Course Objectives
To:
- Briefly recap some of the key information needed
- Help you to draw on your underlying experience
- Practice your exam technique
- Be highly interactive and hopefully just a bit FUN!!!!
- Unit 19 - Chapter 6 questions
- Unit 20 - Group Quiz - Jeopardy
- Unit 21 - Chapter 7 recap
- Unit 22 - CISA Chapter 7 questions
- Unit 23 - End of day mini CISA test
- Unit 26 - Team Quiz
- Unit 27 - General Q & A...
- Unit 28 - Exam arrangements for Saturday
Please follow the review manual during the course.
This process takes 10 weeks (including notification by post), and remarking can be requested
Page 464
All of the above are contained within your CISA review manual, which should be thought of as a set of checklists.
- Chapter 2 - Management Planning and Organization of IS
  - strategies to achieve business objectives
  - policies and procedures
  - IS management practices
  - organisational structures
- Chapter 3 - Technical Infrastructure and Operational Practices
  - hardware platforms
  - software platforms
  - telecommunications
  - operations
- Chapter 4 - Protection of Information Assets
- Chapter 5 - Disaster Recovery and Business Continuity
  - backup and recovery
  - disaster recovery
  - business continuity

Question weightings across the seven chapters (200 questions in total): 10% (20 questions), 15% (30), 16% (32), 11% (22), 10% (20), 13% (26), 25% (50).
Chapter 1 Overview
Performing An IS Audit
- Risk Analysis
- Controls
- Audit Program Development
- Audit Resource Scheduling
- Evidence Gathering Techniques
- Evaluation of Evidence
- Audit Reports
- Management Actions
- Continuous Audit
- Control Self Assessment
The IS Audit Process
ISACA
- Standards for Information Systems Auditing
- Information Systems Auditing Guidelines
- Code of Professional Ethics
- Standards for Information Systems Control Professionals
- Statements on Information Systems Auditing Standards (now replaced by the IS Auditing Guidelines)
- 020 Independence: professional and organisational
- 040 Competence: skills and knowledge, continuing professional education
IS Auditing Guidelines
- Audit charter
- Audit documentation
- Audit considerations for irregularities
- Audit evidence requirements
- Audit sampling
- Corporate governance of information systems
- Due professional care
- Effect of involvement in the development, acquisition, implementation or maintenance process on the IS auditor's independence
IS Auditing Guidelines
- Effect of pervasive IS controls
- Materiality concepts for auditing information systems
- Organisational relationship and independence
- Outsourcing of IS activities to other organisations
- Planning the IS audit
- Report content and form
- Use of CAATs
- Use of risk assessment in audit planning
- Using the work of other auditors and experts
Control risk
The risk of a material error which will not be prevented or detected by controls.
Detection risk
The risk that an IS auditor uses inadequate procedures and concludes that material errors do not exist when in fact they do.
Use of CAATs, including:
- test data generators
- expert systems
- system utilities
- integrated test facilities
- specialised audit software (ACL)
- SCARF
Evaluation Of Evidence
Factors to consider:
- compensating and overlapping controls
- interrelationship (i.e. dependency) of controls
- sufficient, reliable and relevant evidence
- impact of any weaknesses (including materiality)
Chapter 2 Overview
Information Systems Strategies
Organisational Structures
- Management Structures
- Line Management
- Project Management
- Job Descriptions/Charts
- Segregation of Duties
- Compensating Controls
- IPF Duties
- Sources of Evidence
- Strategic Planning
- IS Planning/Steering Committees
- User Pay Schemes
Strategic IS Planning
Four key activities are:
- Long term organisational planning
- Long term IS planning
- Short term IS planning
- On-going review of IS plans
Steering Committees
Key functions include:
- Review of short and long range IS plans
- Review and approval of major hardware and software acquisitions
- Approval and monitoring of major projects
- Review of IS budgets and expenditure
- Review of adequacy of resources
- Deciding on centralisation and decentralisation
Outsourcing
There are three key areas to consider:
Advantages
- greater IS expertise
- potential cost savings
- faster implementation of systems
Disadvantages
- increased cost
- loss of control
- vendor failure
Audit/security concerns
- audit rights
- integrity, confidentiality and availability
- loss of control to vendor
- performance management
Management Principles
- People management
- Management of change
- Focus on good processes
- Security
- Handling 3rd parties
Measuring Efficiency/Effectiveness
IS effectiveness and efficiency can be measured by using:
- IS budgets
- User satisfaction surveys
- Industry standards/benchmarking
- Goal accomplishment
- Comparison with ISO 9000 quality standards
- Capability maturity model (p. 76)

- Management sponsorship/responsibility
- Use of a quality system
- Internal quality audits
- Corrective and preventative action (feedback)
Should segregate/separate key classes of duties:
- Transaction authorisation
- Reconciliation/review
- Custody of assets
Compensating Controls
To address poor segregation of duties, consider:
- Audit trails (trace the actions taken)
- Transaction logs (trace the transaction)
- Reconciliations
- Independent review
Review Of Terms
Are there any terms which are not really clear? Most terms are technology related, and knowing these is a key requirement for passing this exam.
Chapter 3 Overview
Information Systems Operational Practices
- Management of Operations
- Operations Practices
- Controlling Input/Output
- Lights Out Operations
- Scheduling
- Monitoring Use of Resources
- Problem Management
- Program Change Control
- Librarian Function
- Quality Assurance
- Service Levels
- Technical Support
- Physical Security
Information Systems Software Platform
- Technology Architecture
- Software Selection Process
- Implementation and Change Control Procedures
- Configuration Parameters
Page 101
Hardware Architectures
Three main classes:
- Large (e.g. mainframe)
- Medium (e.g. mini-computer)
- Small (e.g. microcomputer/PC, notebook/laptop, PDA)
Main distinguishing features are:
- Addressable memory capacity
- Amount of on-line storage
- Number of users supported simultaneously
Page 105
The need to consider all these areas depends partly on the type of hardware being purchased.
Capacity Management
Factors to consider when planning hardware support for future expansion:
- Existing CPU utilisation
- Computer storage utilisation
- Telecommunications and wide area network traffic
- Terminal and I/O channel utilisation
- Number of users
- New technologies due to be implemented
- New applications due to be implemented
- Existing and future service level agreements
Page 109
Operating Systems
Key features are:
- It brings together the users, applications software and the systems
- Manages computer resources and processing
- Often includes facilities to assist in operating the computer and the development of applications
Page 110
Doing all of the above at the operating system, database, and application program levels.
Common applications:
- EFT
- Office information systems
- Customer/supplier links such as EDI
- Electronic messaging (including the Internet)
Page 113
DBMS
Systems software that organises, controls and uses data. Uses data dictionaries. Structured in one of three ways:
- Hierarchical
- Network
- Relational
Each structure has a number of advantages and disadvantages, with relational generally being the structure of choice for most applications.
Page 114
- Update
- Reporting - listing additions, deletions and modifications for management and auditor review
- Interface - with the operating system, job scheduling, access control and online program management systems
Page 118
Various advantages:
- Job setup only performed once
- Job dependencies defined
- Records all job successes and failures
- Reduces reliance on operators
Page 119
Utility programs
Systems software which performs maintenance or specialised functions frequently required during operations. Can be related to:
- Understanding application systems, e.g. flow charter
- Assessing data quality, e.g. dump
- Testing programs, e.g. online debugging facilitators
- Assisting in program development, e.g. code generator
- Improving operational efficiency, e.g. monitors
Page 119
Telecoms Terminology/Devices
- Terminals
- Modems
- Multiplexors/concentrators
- Switching types: line/circuit, message, packet
- Front end communication processors
- Cluster controllers
- Protocol converters
- Spools and buffers
Network components
- Repeaters
- Hubs
- Bridges
- Switches
- Routers
- Brouters
- Gateways
- Multiplexors
Page 130
Transmission Media
- Twisted pair
- Coaxial
- Fiber optic
- Radio
- Microwave
- Satellite
- Wireless
- Bluetooth
Page 132
Networking
Architectures:
- Bus (linked to one cable)
- Ring (formed in a circle)
- Star (all linked to a main hub)
- Completely connected (mesh) (direct link between all)
The 7 layer OSI model was used to create interoperability between manufacturers' products. The layers are:
- Application layer (validation and transaction security)
- Presentation layer (format, encryption and transformation)
- Session layer (start, manage and stop sessions)
- Transport layer (flow control and end-to-end error recovery)
- Network layer (packet management, routing and switching)
- Data link layer (node to node control and error handling)
- Physical layer (transmission of bits)
The Internet
Consists of a worldwide network exchanging information using common protocols such as TCP and IP. Provides a range of services including:
- World Wide Web (supported by HTML and HTTP)
- FTP (anonymous or otherwise)
- RealAudio
Key Internet control issues are:
- Transaction security (such as SSL)
- Entry security (such as firewalls)
- Viruses (macro, Java or browser based)
Page 126
Client/Server Points
- Allows data and business logic to be distributed to where it best suits the application
- Typically this means data on the server(s) and application logic on the client
(it is important to understand 2 and 3-tier architectures)
Page 145
Middleware
Commonly used for:
- Transaction processing (TP) monitors
- Remote procedure calls (RPC)
- Object request broker (ORB) technology
- Messaging servers
Page 146
Middleware
Middleware is the client/server glue that holds these types of applications together. It is located physically on both the client and the server, and it facilitates network connection and communication.
Key risks are:
- Provides another avenue of access to control
- Multiple versions of software may get out of sync
Key controls are:
- Network security controls (such as passwords & encryption)
- Change control procedure (such as versioning & tracking)
ISO has defined 5 network management tasks:
- Fault management
- Configuration management
- Accounting (resources)
- Performance management
- Security management
Page 147
Instructions
- Come to the front and each take one of the 12 technology lists
- Each person then gets 90 seconds to draw as many of the technology items on the list as possible whilst the others call them out
- The items can be tackled in any order, although no written words are allowed, and no talking!!!
- Points for getting them right, plus points for guessing correctly
IS operations
- Management of IS operations
- Computer operations
- Technical support/helpdesk
- Scheduling
- Controlling input/output of data
- Quality assurance
- Program change control
- Librarian function
- Problem management procedures
- Procedures for monitoring efficient and effective use of resources
- Management of physical and environmental security
Page 149
Computer operations
Key operator tasks include:
- Running and monitoring jobs
- Restarting applications after abnormal termination
- Facilitating backing up of data
- Observing the IPF for unauthorised entry
- Mounting tapes
- Monitoring adherence to job schedules
- Participating in disaster recovery tests
(Note: more and more of these tasks are becoming automated over time.)
Page 149
Key advantages are:
- Cost reduction (less expensive staff)
- Continuous operations (24-7)
- Reduced error rate (no humans involved!!!)
Page 149
Output controls:
- Report distribution procedures
- Access control over print spools and output
Page 150
Management of IS operations
Key functions are resource allocation, and standards and procedures. Also planning, authorising, monitoring, reviewing the operations functions as a whole to ensure consistency with overall business strategies and policies.
Page 151
Service Levels
Normally defined using an SLA. Typical tools used to monitor compliance with an SLA are:
- Abnormal job termination reports
- Operator problem reports
- Output distribution reports
- Console logs
- Operator work schedules
- Help desk tracking databases
Page 151
Scheduling
- This is defining jobs that can be run and the sequence of execution
- Maintenance functions should be performed at off-peak times
- Jobs may be scheduled to run ad hoc when system capacity is spare
- A key function in ensuring IS resources are optimally utilised
Page 153
Problem Management
Key steps are:
- Detection (knowing something has happened)
- Documentation (capturing all relevant details)
- Control (continuing with other tasks)
- Resolution (fixing the problem)
- Reporting (reporting the fix)
Page 153
Librarian Function
Split between on-line and off-line. Typically off-line storage includes:
- Tape vaults
- Company safes (in-house or 3rd party)
Typical controls over off-line storage include:
- Securing physical access
- Ensuring that the library will withstand fire/heat for a minimum of 2 hrs
- Ensuring that the library is separately located from the computer room
- Restricting logical access to key personnel only
- Maintaining a perpetual inventory (including transfer records)
- Having a written transfer/re-use policy
Quality assurance
- Ensure everyone participates in the use of standards, guidelines and procedures
- Maintain the systems development methodology
- Make improvement recommendations in projects
- Establish a change control environment
- Define the testing methodology
- Report issues to management
Page 155
Technical support tends to be second level - key functions are:
- Obtaining detailed knowledge of the OS and in-house apps
- Answering specific technical enquiries
- Managing the installation of vendor/system changes
- Monitoring and maintaining system software
- Maintaining the company's telecommunications network
Page 155
Physical/Environmental Security
Consider the full range of issues:
- Authorisation of entry to the facility
- Authorisation of temporary staff (such as engineers)
- Protection against disaster (for example fire)
- The need to keep equipment cool (air conditioning)
- Securing of external support facilities (for example power)
- The need for regular testing
- The use of emergency shutdown procedures
- The impact of a client/server based environment
Instructions
- Take a question handout and answer sheet from the front, keeping the questions face down
- You will have 15 minutes to answer the questions, after which we'll hand out answer sheets
STOP!!!!
- Take an answer sheet and start marking
- Are there any questions you want to go over?
Chapter 4 Overview
Network Infrastructure Security
- LAN Security
- Client Server Security
- Internet Threats and Security
- Encryption
- Firewall Security Systems
- Intrusion Detection Systems
Importance of IS Management
- Security Policies
Logical Access
Auditing Network Infrastructure Security
Security Policies
Key components include:
- management support and commitment
- access philosophy (i.e. the ground rules)
- access authorisation (should be written)
- regular reviews of access
- security awareness (through training)
- compliance with legislation
Page 189
Technical Exposures
- Data diddling (changing data before data entry)
- Trojan horse
- Rounding down
- Salami technique (similar to rounding down)
- Viruses
- Worms
- Logic bomb (e.g. year 2000)
- Trap doors
- Asynchronous attack (attacking data waiting to be transmitted)
- Data leakage
- Wire-tapping
- Piggybacking (technical or otherwise)
- Denial of service
- Shut down of the computer (directly or indirectly)
Page 196
Typical perpetrators of violations include:
- Hackers
- Employees
- IS personnel
- Temporary staff
- Vendors and consultants
- The accidental ignorant
- Interested parties (the competition, crackers, phrackers etc.)
Page 201
Software tools include:
- Scanners (signature and heuristic)
- Active monitors
- Integrity CRC checkers
- Behaviour blockers
- Immunisers
Other non-direct controls include:
- written policies and procedures
- system builds done from clean installation disks
- backups taken on a regular basis
Page 214
Effectiveness depends on the number of bits in the key(s). Common cryptosystems are:
- RSA (public)
- DES (private) - no longer considered strong
Page 231
Firewall security
Must enable organisations to:
- block access to particular sites
- prevent users from accessing certain servers or services
- monitor communications between internal/external networks
- eavesdrop and record all communications
- encrypt packets between physical locations
Page 239
Environmental Controls
Again consider the full range:
- Raised floors and water detectors
- Hand-held fire extinguishers
- Manual fire alarms
- Smoke detectors
- Fire suppression systems (dry-pipe, water and Halon, FM-200)
- Fireproofing walls and ceiling
- Electrical surge protectors
- UPSs/generators
- Emergency power-off switches
- Power leads from two substations
- Regular inspection by Fire Department
- Strategically locating the computer room
- Rules on the consumption of food/fluids
- Fire resistant office materials
- Documented and tested emergency evacuation plans
Page 248
Physical Controls
Remember the full range, not just the obvious:
- Door locks (bolting, electronic, cipher or biometric)
- Logging of entry (manual or electronic)
- Photo IDs
- Video cameras
- Security guards
- Escorted visitor access
- Bonded maintenance personnel
- Deadman doors
- Not advertising the location of sensitive facilities
- Computer terminal locks
- Single entry points
- Alarm systems
- Secured report/document distribution carts
Page 254
Chapter 5 Overview
IS Disaster Recovery
- Recovery alternatives
- Off-site facilities
Types of Insurance
- IS equipment and facilities
- Media (i.e. software) reconstruction
- Extra expense
- Business interruption
- Valuable papers and records
- Errors and omissions
- Fidelity coverage
- Media transportation (loss in transit)
Should also take account of:
- Critical recovery time periods
- User and data processing interrelationships (i.e. weakest link)
Telecommunications Continuity
Common forms of continuity include:
- Redundancy of company equipment
- Alternative routing (usually 2)
- Diverse routing (usually 2 or more)
- Long haul network diversity
- Last mile circuit protection
- Voice recovery
The range of test types includes:
- Paper tests (walkthrough with key players)
- Preparedness tests (localised/partial version of the full test)
- Full operational test (the full monty)
Results should be analysed appropriately, with common measurements being:
- Time taken
- Number of records
- Amount of work performed
- Accuracy of work
Frequency and retention per file:
- Master files (synchronisation)
- Transaction files (to recreate master files)
- Real-time files (time stamping, duplicate logging)
- DBMS (integral feature)
- File descriptions
- Licenses
- Object and source code
Chapter 6 Overview
Project Management Practices
- SDLC
- Project Failure Risks
- Overall SDLC Project Controls
Maintenance Practices
- Authorisation Procedures
- System Documentation
- Test Procedures
- Change Approvals
- Program Migration
- Emergency Changes
- Source Code Integrity
- Coding Standards
- Source Code Comparison
- Library Control Software
Risks associated with poor management:
- Does not meet business needs
- Overruns in time and money
- Not delivered at all
Page 314
RFP contents
- Product functionality vs. actual requirements
- Customer references
- Vendor viability/financial stability
- Availability of complete and reliable documentation
- Vendor on-going support
- Source code availability
- Number of years the product has been in existence
- List of recent or planned enhancements (with dates)
- Number of current client sites/client list
- Ability to allow acceptance testing at nominal cost
Page 317
Testing
- Unit testing
- Interface testing
- System testing
- Alpha and beta testing
- Pilot testing
- Whitebox/blackbox testing
- Function/validation testing
- Regression testing
- Parallel testing
- Sociability testing
Page 324
Development methodologies
- Data oriented system development
- Object oriented system development
- Component-based development
- Web-based application development
- Prototyping
- Rapid application development
- Agile development
- Reengineering
- Reverse engineering
- Structured analysis
Page 328
RAD
Technique aimed at producing applications in faster timescales. Uses a number of key techniques to achieve this:
- Small, well-trained development teams
- Evolutionary prototyping
- Integrated power development tools (nearly all GUI)
- A central repository
- Workshops
- Rigid development time frames
Aim is to leverage automation and more powerful hardware to reduce the human effort required.
Page 332
Change control
A key control is the formal authorisation of changes to the live system
(Both prior to being developed and also prior to migration)
However, there should also be some record of the changes, either manually or electronically
(This is especially important where there is poor segregation of duties)
The above applies equally to both operating system and application changes.
Page 335
Controls
- Authorisation procedures - new projects, change control
- User approval before systems go live
- Continuous update of system documentation
- Program migration process
- Emergency changes
- Configuration management
- Library control software
- Source and executable control integrity
- Source code comparison
Page 336
Timebox Management
Page 344
CASE
Defined as the use of automated tools to aid the software development process. Generally divided up into 3 categories:
- Upper (business and application requirements)
- Middle (detail designs)
- Lower (generation of program code and db definitions)
Can be used across a range of platforms and are usually repository based. There can be an element of overlap with 4GLs (especially lower).
Page 344
4GLs
Typical characteristics:
- Non-procedural language (often event driven)
- Environmental independence (portability)
- Powerful software facilities
- Programmer workbench/toolsets concept
- Simple language subsets
Often classified as follows:
- Query and report generators
- Embedded/related database 4GLs
- Application generators
Page 345
Chapter 7 Overview
Business Application Systems
- eCommerce
- EDI
- POS
- AI
- Data warehouse
Application Controls
- Input/Output
- Data validation
- Integrity
IT Governance

IT Governance
- Encompasses IS, technology and communication, business and legal, across all stakeholders
- Governed by generally accepted good/best practice to ensure resources are used effectively and the risks are managed appropriately
- Strategic alignment between IT and enterprise objectives
Batch controls:
- Totals (e.g. dollars, items, documents and hash)
- Batch balancing (batch registers, control accounts and computer agreement)
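The batch balancing control above, worked through as an added example (not code from the review manual or this course): the computer recomputes the item count, document count, dollar total and hash total from the records actually keyed and compares them with the totals recorded in the batch register, so that a dropped, duplicated or altered record is caught before posting. The register totals and records below are constructed sample data; the hash total is taken over the account number field.

```python
"""Batch balancing: register (manual) totals vs. computer-recomputed totals.

The batch register holds the control totals the originating department
worked out by hand. The hash total is the sum of a non-financial field
(here the account number); it has no business meaning and exists only to
detect records that were altered, dropped or duplicated during input.
All data below is constructed for the example.
"""
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Record:
    document_no: str   # source document reference
    account_no: int    # field the hash total is taken over
    amount: Decimal    # financial field the dollar total is taken over


@dataclass(frozen=True)
class ControlTotals:
    item_count: int
    document_count: int
    dollar_total: Decimal
    hash_total: int


def compute_totals(records):
    """Recompute the four control totals from the records actually received."""
    return ControlTotals(
        item_count=len(records),
        document_count=len({r.document_no for r in records}),
        dollar_total=sum((r.amount for r in records), Decimal("0")),
        hash_total=sum(r.account_no for r in records),
    )


def balance_batch(register_totals, records):
    """Compare the batch register totals with the computed totals.

    Returns a list of exception strings, one per total that disagrees.
    An empty list means the batch balances and may be posted.
    """
    computed = compute_totals(records)
    exceptions = []
    for field in ("item_count", "document_count", "dollar_total", "hash_total"):
        expected = getattr(register_totals, field)
        actual = getattr(computed, field)
        if expected != actual:
            exceptions.append(f"{field}: register {expected}, computed {actual}")
    return exceptions


# Constructed batch register entry: 3 items on 3 documents, $1250.00,
# hash total 10234 + 10233 + 10233 = 30700.
BATCH_REGISTER = ControlTotals(
    item_count=3, document_count=3,
    dollar_total=Decimal("1250.00"), hash_total=30700,
)

# Batch keyed correctly.
ENTERED_OK = (
    Record("D001", 10234, Decimal("500.00")),
    Record("D002", 10233, Decimal("250.00")),
    Record("D003", 10233, Decimal("500.00")),
)

# Account number on D001 transposed (10234 -> 10243). Item count, document
# count and dollar total all still agree; only the hash total catches it.
ENTERED_WRONG_ACCOUNT = (
    Record("D001", 10243, Decimal("500.00")),
    Record("D002", 10233, Decimal("250.00")),
    Record("D003", 10233, Decimal("500.00")),
)

# D002 keyed twice. Document count still agrees (same 3 documents), but the
# item count, dollar total and hash total all move.
ENTERED_DUPLICATE = (
    Record("D001", 10234, Decimal("500.00")),
    Record("D002", 10233, Decimal("250.00")),
    Record("D002", 10233, Decimal("250.00")),
    Record("D003", 10233, Decimal("500.00")),
)


if __name__ == "__main__":
    for name, batch in (("ok", ENTERED_OK),
                        ("wrong account", ENTERED_WRONG_ACCOUNT),
                        ("duplicate", ENTERED_DUPLICATE)):
        print(name, balance_batch(BATCH_REGISTER, batch) or "balanced")
```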
e-Commerce
- B2B
- B2C
Architectures:
- 2-tier (server provides content, client handles display)
- 3-tier (database server, web server, web browser)
Risk
- Confidentiality, Integrity & Availability
- Authentication and Non-Repudiation
- Power shift to customer
EDI
In use for about 20 years, and gained popularity over the last 5 years. Now being potentially overshadowed by the Internet. Three main components are generally required:
- Communications handler (transmits & receives documents)
- EDI interface (translates between EDI and app)
- Application system (the in-house programs)
Its hybrid nature means that EDI presents issues both in terms of security and application development. Should use a mixture of inbound, outbound and general controls.
Specialised systems
- AI and expert systems
- Data warehouses
- DSSs
AI Technologies
Audit issue: errors generated from an AI system may impact a business more than errors from a traditional system.
Expert systems are the most common type and consist of two key components:
- Knowledge base, expressed as decision trees, rules or semantic nets
- Inference engine
Audit techniques: review decision logic, procedures for updating knowledge etc.
AI Technologies
AI technologies include:
- Expert systems
- Natural language processors
- Neural networks
- Intelligent text managers (e.g. rule based DIP)
- Voice recognition
- Foreign language translators
Data Warehousing
Defined as a subject oriented information store designed specifically for decision support. Key characteristics:
- Subject-oriented
- Integrated
- Time-variant
- Non-volatile
Topology can be either:
- A single central warehouse
- A series of data marts
- Or a mixture of both
Key issues are:
- The quality of data and the accuracy of the extraction process
- Data ownership
DSSs
Characteristics include:
- Aimed at less structured problems
- Emphasis on flexibility and adaptability
- Effectiveness over efficiency
- Decision focus
- Can be framework based
Often built via prototyping to ensure accurate capture of requirements. Trends include:
- Better supported by advances in database and graphics technologies
- Greater numbers of experienced designers skilled in this area
- Greater need to understand data to stay competitive
Instructions
- Take a question handout and answer sheet from the front, keeping the questions face down
- You will have 15 minutes to answer the questions, after which we'll hand out answer sheets
Exam Technique
Key points to remember:
- Not time pressured, however... 4 hrs x 60 mins / 200 qs = 1.2 mins per question... so don't ignore timing completely!!!!
- Much more important is your reading technique, as it is hard to maintain concentration across the full 200 questions and they are partially designed to trip you up
- Also, you need to think with a CISA perspective - not the real world!!!
Mock Exam
The exam will be:
- 2 hours in length
- 100 questions spread over the 7 chapters in the correct proportions
- Featuring a range of question difficulties: (s) straightforward, (a) ambiguous, (u) unusual
It should be taken seriously, as the next two hours are the best indication of how well prepared you will be for the real thing on Saturday morning.
STOP !!!!
Exam Review
Instructions:
- Swap papers for marking
- Total up the scores
- Indicate with a dot the incorrect answers on the 10x10 grid at the front
- Indicate with a dot the total score on the score sheet at the front
- Hand back the answer sheets
- Take time to review your mistakes against the explanations listed
Instructions
- Split into 2 teams
- This final quiz is in two rounds
Round 1 - Categories Of Your Choice (where each team takes it in turns to pick a category and answer 10 questions on this category). A question not answerable by one team is open to the other team for a bonus mark. Note: no looking in your books!!!
15 questions in total. There is a point for each correct answer; however, each team gets only one attempt at each question. On your marks, get set, go!!!!
Exam Arrangements
The details of the exam are:
- Takes place Saturday 14th June
- Not admitted if you do not arrive by 8.30 a.m. (even though the exam does not start until 9.00 a.m.)