CISA domain 1: The process of auditing information systems

Brian Hickey
May 27, 2018 by
Brian Hickey

The Certified Information Systems Auditor (CISA) certification exam focuses on five job practice areas, or domains. You can review them all here. In this article, we will focus on CISA Domain 1: The Process of Auditing Information Systems. This domain is the second largest, accounting for 21% of exam content, which underlines its importance to the certification.

Its aim is to ensure you know how to:

  • Manage the audit process in accordance with IS audit standards
  • Plan audits, ensuring the scope matches the needs of the organization being audited
  • Perform the audit and gather appropriate evidence
  • Communicate the results and recommendations to stakeholders

Isaca IT audit & assurance standards

ISACA IT audit and assurance standards are a central theme for CISA and, although candidates need not memorize the details for the exam, they should have a firm grasp of their scope and application. Many of the standards build on good information systems (IS) practices; candidates who have been practitioners for some time should have no problem grasping the content.

There are three levels:

  1. Standards, or mandatory requirements covering topics like audit and assurance processes and reporting.
  2. Guidelines to help implement the standards. There are over 40 documented guidelines ranging from application systems review through mobile computing to access control.
  3. Tools & techniques, including practical steps for implementing controls. They include business application change control and intrusion detection.

In addition, ISACA certification holders must comply with the organization's code of professional ethics; candidates should also familiarize themselves with its content.

Planning the audit

Good planning is the foundation of a successful audit. The Audit Charter contains the output from the planning exercise and describes the scope, objectives, approach, timeline, roles, and responsibilities for the audit.

Internal audits are approved by senior management, and external audits are a central element of the contract for the audit service.

CISA promotes a risk-based approach to audit planning, which means the risks to the business of using IS are identified and the control framework then reviewed to determine if appropriate risk controls are in place. An understanding of these risks and controls is how the audit scope is developed.

Candidates should know how to identify risks for the organization that is being audited and how to determine the effectiveness of the control framework.

Standard techniques for risk assessment can be used, but these need to be complemented with a good understanding of the unique business environment. For example, for organizations in regulated industries (HIPAA, SOX, DSS-PCI, etc.), there will be specific risks that must be considered and controls that need to be evaluated. During the planning stage, auditors must collaborate with IS and business teams to define the scope accurately and ensure everything is covered. Since regulators may ask to review audit reports, it also means the audit plan should describe how evidence will be stored and for how long.

Audits should be performed as frequently as needed. An annual audit is a minimum, but it will likely be more frequent in response to other triggers, such as a response to an incident, a request from management to confirm compliance with a new regulation or the implementation of new or changed systems.

Perform the audit & gather evidence

An audit can't be a matter of opinion and must be supported by objective evidence that is:

  • Reliable: Factual and current
  • Relevant: Supports audit scope and can be linked to conclusions and recommendations
  • Repeatable: The same evidence would be produced by another auditor

For the exam, candidates need to know how to apply the different techniques used to gather evidence including inquiry, observation, interview, data analysis, sampling, and computer-assisted audit techniques.

Often, the easiest approaches can produce the best results. Reviews of the organization's IS standards, policies and procedures can show if controls have been adequately defined and the use of system generated logs or database reporting tools can be used to measure their effectiveness.

Communicating the results of the audit

Candidates are expected to understand how to prepare an audit report that is clear, complete, and correct. Reporting standards are outlined in the

IT Assurance Framework (ITAF) IS Audit and Assurance Standard and candidates should familiarize themselves with its content before the exam.

Communication skills such as facilitation, listening and empathy are important during audit planning, performance and reporting and make the difference between a report that is quickly dismissed or decisively acted upon.

The audit report should cover scope, objectives, period of review, findings, conclusions, recommendations, and any limitations, such as people who could not be interviewed or documentation that couldn't be accessed. If needed, detailed evidence should be included as an appendix.

Facts must be accurate and should be double checked, preferably by a peer, and recommendations need to be specific and achievable in a timeframe and at a cost proportionate to the size of the organization.

Finally, before the report is issued, the distribution list should be checked to prevent sensitive information from ending up in the wrong hands.

Candidates should remember that audit activity does not end with the issue of the report. A further review needs to confirm recommendations have been implemented and most organizations will implement continuous auditing to ensure controls remain relevant and are meeting their objectives.

Prepare for your CISA exam with an InfoSec Institute boot camp

InfoSec Institute's CISA Boot Camp is a five-day course designed to help you pass the CISA exam on your first attempt. The course covers core sections of the exam and includes a series of practice exam questions. 93% of students who enroll in this course pass the CISA exam on their first attempt.

For more on the CISA certification, view our CISA certification hub.

Brian Hickey
Brian Hickey

Originally a software engineer, Brian Hickey has worked with enterprise technology since the early 80s and held roles in sales, marketing and project management. Most recently he led large scale implementations in financial services where security and compliance were critical components of the delivered solution.