CISA DOMAIN 1 – THE PROCESS ON AUDITING INFORMATION SYSTEMS
This article covers –
• Overall understanding of the domain
• Important concepts to focus on from exam point of view
The article is split into 4 parts as below:
• Part 1 – Overall understanding of Domain 1, Important concepts from exam point of view – Audit charter,
Audit planning, Risk analysis
• Part 2 – Internal controls, COBIT – 5, Risk-based auditing, Risk treatment
• Part 3 – Compliance testing Vs. Substantive testing, Audit evidence, Audit Sampling and Control self-
assessment
PART 1
Overall understanding of the domain:
• Weightage - This domain constitutes 21 percent of the CISA exam (approximately 32 questions)
• Covers 11 Knowledge statements covering the process of auditing information systems
1. ISACA IS Audit and Assurance Standards, Guidelines, and Tools and Techniques, Code of
Professional Ethics and other applicable standards
2. risk assessment concepts and tools and techniques in planning, examination, reporting and
follow-up
3. Fundamental business processes and the role of IS in these processes
4. Control principles related to controls in information systems
5. Risk-based audit planning and audit project management techniques
6. Applicable laws and regulations which affect the scope, evidence collection and preservation and
frequency of audits
7. Evidence collection techniques used to gather, protect and preserve audit evidence
8. Different sampling methodologies and other substantive/data analytical procedures
9. Reporting and communication techniques
10. Audit quality assurance (QA) systems and frameworks
11. Various types of audits and methods for assessing and placing reliance on the work of other
auditors or control entities
1|P a ge
©Aswini Srinath
, CISA DOMAIN 1 – THE PROCESS ON AUDITING INFORMATION SYSTEMS
Important concepts from exam point of view:
1. Audit Charter:
➢ Audit Charter outlines the overall authority, scope and responsibilities of audit function
➢ Audit charter should be approved by Audit committee or senior management
➢ Internal audit function is always independent of management committee
Points to remember:
• When CISA question is on the approval of audit charter, the answer should be
senior most management, based on the options available.
• IS auditor’s role being more of reporting of audit observations and giving an
“independent audit opinion”
2. Audit planning:
➢ Step 1 – Understanding of business mission, vision, objectives, process which includes
information requirements under CIA trait (Confidentiality, Integrity and Availability of data)
➢ Step 2 – Understanding of business environment
➢ Step 3 - Review prior work papers
➢ Step 4 - Perform Risk analysis
➢ Step 5 - Set audit scope and objectives
➢ Step 6 - Develop audit plan/strategy
➢ Step 7 - Assign audit personal/resources
Point to remember: The first step in the audit planning is always understanding the
business mission, objectives and business environment, then analyzing the risk involved
based in the audit scope.
➢ Audit planning includes –
1. Short term planning – considers audit issues that will be covered during the year
2. Long term planning - audit plans that will take into account risk-related issues regarding
changes in the organization’s IT strategic direction that will affect the organization’s IT
environment.
2|P a ge
©Aswini Srinath
, CISA DOMAIN 1 – THE PROCESS ON AUDITING INFORMATION SYSTEMS
3. Risk analysis:
➢ Risk is a combination of the probability of an event and its consequence (International
Organization for Standardization [ISO] 31000:2009)
➢ Risk analysis is part of audit planning, and help identify risk and vulnerabilities so the IS auditor
can determine the controls needed to mitigate those risk
Point to remember: CISA candidate should be able to differentiate between threat and
vulnerability. Threat is anything that can exploit a vulnerability, intentionally or accidentally,
and obtain, damage, or destroy an asset. Vulnerability is Weakness or gap in a security
program that can be exploited by threats to gain unauthorized access to an asset
➢ Risk analysis covers Risk Management Framework – ISO 27005, ISO 31000
➢ Risk Assessment Process – The process starts with identifying the sources and events, then
identifying the vulnerabilities associated with the sources, and then analyzing the probability of
the occurrence and the impact.
➢ Risk Management Process - It begins with identifying the business objectives, the information
assets that are associated with business, assessment of risk, how to mitigate the risk (either to
avoid or transfer or mitigate/reduce the risk) and implementing controls to mitigate the risk)
Point to remember:
• CISA candidate should be aware of the difference between Risk assessment and
Risk management. Risk assessment is the process of finding where the risk exists.
Risk management is the second step after performing risk assessment.
• Risk can be mitigated/reduced through implementation of controls/ third-party
insurance, etc.
3|P a ge
©Aswini Srinath
, CISA DOMAIN 1 – THE PROCESS ON AUDITING INFORMATION SYSTEMS
PART 2
4. Internal Controls:
➢ Internal controls are normally composed of policies, procedures, practices and organizational
structures which are implemented to reduce risks to the organizations
➢ The board of directors are responsible for establishing the effective internal control system
Point to remember: When CISA question is on the responsibility of internal controls, the
answer should be senior most management (BoD, CEO, CIO, CISO etc) , based on the
options available.
