Certified Information Systems Auditor - Certification Subject Matter

Certification Subject Matter

The CISA certification covers subject matter across a range of information security topics. The CISA examination is based on a set of job practices. Effective June 2011, ISACA identified a new CISA job practice that reflects the vital and evolving responsibilities of IT auditors. Its domains and exam weightings are:

  • Domain 1—The Process of Auditing Information Systems (14%)
  • Domain 2—Governance and Management of IT (14%)
  • Domain 3—Information Systems Acquisition, Development and Implementation (19%)
  • Domain 4—Information Systems Operations, Maintenance and Support (23%)
  • Domain 5—Protection of Information Assets (30%)


  • Domain 1—The Process of Auditing Information Systems (14%)
    • Provide audit services in accordance with IT audit standards to assist the organization in protecting and controlling information systems.
  • Domain 1—Task Statements:
    • 1.1 Develop and implement a risk-based IT audit strategy in compliance with IT audit standards to ensure that key areas are included.
    • 1.2 Plan specific audits to determine whether information systems are protected, controlled and provide value to the organization.
    • 1.3 Conduct audits in accordance with IT audit standards to achieve planned audit objectives.
    • 1.4 Report audit findings and make recommendations to key stakeholders to communicate results and effect change when necessary.
    • 1.5 Conduct follow-ups or prepare status reports to ensure appropriate actions have been taken by management in a timely manner.
  • Domain 1—Knowledge Statements:
    • 1.1 Knowledge of ISACA IT Audit and Assurance Standards, Guidelines and Tools and Techniques, Code of Professional Ethics and other applicable standards
    • 1.2 Knowledge of risk assessment concepts, tools and techniques in an audit context
    • 1.3 Knowledge of control objectives and controls related to information systems
    • 1.4 Knowledge of audit planning and audit project management techniques, including follow-up
    • 1.5 Knowledge of fundamental business processes (e.g., purchasing, payroll, accounts payable, accounts receivable) including relevant IT
    • 1.6 Knowledge of applicable laws and regulations which affect the scope, evidence collection and preservation, and frequency of audits
    • 1.7 Knowledge of evidence collection techniques (e.g., observation, inquiry, inspection, interview, data analysis) used to gather, protect and preserve audit evidence
    • 1.8 Knowledge of different sampling methodologies
    • 1.9 Knowledge of reporting and communication techniques (e.g., facilitation, negotiation, conflict resolution, audit report structure)
    • 1.10 Knowledge of audit quality assurance systems and frameworks
