global citp examination - aicpa


Global CITP® Examination content specification outline Effective Sept. 1, 2019

Certified Information Technology Professional


Disclaimer: The contents of this publication do not necessarily reflect the position or opinion of the American Institute of CPAs, its divisions and its committees. This publication is designed to provide accurate and authoritative information on the subject covered. It is distributed with the understanding that the authors are not engaged in rendering legal, accounting or other professional services. If legal advice or other expert assistance is required, the services of a competent professional should be sought.

For more information about the procedure for requesting permission to make copies of any part of this work, please email [email protected] with your request. Otherwise, requests should be written and mailed to the Permissions Department, AICPA, 220 Leigh Farm Road, Durham, NC 27707–8110.

This document is nonauthoritative and is included for informational purposes only.


Contents

The pathway to the CITP credential

High-level content specification outline

Detailed content specification outline
   I. Information Security & Cyber Risks
   II. Business Intelligence, Data Management & Analytics
   III. IT Governance, Risks & Controls


The pathway to the CITP credential

The content of the Certified Information Technology Professional (CITP) Examination was developed to test a candidate’s understanding of the fundamental sections of the CITP body of knowledge. The content of each of the topical sections is described in outline form and provides an overview of the knowledge and skills tested on the CITP Examination.

The examination questions are intended to test each content area and its logical extensions. The percentage following each major content area in the outline represents the approximate weighting for that content area. The examination is fully computerized and consists of multiple-choice questions only.

High-level content specification outline

Module I: Information Security & Cyber Risks

A. Information Security Governance (25%)

1. Information security strategy

2. Policy, procedures, processes, and standards

3. Logical access controls

4. Hardware and physical access controls

5. Security authorization & authentication

6. Business continuity & disaster recovery

B. Cybersecurity Risk Management (12%)

1. Cybersecurity threats

2. Data breaches and privacy

3. Vulnerability management

C. SOC for Cybersecurity (3%)

1. Purpose

2. Content

3. Target audiences

4. How to use in conjunction with cybersecurity risk mitigation


Module II: Business Intelligence, Data Management and Analytics

A. Data Management (5%)

1. Information lifecycle management

2. Infrastructures and platforms

3. Data preparation/manipulation

4. Data governance

B. Data Analysis & Reporting (11%)

1. Data analytics

2. Predictive analytics

3. Audit data analytics

C. Business Intelligence Management (4%)

1. Digital transformation & technology disruptors

2. Data integration

3. Data warehousing

Module III: IT Governance, Risks & Controls

A. IT Governance & Strategy (15%)

1. Role of IT governance within an organization

2. IT governance principles

3. IT governance roles & responsibilities

4. IT governance implementation

5. Benefits of effective IT governance

B. IT Risks, Process & Controls (15%)

1. IT risk identification and assessment

2. IT control frameworks

3. IT general controls

4. Application controls

5. Business process management

6. Change management

7. Assessment of IT controls

C. System and Organization Controls Reporting (10%)

1. System and Organization Controls Reporting Overview

2. Types of Reporting

Detailed content specification outline

Module I. Information Security & Cyber Risks

This module focuses on the security and risk management of systems and environments, including the use of the SOC for Cybersecurity report as a tool for reporting IT security and risk management for companies.

Information Security Governance — Covers the key areas of information security, including strategy, policies/procedures, control environments, and business continuity/disaster recovery; includes fundamental knowledge of various IT governance frameworks, logical access at the various levels of the “stack,” and the internal control structure of design, implementation, monitoring, and detection/reporting.

Cybersecurity Risk Management — Covers the major threat vectors for systems, including cyber adversaries, the cybercrime economy and various types of attacks; also includes data breaches and their impact on information privacy, as well as how to manage system vulnerabilities.

SOC for Cybersecurity — Covers the SOC for Cyber report, including report content, target users and use of the report in conjunction with an entity’s overall cybersecurity risk mitigation strategy.

