mohamed ismail
CISA – Domain 1 – The Process of Auditing Information Systems
1. Memorize S1, S2, S4, S9, and S10. Standards S12 through S16 are recent additions to
CISA, and you should have a close, intimate acquaintance with S12, S13 and S14.
2. Memorize G5, G10, G18, and G19. Guidelines G41 and G42 are recent additions to
CISA, and ROSI is receiving a lot of press, so be familiar with the concept of Return
on Security Investment and how to calculate it. For example, let’s say you spend
$500,000 on anti-virus software for your enterprise and your boss wants justification
for why he/she should continue to spend that kind of money when there haven’t been
any virus infections in the last year. You respond with, “You’re absolutely right,
there haven’t been any virus infections in the last year. However, two years ago when
we did have a virus infection, it cost the company $15,000 in additional overtime to
clean up after it. Our incident response team says we’re blocking about 500 to 700
viruses a day, so if we say just 1 virus a day gets through over the course of a year and
multiply that by the $15,000 cost to recover from each one, it comes out to about
$5.4 million in overtime savings alone.” I think your boss will be impressed with your ROSI.
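As an added worked example (not part of the original notes), here is the calculation behind that answer using the notes' figures. It assumes the commonly used form ROSI = (annual loss avoided − annual control cost) / annual control cost; the 365-day annualization and the break-even helper are additions made here.

```python
"""Worked ROSI calculation for the anti-virus example in the notes above."""
from dataclasses import dataclass


@dataclass(frozen=True)
class RosiResult:
    annual_incidents_avoided: float
    annual_loss_avoided: float   # dollars
    net_benefit: float           # dollars, loss avoided minus control cost
    rosi_percent: float          # (loss avoided - cost) / cost * 100


def rosi(control_cost: float, cost_per_incident: float,
         incidents_avoided_per_day: float, days: int = 365) -> RosiResult:
    """Annualize the incidents the control prevents and compute ROSI.

    ROSI = (annual loss avoided - annual control cost) / annual control cost
    """
    if control_cost <= 0:
        raise ValueError("control cost must be positive")
    incidents = incidents_avoided_per_day * days
    loss_avoided = incidents * cost_per_incident
    net = loss_avoided - control_cost
    return RosiResult(incidents, loss_avoided, net, net / control_cost * 100)


# Figures from the notes: $500,000 anti-virus spend, $15,000 cleanup cost per
# infection, and the deliberately conservative assumption that just 1 of the
# 500-700 blocked viruses per day would otherwise have got through.
CONTROL_COST = 500_000
COST_PER_INCIDENT = 15_000


def notes_example() -> RosiResult:
    """The boss conversation from the notes, worked through with a 365-day year."""
    return rosi(CONTROL_COST, COST_PER_INCIDENT, incidents_avoided_per_day=1)


def break_even_incidents_per_year(control_cost: float, cost_per_incident: float) -> float:
    """Incidents per year the control must prevent to pay for itself (ROSI = 0)."""
    return control_cost / cost_per_incident


if __name__ == "__main__":
    r = notes_example()
    print(f"Annual loss avoided: ${r.annual_loss_avoided:,.0f}")
    print(f"Net benefit:         ${r.net_benefit:,.0f}")
    print(f"ROSI:                {r.rosi_percent:.0f}%")
    be = break_even_incidents_per_year(CONTROL_COST, COST_PER_INCIDENT)
    print(f"Break-even:          {be:.1f} prevented infections per year")
```

The break-even figure is the number an auditor can sanity-check against incident records: the control only needs to stop about 34 infections a year to cover its cost, so the "1 a day" assumption leaves a very large margin.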
3) Risk Analysis
4) Internal Controls
5) Performing an IS Audit
1. Know the definitions of Auditing and IS Auditing; they’re different.
2. Know the different types of audits; read closely about integrated audits and forensic audits.
3. Know the different phases of an audit; in other words, memorize them.
4. Understand the concept of risk based auditing including inherent, control, and
detection risks.
5. Be able to give examples of both compliance testing and substantive testing
6. Sampling is a section in the Review Manual that you just have to memorize. That’s it:
memorize it.
6) Control Self-Assessment
1. Integrated auditing means you work with the financial auditor on an audit that is
based on RISK.
2. Understand the difference between continuous monitoring and continuous auditing
The first domain is the basis for understanding the whole Certified Information Systems
Auditor body of knowledge; without a grasp of these fundamentals you cannot be successful in
the other domains.