Upgrade Your Career with Exciting Offers on our Career-defining Courses Upto 50% OFF | Offer ending in:
D H M S Grab Now


This article covers –

  • Overall understanding of the domain
  • Important concepts to focus on from exam point of view

The article is split into 3 parts as below:

  • Part 1 – Overall understanding of Domain 1, Important concepts from exam point of view – Audit charter, Audit planning, Risk analysis
  • Part 2 – Internal controls, COBIT – 5, Risk-based auditing, Risk treatment
  • Part 3 – Compliance testing Vs. Substantive testing, Audit evidence, Audit Sampling and Control self-assessment


Overall understanding of the domain:
Weightage – This domain constitutes 21 percent of the CISA exam (approximately 32 questions)
Covers 11 Knowledge statements covering the process of auditing information systems
  1. ISACA IS Audit and Assurance Standards, Guidelines, and Tools and Techniques, Code of Professional Ethics and other applicable standards
  2. risk assessment concepts and tools and techniques in planning, examination, reporting and follow-up
  3. Fundamental business processes and the role of IS in these processes
  4. Control principles related to controls in information systems
  5. Risk-based audit planning and audit project management techniques
  6. Applicable laws and regulations which affect the scope, evidence collection and preservation and frequency of audits
  7. Evidence collection techniques used to gather, protect and preserve audit evidence
  8. Different sampling methodologies and other substantive/data analytical procedures
  9. Reporting and communication techniques
  10. Audit quality assurance (QA) systems and frameworks
  11. Various types of audits and methods for assessing and placing reliance on the work of other auditors or control entities
Important concepts from exam point of view:

1.Audit Charter:

  • Audit Charter outlines the overall authority, scope and responsibilities of audit function
  • Audit charter should be approved by Audit committee or senior management
  • Internal audit function is always independent of management committee
Points to remember:

  •  When CISA question is on the approval of audit charter, the answer should be senior most management, based on the options available.
  •  IS auditor’s role being more of reporting of audit observations and giving an “independent audit opinion”


2.Audit planning:

  • Step 1 – Understanding of business mission, vision, objectives, process which includes information requirements under CIA trait (Confidentiality, Integrity and Availability of data)
  • Step 2 – Understanding of business environment
  • Step 3 – Review prior work papers
  • Step 4 – Perform Risk analysis
  • Step 5 – Set audit scope and objectives
  • Step 6 – Develop audit plan/strategy
  • Step 7 – Assign audit personal/resources
Point to remember: The first step in the audit planning is always understanding the business mission, objectives and business environment, then analyzing the risk involved based in the audit scope. 

Audit planning includes –

  • Short term planning – considers audit issues that will be covered during the year
  • Long term planning – audit plans that will take into account risk-related issues regarding changes in the organization’s IT strategic direction that will affect the organization’s IT environment.

3.Risk analysis:

  • Risk is a combination of the probability of an event and its consequence (International Organization for Standardization [ISO] 31000:2009) 
  • Risk analysis is part of audit planning, and help identify risk and vulnerabilities so the IS auditor can determine the controls needed to mitigate those risk
Point to remember: CISA candidate should be able to differentiate between threat and vulnerability. Threat is anything that can exploit a vulnerability, intentionally or accidentally, and obtain, damage, or destroy an asset. Vulnerability is Weakness or gap in a security program that can be exploited by threats to gain unauthorized access to an asset 
  • Risk analysis covers Risk Management Framework – ISO 27005, ISO 31000
  • Risk Assessment Process – The process starts with identifying the sources and events, then identifying the vulnerabilities associated with the sources, and then analyzing the probability of the occurrence and the impact.
  • Risk Management Process – It begins with identifying the business objectives, the information assets that are associated with business, assessment of risk, how to mitigate the risk (either to avoid or transfer or mitigate/reduce the risk) and implementing controls to mitigate the risk)
Point to remember:

  • CISA candidate should be aware of the difference between Risk assessment and Risk management. Risk assessment is the process of finding where the risk exists. Risk management is the second step after performing risk assessment.
  • Risk can be mitigated/reduced through implementation of controls/ third-party insurance, etc. 

Part 1, Part 2, Part 3

Aswini Srinath ( )
Writer And Editor
I am a qualified Chartered Accountant based out of Chennai, with 8+ years of experience in various roles in finance domain including CA Practice, financial reporting and auditing. I have always been keen to challenge myself by exploring potential capabilities outside of my core competency. Picked up Information Security as one such thing. Cleared CISA with 2nd Rank in ISACA Chennai Chapter in 2019. Since then, i have been sharing my learning and experience to a small group of avid followers, helping them prepare for their CISA exams. This article is also one such attempt, where I summarize the key areas in each domain based on the importance and weightage from an exam point of view.