CITP Examination Content Specification Outline


2016 American Institute of CPAs. All rights reserved. DISCLAIMER: The contents of this publication do not necessarily reflect the position or opinion of the American Institute of CPAs, its divisions and its committees. This publication is designed to provide accurate and authoritative information on the subject covered. It is distributed with the understanding that the authors are not engaged in rendering legal, accounting or other professional services. If legal advice or other expert assistance is required, the services of a competent professional should be sought. For more information about the procedure for requesting permission to make copies of any part of this work, please email copyright@aicpa.org with your request. Otherwise, requests should be written and mailed to the Permissions Department, AICPA, 220 Leigh Farm Road, Durham, NC 27707-8110.

TABLE OF CONTENTS

The Pathway to the CITP Credential ... 2
High-Level Content Specification Outline ... 2
  Module 1 Information Management ... 2
  Module 2 Information Technology Risk & Advisory ... 3
Detailed Content Specification Outline ... 5

AICPA CITP Examination Content Specification Outline 1

THE PATHWAY TO THE CITP CREDENTIAL

The content of the Certified Information Technology Professional (CITP) Examination was developed to test a candidate's understanding of the fundamental sections of the CITP body of knowledge. The content of each of the topical sections is described in outline form and provides an overview of the knowledge and skills tested on the CITP Examination. The examination questions are intended to test each content area and its logical extensions. The percentage range following each major content area in the outline represents the approximate weighting for that content area. The examination is fully computerized and consists of multiple-choice questions only.

High-Level Content Specification Outline

Module 1 Information Management

A. Information Management (20-25%)
   1. Data management
   2. Information lifecycle management
   3. System development/capital acquisition and improvement
   4. Application integration
   5. Business performance management
   6. Solution administration, monitoring and governance

B. Information Governance (25-30%)
   1. Policies, procedures and standards
   2. Access
   3. Software and other process controls
   4. Security authorization and authentication
   5. Encryption
   6. Business continuity and disaster recovery
   7. Regulatory compliance (privacy and cybersecurity)

C. Accounting Operations Technology Services (5-10%)
   1. Solution implementation and delivery
   2. Business process design and engineering

Module 2 Information Technology Risk & Advisory

A. Information Technology Risk & Advisory Services (10-15%)
   1. IT considerations to the financial statement audit
   2. Considerations for businesses using vendors
   3. IT reviews and consulting engagements
   4. Internal audit

B. Engagement Compliance (5-10%)
   1. Techniques and procedures
   2. Planning
   3. Risk
   4. Scope
   5. Evidence-gathering
   6. Sampling
   7. Fraud considerations
   8. Reporting

C. IT Controls & Assessment (15-20%)
   1. IT controls
   2. Assessment of IT controls


DETAILED CONTENT SPECIFICATION OUTLINE

MODULE 1 INFORMATION MANAGEMENT

This module covers knowledge pertaining to Information Management, Information Governance and Accounting Operations Technology Services. Information Management ensures that information is managed such that it provides value in decision-making and serves other managerial needs. The foundation of effective information management is a thorough understanding of the structures and processes associated with managing information from creation or capture through disposition or destruction, and the ability to apply data analysis and reporting concepts to analyze enterprise performance. Information Governance centers around the policies, procedures and standards in place to ensure the confidentiality, integrity and availability of information. Accounting Operations Technology Services focus on the use of IT to create or modify workflows and business processes that have the potential to make more effective use of resources.