A. Information Security Governance (25%)

1. Information security strategy
   a. Objectives
   b. Components
   c. Alignment with organizational strategy, IT strategy

Relevant AICPA education resources:
Information Security Governance, CPE self-study. Authors: Gwen Bettwy, Mark Williams, Mike Beavers. Publisher: AICPA. Module 1 — Information Security Governance

2. Policy, procedures, processes, and standards
   a. Frameworks
   b. Compliance with applicable laws and regulations
   c. Roles and responsibilities

Relevant AICPA education resources:
Information Security Governance, CPE self-study. Authors: Gwen Bettwy, Mark Williams, Mike Beavers. Publisher: AICPA. Module 1 — Information Security Governance

3. Logical access controls
   a. Objectives
   b. Data (transactional) level
   c. Application and financial system level
   d. Network level
   e. Identifying, designing, implementing, monitoring, detecting and reporting

Relevant AICPA education resources:
Information Security Governance, CPE self-study. Authors: Gwen Bettwy, Mark Williams, Mike Beavers. Publisher: AICPA. Module 3 — Logical access controls

4. Hardware and physical access controls
   a. Objectives
   b. Identifying, designing, implementing, monitoring, detecting and reporting

Relevant AICPA education resources:
Information Security Governance, CPE self-study. Authors: Gwen Bettwy, Mark Williams, Mike Beavers. Publisher: AICPA. Module 4 — Physical access controls

5. Security authorization and authentication

Relevant AICPA education resources:
Information Security Governance, CPE self-study. Authors: Gwen Bettwy, Mark Williams, Mike Beavers. Publisher: AICPA. Module 2 — Identity and access management

6. Business continuity and disaster recovery
   a. Business continuity plan (BCP)
   b. Disaster recovery plan (DRP)
   c. Incident response plan (IRP)
   d. Data backup and recovery

Relevant AICPA education resources:
Information Security Governance, CPE self-study. Authors: Gwen Bettwy, Mark Williams, Mike Beavers. Publisher: AICPA. Module 6 — Business continuity management

B. Cybersecurity Risk Management (12%)

1. Cybersecurity threats
   a. Primary types of cyber adversaries (how to identify, what is their motivation)
      1. How to identify
      2. What is their motivation
      3. How to manage/mitigate risk
      4. Terms to use — Hacktivists, Nation states, Cybercriminals, Insider threat, Competitors
   b. Cybercrime economy (what could potentially drive a cybercrime against a company)
   c. Types of attacks
      1. How to identify
      2. Effect on the business/financials
      3. How to manage/mitigate risk
      4. Terms to use — Classic buffer overflow, Web-based application attacks, Denial of Service/DDoS, Malware, ransomware, and spyware, phishing/spear phishing, Social engineering

Relevant AICPA education resources:
Cybersecurity Fundamentals for Finance & Accounting Professionals Certificate Program, CPE self-study. Author: Christopher J. Romeo. Publisher: AICPA

2. Data breaches and privacy
   a. Causes of a data breach
   b. Organizational impact of a data breach
   c. Post breach response (business/financial point of view)
   d. Personally Identifiable Information (PII)

Relevant AICPA education resources:
Cybersecurity Fundamentals for Finance and Accounting Professionals Certificate Program, CPE self-study. Author: Christopher J. Romeo. Publisher: AICPA

3. Vulnerability management
   a. Gap analysis, readiness and risk assessments, vulnerability assessments, penetration testing (identification of vulnerabilities and how they could impact business/financials)
   b. Security policy & plan development (input regarding business/financial implications in the policies/procedures)
      1. Identity and access management (IAM)
      2. Data loss management and prevention

Relevant AICPA education resources:
Cybersecurity Fundamentals for Finance and Accounting Professionals Certificate Program, CPE self-study. Author: Christopher J. Romeo. Publisher: AICPA

C. AICPA Cybersecurity Risk Management Reporting Framework (SOC for Cybersecurity) (3%)

1. Purpose

Relevant AICPA education resources:
SOC for Cybersecurity Certificate Program, CPE self-study. Authors: Tony Chapman, Anurag Sharma. Publisher: AICPA

2. Content

Relevant AICPA education resources:
SOC for Cybersecurity Certificate Program, CPE self-study. Authors: Tony Chapman, Anurag Sharma. Publisher: AICPA

3. Target audiences

Relevant AICPA education resources:
SOC for Cybersecurity Certificate Program, CPE self-study. Authors: Tony Chapman, Anurag Sharma. Publisher: AICPA

Detailed content specification outline

Module II. Business Intelligence, Data Management & Analytics

This module focuses on information management and the utilization of information to provide value in decision-making and other managerial needs.

