Chartered Institute of Internal Auditors. IIA IT Auditing Certificate. Syllabus 2015/2017. Chartered Institute of Internal Auditors 1/18

Transcription

1 IIA IT Auditing Certificate Syllabus 2015/2017 Chartered Institute of Internal Auditors 1/18

2 Chartered Institute of Internal Auditors 2/18

3 Contents page Title of the final award 4 Certificate overview 4 Study and tuition 4 Academic level 4 Entry and completion requirements 5 Exemptions 5 Accreditation of prior learning (APL) 5 Assessment and grading 5 Exam 5 Work-related assignment 6 Grading 6 Relevant policies 6 Date from which syllabus is active 6 Date for next review 6 Aims and objectives 7 Knowledge and understanding 8 Appendix 1: Multiple choice question exam 10 Appendix 2: Work-related assignment 11 Chartered Institute of Internal Auditors 3/18

4 IIA IT Auditing Certificate Title of final award: IIA IT Auditing Certificate Certificate overview The IIA IT Auditing Certificate is an advanced accredited module aimed at qualified internal auditors who wish to develop specialist expertise in the particular threats and vulnerabilities associated with IT and information systems. The content and assessment strategy have been developed to ensure that the award provides a detailed grasp of risks associated with data input, security, integrity, resilience and IT transformation together with a deep understanding of the appropriate controls and contingencies. In doing so it builds upon the skills and knowledge of the professional internal auditor. The syllabus has been derived with reference to the demands of the profession, IIA GTAG (Global Technology Audit Guides), IIA GAIT (Guide to the Assessment of IT Risk), the IIA Code of Ethics, the International Standards for the Professional Practice of Internal Auditing, the Institute of Internal Auditors Research Foundation Common Body of Knowledge and the Global Competency Framework for Internal Auditing. Assessment is through a combination of exam and the completion of a work-related assignment. Study and tuition Tuition is available through the Chartered Institute of Internal Auditors via a distance learning programme and is a requirement of the award. Development of the work-related assignment is a core part of the supported learning process and cannot be undertaken without registration with a tutor. The guided time required for learning, including study, research, reading, exam preparation, on-the-job development and completion of the assignment, is 150 hours. Students studying will have access to the Institute s Virtual Learning Environment (VLE). This will allow students to access their online study materials and contact with their tutor. The learning text supplied here is the main source of modular guidance and include clear learning objectives and self-assessment questions with answers. Students will also be able to complete a mock exam and online quizzes, and can also interact with other students and IIA Learning via the VLE Each student is allocated a tutor. The tutor guides the student through the course, supports the student with the work-related assignment, and marks the assignment. Tutor feedback form an integral part of IIA Learning s tuition, as it reinforces and supports the course content. As students will be studying collaboratively with other students, they will also be learning with other students invaluable input and support. Academic level The academic level of the IIA IT Auditing Certificate has been devised to reflect the demands of the profession as well as the corresponding levels of the IIA Diploma and the IIA Advanced Diploma, which are both postgraduate level qualifications, PG1 (level 7). PG1 (level 7) is equivalent to the academic level of a Masters degree. Chartered Institute of Internal Auditors 4/18

5 Entry and completion requirements Entry to the IIA IT Auditing Certificate is open to qualified members of the Chartered Institute of Internal Auditors only, namely those holding PIIA, MIIA or CIA designations. Candidates must be working as an internal auditor and providing independent assurance to an organisation or organisations on risks and controls associated with IS/IT 1 for at least twelve months to complete the award. Candidates must satisfy the full requirements of the award within two years of registering. Exemptions Candidates who have passed the Specialist Information Systems Auditing module exam of the IIA Qualification in Computer Auditing within five years of registering for this award will be exempted from the exam. Accreditation of prior learning (APL) Accreditation of prior learning is not available in respect of any component of this award. Assessment and grading Assessment of candidates for the IIA IT Auditing Certificate is made in two main ways: knowledge and understanding is assessed through a multiple choice exam professional competence is assessed through evidence produced through a work related assignment Exam Exams are held twice a year, in the first week of June and the last week of November, through a two hour exam of 100 multiple choice questions. Candidates are required to demonstrate their knowledge and understanding of the theories, concepts, methods and practices as outlined in the syllabus. They will be expected to relate their knowledge and understanding to contextualised scenarios. It will be necessary to: recognise key terms and models and confirm their appropriate application analyse a range of information make comparisons and draw relevant conclusions identify and select suitable recommendations and evaluative judgements Candidates will need to record their chosen answer from the options presented. One mark will be awarded for every correct answer. No marks will be awarded or deducted for incorrect answers. The syllabus details the knowledge and understanding candidates are required to have in order to complete the exam successfully. Knowledge of new guidance, changes to standards, recent legislation, relevant current affairs and events related to internal auditing is also required. Regardless of the sector in which the candidate works, it will be necessary to understand the role of internal auditing in public, private and voluntary sectors, as detailed in the syllabus. 1 The abbreviation IS/IT is used throughout this document to signify information systems and technology Chartered Institute of Internal Auditors 5/18