Topic/Content

A. Information Management (20-25%)
   1. Data Management
      a. Types of infrastructure/platforms typically employed
      b. Data prep/manipulation
      c. Data analysis: Functions, tools and approaches
         1) Business intelligence and analytics
      d. Information traceability
         1) Source traceability
         2) Transformation traceability
      e. Information quality
   2. Information Lifecycle Management
      a. Identify
      b. Capture
      c. Manage
      d. Utilize
      e. Archive
      f. Retention policy
      g. Destruction
   3. System Development/Capital Acquisition and Improvement
      a. Policy and procedure
      b. Planning/budget
      c. Test phase
      d. Implementation
      e. System development risk
      f. Customization risks
      g. Reduction of risk through commercial software

Referenced Readings

AICPA. An Overview of Data Management. 2013.
AICPA. Why Predictive Analytics Should Be a CPA Thing. 2014.
AICPA. How CPAs Can Drive Business Intelligence.
AICPA. Information for Advantage and Knowledge Management. 2015.
AICPA. Strategic Business Management: From Planning to Performance. 2012.
AICPA Clarified Statement of Auditing Standards. AU-C 500 Audit Evidence.
Krishnan, Krish. Data Warehousing in the Age of Big Data. Morgan Kaufmann. 2013. Chapter 12.
AICPA. A Practice Aid for Records Retention. 2012.
AICPA. A Job Aid to the Solution Selection Process. 2014.
Sherman, Richard. Business Intelligence Guidebook. Morgan Kaufmann. 2014. Chapter 7 Technology and Product Architectures.

Topic/Content

A. Information Management (20-25%) (continued)
   4. Application Integration
      a. Application integration framework
      b. Conceptualizing application integration for information management
      c. Financial systems/other systems/electronic medical record (EMR)
      d. Outside vendor management
   5. Business Performance Management
      a. Budget and profitability management
      b. Performance metrics and reporting
   6. Solution Administration, Monitoring, and Governance
      a. Continuous monitoring
      b. Business activity monitoring
      c. Business solution governance

Referenced Readings

Misra, Harekrishna; Rahman, Hakikur. Managing Enterprise Information Technology Acquisitions. IGI Global. 2013. Chapter 5 Conceptualization of IT Acquisition Life Cycle Management Model.
AICPA. Find Out Why You Need Corporate Performance Management Software and Make Better Business Decisions. 2010.
AICPA. Is Your Company Trying to Eliminate All Vulnerabilities? 2010.
AICPA. Build a Performance Management Plan That Works. 2012.

B. Information Governance (25-30%)
   1. Policies, Procedures and Standards
   2. Access
      a. Logical access
         1) Data (transaction) level
         2) Application and financial system level
            i. Evaluate and test application controls
            ii. Evaluate and test segregation of duties
            iii. Evaluate and test spreadsheet controls
         3) Operating system level
         4) Network level
            i. Firewalls
            ii. Network access controls
      b. Hardware and physical access
         1) Access to server room, building facilities and sensitive hardcopy records
   3. Software and Other Process Controls
   4. Security Authorization and Authentication
   5. Encryption

Referenced Readings

Lanz, Joel. Communicating Cybersecurity Risks to the Audit Committee. The CPA Journal. May 2016 Issue.
Merkow, Mark; Breithaupt, Jim. Information Security: Principles and Practices, Second Edition. Pearson Certification. 2014. Chapter 2 Information Security Principles of Success; Chapter 4 Governance and Risk Management; Chapter 6 Business Continuity Planning and Disaster Recovery Planning; Chapter 8 Physical Security Control: Understanding the Physical Security Domain.
Turner, Leslie; Weickgenannt, Andrea. Accounting Information Systems: The Processes and Controls, 2nd Edition. John Wiley and Sons. 2013. Module 2, Chapter 4 Internal Control and Risks in IT Systems; Module 2, Chapter 7 Auditing Information Technology-Based Processes; Module 4, Chapter 14 E-Commerce and E-Business.

Topic/Content

B. Information Governance (25-30%) (continued)
   6. Business Continuity and Disaster Recovery
      a. Business continuity planning (BCP)
      b. Disaster recovery (DRP)
      c. Contingency planning
         1) Incident response
         2) Data backup
      d. Testing
   7. Regulatory Compliance (Privacy and Cybersecurity)

Referenced Readings

AICPA. 5 Steps CPAs Can Take to Fight Hackers. Journal of Accountancy. April 2016.
AICPA. Business Continuity: Tools and Techniques. 2011.
AICPA. The Top 5 Cybercrimes. 2013.
935 Compliance Audits.
PCI Security Standards Council. Payment Card Industry (PCI) Data Security Standard: Requirements and Security Assessment Procedures, Version 3.2. 2016.