Data Management — Covers the information lifecycle, from identification of system information through destruction and the various types of infrastructures and ERPs to support data; also discusses how data is collected and manipulated, including consolidation, cleaning, transformation, reduction, processing, etc.; lastly, covers the governance of data including objectives, strategy, and policies.

Data Analysis & Reporting — Covers the various types of data analytics, the tools and procedures to perform an analysis, and the methods of reporting and performance indicators; also covers the use of predictive analytics, including the various models, techniques, applications and deployment; lastly, covers the integration of analytics in the audit process, including risks and assertions, and continuous assurance.

Business Intelligence Management — Covers the various forms of technology disruptors, including cloud tech, IoT, and AI; also covers the use of data integration (ETL, EAI and EDR) as well as data warehousing (Active, OLAP, ROLAP, MOLAP, HOLAP and DOLAP).

A. Data Management (5%)

1. Information Lifecycle Management
   a. Identify
   b. Capture
   c. Manage
   d. Utilize
   e. Archive
   f. Retention
   g. Destruction

Relevant AICPA education resources:
Data Analysis Fundamentals Certificate Program, CPE self-study. Publisher: AICPA
Data Analytics Modeling Certificate Program, CPE self-study. Publisher: AICPA

2. Infrastructures & platforms
   a. Types of Infrastructure/Platforms typically employed
      1. ERP or other enterprise software
         i. ERP implementation
      2. Data warehouse infrastructure

Relevant AICPA education resources:
Data Analytics Modeling Certificate Program, CPE self-study. Publisher: AICPA
Data Visualization Certificate Program, CPE self-study. Publisher: AICPA
Analytics and Big Data for Accountants, CPE self-study. Author: Jim Lindell. Publisher: AICPA

3. Data preparation/manipulation
   a. Data consolidation
   b. Data mapping and collection
   c. Data selection
   d. Data cleaning
   e. Data transformation
   f. Data reduction
   g. Data processing

Relevant AICPA education resources:
Data Analytics Modeling Certificate Program, CPE self-study. Publisher: AICPA
Analytics and Big Data for Accountants, CPE self-study. Author: Jim Lindell. Publisher: AICPA

4. Data governance
   a. Objectives
   b. Principles
   c. Strategy
   d. Policy
   e. Architecture

Relevant AICPA education resources:
Data Analysis Fundamentals Certificate Program, CPE self-study. Publisher: AICPA
Analytics and Big Data for Accountants, CPE self-study. Author: Jim Lindell. Publisher: AICPA
Information Security Governance, CPE self-study. Authors: Gwen Bettwy, Mark Williams, Mike Beavers. Publisher: AICPA. Module 1 — Information Security Governance

B. Data Analysis & Reporting (11%)

1. Data analytics
   a. Types
      1. Quantitative analysis
      2. Descriptive statistics
      3. Data visualization
   b. Tools, techniques, and procedures
   c. Performance metrics and reporting

Relevant AICPA education resources:
Data Analysis Fundamentals Certificate Program, CPE self-study. Publisher: AICPA
Data Visualization Certificate Program, CPE self-study. Publisher: AICPA
Analytics and Big Data for Accountants, CPE self-study. Author: Jim Lindell. Publisher: AICPA

2. Predictive analytics
   a. Types
      1. Predictive models
      2. Descriptive models
      3. Decision models
   b. Techniques
      1. Regression
      2. Machine learning
   c. Applications of predictive analytics
   d. Deployment

Relevant AICPA education resources:
Forecasting and Predictive Analytics Certificate Program, CPE self-study. Publisher: AICPA
Data Analytics Modeling Certificate Program, CPE self-study. Publisher: AICPA
Analytics and Big Data for Accountants, CPE self-study. Author: Jim Lindell. Publisher: AICPA

3. Audit data analytics
   a. Integrating analytics into the audit process
      1. Audit applications of data analytics
      2. Correlating audit tasks to risks and assertions
      3. Continuous assurance

Relevant AICPA education resources:
Integrating Audit Data Analytics into the Audit Process, CPE self-study. Publisher: AICPA
Analytics and Big Data for Accountants, CPE self-study. Author: Jim Lindell. Publisher: AICPA

C. Business Intelligence Management (4%)

1. Digital transformation & technology disruptors
   a. Cloud
   b. Internet of Things (IoT)
   c. Artificial intelligence

