This letter modifies the training program for information technology (IT) examiners as approved by the Staff Development Subcommittee (SDS) of the Strategic Plan Steering Committee (SPSC). Effective with the publication of this SR letter, the revised training program applies to all assistant IT examiners currently employed by the Federal Reserve Banks, as well as to those hired in the future. Completion of this program is a requirement for IT specialists to obtain commissioned examiner status at the Federal Reserve Banks.

This letter replaces SR letter 98-36, dated December 17, 1998, which described the training program leading to commissioned examiner status for the IT examination specialty. Under SR letter 98-36, IT examiners had been required to complete all training classes and three examinations: the First and Second Proficiency Examinations and the Certified Information Systems Auditor (CISA) examination, which is sponsored by the Information Systems Audit and Control Association (ISACA). After analysis of the knowledge and skills tested in the First and Second Proficiency Examinations and the CISA examination, the SDS determined that the level of examination knowledge required for IT examiners is adequately tested under the First Proficiency Examination and the CISA examination. Consequently, the SDS has approved the elimination of the Second Proficiency Examination for examiners specializing in IT. All other aspects of the training program for IT examiners will remain in place. The remainder of this letter sets forth the training program leading to commissioned examiner status for the IT examination specialty.

Based on an assessment of the knowledge and skills required of an IT examiner, the following objectives were identified for the System’s IT Examiner training program.

• Risk-Focused:  The IT Examiner training program will implement the risk-focused approach outlined in SR letter 95-51 and SR letter 98-9. This approach includes an assessment of IT within the supervision of banks of all sizes, from small community banks to large complex organizations, and the integration of IT elements in the overall risk assessment framework.
• Integrated:  Given IT’s presence in banking products, services, and operations across all financial entities, IT examiner training programs will promote integration of examination specialties.
• Elevated:  Training will be elevated to provide examiners specializing in IT with the opportunity to obtain the knowledge and skills needed to evaluate the financial industry’s most complex systems and products

The training program for an assistant IT examiner involves a three-level approach that starts when an assistant examiner is hired and continues until he or she is commissioned.¹ Level One generally stresses the core knowledge needed by every examiner regardless of the area of specialization. Level Two emphasizes an assistant examiner’s specialty area. Level Three focuses on understanding the banker’s perspective in managing a financial institution, including risk management, in contrast to the supervisor’s perspective in examining and regulating the institution. In addition, training at this level promotes the skills needed to evaluate risk management examination processes and analyze issues that are prevalent in all areas under an integrated supervisory approach. The Second Proficiency Examination, which will now be eliminated, had been part of the Level Two program.

The IT training program also includes a framework for post-commissioning classes and other ongoing educational opportunities:  Levels Four-A and Four-B. This framework is similar to the System’s current approach for specialized capital markets training. While the first three levels of the training program promote the knowledge and skills needed by assistant IT examiners to achieve the base level of specialty expertise required to examine noncomplex financial organizations, Levels Four-A and Four-B provide the competencies required by the advanced specialist. Level Four-A develops IT expertise that enables the examiner to evaluate larger, more complex financial organizations. Level Four-B develops the skills needed to analyze the most complex IT risks, platforms, products, emerging technologies, and processes.

Training Requirements.  Assistant IT examiners will complete the following training requirements as part of Level One:

• Orientation Program
• Banking and Supervision Elements (BASE)
• Federal Reserve Act BEST/STaRT Module
• IT Concepts BEST/STaRT Module
• Internal/External Audit BEST/STaRT Module
• Investment Portfolio Management BEST/STaRT Module
• Loan Policy and Administration BEST/STaRT Module

Level One generally provides a foundation of core knowledge that is essential for all examiners, regardless of specialty. Included with Level One is a two-week Orientation Program, the second week of which provides specialty-specific training that prepares the assistant IT examiner for initial on-the-job responsibilities. This second week acquaints the assistant IT examiner with the basic examination procedures and methods, risk framework, preparation of examination work papers, examination program, and rating system.