C. Accounting Operations Technology Services (5-10%)
   1. Solution Implementation and Delivery
   2. Business Process Design and Engineering
      a. Understanding of business processes that affect financial data
      b. Proper design and integration of internal controls into business processes

Referenced Readings

AICPA. A CPA's Approach to Business Solution Implementations. 2013.

MODULE 2 INFORMATION TECHNOLOGY RISK AND ADVISORY

This module covers knowledge pertaining to Information Technology Risk and Advisory Services, Engagement Compliance, and IT Controls and Assessment. Information Technology Risk and Advisory knowledge centers around the considerations of IT risks, whether as part of a financial statement audit, service organization control report, internal IT audit, IT review, or IT consulting engagement. Engagement Compliance covers knowledge of techniques and procedures used in conjunction with assurance and advisory services. This includes components of planning, risk assessment, and evidence gathering. IT Controls and Assessment covers knowledge pertaining to IT controls, in relation to the integration of internal control frameworks with financial reporting, management considerations of internal controls, and change management procedures.

Topic/Content

A. Information Technology Risk and Advisory Services (10-15%)
   1. IT Considerations to the Financial Statement Audit
   2. Considerations for Businesses Using Vendors
      a. Service Organization Control Reports
         1) SOC 1 reports
         2) SOC 2 reports
         3) SOC 3 reports
   3. IT Reviews and Consulting Engagements
      a. Information compliance
         1) Internal policy and procedure
   4. Internal Audit
      a. Audit universe
      b. Specific audit programs
      c. Assessment of IT risk
      d. Work paper documentation
      e. Nature/substance of an audit report
      f. Board reporting

Referenced Readings

402 Audit Considerations Relating to an Entity.
935 Compliance Audits.
AICPA. Trust Services Principles and Criteria. 2016.
AICPA. Service Organizations: Reporting on Controls at a Service Organization Relevant to User Entities' Internal Control Over Financial Reporting Guide (SOC 1). 2013.
AICPA. Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC 2) AICPA Guide. 2015.
Weiss, Martin; Solomon, Michael. Auditing IT Infrastructures for Compliance. Jones and Bartlett Learning. 2010. Part Two, Auditing for Compliance: Frameworks, Tools, and Techniques.
Gantz, Stephen. The Basics of IT Audit. Syngress. 2013. Chapter 3 Internal Auditing; Chapter 6 IT Audit Components.

Topic/Content

B. Engagement Compliance (5-10%)
   1. Techniques and Procedures
   2. Planning
      a. Research/process documentation/flowcharting
      b. Understanding business environment and processes
         1) Complexity of business
         2) Assess the level of IT sophistication, and degree of F/R reliance on IT
         3) Business or accounting change, such as within business processes and cycles
         4) Executive management functions
   3. Risk
      a. Risk Assessment
         1) Enterprise risk assessment
         2) Financial statement risk assessment
         3) IT risk assessment
         4) Security risk assessment (audits)
      b. Risk Model
         1) Inherent risk
            i. Entity (economy, industry and entity-specific)
            ii. IT control environment
         2) Control risk
            i. Manual vs. automation; hybrid
            ii. Preventive, detective and corrective controls
            iii. Key vs. non-key controls
            iv. Control gaps
         3) Risk of material misstatement
            i. Combination of inherent and control risk
            ii. Consider applicable account balances, classes of transactions, and disclosures
            iii. Tie to relevant F/S assertions
            iv. Consider adverse effects of the entity's IT
            v. Assessing RMM due to fraud

Referenced Readings

240 Consideration of Fraud in a Financial Statement Audit.
265 Communicating I/C Related Matters Identified in an Audit.
300 Planning an Audit.
315 Understanding the Entity, Its Environment, and Assessing the Risks of Material Misstatement.
450 Evaluation of Misstatements Identified During the Audit.
500 Audit Evidence.
520 Analytical Procedures.
530 Audit Sampling.

