Students who are not yet working have less practical experience to draw on.
The only way to make up for that is to read.
How to read: focus on the key knowledge points and master the skills they describe.
Learning process: do practice exercises and review the knowledge points they test.
Before the exam: it is very important to ask for the exam question recollections collected by SPOTO.
I took the examination in my tenth year of work. I didn't pass it the first time. Later, I found a reason to complain about the instability of the examination system and was given another examination opportunity for free. Finally, I passed.
Here are my notes:
- Audit charter:
(1) The audit charter is approved by the board of directors or the audit committee.
(2) Senior management approves it.
(3) It states the role, overall authority, scope and responsibility of the IS audit function.
It does not contain the objectives of individual audits; those belong in the audit plan for each engagement.
- If auditors are assigned work outside their competence, they must inform management in time. If management has been informed and still accepts, the audit can proceed.
If the audit function is understaffed or lacks the required skills, seek external help or expert services.
- Independence has two aspects: organizational independence (reporting line of the audit function) and professional independence (of the individual auditor).
Audit findings must not be withdrawn or modified, for example at the auditee's request.
All audit findings, including minor ones and those the auditee has already corrected, must be recorded in the final audit report.
Potential conflicts of interest that could affect independence should be brought to management's attention before the audit begins.
If the auditor's independence is impaired (for example, because the auditor was directly involved in developing or designing the system under audit), this must be explained to management and disclosed in the audit report.
- Audit plan:
Short term: one year, risk-based. Set clear objectives and tasks and allocate resources to them.
Long term: three to five years, based on the organization's business strategy and development.
- At the audit planning stage, the auditor's main goal is to produce a plan that will achieve the audit objectives.
- When the external environment changes (laws, regulations, business conditions), the audit plan must be adjusted promptly.
- When the audit involves sensitive data, the auditor first checks the applicable legal and regulatory requirements: privacy, cross-border data transfer, encryption of data in transit, and local laws.
If the data is stored in the cloud, use strong encryption and appropriate cloud services.
- Risk assessment consists of risk identification and risk analysis.
The purpose of IT risk analysis is to help the auditor identify risks and vulnerabilities.
- General risk analysis / assessment process: identify the information assets that support the organization's objectives and activities, identify their controls, and determine which information assets are critical.
- When the auditor finds a defect / weakness / potential problem: (1) investigate further (additional procedures, root cause analysis, interviews with the relevant personnel); (2) assess the risk; (3) if the evidence supports it, report the threat found and its impact to management.
- When the auditor finds a violation / major risk / emergency: report it immediately so that the risk can be reduced and major losses avoided.
- The purpose of risk assessment is to identify high-risk areas so as to provide reasonable assurance that all material areas are covered by the audit.
- Risk treatment options: reduction / mitigation, acceptance / tolerance, avoidance, and transfer.
For more notes, please visit SPOTO's official website.