6 Where there are variations in regulations and legislation, as exists, for example, between the UK and Ireland, candidates will only be expected to refer to what is relevant to their situation. Information on entering for the exam and associated policies is given in Appendix 1. Work-related assignment The work-related assignment is an opportunity for candidates to extend their understanding of issues relating to IT auditing through study and research, employ their learning in a practical context and contribute to the body of knowledge on the subject. Candidates are required to demonstrate their appreciation of the implications for internal audit of specialist aspects of IS/IT within their own organisation or that of a client. The assignment requires candidates to apply concepts and frameworks they have learnt in their studies supported by further research into their particular area of specialism. They are required to analyse and evaluate an aspect of IS/IT, and present their work in the form of a report for assessment. The report should include references for the research undertaken and recommendations for their organisation or client. The nature and scope of the assignment will be negotiated between the candidate, their manager and the course tutor, and will require the approval of an initial outline. Further details of the work-related assignment are given in Appendix 2. Candidates will need to be able to express their answers fully by applying an effective command of the English language, using technical terminology and a formal report format. Due attention must be paid to standard conventions of grammar, spelling and style. Grading The exam is marked and a percentage recorded. A minimum of 65% is required for a Pass. The work-based assignment is marked and graded. A minimum of 50% is required for a Pass. Merit and Distinction grades are awarded for marks of 60% and above and 70% and above respectively according to the grading criteria included in the appendix of this document. Relevant policies Relevant policies and other candidate materials may be accessed through the IIA s Student Information Centre at Topics covered include exam regulations, special requirements, exam registration, extenuating circumstances, reviews and appeals, exemptions and quality assurance. Date from which syllabus is active December The first exam session is in June 2015 and last exam session in November Chartered Institute of Internal Auditors 6/18

7 Aims and objectives The aim of this module is to enable candidates to build upon and develop their expertise in risk-based internal audit in the context of IS/IT threats, vulnerabilities and controls. In doing so it requires candidates to be able to understand and analyse: organisational structures, management and activity; financial risks and controls; the principles and processes of riskbased internal audit; the framework of corporate governance and risk management in the UK and Ireland; and the fundamental principles of information systems auditing. The module will enable practising internal auditors to prepare and lead on IS/IT audits requiring detailed technical knowledge and understanding of information systems and processes. It provides specialist IS/IT auditors with the skills to critically assess IS/IT risks and communicate these effectively with middle and senior managers. The module prepares candidates for dealing with risks across the full spectrum of contingencies, including those associated with major IT transformation projects in order to deliver the required level of assurance to the board, embracing current trends and emerging technologies. It also develops the expertise needed to determine the need for and implement external specialists effectively. Close reference is made to the IIA GTAG (Global Technology Audit Guides), IIA GAIT (Guide to the Assessment of IT Risk). The underpinning model used for analysing and evaluating risks is COSO ERM, mapped to UK and European legislation and ISO standards and 27000, and as such the module bridges the gap between organisational and IT objectives. In keeping with the International Professional Practices Framework, the internal audit activity must assess whether the information technology governance of the organisation supports the organisation s strategies and objectives (2110.A2). That activity must also evaluate risk exposures as well as the adequacy and effectiveness of controls in responding to risks relating to the organisation s governance, operations, and information systems regarding the achievement of the organisation s strategic objectives reliability and integrity of financial and operational information effectiveness and efficiency of operations and programmes safeguarding of assets, and compliance with laws, regulations, policies, procedures and contracts. (2120.A1 and 2130.A1) Those who have successfully completed the module will be able to: plan and lead internal audits that focus on the technical risks associated with the current use or planned introduction of information systems and processes identify risks in context and identify, analyse and assess the effectiveness of control measures in place to mitigate risks associated with complex information systems and processes determine the need for and manage the effective use of additional IS/IT experts critically assess and communicate associated risks of a complex nature to middle and senior managers contribute to the evaluation of the effectiveness of IS/IT strategy and governance provide independent assurance on an organisation s information security, integrity and resilience engage with other providers of IS/IT assurance, such as compliance audits, quality assurance functions and other technical specialists contribute technical expertise to internal audits that require deep insight into complex areas of IS/IT risks Chartered Institute of Internal Auditors 7/18

