The Certified Information Systems Auditor certification covers five job practice domains, ranging from Governance and Management of IT to Protection of Information Assets. Performing an audit is, of course, one of an auditor's main tasks, so it's no wonder that the auditing process ranks as the second most highly weighted domain of the CISA exam.
As defined by ISACA, the Information Systems Auditing Process domain is meant to "establish and/or maintain an information security governance framework and supporting processes to ensure that the information security strategy is aligned with organization goals and objectives."
There's a lot more to the audit process than just performing an audit and gathering evidence. Auditors must not only plan the audit and communicate its results clearly, but also follow the Information Technology Assurance Framework (ITAF) and adhere to ISACA's Code of Professional Ethics. Both will guide auditors and ensure a consistent, trustworthy audit methodology is used.
The Information Systems Auditing Process job practice domain covers the ITAF, Code of Professional Ethics, audit management, audit risk and analysis, self-control audits and more.
The following questions, excerpted from Chapter 3 of CISA: Certified Information Systems Auditor Practice Exams written by Peter Gregory and published by McGraw-Hill, will quiz your knowledge of this job practice domain to help you prep for the CISA exam.
For additional questions and answers, download a PDF of Chapter 3, "The Audit Process." For more insights into what you can expect from the exam and pointers for success, check out this Q&A with Gregory.
About the author
Peter H. Gregory, CISM, CISA, CRISC, CISSP, CIPM, CCISO, CCSK, PCI-QSA, is a 30-year career technologist and an executive director at Optiv Security. He has been developing and managing information security management programs since 2002 and has been leading the development and testing of secure IT environments since 1990. In addition, he spent many years as a software engineer and architect, systems engineer, network engineer and security engineer. Throughout his career, he has written many articles, white papers, user manuals, processes and procedures, and has conducted numerous lectures, training classes, seminars and university courses.
Gregory is the author of more than 40 books about information security and technology. He is an advisory board member at the University of Washington's certificate program in information security and risk management and the lead instructor (emeritus) and advisory board member for the University of Washington certificate program in cybersecurity. He is an advisory board member and instructor at the University of South Florida's Cybersecurity for Executives program, a former board member of the Washington State chapter of InfraGard and a founding member of the Pacific CISO Forum. He is a 2008 graduate of the FBI Citizens' Academy and a member of the FBI Citizens' Academy Alumni Association.
Gregory resides with his family in the Seattle area and can be contacted at www.peterhgregory.com.