CITP Examination Content Specification Outline

Transcription

1 CITP Examination Content Specification Outline

2 2016 American Institute of CPAs. All rights reserved. DISCLAIMER: The contents of this publication do not necessarily reflect the position or opinion of the American Institute of CPAs, its divisions and its committees. This publication is designed to provide accurate and authoritative information on the subject covered. It is distributed with the understanding that the authors are not engaged in rendering legal, accounting or other professional services. If legal advice or other expert assistance is required, the services of a competent professional should be sought. For more information about the procedure for requesting permission to make copies of any part of this work, please copyright@aicpa.org with your request. Otherwise, requests should be written and mailed to the Permissions Department, AICPA, 220 Leigh Farm Road, Durham, NC

3 TABLE OF CONTENTS The Pathway to the CITP Credential...2 High-Level Content Specification Outline...2 Module 1 Information Management...2 Module 2 Information Technology Risk & Advisory...3 Detailed Content Specification Outline...5 AICPA CITP Examination Content Specification Outline 1

4 THE PATHWAY TO THE CITP CREDENTIAL The content of the Certified Information Technology Professional (CITP ) Examination was developed to test a candidate s understanding of the fundamental sections of the CITP body of knowledge. The content of each of the topical sections is described in outline form and provides an overview of the knowledge and skills tested on the CITP Examination. The examination questions are intended to test each content area and its logical extensions. The percentage range following each major content area in the outline represents the approximate weighting for that content area. The examination is fully computerized and consists of multiple-choice questions only. High-Level Content Specification Outline Module 1 Information Management A. Information Management (20 25%) 1. Data management 2. Information lifecycle management 3. System development/capital acquisition and improvement 4. Application integration 5. Business performance, management 6. Solution administration, monitoring and governance B. Information Governance (25 30%) 1. Policies, procedures and standards 2. Access 3. Software and other process controls 4. Security authorization and authentication 5. Encryption 6. Business continuity and disaster recovery 7. Regulatory compliance (privacy and cybersecurity) C. Accounting Operations Technology Services (5 10%) 1. Solution implementation and delivery 2. Business process design and engineering 2 AICPA CITP Examination Content Specification Outline

5 Module 2 Information Technology Risk & Advisory A. Information Technology Risk & Advisory Services (10 15%) 1. IT considerations to the financial statement audit 2. Considerations for businesses using vendors 3. IT reviews and consulting engagements 4. Internal audit B. Engagement Compliance (5 10%) 1. Techniques and procedures 2. Planning 3. Risk 4. Scope 5. Evidence-gathering 6. Sampling 7. Fraud considerations 8. Reporting C. IT Controls & Assessment (15 20%) 1. IT controls 2. Assessment of IT controls AICPA CITP Examination Content Specification Outline 3

6 4 AICPA CITP Examination Content Specification Outline

7 DETAILED CONTENT SPECIFICATION OUTLINE MODULE 1 INFORMATION MANAGEMENT This module covers knowledge pertaining to Information Management, Information Governance and Accounting Operations Technology Services. Information Management ensures that information is managed such that it provides value in decision-making and serves other managerial needs. The foundation of effective information management is a thorough understanding of the structures and processes associated with managing information from creation or capture through disposition or destruction and the ability to apply data analysis and reporting concepts to analyze enterprise performance. Information Governance centers around the policies, procedures and standards in place to ensure the confidentiality, integrity and availability of information. Accounting Operations Technology Services focus on the use of IT to create or modify works flows and business processes that have the potential to make more effective use of resources. Topic/Content Referenced Readings A. Information Management (20 25%) 1. Data Management a. Types of infrastructure/platforms typically employed b. Data prep/manipulation c. Data analysis: Functions, tools and approaches 1) Business intelligence and analytics d. Information traceability 1) Source traceability 2) Transformation traceability e. Information quality 2. Information Lifecycle Management a. Identify b. Capture c. Manage d. Utilize e. Archive f. Retention policy g. Destruction 3. System Development/Capital Acquisition and Improvement a. Policy and procedure b. Planning/budget c. Test phase d. Implementation e. System development risk f. Customization risks g. Reduction of risk through commercial software AICPA. An overview of Data Management AICPA. Why Predictive Analytics should be a CPA Thing AICPA. How CPAs Can Drive Business Intelligence. AICPA. Information for Advantage and Knowledge Management AICPA. Strategic Business Management: From Planning to Performance AICPA Clarified Statement of Auditing Standards. AU-C 500 Audit Evidence. Krishnan, Krish. Data Warehousing in the Age of Big Data Morgan Kaufmann. Chapter 12. AICPA. A Practice Aid for Records Retention AICPA. A Job Aid to the Solution Selection Process Sherman, Richard. Business Intelligence Guidebook. Morgan Kaufmann Chapter 7 Technology and Product Architectures. AICPA CITP Examination Content Specification Outline 5