8 Knowledge and understanding On completion of this module, candidates will have knowledge and understanding of: 1. Management of internal auditing in the IS/IT environment 1.1 The information systems audit role, including objectives risk assessment internal audit planning and programmes 1.2 Vulnerability and penetration testing in the IS/IT environment 1.3 Role of IS/IT audit in relation to system development projects 1.4 Internal audit use of IS/IT 1.5 Internal audit reporting 2. IS/IT strategy and governance 2.1 IS/IT strategies and links to corporate and business strategies, objectives and risks 2.2 Organisation and management of information systems, including systems for managing people managing knowledge, information and data managing technology managing other resources 2.3 Performance planning and IS/IT service levels including ITIL 2.4 Outsourcing, including: rationale, strategy and service level agreements risks associated with outsourcing control and audit implications 2.5 Systems and infrastructure lifecycles 2.6 Information governance and IT delivery (eg ITIL) 3. Management of projects and programmes 3.1 Systems development approaches project methodologies milestones and decision points 3.2 IS/IT project management 3.3 Risks associated with projects and programmes, including in-house developments outsourced development projects package software COTS (commercial off-the-shelf) procurement, customisation and implementation Chartered Institute of Internal Auditors 8/18

9 end-user development 4. Management of infrastructure 4.1 Operating systems Concepts, components and functions Role of technical staff in configuration, patching and change control 4.2 Networks and wireless technologies LANs and WANs, including control and security implications audit approaches to LANs and WANs 4.3 Telephony and communications 4.4 Database systems database management system software and the role of the database administration function audit approaches to database software and systems 5. Management of information security 5.1 Security policies rationale, development and enforcement of policies audit involvement and objectives 5.2 Physical and environmental security 5.3 Business continuity management 5.4 Other sources of assurance 6. Auditing of systems 6.1 Auditing application systems types and classifications of controls general approach to IS/IT systems audits IT control frameworks (eg ISO 27001, COBIT) audit approach to complex systems (eg ERP, EDI, point of sale, payment systems including BACS and PCI, EFTPOS, office automation, manufacturing and supply chain management systems) audit approach to emerging technologies 6.2 The Internet risk assessment control, security and legal issues for the organisation audit approach 6.3 E-commerce risk assessment of e-commerce systems control and security issues relating to e-commerce audit approach to implementation and use of e-commerce systems Chartered Institute of Internal Auditors 9/18

10 Appendix 1: Multiple choice question exam Exam policies Exam entry Students must ensure that they access the Institute s online exam entry application form in March to enter the June exams, and in September to enter the November exams. Reminders will be sent to students registered onto the IIA IT Auditing Certificate. Special arrangements Students may require particular arrangements to be put in place so that they are not disadvantaged when undertaking their assessments. Information on applying is given in the policies section of the Student Information Centre. Withdrawals Exam candidates are only able to withdraw their entry on medical grounds. It is not possible to defer an entry for any reason. In the event of a withdrawal being required, students should contact the Institute as soon as they are able to discuss their options. Extenuating circumstances Students suffering from any unexpected extenuating circumstances in the immediate build up to the exams may apply for special consideration to be given. Strict deadlines are in place for such applications. Students should again refer to the policies section of the Student Information Centre. Review of results Students may seek a review of their multiple choice question exam results. The nature of this assessment means that only clerical reviews are available, as per the policy published in the Student Information Centre. Appeals Students may seek appeal of either of their assessments. Appeals for the multiple choice exam results are only possible where a review has previously been submitted. Options for retaking assessments Some students may be unsuccessful in their first attempt at the exam, and are able to resit in a future exam series. However, completion must be achieved within two years of registration onto the certificate. Chartered Institute of Internal Auditors 10/18