Relevant AICPA education resources:
Data Analysis Fundamentals Certificate Program, CPE self-study. Publisher: AICPA
Analytics and Big Data for Accountants, CPE self-study. Author: Jim Lindell. Publisher: AICPA

2. Data integration
   a. Extract, Transform, and Load (ETL)
   b. Enterprise Application Integration (EAI)
   c. Enterprise Data Replication (EDR)

Relevant AICPA education resources:
Data Analytics Modeling Certificate Program, CPE self-study. Publisher: AICPA
Analytics and Big Data for Accountants, CPE self-study. Author: Jim Lindell. Publisher: AICPA
Data Analysis Fundamentals Certificate Program, CPE self-study. Publisher: AICPA

3. Data warehousing
   a. Role in supporting BI
   b. Architecture and components
   c. Types
      1. Active Data Warehousing
      2. Multi-dimensional Analysis — OLAP
      3. ROLAP, MOLAP, HOLAP and DOLAP

Relevant AICPA education resources:
Data Analytics Modeling Certificate Program, CPE self-study. Publisher: AICPA
Data Visualization Certificate Program, CPE self-study. Publisher: AICPA
Analytics and Big Data for Accountants, CPE self-study. Author: Jim Lindell. Publisher: AICPA

Detailed content specification outline

Module III. IT Governance, Risks & Controls

This includes knowledge pertaining to information technology risk and advisory services, engagement compliance, and IT controls and assessment. It also covers knowledge of various IT frameworks and related controls, including the use of SOC reporting as a framework to showcase a service organization’s internal control environment.

IT Governance & Strategy — Covers the objectives, strategic planning, implementation and management of the IT function within an organization, as well as mitigation of risk; focuses on the management of value, resources, and performance in relation to key components and best practices of the IT function.

IT Risks, Process, & Controls — Discusses various IT frameworks, including COSO and COBIT, and the integration of frameworks with IT assessments; covers a variety of key control areas for IT assessments, including ITGCs, application, business process and change management controls.

System and Organizational Controls (SOC) Reporting — Focuses on the purposes for SOC reporting, the users of SOC reports, and the responsibilities of user auditors.

A. IT Governance & Strategy (15%)

1. Role of IT governance within an organization
   a. IT governance objectives
   b. Management of the IT function
   c. Mitigation of IT risk
   d. IT strategic plan
      1. Alignment with organizational strategy

Relevant AICPA education resources:
IT Governance, Risks & Controls, CPE self-study. Publisher: AICPA. Module 1 — Role of IT Governance
Information Strategy, CPE self-study. Author: Kaplan Publishing Limited. Publisher: AICPA

2. IT governance principles
   a. Strategy and planning
      1. Key components
      2. Best practices
   b. Value delivery management
      1. Key components
      2. Best practices
   c. Resource management
      1. Key components
      2. Best practices
   d. Risk management
      1. Key components
      2. Best practices
   e. Performance management
      1. Key components
      2. Best practices

Relevant AICPA education resources:
IT Governance, Risks, and Controls, CPE self-study. Publisher: AICPA. Module 1 — Role of IT Governance

3. IT governance roles and responsibilities

Relevant AICPA education resources:
IT Governance, Risks, and Controls, CPE self-study. Publisher: AICPA. Module 1 — Role of IT Governance

4. IT governance implementation

Relevant AICPA education resources:
IT Governance, Risks, and Controls, CPE self-study. Publisher: AICPA. Module 2 — Implement and Assess IT Governance

5. Benefits of effective IT governance

Relevant AICPA education resources:
IT Governance, Risks, and Controls, CPE self-study. Publisher: AICPA. Module 2 — Implement and Assess IT Governance

B. IT Risks, Process & Controls (15%)

1. IT risk identification and assessment

Relevant AICPA education resources:
IT Governance, Risks, and Controls, CPE self-study. Publisher: AICPA. Module 3 — IT Risk Management
Risk and Control of Information Systems, CPE self-study. Author: Kaplan Publishing Limited. Publisher: AICPA

2. IT control frameworks
   a. COSO
      1. Categories of objectives
      2. Integrated components & principles
   b. COBIT
      1. Domains
   c. Integration of control frameworks