➢ Classification of internal controls:
a. Preventive controls
b. Detective controls
c. Corrective controls
Point to remember: CISA question will be scenario based, where the candidate should
have a thorough understanding of all the three controls and able to differentiate between
preventive, detective and corrective controls
➢ Preventive controls: are those internal controls which are deployed to prevent happening of an
event that might affect achievement of organizational objectives. Some examples of preventive
control activities are:
• Employee background checks
• Employee training and required certifications
• Password protected access to asset storage areas
• Physical locks on inventory warehouses
• Security camera systems
• Segregation of duties (i.e. recording, authorization, and custody all handled by separate
individuals)
➢ Detective controls: Detective controls seek to identify when preventive controls were not
effective in preventing errors and irregularities, particularly in relation to the safeguarding of
assets. Some examples of detective control activities are:
4|P a ge
©Aswini Srinath
This article covers –
• Overall understanding of the domain
• Important concepts to focus on from exam point of view
The article is split into 4 parts as below:
• Part 1 – Overall understanding of Domain 1, Important concepts from exam point of view – Audit charter,
Audit planning, Risk analysis
• Part 2 – Internal controls, COBIT – 5, Risk-based auditing, Risk treatment
• Part 3 – Compliance testing Vs. Substantive testing, Audit evidence, Audit Sampling and Control self-
assessment
PART 1
Overall understanding of the domain:
• Weightage - This domain constitutes 21 percent of the CISA exam (approximately 32 questions)
• Covers 11 Knowledge statements covering the process of auditing information systems
1. ISACA IS Audit and Assurance Standards, Guidelines, and Tools and Techniques, Code of
Professional Ethics and other applicable standards
2. risk assessment concepts and tools and techniques in planning, examination, reporting and
follow-up
3. Fundamental business processes and the role of IS in these processes
4. Control principles related to controls in information systems
5. Risk-based audit planning and audit project management techniques
6. Applicable laws and regulations which affect the scope, evidence collection and preservation and
frequency of audits
7. Evidence collection techniques used to gather, protect and preserve audit evidence
8. Different sampling methodologies and other substantive/data analytical procedures
9. Reporting and communication techniques
10. Audit quality assurance (QA) systems and frameworks
11. Various types of audits and methods for assessing and placing reliance on the work of other
auditors or control entities
1|P a ge
©Aswini Srinath
, CISA DOMAIN 1 – THE PROCESS ON AUDITING INFORMATION SYSTEMS
Important concepts from exam point of view:
1. Audit Charter:
➢ Audit Charter outlines the overall authority, scope and responsibilities of audit function
➢ Audit charter should be approved by Audit committee or senior management
➢ Internal audit function is always independent of management committee
Points to remember:
• When CISA question is on the approval of audit charter, the answer should be
senior most management, based on the options available.
• IS auditor’s role being more of reporting of audit observations and giving an
“independent audit opinion”
2. Audit planning:
➢ Step 1 – Understanding of business mission, vision, objectives, process which includes
information requirements under CIA trait (Confidentiality, Integrity and Availability of data)
➢ Step 2 – Understanding of business environment
➢ Step 3 - Review prior work papers
➢ Step 4 - Perform Risk analysis
➢ Step 5 - Set audit scope and objectives
➢ Step 6 - Develop audit plan/strategy
➢ Step 7 - Assign audit personal/resources
Point to remember: The first step in the audit planning is always understanding the
business mission, objectives and business environment, then analyzing the risk involved
based in the audit scope.
➢ Audit planning includes –
1. Short term planning – considers audit issues that will be covered during the year
2. Long term planning - audit plans that will take into account risk-related issues regarding
changes in the organization’s IT strategic direction that will affect the organization’s IT
environment.
2|P a ge
©Aswini Srinath
, CISA DOMAIN 1 – THE PROCESS ON AUDITING INFORMATION SYSTEMS
3. Risk analysis:
➢ Risk is a combination of the probability of an event and its consequence (International
Organization for Standardization [ISO] 31000:2009)
➢ Risk analysis is part of audit planning, and help identify risk and vulnerabilities so the IS auditor
can determine the controls needed to mitigate those risk
Point to remember: CISA candidate should be able to differentiate between threat and
vulnerability. Threat is anything that can exploit a vulnerability, intentionally or accidentally,
and obtain, damage, or destroy an asset. Vulnerability is Weakness or gap in a security
program that can be exploited by threats to gain unauthorized access to an asset
➢ Risk analysis covers Risk Management Framework – ISO 27005, ISO 31000
➢ Risk Assessment Process – The process starts with identifying the sources and events, then
identifying the vulnerabilities associated with the sources, and then analyzing the probability of
the occurrence and the impact.
➢ Risk Management Process - It begins with identifying the business objectives, the information
assets that are associated with business, assessment of risk, how to mitigate the risk (either to
avoid or transfer or mitigate/reduce the risk) and implementing controls to mitigate the risk)
Point to remember:
• CISA candidate should be aware of the difference between Risk assessment and
Risk management. Risk assessment is the process of finding where the risk exists.
Risk management is the second step after performing risk assessment.
• Risk can be mitigated/reduced through implementation of controls/ third-party
insurance, etc.
3|P a ge
©Aswini Srinath
, CISA DOMAIN 1 – THE PROCESS ON AUDITING INFORMATION SYSTEMS
PART 2
4. Internal Controls:
➢ Internal controls are normally composed of policies, procedures, practices and organizational
structures which are implemented to reduce risks to the organizations
➢ The board of directors are responsible for establishing the effective internal control system
Point to remember: When CISA question is on the responsibility of internal controls, the
answer should be senior most management (BoD, CEO, CIO, CISO etc) , based on the
options available.
➢ Classification of internal controls:
a. Preventive controls
b. Detective controls
c. Corrective controls
Point to remember: CISA question will be scenario based, where the candidate should
have a thorough understanding of all the three controls and able to differentiate between
preventive, detective and corrective controls
➢ Preventive controls: are those internal controls which are deployed to prevent happening of an
event that might affect achievement of organizational objectives. Some examples of preventive
control activities are:
• Employee background checks
• Employee training and required certifications
• Password protected access to asset storage areas
• Physical locks on inventory warehouses
• Security camera systems
• Segregation of duties (i.e. recording, authorization, and custody all handled by separate
individuals)
➢ Detective controls: Detective controls seek to identify when preventive controls were not
effective in preventing errors and irregularities, particularly in relation to the safeguarding of
assets. Some examples of detective control activities are:
4|P a ge
©Aswini Srinath
