This article covers –
- Overall understanding of the domain
- Important concepts to focus on from exam point of view
The article is split into 3 parts as below:
- Part 1 – Overall understanding of Domain 1, Important concepts from exam point of view – Audit charter, Audit planning, Risk analysis
- Part 2 – Internal controls, COBIT – 5, Risk-based auditing, Risk treatment
- Part 3 – Compliance testing Vs. Substantive testing, Audit evidence, Audit Sampling and Control self-assessment
Overall understanding of the domain:
Weightage – This domain constitutes 21 percent of the CISA exam (approximately 32 questions)
Covers 11 Knowledge statements covering the process of auditing information systems
- ISACA IS Audit and Assurance Standards, Guidelines, and Tools and Techniques, Code of Professional Ethics and other applicable standards
- risk assessment concepts and tools and techniques in planning, examination, reporting and follow-up
- Fundamental business processes and the role of IS in these processes
- Control principles related to controls in information systems
- Risk-based audit planning and audit project management techniques
- Applicable laws and regulations which affect the scope, evidence collection and preservation and frequency of audits
- Evidence collection techniques used to gather, protect and preserve audit evidence
- Different sampling methodologies and other substantive/data analytical procedures
- Reporting and communication techniques
- Audit quality assurance (QA) systems and frameworks
- Various types of audits and methods for assessing and placing reliance on the work of other auditors or control entities
Important concepts from exam point of view:
- Audit Charter outlines the overall authority, scope and responsibilities of audit function
- Audit charter should be approved by Audit committee or senior management
- Internal audit function is always independent of management committee
|Points to remember:
- When CISA question is on the approval of audit charter, the answer should be senior most management, based on the options available.
- IS auditor’s role being more of reporting of audit observations and giving an “independent audit opinion”
- Step 1 – Understanding of business mission, vision, objectives, process which includes information requirements under CIA trait (Confidentiality, Integrity and Availability of data)
- Step 2 – Understanding of business environment
- Step 3 – Review prior work papers
- Step 4 – Perform Risk analysis
- Step 5 – Set audit scope and objectives
- Step 6 – Develop audit plan/strategy
- Step 7 – Assign audit personal/resources
|Point to remember: The first step in the audit planning is always understanding the business mission, objectives and business environment, then analyzing the risk involved based in the audit scope.
Audit planning includes –
- Short term planning – considers audit issues that will be covered during the year
- Long term planning – audit plans that will take into account risk-related issues regarding changes in the organization’s IT strategic direction that will affect the organization’s IT environment.
- Risk is a combination of the probability of an event and its consequence (International Organization for Standardization [ISO] 31000:2009)
- Risk analysis is part of audit planning, and help identify risk and vulnerabilities so the IS auditor can determine the controls needed to mitigate those risk
|Point to remember: CISA candidate should be able to differentiate between threat and vulnerability. Threat is anything that can exploit a vulnerability, intentionally or accidentally, and obtain, damage, or destroy an asset. Vulnerability is Weakness or gap in a security program that can be exploited by threats to gain unauthorized access to an asset
- Risk analysis covers Risk Management Framework – ISO 27005, ISO 31000
- Risk Assessment Process – The process starts with identifying the sources and events, then identifying the vulnerabilities associated with the sources, and then analyzing the probability of the occurrence and the impact.
- Risk Management Process – It begins with identifying the business objectives, the information assets that are associated with business, assessment of risk, how to mitigate the risk (either to avoid or transfer or mitigate/reduce the risk) and implementing controls to mitigate the risk)
|Point to remember:
- CISA candidate should be aware of the difference between Risk assessment and Risk management. Risk assessment is the process of finding where the risk exists. Risk management is the second step after performing risk assessment.
- Risk can be mitigated/reduced through implementation of controls/ third-party insurance, etc.