Your Internal Controls is registered with the National Association of State Boards of Accountancy (NASBA) as a sponsor of continuing professional education on the National Registry of CPE Sponsors. State boards of accountancy have final authority on the acceptance of individual courses for CPE credit. Complaints regarding registered sponsors may be addressed to the National Registry of CPE Sponsors, 150 Fourth Avenue North, Suite 700, Nashville, TN, 37219-2417. Web site: www.nasba.org
Course Curriculum & Table of Contents
- Introduction to Information Technology (IT-1A)
- FISCAM (IT-1B)
- Certification and Accreditation (IT – 2)
- Conducting a Privacy Audit (IT – 3)
- Data Reliability Assessments (IT – 4)
- Yellow Book Primer (REGS – 1)
- OMB A-123 (REGS – 2)
- OMB A-133 (REGS – 3)
- SAS 70 (REGS – 4)
- Federal Regulations Affecting IT (REGS – 5)
- Certified Information Systems Auditor – Prep Class (PREP – 1)
- Certification and Accreditation – Prep Class (PREP – 2)
1 - Introduction to Information Technology (IT-1A)
Course Description:
This course is designed for those with little or no background in Information Technology-related concepts. Anyone conducting an IT audit needs a grasp of basic IT concepts; it is very difficult to conduct or prepare for an IT audit until those basic IT skills are acquired. This course serves as the first course to be taken, enabling the student either to conduct an IT audit or to be prepared for others conducting the IT audit.
Who Should Attend This Course:
Typically, the students intended for this course are those who will be conducting IT audits. This course is also designed for those with financial backgrounds who have recently switched to IT. Although this course is technical, it is elementary in nature. The students attending are usually from the Office of Inspector General, who will be conducting the IT audit. Students from the IT organizations within a federal agency have also attended.
Course Length:
2 Days
CPE:
16 credits
Course Objective:
The primary objective of this course is to introduce various IT concepts so that the student is familiar with them and ready either to work with IT auditors or to conduct an IT audit. A further objective is to introduce the student to the vast array of IT concepts so that, as these topics arise throughout their job, they are knowledgeable and ready for their tasks.
Sample Topics:
Introduction to IT
System components (e.g. servers)
Concepts
Firewalls & Intrusion Detection
Physical and Logical security
Encryption & VPN
More
2 - FISCAM (IT-1B)
Course Description:
As part of auditing federal financial statements, it is necessary to obtain an understanding of internal control (e.g. FAM, SAS 103–112, etc.). As part of that understanding, it is critical to assess the systems, applications, and databases that map to the significant line items on the financial statements. As such, this course will cover the mechanics of performing General and Application Controls Reviews while applying the various regulatory and authoritative requirements (e.g. FAM, GAGAS, NIST, etc.). This course will employ the FISCAM methodology for performing General and Application Controls Reviews.
Who Should Attend This Course:
Although this course focuses on IT, it is also tailored for the financial auditor wishing to understand the IT steps in support of the financial statement audit. Both Financial and IT auditors should attend this course.
It is recommended that the attendee have attended IT-1A, or possess basic IT skills prior to attending this course.
Course Length:
2 Days
CPE:
16 credits
Course Objective:
At the completion of this course, students should be able to understand the steps necessary for performing General and Application Controls Reviews. Students should also know where to seek further references and support as part of performing the Reviews.
Sample Topics:
Introduction to General and Application Controls Reviews
General Controls Reviews
Security Management (SM)
Access (AC)
Configuration Management (CM)
Segregation of Duties (SD)
Contingency Planning (CP)
Application Controls Reviews
Understanding the Application
Application Level General Controls (AS)
Business Process Controls (BP)
Interface Controls (IN)
Data Management System Controls (DA)
3 - Certification and Accreditation (IT – 2)
Course Description:
Federal agencies often grapple with the many requirements of a Certification and Accreditation (C&A). A C&A encompasses an array of areas such as FISMA, NIST (800-37, 800-60, FIPS-199, etc.), Privacy regulations, OMB regulations (e.g. how a POA&M should be created and tracked), and more. This course offers a systematic, in-depth look at how to conduct a C&A, as well as how to prepare for a C&A team.
Who Should Attend This Course:
This course should be attended by those performing the C&A, or those IT professionals within a federal agency interacting and responding to the many requests of C&A teams.
Course Length:
2 Days
CPE:
16 credits
Course Objective:
The ultimate objective of this course is to dispel any doubts or inadequacies surrounding the C&A. The student shall complete this course with a firm grasp of C&As. They should be familiar enough to commence performing a C&A, as well as understand the many demands placed by the C&A teams.
