Category: Certified Information Systems Auditor (CISA) certification exam

  • May CISA sprint training handout, part 1 (.PPT download)

    Management of the IS Audit Function
    ISACA IS Auditing Standards and Guidelines
    Risk Analysis
    Internal Controls
    Performing an IS audit
    Control Self-assessment
    Emerging Changes in the IS Audit Process

    Effect of Laws and Regulations on IS Audit Planning
    How to determine an organization’s level of compliance with external requirements
    Identify those government or other relevant external requirements.
    Document pertinent laws and regulations
    Assess whether the management of the organization and the IS function have considered the relevant external requirements in making plans and in setting policies, standards and procedures
    Review internal IS department/function/activity documents that address adherence to laws applicable to the industry
    Determine adherence to established procedures that address these requirements
    Determine if there are procedures in place to ensure that contracts or agreements with external IT service providers reflect any legal requirements related to responsibilities

  • 2006 CISA Certification Exam Review Series: Information Systems Audit Practice Manual (photocopy edition)

    2006 CISA Certification Exam Review Series: Information Systems Audit Practice Manual (photocopy edition), divided into six chapters.

  • CISA 2006 question bank (725 questions)

    1. An IS auditor is reviewing access to an application to determine whether the 10 most recent "new user" forms were correctly authorized. This is an example of:
    A. variable sampling.
    B. substantive testing.
    C. compliance testing.
    D. stop-or-go sampling.
    The correct answer is: C.
    Explanation: Compliance testing determines whether controls are being applied in compliance with policy. This includes tests to determine whether new accounts were appropriately authorized. Variable sampling is used to estimate numerical values, such as dollar values. Substantive testing substantiates the integrity of actual processing, such as balances on financial statements. The development of substantive tests is often dependent on the outcome of compliance tests. If compliance tests indicate that there are adequate internal controls, then substantive tests can be minimized. Stop-or-go sampling allows a test to be stopped as early as possible and is not appropriate for checking whether procedures have been followed.
    2. The decisions and actions of an IS auditor are MOST likely to affect which of the following risks?
    A. Inherent
    B. Detection
    C. Control
    D. Business
    The correct answer is: B.
    Explanation: Detection risks are directly affected by the auditor’s selection of audit procedures and techniques. Inherent risks usually are not affected by the IS auditor. Control risks are controlled by the actions of the company’s management. Business risks are not affected by the IS auditor.
    3. Senior management has requested that an IS auditor assist the departmental management in the implementation of necessary controls. The IS auditor should:
    A. refuse the assignment since it is not the role of the IS auditor.
    B. inform management of his/her inability to conduct future audits.
    C. perform the assignment and future audits with due professional care.
    D. obtain the approval of user management to perform the implementation and follow-up.
    The correct answer is: B.

  • CISA Questions and Answers 2005 exam material

    A large collection of exam questions; DOC document, 289 pages.

    Question count by section:

    Section      Total
    Section 1     65
    Section 2     69
    Section 3     92
    Section 4    160
    Section 5     63
    Section 6    106
    Section 7     95
    Summary      650

    63. In a critical server, an IS auditor discovers a Trojan horse that was produced by a known virus that exploits a vulnerability of an operating system. Which of the following should an IS auditor do FIRST?
    A. Investigate the virus author.
    B. Analyze the operating system log.
    C. Ensure that the malicious code is removed.
    D. Install the patch that eliminates the vulnerability.

    The correct answer is:
    C. Ensure that the malicious code is removed.
    Explanation:
    The priority is safeguarding the system; therefore, the IS auditor should suggest corrective controls, i.e., remove the code. The IS auditor is not responsible for investigating the virus. The IS auditor may analyze the virus information and determine if it has affected the operating system, but this is an investigative task that would take place after ensuring that the malicious code has been removed. Installing the patch that eliminates the vulnerability should be done by technical support.

    64. Senior management has requested that an IS auditor assist the departmental management in the implementation of necessary controls. The IS auditor should:
    A. refuse the assignment since it is not the role of the IS auditor.
    B. inform management of his/her inability to conduct future audits.
    C. perform the assignment and future audits with due professional care.
    D. obtain the approval of user management to perform the implementation and follow-up.

    The correct answer is:
    B. inform management of his/her inability to conduct future audits.
    Explanation:
    In this situation the IS auditor should inform management of the impairment of independence in conducting further audits in the auditee area. An IS auditor can perform non-audit assignments where the IS auditor’s expertise can be of use to the management; however, by performing the non-audit assignment, the IS auditor cannot conduct the future audits of the auditee as his/her independence may be compromised. However, the independence of the IS auditor will not be impaired when suggesting/recommending controls to the auditee after the audit.

