CISA Module 1 of 5 – M A Fazal & Co.

Module 1 Overview

Information Systems Auditing Process — CISA Domain 1 accounts for approximately 21% of the total exam

🎯

Exam Weight

Domain 1 represents ~21% of the CISA exam. Expect approximately 25–30 questions from this domain in the 150-question exam.

📌

Core Purpose

Tests your ability to plan and conduct IS audits in accordance with ISACA standards to ensure organizational assets are safeguarded and controls are effective.

🗂️

Key Sub-Domains

ISACA Audit Standards & Guidelines
Audit Planning & Risk Assessment
Audit Execution & Evidence
Audit Reporting & Follow-up
Control Frameworks (COBIT, ITAF)

✅

Task Statements

Develop a risk-based audit plan
Evaluate audit universe and scope
Perform audit procedures
Communicate audit results
Conduct follow-up activities

📌 What the CISA Exam Tests in Module 1

The IS Auditing Process domain evaluates a candidate's knowledge of the entire audit lifecycle — from initial planning through execution, evidence gathering, reporting, and follow-up. The focus is on risk-based auditing aligned with ISACA's Information Technology Assurance Framework (ITAF).

⚡ Critical Exam Tips

CISA exam questions prioritize the IS auditor's perspective and professional judgment.
Always choose answers that best reflect ISACA's standards and guidelines.
Risk-based audit approach is the dominant framework — always relate decisions to risk.
When two answers seem correct, choose the one that occurs earlier in the audit process.
Independence and objectivity of the auditor is almost always the top priority.

📊 Module 1 Topic Distribution (Approximate)

Audit Standards & Ethics: ~20%
Audit Planning & Risk: ~25%
Audit Execution & Evidence: ~30%
Audit Reporting & Follow-up: ~15%
ITAF & Frameworks: ~10%

IS Audit Standards & Ethics

ISACA Audit Standards, Guidelines, Code of Professional Ethics, and ITAF Framework

🏛️ ISACA's Information Technology Assurance Framework (ITAF)

ITAF is a comprehensive framework for IT assurance that provides guidance on the conduct of IS audits. It has three components:

Standards (IS Audit): Mandatory requirements; define minimum performance levels. Auditors MUST comply.
Guidelines: Provide guidance in applying audit standards. Auditors SHOULD follow.
Tools & Techniques: Examples and templates to assist in following standards. Auditors MAY use these.

⭐ Three Categories of ISACA Audit Standards

General Standards (1000 series): Principles guiding the IS auditor's professional behavior — independence, professional care, knowledge/skills, qualifications.
Performance Standards (1200 series): Describe the nature of IS audit activities and minimum performance requirements.
Reporting Standards (1400 series): Cover the types of reports, the means of communicating results and the information to be included.

🔑 Key General Standards to Memorize

Standard 1001 – Audit Charter: The IS audit function shall have an appropriate charter approved by senior management.
Standard 1002 – Organizational Independence: The IS audit function shall be independent of the area being audited.
Standard 1003 – Professional Independence: The IS auditor shall be free from all actual or perceived conflicts of interest.
Standard 1004 – Reasonable Expectation: IS audit function shall have resources with adequate skills, knowledge, and experience.
Standard 1005 – Due Professional Care: IS auditors shall apply due professional care in all audit activities.
Standard 1006 – Proficiency: IS auditors shall be competent and maintain their professional competence through CPE.
Standard 1007 – Assertions: An assertion is a positive declaration. IS auditors rely on management assertions.
Standard 1008 – Criteria: Audit must have suitable criteria to evaluate the subject matter.

⚖️ ISACA Code of Professional Ethics — 8 Key Principles

Support the implementation of appropriate standards, procedures and controls for IS.
Perform duties with objectivity and due diligence.
Serve the interests of stakeholders in a lawful manner while maintaining high standards.
Maintain the privacy and confidentiality of information obtained during duties.
Maintain competence in the interrelated fields of IS auditing.
Inform appropriate parties of the results of work performed.
Support the education of management, clients, and the general public.
Maintain high standards of conduct and character.

🔍 Auditor Independence Types

Independence is fundamental to the IS audit process:

Organizational Independence: The audit function should be free from interference in its activities by the entity being audited (structural).
Individual Independence: The auditor should be free from actual or perceived conflicts of interest (personal).
Appearance of Independence: Others must also perceive the auditor as independent ("independence in appearance").

