CISA Review Manual
by ISACA, 2007, 468 pages
3.97
100+ ratings
Key Takeaways

1. IS Auditing: Ensuring Compliance, Security, and Efficiency

During the audit process, an IS auditor reviews the control framework, gathers evidence, evaluates the strengths and weaknesses of internal controls based on the evidence and prepares an audit report that presents weaknesses and recommendations for remediation in an objective manner to stakeholders.

Comprehensive Evaluation. IS auditing is a systematic process that goes beyond simple compliance checks. It involves a thorough examination of information systems to ensure they adhere to standards, regulations, and ethical guidelines. The goal is to verify that systems are not only compliant but also secure, efficient, and effective in achieving organizational objectives.

Three Major Phases. The audit process typically consists of three major phases: planning, fieldwork/documentation, and reporting/follow-up. Planning involves defining the scope and objectives of the audit. Fieldwork includes gathering evidence and evaluating controls. Reporting involves communicating findings and recommendations to stakeholders.

ISACA's Role. ISACA provides standards, guidelines, and codes of ethics that guide IS auditors in their professional conduct. These standards define the minimum level of acceptable performance and help ensure the credibility of the audit process. Adherence to these standards is crucial for maintaining the integrity and reliability of IS audit activities.

2. IT Governance: Aligning IT with Business Strategy

Effective governance and management of IT consist of the leadership and organizational structures and processes that ensure that the enterprise’s IT sustains and extends the enterprise’s strategy and objectives.

Strategic Alignment. IT governance is not merely about managing IT resources; it's about ensuring that IT investments and activities are aligned with the overall business strategy. This alignment involves setting objectives, measuring performance, and adapting to changes in the business environment. Effective IT governance ensures that IT delivers value to the business and manages IT-related risk.

Key Components. Key components of IT governance include:

  • IT resource management
  • Performance measurement
  • Compliance management

Board and Management Oversight. The board of directors and senior management are accountable for IT governance. They are responsible for establishing a comprehensive security control process, overseeing outsourcing relationships and, in the manual's e-banking example, ensuring the confidentiality of key bank information. Effective risk management controls for e-banking therefore include board and management oversight, security controls, and legal and reputational risk management.

3. System Development: Managing Acquisition and Implementation

The CISA candidate should have a sound understanding of the information systems (hardware and software) acquisition, development and implementation process.

Structured Approach. System development requires a structured approach to ensure that projects are completed on time, within budget, and meet user requirements. This involves following a defined system development life cycle (SDLC) that includes phases such as feasibility study, requirements definition, design, development, testing, implementation, and post-implementation review.

Key Considerations. Key considerations in system development include:

  • Project governance and management
  • Business case and feasibility analysis
  • Control identification and design
  • Testing methodologies
  • Configuration and release management
  • System migration and data conversion
  • Post-implementation review

IS Auditor's Role. The IS auditor plays a crucial role in ensuring that controls are designed and implemented effectively throughout the SDLC. This involves reviewing documentation, attending project team meetings, and providing advice on control implementation. The IS auditor also performs tests to verify the effectiveness of controls and reports findings to management.

4. Operations and Resilience: Maintaining Business Continuity

The purpose of business continuity/disaster recovery is to enable a business to continue offering critical services in the event of a disruption and to survive a disastrous interruption to activities.

Ensuring Availability. Maintaining business operations requires a focus on both information systems operations and business resilience. This involves implementing controls to ensure the availability, integrity, and confidentiality of IT services. It also requires developing plans to address potential disruptions and ensure business continuity.

Key Elements. Key elements of business resilience include:

  • Business impact analysis (BIA)
  • System resiliency
  • Data backup, storage, and restoration
  • Business continuity plan (BCP)
  • Disaster recovery plan (DRP)

IS Auditor's Role. The IS auditor plays a critical role in evaluating the organization's ability to continue business operations in the event of a disruption. This involves reviewing BCPs and DRPs, evaluating offsite storage facilities, and verifying the effectiveness of recovery strategies. The IS auditor also assesses the organization's ability to restore IT systems and data after a disaster.

5. Protecting Information Assets: Security Frameworks and Controls

Protecting information assets rests on information asset security frameworks, standards and guidelines.

Comprehensive Security. Protecting information assets requires a comprehensive approach that encompasses security frameworks, standards, guidelines, and controls. This involves implementing managerial, technical, and physical controls to safeguard information assets. It also involves establishing policies and procedures for data classification, access management, and incident response.

Key Elements. Key elements of information asset security include:

  • Information asset security frameworks
  • Physical access and environmental controls
  • Identity and access management
  • Network and endpoint security
  • Data classification
  • Data encryption

IS Auditor's Role. The IS auditor plays a crucial role in evaluating the effectiveness of security controls and ensuring that information assets are adequately protected. This involves reviewing policies, procedures, and standards, as well as performing technical security testing to identify potential vulnerabilities. The IS auditor also assesses the organization's compliance with regulatory requirements and industry standards.

6. Risk Management: Identifying and Mitigating Threats

Risk is defined as the combination of the probability of an event and its consequence.

Proactive Approach. Effective risk management is a proactive process that involves identifying, assessing, and mitigating threats to information assets. This requires an understanding of the organization's risk appetite and the potential impact of various threats. Risk management is an ongoing process that should be integrated into all aspects of IT operations.

Key Steps. Key steps in the risk management process include:

  • Asset identification
  • Threat and vulnerability assessment
  • Impact evaluation
  • Risk calculation
  • Risk response
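
The "risk calculation" and "risk response" steps are easiest to see on a small risk register. The following is an added example, not code from the CISA Review Manual or from ISACA; it assumes the standard quantitative model in which single loss expectancy (SLE) is asset value times exposure factor and annualised loss expectancy (ALE) is SLE times the annual rate of occurrence (ARO), so that ALE is exactly the manual's "combination of the probability of an event and its consequence". The assets, values, threats, control costs and the risk appetite figure are constructed sample data; the names `Risk`, `Control`, `evaluate` and `risk_response` are this example's own.

```python
"""Quantitative risk calculation and risk response over a constructed risk register.

Added example (not from the CISA Review Manual). Assumes SLE = asset value x
exposure factor and ALE = SLE x ARO; all figures below are constructed.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    asset_value: float      # monetary value of the asset (constructed)
    exposure_factor: float  # fraction of the asset value lost per event, 0..1
    aro: float              # expected number of events per year


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float      # yearly cost of operating the control
    aro_after: float        # ARO once the control is in place
    exposure_after: float   # exposure factor once the control is in place


def sle(r: Risk) -> float:
    """Single loss expectancy: the consequence of one occurrence."""
    return r.asset_value * r.exposure_factor


def ale(r: Risk) -> float:
    """Annualised loss expectancy: probability (ARO) combined with consequence (SLE)."""
    return sle(r) * r.aro


def residual_ale(r: Risk, c: Control) -> float:
    """ALE that remains after the control changes likelihood and/or exposure."""
    return r.asset_value * c.exposure_after * c.aro_after


def control_value(r: Risk, c: Control) -> float:
    """Net annual benefit of a control: ALE reduction minus its own cost.
    A positive value means the control is cost-justified."""
    return ale(r) - residual_ale(r, c) - c.annual_cost


def risk_response(r: Risk, c: Optional[Control], risk_appetite: float) -> str:
    """Accept if the ALE is within appetite; mitigate if a cost-justified control
    exists; otherwise the risk must be transferred (e.g. insured) or avoided."""
    if ale(r) <= risk_appetite:
        return "accept"
    if c is not None and control_value(r, c) > 0:
        return "mitigate"
    return "transfer/avoid"


def evaluate(register, controls, risk_appetite):
    """Rank the register by ALE (highest first) and decide a response for each entry."""
    rows = []
    for r in register:
        c = controls.get((r.asset, r.threat))
        rows.append((r.asset, r.threat, round(ale(r), 2), risk_response(r, c, risk_appetite)))
    return sorted(rows, key=lambda row: row[2], reverse=True)


# Constructed sample register: assets, threats and candidate controls.
REGISTER = [
    Risk("customer database", "ransomware", 2_000_000, 0.5, 0.2),
    Risk("public web server", "defacement", 100_000, 0.2, 1.0),
    Risk("primary data centre", "flood", 5_000_000, 0.8, 0.02),
]
CONTROLS = {
    ("customer database", "ransomware"): Control("offline backups + EDR", 60_000, 0.2, 0.1),
    ("primary data centre", "flood"): Control("flood barriers", 90_000, 0.01, 0.8),
}
RISK_APPETITE = 50_000  # constructed: maximum ALE management accepts without action


if __name__ == "__main__":
    for asset, threat, annual_loss, response in evaluate(REGISTER, CONTROLS, RISK_APPETITE):
        print(f"{asset:22} {threat:12} ALE={annual_loss:>12,.2f}  -> {response}")
```

Two things the table shows that the bullet list does not: the flood scenario has a large SLE but, because of its low ARO, a smaller ALE than ransomware, so it ranks second; and the flood barrier control reduces ALE by less than it costs, so the sound response is to transfer the residual risk rather than to buy a control that does not pay for itself. An IS auditor reviewing a risk assessment would check exactly these figures: that likelihood and impact were both used, that control costs were compared against ALE reduction, and that the chosen response is consistent with the stated risk appetite.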

IS Auditor's Role. The IS auditor plays a critical role in evaluating the organization's risk management policies and practices. This involves reviewing risk assessments, evaluating the effectiveness of controls, and providing recommendations for improving the risk management process. The IS auditor also assesses the organization's compliance with regulatory requirements and industry standards.

7. Data Governance: Ensuring Quality and Integrity

Data governance ensures that stakeholder needs, conditions and options are evaluated to determine balanced, mutually agreed enterprise objectives to be achieved through the acquisition and management of data/information resources.

Data as an Asset. Data governance is about treating data as a valuable asset and managing it accordingly. This involves establishing policies, procedures, and controls to ensure the quality, integrity, and availability of data. Effective data governance ensures that users have access to reliable and trustworthy data for decision-making.

Key Aspects. Key aspects of data governance include:

  • Data quality
  • Data life cycle management
  • Metadata management
  • Data security and privacy

IS Auditor's Role. The IS auditor plays a crucial role in evaluating data governance policies and practices. This involves reviewing data quality metrics, assessing data security controls, and verifying compliance with regulatory requirements. The IS auditor also assesses the organization's ability to manage data throughout its life cycle.

8. Incident Response: Managing and Recovering from Security Events

To minimize damage from security incidents and to recover and to learn from such incidents, a formal incident response capability should be established.

Preparedness is Key. Security incidents are inevitable, and organizations must be prepared to respond effectively. This involves establishing a formal incident response capability that includes policies, procedures, and trained personnel. Incident response management focuses on minimizing damage, restoring services, and learning from incidents to prevent future occurrences.

Key Phases. Key phases in incident response management include:

  • Detection
  • Analysis
  • Containment
  • Eradication
  • Recovery
  • Post-incident activity

IS Auditor's Role. The IS auditor plays a crucial role in evaluating the organization's incident response management policies and practices. This involves reviewing incident response plans, assessing the effectiveness of security monitoring tools, and verifying the organization's ability to recover from security incidents. The IS auditor also assesses the organization's compliance with regulatory requirements and industry standards.

Review Summary

3.97 out of 5
Average of 100+ ratings from Goodreads and Amazon.

The CISA Review Manual receives mixed reviews. While some find it essential for exam preparation, others criticize its dry, boring content. Readers appreciate its comprehensiveness but struggle with the dense material. Several reviewers passed the CISA exam using this book, even without prior IT experience. Some suggest pairing it with review questions for better understanding. The manual covers various cyberattacks and security concepts. Despite its challenges, many consider it the most reliable resource for CISA exam preparation, though they wish for more engaging presentation with examples and visuals.

About the Author

The Information Systems Audit and Control Association (ISACA) is a global professional association focused on IT governance. Founded in 1969, ISACA develops international standards, frameworks, and guidance for information systems. They offer various certifications, including CISA (Certified Information Systems Auditor), CISM (Certified Information Security Manager), and CGEIT (Certified in the Governance of Enterprise IT). ISACA provides educational resources, research, and networking opportunities for its members. The association is known for its comprehensive publications, such as the CISA Review Manual, which serves as the primary study material for the CISA certification exam. ISACA's work significantly influences IT audit, control, security, and governance practices worldwide.
