CISA Exam – Module 1 Study Materials
🎓 ISACA Certification Prep

CISA Exam – Module 1 Study Guide

Information Systems Auditing Process · Comprehensive Study Material with 100+ Practice Questions

📘 Domain: IS Audit Process
🎯 Weight: 21% of Exam
💡 Questions: 100+
📅 Edition: 2024–2025

Module 1 Overview

Information Systems Auditing Process — CISA Domain 1 accounts for approximately 21% of the total exam

🎯 Exam Weight

Domain 1 represents ~21% of the CISA exam. Expect approximately 25–30 questions from this domain in the 150-question exam.

📌 Core Purpose

Tests your ability to plan and conduct IS audits in accordance with ISACA standards to ensure organizational assets are safeguarded and controls are effective.

🗂️ Key Sub-Domains

  • ISACA Audit Standards & Guidelines
  • Audit Planning & Risk Assessment
  • Audit Execution & Evidence
  • Audit Reporting & Follow-up
  • Control Frameworks (COBIT, ITAF)

Task Statements

  • Develop a risk-based audit plan
  • Evaluate audit universe and scope
  • Perform audit procedures
  • Communicate audit results
  • Conduct follow-up activities

📌 What the CISA Exam Tests in Module 1

The IS Auditing Process domain evaluates a candidate's knowledge of the entire audit lifecycle — from initial planning through execution, evidence gathering, reporting, and follow-up. The focus is on risk-based auditing aligned with ISACA's Information Technology Assurance Framework (ITAF).

⚡ Critical Exam Tips

  • CISA exam questions prioritize the IS auditor's perspective and professional judgment.
  • Always choose answers that best reflect ISACA's standards and guidelines.
  • Risk-based audit approach is the dominant framework — always relate decisions to risk.
  • When two answers seem correct, choose the one that occurs earlier in the audit process.
  • Independence and objectivity of the auditor is almost always the top priority.

📊 Module 1 Topic Distribution (Approximate)

  • Audit Standards & Ethics: ~20%
  • Audit Planning & Risk: ~25%
  • Audit Execution & Evidence: ~30%
  • Audit Reporting & Follow-up: ~15%
  • ITAF & Frameworks: ~10%

IS Audit Standards & Ethics

ISACA Audit Standards, Guidelines, Code of Professional Ethics, and ITAF Framework

🏛️ ISACA's Information Technology Assurance Framework (ITAF)

ITAF is a comprehensive framework for IT assurance that provides guidance on the conduct of IS audits. It has three components:

  • Standards (IS Audit): Mandatory requirements; define minimum performance levels. Auditors MUST comply.
  • Guidelines: Provide guidance in applying audit standards. Auditors SHOULD follow.
  • Tools & Techniques: Examples and templates to assist in following standards. Auditors MAY use these.

⭐ Three Categories of ISACA Audit Standards

  • General Standards (1000 series): Principles guiding the IS auditor's professional behavior — independence, professional care, knowledge/skills, qualifications.
  • Performance Standards (1200 series): Describe the nature of IS audit activities and minimum performance requirements.
  • Reporting Standards (1400 series): Cover the types of reports, the means of communicating results and the information to be included.

🔑 Key General Standards to Memorize

  • Standard 1001 – Audit Charter: The IS audit function shall have an appropriate charter approved by senior management.
  • Standard 1002 – Organizational Independence: The IS audit function shall be independent of the area being audited.
  • Standard 1003 – Professional Independence: The IS auditor shall be free from all actual or perceived conflicts of interest.
  • Standard 1004 – Reasonable Expectation: IS audit function shall have resources with adequate skills, knowledge, and experience.
  • Standard 1005 – Due Professional Care: IS auditors shall apply due professional care in all audit activities.
  • Standard 1006 – Proficiency: IS auditors shall be competent and maintain their professional competence through CPE.
  • Standard 1007 – Assertions: An assertion is a positive declaration. IS auditors rely on management assertions.
  • Standard 1008 – Criteria: Audit must have suitable criteria to evaluate the subject matter.

⚖️ ISACA Code of Professional Ethics — 8 Key Principles

  • Support the implementation of appropriate standards, procedures and controls for IS.
  • Perform duties with objectivity and due diligence.
  • Serve the interests of stakeholders in a lawful manner while maintaining high standards.
  • Maintain the privacy and confidentiality of information obtained during duties.
  • Maintain competence in the interrelated fields of IS auditing.
  • Inform appropriate parties of the results of work performed.
  • Support the education of management, clients, and the general public.
  • Maintain high standards of conduct and character.

🔍 Auditor Independence Types

Independence is fundamental to the IS audit process:

  • Organizational Independence: The audit function should be free from interference in its activities by the entity being audited (structural).
  • Individual Independence: The auditor should be free from actual or perceived conflicts of interest (personal).
  • Appearance of Independence: Others must also perceive the auditor as independent ("independence in appearance").

Concept, definition, and key point for the exam:

  • Audit Charter: Formal document that defines the purpose, authority, and responsibilities of the IS audit function. Key point: must be approved by the Board/Audit Committee; establishes independence.
  • Objectivity: Mental attitude of impartiality in conducting audit work. Key point: an auditor should not audit areas they recently managed (1-year rule).
  • Due Professional Care: Application of competence and diligence; exercising reasonable care. Key point: does NOT mean infallibility; it means the skill of a competent professional.
  • Confidentiality: Information obtained during the audit is protected. Key point: may be disclosed when required by law or professional standards.
  • CPE Requirements: Continuing Professional Education. Key point: 120 CPE hours per 3-year reporting period, minimum 20 hours per year.

Audit Planning & Execution

Risk-based audit planning, audit programs, evidence collection, and audit techniques

📋 Audit Planning Process — Step by Step

  • Step 1 – Obtain Knowledge of Business: Understand the entity's objectives, operations, and environment.
  • Step 2 – Evaluate Prior Audit Results: Review previous audit findings and follow-up actions.
  • Step 3 – Identify Audit Universe: All auditable units/areas within the organization.
  • Step 4 – Conduct Risk Assessment: Identify and evaluate inherent and control risks.
  • Step 5 – Define Audit Scope & Objectives: Determine what will and will not be audited.
  • Step 6 – Develop Audit Program: Document specific audit procedures and steps.
  • Step 7 – Assign Staff & Resources: Allocate auditors with appropriate skills.
  • Step 8 – Address Materiality: Determine significance thresholds for findings.

⚡ Risk-Based Audit Approach

CISA heavily tests this concept. Key relationships to remember:

  • Audit Risk = Inherent Risk × Control Risk × Detection Risk
  • Inherent Risk: Risk that errors exist before considering controls (nature of the business).
  • Control Risk: Risk that controls fail to prevent/detect material errors.
  • Detection Risk: Risk that audit procedures fail to detect a material error.
  • Higher inherent/control risk → More substantive testing required → Lower detection risk needed.
  • Auditors CANNOT change inherent risk but CAN adjust detection risk through testing.

📝 Types of Audit Tests

  • Compliance Testing: Tests whether controls exist and are operating as intended. Also called "tests of controls."
  • Substantive Testing: Tests the integrity and completeness of transactions/data. Two types:
    • Tests of Transactions (walk-throughs, vouching)
    • Tests of Balances (analytical procedures, confirmation)
  • Key Rule: Compliance testing is performed FIRST. If controls are effective, substantive testing can be reduced.

🔬 Audit Evidence Standards

Audit evidence must possess these qualities (CARS):

  • C – Complete: Enough to support the audit conclusion.
  • A – Accurate: Free from errors and distortion.
  • R – Relevant: Related to the audit objectives.
  • S – Sufficient: Adequate in quantity for a reasonable conclusion.

Also: COMPETENT evidence is reliable, valid, relevant, and sufficient.

Evidence type, description, and reliability:

  • Physical Observation: Auditor's own observation. Reliability: High.
  • Confirmations: Written responses from third parties. Reliability: High.
  • Documentary Evidence: Internal/external documents. Reliability: Medium-High.
  • Analytical Procedures: Comparison, trend analysis. Reliability: Medium.
  • Inquiry: Oral responses from management. Reliability: Low.
  • Representations: Written management assertions. Reliability: Low-Medium.

🖥️ Computer-Assisted Audit Techniques (CAATs)

  • Audit Software: Used to query, analyze and manipulate data (e.g., ACL, IDEA).
  • Test Data: Dummy transactions entered to test processing logic.
  • Integrated Test Facility (ITF): Fictitious entity within live system for testing.
  • Parallel Simulation: Auditor replicates system processing independently.
  • Embedded Audit Modules: Code built into systems to capture transactions.
  • SCARF/EAM: System Control Audit Review File — monitors transactions.

📊 Sampling Methods

  • Statistical Sampling: Uses probability to select and evaluate results; allows quantitative conclusions about risk.
  • Non-Statistical Sampling: Based on auditor judgment; no mathematical precision.
  • Random Sampling: Every item has an equal chance of selection.
  • Stratified Sampling: Population divided into subgroups; useful when items vary in value.
  • Attribute Sampling: Tests whether a control attribute exists (yes/no).
  • Variable Sampling: Tests monetary value — used in substantive tests.
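As an added example (not part of this study guide), the following Python evaluates an attribute sample the way a compliance test of controls would: it computes the achieved upper deviation rate from the sample size, the number of deviations found and the confidence level, then compares it with the tolerable deviation rate the auditor set. The function names and the 60-ticket sample are constructed for illustration.

```python
"""Attribute-sampling evaluation for a compliance test (added example, not the
guide's own). Computes the achieved upper deviation rate for a sample of n
items with k deviations and compares it with the auditor's tolerable rate."""
from math import comb


def binom_cdf(k: int, n: int, p: float) -> float:
    """P(X <= k) for X ~ Binomial(n, p), computed exactly."""
    return sum(comb(n, i) * p**i * (1 - p) ** (n - i) for i in range(k + 1))


def upper_deviation_rate(n: int, k: int, confidence: float = 0.95) -> float:
    """Highest population deviation rate still consistent with the sample: the
    p at which seeing at most k deviations has probability 1 - confidence.
    Found by bisection, since the CDF falls as p grows (no SciPy needed)."""
    if k >= n:
        return 1.0  # every item deviated: nothing rules out a 100 % rate
    target = 1.0 - confidence
    lo, hi = 0.0, 1.0
    for _ in range(60):  # 60 halvings give precision far beyond audit needs
        mid = (lo + hi) / 2
        if binom_cdf(k, n, mid) > target:
            lo = mid  # sample still likely at this rate: true p may be higher
        else:
            hi = mid
    return hi


def evaluate_control(n: int, k: int, tolerable: float,
                     confidence: float = 0.95) -> dict:
    """Conclusion for one control: rely on it only if the achieved upper
    deviation rate does not exceed the tolerable deviation rate."""
    udr = upper_deviation_rate(n, k, confidence)
    return {
        "sample_deviation_rate": round(k / n, 4),
        "upper_deviation_rate": round(udr, 4),
        "rely_on_control": udr <= tolerable,
    }


if __name__ == "__main__":
    # Constructed sample: 60 change tickets inspected for approval evidence,
    # one lacked it; the auditor set a 5 % tolerable deviation rate.
    print(evaluate_control(n=60, k=1, tolerable=0.05))
```

With one deviation in 60 items the sample deviation rate is only 1.7%, but the 95% upper deviation rate is about 7.7%, above the 5% tolerable rate, so the control cannot be relied upon and substantive testing would have to be extended rather than reduced.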

Risk Assessment & Internal Controls

Control frameworks, risk assessment methodology, and evaluating control effectiveness

🏗️ Control Frameworks — COBIT 2019

COBIT (Control Objectives for Information and Related Technologies) by ISACA is the primary IT governance and management framework referenced in CISA:

  • Governance Objectives (6 EDM processes): Evaluate, Direct, Monitor.
  • Management Objectives (35 processes): Align, Plan, Organize (APO); Build, Acquire, Implement (BAI); Deliver, Service, Support (DSS); Monitor, Evaluate, Assess (MEA).
  • COBIT aligns IT with business goals and provides metrics for measuring performance.
  • Key principle: Governance vs. Management distinction — Board governs; management executes.

🛡️ Types of Controls

  • Preventive Controls: Stop errors before they occur (e.g., access controls, segregation of duties).
  • Detective Controls: Identify errors/irregularities after they occur (e.g., audit logs, exception reports).
  • Corrective Controls: Correct errors/irregularities after detection (e.g., backup recovery, patch management).
  • Compensating Controls: Alternative controls when primary controls cannot be implemented.

Exam tip: Preventive > Detective > Corrective is the preferred order. Always prefer prevention.

🔐 Control Categories

  • General Controls (IT General Controls): Apply to the IT environment overall — change management, access controls, data center operations.
  • Application Controls: Specific to individual applications — input, processing, output controls.
  • IT-dependent Manual Controls: Manual controls that rely on IT-generated information.

📐 Risk Assessment Process

  • Threat: Potential cause of an unwanted incident.
  • Vulnerability: A weakness that could be exploited by a threat.
  • Impact: Consequence if the threat exploits the vulnerability.
  • Risk = Threat × Vulnerability × Impact
  • Residual Risk: Risk remaining after controls are applied.
  • Risk Appetite: Amount of risk the organization is willing to accept.

Risk response, description, and example:

  • Accept: Acknowledge the risk and take no action. Example: low-impact risk below the risk appetite.
  • Mitigate/Reduce: Implement controls to reduce likelihood or impact. Example: firewalls, access controls.
  • Transfer: Shift the risk to a third party. Example: cyber insurance, outsourcing.
  • Avoid: Eliminate the activity causing the risk. Example: discontinue a risky process.

🔑 Segregation of Duties (SoD)

A fundamental internal control concept heavily tested in CISA:

  • No single individual should control all phases of a transaction (authorization, recording, custody).
  • Prevents fraud and errors by requiring collusion to override controls.
  • IT-specific SoD: Systems analyst, programmer, computer operator, data entry, and librarian roles should be separated.
  • In small organizations, compensating controls (management review, audit trails) substitute for SoD.
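The SoD rules above are the kind of check audit software (see CAATs) runs over an access listing. The following is an added example, not code from the study guide; the role names, users and role-to-duty mapping are hypothetical, and the compensating-control flag reflects the small-organization point made above.

```python
"""Segregation-of-duties (SoD) conflict check over an access listing (added
example, not the guide's own). Maps each role to the duty it represents, flags
users holding conflicting duties and notes any documented compensating control.
Role names are hypothetical."""
from collections import defaultdict
from itertools import combinations

# Duty represented by each role (hypothetical role names).
ROLE_DUTY = {
    "po_approver": "authorization",
    "ap_clerk": "recording",
    "treasury_payments": "custody",
    "app_programmer": "programming",
    "prod_operator": "operations",
}

# Duty pairs one person must not hold: the authorization/recording/custody
# split plus the programmer/operator separation from the guide.
CONFLICTS = {
    frozenset({"authorization", "recording"}),
    frozenset({"authorization", "custody"}),
    frozenset({"recording", "custody"}),
    frozenset({"programming", "operations"}),
}

def sod_conflicts(entitlements, compensating_controls=frozenset()):
    """Return {user: [(duty_a, duty_b, status), ...]} for every conflict found.
    status is 'mitigated' when a compensating control (e.g. documented
    management review) is on file for the user, otherwise 'open'."""
    duties = defaultdict(set)
    for user, role in entitlements:
        if role in ROLE_DUTY:  # roles without a duty mapping are not SoD-relevant
            duties[user].add(ROLE_DUTY[role])
    findings = {}
    for user, held in duties.items():
        status = "mitigated" if user in compensating_controls else "open"
        hits = [(a, b, status) for a, b in combinations(sorted(held), 2)
                if frozenset({a, b}) in CONFLICTS]
        if hits:
            findings[user] = hits
    return findings

if __name__ == "__main__":
    # Constructed access listing (user, role) as exported from an IAM system.
    ACCESS = [("alice", "po_approver"), ("alice", "treasury_payments"),
              ("bob", "ap_clerk"), ("bob", "readonly_reports"),
              ("carol", "app_programmer"), ("carol", "prod_operator")]
    print(sod_conflicts(ACCESS, compensating_controls={"carol"}))
```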

Audit Reporting & ITAF

Communication of audit results, findings documentation, follow-up procedures, and ITAF requirements

📄 Audit Reporting Requirements (ISACA Standard 1401)

  • The IS auditor shall provide a report, in an appropriate form, upon completion of the audit engagement.
  • The report shall identify the enterprise, the intended recipients, and the restrictions on circulation.
  • The report shall state the scope, objectives, period of coverage, and nature/extent of work performed.
  • The report shall state the findings, conclusions, and recommendations.
  • The report shall state any reservations or qualifications the IS auditor has regarding the engagement.

⭐ Audit Finding Components (CAMP)

Every audit finding must include these elements:

  • C – Condition: What IS — the current situation found during the audit.
  • A – Criteria: What SHOULD BE — the standard/benchmark being applied.
  • M – (Effect/Impact): The risk/consequence of the gap.
  • P – (Root) Cause: Why the condition exists.
  • Also includes Recommendations for corrective action.

📊 Types of Audit Opinions

  • Unqualified (Clean) Opinion: Controls are adequate and effective; no material weaknesses.
  • Qualified Opinion: Controls are generally adequate except for specific issues noted.
  • Adverse Opinion: Controls are inadequate; material weaknesses exist.
  • Disclaimer of Opinion: IS auditor was unable to form an opinion due to scope limitation.

📋 Audit Working Papers

  • Working papers document all audit evidence and procedures performed.
  • They support the audit findings and conclusions in the audit report.
  • Must be complete, accurate, concise, clear and properly indexed.
  • Ownership: Working papers are the property of the IS audit function (not management or client).
  • Retention period varies — typically 5-7 years based on organizational policy.
  • Working papers must be protected from unauthorized access.

🔄 Audit Follow-up Process

  • The IS auditor should evaluate whether management has implemented agreed-upon recommendations in a timely manner.
  • Follow-up Timing: Typically 30/60/90 days after report issuance depending on risk level.
  • If management does not implement recommendations, the IS auditor should escalate to appropriate levels.
  • Ultimately, escalation goes to the Board or Audit Committee if senior management does not act.

🏢 Audit Committee Role

  • The Audit Committee (typically a Board subcommittee) provides oversight of the audit function.
  • IS auditors should have direct access to the Audit Committee to ensure independence.
  • The Audit Committee approves the audit charter, audit plan, and reviews audit reports.
  • Any disagreements between the IS auditor and management should be escalated to the Audit Committee.

Report element and description:

  • Title/Date: Identifies the report and when it was issued.
  • Addressee: Who the report is directed to.
  • Scope & Objectives: What was audited and why.
  • Executive Summary: High-level overview of findings.
  • Findings & Recommendations: Detailed issues and suggested actions.
  • Management Response: Auditee's response to each finding.
  • Auditor Signature/Credentials: Identifies the responsible auditor.

Practice Questions

100 CISA-style questions, each with an explanation of the correct answer


Key Terms Glossary

Essential definitions for CISA Module 1 — memorize these for the exam