Topic/Content

B. Engagement Compliance (5-10%) (continued)
   4. Scope
      a. Develop walkthrough plan
      b. Preparing an IT audit plan
      c. Draft risk assessment report
   5. Evidence Gathering
      a. Strategy
      b. Inquiry
      c. Observation
      d. Inspection/reperformance
      e. Analytical procedures
   6. Sampling
      a. Methodologies
      b. Size
      c. Technical tools and techniques (CAATs)
   7. Fraud Considerations
      a. Digital Evidence
         1) E-discovery rules and processes
         2) Implications of federal and state-specific laws
      b. Detection and Investigation
         1) Use of IT in fraud investigations
         2) Data mining/analysis
            i. Proper digital acquisition tools and procedures
            ii. Determine suitable digital sources
   8. Reporting
      a. Information presentation
      b. Information timeliness

Referenced Readings

Cascarino, Richard. Auditor's Guide to IT Auditing, Second Edition. John Wiley and Sons. 2012. Part 1, Chapter 3: IT Risk and Fundamental Auditing Concepts; Part 1, Chapter 6: Risk Management of the IT Function; Part 1, Chapter 7: Audit Planning Process; Part 1, Chapter 9: Audit Evidence Process.
AICPA. Board and Audit Committee Involvement in Risk Management Oversight. 2009.
AICPA. Computer Assisted Audit Techniques or CAATs. 2010.
Hingarh, Venna; Ahmed, Arif. Understanding and Conducting Information Systems Auditing + Website. John Wiley and Sons. 2013. Part 1: Chapter 6 Risk Based Systems Audit.

Topic/Content

C. IT Controls and Assessment (15-20%)
   1. IT Controls
      a. COSO Framework
         1) Integration
      b. Management considerations
         1) History and prior control reports
         2) Management's attention to controls
      c. Control environment
         1) IT strategic plan
         2) IT policies and procedures
            i. Role of IT governance in the control environment
            ii. Role of project management in the control environment
         3) IT Operations
            i. Consider portfolio of systems used or in place
      d. Change management
         1) Policies and procedures
            i. Configuration management
            ii. Software management
            iii. Operating system and network management
         2) Vulnerability management
         3) Systems implications
            i. Accounting and financial reporting systems
            ii. Commercial off-the-shelf software (COTS) vs. customized software
            iii. Enterprise and ERP systems
            iv. E-Business systems and applications
      e. Application controls
   2. Assessment of IT Controls
      a. Deficiency evaluation of IT-related controls
         1) Control deficiency, significant deficiency and material weakness
         2) Aggregation of deficiencies
      b. Materiality/impact to the entity
         1) Risk of material misstatement

Referenced Readings

Trugman, Gary R. 2012. Understanding Business Valuation: A Practical Guide to Valuing Small to Medium-Sized Businesses, 4th ed. New York: AICPA, chap. 2, 3, 6, 17, 21-22, 24-25.
Hitchner, James R. 2011. Financial Valuation: Application and Models, 3rd ed. New Jersey: John Wiley & Sons, chap. 16 and 23.
Pratt, Shannon P.; Niculita, Alina V. 2008. Valuing a Business: The Analysis and Appraisal of Closely Held Companies, 5th ed. New York: McGraw-Hill, chap. 37-38, 40-42.
AICPA Consulting Services Special Report 03-1 Litigation Services and Applicable Professional Standards.
AICPA Consulting Services Practice Aid 96-3 Communicating in Litigation Services: Reports.


T: 888.777.7077
F: 800.362.5066
E: citp@aicpa.org
W: aicpa.org/citp
21010-378