CITP Examination Content Specification Outline

© 2016 American Institute of CPAs. All rights reserved.

DISCLAIMER: The contents of this publication do not necessarily reflect the position or opinion of the American Institute of CPAs, its divisions and its committees. This publication is designed to provide accurate and authoritative information on the subject covered. It is distributed with the understanding that the authors are not engaged in rendering legal, accounting or other professional services. If legal advice or other expert assistance is required, the services of a competent professional should be sought.

For more information about the procedure for requesting permission to make copies of any part of this work, please email [email protected] with your request. Otherwise, requests should be written and mailed to the Permissions Department, AICPA, 220 Leigh Farm Road, Durham, NC 27707-8110.

TABLE OF CONTENTS

The Pathway to the CITP Credential ..... 2
High-Level Content Specification Outline ..... 2
   Module 1 — Information Management ..... 2
   Module 2 — Information Technology Risk & Advisory ..... 3
Detailed Content Specification Outline ..... 5

AICPA CITP Examination Content Specification Outline | 1

THE PATHWAY TO THE CITP CREDENTIAL

The content of the Certified Information Technology Professional (CITP®) Examination was developed to test a candidate’s understanding of the fundamental sections of the CITP body of knowledge. The content of each of the topical sections is described in outline form and provides an overview of the knowledge and skills tested on the CITP Examination.

The examination questions are intended to test each content area and its logical extensions. The percentage range following each major content area in the outline represents the approximate weighting for that content area. The examination is fully computerized and consists of multiple-choice questions only.

High-Level Content Specification Outline

Module 1 — Information Management

A. Information Management (20–25%)
   1. Data management
   2. Information lifecycle management
   3. System development/capital acquisition and improvement
   4. Application integration
   5. Business performance management
   6. Solution administration, monitoring and governance

B. Information Governance (25–30%)
   1. Policies, procedures and standards
   2. Access
   3. Software and other process controls
   4. Security authorization and authentication
   5. Encryption
   6. Business continuity and disaster recovery
   7. Regulatory compliance (privacy and cybersecurity)

C. Accounting Operations Technology Services (5–10%)
   1. Solution implementation and delivery
   2. Business process design and engineering

Module 2 — Information Technology Risk & Advisory

A. Information Technology Risk & Advisory Services (10–15%)
   1. IT considerations to the financial statement audit
   2. Considerations for businesses using vendors
   3. IT reviews and consulting engagements
   4. Internal audit

B. Engagement Compliance (5–10%)
   1. Techniques and procedures
   2. Planning
   3. Risk
   4. Scope
   5. Evidence-gathering
   6. Sampling
   7. Fraud considerations
   8. Reporting

C. IT Controls & Assessment (15–20%)
   1. IT controls
   2. Assessment of IT controls

DETAILED CONTENT SPECIFICATION OUTLINE

MODULE 1 — INFORMATION MANAGEMENT

This module covers knowledge pertaining to Information Management, Information Governance and Accounting Operations Technology Services.

Information Management ensures that information is managed such that it provides value in decision-making and serves other managerial needs. The foundation of effective information management is a thorough understanding of the structures and processes associated with managing information from creation or capture through disposition or destruction, and the ability to apply data analysis and reporting concepts to analyze enterprise performance.

Information Governance centers around the policies, procedures and standards in place to ensure the confidentiality, integrity and availability of information.

Accounting Operations Technology Services focus on the use of IT to create or modify workflows and business processes that have the potential to make more effective use of resources.

A. Information Management (20–25%)

1. Data Management
   a. Types of infrastructure/platforms typically employed
   b. Data prep/manipulation
   c. Data analysis: functions, tools and approaches
      1) Business intelligence and analytics
   d. Information traceability
      1) Source traceability
      2) Transformation traceability
   e. Information quality

2. Information Lifecycle Management
   a. Identify
   b. Capture
   c. Manage
   d. Utilize
   e. Archive
   f. Retention policy
   g. Destruction

3. System Development/Capital Acquisition and Improvement
   a. Policy and procedure
   b. Planning/budget
   c. Test phase
   d. Implementation
   e. System development risk
   f. Customization risks
   g. Reduction of risk through commercial software

Referenced Readings

AICPA. “An Overview of Data Management.” 2013.