8 Topic/Content Referenced Readings A. Information Management (20 25%) (continued) 4. Application Integration a. Application integration framework b. Conceptualizing application integration for information management c. Financial systems/other systems/electronic medical record (EMR) d. Outside vendor management 5. Business Performance Management a. Budget and profitability management b. Performance metrics and reporting 6. Solution Administration, Monitoring, and Governance a. Continuous monitoring b. Business activity monitoring c. Business solution governance Misra, Harekrishna; Rahman, Hakikur. Managing Enterprise Information Technology Acquisitions. IGI Global Chapter 5 Conceptualization of IT Acquisition Life Cycle Management Model. AICPA. Find Out Why You Need Corporate Performance Management Software and Make Better Business Decisions AICPA. Is Your Company Trying to Eliminate All Vulnerabilities? AICPA. Build a Performance Management Plan That Works B. Information Governance (25 30%) 1. Policies, Procedures and Standards 2. Access a. Logical access 1) Data (transaction) level 2) Application and financial system level i. Evaluate and test application controls ii. Evaluate and test segregation of duties iii. Evaluate and test spreadsheet controls 3) Operating system level 4) Network level i. Firewalls ii. Network access controls b. Hardware and physical access 1) Access to server room, building facilities and sensitive hardcopy records 3. Software and Other Process Controls 4. Security Authorization and Authentication 5. Encryption Lanz, Joel. Communicating Cybersecurity Risks to the Audit Committee. The CPA Journal. May 2016 Issue. Merkow, Mark; Breithaupt, Jim. Information Security: Principles and Practices, Second Edition. Pearson Certification Chapter 2 Information Security Principles of Success; Chapter 4 Governance and Risk Management; Chapter 6 Business Continuity Planning and Disaster Recovery Planning; Chapter 8 Physical Security Control Understanding the Physical Security Domain. Turner, Leslie; Weickgenannt, Andrea. Accounting Information Systems: The Processes and Controls, 2nd Edition. John Wiley and Sons Module 2, Chapter 4 Internal Control and Risks in IT Systems; Module 2, Chapter 7 Auditing Information Technology-Based Processes; Module 4, Chapter 14 E-Commerce and E-Business. 6 AICPA CITP Examination Content Specification Outline

9 Topic/Content Referenced Readings B. Information Governance (25 30%) (continued) 6. Business Continuity and Disaster Recovery a. Business continuity planning (BCP) b. Disaster recovery (DRP) c. Contingency planning 1) Incident response 2) Data backup d. Testing 7. Regulatory Compliance (Privacy and Cybersecurity) AICPA. 5 steps CPAs can take to fight hackers. Journal of Accountancy. April AICPA. Business Continuity: Tools and Techniques AICPA. The Top 5 Cybercrimes Compliance Audits. PCI Security Standards Council. Payment Card Industry (PCI) Data Security Standard: Requirements and Security Assessments Procedures, Version C. Accounting Operations Technology Services (5 10%) 1. Solution Implementation and Delivery 2. Business Process Design and Engineering a. Understanding of business processes that affect financial data b. Proper design and integration of internal controls into business processes AICPA. A CPA s Approach to Business Solution Implementations AICPA CITP Examination Content Specification Outline 7

10 MODULE 2 INFORMATION TECHNOLOGY RISK AND ADVISORY This module covers knowledge pertaining to Information Technology Risk and Advisory Services, Engagement Compliance, and IT Controls and Assessment. Information Technology Risk and Advisory knowledge centers around the considerations of IT risks, whether as part of a financial statement audit, service organization control report, internal IT audit, IT review, or IT consulting engagement. Engagement Compliance covers knowledge of techniques and procedures used in conjunction with assurance and advisory services. This includes components of planning, risk assessment, and evidence gathering. IT Controls and Assessment covers knowledge pertaining to IT controls, in relation to the integration of internal control frameworks with financial reporting, management considerations of internal controls, and change management procedures. Topic/Content Referenced Readings A. Information Technology Risk and Advisory Services (10 15%) 1. IT Considerations to the Financial Statement Audit 2. Considerations for Businesses using Vendors a. Service Organization Control Reports 1) SOC 1 reports 2) SOC 2 reports 3) SOC 3 reports 3. IT Reviews and Consulting Engagements a. Information compliance 1) Internal policy and procedure 4. Internal Audit a. Audit universe b. Specific audit programs c. Assessment of IT risk d. Work paper documentation e. Nature/substance of an audit report f. Board reporting 402 Audit Considerations Relating to an Entity. 935 Compliance Audits. AICPA. Trust Services Principles and Criteria AICPA. Service Organizations: Reporting on Controls at a Service Organization Relevant to User Entities Internal Control Over Financial Reporting Guide (SOC 1) AICPA. Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC 2 ) AICPA Guide Weiss, Martin; Solomon, Michael. Auditing IT Infrastructures for Compliance. Jones and Bartlett Learning Part Two, Auditing for Compliance: Frameworks, Tools, and Techniques. Gantz, Stephen. The Basics of IT Audit. Syngress Chapter 3 Internal Auditing; Chapter 6 IT Audit Components. 8 AICPA CITP Examination Content Specification Outline