11 Appendix 2: Work-related assignment The aim of the work-related assignment is to demonstrate that the candidate is able to apply their knowledge and understanding of the threats and vulnerabilities inherent in particular information systems and/or IT in a practical scenario carry out an investigative study of an aspect of IS/IT within their own organisation or that of a client undertake further research as required to extend their knowledge in respect of the specific dimensions of information systems or IT under study produce a report on their findings that highlights the implications for internal audit produce recommendations for the organisation or client related to the risks and internal control within the area of IS/IT under study, for IS/IT governance and for the strategic aims of the organisation The approach taken by the candidate must be agreed by the course tutor but may include: participation in or leadership of an IS/IT audit participation in an IS/IT transformation project a post-implementation review of an IS/IT transformation initiative investigation into existing or proposed IS/IT arrangements The work-related assignment is submitted and considered in three stages an initial proposal, focussing on terms of reference and procedure a draft report, focussing on initial findings a final report, containing all sections but with a focus on conclusions and recommendations Each stage must be completed in sequence and approved by the tutor before completing the next stage. The requirements for submission of the work-related assignment are as follows: candidates must be registered on the IIA IT Auditing Certificate programme candidates must make an initial proposal for approval by their tutor in which they outline the terms of reference for their proposed assignment, including o a description of the activity to be undertaken (guideline 750 words) o an indication of the areas of the syllabus that will be relevant to the assignment o resources to be used (including electronic and printed materials and individuals who may be consulted) o additional research to be undertaken candidates must submit a draft and then a final formal report of 4,000 words (with an allowance of 10% either way) plus appropriate appendices that includes: o a description of study undertaken in IS/IT o an explanation of how the learning from the IIA IT Auditing Certificate has been applied as part of the activity engaged in o a description of the further research that was needed and undertaken in order to meet the demands of the activity o an analysis of the findings that focuses on the risks and controls, the implications for IS/IT governance and for the strategic aims of the organisation o recommendations for the organisation or client related to the risks and internal control within the area of IS/IT under study the final submission must be word processed and both a hard copy and electronic pdf copy must be submitted to the Institute. Each submission must include a cover Chartered Institute of Internal Auditors 11/18

12 sheet confirming their name, membership number, date, assignment title, contents and word count of content (excluding appendices) the hard copy submission should be on white A4 paper using Arial font size 11, oneand-a-half line spacing and page numbers electronic submissions must include only a single pdf attachment and the attachment must be clearly labelled with surname, forename and the assignment title eg Smith John IT assignment xyz the submission should be accompanied by a signed declaration or from the candidate s line manager or other suitable person confirming the work is authentic candidates may re-submit their final report assessment once; any further resubmissions will incur an additional assessment fee candidates must submit their initial proposal, draft report and final report within the duration of the programme and make any resubmission within 12 months of commencing their tuition candidates need to express their answers fully by applying an effective command of the English language, using technical terminology and a formal report format, and consideration will be given to standard conventions of grammar, spelling and style candidates should keep a copy of the original assignment until confirmation of the final grade It is not necessary that candidates have passed the exam when making their submission. For reasons of confidentiality candidates do not need to refer to the names of clients or other confidential details. No portion of the candidate s submission will be copied or distributed or in any other way used by the Institute other than for the purpose of assessment without prior permission of the candidate. The candidate will receive a grade for their assignment approximately 12 weeks after their submission. The result of the submission will be confirmed in writing to the same timetable set for all of the Institute s professional qualification assessments. Results are published twice a year, in mid August and early February. Assessment The candidate and the tutor may agree upon an appropriate format for the report. However, it should reflect the following key areas: Terms of reference the scope, purpose, objectives, rationale, motivations for the study, theory needed, models used, assumptions made etc Procedure how it is to be done, what research is required, other activity needed, timescales Findings simple factual reporting as well as summarising key findings (probably requiring main results to go in appendices) Conclusions what the findings tell us, based on analysis, application of theory and interpretation Recommendations proposals and suggestions in response to the conclusions and linked to the initial objectives, requiring synthesis and evaluation Appendices (as required, to include a summary of the references and resources used) The initial proposal should focus on the terms of reference and procedure by explaining the aims, objectives, methods, resources to be used, research that is required and the links with the formal syllabus of the IIA IT Auditing Certificate. The guideline word length is 750. The initial submission should be accompanied by a note of support from the candidate s line manager or other appropriate person indicating that they confirm the candidate will have the Chartered Institute of Internal Auditors 12/18

