
 



Powered by Prime Academy  
In pursuit of excellence    

    Date: 25th July 2008

Compiled by Mr. M. Sathya Kumar  

 

 

Be A Systems Auditor

System auditors help define, document, communicate, implement and audit information systems security.

Information technology has become all-pervasive in today's corporate world. Information and the supporting processes, the computer systems and the networks used for generating, storing and retrieving information, as well as the human beings involved in it, are the important business assets of every organisation. The confidentiality, integrity and availability of information are essential for any company to maintain its competitive edge, cash flow, profitability, legal compliance and corporate image.

As IT spending is a major item of expenditure for business organisations, it is only natural for them to ensure that their information systems are implemented and running effectively and efficiently. Also, each organisation has to put in place adequate security controls to ensure that data is accessible to all authorised users and inaccessible to all unauthorised users, maintain data integrity and implement safeguards against all security threats to information systems.

Considering the above aspects, it is necessary for each organisation to define, document, communicate, implement and audit information systems (IS) security with the help of professionally competent IS auditors. Faced with complex and correspondingly ingenious cyber threats, organisations are looking for professionals with proven experience and knowledge to identify, evaluate and recommend solutions to mitigate system threats and vulnerabilities.

The need to link sound corporate governance with effective internal control has never been greater. As a result, the vital role IT plays in internal control is increasingly visible, and its importance to the financial reporting process is recognised. The U.S. Sarbanes-Oxley Act ushered in a new era of corporate governance and accountability. Similar legislation has been, or is being, enacted worldwide to require companies to establish and maintain an adequate internal control structure. Such legislation also requires companies to assess the effectiveness of their internal controls on an annual basis. As the management and control of IT transcends geography, certifications that are internationally recognised are critical to ensure a consistent approach, background and skill set for a systems auditor.

The Certified Information Systems Auditor (CISA) programme conducted by Information Systems Audit and Control Association (ISACA), U.S., is aimed at meeting the above requirement. The programme is designed to assess and certify individuals in the Information Systems audit, control and security professions who demonstrate exceptional skill and judgement.

The CISA designation was established in 1978 with the first examination being conducted in 1981. Since its inception, more than 55000 IS auditors, accountants, security practitioners and other leaders in IT governance and assurance from around the world have earned the CISA designation. The growth of interest in the CISA examination demonstrates the certification's increasing global recognition. CISAs have the proven ability to perform reviews in accordance with globally accepted standards and guidelines to ensure that the organisation's information technology and business systems are adequately controlled, monitored and assessed.

The CISA programme requires certified individuals to:

·  Acquire professional experience

·  Pass a rigorous examination

·  Constantly upgrade skills and knowledge through mandatory continuing professional education

Prospects

With increased Government and public scrutiny on those who audit information technology and are responsible for information systems integrity, security and governance, the CISA certification has become an increasingly important tool. Successfully completing the CISA examination is one step toward earning the CISA designation. Candidates also must adhere to ISACA's Code of Professional Ethics; submit evidence of a minimum of five years of professional IS auditing, control or security work experience; and abide by a programme of continuing education. In India, the CISA designation is recognised as one of the most respectable qualifications in the banking information technology field. The Reserve Bank of India and many major commercial banks have recognised the CISA qualification for auditing information systems. It is also one of the most desirable qualifications used when organisations are recruiting for higher-level positions, such as those of information security officers and chief information officers.

Content

The CISA examination is conducted twice a year in selected centres across the world. The four-hour examination consists of 200 objective-type questions, which test the candidate's depth in the following areas:

The Information Systems (IS) Audit Process (10%)

Conduct IS audits in accordance with generally accepted IS audit standards and guidelines to ensure that the organisation's information technology and business systems are adequately controlled, monitored, and assessed.

Management, Planning and Organisation of IS (11%)

Evaluate the strategy, policies, standards, procedures and related practices for the management, planning, and organisation of IS.

Technical Infrastructure and Operational Practices (13%)

Evaluate the effectiveness and efficiency of the organisation's implementation and ongoing management of technical and operational infrastructure to ensure that they adequately support the organization's business objectives.

Protection of Information Assets (25%)

Evaluate the logical, environmental, and IT infrastructure security to ensure that it satisfies the organization's business requirements for safeguarding information assets against unauthorized use, disclosure, modification, damage or loss.

Disaster Recovery and Business Continuity (10%)

Evaluate the process for developing and maintaining documented, communicated and tested plans for continuity of business operations and IS processing in the event of a disruption.

Business Application System Development, Acquisition, Implementation and Maintenance (16%)

Evaluate the methodology and processes by which the business application system development, acquisition, implementation and maintenance are undertaken to ensure that they meet the organisation's business objectives.

Business Process Evaluation and Risk Management (15%)

Evaluate business systems and processes to ensure that risks are managed in accordance with the organization's business objectives.

(Note: The percentages indicate the emphasis or per cent of questions that will appear from each area.)

Source: Edited excerpts from the FAQ on CISA

 

 

 

 

 

 

 


 