11 Topic/Content Referenced Readings B. Engagement Compliance (5 10%) 1. Techniques and Procedures 2. Planning a. Research/process documentation/flowcharting b. Understanding business environment and processes 1) Complexity of business 2) Assess the level of IT sophistication, and degree of F/R reliance on IT 3) Business or accounting change, such as within business process and cycles 4) Executive management functions 3. Risk a. Risk Assessment 1) Enterprise risk assessment 2) Financial statement risk assessment 3) IT risk assessment 4) Security risk assessment (Audits) b. Risk Model 1) Inherent risk i. Entity (economy, industry and entity-specific) ii. IT control environment 2) Control risk i. Manual vs. automation; hybrid ii. Preventive, detective and corrective controls iii. Key vs. non-key controls iv. Control gaps 3) Risk of material misstatement i. Combination of inherent and control risk ii. Consider applicable account balances, classes of transactions, and disclosures iii. Tie to relevant F/S assertions iv. Consider adverse effects of the entity s IT v. Assessing RMM due to fraud 240 Consideration of Fraud in a Financial Statement Audit. 265 Communicating I/C Related Matters Identified in an Audit. 300 Planning an Audit. 315 Understanding the Entity, Its Environment, and Assessing the Risks of Material Misstatement. 450 Evaluation of Misstatements Identified During the Audit. 500 Audit Evidence. 520 Analytical Procedures. 530 Audit Sampling. AICPA CITP Examination Content Specification Outline 9

12 Topic/Content Referenced Readings B. Engagement Compliance (5 10%) (continued) 4. Scope a. Develop walkthrough plan b. Preparing an IT audit plan c. Draft risk assessment report 5. Evidence Gathering a. Strategy b. Inquiry c. Observation d. Inspection/reperformance e. Analytical procedures 6. Sampling a. Methodologies b. Size c. Technical tools and techniques (CAATs) 7. Fraud Considerations a. Digital Evidence 1) E-discovery rules and processes 2) Implications of federal and state-specific laws b. Detection and Investigation 1) Use of IT in fraud investigations 2) Data mining/analysis i. Proper digital acquisition tools and procedures ii. Determine suitable digital sources Cascarino, Richard. Auditor s Guide to IT Auditing, Second Edition. John Wiley and Sons Part 1, Chapter 3: IT Risk and Fundamental Auditing Concepts; Part 1, Chapter 6: Risk Management of the IT Function; Part 1, Chapter 7: Audit Planning Process; Part 1, Chapter 9: Audit Evidence Process. AICPA. Board and Audit Committee Involvement in Risk Management Oversight AICPA. Computer Assisted Audit Techniques or CAATS Hingarh, Venna; Ahmed, Arif. Understanding and Conducting Information Systems Auditing + Website. John Wiley and Sons Part 1: Chapter 6 Risk Based Systems Audit. 8. Reporting a. Information presentation b. Information timeliness 10 AICPA CITP Examination Content Specification Outline

13 Topic/Content Referenced Readings C. IT Controls and Assessment (15 20%) 1. IT Controls a. COSO Framework 1) Integration b. Management considerations 1) History and prior control reports 2) Management s attention to controls c. Control environment 1) IT strategic plan 2) IT policies and procedures i. Role of IT governance in the control environment ii. Role of project management in the control environment 3) IT Operations i. Consider portfolio of systems used or in place d. Change management 1) Policies and procedures i. Configuration management ii. Software management iii. Operating system and network management 2) Vulnerability management 3) Systems implications i. Accounting and financial reporting systems ii. Commercial off-the-shelf software (COTS) vs. customized software iii. Enterprise and ERP systems iv. E-Business systems and applications e. Application controls Trugman, Gary R Understanding Business Valuation: A Practical Guide to Valuing Small to Medium-Sized Businesses, 4th ed. New York: AICPA, chap. 2, 3, 6, 17, 21 22, Hitchner, James R Financial Valuation: Application and Models, 3rd ed. New Jersey: John Wiley & Sons, chap. 16 and 23. Pratt, Shannon P., Niculita, Alina V Valuing a Business: The Analysis and Appraisal of Closely Held Companies, 5th ed. New York: McGraw-Hill, chap , AICPA Consulting Services Special Report 03 1 Litigation Services and Applicable Professional Standards AICPA Consulting Services Practice Aid 96 3 Communicating in Litigation Services: Reports 2. Assessment of IT Controls a. Deficiency evaluation of IT-related controls 1) Control deficiency, significant deficiency and material weakness 2) Aggregation of deficiencies b. Materiality/impact to the entity 1) Risk of material misstatement AICPA CITP Examination Content Specification Outline 11

14 12 AICPA CITP Examination Content Specification Outline

15

16 T: F: E: W: aicpa.org/citp