Relevant AICPA education resources:
COSO Internal Control Certificate Program, CPE self-study. Publisher: Committee of Sponsoring Organizations’ (COSO)
Internal Control and COSO Essentials for Financial Managers, Accountants and Auditors, CPE self-study. Author: Glenn L. Helms
IT Governance, Risks, and Controls, CPE self-study. Publisher: AICPA. Module 4 — IT Controls

3. IT general controls
   a. Objectives of IT general controls
   b. Types of IT general controls (including ERP)

Relevant AICPA education resources:
IT Governance, Risks, and Controls, CPE self-study. Publisher: AICPA. Module 4 — IT Controls
Risk and Control of Information Systems, CPE self-study. Author: Kaplan Publishing Limited. Publisher: AICPA
Information Security Governance, CPE self-study. Authors: Gwen Bettwy, Mark Williams, Mike Beavers. Publisher: AICPA. Module 3 — Logical access controls

4. Application controls
   a. Objectives of application controls
   b. Input controls
   c. Processing controls
   d. Output controls

Relevant AICPA education resources:
IT Governance, Risks, and Controls, CPE self-study. Publisher: AICPA. Module 4 — IT Controls
Risk and Control of Information Systems, CPE self-study. Author: Kaplan Publishing Limited. Publisher: AICPA
Information Security Governance, CPE self-study. Authors: Gwen Bettwy, Mark Williams, Mike Beavers. Publisher: AICPA. Module 3 — Logical access controls

5. Business process management
   a. Business processes that impact financial data
   b. Integration of internal controls into business processes
   c. Business activity monitoring and key performance indicators
   d. Continuous monitoring techniques, applicable tools

Relevant AICPA education resources:
IT Governance, Risks, and Controls, CPE self-study. Publisher: AICPA. Module 5 — IT Controls Monitoring

6. Change management
   a. Configuration management
   b. Software management
   c. Operating system management
   d. Network management
   e. Software and system evaluation, acquisition & implementation
   f. Segregation of duties

Relevant AICPA education resources:
The Purpose and Management of the Technology and Information Function, CPE self-study. Publisher: AICPA
IT Governance, Risks, and Controls, CPE self-study. Publisher: AICPA. Module 3 — IT Risk Management

7. Assessment of IT controls
   a. Testing of IT controls
      1. Planning
      2. Evidence gathering and the nature, timing and extent of procedures
      3. Computer-assisted audit techniques (CAATs)
   b. Deficiency evaluation of IT related controls
      1. Control deficiency
      2. Significant deficiency
      3. Material weakness
      4. Aggregation of deficiencies
   c. Materiality/Impact to the Entity
      1. Risk of Material Misstatement

Relevant AICPA education resources:
IT Governance, Risks, and Controls, CPE self-study. Publisher: AICPA. Module 4 — IT Controls
Internal Control and Risk Assessment: Key Factors in a Successful Audit, CPE self-study. Author: Lynford Graham

C. System and Organization Controls Reporting (10%)

1. System and Organization Controls Reporting Overview
   a. Reporting purposes and intended users
   b. Responsibilities of management of the service organization
   c. Responsibilities of service auditors
   d. Use in vendor management

Relevant AICPA education resources:
Introduction to SOC for Service Organizations Reporting, CPE self-study. Author: Patrick A. Morin. Publisher: AICPA

2. Types of Reporting
   a. Report on Controls at a Service Organization Relevant to User Entities’ Internal Control over Financial Reporting
      1. Reporting criteria and report content
      2. Performing an engagement as a service auditor
      3. Evaluating and reviewing a report from a user or user auditor perspective
   b. Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy
      1. Reporting criteria and report content
      2. Performing an engagement as a service auditor
      3. Evaluating and reviewing a report from a user or user auditor perspective

Relevant AICPA education resources:
Introduction to SOC for Service Organizations Reporting, CPE self-study. Author: Patrick A. Morin. Publisher: AICPA
SOC for Service Organizations Deep Dive, CPE self-study. Authors: Jeffrey S. Locketz, Sean Linton. Publisher: AICPA


P: 888.777.7077 | F: 800.363.5066 | E: [email protected] | W: aicpa.org/CITP

© 2019 Association of International Certified Professional Accountants. All rights reserved. AICPA and American Institute of CPAs are trademarks of the American Institute of Certified Public Accountants and are registered in the United States, the European Union and other countries. The Globe Design is a trademark owned by the Association of International Certified Professional Accountants and licensed to the AICPA. 1904-29444