    65. Which of the following is the PRIMARY advantage of using computer forensic software for investigations?
    A. The preservation of the chain of custody for electronic evidence
    B. Time and cost savings
    C. Efficiency and effectiveness
    D. Ability to search for violations of intellectual property rights

  • CISA Questions and Answers 2006 exam material

    A large collection of exam questions; DOC document, 258 pages.

    Area: 3
    141. Which of the following data validation edits could be used by a bank, to ensure the correctness of bank account numbers assigned to customers, thereby helping to avoid transposition and transcription errors?
    A. Sequence check
    B. Validity check
    C. Check digit
    D. Existence check

    The correct answer is:
    C. Check digit
    Explanation:
    A check digit is a mathematically calculated value that is added to data to ensure that the original data have not been altered. This helps in avoiding transposition and transcription errors. Thus, a check digit can be added to an account number to check for accuracy. Sequence checks ensure that a number follows sequentially and any out of sequence or duplicate control numbers are rejected or noted on an exception report. Validity checks and existence checks match data against predetermined criteria to ensure accuracy.

    Area: 3
    142. Which of the following types of testing would determine whether a new or modified system can operate in its target environment without adversely impacting other existing systems?
    A. Parallel testing
    B. Pilot testing
    C. Interface/integration testing
    D. Sociability testing

    The correct answer is:
    D. Sociability testing
    Explanation:
    The purpose of sociability testing is to confirm that a new or modified system can operate in its target environment without adversely impacting existing systems. This should cover the platform that will perform primary application processing and interfaces with other systems, as well as changes to the desktop in a client-server or web development. Parallel testing is the process of feeding data into two systems—the modified system and an alternate system—and comparing the results. In this approach, the old and new systems operate concurrently for a period of time and perform the same processing functions. Pilot testing takes place first at one location and is then extended to other locations. The purpose is to see if the new system operates satisfactorily in one place before implementing it at other locations. Interface/integration testing is a hardware or software test that evaluates the connection of two or more components that pass information from one area to another. The objective is to take unit-tested modules and build an integrated structure.

  • CISA Review Questions, Answers & Explanations Manual 2009 supplement (.pdf download)

    CISA Review Questions, Answers & Explanations Manual 2009 supplement: download of the 2009 supplementary material to the CISA review questions, answers and explanations manual, in photocopied PDF format.

  • May CISA sprint training handout, part 3 (.PPT download)

    Chapter 3
    Systems and Infrastructure Life Cycle Management

    Business Realization
    Project Management Structure
    Project Management Practices
    Business Application Development
    Alternative Application Development Approaches
    Alternative Forms of Software Project Organization
    Alternative Development Methods
    Infrastructure Development/Acquisition Practices
    Information Systems Maintenance Practices
    System Development Tools and Productivity Aids
    Process Improvement Practices
    Application Controls
    Auditing Application Controls
    Auditing Systems Development, Acquisition and Maintenance
    Business Application Systems

    Project Organizational Forms
    Three major forms of organizational alignment for project management can be observed:
    Influence project organization – the project manager has only a staff function without formal management authority
    Pure project organization – the project manager has formal authority over those taking part in the project
    Matrix project organization – management authority is shared between the project manager and the department heads
    Requests for major projects should be submitted to, and prioritized by, the IS steering committee.
    The project manager should be identified and appointed by the IS steering committee.

  • May CISA sprint training handout, part 2 (.PPT download)

    Chapter 2
    IT Governance

    Corporate Governance
    Monitoring and Assurance Practices for Board and Executive Management
    Information Systems Strategy
    Policies and Procedures
    Risk Management
    IS Management Practices
    IS Organization Structure and Responsibilities
    Auditing IT Governance Structure and Implementation

    IT governance is concerned with two issues: that IT delivers value to the business and that IT risks are mitigated. The first is driven by strategic alignment for IT with the business. The second is driven by embedding accountability into the enterprise.
    IT governance is the responsibility of the board of directors and executive management.
    IT governance is an integral part of enterprise governance and consists of the leadership, organizational structures and processes that ensure that the organization’s IT sustains and extends the organization’s strategy and objectives.
    A key element of IT governance is the alignment of business and IT.
    The key IT governance practices are the IT strategy committee, risk management and the standard IT balanced scorecard.