2.1 Information System Auditing Process Overview

Key Takeaways

  • Domain 1 (Information Systems Auditing Process) is roughly 18% of the current CISA exam and is split into Planning (Part A) and Execution (Part B).
  • The Information Technology Assurance Framework (ITAF) is ISACA's mandatory framework for IS audit and assurance, containing the Code of Professional Ethics, Standards (mandatory), and Guidelines (recommended).
  • ISACA Standards use 'shall' and are mandatory; Guidelines use 'should' and provide guidance but allow professional judgment when departing from them.
  • Risk-based audit planning directs scarce audit resources toward the highest-risk areas of the IS audit universe rather than auditing everything equally.
  • The CISA exam rewards the BEST, most risk-based, governance-aligned answer — not merely a technically true statement.
Last updated: June 2026

What Domain 1 Covers

The Information Systems Auditing Process is the first CISA domain and the procedural and ethical backbone of everything an IS auditor does. ISACA weights it at approximately 18% of the 150-question exam (older review manuals cite ~21%, but the current job-practice blueprint, updated August 2024, lists 18%). The domain is divided into two parts:

  • Part A — Planning: IS audit standards, guidelines, and codes of ethics; types of audits, assessments, and reviews; risk-based audit planning; and types of controls and considerations.
  • Part B — Execution: audit project management; audit testing and sampling methodology; audit evidence collection techniques; audit data analytics; reporting and communication techniques; and quality assurance and improvement of the audit process.

The central CISA mindset is risk-based: an auditor does not check everything equally. Audit resources are finite, so they are aimed at where failure would hurt the organization most. Whenever an exam item offers a "do more testing" option and a "focus on the highest-risk area" option, the risk-based, governance-aligned choice is usually correct.

ITAF, Standards, Guidelines, and Ethics

ISACA's Information Technology Assurance Framework (ITAF) is the authoritative model that drives consistency across IS audits worldwide. ITAF contains three tiers:

| ITAF component | Force | Language | Role |
|---|---|---|---|
| Code of Professional Ethics | Mandatory | | Defines integrity, objectivity, due care, confidentiality |
| IS Audit and Assurance Standards | Mandatory | "shall" | The minimum level of performance auditors must meet |
| IS Audit and Assurance Guidelines | Recommended | "should" | Help apply the Standards; departures are allowed but must be justified |

Standards are organized into General (1000-series, e.g., independence, professional ethics, due care), Performance (1200-series, e.g., planning, evidence, supervision), and Reporting (1400-series). A key exam distinction: Standards are not optional, while Guidelines and Tools/Techniques are. If a CISA item asks what an auditor must follow, the answer points to Standards and the Code of Ethics — not Guidelines.

The Code of Professional Ethics demands that auditors maintain independence in attitude and appearance, perform duties with due professional care, support enforcement of standards, and keep information confidential unless legally required to disclose it. An auditor who previously designed the system being reviewed has an independence impairment — a recurring trap answer.

The IS Audit Universe and the Audit Lifecycle

The IS audit universe is the complete inventory of auditable entities — applications, infrastructure, processes, third parties, and projects — each scored for risk. From this universe, leadership builds an annual audit plan, approved by the audit committee of the board, that allocates engagements by risk.
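The risk-scoring and allocation step described above is easy to state and easy to get wrong in practice, so here is an added worked example (not from ISACA, ITAF, or any review manual) showing one way an audit function might rank its universe and fit engagements into a fixed hour budget. The scoring formula (impact times likelihood, weighted upward for entities that have gone unaudited) and the greedy allocation are illustrative assumptions; the entities and numbers are constructed sample data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class AuditableEntity:
    """One entry in the IS audit universe (constructed example)."""
    name: str
    impact: int             # 1-5: business harm if the entity's controls fail
    likelihood: int         # 1-5: probability of a material control failure
    years_since_audit: int  # staleness of existing assurance
    hours: int              # estimated engagement effort

def risk_score(entity: AuditableEntity) -> float:
    """Inherent risk (impact x likelihood), weighted up by 25% per year
    since the last audit, capped at four years. Assumed formula."""
    staleness = 1 + 0.25 * min(entity.years_since_audit, 4)
    return entity.impact * entity.likelihood * staleness

def rank_universe(universe: list[AuditableEntity]) -> list[AuditableEntity]:
    """Highest risk first; name breaks ties so the plan is reproducible."""
    return sorted(universe, key=lambda e: (-risk_score(e), e.name))

def build_annual_plan(universe: list[AuditableEntity], budget_hours: int):
    """Greedy allocation: walk the ranked universe and take every engagement
    that still fits the remaining budget. Returns (planned names, deferred
    names, unused hours). Deferred entities are the coverage gap that should
    be reported to the audit committee alongside the plan."""
    planned, deferred, remaining = [], [], budget_hours
    for entity in rank_universe(universe):
        if entity.hours <= remaining:
            planned.append(entity.name)
            remaining -= entity.hours
        else:
            deferred.append(entity.name)
    return planned, deferred, remaining

# Constructed sample audit universe.
UNIVERSE = [
    AuditableEntity("Payroll application", impact=5, likelihood=3, years_since_audit=2, hours=120),
    AuditableEntity("Core banking DB", impact=5, likelihood=4, years_since_audit=1, hours=160),
    AuditableEntity("Intranet wiki", impact=1, likelihood=2, years_since_audit=4, hours=40),
    AuditableEntity("Cloud IAM", impact=5, likelihood=4, years_since_audit=3, hours=100),
    AuditableEntity("Third-party payroll processor", impact=4, likelihood=3, years_since_audit=0, hours=80),
    AuditableEntity("Dev test lab", impact=2, likelihood=3, years_since_audit=1, hours=60),
]

if __name__ == "__main__":
    for e in rank_universe(UNIVERSE):
        print(f"{risk_score(e):5.1f}  {e.name}")
    planned, deferred, left = build_annual_plan(UNIVERSE, budget_hours=400)
    print("Planned:", planned)
    print("Deferred (coverage gap):", deferred)
    print("Unallocated hours:", left)
```

With a 400-hour budget the three highest-risk entities consume 380 hours and the remaining 20 hours fit nothing, so three lower-risk entities are deferred. That deferred list is the point of the exercise: a risk-based plan is defensible only if the audit committee sees what was consciously left out and why.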

Every individual engagement follows a repeatable lifecycle:

  1. Planning — define objective, scope, risk, criteria, and resources.
  2. Fieldwork / execution — gather evidence, test controls, document findings.
  3. Reporting — communicate findings, risk, and recommendations.
  4. Follow-up — verify that management remediated agreed findings.

A CISA auditor is fundamentally an independent, objective provider of assurance. They evaluate and report; they do not own, operate, or fix the controls — doing so would impair independence. This separation between assurance (audit) and operation (management) is tested repeatedly and underlies most "best answer" reasoning in Domain 1.

Types of Audits, Assessments, and Reviews

Domain 1 expects you to recognize the engagement types an IS auditor may perform, because the type drives the objective, evidence, and reporting:

  • Compliance audit — tests adherence to laws, regulations, or contractual obligations (for example, PCI DSS, SOX, or GDPR requirements).
  • Financial audit — assesses the accuracy and reliability of financial reporting and the IT controls supporting it.
  • Operational audit — evaluates the efficiency and effectiveness of operations and internal controls.
  • Integrated audit — combines IS (IT) and business or financial audit work into one engagement, linking IT general controls to the business processes that rely on them.
  • Administrative audit — reviews operational productivity and resource efficiency.
  • Specialized reviews — forensic audits (gathering legally admissible evidence), third-party and service-organization reviews (such as SOC reports), and pre- or post-implementation reviews of development projects.

A recurring exam point: an integrated audit tends to provide the most comprehensive assurance because it connects IT controls to the business outcomes that depend on them rather than auditing IT in isolation. The engagement type also tells you who the stakeholders are and whether the engagement offers reasonable or limited assurance. The objective and scope are always agreed before fieldwork begins; an engagement without a clearly defined objective cannot deliver meaningful assurance, which is itself a frequent distractor in scenario questions.

Knowing the engagement type also shapes how you weigh evidence and how independent the function must be. An external compliance attestation, for instance, carries a higher independence bar than an internal operational review commissioned by management, and a forensic engagement demands a chain of custody that an ordinary operational audit does not. The CISA exam expects you to match the engagement type to its objective, its required assurance level, and the rigor of evidence it demands before any procedure is selected.

In short, the engagement type is not a label you attach after the fact; it is a planning decision that determines the objective, the stakeholders, the assurance level, and the evidence standard for the entire audit, and it must be settled and agreed with the audit sponsor at the very start of planning.

Test Your Knowledge

  1. Within ISACA's ITAF, what is the difference between IS Audit Standards and IS Audit Guidelines?
  2. An IS auditor is assigned to audit a financial application that the same auditor personally designed two years earlier. What is the auditor's primary concern?
  3. Why does CISA emphasize a risk-based approach to building the annual audit plan?