AICPA. “Why Predictive Analytics Should Be a CPA Thing.” 2014.

AICPA. “How CPAs Can Drive Business Intelligence.”

AICPA. “Information for Advantage and Knowledge Management.” 2015.

AICPA. “Strategic Business Management: From Planning to Performance.” 2012.

AICPA Clarified Statement of Auditing Standards. AU-C § 500 Audit Evidence.

Krishnan, Krish. “Data Warehousing in the Age of Big Data.” Morgan Kaufmann. 2013. Chapter 12.

AICPA. “A Practice Aid for Records Retention.” 2012.

AICPA. “A Job Aid to the Solution Selection Process.” 2014.

Sherman, Richard. “Business Intelligence Guidebook.” Morgan Kaufmann. 2014. Chapter 7 – Technology and Product Architectures.

A. Information Management (20–25%) (continued)

4. Application Integration
   a. Application integration framework
   b. Conceptualizing application integration for information management
   c. Financial systems/other systems/electronic medical record (EMR)
   d. Outside vendor management

5. Business Performance Management
   a. Budget and profitability management
   b. Performance metrics and reporting

6. Solution Administration, Monitoring, and Governance
   a. Continuous monitoring
   b. Business activity monitoring
   c. Business solution governance

Referenced Readings

Misra, Harekrishna; Rahman, Hakikur. “Managing Enterprise Information Technology Acquisitions.” IGI Global. 2013. Chapter 5 – Conceptualization of IT Acquisition Life Cycle Management Model.

AICPA. “Find Out Why You Need Corporate Performance Management Software and Make Better Business Decisions.” 2010.

AICPA. “Is Your Company Trying to Eliminate All Vulnerabilities?” 2010.

AICPA. “Build a Performance Management Plan That Works.” 2012.

B. Information Governance (25–30%)

1. Policies, Procedures and Standards

2. Access
   a. Logical access
      1) Data (transaction) level
      2) Application and financial system level
         i. Evaluate and test application controls
         ii. Evaluate and test segregation of duties
         iii. Evaluate and test spreadsheet controls
      3) Operating system level
      4) Network level
         i. Firewalls
         ii. Network access controls
   b. Hardware and physical access
      1) Access to server room, building facilities and sensitive hardcopy records

3. Software and Other Process Controls

4. Security Authorization and Authentication

5. Encryption

Referenced Readings

Lanz, Joel. “Communicating Cybersecurity Risks to the Audit Committee.” The CPA Journal. May 2016 Issue.

Merkow, Mark; Breithaupt, Jim. “Information Security: Principles and Practices, Second Edition.” Pearson Certification. 2014. Chapter 2 – Information Security Principles of Success; Chapter 4 – Governance and Risk Management; Chapter 6 – Business Continuity Planning and Disaster Recovery Planning; Chapter 8 – Physical Security Control — Understanding the Physical Security Domain.

Turner, Leslie; Weickgenannt, Andrea. “Accounting Information Systems: The Processes and Controls, 2nd Edition.” John Wiley and Sons. 2013. Module 2, Chapter 4 – Internal Control and Risks in IT Systems; Module 2, Chapter 7 – Auditing Information Technology-Based Processes; Module 4, Chapter 14 – E-Commerce and E-Business.

B. Information Governance (25–30%) (continued)

6. Business Continuity and Disaster Recovery
   a. Business continuity planning (BCP)
   b. Disaster recovery (DRP)
   c. Contingency planning
      1) Incident response
      2) Data backup
   d. Testing

7. Regulatory Compliance (Privacy and Cybersecurity)

Referenced Readings

AICPA. “5 Steps CPAs Can Take to Fight Hackers.” Journal of Accountancy. April 2016.

AICPA. “Business Continuity: Tools and Techniques.” 2011.

AICPA. “The Top 5 Cybercrimes.” 2013.

AICPA Clarified Statement of Auditing Standards. AU-C § 935 Compliance Audits.

