CISA EXAM PREP COURSE:
SESSION 2
2 © Copyright 2016 ISACA. All rights reserved.
Job Practice
Domain 1: The Process of Auditing Information Systems, 21%
Domain 2: Governance and Management of IT, 16%
Domain 3: Information Systems Acquisition, Development and Implementation, 18%
Domain 4: Information Systems Operations, Maintenance and Service Management, 20%
Domain 5: Protection of Information Assets, 25%
Domain 3
Information Systems Acquisition,
Development and Implementation
Domain 3
Provide assurance that the practices for
the acquisition, development, testing and
implementation of information systems
meet the organization’s strategies and
objectives.
Task 3.1
Evaluate the business case for the
proposed investments in information
systems acquisition, development,
maintenance and subsequent retirement
to determine whether it meets business
objectives.
Benefits Realization
To assess whether IT management is fulfilling its value
management responsibilities, the IS auditor must
understand how the business defines value or an ROI for
development-related projects.
Because IT-related initiatives have high expenditures,
these projects must be evaluated on:
o Cost
o Quality
o Development/delivery time
o Reliability and dependability
Benefits Realization Objectives
The objectives of benefits realization include:
o IT-enabled business investments achieve the
promised benefits and deliver measurable business
value.
o Required capabilities (solutions and services) are
delivered on time and within budget.
o IT services and assets continue to contribute to
business value.
Business Case
A business case provides the information required for an
organization to decide whether a project should proceed.
It allows for a comparison of costs and business benefits
and provides justification for setting up or continuing a
project.
It is often the first step in a project and normally derives
from a feasibility study.
Feasibility Study
Conduct a formal review with stakeholders.
Evaluate the cost-effectiveness of the approach.
Provide a recommended approach.
Identify requirements based on stakeholder needs.
Conduct a current analysis.
Define the project scope.
IS Auditor’s Role
During the feasibility study, the IS auditor should perform
the following:
o Review the documentation for the phase to ensure
that it is reasonable.
o Determine whether all cost justifications/benefits are
verifiable and that they show the anticipated costs
and expected benefits.
o Identify and determine the criticality of the need.
o Determine if a solution can be achieved with systems
already in place. If not, review the evaluation of
alternative solutions for reasonableness.
o Determine the suitability of the chosen solution.
Requirements Definition (cont’d)
In order to successfully complete a requirements definition,
the project team will complete tasks such as:
o Identify stakeholders.
o Record requirements in a structured format and consult
with stakeholders.
o Verify requirements are complete, consistent,
unambiguous, verifiable, modifiable, testable and
traceable.
o Detect and correct conflicts.
o Identify any constraints.
o Resolve conflicts.
Task 3.2
Evaluate IT supplier selection and
contract management processes to
ensure that the organization’s service
levels and requisite controls are met.
System Acquisition Factors
Factors impacting whether to develop or acquire a system
include:
o The date the system needs to be functional
o The cost to develop the system as opposed to buying it
o The resources, staff and hardware required
o In a vendor system, the license characteristics (e.g., yearly
renewal, perpetual) and maintenance costs
o Other systems that will need the ability to interface with the
new system
o Compatibility with strategic business plans, risk appetite,
regulatory compliance requirements and the organization’s
IT infrastructure
o Likely future requirements for changes to functionality
Requirements Definition
Requirements definition should include descriptions of what a
system should do, how users will interact with a system,
conditions under which the system will operate and the
information criteria the system should meet.
IS Auditor’s Role
When determining system requirements, the IS auditor should perform
the following:
o Obtain the detailed requirements definition document, and verify its
accuracy through interviews.
o Identify the key team members on the project team.
o Verify that project initiation and cost have received proper
management approval.
o Review the conceptual design specifications to ensure that they
address the needs of the user.
o Review the conceptual design to ensure that control specifications
have been defined.
o Review the UAT specification.
o Determine whether a reasonable number of vendors received a
proposal covering the project scope and user requirements.
o Determine whether an embedded audit routine can be used.
Request For Proposal (RFP)
Items the RFP should cover:
o Product vs. system requirements
o Product scalability and interoperability
o Customer references
o Vendor viability/financial stability
o Availability of complete and reliable documentation
o Vendor support
o Source code availability
o Number of years of experience in offering the product
o A list of recent or planned enhancements to the product, with dates
o Number of client sites using the product with a list of current users
o Acceptance testing of the product
Source: ISACA, CISA Review Manual 26th Edition, figure 3.14
Software Acquisition Process
During software acquisition, the IS auditor should perform the
following:
o Analyze the documentation from the feasibility study to
determine whether the decision to acquire a solution was
appropriate.
o Review the RFP to ensure that it covers the items listed and
whether the selected vendor is supported by the RFP
documentation.
o Attend agenda-based presentations and conference room pilots
to ensure that the system matches the vendor’s response to the
RFP.
o Review the vendor contract prior to its signing.
o Ensure the contract is reviewed by legal counsel before it is
signed.
Physical Architecture Analysis
Requirements are validated using a proof of concept.
The proof of concept should deliver a working prototype
that demonstrates basic setup and functionality.
Vendor selection steps (figure 3.24):
1. Review of existing architecture
2. Analysis and design
3. Draft functional requirements
4. Functional requirements
5. Define final functional requirements
6. Proof of concept
The steps are supported by three architecture workshops: Architecture Workshop 1, Architecture Workshop 2 (presentation and discussion of functional requirements) and Architecture Workshop 3 (delivery of prototype).
Source: ISACA, CISA Review Manual 26th Edition, figure 3.24
Implementation Planning
1. Procurement Phase: Establish the communication process, and determine the deliverables, contracts and SLAs. A requirements statement is produced.
2. Delivery Time: Develop the delivery plan: priorities, goals, key facts, principles, communication strategies, key indicators, progress on key tasks and responsibilities.
3. Installation Plan: Develop and review the plan with involved parties.
4. Installation Test Plan: Develop the test plan to include test cases, basic requirements specifications, definition of processes and metrics.
Source: ISACA, CISA Review Manual 26th Edition, figure 3.25
Task 3.3
Evaluate the project management
framework and controls to determine
whether business requirements are
achieved in a cost-effective manner while
managing risks to the organization.
Project Management
The project management approach is dependent on the
size of the organization and complexity of the business.
Prior to project involvement, the IS auditor must become
familiar with the standard or structure used by the
organization.
Project management processes include:
o Initiating
o Planning
o Executing
o Controlling
o Closing
Project Context
When analyzing the context of a project, the IS auditor
must consider:
o Importance of the project in the organization
o Connection between the organization’s strategy and
the project
o Relationship between the project and other projects
o Connection between the project and the underlying
business case
Project Context (cont’d)
Understanding the environment and context of the
projects helps to identify:
o Common objectives for the organization
o Risk
o Resource connections
Project Objectives
Project objectives are the specific action statements that
support the project goals.
Project objectives should always begin with an action
verb.
A project needs clearly defined results that are SMART:
o Smart
o Measurable
o Attainable
o Realistic
o Timely
IS Auditor’s Role
The IS auditor should review the adequacy of the following
project management activities:
o Levels of oversight by project committee/board
o Risk management methods
o Issue management
o Cost management
o Processes for planning and dependency management
o Reporting processes
o Change control processes
o Stakeholder management involvement
o Sign-off process
Task 3.4
Conduct reviews to determine whether a
project is progressing in accordance with
project plans, is adequately supported by
documentation, and has timely and
accurate status reporting.
Project Planning
When planning a project, the project manager needs to
determine the various tasks to be performed, as well as
the following:
o Task sequence
o Task duration
o Task priority
o Task budget
o Task resources
During project execution, the project manager must
control the scope, resource usage and risk.
SDLC
Phase 1–Feasibility Study
Phase 2–Requirements Definition
Phase 3A–Software Selection and Acquisition
Phase 3B–Design
Phase 4A–Configuration
Phase 4B–Development
Phase 5–Final Testing and Implementation
Phase 6–Postimplementation
Source: ISACA, CISA Review Manual 26th Edition, figure 3.12
IS Auditor Role in SDLC (cont’d)
The IS auditor should ensure that:
o The project meets the organization’s goals and
objectives.
o Project planning is performed, including effective
estimates of resources, budget and time.
o Scope creep is controlled and there is a software
baseline.
o Management is tracking software design and
development activities.
o Senior management support is provided.
o Periodic review and risk analysis is performed in each
project phase.
Business Application Development
Two major categories include:
o Organization-centric computing―The objective is to
collect, collate, store, archive and share information
with business users and various applicable support
functions.
o End-user-centric computing―The objective is to
provide different views of data for their performance
optimization.
IS Auditor’s Role
During the design and development phases, the IS auditor should do
the following:
o Review the system flowcharts for adherence to the general design.
o Verify that appropriate approvals were obtained for any changes.
o Review the input, processing and output controls designed into the
system for appropriateness.
o Interview the key users to determine their understanding of how the
system will operate.
o Assess the adequacy of audit trails to provide traceability and
accountability of system transactions.
o Verify the integrity of key calculations and processes.
o Verify that the system can identify and process erroneous data
correctly.
o Review the quality assurance results.
o Verify that all recommended corrections were made.
Task 3.5
Evaluate controls for information
systems during the requirements,
acquisition, development and testing
phases for compliance with the
organization’s policies, standards,
procedures and applicable external
requirements.
Virtualization Controls
The IS auditor will need to understand the following concepts:
o Hypervisors and guest images (OS and networks) are securely
configured according to industry standards. Apply hardening to
these virtual components as closely as one would to a physical
server, switch, router, firewall or other computing device.
o Hypervisor management communications should be protected on a
dedicated management network.
o The hypervisor should be patched as the vendor releases the fixes.
o The virtualized infrastructure should be synchronized to a trusted
authoritative time server.
o Unused physical hardware should be disconnected from the host
system.
o All hypervisor services should be disabled unless they are needed.
o Host inspection capabilities should be enabled to monitor the
security of each guest OS and of each activity occurring between
guest OSs.
Application Controls
Application controls ensure that:
o Only complete, accurate and valid data are entered and updated in a computer system.
o Processing accomplishes the correct task.
o Processing results meet expectations.
o Data are maintained.
Application controls cover input, processing and output.
IS Auditor’s Role
The IS auditor’s tasks include the following:
o Identifying significant application components and the
flow of transactions
o Identifying the application control strengths and
evaluating the impact of the control weaknesses
o Developing a testing strategy
o Testing the controls to ensure their functionality and
effectiveness
o Evaluating the control environment by analyzing the
test results and other audit evidence to determine that
control objectives were achieved
o Considering the operational aspects of the application
to ensure its efficiency and effectiveness
Application Control Documentation
The IS auditor should review the following
documentation to gain an understanding of the
application’s development:
o System development methodology documents
o Functional design specifications
o Program changes
o User manuals
o Technical reference documentation
Application Control Testing
The IS auditor must test application controls to ensure
their functionality and effectiveness.
Some of the methods and techniques to test the
application system include:
o Snapshot
o Mapping
o Tracing and tagging
o Test data/deck
o Base-case system evaluation
o Parallel operation
o Integrated test facility
o Parallel simulation
o Transaction selection programs
o Embedded audit data collection
o Extended records
Continuous Online Auditing
o Systems Control Audit Review File and Embedded Audit Modules (SCARF/EAM)―Embeds specially written software in the host application system to monitor it on a selective basis
o Snapshots―Captures the processing path a transaction follows and applies identifiers for subsequent reviews
o Audit Hooks―Embeds hooks in the application system to function as red flags, which allows IS or the auditor to intervene
o Integrated Test Facility (ITF)―Sets up dummy entities on the production files to confirm the correctness of the processing
o Continuous and Intermittent Simulations (CIS)―Simulates the execution of an application and audits the transaction if it meets predetermined criteria
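Three of the techniques above (SCARF/EAM, audit hooks and ITF) modelled in one small host application, as an added example that is not code from the ISACA material; the transaction fields, the selection threshold and the dummy account are constructed assumptions.

```python
# Added example (not from the ISACA slides): continuous online auditing code
# embedded in a constructed host application that posts transactions.
#   SCARF/EAM  - selects transactions meeting predetermined criteria into an audit file
#   Audit hook - raises a red flag and holds the transaction for intervention
#   ITF        - a dummy entity on the master file keeps test postings out of
#                the production ledger
from dataclasses import dataclass, field

ITF_DUMMY_ACCOUNT = "ITF-TEST-0001"   # constructed dummy entity on the master file
SCARF_AMOUNT_THRESHOLD = 10_000.0     # constructed selection criterion


@dataclass
class Transaction:
    txn_id: int
    account: str
    amount: float
    originator: str
    authorizer: str


@dataclass
class HostApplication:
    ledger: dict = field(default_factory=dict)      # production balances
    itf_ledger: dict = field(default_factory=dict)  # dummy-entity balances
    scarf_file: list = field(default_factory=list)  # SCARF output for the auditor
    red_flags: list = field(default_factory=list)   # transactions held by the hook

    def _scarf(self, txn: Transaction) -> None:
        """Embedded audit module: selective monitoring that records matching
        transactions without altering what the host application does."""
        reasons = []
        if txn.amount >= SCARF_AMOUNT_THRESHOLD:
            reasons.append("amount at or above threshold")
        if txn.originator == txn.authorizer:
            reasons.append("originator also authorized (SoD)")
        if reasons:
            self.scarf_file.append((txn.txn_id, tuple(reasons)))

    def _audit_hook(self, txn: Transaction) -> bool:
        """Red flag: a self-authorized transaction is held so IS or the auditor
        can intervene. Returns True when processing may continue."""
        if txn.originator == txn.authorizer:
            self.red_flags.append(txn.txn_id)
            return False
        return True

    def post(self, txn: Transaction) -> str:
        """Processing path of the host application with the audit code embedded."""
        self._scarf(txn)
        if not self._audit_hook(txn):
            return "held"
        # ITF: postings to the dummy entity never touch production balances
        target = self.itf_ledger if txn.account == ITF_DUMMY_ACCOUNT else self.ledger
        target[txn.account] = target.get(txn.account, 0.0) + txn.amount
        return "posted"


# Constructed sample transactions
SAMPLE_TXNS = [
    Transaction(1, "ACC-100", 2_500.0, "clerk-a", "mgr-b"),            # ordinary
    Transaction(2, "ACC-200", 15_000.0, "clerk-a", "mgr-b"),           # large: SCARF
    Transaction(3, "ACC-100", 800.0, "clerk-c", "clerk-c"),            # SoD: hook + SCARF
    Transaction(4, ITF_DUMMY_ACCOUNT, 12_000.0, "auditor", "mgr-b"),   # ITF test posting
]


def run_host() -> HostApplication:
    """Post the sample transactions and return the application state."""
    app = HostApplication()
    for txn in SAMPLE_TXNS:
        app.post(txn)
    return app


if __name__ == "__main__":
    state = run_host()
    print("production ledger:", state.ledger)
    print("ITF ledger:", state.itf_ledger)
    print("SCARF file:", state.scarf_file)
    print("red flags:", state.red_flags)
```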
Task 3.6
Evaluate the readiness of information
systems for implementation and
migration into production to determine
whether project deliverables, controls
and organization’s requirements are met.
Testing
Testing determines that the user requirements have
been validated, the system is performing as anticipated
and internal controls work as intended.
The two primary approaches to testing include:
o Bottom up―Begin testing of individual units, and work
upward until a complete system testing has taken
place.
o Top down―Begin testing the complete system, and
work downward to individual units.
Types of Testing
Unit testing
• Tests program logic within a particular program or module
• Ensures that the internal operation of the program performs according to specification
• Uses a set of test cases that focus on the control structure of the procedural design
Interface or integration testing
• A hardware or software test that evaluates the connection of two or more components that pass information from one area to another
System testing
• A series of tests designed to ensure that modified programs, objects, database schema, etc., which collectively constitute a new or modified system, function properly
Final acceptance testing
• System testing that takes place during the implementation phase and applies the organization’s QA methodology
User Performance Testing
Some of the user procedures that should be observed and tested include:
• SoD―ensures that no individual has the capability of performing more than one of the following processes: origination, authorization, verification or distribution.
• Authorization of input―use written authorization on input documents or unique passwords.
• Balancing―verify that run-to-run control totals and other application totals are reconciled on a timely basis.
• Error control and correction―reports that provide evidence of appropriate review, research, timely correction and resubmission.
• Distribution of reports―produce and maintain critical output reports in a secure manner.
• Review and testing of access authorizations and capabilities―provide information on access levels by individuals.
• Activity reports―provide details, by user, of activity volume and hours.
• Violation reports―indicate any unsuccessful and unauthorized access attempts.
Data Integrity Testing
Data integrity testing is a set of substantive tests that
examine accuracy, completeness, consistency and
authorization of data presently held in a system. Two
common types include:
o Relational integrity tests―Data validation routines
performed at the data element and record-based
levels.
o Referential integrity tests―Define existence
relationships between entities in different tables of a
database that need to be maintained by the DBMS.
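Both test types run as substantive tests over a constructed payroll database, as an added example that is not part of the ISACA material; the tables, columns, audit date and sample rows are assumptions.

```python
# Added example (not from the ISACA slides): the two data integrity test types
# run as substantive tests over a constructed SQLite payroll database.
#   relational integrity  - validation of single data elements and whole records
#   referential integrity - every foreign key must point at an existing parent row
# Table names, columns and sample rows are constructed for illustration.
import sqlite3
from datetime import date

SCHEMA = """
CREATE TABLE department (dept_id INTEGER PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE employee   (emp_id INTEGER PRIMARY KEY, name TEXT NOT NULL,
                         dept_id INTEGER NOT NULL, hired_on TEXT NOT NULL);
CREATE TABLE payroll    (run_id INTEGER PRIMARY KEY, emp_id INTEGER NOT NULL,
                         gross REAL NOT NULL, net REAL NOT NULL, approver TEXT);
"""

# Constructed rows; the marked ones are deliberately bad so each test fires.
SAMPLE_ROWS = {
    "department": [(10, "Finance"), (20, "Engineering")],
    "employee": [
        (1, "Ada", 10, "2019-03-01"),
        (2, "Bob", 20, "2021-07-15"),
        (3, "Cy", 20, "2030-01-01"),        # hire date in the future
        (4, "Dee", 99, "2020-05-05"),       # department 99 does not exist
    ],
    "payroll": [
        (1, 1, 5000.0, 3900.0, "fin-mgr"),
        (2, 2, 4200.0, 4300.0, None),       # net exceeds gross, no approver
        (3, 7, 3000.0, 2400.0, "fin-mgr"),  # employee 7 does not exist
    ],
}


def build_sample_db() -> sqlite3.Connection:
    """In-memory database. SQLite leaves foreign keys unenforced by default,
    which mirrors a DBMS where the relationship was never declared."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for table, rows in SAMPLE_ROWS.items():
        marks = ",".join("?" * len(rows[0]))
        conn.executemany(f"INSERT INTO {table} VALUES ({marks})", rows)
    conn.commit()
    return conn


def relational_integrity_findings(conn, as_of=date(2025, 1, 1)):
    """Element- and record-level validation; returns (table, key, rule) tuples."""
    findings = []
    # element level: a hire date must not lie after the audit date
    for emp_id, hired in conn.execute("SELECT emp_id, hired_on FROM employee"):
        if date.fromisoformat(hired) > as_of:
            findings.append(("employee", emp_id, "hired_on in the future"))
    # record level: fields of one record must be mutually consistent
    sql = "SELECT run_id, gross, net, approver FROM payroll"
    for run_id, gross, net, approver in conn.execute(sql):
        if net > gross:
            findings.append(("payroll", run_id, "net exceeds gross"))
        if not approver:
            findings.append(("payroll", run_id, "missing authorization"))
    return findings


def referential_integrity_findings(conn):
    """Existence relationships between tables: a LEFT JOIN that finds no
    parent row exposes an orphaned child record."""
    checks = {
        ("employee", "dept_id", "department"):
            "SELECT e.emp_id FROM employee e LEFT JOIN department d "
            "ON e.dept_id = d.dept_id WHERE d.dept_id IS NULL",
        ("payroll", "emp_id", "employee"):
            "SELECT p.run_id FROM payroll p LEFT JOIN employee e "
            "ON p.emp_id = e.emp_id WHERE e.emp_id IS NULL",
    }
    findings = []
    for (child, fk, parent), sql in checks.items():
        for (key,) in conn.execute(sql):
            findings.append((child, key, f"{fk} has no matching {parent} row"))
    return findings


def run_data_integrity_tests():
    """Run both test types against the sample database; findings by type."""
    conn = build_sample_db()
    return {
        "relational": relational_integrity_findings(conn),
        "referential": referential_integrity_findings(conn),
    }
```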
IS Auditor’s Role
During testing, the IS auditor should perform the following:
o Review the test plan, error reports, end user documentation and procedures
used for completeness and accuracy.
o Reconcile control totals and converted data.
o Verify cyclical processing and critical reports for accuracy.
o Interview end users of the system for their understanding of new methods,
procedures and operating instructions.
o Verify that system security is functioning as designed.
o Review parallel testing results and the user acceptance testing.
o Review unit and system test plans to determine whether tests for internal
controls are planned and performed.
o Review the user acceptance testing and ensure that the accepted software
has been delivered to the implementation team. The vendor should not be
able to replace this version.
o Review procedures used for recording and following through on error
reports.
Task 3.7
Conduct post-implementation reviews of
systems to determine whether project
deliverables, controls and organization’s
requirements are met.
Implementation Planning
After successful testing, the system is implemented
according to the organization’s change control
procedures.
An implementation plan should be prepared well in
advance of the implementation date.
Each step of setting up the production environment
should be documented, including who will be
responsible, how the step will be verified and the
back-out procedure.
Implementation Planning Steps
Step 1―Develop Support Structures
• Develop a gap analysis process.
• Define required roles.
Step 2―Establish Support Functions
• Develop service level agreements (SLAs). SLAs should consider:
• Operating time
• Support time
• Mean time between failures (MTBF)
• Mean time to repair (MTTR)
• Technical support response time
• Implementation plan/knowledge transfer plan
• Develop training plans:
• Staff training
• End user training
IS Auditor’s Role
During the implementation phase, the IS auditor should
perform the following:
o Verify appropriate sign-offs have been obtained.
o Review the programmed procedures used for
scheduling and running the system.
o Review all system documentation to ensure its
completeness.
o Verify all data conversions to ensure that they are
correct and complete.
Post-implementation
Post-implementation reviews are typically conducted
after the project has been in use long enough to realize
its business benefits and costs and to measure the
project’s overall success and impact on the business
units.
Metrics include:
o Total cost of ownership (TCO)
o Return on investment (ROI)
Project Close
Projects have a finite life. Once the project is closed, it is
handed over to end users.
During project closure:
o Assign outstanding issues.
o Assign custody of contracts.
o Archive or hand off documentation.
o Discuss lessons learned.
o Conduct a post-project review.
Certification and Accreditation
Certification is a process by which an assessor
performs a comprehensive assessment against a
standard of management and operational and technical
controls and determines the level of compliance.
o The goal is to determine the extent to which controls
are implemented correctly, operating as intended and
producing the desired outcome.
Accreditation authorizes operation of an information
system, thereby accepting the risk. A senior official
accepts responsibility and is fully accountable for any
adverse impacts.
System Maintenance
Following implementation, a system enters into the
ongoing development or maintenance stage.
System maintenance practices refer primarily to the
process of managing change to application systems
while maintaining the integrity of both the production and
application source and executable code.
A standard change management process needs to be in
place for recording and performing changes, which is
typically established during the project design phase.
Change Management
Change management is a process to document and
authorize any change requests.
Change requests are initiated from the end user,
operational staff, and system development and
maintenance staff.
Change Management (cont’d)
A change management process should include the
procedures for the following:
o A formal change request process
o Documentation
o Testing of changes
o Emergency changes
o Deploying changes into production
o Handling unauthorized changes
Configuration Management
Configuration management uses change management
processes along with checkpoints, reviews and sign-off
procedures.
Configuration management activities:
o Develop the configuration management plan.
o Baseline applicable components.
o Analyze and report on the results.
o Develop configuration status reports.
o Develop release procedures.
o Perform configuration control activities.
o Update the configuration status accounting database.
IS Auditor’s Role
The IS auditor should review the change management
process for possible improvements in the following:
o Change request methodology and procedures
o Response time and response effectiveness
o User satisfaction
o Security access restrictions
o Emergency procedures
o Acknowledgement and resolution of items on the
change control log
Process Improvement Practices―BPR
BPR Steps:
o Define the areas to be reviewed.
o Develop a project plan.
o Gain an understanding of the process under review.
o Redesign and streamline the process.
o Implement and monitor the new process.
o Establish a continuous improvement process.
BPR Methods and Techniques
BPR Method―Description
o Benchmarking Process―A continuous, systematic process for evaluating the products, services or work processes of organizations recognized as a world-class “reference” in a globalized world
o ISO 9126―An international standard to assess the quality of software products
o Capability Maturity Model Integration (CMMI)―A model used by many organizations to identify best practices useful in helping them assess and increase the maturity of their software development processes
o ISO/IEC 330xx―A series of standards that provide guidance on process assessment
o Business Process Control Assurance―A technique to evaluate controls at the process and activity level and the controls specific to the business process owner
Domain 3 Summary
In this domain we have covered the following:
o Evaluating the business case for the proposed information
systems acquisition and development
o Evaluating IT supplier selection and contract management
processes
o Evaluating the project management framework and controls
o Conducting reviews to determine whether a project is
progressing in accordance with project plans
o Evaluating controls for information systems during the
requirements, acquisition, development and testing phases
o Evaluating the readiness of information systems for
implementation and migration into production
o Conducting post-implementation reviews of systems to
determine whether project deliverables, controls and
organization’s requirements are met
Discussion Question
A legacy payroll application is migrated to a new
application. Which of the following stakeholders should be
PRIMARILY responsible for reviewing and signing off on
the accuracy and completeness of the data before going
live?
A. IS auditor
B. Database administrator
C. Project manager
D. Data owner
Discussion Question
An IS auditor should ensure that the review of online electronic
funds transfer (EFT) reconciliation procedures includes:
A. vouching.
B. authorizations.
C. corrections.
D. tracing.
Discussion Question
The PRIMARY objective of conducting a
postimplementation review for a business process
automation project is to:
A. ensure that the project meets the intended business
requirements.
B. evaluate the adequacy of controls.
C. confirm compliance with technological standards.
D. confirm compliance with regulatory requirements.
Domain 4
Information Systems Operations,
Maintenance and Service Management
Domain 4
Provide assurance that the processes for
information systems operations,
maintenance and service management
meet the organization’s strategies and
objectives.
Task 4.1
Evaluate the IT service management framework
and practices (internal or third party) to
determine whether the controls and service
levels expected by the organization are being
adhered to and whether strategic objectives
are met.
IT Service Management
IT service management (ITSM) supports business needs
through the implementation and management of IT
services.
People, processes, and information technology are each
a part of IT services.
A service management framework provides support for
the implementation of ITSM.
The ITSM Premise
The bases of ITSM are:
o IT can be managed through a series of discrete
processes.
o These processes provide “service” to the business and
are interdependent.
Service level agreements (SLA) detail service
expectations.
To ensure high levels of service, ITSM metrics are
compared against the SLA expectations.
SLA Tools
Several reporting tools aid in determining whether
service expectations are being met. These include:
o Exception reports
o System and application logs
o Operator problem reports
o Operator work schedules
Audit of Infrastructure
Enterprise architecture (EA) describes the design of the
components of a business system or subsystem.
o EA documents an organization’s IT assets in a
structured form, facilitating consideration of IT
investments and clarifying interrelationships between
IT components.
Audit of Infrastructure (cont’d)
When auditing infrastructure and operations, the IS
auditor should:
o Follow the overall EA.
o Use the EA as a main source of information.
o Ensure that IT systems are aligned with the EA and
meet organizational objectives.
Task 4.2
Conduct periodic reviews of information
systems to determine whether they continue to
meet the organization’s objectives within the
enterprise architecture (EA).
Hardware Review
Areas to review:
o Hardware acquisition plan and execution
o IT asset management
o Capacity management and monitoring
o Preventive maintenance schedule
o Hardware availability and utilization reports
o Problem logs, job accounting system reports
Source: ISACA, CISA Review Manual 26th Edition, figure 4.26
Operating System Review
Areas to review:
o System software selection procedures
o Feasibility study and selection process
o System software security
o IT asset management
o System software implementation
o Authorization documentation
o System documentation
o System software maintenance activities
o System software change controls
o System software installation change controls
Source: ISACA, CISA Review Manual 26th Edition, figure 4.27
Database Review
Areas to review:
o Logical schema
o Physical schema
o Access time reports
o Database security controls
o Interfaces with other software
o Backup and disaster recovery procedures and controls
o Database-supported IS controls
o IT asset management
Source: ISACA, CISA Review Manual 26th Edition, figure 4.28
Network Review Areas
Source: ISACA, CISA Review Manual 26th Edition, figure 4.29
Physical controls
• Network hardware devices
• File server
• Documentation
• Key logs
• Network wiring closet and transmission wiring
Environmental controls
• Controls in the server facility, including temperature, humidity, static electricity, surge and fire protection
• Protection of backup media
• Cleanliness
Logical security controls
• Passwords
• Network user access and change requests
• Test plans
• Security reports and mechanisms
• Network operation procedures
• Personnel awareness of risks
IS Operations Review
Source: ISACA, CISA Review Manual 26th Edition, figure 4.30
o Observe IS personnel
o Review operator access
o Consider adequacy of operator manuals
o Examine access to the library
o Consider contents/location of offline storage
o Examine file handling procedures
o Examine data entry processes
o Review lights-out operations
Task 4.3
Evaluate IT operations (e.g., job scheduling,
configuration management, capacity and
performance management) to determine
whether they are controlled effectively and
continue to support the organization’s
objectives.
IS Operations
The IS operations function is responsible for the ongoing
support of an organization’s computer and IS
environment, ensuring:
o Computer processing requirements are met
o End users are satisfied
o Information is processed securely
o Outside parties (third parties, cloud computing) meet
the company’s processing requirements
Job Scheduling
Job scheduling is a major function within the IT
department, and in environments in which a large
number of batch routines are processed, this may be
managed through the use of job scheduling software.
It is necessary to ensure that IS resources are optimized
based on processing requirements.
Scheduling Review
Source: ISACA, CISA Review Manual 26th Edition, figure 4.31
o Regularly scheduled applications
o Input deadlines
o Data preparation time
o Estimated processing time
o Output deadlines
o Procedures for use of KPIs
o Processing priorities
o Daily job schedule
o Console log
o Exception processing log
o Re-executed jobs
o Personnel
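The scheduling review items above (daily job schedule, estimated processing time, output deadlines, console log, exception processing log, re-executed jobs) can be checked mechanically once the console log is parsed. The following is an added example, not part of the course material: it reads a constructed console log for one day, compares it with a constructed daily schedule, and returns the findings an IS auditor would follow up. The log format, job names, estimates and deadlines are all assumptions made for the illustration.

```python
"""Scheduling review helper: checks one day's batch console log against the
daily job schedule. Added illustration; the log format, job names and the
estimates/deadlines below are constructed for this example, not taken from
any real scheduler."""
from collections import defaultdict
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M"

# Constructed daily job schedule: job -> (estimated processing minutes, output deadline)
SCHEDULE = {
    "GL_POST":  (30, "2016-03-01 20:00"),
    "PAYROLL":  (45, "2016-03-01 22:00"),
    "BKP_FULL": (90, "2016-03-02 02:00"),
}

# Constructed console log, one event per line: "<date> <time> <event> <job> [detail]"
CONSOLE_LOG = """\
2016-03-01 18:05 START GL_POST
2016-03-01 18:40 END GL_POST rc=0
2016-03-01 19:10 START PAYROLL
2016-03-01 19:12 ABEND PAYROLL rc=12 reason=input-file-missing
2016-03-01 21:30 START PAYROLL
2016-03-01 22:00 START BKP_FULL
2016-03-01 22:40 END PAYROLL rc=0
2016-03-01 23:20 END BKP_FULL rc=0
"""

def parse_log(text):
    """Return (timestamp, event, job, detail) tuples in log order."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        ts = datetime.strptime(f"{parts[0]} {parts[1]}", FMT)
        events.append((ts, parts[2], parts[3], " ".join(parts[4:])))
    return events

def review_schedule(events, schedule):
    """Findings an IS auditor would look for: exceptions, overruns against the
    estimate, missed output deadlines, re-executed jobs and jobs that never ran."""
    findings = defaultdict(list)
    starts = defaultdict(list)   # job -> every START time seen
    running = {}                 # job -> START time of the run in progress
    for ts, event, job, detail in events:
        if event == "START":
            starts[job].append(ts)
            running[job] = ts
        elif event == "ABEND":
            findings["exceptions"].append(f"{job} abended at {ts:%H:%M} ({detail})")
            running.pop(job, None)
        elif event == "END":
            est_minutes, deadline = schedule[job]
            if ts - running.pop(job) > timedelta(minutes=est_minutes):
                findings["overran_estimate"].append(job)
            if ts > datetime.strptime(deadline, FMT):
                findings["missed_output_deadline"].append(job)
    for job, times in starts.items():
        if len(times) > 1:
            findings["re_executed"].append(job)   # candidate for the re-executed jobs review
    for job in schedule:
        if job not in starts:
            findings["not_run"].append(job)
    return dict(findings)

if __name__ == "__main__":
    for key, items in review_schedule(parse_log(CONSOLE_LOG), SCHEDULE).items():
        print(key, items)
```

On the constructed log, PAYROLL shows up under every finding type (it abended, was re-run, overran its estimate and missed its output deadline), while GL_POST only overran its estimate; that is the kind of pattern that should appear in the exception processing log and be traceable to a named operator.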
Task 4.4
Evaluate IT maintenance (patches,
upgrades) to determine whether they are
controlled effectively and continue to
support the organization’s objectives.
Hardware Maintenance
To perform optimally, hardware must be cleaned and serviced
on a routine basis.
When performing an audit of this area, the IS auditor should:
o Ensure that a formal maintenance plan has been
developed. This must be:
• Approved by management
• Implemented and followed
o Identify maintenance costs that exceed budget or are
excessive.
Capacity Management
Computing and network resources must be planned and
monitored to ensure that they are used efficiently and
effectively.
A capacity plan should be developed based on input from
both users and IS managers, and should be reviewed and
updated at least annually.
The IS audit should take into account that capacity
requirements may:
o Fluctuate according to business cycles
o Be interdependent across the capacity plan
Release Management
Major release
• Normally contains a significant change or addition of new functionality
• These usually supersede all preceding minor upgrades
Minor release
• Upgrades, offering small enhancements and fixes
• Usually supersedes all preceding emergency fixes
Emergency release
• Normally contains corrections to a small number of known problems
• These require implementation as quickly as possible, limiting the execution of testing and release management activities
Source: ISACA, CISA Review Manual 26th Edition, figure 4.8
Patch Management
A patch is software code that is installed to maintain
software as current between full-scale version releases.
A patch often addresses security risks that have been
detected in the original code.
Quality Assurance (QA)
Prior to the introduction of system changes to the
production environment, a QA process should be in
place to verify that these changes are:
o Authorized
o Tested
o Implemented in a controlled manner
QA personnel also oversee the proper maintenance of
program versions and the correspondence of source code to object code.
Backup Schemes
Full backup
• What it does: Copies all main files and folders to the backup media
• Advantages: Creates a unique archive in case of restoration
• Disadvantages: Requires more time and media capacity than other methods
Incremental backup
• What it does: Copies files and folders that have changed or are new since the last backup
• Advantages: Requires less time and media than a full backup
• Disadvantages: All backup sets are required to implement a full restoration, taking more time
Differential backup
• What it does: Copies files and folders that have been added or changed since a full backup was performed
• Advantages: Faster than a full backup; requires only the latest full and differential backup sets for full restoration
• Disadvantages: Requires more time and media capacity than an incremental backup
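The trade-offs in the backup schemes table become concrete when you simulate a few days of changes and ask which sets a restore must read. This is an added example, not from the course: it models a constructed five-day change history, computes what each scheme copies each day, which sets a restore needs, how much media each scheme consumes, and what happens to the restored data when one backup set is lost. The file names, change calendar and the use of a "day" as the version stamp are assumptions of the illustration.

```python
"""Restore-set calculator for full, incremental and differential backup
schemes. Added illustration; the backup calendar and file-change history
below are constructed, not taken from any real system."""

# Constructed history: day -> files changed that day. Day 0 is the baseline
# full backup, so every file is "changed" on day 0.
CHANGES = {
    0: {"a", "b", "c", "d", "e"},
    1: {"a"},
    2: {"b", "c"},
    3: {"a", "d"},
    4: {"e"},
}

def state(day):
    """True state as of `day`: file -> day of its last change (its version)."""
    s = {}
    for d in range(day + 1):
        for f in CHANGES[d]:
            s[f] = d
    return s

def backup_contents(scheme, day):
    """File versions copied by the backup taken on `day` under `scheme`."""
    current = state(day)
    if day == 0 or scheme == "full":
        return current                                   # everything
    if scheme == "incremental":
        return {f: current[f] for f in CHANGES[day]}     # changed since yesterday's backup
    if scheme == "differential":
        return {f: v for f, v in current.items() if v > 0}  # changed since the full
    raise ValueError(scheme)

def restore_sets(scheme, day):
    """Backup sets (by day), in apply order, needed to restore the state as of `day`."""
    if scheme == "full":
        return [day]
    if scheme == "incremental":
        return list(range(day + 1))          # the full plus every incremental since
    if scheme == "differential":
        return [0] if day == 0 else [0, day] # the full plus only the latest differential
    raise ValueError(scheme)

def restore(scheme, day, missing=()):
    """Apply the required sets in order (later copies overwrite earlier ones).
    `missing` lists sets that are unavailable, to show the impact of a lost set."""
    restored = {}
    for d in restore_sets(scheme, day):
        if d not in missing:
            restored.update(backup_contents(scheme, d))
    return restored

def stale_files(scheme, day, missing=()):
    """Files whose restored version would not match the true state."""
    truth = state(day)
    got = restore(scheme, day, missing)
    return sorted(f for f in truth if got.get(f) != truth[f])

def media_used(scheme, day):
    """Total file copies written through `day`, a proxy for media capacity."""
    return sum(len(backup_contents(scheme, d)) for d in range(day + 1))
```

With all sets available, every scheme restores day 4 exactly. Lose the day-2 incremental set and the incremental restore silently returns stale copies of b and c; the differential restore never needed that set. The media proxy orders the schemes exactly as the table's advantages and disadvantages predict: full (25) above differential (18) above incremental (11).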
Contractual Provisions
The use of third-party recovery alternatives should be
guided by contractual provisions such as the following:
o Hardware and software configurations
o Disaster magnitude definition
o Private versus shared facility use
o Organization’s priority relative to other users
o Immediacy and duration of availability
o Security and audit considerations
Task 4.5
Evaluate database management
practices to determine the integrity and
optimization of databases.
Database Management System
Database management system (DBMS) software offers
several benefits:
o Aids in organizing, controlling and using the data
needed by application programs
o Provides the facility to create and maintain a
well-organized database
o Reduces data redundancy and access time, while
offering basic security over sensitive data
Database Controls
o Enforced definition standards
o Data backup and recovery procedures
o Access control levels
o Updates by authorized personnel only
o Controls on concurrent updating of same data
o Checks on data accuracy, completeness and consistency
o Job stream checkpoints
o Database reorganization to ensure efficiency
o Database restructuring procedures
o Use of performance reporting tools
o Minimize use of non-system tools or utilities
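Two of the controls listed above, checks on data accuracy and consistency and control over concurrent updating of the same data, can be seen working in a few lines of SQL. The following is an added example (not course material) using Python's built-in SQLite module: a CHECK constraint rejects an inconsistent value, and a version column implements optimistic locking so that the second of two clerks who both read the same row cannot overwrite the first clerk's update. The table, account data and clerk scenario are constructed for the illustration.

```python
"""Two database controls on SQLite: an integrity check via a CHECK
constraint, and a control on concurrent updating of the same row using a
version column (optimistic locking). Added illustration; table and data are
constructed."""
import sqlite3

def open_db():
    con = sqlite3.connect(":memory:")
    con.execute("""
        CREATE TABLE account (
            id      INTEGER PRIMARY KEY,
            owner   TEXT NOT NULL,
            balance INTEGER NOT NULL CHECK (balance >= 0),  -- accuracy/consistency check
            version INTEGER NOT NULL DEFAULT 0              -- bumped on every update
        )""")
    con.execute("INSERT INTO account (id, owner, balance) VALUES (1, 'alice', 100)")
    con.commit()
    return con

def read(con, acct_id):
    row = con.execute("SELECT balance, version FROM account WHERE id = ?", (acct_id,)).fetchone()
    return {"balance": row[0], "version": row[1]}

def update_balance(con, acct_id, new_balance, expected_version):
    """Write only if nobody else changed the row since it was read:
    the WHERE clause on version makes the update conditional."""
    cur = con.execute(
        "UPDATE account SET balance = ?, version = version + 1 WHERE id = ? AND version = ?",
        (new_balance, acct_id, expected_version))
    con.commit()
    return cur.rowcount == 1          # 0 rows means a stale read: the update was refused

def constraint_rejects_negative(con):
    """The CHECK constraint refuses a negative balance regardless of who submits it."""
    try:
        con.execute("UPDATE account SET balance = -5 WHERE id = 1")
        con.commit()
        return False
    except sqlite3.IntegrityError:
        con.rollback()
        return True

def lost_update_demo():
    """Two clerks read balance 100 at version 0; only the first write wins."""
    con = open_db()
    clerk_a = read(con, 1)
    clerk_b = read(con, 1)
    ok_a = update_balance(con, 1, clerk_a["balance"] - 30, clerk_a["version"])  # succeeds
    ok_b = update_balance(con, 1, clerk_b["balance"] - 50, clerk_b["version"])  # stale, refused
    final = read(con, 1)
    return ok_a, ok_b, final["balance"], final["version"]
```

Without the version check, clerk B's write would have set the balance to 50 and clerk A's withdrawal would vanish, a classic lost update; with it, B's application sees `False` and must re-read the row before retrying.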
Task 4.6
Evaluate data quality and life cycle
management to determine whether they
continue to meet strategic objectives.
Data Life Cycle
Adapted from: ISACA, COBIT 5: Enabling Information, USA, 2013, figure 23
Plan -> Design -> Build/Acquire -> Use/Operate -> Monitor -> Dispose
Data Quality Criteria
Data quality is key to data management, and the IS auditor
should ensure that data is of sufficient quality to allow the
organization to meet its strategic objectives.
Questions such as the following can aid in this determination:
o Are the data being captured and processed to required
standards?
o Are the configurations of the organization’s applications
and database management systems aligned with
organizational objectives?
o Are data being archived, retained or destroyed in line with
a data retention policy?
IT Asset Management (cont’d)
To achieve the objectives of asset management, assets must
be identified.
The inventory record of each information asset should
include:
o Specific identification of the asset
o Relative value to the organization
o Loss implications and recovery priority
o Location
o Security/risk classification
o Asset group, when the asset is part of a larger information
system
o Owner and designated custodian
IT Asset Management (cont’d)
IT asset management is a fundamental prerequisite to
developing a meaningful security strategy.
It is also the first step in managing software licenses and
classifying and protecting information assets.
IT asset management procedures should be employed
for both software and hardware assets.
Types of Software Licenses
Free software licensing types
• Open source
• Freeware
• Shareware
Paid software licensing types
• Per central processing unit (CPU)
• Per seat
• Concurrent users
• Utilization
• Per workstation
• Enterprise
Adapted from: ISACA, CISA Review Manual 26th Edition, figures 4.18 and 4.19
Source Code Management
Source code is the language in which a program is
written; it tells the computer what to do.
Source code may contain intellectual property that
should be protected, and access should be restricted.
The management of source code is related to change
management, release management, quality assurance
and information security management.
Source Code Management (cont’d)
Source code should be managed using a version control
system (VCS), which maintains a central repository.
This allows programmers to check program source code out
of and in to the repository. Each check-in creates a new
version.
Source Code Audit
The IS auditor must be aware of the following items
relating to source code:
o Who has access to the code
o Who can commit code, pushing it into production
o Alignment of program source code to program objects
o Alignment with change and release management
o Backup of source code, including those located offsite
and in escrow agreements
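The check-out/check-in cycle on the previous slide and the audit questions above (who has access, who can commit and push to production, alignment of source to program objects) fit in one small model. The following is an added example, not part of the course and not the behaviour of any real VCS product: a constructed repository class that restricts check-in to named committers, creates a new version on every check-in, keeps an audit trail, and stamps each "program object" with the SHA-256 digest of the source version it was built from so the auditor can verify that what is deployed matches what is in the repository. User names, file contents and the build stand-in are assumptions.

```python
"""A minimal version-controlled source repository illustrating check-out,
check-in, commit/deploy authority, an audit trail, and a digest that ties a
deployed program object to its source version. Constructed illustration,
not any real VCS product's behaviour."""
import hashlib
from dataclasses import dataclass

@dataclass
class Version:
    number: int
    author: str
    message: str
    content: str
    digest: str     # SHA-256 of the content, used to align objects to source

class Repository:
    def __init__(self, committers, deployers):
        self.committers = set(committers)   # who may check code in
        self.deployers = set(deployers)     # who may push a build into production
        self.history = []                   # every Version ever created, oldest first
        self.checked_out = {}               # user -> version number held in working copy
        self.audit_log = []                 # the trail an auditor would review

    def head(self):
        return self.history[-1].number if self.history else 0

    def check_out(self, user):
        self.checked_out[user] = self.head()
        self.audit_log.append(f"{user} checked out v{self.head()}")
        return self.head()

    def check_in(self, user, content, message):
        if user not in self.committers:
            self.audit_log.append(f"DENIED check-in attempt by {user}")
            raise PermissionError(user)
        if self.checked_out.get(user) != self.head():
            raise RuntimeError("working copy missing or stale; check out the current version first")
        number = self.head() + 1                          # check-in always creates a new version
        digest = hashlib.sha256(content.encode()).hexdigest()
        self.history.append(Version(number, user, message, content, digest))
        self.audit_log.append(f"{user} checked in v{number} sha256={digest[:12]}")
        return number

    def build(self, version_number):
        """Stand-in for a build: the program object records the source digest it came from."""
        v = self.history[version_number - 1]
        return {"object_name": f"app-v{version_number}.bin", "built_from": v.digest}

    def promote(self, user, program_object):
        if user not in self.deployers:
            self.audit_log.append(f"DENIED promotion attempt by {user}")
            raise PermissionError(user)
        self.audit_log.append(f"{user} promoted {program_object['object_name']} to production")

    def object_matches_source(self, program_object, version_number):
        """Alignment check: does the deployed object correspond to this source version?"""
        return program_object["built_from"] == self.history[version_number - 1].digest

def demo():
    repo = Repository(committers={"dev1", "dev2"}, deployers={"release_mgr"})
    repo.check_out("dev1")
    repo.check_in("dev1", "print('version 1')", "initial check-in")
    repo.check_out("dev2")
    repo.check_in("dev2", "print('version 2')", "fix")
    denied = []
    for user in ("contractor", "dev1"):   # not a committer; a committer without deploy rights
        try:
            if user == "contractor":
                repo.check_out(user)
                repo.check_in(user, "print('unreviewed')", "no review")
            else:
                repo.promote(user, repo.build(2))
        except PermissionError:
            denied.append(user)
    obj = repo.build(2)
    repo.promote("release_mgr", obj)
    return {
        "versions": len(repo.history),
        "denied": denied,
        "object_aligned_to_v2": repo.object_matches_source(obj, 2),
        "object_aligned_to_v1": repo.object_matches_source(obj, 1),
        "committers_seen": [v.author for v in repo.history],
        "denials_logged": sum(e.startswith("DENIED") for e in repo.audit_log),
    }
```

The audit trail records both successful check-ins and refused attempts, which is what answers "who has access" and "who can commit" during a review; the digest comparison answers "alignment of source to program objects" without having to read the object code.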
Task 4.7
Evaluate problem and incident management
practices to determine whether problems and
incidents are prevented, detected, analyzed,
reported and resolved in a timely manner to
support the organization’s objectives.
Problem Management
Objectives of problem management:
• Reduce the number and/or severity of incidents.
• Improve the quality of service of an IS organization.
Objectives of incident management:
• React to issues as they arise.
• Return the affected process back to normal service quickly.
• Minimize business impacts of incidents.
Problem Reporting Review
Source: ISACA, CISA Review Manual 26th Edition, figure 4.32
Interviews with IS personnel
• Have documented procedures been developed to guide the logging, analysis, resolution and escalation of problems?
• Are these actions performed in a timely manner, in accordance with management’s intent and authorization?
Procedures and documentation
• Are procedures adequate for recording, evaluating, resolving or escalating problems?
• Is IT statistics collection and analysis adequate, accurate and complete?
• Are all identified problems recorded for verification and resolution?
Logs and records
• Are the reasons for delays in application program processing valid?
• Are significant and recurring problems identified and actions taken to prevent their recurrence?
• Are there any recurring problems that are not being reported to IS management?
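The "logs and records" questions above (are recurring problems identified, are they reported to IS management, are delays valid) are answerable from the problem log itself. The following is an added example, not course material: it runs those checks over a constructed set of problem records. The record layout, categories, the two-occurrence recurrence threshold and the three-day resolution target are assumptions of the illustration.

```python
"""Problem-log review helper: identifies recurring problems, recurrences not
reported to IS management, and problems open or resolved beyond the target.
Added illustration; records, categories and thresholds are constructed."""
from collections import Counter
from datetime import date

# Constructed records: (id, category, opened, resolved or None, reported_to_mgmt)
PROBLEMS = [
    ("P1", "batch-abend",  date(2016, 3, 1), date(2016, 3, 2),  True),
    ("P2", "disk-full",    date(2016, 3, 2), date(2016, 3, 2),  False),
    ("P3", "batch-abend",  date(2016, 3, 5), date(2016, 3, 9),  False),
    ("P4", "network-drop", date(2016, 3, 6), None,              True),
    ("P5", "batch-abend",  date(2016, 3, 8), date(2016, 3, 8),  False),
    ("P6", "disk-full",    date(2016, 3, 9), date(2016, 3, 10), False),
]
AS_OF = date(2016, 3, 12)        # review date for still-open problems (constructed)
RECURRENCE_THRESHOLD = 2         # occurrences that make a category "recurring" (assumed)
RESOLUTION_TARGET_DAYS = 3       # management's resolution target (assumed)

def recurring_categories(problems, threshold=RECURRENCE_THRESHOLD):
    counts = Counter(p[1] for p in problems)
    return sorted(c for c, n in counts.items() if n >= threshold)

def unreported_recurrences(problems):
    """Recurring categories with at least one occurrence never reported to IS management."""
    recurring = set(recurring_categories(problems))
    return sorted({p[1] for p in problems if p[1] in recurring and not p[4]})

def overdue(problems, as_of, target_days=RESOLUTION_TARGET_DAYS):
    """Problems resolved late, or still open past the target as of the review date."""
    late = []
    for pid, _, opened, resolved, _ in problems:
        end = resolved or as_of
        if (end - opened).days > target_days:
            late.append(pid)
    return late
```

On the constructed records, batch abends recur three times and disk-full events twice, yet most of those occurrences were never escalated; P3 took four days to resolve and P4 has been open six days at the review date. Those are the items to take to IS management and to tie back to the problem management objective of reducing recurrence.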
The Support Function
o Determine source of computer incidents; take appropriate corrective action.
o Initiate problem reports; ensure timely incident resolution.
o Obtain detailed knowledge of network, system and applications.
o Answer inquiries regarding specific systems.
o Provide second- and third-tier support to business user and customer.
o Provide technical support for computerized telecommunications processing.
o Maintain documentation of vendor software and proprietary systems.
o Communicate with IS operations to signal abnormal incident patterns.
Source: ISACA, CISA Review Manual 26th Edition, figure 4.7
Task 4.8
Evaluate change and release
management practices to determine
whether changes made to systems and
applications are adequately controlled
and documented.
Change Management
The change management process is implemented when:
o Hardware is changed.
o Software is installed or upgraded.
o Network devices are configured.
Change control is part of the broader change management
process.
It is designed to control the movement of application changes
from the test environment through QA and into the production
environment.
Change Management (cont’d)
The change management process ensures that:
o Relevant personnel are aware of the change and its timing.
o Documentation is complete and in compliance.
o Job preparation, scheduling and operating instructions have been
established.
o System and program results have been reviewed and approved
by both project management and the end user.
o Data file and system conversions have been completed
accurately and completely.
o All aspects of jobs turned over have been tested, reviewed and
approved by control/operations personnel.
o Legal and compliance issues have been addressed.
o Risk associated with the change has been planned for, and a
rollback plan has been developed to back out the changes
should that become necessary.
Change Requests
Formalized and documented change processes
incorporate the following elements:
o Change request
o Authorization
o Testing
o Implementation
o Communication to end users
Change Requests (cont’d)
Procedures associated with these may vary according to
the type of change request, including:
o Emergency changes
o Major changes
o Minor changes
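The five elements of a formalized change process (request, authorization, testing, implementation, communication), the rollback plan required by the change management slide, and the variation by change type can be enforced by a small workflow object. The following is an added example and not course material: the per-type policy it encodes, in particular that an emergency change may be implemented on limited testing and reviewed afterwards, is this example's assumption, not a prescription from the course. Approver counts, user names and change descriptions are likewise constructed.

```python
"""A change-request workflow that enforces request, authorization, testing,
implementation and communication in order, with segregation of duties and a
mandatory rollback plan. Added illustration; the per-type POLICY is assumed."""
from dataclasses import dataclass, field

# Assumed policy per change type (not from the page)
POLICY = {
    "major":     {"min_approvers": 2, "testing_required": True},
    "minor":     {"min_approvers": 1, "testing_required": True},
    "emergency": {"min_approvers": 1, "testing_required": False},
}
STEPS = ["request", "authorization", "testing", "implementation", "communication"]

class WorkflowError(Exception):
    pass

@dataclass
class ChangeRequest:
    cr_id: str
    change_type: str
    requester: str
    description: str
    rollback_plan: str = ""
    approvers: list = field(default_factory=list)
    tested: bool = False
    implemented: bool = False
    communicated: bool = False
    log: list = field(default_factory=list)

    def _authorized(self):
        return len(self.approvers) >= POLICY[self.change_type]["min_approvers"]

    def authorize(self, approver):
        if approver == self.requester:
            raise WorkflowError("segregation of duties: requester cannot authorize own change")
        if approver in self.approvers:
            raise WorkflowError(f"{approver} already approved")
        self.approvers.append(approver)
        self.log.append(f"authorized by {approver}")

    def record_test(self, passed):
        if not self._authorized():
            raise WorkflowError("cannot test before authorization")
        self.tested = passed
        self.log.append("test passed" if passed else "test failed")

    def implement(self):
        if not self._authorized():
            raise WorkflowError("not authorized")
        if POLICY[self.change_type]["testing_required"] and not self.tested:
            raise WorkflowError("not tested")
        if not self.rollback_plan:
            raise WorkflowError("no rollback plan")   # back-out plan required before any change
        self.implemented = True
        note = "" if self.tested else " (limited testing; post-implementation review due)"
        self.log.append("implemented" + note)

    def communicate(self, audience):
        if not self.implemented:
            raise WorkflowError("nothing to communicate yet")
        self.communicated = True
        self.log.append(f"communicated to {audience}")

    def completed_steps(self):
        flags = [True, bool(self.approvers), self.tested, self.implemented, self.communicated]
        return [step for step, done in zip(STEPS, flags) if done]

def demo():
    results = {}
    cr = ChangeRequest("CR-1", "minor", "dev1", "widen batch window", rollback_plan="restore prior config")
    for attempt, action in (("self_approval", lambda: cr.authorize("dev1")),
                            ("early_implement", lambda: cr.implement())):
        try:
            action()
        except WorkflowError as e:
            results[attempt] = str(e)
    cr.authorize("it_manager")
    cr.record_test(True)
    cr.implement()
    cr.communicate("end users")
    results["minor_steps"] = cr.completed_steps()

    em = ChangeRequest("CR-2", "emergency", "oncall", "hotfix", rollback_plan="redeploy previous build")
    em.authorize("it_manager")
    em.implement()   # permitted without a test record under the assumed emergency policy
    results["emergency_last_log"] = em.log[-1]
    return results
```

The log each request carries is the evidence an auditor would sample: it shows the approver was not the requester, that testing preceded implementation for the minor change, and that the emergency change is flagged for the follow-up review that replaces the testing it skipped.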
Task 4.9
Evaluate end-user computing to
determine whether the processes are
effectively controlled and support the
organization’s objectives.
End-User Computing
End-user computing (EUC) refers to the ability of end
users to design and implement their own information
system using computer software products.
EUC allows users to quickly build and deploy
applications but brings the risk that applications may not
be independently reviewed and created using a formal
development methodology.
End-User Computing (cont’d)
The IS auditor should ensure that the policies for use of
EUC exist.
o An inventory of all such applications should be in
place.
o Those deemed critical enough should be subject to
the same controls as any other application.
Task 4.10
Evaluate IT continuity and resilience
(backups/restores, disaster recovery plan
[DRP]) to determine whether they are
controlled effectively and continue to support
the organization’s objectives.
Disaster Recovery Planning
Planning for disasters is an important part of the risk
management and BCP processes.
The purpose of this continuous planning process is to
ensure that cost-effective controls are in place to prevent
possible IT disruptions and to recover the IT capacity of
the organization in the event of a disruption.
DRP Compliance Requirements
DRP may be subject to compliance requirements depending
on:
o Geographic location
o Nature of the business
o The legal and regulatory framework
Most compliance requirements focus on ensuring continuity of
service with human safety as the most essential objective.
Organizations may engage third parties to perform
DRP-related activities on their behalf; these third parties are
also subject to compliance.
Disaster Recovery Testing
The IS auditor should ensure that all plans are regularly
tested and be aware of the testing schedule and tests to be
conducted for all critical functions.
Test documentation should be reviewed by the IS auditor to
confirm that tests are fully documented with pre-test, test and
post-test reports.
o It is also important that information security is validated to
ensure that it is not compromised during testing.
RPO and RTO Defined
Recovery point objective (RPO)
• Determined based on the acceptable data loss in case of a disruption of operations. It indicates the earliest point in time that is acceptable to recover the data.
• The RPO effectively quantifies the permissible amount of data loss in case of interruption.
Recovery time objective (RTO)
• The amount of time allowed for the recovery of a business function or resource after a disaster occurs.
Application Resiliency
The ability to protect an application against a disaster
depends on providing a way to restore it as quickly as
possible.
Clustering software is installed on every server on which
the application runs. It includes management software that
permits control and tuning of the cluster's behavior.
Data Storage Resiliency
The data protection method known as RAID, or
Redundant Array of Independent (or Inexpensive) Disks,
is the most common and basic method used to protect
data against loss at a single point of failure.
Such storage arrays provide data replication features,
ensuring that the data saved to a disk on one site
appears on the other site.
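Why a RAID array protects against the loss of one disk is easiest to see with the XOR parity used by levels such as RAID 5: the parity block is the XOR of the data blocks, so any single missing block (data or parity) is the XOR of the survivors. The following is an added example, not course material, that generalizes the slide's statement to a worked parity reconstruction; the disk contents are constructed, and a real array also stripes data and rotates the parity position across disks, which this omits.

```python
"""Single-disk fault tolerance with XOR parity (the RAID 5 idea). Added
illustration; blocks are constructed and striping/parity rotation is omitted."""

def xor_blocks(blocks):
    """XOR equal-length byte blocks together; this is the parity operation."""
    out = bytearray(len(blocks[0]))
    for blk in blocks:
        for i, byte in enumerate(blk):
            out[i] ^= byte
    return bytes(out)

def build_stripe(data_blocks):
    """One stripe: the data blocks (one per data disk) plus a parity block."""
    return list(data_blocks) + [xor_blocks(data_blocks)]

def can_rebuild(failed_indices):
    """Single parity tolerates exactly one failed disk per stripe; two is data loss."""
    return len(failed_indices) <= 1

def rebuild(stripe, failed_index):
    """Reconstruct the missing block (data or parity) by XOR-ing the survivors."""
    survivors = [blk for i, blk in enumerate(stripe) if i != failed_index]
    return xor_blocks(survivors)

def demo():
    data = [b"DISK1DAT", b"DISK2DAT", b"DISK3DAT"]   # constructed contents of three data disks
    stripe = build_stripe(data)
    lost_data_ok = rebuild(stripe, 1) == data[1]      # lose a data disk
    lost_parity_ok = rebuild(stripe, 3) == stripe[3]  # lose the parity disk
    return lost_data_ok, lost_parity_ok, can_rebuild([0, 2])
```

The third value in the result is the caveat the slide's "single point of failure" wording carries: a second concurrent failure, or an unrecoverable read error during a rebuild, exceeds what single parity can recover, which is why the replication to another site mentioned on the slide and tested backups still matter.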
Telecommunications Resiliency
The DRP should also cover the organization's
telecommunication networks.
These are susceptible to the same interruptions as data
centers and several other issues, for example:
o Central switching office disasters
o Cable cuts
o Security breaches
To provide for the maintenance of critical business processes,
telecommunications capabilities must be identified for various
thresholds of outage.
Offsite Library Controls
o Secure physical access to library contents, accessible only to authorized persons
o Encryption of backup media, especially during transit
o Ensuring that the physical construction can withstand heat, fire and water
o Location of the library away from the data center and disasters that may strike both together
o Maintenance of an inventory of all storage media and files for specified retention periods
o Maintenance of library records for specified retention periods
o Maintenance and protection of a catalog of information regarding data files
Discussion Question
During an IS audit of the disaster recovery plan (DRP) of a global enterprise, the IS auditor observes that some remote offices have very limited local IT resources. Which of the following observations would be the MOST critical for the IS auditor?
A. A test has not been made to ensure that local resources could maintain security and service standards when recovering from a disaster or incident.
B. The corporate business continuity plan (BCP) does not accurately document the systems that exist at remote offices.
C. Corporate security measures have not been incorporated into the test plan.
D. A test has not been made to ensure that tape backups from the remote offices are usable.
Discussion Question
Which of the following is the BEST indicator of the
effectiveness of backup and restore procedures while
restoring data after a disaster?
A. Members of the recovery team were available.
B. Recovery time objectives (RTOs) were met.
C. Inventory of backup tapes was properly maintained.
D. Backup tapes were completely restored at an
alternate site.
Domain 4 Summary
Evaluate IT service management framework and
practices.
Evaluate IT operations (e.g., job scheduling,
configuration management, capacity and performance
management).
Evaluate IT maintenance (patches, upgrades).
Evaluate database management practices.
Domain 4 Summary (cont’d)
Evaluate data quality and life cycle management.
Evaluate problem and incident management practices.
Evaluate change and release management practices.
Evaluate end-user computing.
Evaluate IT continuity and resilience (backups/restores,
disaster recovery plan [DRP]).
Discussion Question
Which of the following is the MOST efficient way to test the
design effectiveness of a change control process?
A. Test a sample population of change requests
B. Test a sample of authorized changes
C. Interview personnel in charge of the change control
process
D. Perform an end-to-end walk-through of the process
Discussion Question
Which of the following is the GREATEST risk of an
organization using reciprocal agreements for disaster
recovery between two business units?
A. The documents contain legal deficiencies.
B. Both entities are vulnerable to the same incident.
C. IT systems are not identical.
D. One party has more frequent disruptions than the
other.
Discussion Question
During an audit of a small enterprise, the IS auditor noted that
the IS director has superuser-privilege access that allows the
director to process requests for changes to the application
access roles (access types). Which of the following should the IS
auditor recommend?
A. Implement a properly documented process for
application role change requests.
B. Hire additional staff to provide a segregation of duties
(SoD) for application role changes.
C. Implement an automated process for changing
application roles.
D. Document the current procedure in detail, and make it
available on the enterprise intranet.