This Cram Sheet contains distilled information in key areas of knowledge pertinent to the CISA exam.

Review this information as the last thing you do before you enter the testing center, paying special
attention to those areas in which you feel that you need the most review.
IS Audit Process
The traditional role of an IS auditor in a control self-assessment (CSA) should be that of a facilitator.
Using a statistical sample to inventory the tape library is an example of a substantive test.
Audit responsibility enhancement is an objective of a control self-assessment (CSA) program.
If proper identification and authentication are not performed during access control, no accountability
can exist for any action performed.
IS auditors are most likely to perform compliance tests of internal controls if, after their initial
evaluation of the controls, they conclude that control risks are within the acceptable limits. Think of it
this way: If any reliance is placed on internal controls, that reliance must be validated through
compliance testing. High control risk results in little reliance on internal controls, which results in
additional substantive testing.
In planning an audit, the most critical step is identifying the areas of high risk.
Prior audit reports are considered of lesser value to an IS auditor attempting to gain an understanding
of an organizations IT process than evidence directly collected.
When evaluating the collective effect of preventative, detective, or corrective controls within a process,
an IS auditor should be aware of the point at which controls are exercised as data flows through the
system.
The primary purpose of audit trails is to establish accountability and responsibility for processed
transactions.
When implementing continuous monitoring systems, an IS auditors first step is to identify high-risk
areas within the organization.
Auditing resources are allocated to the areas of highest concern, as a benefit of a risk-based approach
to audit planning.
Inherent risk is associated with authorized program exits (trap doors).
After an IS auditor has identified threats and potential impacts, the auditor should identify and evaluate
the existing controls.
Generalized audit software can be used to search for address field duplications.
The use of statistical sampling procedures helps minimize detection risk.
Lack of reporting of a successful attack on the network is a great concern to an IS auditor.

Detection risk results when an IS auditor uses an inadequate test procedure and concludes that
material errors do not exist when errors actually exist.
An integrated test facility is considered a useful audit tool because it compares processing output with
independently calculated data.
Management, Planning, and Organization of IS
A bottom-up approach to the development of organizational policies is often driven by risk
assessment.
An IS auditors primary responsibility is to advise senior management of the risk involved in not
implementing proper segregation of duties, such as having the security administrator perform an
operations function.
Data and systems owners are accountable for maintaining appropriate security measures over
information assets.
Business unit management is responsible for implementing cost-effective controls in an automated
system.
Proper segregation of duties prohibits a system analyst from performing quality-assurance functions.
The primary reason an IS auditor reviews an organization chart is to better understand the
responsibilities and authority of individuals.
If an IS auditor observes that project-approval procedures do not exist, the IS auditor should
recommend to management that formal approval procedures be adopted and documented.
Ensuring that security and control policies support business and IT objectives is a primary objective of
an IT security policies audit.
The board of directors is ultimately accountable for developing an IS security policy.
When auditing third-party service providers, an auditor should be concerned with ownership of
programs and files, a statement of due care and confidentiality, and the capability for continued service
of the service provider in the event of a disaster.
Proper segregation of duties normally prohibits a LAN administrator from also having programming
responsibilities.
When performing an IS strategy audit, an IS auditor should review both short-term (one-year) and longterm (three- to five-year) IS strategies, interview appropriate corporate management personnel, and
ensure that the external environment has been considered. The auditor should not focus on
procedures in an audit of IS strategy.
Above all else, an IS strategy must support the business objectives of the organization.
IS assessment methods enable IS management to determine whether the activities of the organization
differ from the planned or expected levels.