13 necessary support to undertake the study as described. The tutor will review the initial submission and determine whether the proposal is feasible and appropriate, taking into account timescale, scope and demands of the syllabus, and resources needed. The initial proposal is not graded, but the tutor will provide feedback and comments aimed at assisting the candidate towards making their final report. In particular, the tutor will indicate the appropriateness of the proposal and whether the candidate should proceed as planned or make alterations to their proposal. The draft report should include an updated version of the terms of reference and procedure, but focus principally on the findings to date. This is an opportunity for the candidate to highlight difficulties and challenges and seek assistance from the tutor. The tutor can also gauge the progress made and provide encouragement and advice as required. The final report should be complete and include the final version of all sections. The report will be assessed and graded according to the criteria given below. A sample of assessed work will be moderated as part of the quality assurance process. Resubmission of assignments Some students may be unsuccessful in their first attempt. Students should of course make every effort to succeed in their assignments and should closely follow the guidance provided by their tutor. If they are unsuccessful in passing the assignment then they are able to resubmit alongside the next cohort of candidates. If they do not take up this option then the assignment may only then be completed by reregistering onto the full IIA IT Auditing Certificate programme. Students wishing to resubmit assignments must advise the Institute in writing of their intentions and must do so within six weeks of the publication of their results so that a tutor may be assigned to assess their resubmission. Initial submissions and Draft reports will not be reviewed; students will only be able to resubmit their Final report and this will need to be submitted to the same deadline as the rest of the cohort being assessed. Students should seek confirmation of deadlines before they commit to making a resubmission. Students declaring an intention to resubmit will be invoiced at the point of declaration. Resubmissions will be subject to an assessment fee equal to that for an exam. Chartered Institute of Internal Auditors 13/18

14 FINAL REPORT Near Pass Pass Merit Distinction Maximum (Total 60) Terms of reference the scope, purpose, objectives, rationale and motivations for the study the underpinning theory needed with reference to theoretical principles, frameworks and models used main assumptions made The study must focus on the technical risks associated with the current use or planned introduction of information systems and processes. outlines the purpose and objectives for the study identifies some theoretical principles and concepts relevant to the ITAC syllabus but lacks depth applies these in a context that it not sufficiently focused on the concerns of internal audit clearly describes the purpose and objectives for the study identifies and describes the main theoretical principles and concepts with reference to the ITAC syllabus applies these ideas within an appropriate IS/IT context from an internal audit perspective clearly describes the purpose and objectives for the study identifies and explains a range of theoretical principles and concepts relevant to the ITAC syllabus applies these ideas within an appropriate IS/IT context from an internal audit perspective clearly describes the purpose and objectives for the study identifies and fully explains a wide range of theoretical concepts, principles and relevant to the ITAC syllabus applies these ideas within an appropriate IS/IT context from an internal audit perspective Chartered Institute of Internal Auditors 14/18

15 Near Pass Pass Merit Distinction Maximum (Total 60) Procedure Note: in the initial report this will be in the form of a plan. In the final report it will be descriptive of the actual procedure adopted. how the study is to be done, what activities are needed and how they will be approached, how the findings will be analysed timescales a description of the research that will be needed and undertaken in order to meet the demands of the activity outlines the steps adopted to undertake the investigation provides some evidence of planning provides minimal consideration of research needed to support the study clearly describes the steps adopted to undertake the investigation provides realistic timescales and evidence of planning outlines research needed to support the study clearly describes and explains the steps adopted to undertake the investigation provides realistic timescales and detailed evidence of planning describes research needed to support the study clearly describes and justifies the steps adopted to undertake the investigation provides realistic timescales and detailed evidence of planning with contingencies for setbacks and disruption describes and justifies research needed to support the study As part of their approach to their study students are expected to engage with a range of individuals associated with the management, operation and governance of IS/IT. This must be identified in their procedure. Chartered Institute of Internal Auditors 15/18