First Proficiency Examination.  After successfully completing the Level One training requirements, an assistant IT examiner is eligible to take the System’s First Proficiency Examination, which tests the examiner’s knowledge of the basic core curriculum. The 80-question, multiple-choice examination includes all of the Level One training requirements, except IT Concepts.

The System will continue to use the CISA program for the assistant IT examiner’s Level Two training requirements.² The CISA program provides and measures the achievement of fundamental audit, security, and control skills. This industry program is a globally accepted standard of achievement among information system professionals. Also, this designation demonstrates the System’s commitment to a high level of expertise for its IT examiners.

CISA Program.  The CISA designation is required before an assistant IT examiner can be eligible for commissioning. To achieve the CISA designation, a candidate must successfully complete a multiple-choice CISA examination, adhere to ISACA’s Code of Professional Ethics, and submit evidence that the minimum experience level in professional information systems audit, control, or security has been achieved.³ Complete requirements for achieving the CISA designation are detailed in Attachment I.

CISA-Related Training Requirements.  ISACA does not mandate that specific training requirements be met before taking the CISA examination and obtaining a CISA designation. In order to be prepared for the examination, at a minimum, the typical assistant IT examiner should have successfully reviewed and completed the following training activities before taking the CISA examination. It would also be acceptable for equivalent experience to be substituted; however, until further experience is gained, the rigor of the examination, which is given twice per year (in June and December), should not be underestimated.

• Educational videotape, textbook, or manual that will be incorporated into IT’s second week of the Orientation Program.⁴
• Computer Audit, Control, and Security (CACS) Conference’s Core Competencies Educational Track.
  
  The CACS Conference, sponsored by ISACA, is offered annually. The conference format generally consists of more than 70 sessions divided into seven specific educational tracks. One track concentrates on core competencies, with other tracks providing advanced technical knowledge for the senior professional. The core competencies track should generally be completed by assistant IT examiners within 18 months of being hired. Attachment II provides additional details regarding the CACS Conference.
• CISA Review Courses through ISACA Chapters.
  
  Most local ISACA chapters conduct CISA review courses prior to the CISA examination. Review courses typically meet once per week over an extended period. Planning for the CISA review courses is necessary as these courses are typically only offered in the one- to four-month period prior to the CISA examination. Assistant IT examiners should contact the local ISACA chapter for further information. Information on contacting the ISACA chapters is available on the ISACA Internet website (www.isaca.org).
  
  A few chapters also offer concentrated review courses during a one-week time period. As an alternative to the classroom program, there is a computer-based CISA review module available from Pass/Matrix (www.passmatrix.com). Generally, regardless of chapter, each review course covers the following manuals:
  
  
  • Candidate’s Guide to the CISA Examination.  This guide provides a detailed outline of the subject areas covered on the examination, a suggested list of reference materials, glossary of acronyms, the flowchart symbols commonly used on the examination, and a sample copy of the answer sheet used for the examination
  • CISA Review Technical Information Manual.  This manual includes a thorough explanation of the structure and content of the examination, tips on how to develop a study plan, examples of questions likely to appear on the examination, and coverage of technical matter outlined in the seven content areas of the examination.⁵
  • CISA Review Questions, Answers & Explanations Manual.  This manual is a compilation of sample questions that cover the seven content areas in the examination
  
  If the assistant examiner enrolls in a review course that does not incorporate these manuals, the manuals should be purchased and reviewed as a supplement to the review course.

CISA Examination.  The CISA examination is offered each year in June and December and consists of 200 multiple-choice questions, administered during a four-hour session. A score of 75 percent is required to pass the examination. Test locations are throughout the United States, including all Reserve Bank cities except Kansas City, Missouri. The CISA test location for that district is in Kansas City, Kansas.

In preparation for the CISA examination, the assistant IT examiner will need an organized study plan. The assistant examiner must review the study aids and attend the courses that were previously outlined.