Sample Topics:
Introduction to C&As
FISMA requirements
Boundary Scoping
Security Plans
IT Contingency Plans
Privacy Impact Assessments
Security Test & Evaluation (STE) requirements
Security Assessment Reports (SAR)
Finalizing the package
4 - Conducting a Privacy Audit (IT – 3)
Course Description:
Federal agencies are required to ensure a privacy audit is conducted every 2 years. There are many requirements surrounding the privacy audit such as the Privacy Act of 1974, and many OMB memorandums offering further guidance and requirements for compliance. This course will discuss the various regulatory requirements for a privacy audit and ensure the student can either perform the privacy audit or oversee (e.g. OIG capacity) the privacy audit for compliance.
Who Should Attend This Course:
Those wishing to perform the privacy audit or those within OIG overseeing the privacy audit for compliance.
Course Length:
1 Day
CPE:
8 credits
Course Objective:
At the completion of this course, students will be equipped to perform the privacy audit. They will also be well-informed if they wish to oversee others performing the privacy audit.
Sample Topics:
Privacy Act of 1974
FISMA
OMB M-99-05 Instructions on Complying with President’s Memorandum of May 14, 1998, “Privacy and Personal Information in Federal Records”
OMB M-99-19 Guidance and Model Language for Federal Web Site Privacy Policies
OMB M-00-13 Privacy Policies and Data Collection on Federal Web Sites
OMB M-01-05 Guidance on Inter-Agency Sharing of Personal Data
OMB M-03-18, Implementation of E-Government Act of 2002
OMB M-03-22, OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002
OMB M-05-08, Designation of Senior Agency Officials for Privacy
OMB M-06-15 Safeguarding Personally Identifiable Information
OMB M-06-16, Protection of Sensitive Agency Information
OMB M-06-19, Reporting Incidents Involving Personally Identifiable Information and Incorporating the Cost for Security in Agency Information Technology Investments
OMB M-07-16, Safeguarding Against and Responding to Breach of Personally Identifiable Information
OMB M-07-18, Ensuring New Acquisitions Include Common Security Configurations
OMB M-07-19, Reporting Instructions for Federal Information Security Management Act and Agency Privacy Management
OMB M-08-09, New FISMA Privacy Reporting Requirements for FY 2008
5 - Data Reliability Assessments (IT – 4)
Course Description:
If a federal agency wishes to issue a report that has findings, recommendations, or conclusions, and states that it is in compliance with GAGAS, then a data reliability assessment must be performed. This course offers an approach for performing the data reliability assessment. The course uses the methodology proposed by GAO (03-273-G) and expands on it with hands-on discussions drawn from real-life experiences.
Who Should Attend This Course:
Those individuals wishing to perform a Data Reliability Assessment should attend this course. Those individuals involved with performance audits where reports are issued with either findings, recommendations, or conclusions should attend to gain clarification as to the requirements of when to perform a Data Reliability Assessment.
Course Length:
1 Day
CPE:
8 credits
Course Objective:
Students completing this course will be equipped to perform a Data Reliability Assessment. The students will be familiar with the reporting requirements, as well as the steps necessary to complete the Data Reliability Assessment.
Sample Topics:
GAO 03-273-G
What is a Data Reliability Assessment?
When is a Data Reliability Assessment required?
What are the 3 judgment options in the Data Reliability Assessment report?
6 - Yellow Book Primer (REGS – 1)
Course Description:
This course covers the basics of complying with the Yellow Book (GAGAS). This course will walk through the various components of the Yellow Book and discuss the various requirements to ensure that the attendees are well-informed. This course acts as a primer by covering the main topics listed in the Yellow Book.
Who Should Attend This Course:
This course is designed for any professional wishing to understand the requirements set forth in the Yellow Book.
Course Length:
1 Day
CPE:
8 credits
Course Objective:
At the completion of this course, students should be able to understand the requirements contained within the Yellow Book (e.g. General, Fieldwork, and Reporting standards) for financial statement audits, performance audits, and attestation engagements.
Sample Topics:
Introduction
Organization of the Yellow Book
Applicability
Types of Audits and Attestation Engagements
General, Fieldwork, and Reporting Standards
7 - OMB A-123 (REGS – 2)
Course Description:
This course covers the fundamentals of adhering to A-123 relating to IT. A-123 incorporates many other regulatory requirements, and as such, this course will work to explain the compliance related requirements of A-123 and incorporate other authoritative requirements at the same time. This course will also address lessons learned, pitfalls to avoid, and best practices from across the Federal government.
Who Should Attend This Course:
This course is for anyone wishing to apply the requirements of A-123. It is for both financial and IT personnel, as it teaches the mechanics of adhering to the A-123 requirements; however, the examples used in class lean towards IT controls.