Concept	Definition	Key Point for Exam
Audit Charter	Formal document that defines the purpose, authority, and responsibilities of the IS audit function	Must be approved by Board/Audit Committee; establishes independence
Objectivity	Mental attitude of impartiality in conducting audit work	Auditor should not audit areas they recently managed (1-year rule)
Due Professional Care	Application of competence and diligence; exercising reasonable care	Does NOT mean infallibility; means skill of a competent professional
Confidentiality	Information obtained during audit is protected	Can be disclosed legally if required by law or professional standards
CPE Requirements	Continuing Professional Education	120 CPE hours per 3-year reporting period, min 20 hours per year

Audit Planning & Execution

Risk-based audit planning, audit programs, evidence collection, and audit techniques

📋 Audit Planning Process — Step by Step

Step 1 – Obtain Knowledge of Business: Understand the entity's objectives, operations, and environment.
Step 2 – Evaluate Prior Audit Results: Review previous audit findings and follow-up actions.
Step 3 – Identify Audit Universe: All auditable units/areas within the organization.
Step 4 – Conduct Risk Assessment: Identify and evaluate inherent and control risks.
Step 5 – Define Audit Scope & Objectives: Determine what will and will not be audited.
Step 6 – Develop Audit Program: Document specific audit procedures and steps.
Step 7 – Assign Staff & Resources: Allocate auditors with appropriate skills.
Step 8 – Address Materiality: Determine significance thresholds for findings.

⚡ Risk-Based Audit Approach

CISA heavily tests this concept. Key relationships to remember:

Audit Risk = Inherent Risk × Control Risk × Detection Risk
Inherent Risk: Risk that errors exist before considering controls (nature of the business).
Control Risk: Risk that controls fail to prevent/detect material errors.
Detection Risk: Risk that audit procedures fail to detect a material error.
Higher inherent/control risk → More substantive testing required → Lower detection risk needed.
Auditors CANNOT change inherent risk but CAN adjust detection risk through testing.

📝 Types of Audit Tests

Compliance Testing: Tests whether controls exist and are operating as intended. Also called "tests of controls."
Substantive Testing: Tests the integrity and completeness of transactions/data. Two types:
- Tests of Transactions (walk-throughs, vouching)
- Tests of Balances (analytical procedures, confirmation)
Key Rule: Compliance testing is performed FIRST. If controls are effective, substantive testing can be reduced.

🔬 Audit Evidence Standards

Audit evidence must possess these qualities (CARS):

C – Complete: Enough to support the audit conclusion.
A – Accurate: Free from errors and distortion.
R – Relevant: Related to the audit objectives.
S – Sufficient: Adequate in quantity for a reasonable conclusion.

Also: COMPETENT evidence is reliable, valid, relevant, and sufficient.

Evidence Type	Description	Reliability
Physical Observation	Auditor's own observation	High
Confirmations	Written responses from third parties	High
Documentary Evidence	Internal/external documents	Medium-High
Analytical Procedures	Comparison, trend analysis	Medium
Inquiry	Oral responses from management	Low
Representations	Written management assertions	Low-Medium

🖥️ Computer-Assisted Audit Techniques (CAATs)

Audit Software: Used to query, analyze and manipulate data (e.g., ACL, IDEA).
Test Data: Dummy transactions entered to test processing logic.
Integrated Test Facility (ITF): Fictitious entity within live system for testing.
Parallel Simulation: Auditor replicates system processing independently.
Embedded Audit Modules: Code built into systems to capture transactions.
SCARF/EAM: System Control Audit Review File — monitors transactions.

📊 Sampling Methods

Statistical Sampling: Uses probability to select and evaluate results; allows quantitative conclusions about risk.
Non-Statistical Sampling: Based on auditor judgment; no mathematical precision.
Random Sampling: Every item has an equal chance of selection.
Stratified Sampling: Population divided into subgroups; useful when items vary in value.
Attribute Sampling: Tests whether a control attribute exists (yes/no).
Variable Sampling: Tests monetary value — used in substantive tests.

Risk Assessment & Internal Controls

Control frameworks, risk assessment methodology, and evaluating control effectiveness

🏗️ Control Frameworks — COBIT 2019

COBIT (Control Objectives for Information and Related Technologies) by ISACA is the primary IT governance and management framework referenced in CISA:

Governance Objectives (6 EDM processes): Evaluate, Direct, Monitor.
Management Objectives (35 processes): Align, Plan, Organize (APO); Build, Acquire, Implement (BAI); Deliver, Service, Support (DSS); Monitor, Evaluate, Assess (MEA).
COBIT aligns IT with business goals and provides metrics for measuring performance.
Key principle: Governance vs. Management distinction — Board governs; management executes.

