    • CISA Cert Prep: 1 Auditing Information Systems for IS Auditors
    • CISA Cert Prep: 2 Information Technology Governance and Management for IS Auditors
    • CISA Cert Prep: 3 Information Technology Life Cycle for IS Auditors
    • CISA Cert Prep: 4 IT Operations, Maintenance, and Service Delivery for IS Auditors
    • CISA Cert Prep: 5 Information Asset Protection for IS Auditors
  • CISA Review Manual

Certified Information Systems Auditor (CISA)

Modules under CISA

  • 1. Information Systems Auditing Process
  • 2. Governance and Management of IT
  • 3. Information Systems Acquisition, Development, and Implementation
  • 4. Protection of Information Assets

1. Information Systems Auditing Process

The topics covered are:
  • Planning
  • Execution


Auditing Information Systems 

Information Systems Audits and Assessments

  • Inputs are taken from vulnerability assessments, penetration testing and compliance assessments (GDPR, HIPAA, payment cards)
  • HIPAA - Health Insurance Portability and Accountability Act
  • SOC 2 is a report based on standards from the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA)
  • General Data Protection Regulation (GDPR) compliance
  • Internal audit of security policy, standards and procedures
  • Software development assessment
  • Incident response
  • BCP - Business Continuity Planning

Types of Audits

Internal audits and external audits
The scope of the audit, roles, functions and management responsibility are defined in the audit charter.

Audit Planning 

Short-Term Planning
Long-Term Planning

Business processes are categorized by risk factor: High, Medium and Low

IS Internal controls

Risk Analysis

  • Vulnerability - a weakness in the system
  • Threat - something that can exploit a vulnerability
  • Control or countermeasure - what is put in place to address a vulnerability or threat

Internal objectives and controls 

  • CIA - Confidentiality, Integrity, Availability
  • Controls - three types:
    • Administrative or soft controls
    • Technical or logical controls
    • Physical controls

Three types of characteristics of controls


Frameworks - documented best practices

  • ITIL - IT Infrastructure Library
  • ISO 27000 series
  • COBIT 5 - Control Objectives for Information and Related Technologies

Performing IS Audit 

  • Two-person rule - one person performs the audit and another verifies it
  • Independent auditors

Communicating Audit results 

  • Audit Reporting 
  • Closing Findings
  • Control Self-assessment [CSA] 
  • Continuous Auditing 



Information Systems Auditing Process

Part A. Planning:

  • IS Audit Standards, Guidelines and Codes of Ethics
  • Business Processes
  • Types of Controls
  • Risk-based Audit Planning
  • Types of Audits and Assessments

Part B. Execution:

  • Audit Project Management
  • Sampling Methodology
  • Audit Evidence Collection Techniques
  • Data Analytics
  • Reporting and Communication Techniques
  • Quality Assurance and Improvement of the Audit Process

1. IS Audit Standards, Guidelines and Code of Ethics

IT Audit Standards and Guidelines
The ISACA IT audit framework divides its standards into three categories:

  • General:
    • Provide the fundamental principles
  • Performance:
    • Address the execution of the task
  • Reporting:
    • Cover the various report formats and methods of communication

2. Business Processes

  • Audit Charter
    • The audit charter encompasses management's responsibilities, objectives and the entire scope of the IS audit.
  • Audit Resource Management
    • Auditors need to improve their abilities to conduct audits on emerging technologies.
  • Audit Planning
    • Short-term and long-term planning, reviewed annually
    • Risk classified as High, Medium and Low
    • The audit plan covers all processes rated as high risk
  • Impact of Laws and Regulations on IS Audit Planning
    • Evaluate the legal certifications mandated by internal and external entities for IT systems.
    • Analyze the laws and regulations that are relevant to the audit.
    • Implement procedures to ensure adherence and compliance with those regulations.

    E. Business Process Applications and Controls

    • E-commerce
    • Electronic Data Interchange
    • Email
    • Point-of-sale Systems
    • Electronic Banking
    • Electronic Funds Transfer
    • Automated Teller Machines
    • Electronic Finance
    • Integrated Manufacturing Systems
    • Interactive Voice Response
    • Purchase Accounting Systems
    • Image Processing
    • Industrial Control Systems
    • Artificial Intelligence and Expert Systems
    • Supply Chain Management
    • Customer Relationship Management

    F. Using the Services of Other Auditors and Experts

    3. Types of Controls

    • Control Objectives and Control Measures
    • IS Control Objectives
    • Evaluation of the Control Environment
    • General Controls
    • IS-specific Controls

    4. Risk based Audit Planning

    • Audit Risk and Materiality
    • Risk Assessment
    • IS Audit Risk Assessment Techniques
    • Risk Analysis

    5. Types of Audits and Assessments

    Part B: Execution

    6 Audit Project Management

    • Audit Objectives
    • Audit Phases
    • Audit Programs
      • Minimum Skills to Develop an Audit Program
      • Audit Work Papers
    • Fraud, Irregularities and Illegal Acts

    7. Sampling Methodology

    • Compliance Versus Substantive Testing
    • Sampling
      • Sampling Risk

    8. Audit Evidence Collection Techniques

    • Interviewing and Observing Personnel in Performance of Their Duties

    9. Data Analytics

    • Computer-assisted Audit Techniques (CAATs) as a Continuous Online Audit Approach
    • Continuous Auditing and Monitoring
    • Continuous Auditing Techniques

    10. Reporting and Communication Techniques

    • Communicating Audit Results
    • Audit Report Objectives
    • Audit Report Structure and Contents
    • Audit Documentation
    • Follow-up Activities
    • Types of IS Audit Reports

    11. Quality Assurance and Improvement of the Audit Process

    • Control Self-assessment
      • Objectives of CSA
      • Benefits of CSA
      • Disadvantages of CSA
      • The IS Auditor’s Role in CSA
    • Integrated Auditing


    Governance and Management of IT

    The topics covered are:

    • IT Governance
      • IT governance is about setting clear directions and providing instructions to the management team who then carry out the tasks accordingly.

    • IT Management

      • 1. IT Governance and IT Strategy
      • 2. IT-related Frameworks
      • 3. IT Standards, Policies, and Procedures
      • 4. Organizational Structure
      • 5. Enterprise Architecture
      • 6. Enterprise Risk Management
      • 7. Maturity Models
      • 8. Laws, Regulations and Industry Standards Affecting the Organization

    Part A: IT Governance

    Key practices

      • Adhere to a governance framework that outlines the rules and guidelines for IT management:
        • COBIT 5 - ISACA framework for IT management
        • ISO 27001
        • ITIL - framework for IT service delivery
        • ISO 38500 - framework for IT governance

        • 1. Create an IT strategy and establish steering committees to guide decision-making.

          • A. Strategy is on the governance side

            • Board members who are responsible for overseeing IT matters.
            • Ensuring that IT aligns with the overall business goals.
            • Defining and monitoring strategic objectives.
            • Providing resources for IT initiatives.
            • Optimizing IT spending to achieve maximum value.
            • Managing investments in IT projects.
            • Managing and mitigating IT-related risks.
            • Offering guidance and direction to the management team.

          • B. The steering committee is on the management side

            • Managing and overseeing spending related to IT initiatives.
            • Ensuring proper architecture and engineering of IT systems.
            • Allocating resources for IT projects and initiatives.
            • Managing project timelines and deliverables.
            • Forming and leading project teams.
            • Providing feedback to the board about IT strategy and initiatives.

        • 2. Utilize an IT balanced scorecard to measure and track performance.

          • A. The scorecard measures from four perspectives:

            • Financial Perspective: Evaluating the financial impact and outcomes of IT initiatives.
            • Customer Perspective: Assessing how IT services and solutions meet customer needs and expectations.
            • Internal Processes Perspective: Focusing on improving internal IT processes and operations.
            • Learning & Growth Perspective: Emphasizing the development of IT skills and capabilities for future success.

          • B. Metrics are reported with dashboards

        • 3. Incorporate information governance to ensure the effective management and control of information assets.

          • Security governance roles

            • Directors
            • Security steering committee
            • CISO - Chief Information Security Officer
            • Managers and staff

          • Security governance covers:

            • Security and Risk Management: Ensuring protection against potential threats and managing security risks.
            • Asset Security: Safeguarding valuable assets and information.
            • Communications and Network Security: Securing communication channels and networks.
            • Identity and Access Management: Controlling and managing user access to systems and data.
            • Security Assessment and Testing: Conducting evaluations and tests to identify vulnerabilities.
            • Software Development Security: Implementing security measures in software development processes.

        • 4. Enterprise architecture 

          • Translates business drivers into architectural decisions
          • Assists decision makers
          • The practice of diagramming and documenting the architecture of the enterprise
          • There are different aspects of enterprise architecture:

            • Business Architecture: This focuses on the organization's business strategy, goals, and objectives.
            • Information Architecture: This deals with the structure, processes, and storage architecture, also known as data architecture.
            • Application Architecture: This involves the design of applications and services, supported by technical architecture, which is also known as information systems architecture.
            • Technical Architecture: This covers the IT infrastructure, including hardware, software, and networks.

            • Frameworks to know:
              • Zachman Framework
              • TOGAF - The Open Group Architecture Framework
              • SABSA - Sherwood Applied Business Security Architecture

          • 5. Policies, Processes, and Standards

            • Policies: These are rules that state what needs to be done to meet certain requirements.
            • Standards: These specify the specific data or information needed to fulfill those requirements.
            • Processes: These are the steps or procedures that must be followed to meet the requirements.
            • Guidelines: These are suggestions or recommendations on how to meet a requirement effectively.
            • Baselines: the minimum level of security required
            • Master Security Program policy

              • The Master Security Program policy outlines all the policies that need to be followed.
              • It also establishes the process for creating, modifying, maintaining, and sharing these policies.

            • Access Control Policies

              • Access Control Policies: These policies define the rules for allowing, removing, changing, and verifying access to systems, applications, and data.
              • Authorization and Identification Policy: This policy outlines how user accounts and group memberships are managed to ensure proper access control.
              • Password Policy: This policy sets guidelines for creating and managing passwords to enhance security.
              • Granting User Rights and Privileges: This policy governs how user rights and privileges are assigned to maintain the appropriate level of access.
              • Monitoring Policy: This policy establishes guidelines for monitoring access and activities to detect any unauthorized or suspicious behavior.

            • Data Classification and Control policies

              • Data life cycle policy
              • Data classification policy
              • Data ownership policy
              • Information labelling and handling policy

            • Communication Security policies

              • Data, wireless communication and encryption policies

            • Security testing policies

              • Vulnerability assessment
              • Application security testing

            • Configuration and Change management policies

            • Malicious code policy

            • Incident Management Policies

            • Backup and recovery policies

            • Third-party Control policies

          • 6. Auditing Governance and documentation

            • Frameworks used
              • COBIT
              • ITIL
              • ISO 27001 or ISO 38500

            • Planning
              • Plans, processes, frequencies

            • Audit documentation
              • Existing policies: check that they are up to date
              • Auditing the balanced scorecard
              • KPIs

          • 7. Risk Management Process

            • Risk Analysis

              • Vulnerabilities
              • Threat
              • Countermeasures 

            • Risk matrix: probability of occurrence vs business impact

            • Process: Plan - Collect information - Define risk control

            • Risk Planning Phase

              • Risk assessment team
              • Define team, scope, method, tools and acceptable risk level

            • Collection Phase

              • Identify assets - tangible and intangible
              • Assign value to assets
              • Identify vulnerabilities and threats
              • Calculate risk index (low to high)
              • Cost-benefit analysis
              • Residual risks
              • Uncertainty analysis

            • Risk Dealing Process
              • Risk Mitigation
              • Risk transference
              • Risk acceptance
              • Risk avoidance

            • Auditing Risk management
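            As an added worked example (not from the course notes or the CISA Review Manual), the collection phase and risk-dealing decision above in Python: value the asset, score probability against business impact on a risk matrix, band the index into High/Medium/Low, run a cost-benefit check on a countermeasure, and report residual risk with a treatment decision. The 1..5 scales, band thresholds and sample register are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed example, not part of the notes: scales, thresholds and sample
# figures are assumptions for illustration, not values mandated by CISA.

@dataclass
class Risk:
    asset: str
    asset_value: float        # value assigned to the asset (collection phase)
    probability: int          # likelihood of occurrence, 1 (rare) .. 5 (almost certain)
    impact: int               # business impact, 1 (negligible) .. 5 (severe)
    control_cost: float       # annual cost of the proposed countermeasure
    control_reduction: float  # fraction of expected loss the countermeasure removes

def risk_index(probability: int, impact: int) -> int:
    """Risk matrix cell: probability x impact, giving an index from 1 to 25."""
    if not (1 <= probability <= 5 and 1 <= impact <= 5):
        raise ValueError("probability and impact must be on the 1..5 scale")
    return probability * impact

def rate(index: int) -> str:
    """Band the index into the High/Medium/Low ratings used for audit planning."""
    if index >= 15:
        return "High"
    if index >= 6:
        return "Medium"
    return "Low"

def expected_loss(risk: Risk) -> float:
    """Scale asset value by matrix position; the top cell puts the full value at risk."""
    return risk.asset_value * risk_index(risk.probability, risk.impact) / 25

def treatment(risk: Risk) -> dict:
    """Cost-benefit analysis: mitigate only when the control saves more than it costs."""
    loss = expected_loss(risk)
    rating = rate(risk_index(risk.probability, risk.impact))
    saving = loss * risk.control_reduction
    if rating == "Low":
        decision, residual = "accept", loss              # within acceptable risk level
    elif saving > risk.control_cost:
        decision, residual = "mitigate", loss - saving   # control is cost-effective
    else:
        decision, residual = "transfer or avoid", loss   # control costs more than it saves
    return {"rating": rating, "expected_loss": loss,
            "residual_risk": residual, "decision": decision}

if __name__ == "__main__":  # constructed sample register
    for r in (Risk("payment database", 100_000, 4, 5, 10_000, 0.8),
              Risk("lobby kiosk", 2_000, 2, 2, 500, 0.5)):
        print(r.asset, treatment(r))
```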

          • 8. IT Management, Structure, and Responsibility

            • IT organization structure

              • Resources
                • Internal
                  • Employees
                • External
                  • Third parties

    Part B: IT Management

    • 1. IT Resource Management
    • 2. IT Service Provider Acquisition and Management
    • 3. IT Performance Monitoring and Reporting
    • 4. Quality Assurance and Quality Management of IT
    • 5.


