Wednesday, January 16, 2008

CISA Sample Questions (Part 2)

6. Which of the following is a dynamic analysis tool for the purpose of testing software modules?

A. Black box test
B. Desk checking
C. Structured walk-through
D. Design and code

Answer: A

7. Online banking transactions are being posted to the database when processing suddenly comes to a halt. The integrity of the transaction processing is BEST ensured by:

A. database integrity checks.
B. validation checks.
C. input controls.
D. database commits and rollbacks.

Answer: D

8. A retail company recently installed data warehousing client software at geographically diverse sites. Due to time zone differences between the sites, updates to the warehouse are not synchronized. Which of the following will be affected the MOST?

A. Data availability
B. Data completeness
C. Data redundancy
D. Data inaccuracy

Answer: B

9. An IS auditor reviewing database controls discovered that changes to the database during normal working hours were handled through a standard set of procedures. However, changes made after normal hours required only an abbreviated number of steps.
In this situation, which of the following would be considered an adequate set of compensating controls?

A. Allow changes to be made only with the DBA user account.
B. Make changes to the database after granting access to a normal user account.
C. Use the DBA user account to make changes, log the changes and review the change log the following day.
D. Use the normal user account to make changes, log the changes and review the change log the following day.

Answer: C

10. Which of the following represents the GREATEST potential risk in an EDI environment?

A. Transaction authorization
B. Loss or duplication of EDI transmissions
C. Transmission delay
D. Deletion or manipulation of transactions prior to or after establishment of application controls

Answer: A

Monday, December 17, 2007

CISA Sample Questions (Part 1)

1. As updates to an online order entry system are processed, the updates are recorded on a transaction tape and a hard copy transaction log. At the end of the day, the order entry files are backed up on tape. During the backup procedure, a drive malfunctions and the order entry files are lost. Which of the following are necessary to restore these files?

A) The previous day's backup file and the current transaction tape
B) The previous day's transaction file and the current transaction tape
C) The current transaction tape and the current hard copy transaction log
D) The current hard copy transaction log and the previous day's transaction file

Answer: A

2. While designing the business continuity plan (BCP) for an airline reservation system, the MOST appropriate method of data transfer/backup at an offsite location would be:

A) shadow file processing.
B) electronic vaulting.
C) hard-disk mirroring.
D) hot-site provisioning.

Answer: A

3. Which of the following types of testing would determine whether a new or modified system can operate in its target environment without adversely impacting other existing systems?

A) Parallel testing
B) Pilot testing
C) Interface/integration testing
D) Sociability testing

Answer: D

4. Which of the following risks could result from inadequate software baselining?

A) Scope creep
B) Sign-off delays
C) Software integrity violations
D) Inadequate controls

Answer: A

5. A programmer, using firecall IDs as provided in the manufacturer's manual, gained access to the production environment and made an unauthorized change. Which of the following could have prevented this from happening?

A) Deactivation
B) Monitoring
C) Authorization
D) Resetting

Answer: D

Sunday, December 9, 2007

CISA Exam Tips

- Study the CISA review manual (CRM) religiously. Yup, I used only the CRM as my learning material.

- Use the sample exam questions from the CISA CDs. Get your hands on previous year’s CDs too, if possible. Use the mock-up exam generator provided with the CDs.

- When studying from the CRM and using the sample questions on the CD, make notes of things you think are important, or of things where you get confused, each with a small example.

- Use these notes for revision on the day of the exam; if you look at the book on exam day, you will want to look at everything and won't have the time.

- Try to study with a friend; the discussions help, as you get to know more examples.

- Try to answer the questions yourself first, then learn the answers. Do not memorize the answers, but try to understand the reasoning behind them.

- Even if you answered a question correctly, study the answers anyway. This way, you get a feel for how the questions on the CISA exam should be answered.

- Experience in audit is an advantage. IT audit is just like any other audit, but with a different scope.

- All the processes behind an IT audit are the same as in other audits: business process understanding, audit scope definition, audit planning, the audit itself, and reporting. Knowledge of these processes will get you off to a running start.

- Experience in IT is an even greater advantage.

- Arrive early at the exam location. Nothing will wreak havoc on your mental state like arriving late on D-day. Allow some time to locate your classroom (my exam location was a school) and your seat number.

- Skip the preparation courses. The only way they helped me was in the form of mock-up exam sessions. I also think that these courses will do you some good if you don't have any experience in auditing.

- Have a hearty breakfast first. The test takes four hours, you know (mine lasted from 9 AM to 1 PM), so you'd better prepare yourself for a good fight.

- Have your photo ID card ready. The proctors will really compare you with the photograph. I have a friend who was questioned by his proctor because he had changed his hairstyle by the time he took his exam.

- That’s it. Best of luck to you guys taking the exam!

Thursday, December 6, 2007

Is doing CISA worth it?

As you may know, CISA is not a course of study or training; it is a certification of your competency in computer systems audits. It does not offer you any additional knowledge or experience, but merely confirms that you have such knowledge and experience. You need to have the knowledge and experience to get the certification, not the other way around: CISA is not intended to grant a certificate to practice, but to certify that you are proficient in the practice. The lack of such certification does not signify that you lack the competency to which CISA attests. So, is it worth it? Perhaps. You must keep in mind, however, that the employer in the private sector, whether in India or elsewhere, is more interested in your talents and skills than in the various certifications you have collected over the years. While degrees and certifications are important to the employer for entry-level jobs, that is not the case beyond that. Your employment record and performance can demonstrate your competency in computer systems audit without the CISA designation. Even the body conducting the CISA acknowledges that "the certification may not be mandatory for you at this time, but ..." In fact, they do not list a single job in a single country for which the CISA is required.

Some disciplines (such as medicine, audit, construction, plumbing, etc.) require formal credentials, but the vast majority of jobs do not. For example, Professional Engineering (PE) certification in the US is required for signing official documents. However, the vast majority of engineers in the US do not have a PE, precisely because it merely certifies your credentials and does not offer you any additional knowledge or skills, and most employers do not care. Employers care about a certification only when some bureaucratic requirement forces them to care. They are most interested in what you can do for them, not in your certifications.

Your ability to move abroad (to the US or UK) for employment is independent of the CISA designation. If your skills are in demand and the domestic market cannot provide the talent, employers have the ability to bring in a limited number of highly skilled workers from abroad. So you need a job offer, on which the CISA designation is likely to have zero impact; your job prospects do not depend on CISA.

Chartered Accountant (CA) certification is not recognized outside of India, as you have correctly noted. While basic accounting principles are the same, local practices vary dramatically. The Certified Public Accountant (CPA) certification in the US is similar to that of CA in India. Should you end up in the US and wish to leverage your CA education, you would have to take the CPA exam.

Basics About CISA

This blog is for people who want to sit for the Certified Information Systems Auditor (CISA) exam, or for those who don't yet know whether they really want to take this exam.

Anyone can sit for this exam; there is no restriction on that. However, clearing the written exam is only part of it. After clearing the exam, your score is valid for 5 years. You get 5 years to show relevant experience in the field of audit. Also, by providing training or attending local chapter seminars you can collect points, which you will need later.

Once you have cleared the written exam and collected the required number of points and the required experience, you can apply for certification. Only after that do you get the certificate stating that you are a systems auditor.

The exam takes place twice a year, on the second Saturday of June and December. You can register for it on the official website.

The exam covers the following domains:

1) IS Audit Process
2) IT Governance
3) Systems And Infrastructure Management
4) IT Service Delivery And Support
5) Protection Of Information Assets
6) Business Continuity And Disaster Recovery

You can get in touch with me for any kind of further queries at