Other Level Two Training Requirements.  In addition to the courses recommended for the CISA examination, assistant IT examiners must also complete the System’s other Level Two training requirements.  These requirements include:

• Report Writing
• Conducting Meetings with Management
• Applications BEST Module
• Bank Secrecy Act computer-based training module (CBT)
• Community Reinvestment Act CBT
• Regulation O CBT
• Residential Mortgage Regulations CBT (overview of Regulations Z and B, RESPA/HMDA, and Fair Credit)

Training Requirements.  The assistant IT examiner is required to complete the System’s following Level Three training requirements, which are also required for assistant safety and soundness examiners and assistant trust examiners:

• Bank Management
• Management Skills
• Examination Management
• Regulation B CBT
• Trust Issues BEST/STaRT Module

Reserve Bank management should ensure that the assistant IT examiner is provided the opportunity to complete assignments that reinforce the knowledge and skills obtained from the System’s training requirements. Particular emphasis should be given to reinforcing the IT examination concepts. Reserve Bank management may choose to have assistant examiners occasionally complete examination procedures in other areas to enhance their understanding of core examination skills and integration concepts. It is also highly desirable for Reserve Bank management and training staff, whenever possible, to coordinate on-the-job assignments to reinforce the knowledge and skills presented in the CISA programs. This post-course intervention is critical to ensuring that the learning objectives for each training program are mastered.

The order in which the training requirements are completed is somewhat flexible. Thus, at times, an assistant IT examiner may be completing aspects of Levels One and Two simultaneously. The assistant examiner may also complete aspects of Levels Two and Three simultaneously. The responsibility is placed on Reserve Bank management and training staff to ensure that courses are taken at a relevant time in an assistant IT examiner’s career. Based upon an individual examiner’s skill advancement and the timing of the CISA examination, it may be appropriate for the assistant IT examiner to complete Level Three training courses prior to completing the CISA examination. For example, the assistant IT examiner may complete all or some of the Level Three training requirements before completing the CISA review course and CISA examination. This flexibility is in recognition that the CISA examination is offered twice per year.

The time frame for entry-level IT examiners to obtain the CISA designation approximates the time required for all entry-level examiners to achieve an examiner commission. Under normal circumstances, it should take an assistant IT examiner three to five years to complete the training requirements, the First Proficiency Examination, and the CISA examination.

After commissioning and based on Reserve Bank needs, IT examiners may obtain additional expertise in Levels Four-A and/or Four-B. IT examiners achieving Level Four-A expertise would be responsible for evaluating larger, more complex organizations. Level Four-B provides knowledge and skills needed in evaluating specific IT risks, platforms, products, emerging technologies, and processes.

Levels Four-A and Four-B training will primarily be achieved through outside programs. The System Staff Development Section’s training center at the Board will act as a clearinghouse of information on these vendor programs that could be accessed by the Reserve Banks. The SDS, based on its own research and recommendations from Reserve Banks, is primarily responsible for providing this information to the training center. The Staff Development training center will also facilitate coordination of course delivery if sufficient System interest in a certain topic is evident. In addition, the System may host Senior Forum seminars focusing on IT issues and technologies as Level Four-A or Four-B training opportunities.

The following table presents an overview of the IT training program requirements during Levels One through Four.

All assistant IT examiners are subject to the training requirements (Levels One, Two, and Three) set forth in this letter. All training requirements leading to the CISA designation and enrollment for the CISA examination should be coordinated through the training staff at the assistant examiner’s Reserve Bank. The SDS and the Reserve Banks will work jointly with the Staff Development training center at the Board to identify and provide Levels Four-A and Four-B training opportunities to System IT staff. Enrollment in these courses will also be facilitated through the Reserve Banks’ training staffs.

Officers in Charge of Supervision are asked to ensure that supervisory personnel and examiners are fully informed of the new training program for their IT examination staffs. Copies of the proposal prepared by the SDS are available from your Reserve Bank’s training staff. If you have questions regarding this letter, please contact William Spaniel, Deputy Associate Director, at (202) 452-3469 or Robert Leibowitz, Manager, System Staff Development, at (202) 973-5078.