16 Near Pass Pass Merit Distinction Maximum (Total 60) Findings >10 15 suitable analysis of the raw data and basic information needed to extract and explain the findings factual reporting of the results of the investigation, making appropriate use of appendices summary data using appropriate techniques and presentation (tables, charts, diagrams, graphs, etc) reports the raw data and basic information without sufficiently highlighting the main findings presents findings with a lack of clarity makes little or ineffective use of presentation methods analyses raw data and basic information in order to extract the findings using an appropriate method reports findings clearly identifies key findings analyses raw data and basic information in order to extract the findings using an appropriate method reports findings fully and accurately, using appendices as required employs graphical and tabular presentation effectively in order to identify key findings, summarising the main points analyses raw data and basic information in order to extract the findings using a range of appropriate techniques reports findings fully and accurately, using appendices effectively employs a range of highly effective presentational methods in order to identify key findings, summarising the main points to maximise understanding The findings are required to include commentary on the inherent risks within the IS/IT environment under study. Chartered Institute of Internal Auditors 16/18

17 Near Pass Pass Merit Distinction Maximum (total 60) Conclusions >14 20 an interpretation of the findings that draws upon the information and reveals patterns, associations and connections based on suitable analysis the implications of the findings within the context of the study the application of theory and interpretation that focuses on the risks and controls, the implications for IS/IT governance and for the strategic aims of the organisation The conclusions are required to comment on the effectiveness of the IS/IT strategy and governance. attempts an interpretation of the findings but approach is unclear or flawed shows some of the connections between separate findings but analysis is incomplete states the implications of the findings in the context of the study without revealing the full picture applies some theoretical concepts in the interpretation but lacks depth expresses conclusions with limited clarity or relevance analyses findings using a suitable approach reveals the connections between separate findings states the implications of the findings within the context of the study employs appropriate theoretical concepts and principles in the interpretation of the findings expresses clear and relevant conclusions clearly thoroughly analyses findings using a range of suitable approaches reveals the connections between separate findings and provides some explanatory reasons for the connections assesses their implications within the context of the study employs a range of appropriate theoretical concepts and principles in the interpretation of the findings expresses clear and relevant conclusions critically analyses findings using a range of suitable approaches reveals the connections between separate findings and provides several different possible explanatory reasons for the connections assesses their implications within the context of the study from a range of different perspectives employs a wide range of appropriate theoretical concepts and principles in the interpretation of the findings expresses clear and relevant conclusions and justifies them Chartered Institute of Internal Auditors 17/18

18 Near Pass Pass Merit Distinction Maximum (total 60) Recommendations >10 15 an assessment of the conclusions and their impact within the context of the study proposals and suggestions in response to the conclusions, linked to the initial objectives, requiring synthesis and evaluation recommendations for the organisation or client related to the risks and internal control within the area of IS/IT under study Recommendations need to address any weaknesses identified in control measure associated with information security, integrity and resilience. makes an incomplete assessment of the conclusions produces proposals that are not fully within the context of the objectives of the study generates some recommendations that do not address all of the implications of the study or with a perspective that is insufficiently strategic assesses the conclusions in the context of the study produces proposals linked to the stated objectives of the study generates appropriate recommendations of a strategic nature based on findings and conclusions assesses the conclusions in the context of the study produces relevant and perceptive proposals linked to the stated objectives of the study as well as recognising the implications outside of the given context generates appropriate original recommendations of a strategic nature based on findings and conclusions assesses the conclusions in the context of the study produces relevant, sound and highly perceptive proposals linked to the stated objectives of the study as well as recognising the implications outside of the given context generates appropriate original and incisive recommendations of a creative and strategic nature based on findings and conclusions, including opportunities for further research or study Chartered Institute of Internal Auditors 18/18