CISA Domain 1 – Information System Auditing Process (21% weightage)
Domain 1 of the CISA exam forms the cornerstone, equipping you with the knowledge and skills to conduct effective information systems audits. Here’s a summary of the key objectives within Part A and Part B:
Part A: Planning
- IS Audit Standards, Guidelines and Codes of Ethics: Understand the fundamental principles and best practices outlined in established audit standards like ISACA’s Standards and Code of Professional Ethics, ensuring ethical and professional conduct during audits.
- Business Processes: Grasp the importance of mapping and understanding an organization’s key business processes to tailor your audit approach and identify potential control weaknesses.
- Types of Controls: Learn about the different types of controls (preventive, detective, corrective), their application within various IT environments, and their contribution to risk mitigation.
- Risk-based Audit Planning: Understand how to prioritize audit areas based on identified risks, allocate resources effectively, and focus on the areas with the greatest potential impact.
- Types of Audits and Assessments: Familiarize yourself with various audit and assessment methodologies (e.g., compliance audits, operational audits, security assessments) and their suitability for different purposes.
Part B: Execution
- Audit Project Management: Learn about essential project management skills for planning, executing, and controlling an audit project, ensuring timely completion and adherence to objectives.
- Sampling Methodology: Understand various sampling techniques (e.g., random sampling, stratified sampling) used to gather audit evidence efficiently and draw statistically valid conclusions.
- Audit Evidence Collection Techniques: Grasp different methods for collecting audit evidence like interviews, observations, document reviews, and testing procedures, ensuring its relevance, accuracy, and reliability.
- Data Analytics: Learn how to leverage data analytics tools and techniques to analyze large datasets, identify trends, and gain insights that support audit findings and conclusions.
- Reporting and Communication Techniques: Develop effective communication skills to present audit findings and recommendations clearly and concisely to stakeholders at various levels.
- Quality Assurance and Improvement of the Audit Process: Understand the importance of self-assessment and continuous improvement, implementing methods to enhance audit quality and effectiveness over time.
Unique Terms and Definitions from CISA Domain 1 – Information System Auditing Process
- IS audit – The formal examination and/or testing of information systems to determine whether they are in compliance with applicable laws, regulations, contracts and/or industry guidelines, and whether they comply with governance criteria and related policies and procedures.
- IS auditor – A professional who performs IS audit activities and has the skills and knowledge necessary to perform audit work.
- ISACA – Information Systems Audit and Control Association, a global association that provides guidance, standards, certification and advocacy for IS audit and assurance professionals.
- ITAF – Information Technology Assurance Framework, a comprehensive and good practice-setting reference model that establishes standards, guidelines and tools and techniques for IS audit and assurance.
- IS audit and assurance standards – Mandatory requirements for IS auditing and reporting that inform various audiences of the profession’s expectations concerning the work of practitioners.
- IS audit and assurance guidelines – Guidance and additional information on how to comply with the IS audit and assurance standards.
- IS audit and assurance tools and techniques – Examples of processes an IS auditor might follow in an audit engagement.
- Code of Professional Ethics – A set of principles that guides the professional and personal conduct of ISACA members and certification holders.
- Business process – An interrelated set of cross-functional activities or events that result in the delivery of a specific product or service to a customer.
- Audit charter – A document that defines the purpose, authority and responsibility of the IS audit function.
- Audit program – A step-by-step set of audit procedures and instructions that should be performed to complete an audit.
- Audit scope – The specific systems, function or unit of the organization to be included in the audit review.
- Audit objective – The purpose of the audit, such as to determine whether a system is secure, reliable, compliant or effective.
- Audit approach or strategy – The methodology used to conduct the audit, such as risk-based, control-based or substantive testing.
- Audit evidence – The information obtained by an IS auditor during the audit process to support the audit opinion and conclusions.
- Audit risk – The risk that an IS auditor may express an inappropriate audit opinion when the audit subject matter is materially misstated.
- Audit opinion – The formal expression of the IS auditor’s findings and conclusions on the audit subject matter.
- Audit report – The written communication of the IS auditor’s findings and recommendations to the intended recipients and users of the audit.
- Audit follow-up – The process of monitoring and ensuring that agreed-upon recommendations or corrective actions have been implemented by management.
- Risk assessment – The process of identifying and evaluating the potential impact and likelihood of threats and vulnerabilities to the organization’s assets and processes.
- Control framework – A set of criteria, standards or best practices that can be used to assess and improve the internal control environment of an organization.
- Internal control – The policies, procedures, practices and organizational structures designed to provide reasonable assurance that a business process will achieve its objectives and that undesired events will be prevented or detected and corrected.
- Control objective – A statement of the desired result or purpose to be achieved by implementing control procedures in a particular process.
- Control procedure – A specific action or set of actions that are performed to achieve a control objective.
- Control testing – The process of verifying the effectiveness and efficiency of control procedures through compliance or substantive tests.
- Compliance testing – The process of verifying that control procedures are being performed in accordance with policies and standards.
- Substantive testing – The process of verifying the accuracy and completeness of data and transactions through analytical or detailed tests.
- Sampling – The process of selecting a subset of items from a population for the purpose of making inferences about the population.
- Attribute sampling – A sampling technique used to estimate the rate of occurrence of a specific quality or attribute in a population, such as the presence or absence of a control procedure.
- Variable sampling – A sampling technique used to estimate the monetary value or some other unit of measure of a population, such as the total error amount or the average transaction value.
- CAATs – Computer-assisted audit techniques, the use of software tools and utilities to perform audit tests or procedures on data or systems.
- AI – Artificial intelligence, the branch of computer science that deals with creating systems or programs that can perform tasks that normally require human intelligence, such as reasoning, learning, decision making or natural language processing.
- Expert system – A type of AI system that uses a knowledge base and an inference engine to emulate the reasoning and judgment of a human expert in a specific domain.
- Knowledge base – A collection of facts, rules, heuristics and other information that represents the knowledge of a human expert in a specific domain.
- Inference engine – A program that uses the knowledge base and the user input to derive conclusions or recommendations.
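As an added worked example (not part of the original study guide), the attribute-sampling and variable-sampling definitions above applied to a constructed sample of change tickets: attribute sampling tests whether the approval control was performed and reports an upper deviation limit, while variable sampling projects the monetary error onto the population. The ticket sample, the population size of 1,200 and the tolerable deviation rate are all assumed values.

```python
import math

# Constructed sample: 60 change tickets drawn from an assumed population of 1,200.
# Each tuple is (ticket id, approval recorded?, recorded amount, audited amount).
SAMPLE = [("CHG-%04d" % i, i % 15 != 0, 500.0, 500.0 if i % 20 != 0 else 480.0)
          for i in range(1, 61)]
POPULATION_SIZE = 1200


def binom_cdf(k, n, p):
    """P(X <= k) for X ~ Binomial(n, p)."""
    return sum(math.comb(n, i) * p ** i * (1 - p) ** (n - i) for i in range(k + 1))


def attribute_sampling(sample, confidence=0.95):
    """Sample deviation rate plus a one-sided upper deviation limit.

    The upper limit is the largest population rate p for which observing at most
    the seen number of deviations is still plausible at the given confidence
    (exact binomial bound, located by bisection)."""
    n = len(sample)
    deviations = sum(1 for _, approved, _, _ in sample if not approved)
    lo, hi = deviations / n, 1.0
    for _ in range(60):
        mid = (lo + hi) / 2
        if binom_cdf(deviations, n, mid) < 1 - confidence:
            hi = mid  # this p is too high to be consistent with the sample
        else:
            lo = mid
    return {"n": n, "deviations": deviations, "rate": deviations / n, "upper_limit": hi}


def control_is_reliable(result, tolerable_rate=0.10):
    """Rely on the control only if the upper limit, not just the point
    estimate, stays within the tolerable deviation rate."""
    return result["upper_limit"] <= tolerable_rate


def variable_sampling(sample, population_size):
    """Mean-per-unit projection of the total misstatement in the population."""
    errors = [recorded - audited for _, _, recorded, audited in sample]
    mean_error = sum(errors) / len(sample)
    return {"sample_error": sum(errors), "mean_error": mean_error,
            "projected_error": mean_error * population_size}


if __name__ == "__main__":
    attr = attribute_sampling(SAMPLE)
    print(attr, "reliable at 10%:", control_is_reliable(attr))
    print(variable_sampling(SAMPLE, POPULATION_SIZE))
```

The sample deviation rate (about 6.7%) sits below the 10% tolerable rate, yet the upper deviation limit exceeds it, which is why an auditor evaluates the limit rather than the point estimate before relying on the control.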