Attachments:

1. CISA Program Requirements
2. CACS Conference
3. CISA Examination Content Area

Supersedes:

SR letter 98-36

Cross Reference:

SR letters 91-1, 95-51, 98-2, 98-9, and 98-26

To earn a CISA designation, candidates are required to:

• Successfully complete the 200-question, multiple-choice CISA examination;
• Adhere to ISACA’s Code of Professional Ethics, which is included in the Candidate’s Guide to the CISA Examination and provided to each registered candidate; and
• Submit evidence of a minimum of five years of professional information systems audit, control, or security work experience.¹⁰ Substitution for and waivers of such experience exist.
  • A maximum of one year of IT audit, control, or security experience may be waived by:
    • One full year of audit experience, or
    • One full year of IT experience, or
    • Associate’s degree (60 semester college credits or its equivalent).
  • Two years of IT audit, control, or security experience may be waived by having a bachelor’s degree (120 semester college credits or its equivalent).
  • One year of IT audit, control, or security experience may be waived for each two years of experience as a full-time university instructor in a related field (i.e., computer science, accounting, IT auditing). No maximum limitation applies (i.e., six years of university instructor experience is equal to three years of IT audit, control, or security experience).

Experience must have been gained within the 10-year period preceding the application for certification or within five years from the date of initially passing the examination. All experience will be verified independently with employers. The assistant IT examiner may choose to take the CISA examination prior to meeting the experience requirements. This practice is acceptable, although the CISA designation will not be awarded until all requirements are met.

To receive a comprehensive information package including a current membership application, the assistant IT examiner should contact:

The application for certification must be submitted within five years from the passing date of the CISA examination.

The CACS Conference is offered annually, typically in the spring. The conference format generally consists of more than 70 sessions divided into seven specific educational tracks. One track concentrates on core competencies, with other tracks providing advanced technical knowledge for the senior professional.

A recent core competencies track included the following 11 sessions:

• Introduction to Information Systems Auditing
• Information Security Fundamentals
• Change Management Concepts
• Disaster Recovery
• Systems Development Methodology Auditing
• Applications Auditing
• Data Center Operations
• Information Systems Audit Project Management
• Internet Resources for Information Systems Auditors
• Career Development
• Integrated Auditing

Other tracks have provided training in:

• Internet and Electronic Commerce
• Information Security Issues
• Audit and Security of Enterprise Systems
• Networking and IT Infrastructure
• Advanced Information Security and Audit Principles
• Technology Risk Management

Each of these tracks offers eight to twelve sessions. Participants typically attend all sessions within a track; however, the conference permits the flexibility to attend sessions in other tracks if desired. Contact ISACA for complete information on the next scheduled CACS Conference.

The content areas are defined through a practice analysis that is conducted by an examination’s oversight committee at regular intervals and consists of both process and content components in a CISA’s job function. Accordingly, examinations consist of tasks that are routinely performed by a CISA and the required knowledge to perform these tasks. The following is a brief description of these areas, their definitions, and approximate percentage of test questions allocated to each area.

Evaluate the strategy, policies, standards, procedures and related practices for the management, planning, and organization of IS

Evaluate the effectiveness and efficiency of the organization’s implementation and ongoing management of technical and operational infrastructure to ensure that they adequately support the organization’s business objectives.

Evaluate the logical, environmental, and IT infrastructure security to ensure that it satisfies the organization’s business requirements for safeguarding information assets against unauthorized use, disclosure, modification, damage, or loss.

Evaluate the process for developing and maintaining documented, communicated, and tested plans for continuity of business operations and IS processing in the event of a disruption.

Evaluate the methodology and processes by which the business application system development, acquisition, implementation, and maintenance are undertaken to ensure that they meet the organization’s business objectives.

Evaluate business systems and processes to ensure that risks are managed in accordance with the organization’s business objectives.

Conduct IS audits in accordance with generally accepted IS audit standards and guidelines to ensure that the organization’s information technology and business systems are adequately controlled, monitored, and assessed.