CISA Review Manual 28 Edition Summary Chapter-1

Summary of CISA Review Manual Chapter-1 from 28th Edition.

Chapter 1: The Process of Auditing Information Systems (Domain 1: 18% of CISA Exam)

This domain establishes the core principles and practices of IS auditing, laying the groundwork for the subsequent domains.

1.1 IS Audit Standards, Guidelines, Functions and Codes of Ethics

- 1.1.1 ISACA IS Audit and Assurance Standards:
  - Overview: Introduces the mandatory standards that IS auditors must follow to ensure consistency, quality, and reliability in their work. These standards provide a framework for conducting audits.
  - Key Concepts:
    - General Standards: Deal with the auditor's professional competence, independence, due professional care, and ethics.
    - Performance Standards: Cover planning, supervision, evidence, and reporting.
    - Reporting Standards: Address the communication of audit results.
- 1.1.2 ISACA IS Audit and Assurance Guidelines:
  - Overview: Provides additional guidance and best practices for applying the standards. These are not mandatory but are highly recommended.
  - Key Concepts: Practical advice on various aspects of auditing, including specific audit areas, techniques, and technologies.
- 1.1.3 ISACA Code of Professional Ethics:
  - Overview: A cornerstone of the CISA certification, outlining the ethical conduct expected of ISACA members and CISA-certified professionals.
  - Key Concepts: Principles such as due diligence, honesty, objectivity, confidentiality, professional competence, and adherence to laws and regulations.
- 1.1.4 ITAF™ (ISACA IT Audit Framework):
  - Overview: The comprehensive framework for IT audit and assurance, providing a structured approach to planning, executing, and reporting IS audit engagements.
  - Key Concepts: Integration of ISACA standards and guidelines into a cohesive framework.
- 1.1.5 IS Internal Audit Function:
  - Overview: Discusses the establishment and management of an internal IS audit department.
  - Key Concepts:
    - Audit Charter: The formal document authorizing the IS audit function and defining its authority, responsibilities, and reporting lines.
    - Management of the IS Audit Function: Covers aspects like staffing, training, quality assurance, and budgeting.
    - IS Audit Resource Management: Efficient allocation and utilization of audit resources.
    - Using the Services of Other Auditors and Experts: Considerations when relying on external parties.

1.2 Types of Audits, Assessments and Reviews

- 1.2.1 Control Self-Assessment (CSA):
  - Overview: A process where management and staff directly involved in a business area assess the effectiveness of controls within their own processes.
  - Key Concepts: Objectives, benefits (e.g., increased ownership of controls), disadvantages (e.g., lack of objectivity), and the IS auditor's role (facilitator, not directly involved in the assessment).
- 1.2.2 Integrated Auditing:
  - Overview: Combining financial, operational, and IT audits into a single, cohesive audit engagement to provide a holistic view of risks and controls.
  - Key Concepts: Benefits of efficiency and comprehensive risk coverage.

1.3 Risk-Based Audit Planning

- 1.3.1 Individual Audit Assignments:
  - Overview: The process of planning specific audit engagements within the overall annual audit plan.
  - Key Concepts: Scoping, objectives, methodologies, and resource allocation for each audit.
- 1.3.2 Effect of Laws and Regulations on IS Audit Planning:
  - Overview: Understanding the legal and regulatory landscape that impacts IT and requires compliance, such as data privacy laws (e.g., GDPR, CCPA), industry-specific regulations, and cybersecurity laws.
  - Key Concepts: Identifying relevant laws, assessing compliance risks, and incorporating them into audit objectives.
- 1.3.3 Audit Risk and Materiality:
  - Overview: Defining and understanding the various components of audit risk and the concept of materiality.
  - Key Concepts:
    - Inherent Risk: The susceptibility of an assertion to a material misstatement, assuming there are no related internal controls.
    - Control Risk: The risk that a material misstatement will not be prevented or detected by the entity's internal control.
    - Detection Risk: The risk that the IS auditor's procedures will not detect a material misstatement that exists.
    - Materiality: The magnitude of an omission or misstatement of accounting information that, in the light of surrounding circumstances, makes it probable that the judgment of a reasonable person relying on the information would have been changed or influenced by the omission or misstatement.
- 1.3.4 Risk Assessment:
  - Overview: The process of identifying, analyzing, and evaluating risks relevant to the audit objectives.
  - Key Concepts: Risk identification, likelihood, impact, and prioritization.
- 1.3.5 IS Audit Risk Assessment Techniques:
  - Overview: Various methods used by IS auditors to assess risks in an IT environment.
  - Key Concepts: Qualitative and quantitative risk assessment, scenario analysis, and vulnerability assessments.
- 1.3.6 Risk Analysis:
  - Overview: A deeper look at techniques for performing risk analysis to understand the nature and extent of identified risks.

1.4 Types of Controls and Considerations

- 1.4.1 Internal Controls:
  - Overview: Fundamental concepts of internal control within an organization.
  - Key Concepts: COSO framework and the components of internal control (control environment, risk assessment, control activities, information and communication, monitoring activities).
- 1.4.2 Control Objectives and Control Measures:
  - Overview: How controls are designed to achieve specific objectives, and the different types of controls implemented.
  - Key Concepts:
    - IS Control Objectives: Goals that controls are designed to achieve (e.g., confidentiality, integrity, and availability of information assets).
    - General Control Methods: Controls applicable to all IT systems and operations (e.g., segregation of duties, access controls, change management).
    - IS-Specific Controls: Controls unique to particular IT systems or applications (e.g., input validation, output reconciliation).
    - Business Process Applications and Controls: Focus on controls embedded within specific business processes and their related applications.
- 1.4.3 Control Classifications:
  - Overview: Categorizing controls based on their nature and timing.
  - Key Concepts:
    - Preventive Controls: Prevent errors or unauthorized acts from occurring (e.g., segregation of duties).
    - Detective Controls: Identify errors or unauthorized acts that have occurred (e.g., log monitoring).
    - Corrective Controls: Correct errors or recover from unauthorized acts (e.g., backup and recovery procedures).
    - Compensating Controls: Mitigate the risk when a primary control is missing or ineffective.
- 1.4.4 Control Relationship to Risk:
  - Overview: The direct link between identified risks and the controls designed to mitigate them.
- 1.4.5 Prescriptive Controls and Frameworks:
  - Overview: Discussion of control frameworks and standards such as COBIT, ITIL, ISO 27001, and the NIST Cybersecurity Framework that provide prescriptive guidance for implementing controls.

1.5 Audit Project Management

- 1.5.1 Audit Program/Plan Development:
  - Overview: Developing a detailed plan for executing the audit, including specific procedures, timelines, and responsibilities.
  - Key Concepts: Audit objectives, scope, methodology, resource allocation, and reporting.
- 1.5.2 Project Management for IS Audits:
  - Overview: Applying project management principles to manage IS audit engagements effectively.
- 1.5.3 Minimum Skills to Develop an Audit Program:
  - Overview: The competencies required for an IS auditor to effectively plan and execute an audit.
- 1.5.4 Audit Work Papers:
  - Overview: Documentation of the audit process, including evidence gathered, procedures performed, and conclusions reached.
  - Key Concepts: Purpose, content, organization, and retention of work papers.
- 1.5.5 Fraud, Irregularities and Illegal Acts:
  - Overview: The IS auditor's responsibility concerning the detection and reporting of fraud.
  - Key Concepts: Red flags, fraud detection techniques, and reporting protocols.
- 1.5.6 Agile Auditing:
  - Overview: A significant update in the 28th edition. This section introduces the concept of applying agile methodologies to the audit process.
  - Key Concepts: Agile principles, benefits (e.g., faster feedback, continuous assurance), and comparison to traditional audit approaches.
  - Agile Auditing Overview: What it is and why it is becoming relevant.
  - Benefits of Agile Auditing: Increased responsiveness, adaptability, and value delivery.
  - Agile Auditing Compared to Established Assurance Standards: How agile principles align with or deviate from existing ISACA standards.

1.6 Audit Testing and Sampling Methodology

- 1.6.1 Compliance Versus Substantive Testing:
  - Overview: Differentiating between the two primary types of audit tests.
  - Key Concepts:
    - Compliance Testing: Tests designed to determine whether controls are operating effectively.
    - Substantive Testing: Tests designed to detect material misstatements in financial or operational data.
- 1.6.2 Sampling/Sampling Risk:
  - Overview: The use of sampling in audit testing and the associated risks.
  - Key Concepts:
    - Statistical Sampling: Uses mathematical rules to determine sample size and evaluate results.
    - Non-Statistical Sampling: Uses auditor judgment to determine sample size and evaluate results.
    - Sampling Risk: The risk that the auditor's conclusion based on a sample may differ from the conclusion that would be reached if the entire population were subjected to the same audit procedure.
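To put a number on the sampling risk described in 1.6.2, here is an added Python illustration (not part of the original summary or the CISA manual): a constructed population of change tickets with a known 2% deviation rate, the exact probability that a compliance test on a small sample sees no deviation at all, and the sample size a statistical rule would require to hold that risk at 5%. The population, rates and ticket counts are all constructed for this example.

```python
import math
import random

# Constructed population: 1,000 change tickets, 20 of which lack the required
# approval (a 2% deviation rate). The auditor does not know this rate; the
# sample is meant to estimate it.
POPULATION_SIZE = 1000
DEVIATIONS_IN_POPULATION = 20


def build_population(size=POPULATION_SIZE, deviations=DEVIATIONS_IN_POPULATION):
    """Return a list of booleans; True marks a ticket that violates the control."""
    return [i < deviations for i in range(size)]


def risk_of_incorrect_acceptance(population_size, deviations, sample_size):
    """Exact probability (hypergeometric, sampling without replacement) that a
    sample of sample_size contains zero deviations although the population holds
    `deviations` of them, i.e. that the auditor would wrongly accept the control."""
    return math.comb(population_size - deviations, sample_size) / math.comb(
        population_size, sample_size
    )


def statistical_sample_size(tolerable_rate, acceptable_risk):
    """Smallest n for which a zero-deviation sample leaves at most acceptable_risk
    that the true deviation rate is at or above tolerable_rate. Uses the binomial
    form (1 - p)^n <= beta, the usual attribute-sampling approximation, which is
    slightly conservative for finite populations."""
    return math.ceil(math.log(acceptable_risk) / math.log(1.0 - tolerable_rate))


def random_sample_finds_deviation(population, sample_size, seed):
    """Draw one random sample of the given size and report whether it exposed
    any deviation; with a small sample this is often False for this population."""
    rng = random.Random(seed)
    return any(rng.sample(population, sample_size))


if __name__ == "__main__":
    n_small = 30
    print(f"risk that n={n_small} misses every deviation: "
          f"{risk_of_incorrect_acceptance(POPULATION_SIZE, DEVIATIONS_IN_POPULATION, n_small):.3f}")
    n_stat = statistical_sample_size(tolerable_rate=0.02, acceptable_risk=0.05)
    print(f"statistical sample size for 2% tolerable rate at 5% risk: {n_stat}")
    print(f"risk that n={n_stat} misses every deviation: "
          f"{risk_of_incorrect_acceptance(POPULATION_SIZE, DEVIATIONS_IN_POPULATION, n_stat):.3f}")
```

A judgmental sample of 30 items misses every one of the 20 deviations roughly 54% of the time, which is the sampling risk the auditor accepts without realising it; the statistical rule asks for 149 items to bring that below 5%.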

1.7 Evidence Collection

- 1.7.1 Interviewing and Observing Personnel in Performance of Their Duties:
  - Overview: Techniques for gathering information through direct interaction and observation.
- 1.7.2 Computer-Assisted Audit Techniques (CAATs) as a Continuous Online Audit Approach:
  - Overview: The use of software tools to automate audit tasks and analyze large volumes of data.
  - Key Concepts:
    - Generalized Audit Software (GAS): Tools used for data extraction, analysis, and reporting.
    - Utility Programs: System-level tools used for specific tasks (e.g., file comparison).
    - Specialized Audit Software: Designed for specific audit purposes.
    - Continuous Auditing Techniques:
      - Integrated Test Facility (ITF): Creating dummy entities within a live system to process test transactions.
      - System Control Audit Review File (SCARF): Embedding audit modules in application systems to collect transactions with specific characteristics.
      - Snapshot Technique: Capturing snapshots of transactions at different points in their processing.
      - Audit Hooks: Exits in programs that allow auditors to insert audit routines.
      - Continuous and Intermittent Simulation (CIS): Simulating the processing of real transactions to compare with actual results.
- 1.7.3 Continuous Auditing and Monitoring:
  - Overview: The evolving concept of performing audit activities on an ongoing basis to provide real-time assurance.
- 1.7.4 Other Evidence Collection Techniques:
  - Overview: Other methods such as confirming information with third parties, reviewing documentation, and performing recalculations.
- 1.7.5 Artificial Intelligence (AI) in IS Audit:
  - Overview: A significant new addition in the 28th edition, discussing the application of AI in auditing.
  - Key Concepts:
    - The Role of RPA (Robotic Process Automation) and AI Within the Audit Life Cycle: How these technologies can automate repetitive tasks, enhance data analysis, and improve efficiency.
    - AI/ML (Machine Learning) Techniques: Specific AI and machine learning techniques relevant to auditing (e.g., anomaly detection, predictive analytics).
    - Audit Algorithms: How algorithms can be used to identify patterns and anomalies in data.
    - Interpretation of AI/ML Results: The challenges and considerations in interpreting and validating the outcomes of AI-driven audit tools.
    - AI/ML Audit Risk and Considerations: The new risks introduced by using AI in audits, such as data bias, model transparency, and ethical implications.
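To make the SCARF and snapshot techniques listed under 1.7.2 concrete, here is an added Python sketch (not from the CISA manual or the original summary) of a small ledger application with an embedded audit module: every posted transaction is evaluated in-line, and those meeting assumed audit criteria are written to an audit file together with before/after snapshots of the affected balances. The threshold, business hours, account names and transactions are all constructed for this example.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed ledger application carrying an embedded audit module modelled on
# SCARF (select transactions with specific characteristics, in-line) combined with
# the snapshot technique (record the affected state before and after posting).
# Threshold, hours, account names and transactions are assumptions for illustration.
SCARF_AMOUNT_THRESHOLD = 10_000
BUSINESS_HOURS = range(8, 18)  # 08:00-17:59

@dataclass
class Transaction:
    tx_id: str
    src: str
    dst: str
    amount: int
    posted_at: datetime

class Ledger:
    def __init__(self, balances):
        self.balances = dict(balances)
        self.scarf_file = []  # the embedded module's audit file (kept in memory here)

    def post(self, tx):
        # Snapshot: capture the affected balances before the application logic runs.
        before = {a: self.balances.get(a, 0) for a in (tx.src, tx.dst)}
        self.balances[tx.src] = before[tx.src] - tx.amount
        self.balances[tx.dst] = before[tx.dst] + tx.amount
        after = {a: self.balances[a] for a in (tx.src, tx.dst)}
        # SCARF: every transaction is evaluated, but only those matching the audit
        # criteria are written to the audit file, with their before/after snapshots.
        reasons = []
        if tx.amount >= SCARF_AMOUNT_THRESHOLD:
            reasons.append("amount_over_threshold")
        if tx.posted_at.hour not in BUSINESS_HOURS:
            reasons.append("outside_business_hours")
        if after[tx.src] < 0:  # only visible through the post-processing snapshot
            reasons.append("overdraft_after_posting")
        if reasons:
            self.scarf_file.append(
                {"tx_id": tx.tx_id, "reasons": reasons, "before": before, "after": after})
        return after

def run_demo():
    # Constructed postings: T1 is routine; T2 is large and after hours; T3 overdraws PETTY.
    ledger = Ledger({"OPS": 50_000, "VENDOR-A": 0, "PETTY": 500})
    ledger.post(Transaction("T1", "OPS", "VENDOR-A", 2_500, datetime(2024, 3, 4, 10, 15)))
    ledger.post(Transaction("T2", "OPS", "VENDOR-A", 12_000, datetime(2024, 3, 4, 23, 40)))
    ledger.post(Transaction("T3", "PETTY", "VENDOR-A", 900, datetime(2024, 3, 5, 9, 5)))
    return ledger  # ledger.scarf_file now holds records for T2 and T3 only
```

The overdraft criterion shows why the two techniques are paired: it can only be judged from the post-processing snapshot, not from the transaction's own fields.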

1.8 Audit Reporting and Follow-Up

- 1.8.1 Audit Reporting:
  - Overview: The process of communicating audit findings, conclusions, and recommendations to management and other stakeholders.
  - Key Concepts: Objectives of an audit report, key elements (findings, recommendations, management response), and types of opinions.
- 1.8.2 Follow-Up Activities:
  - Overview: The IS auditor's responsibility to monitor the implementation of corrective actions based on audit recommendations.
  - Key Concepts: Verification of remediation and ongoing monitoring.