CISA Domain 1 – The Process of Auditing Information Systems

March 16, 2011 by Kenneth Magee

First, Get a copy of the CISA Review Manual and a copy of the Q&A CD

Second, Read one Domain then answer all the questions on the Q&A CD for that Domain until you can answer everyone correctly.  As you answer the questions look in the Review Manual for that Domain for the supporting material and put a post-it flag on the page.

CISA – Domain 1 – The Process of Auditing Information Systems

There are 7 areas that you need to understand in Domain 1.

1)      Management of the IS Audit Function

  1. Need to know about the audit charter and what it contains
  2. Need to know the steps to perform audit planning.  In the CISA review manual on page 34, look at Exhibit 1.2 and commit those steps to memory
  3. Take an ink pen and write on your hand “Gain an understanding of the business’s mission, objectives, purpose and processes.”  IMPORTANT this shows up in about 3-4 questions on the exam.
  4. Read through the section on “Effect of Laws and Regulations on IS Audit Planning, paying particular attention to the Basel II Accord on page 35.

2)     ISACA IT Audit and Assurance Standards and Guidelines

  1. Memorize S1, S2, S4, S9, and S10.  Standards S12 thru S16 are recent additions to CISA  and you should have a close intimate acquaintance with S12, S13 & S14.
  2. Memorize G5, G10, G18, and G19.  Guidelines G41 and G42 are recent additions to CISA and ROSI is receiving a lot of press.  So be familiar with the concept of Return on Security Investment and how to calculate it.  For example, let’s say you spend $500,000 of anti-virus software for your enterprise and your boss wants justification for why he/she should continue to spend that kind of money when there hasn’t been any virus infections in the last year.  You respond with, “You’re absolutely right, there hasn’t been any virus infections in the last year.  However, two years ago when we did have a virus infection it cost the company $15,000 in additional overtime to clean up after the virus infection.  Our incident response team says we’re blocking about 500 to 700 virus a day, so if we say just 1 virus a day gets thru and multiplying it by the cost to recover $15,000 that comes out to about $5.4 million dollars in overtime savings alone.”  I think your boss will be impressed with your ROSI.
  3. Memorize P2, P5, P7, and P10
  4. You should have an understanding of ITAF (Information Technology Assurance Framework) particularly section 3000 on IT Assurance Guidelines

3)     Risk Analysis

  1. Know the definition of risk
  2. Know the remediation methods (Accept, Mitigate, Transfer, Avoid)

4)     Internal Controls

  1. Know the difference between Preventive, Detective, and Corrective controls
  2. Understand how CobiT fits into ISACA’s idea of supporting IT governance and management
  3. Understand the difference between IT control objectives and Internal control objectives

5)     Performing an IS Audit

  1. Know the definitions of Auditing and IS Auditing – they’re different
  2. Know the different types of audits, read closely integrated audits and forensic audits
  3. Know the different phases of an audit, in other words memorize Exhibit 1.5 on page 53
  4. Understand the concept of risk based auditing including inherent, control, and detection risks.
  5. Be able to give examples of both compliance testing and substantive testing
  6. Sampling is a section in the Review Manual that you just have to memorize, that’s it, memorize page 60 of the CISA manual

6)     Control Self-Assessment

  1. Your role is as a facilitator

7)     The Evolving IS Audit Process

  1. Integrated auditing means you work with the financial auditor on an audit which is based on RISK
  2. Understand the difference between continuous monitoring and continuous auditing

The first domain is a basis for understanding the whole area of Certified Information Systems Auditor, and without a grasp of the basic fundamentals you cannot be successful in the other domains.

Posted: March 16, 2011
Kenneth Magee
View Profile

Ken is President and owner of Data Security Consultation and Training, LLC. He has taught cybersecurity at the JAG school at the University of Virginia, KPMG Advisory University, Microsoft and several major federal financial institutions and government agencies. As CISO for the Virginia Community College System, Ken’s focus was the standardization of security around the ISO 27000 series framework. Writing is one of his passions and he has authored and/or co-authored several courses, including CISSP, CISA, CISM, CGEIT, CRISC, DoD Cloud Computing SRG and a course for training Security Control Assessors using NIST SP 800-53A. Ken has also achieved a number of certifications, including CISSP, SSCP, CCSP, CAP, ISSMP, ISSAP, ISSEP, CISM, CISA, CAC, CEH, ISO9000LA, ISO14001LA, ISO27001PA, Security+, CySA+, CASP, CTT+, CPT, GSEC, GSNA, GWAPT, CIA, CGAP, CFE, MCP, MCSA, MCSE and MCT.

8 responses to “CISA Domain 1 – The Process of Auditing Information Systems”

  1. Compton says:

    Mr. Magee,

    Was reading CISA Certified Information Systems Auditor All-in-One Exam Guide by Peter H. Gregory,

    and one of the questions were:

    What is the appropriate role of an IS auditor in a control self-assessment?
    A. The IS auditor should participate as a subject matter expert
    B. The IS auditor should act as facilitator
    C. The IS auditor should not be involved
    D. The IS auditor should design the control self-assessment

    His answer is A.
    The IS auditor should act as a subject matter expert in a control self assessment, but should not play a major role in the process.

    In the ISACA – CISA Review Manual 2010, it agrees with your notion that the Auditor role, is to be facilitator.

    Question to you: Why would his response be 100% incorrect.

  2. Compton says:

    Mr. Magee,

    I made contact with the author and he verified that the Auditors role in a CSA was that of a facilitator. A typo in his book.


  3. Theresa Frye says:

    Where can I Get a copy of the CISA Review Manual and a copy of the Q&A CD?

  4. Jean Hernandez says:

    If I take the ISACA CISA review questions software and get about 80% of them I can say I am quite prepared for the test?

  5. Shekar says:

    Hi Mr. Magee,

    First of all, a great thanks to you for letting us know what to concentrate upon in the CRM. It definitely makes reading of it easier.

    I just wanted to point out one thing: You have mentioned here that G19 should also be memorized. But when I checked the ISACA Stds document, it says this has been withdrawn w.e.f. 1 Sep 2008. So, does it still apply?

  6. Deepa says:

    What are audit hooks, EAF and ITF? Any examples would be of great help!

  7. Deepa says:

    Advantage of continuous audit approach is that it can improve system security when used in time-sharing environments that process large number of transactions. What are time-sharing environments?

  8. phillimon says:

    Is there someone with a sample of an IS audit report?

Leave a Reply

Your email address will not be published.