Course Length:
1 Day
CPE:
8 credits
Course Objective:
At the completion of this course, students should be able to apply the requirements contained within A-123.
Sample Topics:
Introduction
Revisions
Sources for Implementing A-123
How to Implement
Challenges
Lessons Learned
8 - OMB A-133 (REGS – 3)
Course Description:
This course covers the basics of complying with the IT aspects of A-133 in accordance with GAGAS. A-133 specifically states that this engagement should comply with GAGAS, and GAGAS recommends the FAM as the guidance. As such, this course will incorporate the FAM guidance for employing the IT aspects of an A-133 engagement. Specifically, section 300 of the FAM details the various requirements for obtaining an understanding of internal control as part of the A-133 engagement. This course will focus on those aspects and apply the IT internal control steps necessary to comply with A-133.
Who Should Attend This Course:
This course is for anyone wishing to apply the requirements of A-133. This course is for both financial and IT personnel, as this teaches the mechanics of adhering to the A-133 requirements.
Course Length:
1 Day
CPE:
8 credits
Course Objective:
At the completion of this course, students should be able to apply the requirements contained within GAGAS and the FAM relating to IT internal controls.
Sample Topics:
Introduction
GAGAS Requirements
FAM section 300 Requirements
Testing Internal Controls in Compliance with A-133
9 - SAS 70 (REGS – 4)
Course Description:
SAS 70 is one of the more misunderstood standards and is difficult to implement correctly. There are a number of challenges to consider when performing a SAS 70 Review (e.g. timing, the number of customers depending on the report, Type I versus Type II, the first year of implementation, etc.). This course will teach the fundamentals of a SAS 70 and provide real examples of how to ensure the standards are met.
Who Should Attend This Course:
This course is for anyone wishing to understand a SAS 70. This course is for both financial and IT personnel, as this teaches the mechanics of adhering to the SAS 70 requirements.
Course Length:
1 Day
CPE:
8 credits
Course Objective:
At the completion of this course, students should be able to understand the different types of a SAS 70 (e.g. readiness Review, Type I, and Type II), the various sections of the report (e.g. Sections 1-4), and the pitfalls to avoid in implementing the SAS 70.
Sample Topics:
Introduction
Internal Control (e.g. COSO)
Form and Content
Performing the Engagement
Other Considerations
10 - Federal Regulations Affecting IT (REGS – 5)
Course Description:
Federal managers must be familiar with a vast amount of federal regulations. As such, this course provides insight into the many requirements so that federal managers will be knowledgeable in their job functions.
Who Should Attend This Course:
Federal managers wishing to understand the many federal requirements promulgated throughout the federal government.
Course Length:
1 Day
CPE:
8 credits
Course Objective:
Whether a federal manager is trying to comply with OMB, GAGAS, NIST, or Congressional Acts, this course will ensure that students are aware of the various federal regulations so that they can perform their jobs effectively.
Sample Topics:
NIST (e.g. 800-18, 30, 37, 60, FIPS-199, FIPS-200, etc.)
OMB circulars (A-50, 123, 127, and 130)
OMB Memorandums
GAO
Congressional Acts
FISMA
IPIA
CFO Act
GPRA
FMFIA
11 - Certified Information Systems Auditor – Prep Class (PREP – 1)
Course Description:
This course will discuss and provide hands-on exercises surrounding the topics covered on the CISA exam. The CISA certification has become a prestigious title to possess, and as such, many employers are demanding that their employees seek this certification. The course will provide the necessary preparations so that the student can pass the CISA exam on their first attempt.
Who Should Attend This Course:
This course is designed to provide hands-on instruction for those wishing to attain the CISA certification.
Course Length:
4 Days
CPE:
32 credits
Course Objective:
The ultimate objective is that students completing this course will be ready for the CISA exam and pass it on the first attempt.
Sample Topics:
IT Audit
Governance
Systems & Infrastructure Lifecycle Management
Service Delivery & Support
Protection of Information Assets
Business Continuity & Disaster Recovery
12 - Certification and Accreditation – Prep Class (PREP – 2)
Course Description:
This course will discuss and provide hands-on exercises surrounding the topics covered on the CAP exam. The CAP certification has become a prestigious title to possess, and as such, many employers are demanding that their employees seek this certification. The course will provide the necessary preparations so that the student can pass the CAP exam on their first attempt.
Who Should Attend This Course:
This course is designed to provide hands-on instruction for those wishing to attain the CAP certification.
Course Length:
4 Days
CPE:
32 credits
Course Objective:
The ultimate objective is that students completing this course will be ready for the CAP exam and pass it on the first attempt.
Sample Topics:
Understanding the Purpose of Certification
Initiation of the System Authorization Process
Certification Phase
Accreditation Phase
Continuous Monitoring Phase