🛡️ Types of Controls

Preventive Controls: Stop errors before they occur. (e.g., access controls, segregation of duties).
Detective Controls: Identify errors/irregularities after they occur. (e.g., audit logs, exception reports).
Corrective Controls: Correct errors/irregularities after detection. (e.g., backup recovery, patch management).
Compensating Controls: Alternative controls when primary controls cannot be implemented.

Exam tip: Preventive > Detective > Corrective is the preferred order. Always prefer prevention.

🔐 Control Categories

General Controls (IT General Controls): Apply to the IT environment overall — change management, access controls, data center operations.
Application Controls: Specific to individual applications — input, processing, output controls.
IT-dependent Manual Controls: Manual controls that rely on IT-generated information.

📐 Risk Assessment Process

Threat: Potential cause of an unwanted incident.
Vulnerability: A weakness that could be exploited by a threat.
Impact: Consequence if the threat exploits the vulnerability.
Risk = Threat × Vulnerability × Impact
Residual Risk: Risk remaining after controls are applied.
Risk Appetite: Amount of risk the organization is willing to accept.

Risk Response	Description	Example
Accept	Acknowledge risk and take no action	Low-impact risk below risk appetite
Mitigate/Reduce	Implement controls to reduce likelihood or impact	Firewalls, access controls
Transfer	Shift risk to third party	Cyber insurance, outsourcing
Avoid	Eliminate the activity causing risk	Discontinue a risky process

🔑 Segregation of Duties (SoD)

A fundamental internal control concept heavily tested in CISA:

No single individual should control all phases of a transaction (authorization, recording, custody).
Prevents fraud and errors by requiring collusion to override controls.
IT-specific SoD: Systems analyst, programmer, computer operator, data entry, and librarian roles should be separated.
In small organizations, compensating controls (management review, audit trails) substitute for SoD.

Audit Reporting & ITAF

Communication of audit results, findings documentation, follow-up procedures, and ITAF requirements

📄 Audit Reporting Requirements (ISACA Standard 1401)

The IS auditor shall provide a report, in an appropriate form, upon completion of the audit engagement.
The report shall identify the enterprise, the intended recipients, and the restrictions on circulation.
The report shall state the scope, objectives, period of coverage, and nature/extent of work performed.
The report shall state the findings, conclusions, and recommendations.
The report shall state any reservations or qualifications the IS auditor has regarding the engagement.

⭐ Audit Finding Components (CAMP)

Every audit finding must include these elements:

C – Condition: What IS — the current situation found during the audit.
A – Criteria: What SHOULD BE — the standard/benchmark being applied.
M – (Effect/Impact): The risk/consequence of the gap.
P – (Root) Cause: Why the condition exists.
Also includes Recommendations for corrective action.

📊 Types of Audit Opinions

Unqualified (Clean) Opinion: Controls are adequate and effective; no material weaknesses.
Qualified Opinion: Controls are generally adequate except for specific issues noted.
Adverse Opinion: Controls are inadequate; material weaknesses exist.
Disclaimer of Opinion: IS auditor was unable to form an opinion due to scope limitation.

📋 Audit Working Papers

Working papers document all audit evidence and procedures performed.
They support the audit findings and conclusions in the audit report.
Must be complete, accurate, concise, clear and properly indexed.
Ownership: Working papers are the property of the IS audit function (not management or client).
Retention period varies — typically 5-7 years based on organizational policy.
Working papers must be protected from unauthorized access.

🔄 Audit Follow-up Process

The IS auditor should evaluate whether management has implemented agreed-upon recommendations timely.
Follow-up Timing: Typically 30/60/90 days after report issuance depending on risk level.
If management does not implement recommendations, the IS auditor should escalate to appropriate levels.
Ultimately, escalation goes to the Board or Audit Committee if senior management does not act.

🏢 Audit Committee Role

The Audit Committee (typically a Board subcommittee) provides oversight of the audit function.
IS auditors should have direct access to the Audit Committee to ensure independence.
The Audit Committee approves the audit charter, audit plan, and reviews audit reports.
Any disagreements between the IS auditor and management should be escalated to the Audit Committee.

Report Element	Description
Title/Date	Identifies the report and when issued
Addressee	Who the report is directed to
Scope & Objectives	What was audited and why
Executive Summary	High-level overview of findings
Findings & Recommendations	Detailed issues and suggested actions
Management Response	Auditee's response to each finding
Auditor Signature/Credentials	Identifies the responsible auditor

Practice Questions

100 CISA-style questions — click an option to answer; explanation reveals automatically

Answered 0

Correct 0

Wrong 0

Progress0 / 100

Key Terms Glossary

Essential definitions for CISA Module 1 — memorize these for the exam