PCI Security Standards Council. “Payment Card Industry (PCI) Data Security Standard: Requirements and Security Assessment Procedures, Version 3.2.” 2016.

C. Accounting Operations Technology Services (5–10%)

1. Solution Implementation and Delivery

2. Business Process Design and Engineering
   a. Understanding of business processes that affect financial data
   b. Proper design and integration of internal controls into business processes

Referenced Readings

AICPA. “A CPA’s Approach to Business Solution Implementations.” 2013.

MODULE 2 — INFORMATION TECHNOLOGY RISK AND ADVISORY

This module covers knowledge pertaining to Information Technology Risk and Advisory Services, Engagement Compliance, and IT Controls and Assessment.

Information Technology Risk and Advisory knowledge centers around the considerations of IT risks, whether as part of a financial statement audit, service organization control report, internal IT audit, IT review, or IT consulting engagement.

Engagement Compliance covers knowledge of techniques and procedures used in conjunction with assurance and advisory services. This includes components of planning, risk assessment, and evidence gathering.

IT Controls and Assessment covers knowledge pertaining to IT controls, in relation to the integration of internal control frameworks with financial reporting, management considerations of internal controls, and change management procedures.

A. Information Technology Risk and Advisory Services (10–15%)

1. IT Considerations to the Financial Statement Audit

2. Considerations for Businesses Using Vendors
   a. Service Organization Control Reports
      1) SOC 1 reports
      2) SOC 2 reports
      3) SOC 3 reports

3. IT Reviews and Consulting Engagements
   a. Information compliance
      1) Internal policy and procedure

4. Internal Audit
   a. Audit universe
   b. Specific audit programs
   c. Assessment of IT risk
   d. Work paper documentation
   e. Nature/substance of an audit report
   f. Board reporting

Referenced Readings

AICPA Clarified Statement of Auditing Standards. AU-C § 402 Audit Considerations Relating to an Entity.

AICPA Clarified Statement of Auditing Standards. AU-C § 935 Compliance Audits.

AICPA. “Trust Services Principles and Criteria.” 2016.

AICPA. “Service Organizations: Reporting on Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting Guide (SOC 1).” 2013.

AICPA. “Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC 2®) – AICPA Guide.” 2015.

Weiss, Martin; Solomon, Michael. “Auditing IT Infrastructures for Compliance.” Jones and Bartlett Learning. 2010. Part Two, Auditing for Compliance: Frameworks, Tools, and Techniques.

Gantz, Stephen. “The Basics of IT Audit.” Syngress. 2013. Chapter 3 – Internal Auditing; Chapter 6 – IT Audit Components.

B. Engagement Compliance (5–10%)

1. Techniques and Procedures

2. Planning
   a. Research/process documentation/flowcharting
   b. Understanding business environment and processes
      1) Complexity of business
      2) Assess the level of IT sophistication, and degree of F/R reliance on IT
      3) Business or accounting change, such as within business process and cycles
      4) Executive management functions

3. Risk
   a. Risk Assessment
      1) Enterprise risk assessment
      2) Financial statement risk assessment
      3) IT risk assessment
      4) Security risk assessment (Audits)
   b. Risk Model
      1) Inherent risk
         i. Entity (economy, industry and entity-specific)
         ii. IT control environment
      2) Control risk
         i. Manual vs. automation; hybrid
         ii. Preventive, detective and corrective controls
         iii. Key vs. non-key controls
         iv. Control gaps
      3) Risk of material misstatement
         i. Combination of inherent and control risk
         ii. Consider applicable account balances, classes of transactions, and disclosures
         iii. Tie to relevant F/S assertions
         iv. Consider adverse effects of the entity’s IT
         v. Assessing RMM due to fraud

Referenced Readings

AICPA Clarified Statement of Auditing Standards. AU-C § 240 Consideration of Fraud in a Financial Statement Audit.

AICPA Clarified Statement of Auditing Standards. AU-C § 265 Communicating I/C Related Matters Identified in an Audit.

AICPA Clarified Statement of Auditing Standards. AU-C § 300 Planning an Audit.