Batch control reconciliations is a compensatory control for mitigating risk of inadequate segregation of
duties.
An audit clients business plan should be reviewed before an organizations IT strategic plan is
reviewed.
Key verification is one of the best controls for ensuring that data is entered correctly.
Allowing application programmers to directly patch or change code in production programs increases
risk of fraud.
Technical Infrastructure and Operational Practices
A mesh network topology provides a point-to-point link between every network host. If each host is
configured to route and forward communication, this topology provides the greatest redundancy of
routes and the greatest network fault tolerance.
Layering perimeter network protection by configuring the firewall as a screened host in a screened
subnet behind the bastion host provides a higher level of protection from external attack than a firewall
alone.
An IS auditor usually places more reliance on evidence directly collected, such as through personal
observation.
The directory system of a database-management system describes the location of data and the access
method.
The transport layer of the TCP/IP protocol suite provides for connection-oriented protocols, to ensure
reliable communication.
Improper file access becomes a greater risk when implementing a database system.
Electronic data interface (EDI) supports intervendor communication while decreasing the time
necessary for review because it is usually configured to readily identify errors requiring follow-up.
To properly protect against unauthorized disclosure of sensitive data, hard disks should be
demagnetized prior to disposal or release.
An IS auditor can expect to find system errors to be detailed in the console log.
When reviewing print systems spooling, an IS auditor is most concerned with the potential for
unauthorized printing of report copies.
Atomicity enforces data integrity by ensuring that a transaction is either completed in its entirety or not
at all. Atomicity is part of the ACID test reference for transaction processing.
Functioning as a protocol-conversion gateway for wireless WTLS to Internet SSL, the WAP gateway is a
component that warrants critical concern and review for the IS auditor when auditing and testing
controls that enforce message confidentiality. During protocol conversion, WTLS is decrypted and then
re-encrypted with SSL. Therefore, the traffic is in plain text for a brief moment at the WAP gateway.

When trying to determine the existence of unauthorized access to data by a user or program, the IS
auditor often reviews the system logs.
Proper segregation of duties prevents a computer operator (user) from performing security
administration duties.
A graphical map of the network topology is essential for the IS auditor to obtain a clear understanding
of network management.
Modems (modulation/demodulation) convert analog transmissions to digital, and digital transmissions
to analog, and are required for analog transmissions to enter a digital network.
If users have direct access to a database at the system level, risk of unauthorized and untraceable
changes to the database increases.
Neural networks are effective in detecting fraud because they have the capability to consider a large
number of variables when trying to resolve a problem.
Protection of Information Assets
A long asymmetric encryption key (public-key encryption) increases encryption overhead and cost.
Creating user accounts that automatically expire by a predetermined date is an effective control for
granting temporary access to vendors and external support personnel.
Worms are malicious programs that can run independently and can propagate without the aid of a
carrier program such as email.
Outbound traffic filtering can help prevent an organizations systems from participating in a distributed
denial-of-service (DDoS) attack.
Identifying network applications such as mail, web, or FTP servers to be externally accessed is an
initial step in creating a proper firewall policy.
Improperly configured routers and router access lists are a common vulnerability for denial-of-service
attacks.
With public-key encryption, or asymmetric encryption, data is encrypted by the sender using the
recipients public key, and the data is then decrypted using the recipients private key.
Trojan horse programs are a common form of Internet attack.
The SSL protocol provides confidentiality through symmetric encryption such as Data Encryption
Standard, or DES.
Network performance-monitoring tools are used to measure and ensure proper network capacity
management and availability of services.
Information systems security policies are used as the framework for developing logical access
controls.

Intrusion-detection systems (IDS) are used to gather evidence of network attacks.

Time stamps are an effective control for detecting duplicate transactions such as payments made or
received.
Traffic analysis is a passive attack method used by intruders to determine potential network
vulnerabilities.
File encryption is a good control for protecting confidential data that resides on a PC.
Although many methods of fire suppression exist, dry-pipe sprinklers are considered to be the most
environmentally friendly.
Logical access controls should be reviewed to ensure that access is granted on a least privilege basis
per the organizations data owners.
A callback system is a remote access control in which the user initially connects to the network
systems via dial-up access, only to have the initial connection terminated by the server, which then
subsequently dials back the user at a predetermined number stored in the servers configuration
database.
Disaster Recovery and Business Continuity
End-user involvement is critical during the business impact assessment phase of business continuity
planning.
Redundancy provides both integrity and availability. Organizations should use offsite storage facilities
to maintain redundancy of current and critical information within backup files.
Of the three major types of BCP tests (paper, walk-through, and preparedness), only the preparedness
test uses actual resources to simulate a system crash and validate the plans effectiveness.
The primary purpose of business continuity planning and disaster-recovery planning is to mitigate, or
reduce, the risk and impact of a business interruption or disaster. Total elimination of risk is
impossible.
Disaster recovery for systems typically focuses on making alternative processes and resources
available for transaction processing.
If a database is restored from information backed up before the last system image, the system should
be restarted before the last transaction because the final transaction must be reprocessed.
Of the three major types of BCP tests (paper, walk-through, and preparedness), a walk-through test
requires only that representatives from each operational meet to review the plan.
An offsite processing facility should not be easily identifiable externally because easy identification
would create an additional vulnerability for sabotage.
Criticality of assets is often influenced by the business criticality of the data to be protected and by the
scope of the impact upon the organization as a whole. For example, the loss of a network backbone
creates a much greater impact on the organization as a whole than the loss of data on a typical users

