CISA Domain 1 Exam Important Points Part 1

Some key areas that you must review once you complete Domain 1 of CISA. These are important statements that I have documented from Part 1 of Domain 1, which is PLANNING. I will document the Part 2 (EXECUTION) section by the end of this month.

  1. IS audit is the formal examination of information systems to DETERMINE whether the information systems comply with applicable laws, regulations, contracts and/or industry guidelines.
  2. IS auditors must FIRST understand and be able to evaluate the business processes of the organization they are auditing.
    1. This includes testing and evaluating the controls.
  3. The business process owner is responsible for:
    1. Identifying process requirements
    2. Approving process design
    3. Managing process performance
    4. Committing resources to process-specific risk management activities
  4. Audit Charter
    1. The responsibility, authority and accountability of the IS audit function should be appropriately documented in an audit charter.
    2. The audit charter should be approved by the audit committee.
  5. An IS auditor must be technically competent, having the skills and knowledge necessary to perform audit work.
  6. Audit planning is conducted at the beginning of the audit process to establish the overall audit strategy and detail the specific procedures.
    1. The audit plan includes all of the processes that are rated "high," which would represent the ideal annual audit plan.
  7. Two major areas of concern affect the audit and its scope:
    1. Legal requirements placed on the audit
    2. Legal requirements placed on the auditee and its data
  8. Good controls are those set and designed into the business application that supports the processes.
    1. Controls may be a combination of management, programmed and manual controls.
    2. To EFFECTIVELY audit business application systems, an IS auditor must obtain a clear understanding of the application system under review.
  9. Controls
    1. An effective control is one that prevents, detects and/or limits an incident and enables recovery from a risk event.
    2. Controls are implemented to reduce risk to the organization.
    3. The board of directors and senior management are responsible for establishing the appropriate culture to facilitate an effective and efficient internal control system.
    4. Internal controls are directed at business or operational objectives.
    5. Control objectives are narratives of the desired result.
      1. Control objectives must address the effectiveness and efficiency of operations.
    6. An IS auditor analyzes the evidence gathered throughout the audit to determine whether the operations analyzed are well controlled and effective.
    7. A control matrix is usually used in assessing the proper level of controls.
    8. An IS auditor should be aware of compensating controls in areas where controls have been identified as weak.
      1. A compensating control situation occurs when one stronger control supports a weaker one, whereas overlapping controls are two strong controls.
  10. Risk-Based Auditing
    1. Effective risk-based auditing uses risk assessment to develop the audit plan and to minimize audit risk during the execution of an audit.
    2. A risk-based audit methodology efficiently helps an IS auditor determine the nature and extent of testing.
    3. Auditors need to understand the business; based on that understanding, they can identify and categorize the types of risk.
    4. Risk assessment can be a scheme in which risks are given elaborate weights based on the nature of the business.
    5. Audit Risk
      1. Inherent Risk = Risk before controls
      2. Residual Risk = Risk left after implementing controls
      3. Detection Risk = Risk that the auditor is unable to identify (detect) an issue
      4. Control Risk = Risk that a control is ineffective
      5. Audit Risk = Inherent Risk x Control Risk x Detection Risk
    6. When preparing the overall information systems audit plan, a suitable risk assessment approach should be followed.
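As an added worked example (not part of the original notes), the script below applies the weighted risk assessment scheme and the audit risk model above to a constructed list of processes: it derives inherent risk from weighted factors, flags the "high" processes that make up the annual plan, and rearranges the model to show the largest detection risk each engagement may accept at a target audit risk, which is what drives the nature and extent of testing. The factor weights, rating thresholds, target audit risk and sample processes are all assumptions.

```python
from dataclasses import dataclass

# Constructed weighting scheme (assumed, not from the notes) for inherent risk.
WEIGHTS = {"financial_impact": 0.5, "regulatory_exposure": 0.3, "complexity": 0.2}
RATING_BANDS = [(0.7, "high"), (0.4, "medium"), (0.0, "low")]  # assumed thresholds

@dataclass
class Process:
    name: str
    factors: dict        # factor name -> score in 0..1
    control_risk: float  # 0..1; 1.0 means the controls are ineffective

def inherent_risk(p: Process) -> float:
    """Risk before controls: weighted sum of the factor scores."""
    return sum(w * p.factors[f] for f, w in WEIGHTS.items())

def rating(ir: float) -> str:
    """Map an inherent-risk score to the rating used to build the annual plan."""
    return next(label for floor, label in RATING_BANDS if ir >= floor)

def audit_risk(ir: float, cr: float, dr: float) -> float:
    """Audit Risk = Inherent Risk x Control Risk x Detection Risk."""
    return ir * cr * dr

def allowed_detection_risk(ir: float, cr: float, target_ar: float) -> float:
    """The model solved for detection risk: the largest value the auditor can
    accept and still meet the target audit risk (smaller = more testing)."""
    return 1.0 if ir * cr == 0 else min(1.0, target_ar / (ir * cr))

def plan(processes, target_ar=0.05):
    """Risk-based plan: rank by inherent risk, attach the rating and the
    detection risk each engagement may accept; 'high' rows form the annual plan."""
    rows = []
    for p in processes:
        ir = inherent_risk(p)
        rows.append({"name": p.name, "inherent_risk": round(ir, 3), "rating": rating(ir),
                     "control_risk": p.control_risk,
                     "max_detection_risk": round(allowed_detection_risk(ir, p.control_risk, target_ar), 3)})
    return sorted(rows, key=lambda r: r["inherent_risk"], reverse=True)

# Constructed sample processes; scores and control risk are assumptions.
SAMPLE = [
    Process("payroll", {"financial_impact": 0.9, "regulatory_exposure": 0.8, "complexity": 0.6}, 0.5),
    Process("intranet wiki", {"financial_impact": 0.1, "regulatory_exposure": 0.2, "complexity": 0.3}, 0.8),
    Process("customer billing", {"financial_impact": 0.8, "regulatory_exposure": 0.5, "complexity": 0.7}, 0.3),
]

if __name__ == "__main__":
    for row in plan(SAMPLE):
        print(row)
```

With these inputs, payroll is the only "high" process and, having the highest inherent risk and weak controls, gets the smallest acceptable detection risk, i.e. the most extensive testing.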
  11. Effective risk assessment should be an ongoing process in an organization.
  12. Types of Audit
    1. Information systems audit = Evaluates information systems
    2. Compliance audit = Evaluates adherence to a regulatory or industry-specific standard
    3. Financial audit = Accuracy of financial reporting
    4. Operational audit = Internal controls in a given process
    5. Specialized audit = Examines areas such as fraud or services performed by third parties
      1. Third-party service audit
      2. Fraud audit
      3. Forensic audit
    6. Computer forensic audit = Investigation of electronic devices
    7. Functional audit = Verifying configuration items