AICPA Clarified Statement of Auditing Standards. AU-C § 315 Understanding the Entity, Its Environment, and Assessing the Risks of Material Misstatement.

AICPA Clarified Statement of Auditing Standards. AU-C § 450 Evaluation of Misstatements Identified During the Audit.

AICPA Clarified Statement of Auditing Standards. AU-C § 500 Audit Evidence.

AICPA Clarified Statement of Auditing Standards. AU-C § 520 Analytical Procedures.

AICPA Clarified Statement of Auditing Standards. AU-C § 530 Audit Sampling.

B. Engagement Compliance (5–10%) (continued)

4. Scope
   a. Develop walkthrough plan
   b. Preparing an IT audit plan
   c. Draft risk assessment report

5. Evidence Gathering
   a. Strategy
   b. Inquiry
   c. Observation
   d. Inspection/reperformance
   e. Analytical procedures

6. Sampling
   a. Methodologies
   b. Size
   c. Technical tools and techniques (CAATs)

7. Fraud Considerations
   a. Digital Evidence
      1) E-discovery rules and processes
      2) Implications of federal and state-specific laws
   b. Detection and Investigation
      1) Use of IT in fraud investigations
      2) Data mining/analysis
         i. Proper digital acquisition tools and procedures
         ii. Determine suitable digital sources

8. Reporting
   a. Information presentation
   b. Information timeliness

Referenced Readings

Cascarino, Richard. “Auditor’s Guide to IT Auditing, Second Edition.” John Wiley and Sons. 2012. Part 1, Chapter 3: IT Risk and Fundamental Auditing Concepts; Part 1, Chapter 6: Risk Management of the IT Function; Part 1, Chapter 7: Audit Planning Process; Part 1, Chapter 9: Audit Evidence Process.

AICPA. “Board and Audit Committee Involvement in Risk Management Oversight.” 2009.

AICPA. “Computer Assisted Audit Techniques or CAATs.” 2010.

Hingarh, Veena; Ahmed, Arif. “Understanding and Conducting Information Systems Auditing + Website.” John Wiley and Sons. 2013. Part 1, Chapter 6 – Risk Based Systems Audit.

C. IT Controls and Assessment (15–20%)

1. IT Controls
   a. COSO Framework
      1) Integration
   b. Management considerations
      1) History and prior control reports
      2) Management’s attention to controls
   c. Control environment
      1) IT strategic plan
      2) IT policies and procedures
         i. Role of IT governance in the control environment
         ii. Role of project management in the control environment
      3) IT Operations
         i. Consider portfolio of systems used or in place
   d. Change management
      1) Policies and procedures
         i. Configuration management
         ii. Software management
         iii. Operating system and network management
      2) Vulnerability management
      3) Systems implications
         i. Accounting and financial reporting systems
         ii. Commercial off-the-shelf software (COTS) vs. customized software
         iii. Enterprise and ERP systems
         iv. E-Business systems and applications
   e. Application controls

2. Assessment of IT Controls
   a. Deficiency evaluation of IT-related controls
      1) Control deficiency, significant deficiency and material weakness
      2) Aggregation of deficiencies
   b. Materiality/impact to the entity
      1) Risk of material misstatement

Referenced Readings

Trugman, Gary R. 2012. Understanding Business Valuation: A Practical Guide to Valuing Small to Medium-Sized Businesses, 4th ed. New York: AICPA, chap. 2, 3, 6, 17, 21–22, 24–25.

Hitchner, James R. 2011. Financial Valuation: Application and Models, 3rd ed. New Jersey: John Wiley & Sons, chap. 16 and 23.

Pratt, Shannon P.; Niculita, Alina V. 2008. Valuing a Business: The Analysis and Appraisal of Closely Held Companies, 5th ed. New York: McGraw-Hill, chap. 37–38, 40–42.

AICPA Consulting Services Special Report 03–1 — Litigation Services and Applicable Professional Standards.

AICPA Consulting Services Practice Aid 96–3 — Communicating in Litigation Services: Reports.

T: 888.777.7077 | F: 800.362.5066 | E: [email protected] | W: aicpa.org/CITP

21010-378