workstation.
Although the primary business objective of BCP and DRP is to mitigate the risk and impact of a
business interruption, the dominating objective remains the protection of human life.
Of the three major types of offsite processing facilities (hot, warm, and cold), a cold site is
characterized by at least providing for electricity and HVAC. A warm site improves upon this by
providing for redundant equipment and software that can be made operational within a short time.
Minimizing single points of failure or vulnerabilities of a common disaster are mitigated by
geographically dispersing resources.
With the objective of mitigating the risk and impact of a major business interruption, a disasterrecovery plan should endeavor to reduce the length of recovery time necessary and the costs
associated with recovery.
Although DRP results in an increase of pre- and post-incident operational costs, the extra costs are
more than offset by reduced recovery and business impact costs.
Mitigating the risk and impact of a disaster or business interruption usually takes priority over
transferring risk to a third party such as an insurer.
A cold site is often an acceptable solution for preparing for recovery of noncritical systems and data.
Offsite data storage should be kept synchronized when preparing for recovery of time-sensitive data
such as that resulting from transaction processing.
Any changes in systems assets, such as replacement of hardware, should be immediately recorded
within the assets inventory of a business continuity plan.
Shadow file processing can be implemented as a recovery mechanism for extremely time-sensitive
transaction processing.
Business Application System Development, Acquisition, Implementation, and Maintenance
Obtaining user approval of program changes is very effective for controlling application changes and
maintenance.
A clause for requiring source code escrow in an application vendor agreement is important to ensure
that the source code remains available even if the application vendor goes out of business.
Library control software restricts source code to read-only access.
Decision trees use questionnaires to lead the user through a series of choices to reach a conclusion.
Regression testing is used in program development and change management to determine whether
new changes have introduced any errors in the remaining unchanged code.
Source code escrow protects an application purchasers ability to fix or change an application in case
the application vendor goes out of business.

Determining time and resource requirements for an application-development project is often the most
difficult part of initial efforts in application development.
The project sponsor is ultimately responsible for providing requirement specifications to the softwaredevelopment team.
A primary high-level goal for an auditor who is reviewing a system-development project is to ensure
that business objectives are achieved. This objective guides all other systems-development objectives.
Regression testing should use data from previous tests to obtain accurate conclusions regarding the
effects of changes or corrections to a program, and ensure that those changes and corrections have
not introduced new errors.
Whenever an application is modified, the entire program, including any interface systems with other
applications or systems, should be tested to determine the full impact of the change.
An IS auditor should carefully review the functional requirements in a systems-development project to
ensure that the project is designed to meet business objectives.
The quality of the metadata produced from a data warehouse is the most important consideration in the
warehouses design.
Procedures to prevent scope creep are baseline in the Design Phase of the Systems Development Life
Cycle (SDLC) model.
Function point analysis (FPA) provides an estimate of the size of an information system based on the
number and complexity of a systems inputs, outputs, and files.
Application controls should be considered as early as possible in the systems-development process,
even in the development of the projects functional specifications.
User management assumes ownership of a systems-development project and the resulting system.
Rapid Application Development (RAD) is used to develop strategically important systems faster, reduce
development costs, and still maintain high quality.
Business Process Evaluation and Risk Management
Run-to-run totals can verify data through various stages of application processing.
Input/output controls should be implemented for both the sending and the receiving application in an
integrated systems environment.
The board of directors and executive officers are ultimately accountable for the functionality, reliability,
and security within IT governance.
An authentication technique for sending and receiving data between EDI systems is crucial to prevent
unauthorized transactions.
Data-mining techniques can be used to help identify and investigate unauthorized transactions.

After identifying potential security vulnerabilities, the IS auditor should perform a business impact
analysis of the threats that would exploit the vulnerabilities.
Network environments often add to the complexity of program-to-program communication, making
application systems implementation and maintenance more difficult.