.
B. deadlocks.
C. unauthorized access to data.
D. a loss of data integrity.


QUESTION 4 ANSWER

D is the correct answer.

A. Denormalization will have no effect on concurrent access to data in a database; concurrent access is resolved through locking.
B. Deadlocks are a result of locking of records. This is not related to normalization.
C. Access to data is controlled by defining user rights to information and is not affected by denormalization.
D. Normalization is the removal of redundant data elements from the database structure. Disabling normalization in relational databases will create redundancy and a risk of not maintaining consistency of data, with the consequent loss of data integrity.


PRACTICE QUESTION 5
Which of the following user profiles should be of MOST concern to an IS auditor when
performing an audit of an electronic funds transfer (EFT) system?

A. Three users with the ability to capture and verify their own messages

B. Five users with the ability to capture and send their own messages

C. Five users with the ability to verify other users and to send their own messages

D. Three users with the ability to capture and verify the messages of other users and to
send their own messages



QUESTION 5 ANSWER

A is the correct answer.

A. The ability of one individual to capture and verify their own messages represents an
inadequate segregation because messages can be taken as correct and as if they had
already been verified. The verification of messages should not be allowed by the person
who sent the message.

B. Users may have the ability to send messages but should not be able to verify their own
messages.

C. This is an example of separation of duties. A person can send their own message but
only verify the messages of other users.

D. The ability to capture and verify the messages of others but only send their own
messages is acceptable.

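Added example, not part of the webinar deck: a small Python check that applies the segregation-of-duties rule behind Question 5 (nobody verifies their own EFT messages) first as an entitlement review and then as a detective check over transaction records. The entitlement names, user names and transaction records are constructed for illustration and do not correspond to any real EFT product.

```python
"""Segregation-of-duties checks for EFT user profiles (added example)."""
from dataclasses import dataclass, field

# Entitlement names are assumed for this example; they mirror the
# capabilities in the practice question: capture a message, send it,
# verify one's own messages, verify other users' messages.
CAPTURE = "capture"
SEND = "send"
VERIFY_OWN = "verify_own"
VERIFY_OTHERS = "verify_others"

# A conflict exists when one identity can both originate a message
# (capture or send) and approve its own work (verify_own). Verifying
# other users' messages is the acceptable pattern (choices C and D).
ORIGINATE = {CAPTURE, SEND}


@dataclass
class UserProfile:
    user: str
    entitlements: set = field(default_factory=set)


def sod_conflicts(profile):
    """Return the originating entitlements that conflict with self-verification."""
    if VERIFY_OWN not in profile.entitlements:
        return []
    return sorted(profile.entitlements & ORIGINATE)


def audit_profiles(profiles):
    """Preventive check: {user: conflicts} for every profile violating SoD."""
    return {p.user: sod_conflicts(p) for p in profiles if sod_conflicts(p)}


def self_verified(transactions):
    """Detective check: ids of records verified by the user who captured them."""
    return [t["id"] for t in transactions if t["captured_by"] == t["verified_by"]]


# Constructed sample: one representative user per answer choice in Question 5.
SAMPLE_PROFILES = [
    UserProfile("choice_A_user", {CAPTURE, VERIFY_OWN}),
    UserProfile("choice_B_user", {CAPTURE, SEND}),
    UserProfile("choice_C_user", {VERIFY_OTHERS, SEND}),
    UserProfile("choice_D_user", {CAPTURE, VERIFY_OTHERS, SEND}),
]

# Constructed sample transaction log; T1002 was verified by its own capturer.
SAMPLE_TX = [
    {"id": "T1001", "captured_by": "alice", "verified_by": "bob"},
    {"id": "T1002", "captured_by": "carol", "verified_by": "carol"},
    {"id": "T1003", "captured_by": "bob", "verified_by": "alice"},
]

if __name__ == "__main__":
    for user, conflicts in audit_profiles(SAMPLE_PROFILES).items():
        print(f"{user}: can {', '.join(conflicts)} and verify own messages")
    print("self-verified transactions:", self_verified(SAMPLE_TX))
```

Only the choice A profile is flagged, matching the answer key; the transaction check catches the same failure after the fact when the entitlement review has been bypassed.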


EXAM LOGISTICS: CAN I DO THIS??

Week before the Exam:
• Take time off work if possible for final review of materials and more practice questions – CAN NEVER SPEND TOO MUCH TIME ON THIS!
• Goal is to score consistently in 80-90 percentile across all Domains
• DO NOT cram or stay up late night before the Exam – get a good night’s sleep


EXAM LOGISTICS: CAN I DO THIS?? (CONTINUED)

Day of the Exam:

• Eat a good breakfast

• Allow yourself enough travel time to get to the site

• Stay calm & focused

• Manage your time



Questions?



THIS TRAINING CONTENT (“CONTENT”) IS PROVIDED TO YOU WITHOUT WARRANTY, “AS IS” AND “WITH ALL FAULTS.” ISACA MAKES NO REPRESENTATIONS OR WARRANTIES EXPRESS OR IMPLIED, INCLUDING THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR PERFORMANCE, AND NON-INFRINGEMENT, ALL OF WHICH ARE HEREBY EXPRESSLY DISCLAIMED.

YOU ASSUME THE ENTIRE RISK FOR USE OF THE CONTENT AND ACKNOWLEDGE THAT: ISACA HAS DESIGNED THE CONTENT PRIMARILY AS AN EDUCATIONAL RESOURCE FOR IT PROFESSIONALS AND THEREFORE THE CONTENT SHOULD NOT BE DEEMED EITHER TO SET FORTH ALL APPROPRIATE PROCEDURES, TESTS, OR CONTROLS OR TO SUGGEST THAT OTHER PROCEDURES, TESTS, OR CONTROLS THAT ARE NOT INCLUDED MAY NOT BE APPROPRIATE; ISACA DOES NOT CLAIM THAT USE OF THE CONTENT WILL ASSURE A SUCCESSFUL OUTCOME AND YOU ARE RESPONSIBLE FOR APPLYING PROFESSIONAL JUDGMENT TO THE SPECIFIC CIRCUMSTANCES PRESENTED TO DETERMINE THE APPROPRIATE PROCEDURES, TESTS, OR CONTROLS.

Copyright © 2017 by the Information Systems Audit and Control Association, Inc. (ISACA). All rights reserved. This webinar may not be used, copied, reproduced, modified, distributed, displayed, stored in a retrieval system, or transmitted in any form by any means (electronic, mechanical, photocopying, recording or otherwise).


THANK YOU
FOR ATTENDING THIS
WEBINAR
