Contents
Preface
Exam Duration: 4 hours
Maximum Questions: 150, Multiple-Choice
Domains
Information System Auditing Process (21 %)
Governance and Management of IT (17 %)
Information Systems, Acquisition, Development and Implementation (12 %)
Information Systems Operations and Business Resilience (23 %)
Protection of Information Assets (27 %)
Passing Score: 450 on a scale of 200 to 800 points
Domain I : Information System Auditing Process (21 %)
The objective of this domain is to ensure that the CISA candidate has the knowledge necessary to provide audit services in accordance with IS audit standards to assist the organization with protecting and controlling information systems.
This area represents 21 percent of the CISA exam (approximately 32 questions).
TASK AND KNOWLEDGE STATEMENTS
TASKS
There are five tasks within the domain covering the process of auditing information systems:
T1.1 Execute a risk-based IS audit strategy in compliance with IS audit standards to ensure that key risk areas are audited.
T1.2 Plan specific audits to determine whether information systems are protected, controlled and provide value to the organization.
T1.3 Conduct audits in accordance with IS audit standards to achieve planned audit objectives.
T1.4 Communicate audit results and make recommendations to key stakeholders through meetings and audit reports to promote change when necessary.
T1.5 Conduct audit follow-ups to determine whether appropriate actions have been taken by management in a timely manner.
KNOWLEDGE STATEMENTS
The CISA candidate must have a good understanding of each of the topics or areas delineated by the knowledge statements. These statements are the basis for the exam.
There are 11 knowledge statements within the domain covering the process of auditing information systems:
K1.1 Knowledge of ISACA IS Audit and Assurance Standards, Guidelines, and Tools and Techniques, Code of Professional Ethics and other applicable standards
K1.2 Knowledge of risk assessment concepts and tools and techniques in planning, examination, reporting and follow-up
K1.3 Knowledge of fundamental business processes (e.g., purchasing, payroll, accounts payable, accounts receivable) and the role of IS in these processes
K1.4 Knowledge of control principles related to controls in information systems
K1.5 Knowledge of risk-based audit planning and audit project management techniques, including follow-up
K1.6 Knowledge of applicable laws and regulations which affect the scope, evidence collection and preservation and frequency of audits
K1.7 Knowledge of evidence collection techniques (e.g., observation, inquiry, inspection, interview, data analysis, forensic investigation techniques, computer-assisted audit techniques [CAATs]) used to gather, protect and preserve audit evidence
K1.8 Knowledge of different sampling methodologies and other substantive/data analytical procedures
K1.9 Knowledge of reporting and communication techniques (e.g., facilitation, negotiation, conflict resolution, audit report structure, issue writing, management summary, result verification)
K1.10 Knowledge of audit quality assurance (QA) systems and frameworks
K1.11 Knowledge of various types of audits (e.g., internal, external, financial) and methods for assessing and placing reliance on the work of other auditors or control entities
Domain II : Governance and Management of IT (17 %)
The objective of this domain is to ensure that the CISA candidate understands and can provide assurance that the necessary leadership and organizational structures and processes are in place to achieve the organization's objectives and to support the enterprise's strategy.
This domain represents 17 percent of the CISA examination (approximately 26 questions).
TASK AND KNOWLEDGE STATEMENTS
TASKS
There are 10 tasks within the IT governance domain:
T2.1 Evaluate the IT strategy, including the IT direction, and the processes for the strategy's development, approval, implementation and maintenance for alignment with the organization's strategies and objectives.
T2.2 Evaluate the effectiveness of the IT governance structure to determine whether IT decisions, directions and performance support the organization's strategies and objectives.
T2.3 Evaluate IT organizational structure and human resources (personnel) management to determine whether they support the organization's strategies and objectives.
T2.4 Evaluate the organization's IT policies, standards and procedures and the processes for their development, approval, release/publishing, implementation and maintenance to determine whether they support the IT strategy and comply with regulatory and legal requirements.
T2.5 Evaluate IT resource management, including investment, prioritization, allocation and use, for alignment with the organization's strategies and objectives.
T2.6 Evaluate IT portfolio management, including investment, prioritization and allocation, for alignment with the organization's strategies and objectives.
T2.7 Evaluate risk management practices to determine whether the organization's IT-related risks are identified, assessed, monitored, reported and managed.
T2.8 Evaluate IT management and monitoring of controls (e.g., continuous monitoring, quality assurance [QA]) for compliance with the organization's policies, standards and procedures.
T2.9 Evaluate monitoring and reporting of IT key performance indicators (KPIs) to determine whether management receives sufficient and timely information.
T2.10 Evaluate the organization's business continuity plan (BCP), including the alignment of the IT disaster recovery plan (DRP) with the BCP, to determine the organization's ability to continue essential business operations during the period of an IT disruption.
KNOWLEDGE STATEMENTS
The CISA candidate must have a good understanding of each of the topics or areas delineated by the knowledge statements. These statements are the basis for the exam.
There are 17 knowledge statements within the domain covering the governance and management of IT:
K2.1 Knowledge of the purpose of IT strategy, policies, standards and procedures for an organization and the essential elements of each
K2.2 Knowledge of IT governance, management, security and control frameworks and related standards, guidelines and practices
K2.3 Knowledge of organizational structure, roles, and responsibilities related to IT, including segregation of duties (SoD)
K2.4 Knowledge of relevant laws, regulations and industry standards affecting the organization
K2.5 Knowledge of the organization's technology direction and IT architecture and their implications for setting long-term strategic directions
K2.6 Knowledge of the processes for the development, implementation and maintenance of IT strategy, policies, standards and procedures
K2.7 Knowledge of the use of capability and maturity models
K2.8 Knowledge of process optimization techniques
K2.9 Knowledge of IT resource investment and allocation practices, including prioritization criteria (e.g., portfolio management, value management, personnel management)
K2.10 Knowledge of IT supplier selection, contract management, relationship management and performance monitoring processes including third party outsourcing relationships