
CISA Cheat Sheet

Quick reference for the ISACA Certified Information Systems Auditor exam.

IS Audit Foundations (Domain 1 — 18%)

Auditor Mindset Rule
CISA tests what an IS AUDITOR would recommend — evaluate, assess, and report — not what an IT administrator would implement, configure, or manage.
Risk-Based Audit Planning
Audit engagements must be prioritized based on risk level, directing resources toward highest-risk areas — not by arbitrary rotation schedules or management convenience.
Audit Charter Approval
The audit charter must be approved by the AUDIT COMMITTEE or BOARD, not by IT management — IT director approval is an independence violation because it subordinates audit to the area being audited.
ISACA ITAF (IT Audit Framework)
ISACA's professional standards framework with three levels: mandatory standards, recommended guidelines, and supportive tools and techniques. ITAF defines the authoritative basis for IS audit engagements.
Evidence Reliability Ranking
Most to least reliable: auditor re-performance > auditor direct observation > third-party documentation > auditee-generated documentation > inquiry (asking staff) alone — inquiry is the weakest evidence.
Statistical vs Judgmental Sampling
Statistical sampling results CAN be projected to the entire population with measurable confidence levels; judgmental (non-statistical) sampling CANNOT be projected — this is a frequent exam distinction.
Audit Finding Components
Every audit finding must include: condition (what was found), criteria (what should be), cause (why it happened), effect (what impact), and recommendation (how to fix it).
Materiality
Determines significance of audit findings — a finding is material if it could influence decisions of report users; immaterial findings may be communicated informally but not in the formal audit report.

Audit Techniques & Evidence

CAATs (Computer-Assisted Audit Techniques)
Software tools for performing audit procedures on large data populations including data extraction, analysis, recalculation, and sampling — most effective when testing populations too large for manual review.
Generalized Audit Software (GAS)
Purpose-built audit software (ACL, IDEA) that extracts and analyzes data from various systems — the most common CAAT for recalculating transactions, testing completeness, and sampling large populations.
Integrated Test Facility (ITF)
Processes test transactions alongside live production data without operators knowing — tests controls under real conditions but carries risk of contaminating production data with fictitious records.
Parallel Simulation
Auditor independently re-creates the application's logic and runs actual production data through it, comparing results to the live system output — provides strong evidence of processing accuracy.
Compliance Testing
Tests whether controls are being FOLLOWED per established policies and procedures — checks adherence. If controls are not followed, it is a compliance failure regardless of whether data is accurate.
Substantive Testing
Tests whether DATA and TRANSACTIONS are accurate and complete — checks correctness. Recalculation and reconciliation are substantive tests; used when auditor cannot rely on controls.
Control Self-Assessment (CSA)
Management or process owners assess their own controls, often facilitated by auditors — provides management engagement but does not replace independent audit procedures due to objectivity limitations.

IT Governance & Management (Domain 2 — 18%)

Governance vs Management
Governance EVALUATES, DIRECTS, and MONITORS (board/senior management level). Management PLANS, BUILDS, RUNS, and MONITORS within the governance framework (IT leadership level). Exam frequently tests which level acts in a given scenario.
COBIT Governance Domains (EDM)
Governance activities: Evaluate, Direct, and Monitor (EDM) — performed by the board. Management activities: APO (Align, Plan, Organize), BAI (Build, Acquire, Implement), DSS (Deliver, Service, Support), MEA (Monitor, Evaluate, Assess).
CIO Reporting Structure
CIO reporting to the CFO is a governance WEAKNESS — it subordinates IT strategy to financial management rather than treating IT as a strategic business enabler; CIO should report to the CEO or board.
IT Steering Committee
Cross-functional governance body providing strategic guidance and oversight for IT initiatives — provides direction and oversight but does NOT make day-to-day operational IT decisions (that is management's role).
IT Strategy Alignment
The IT strategic plan must align with and be driven by BUSINESS objectives, not technology trends — the exam always selects the answer that aligns IT decisions with business value.
Policy vs Standard vs Procedure
Policies state WHAT (mandatory high-level direction, senior management approved). Standards define HOW MUCH (specific requirements). Procedures detail HOW (step-by-step instructions). All three must exist and be followed.
IT Balanced Scorecard
Performance management tool measuring IT value across four perspectives: financial, customer, internal process, and learning and growth — provides board-level view of IT delivering business value.

Systems Development & Change Management (Domain 3 — 12%)

Auditor SDLC Involvement
IS auditors should be involved from the FEASIBILITY phase onward — not just at testing or go-live. Early involvement is far cheaper for identifying control gaps than discovering them post-implementation.
SDLC Implementation Approaches by Risk
Safest to riskiest: Parallel running (old + new simultaneously) > Phased rollout > Pilot (one group) > Direct cutover (big bang). Parallel running is safest but most expensive; direct cutover is fastest but highest risk.
User Acceptance Testing (UAT)
UAT must be performed by BUSINESS USERS, not IT staff or developers — validates that the system meets business requirements from the user perspective. Developer-performed UAT is an audit finding.
Segregation of Duties in Development
Developers must NOT have access to production environments — this is a critical segregation of duties violation that enables unauthorized changes. Testing must occur in separate test environments with test data.
Emergency Change Controls
Emergency changes bypass normal approvals during the change but MUST still be fully documented and receive after-the-fact approval — lack of post-emergency documentation is always an audit finding.
Application Controls Categories
Input controls (validation checks, limit checks, sequence checks) + Processing controls (run-to-run totals, control totals) + Output controls (reconciliation, distribution lists, report logging) — different from general IT controls.
Post-Implementation Review
Conducted after system go-live to verify the system meets original business requirements and delivers expected benefits — closing the audit loop on the SDLC cycle.

BCP, DRP & Recovery Metrics (Domain 4 — 26%)

BIA → BCP → DRP Sequence
Business Impact Analysis must be completed FIRST before developing BCP or DRP — BIA identifies what is critical and how fast it must recover. BCP covers the full business; DRP is the IT/technology subset of BCP.
RTO (Recovery Time Objective)
Maximum acceptable time to restore a system or process after disruption — drives recovery strategy selection (hot site vs warm site vs cold site). A short RTO requires a hot site or active-active configuration.
RPO (Recovery Point Objective)
Maximum acceptable data loss measured in time — drives backup frequency. A short RPO (near-zero) requires real-time data replication; a daily RPO allows nightly full backups.
MTD (Maximum Tolerable Downtime)
Maximum time before the disruption causes irreversible business harm — MTD must ALWAYS be GREATER THAN OR EQUAL TO RTO. If MTD is 4 hours, then RTO must not exceed 4 hours.
Recovery Site Types
Mirror (real-time replication, immediate failover) > Hot site (fully equipped, hours to recover) > Warm site (partially equipped, days) > Cold site (empty facility, weeks). Cost increases with shorter RTO.
Backup Strategy Trade-offs
Incremental backups are faster to CREATE but slower to RESTORE (need last full + all incrementals). Differential backups are slower to CREATE but faster to RESTORE (need last full + last differential only).
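The create/restore trade-off above becomes concrete when you model a backup chain. The following Python is an added example, not part of the original cheat sheet; it assumes a constructed one-week schedule (one full backup on Sunday, then one incremental or differential per day) and constructed daily change volumes, and works out both which backup sets a restore needs and how large each set is.

```python
from dataclasses import dataclass
from typing import List

DAYS = ["Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat"]


@dataclass(frozen=True)
class Backup:
    day: str
    kind: str  # "full", "incremental" or "differential"


def make_schedule(kind: str) -> List[Backup]:
    """Constructed schedule: a full backup on Sunday, then one `kind` backup per day."""
    return [Backup("Sun", "full")] + [Backup(d, kind) for d in DAYS[1:]]


def restore_set(schedule: List[Backup], restore_day: str) -> List[Backup]:
    """Return, in restore order, the backup sets needed to rebuild the state as of restore_day.

    Incremental: last full + every incremental taken since it.
    Differential: last full + only the most recent differential.
    """
    idx = next(i for i, b in enumerate(schedule) if b.day == restore_day)
    history = schedule[: idx + 1]
    last_full = max(i for i, b in enumerate(history) if b.kind == "full")
    needed = [history[last_full]]
    since_full = history[last_full + 1:]
    if not since_full:
        return needed
    if since_full[-1].kind == "incremental":
        needed.extend(since_full)           # the whole chain is required
    else:
        needed.append(since_full[-1])       # one differential covers everything since the full
    return needed


def backup_sizes(kind: str, full_size: int, daily_changes: List[int]) -> List[int]:
    """Size of each backup set given the data changed each day (constructed units).

    An incremental captures only that day's changes; a differential captures all
    changes since the last full, so it grows every day (slower to create).
    """
    sizes = [full_size]
    cumulative = 0
    for change in daily_changes:
        cumulative += change
        sizes.append(change if kind == "incremental" else cumulative)
    return sizes


if __name__ == "__main__":
    for kind in ("incremental", "differential"):
        sched = make_schedule(kind)
        pieces = [b.day for b in restore_set(sched, "Sat")]
        print(f"{kind:12s} restore on Sat needs {len(pieces)} sets: {pieces}")
        print(f"{kind:12s} set sizes over the week: {backup_sizes(kind, 100, [5] * 6)}")
```

The Saturday restore needs seven sets for the incremental schedule and two for the differential one, which is the restore-time difference the cheat sheet describes; the size list shows the mirror-image cost at creation time.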
BCP/DRP Test Types by Rigor
Least to most rigorous: Checklist/walkthrough → Tabletop (discussion) → Simulation (roleplay) → Parallel test (recovery site + primary running) → Full interruption (actual failover, highest risk).
Problem vs Incident Management
Incident management restores service as quickly as possible. Problem management identifies and eliminates ROOT CAUSES of recurring incidents — they are related but separate ITIL processes.

IS Operations & Infrastructure (Domain 4 — continued)

Operator vs Programmer Segregation
Operators who run production jobs must be separated from programmers who write the code — merging these roles allows unauthorized code modifications to reach production without detection.
Capacity Planning
Proactive process forecasting future resource needs (CPU, storage, network) to ensure performance SLAs are met — auditors assess whether capacity planning is forward-looking and aligned with business growth plans.
SLA Assessment
Auditors evaluate whether IT service level agreements are being consistently met, whether SLAs reflect actual business requirements, and whether remedies for SLA breaches are contractually defined and enforced.
Off-Site Backup Storage
Backups must be stored off-site to support disaster recovery — on-site-only backups would be destroyed in a site-level disaster (fire, flood). Off-site storage is a mandatory DR control.
Data Center Environmental Controls
HVAC (temperature and humidity), UPS (uninterruptible power supply for short outages), generators (extended power outages), fire suppression, and water/leak detection — auditors verify all are tested regularly.
Gas-Based Fire Suppression
Data centers must use gas-based suppression systems (FM-200, Inergen) not water-based sprinklers — water damages electronic equipment and can cause more harm than the fire itself.
Physical Security Layered Defense
Defense-in-depth for physical access: perimeter security (fencing, CCTV) → building access (guards, badge readers) → floor/area access (biometrics) → server room (mantrap, dual-factor) → rack (locks). Each layer provides independent protection.

Access Controls & Identity Management (Domain 5 — 26%)

Access Control Models
DAC (Discretionary) — owner-controlled access. MAC (Mandatory) — system-enforced labels and clearances, most restrictive. RBAC (Role-Based) — role-assigned permissions, most scalable for enterprises and ISACA's preferred model.
Least Privilege Principle
Users must be granted only the minimum access necessary to perform their job functions — excessive access rights are one of the most common and impactful audit findings.
Separation of Duties
No single person should control an entire transaction from initiation to completion — a single person who can initiate, approve, AND post transactions is always the primary audit concern in financial system scenarios.
Authentication Factors
Something you KNOW (password), something you HAVE (token/smart card), something you ARE (biometrics). Multi-factor authentication (MFA) requires at least two DIFFERENT factor types — two passwords is NOT MFA.
Access Review (Recertification)
Periodic management review of user access rights to identify excessive permissions, terminated users with active accounts, and role changes that were not reflected in access updates — must be done regularly.
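The separation-of-duties and access-review entries above describe checks an auditor typically runs with a CAAT over an HR roster and an application's account export. The following Python is an added example, not part of the original cheat sheet; the roster, role-to-entitlement map, account export, and the conflicting-entitlement rule are all constructed, and the record shapes are assumptions. It flags orphan accounts, terminated users still enabled, entitlements beyond the user's role, and initiate/approve conflicts.

```python
from typing import Dict, List, Set, Tuple

# Constructed HR roster: who is employed and in which job role.
HR_ROSTER: Dict[str, dict] = {
    "alice": {"status": "active", "role": "ap_clerk"},
    "bob": {"status": "terminated", "term_date": "2024-03-01", "role": "ap_clerk"},
    "carol": {"status": "active", "role": "ap_manager"},
    "dave": {"status": "active", "role": "developer"},
}

# Constructed role model: the entitlements each job role should hold (least privilege baseline).
ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "ap_clerk": {"invoice_enter"},
    "ap_manager": {"invoice_approve", "report_view"},
    "developer": {"test_env_deploy"},
}

# Constructed account export from the application being reviewed.
ACCOUNT_EXPORT: List[dict] = [
    {"user": "alice", "enabled": True, "entitlements": {"invoice_enter", "invoice_approve"}},
    {"user": "bob", "enabled": True, "entitlements": {"invoice_enter"}},
    {"user": "carol", "enabled": True, "entitlements": {"invoice_approve", "report_view"}},
    {"user": "dave", "enabled": True, "entitlements": {"test_env_deploy", "prod_deploy"}},
    {"user": "svc_batch", "enabled": True, "entitlements": {"invoice_post"}},
]

# Constructed SoD rule: holding anything from both sides of a pair is a conflict.
CONFLICTING_PAIRS: List[Tuple[Set[str], Set[str]]] = [({"invoice_enter"}, {"invoice_approve"})]

Finding = Tuple[str, str, str]  # (user, finding_type, detail)


def review_access(roster: Dict[str, dict], role_map: Dict[str, Set[str]],
                  accounts: List[dict]) -> List[Finding]:
    """Cross-reference accounts against HR and the role model; return recertification findings."""
    findings: List[Finding] = []
    for acct in accounts:
        user = acct["user"]
        person = roster.get(user)
        if person is None:
            findings.append((user, "orphan", "account has no matching HR record"))
            continue
        if person["status"] == "terminated" and acct["enabled"]:
            findings.append((user, "terminated_active",
                             f"terminated {person['term_date']} but account still enabled"))
        expected = role_map.get(person["role"], set())
        excess = acct["entitlements"] - expected
        if excess:
            findings.append((user, "excessive", "beyond role: " + ", ".join(sorted(excess))))
        for side_a, side_b in CONFLICTING_PAIRS:
            if acct["entitlements"] & side_a and acct["entitlements"] & side_b:
                findings.append((user, "sod_conflict",
                                 f"holds both {sorted(side_a)} and {sorted(side_b)}"))
    return findings


if __name__ == "__main__":
    for user, kind, detail in review_access(HR_ROSTER, ROLE_ENTITLEMENTS, ACCOUNT_EXPORT):
        print(f"{user:10s} {kind:18s} {detail}")
```

On the constructed data this reports alice (excess approval right and an initiate/approve conflict), bob (terminated but enabled), dave (production deploy beyond the developer role, the production-access finding from Domain 3) and the orphan service account; carol's access matches her role and produces nothing.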
Privileged Access Management
Privileged accounts (admins, DBA, root) require extra controls: approval workflow, session monitoring, time-limited access, and regular audit of privileged account activity logs.
Biometric Accuracy: CER
Crossover Error Rate (CER) is where False Acceptance Rate (FAR) equals False Rejection Rate (FRR) — lower CER indicates better biometric accuracy. FAR and FRR are inversely related.
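The CER entry is easier to reason about with a threshold sweep. The following Python is an added example, not part of the original cheat sheet; it uses constructed matcher scores (ten genuine attempts, ten impostor attempts) and assumes the system accepts a sample when its score meets or exceeds a threshold. It computes FAR and FRR at each candidate threshold and finds the crossover, which also shows the inverse relationship between the two rates.

```python
from typing import List, Tuple

# Constructed similarity scores in [0, 1]: higher means a closer match to the enrolled template.
GENUINE_SCORES = [0.92, 0.88, 0.95, 0.81, 0.77, 0.90, 0.85, 0.60, 0.93, 0.70]
IMPOSTOR_SCORES = [0.20, 0.35, 0.50, 0.15, 0.65, 0.40, 0.30, 0.75, 0.25, 0.55]


def error_rates(genuine: List[float], impostor: List[float], threshold: float) -> Tuple[float, float]:
    """Return (FAR, FRR) at a threshold where score >= threshold means 'accept'.

    FAR: fraction of impostor attempts wrongly accepted.
    FRR: fraction of genuine attempts wrongly rejected.
    """
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    return far, frr


def crossover(genuine: List[float], impostor: List[float]) -> Tuple[float, float, float, float]:
    """Sweep every observed score as a threshold and return (threshold, FAR, FRR, CER)
    at the point where FAR and FRR are closest; CER is their average there."""
    candidates = sorted(set(genuine) | set(impostor))
    best_t = min(candidates, key=lambda t: abs(error_rates(genuine, impostor, t)[0]
                                             - error_rates(genuine, impostor, t)[1]))
    far, frr = error_rates(genuine, impostor, best_t)
    return best_t, far, frr, (far + frr) / 2


if __name__ == "__main__":
    for t in (0.3, 0.5, 0.7, 0.9):
        far, frr = error_rates(GENUINE_SCORES, IMPOSTOR_SCORES, t)
        print(f"threshold {t:.2f}: FAR={far:.2f} FRR={frr:.2f}")
    t, far, frr, cer = crossover(GENUINE_SCORES, IMPOSTOR_SCORES)
    print(f"crossover at threshold {t:.2f}: FAR={far:.2f} FRR={frr:.2f} CER={cer:.2f}")
```

Raising the threshold drives FAR down and FRR up; on the constructed scores the two meet at a threshold of 0.70 with FAR = FRR = 0.10, so the CER is 0.10. A matcher whose crossover sat lower would separate genuine and impostor scores better.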

Encryption & Cryptography (Domain 5 — continued)

Symmetric Encryption
Uses one shared secret key for both encryption and decryption — fast and efficient for bulk data. Examples: AES (128/256-bit), 3DES. Primary challenge: secure key distribution to both parties.
Asymmetric Encryption
Uses mathematically linked public/private key pair — public key encrypts, private key decrypts (or vice versa for digital signatures). Slower but solves key distribution. Examples: RSA, ECC.
Hashing
One-way function creating a fixed-length digest for integrity verification — cannot be reversed to recover original data. Examples: SHA-256, SHA-3. Used to detect tampering, not for confidentiality.
Digital Signatures
Sender hashes the message and encrypts the hash with their PRIVATE key — recipient decrypts with sender's PUBLIC key and compares hashes. Provides authentication, integrity, and non-repudiation.
PKI Components
Certificate Authority (CA) issues digital certificates. Registration Authority (RA) verifies identity before CA issues certificates. Certificate Revocation List (CRL) lists invalid certificates. Root CA must be protected offline.
TLS: Hybrid Encryption
TLS uses asymmetric encryption to exchange a symmetric session key, then encrypts all traffic with the faster symmetric key — combining the key distribution advantage of asymmetric with the speed of symmetric.
Encryption Audit Scope
Auditors evaluate whether data at rest AND data in transit are encrypted, whether key management procedures are documented and followed, and whether encryption algorithms meet current standards (not deprecated DES, MD5, SHA-1).

Network Security Controls (Domain 5 — continued)

Firewall Types
Packet filtering (fastest, checks IP/port only) < Stateful inspection (tracks connection state) < Application-layer proxy (deepest inspection, slowest). Auditors verify rule reviews and default-deny posture.
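The firewall entry ends with what the auditor verifies: rule reviews and a default-deny posture. The following Python is an added example, not part of the original cheat sheet; the ruleset and its field layout are constructed, and the containment check is a deliberate simplification (a field matches when it is "any" or textually identical, with no CIDR arithmetic). It flags a missing terminal deny-all, any/any allow rules, undocumented rules, and rules shadowed by an earlier rule.

```python
from dataclasses import dataclass
from typing import List, Tuple

Finding = Tuple[str, str, str]  # (where, finding_type, detail)


@dataclass(frozen=True)
class Rule:
    action: str   # "allow" or "deny"
    src: str
    dst: str
    proto: str
    port: str
    comment: str  # business justification recorded at review time


# Constructed ruleset, evaluated top-down with first match winning.
RULESET: List[Rule] = [
    Rule("allow", "10.0.0.0/8", "dmz-web", "tcp", "443", "internal users to web tier"),
    Rule("allow", "any", "dmz-web", "tcp", "443", "internet to public web"),
    Rule("allow", "any", "any", "any", "any", ""),            # undocumented temporary rule
    Rule("allow", "10.1.1.5", "dmz-web", "tcp", "443", "monitoring probe"),
    Rule("deny", "any", "any", "any", "any", "default deny"),
]


def covers(earlier: Rule, later: Rule) -> bool:
    """True when every field of `earlier` is 'any' or equal to the later rule's field,
    so any packet matching `later` already matched `earlier` (simplified, no CIDR math)."""
    return all(a == "any" or a == b
               for a, b in ((earlier.src, later.src), (earlier.dst, later.dst),
                            (earlier.proto, later.proto), (earlier.port, later.port)))


def review_ruleset(rules: List[Rule]) -> List[Finding]:
    findings: List[Finding] = []
    last = rules[-1] if rules else None
    if last is None or not (last.action == "deny" and covers(last, Rule("deny", "any", "any", "any", "any", ""))):
        findings.append(("ruleset", "missing_default_deny", "last rule is not an explicit deny any/any"))
    for i, rule in enumerate(rules):
        label = f"rule {i + 1}"
        if rule.action == "allow" and rule.src == "any" and rule.dst == "any" and rule.port == "any":
            findings.append((label, "any_any_allow", "permits any source to any destination on any port"))
        if not rule.comment.strip():
            findings.append((label, "undocumented", "no recorded justification"))
        for j in range(i):
            if covers(rules[j], rule):
                findings.append((label, "shadowed", f"never matched; rule {j + 1} already covers it"))
                break
    return findings


if __name__ == "__main__":
    for where, kind, detail in review_ruleset(RULESET):
        print(f"{where:8s} {kind:20s} {detail}")
```

On the constructed ruleset, rule 3 is both undocumented and an any/any allow, rule 4 is shadowed by rule 2, and the terminal deny is shadowed by rule 3, which is the practical meaning of "default-deny posture": a deny-all at the bottom is worthless if a broad allow above it matches first.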
DMZ Architecture
Demilitarized Zone places public-facing servers (web, email) between two firewalls — internet-facing firewall and internal firewall — preventing direct exposure of internal networks to untrusted traffic.
IDS vs IPS
IDS (Intrusion Detection System) passively DETECTS and ALERTS on suspicious traffic — it cannot block. IPS (Intrusion Prevention System) actively BLOCKS malicious traffic inline — this is the key exam distinction.
Network Segmentation
Dividing the network into isolated zones limits lateral movement after a breach — auditors verify that sensitive systems (financial, HR, PII) are isolated from general user networks.
VPN Assessment
Auditors evaluate VPN encryption strength, authentication requirements (MFA recommended), split-tunneling risks (internet traffic bypassing corporate security), and access logging for privileged users.
Vulnerability Scanning vs Penetration Testing
Vulnerability scanning is automated discovery of known weaknesses — non-exploitative. Penetration testing actively exploits vulnerabilities to demonstrate real impact. Auditors evaluate the PROGRAM, not execute the tests.

Risk Concepts & Control Types

Inherent Risk vs Residual Risk
Inherent risk is the exposure BEFORE controls are applied. Residual risk is the exposure REMAINING after controls are implemented. Management must formally accept residual risk if it exceeds risk appetite.
Control Types by Function
Preventive (stop problems BEFORE they occur: access controls, input validation) + Detective (identify problems AFTER they occur: audit logs, IDS) + Corrective (fix problems after detection: patches, incident response).
Compensating Controls
Alternative controls used when the primary control is impractical or infeasible — must provide equivalent or better protection to the control they substitute for. Auditors must verify that the compensating control adequately mitigates the same risk.
General IT Controls (GITCs) vs Application Controls
GITCs are infrastructure-wide (access security, change management, operations) and support ALL applications. Application controls are specific to ONE application. If GITCs are weak, auditors CANNOT rely on application controls.
Inherent vs Control vs Detection Risk
Audit risk model: Inherent risk (risk the area is susceptible to errors) x Control risk (risk controls fail to prevent/detect) x Detection risk (risk auditor fails to find remaining errors) = Audit risk.
Risk Treatment Options
Mitigate (reduce likelihood or impact), Transfer (insurance, outsourcing), Accept (acknowledge and monitor), Avoid (eliminate the activity). Transferring risk does NOT transfer accountability to the third party.

Security Assessment & Incident Response

Incident Response Sequence
Detection → Containment (FIRST priority after detection to limit damage) → Eradication → Recovery → Post-Incident Review (lessons learned). Containment comes before eradication — do not eradicate before containing spread.
Chain of Custody
Documented chronological record of who collected, handled, transferred, and accessed digital evidence — must be maintained throughout to ensure legal admissibility. Break in chain can render evidence inadmissible.
Digital Forensics: Volatility Order
Collect most volatile evidence first: CPU registers/cache → RAM/running processes → Network connections → Disk contents → Backup media. Failing to follow this order risks destroying volatile evidence.
Security Awareness Training
Must cover ALL employees, be role-appropriate, updated regularly, and measured for behavioral effectiveness — completion rate alone is NOT an effectiveness measure. Social engineering awareness is critical.
Data Classification
Defines protection requirements by sensitivity (Public, Internal, Confidential, Restricted) — drives access controls, encryption requirements, handling procedures, and retention and destruction methods.
SOC Reports for Cloud Audit
SOC 1 covers financial reporting controls. SOC 2 covers security, availability, processing integrity, confidentiality, and privacy (Trust Services Criteria). SOC 3 is a public summary version of SOC 2.
Right-to-Audit Clause
Contracts with cloud providers and third-party vendors must include a right-to-audit clause allowing the organization (or its auditors) to independently verify controls — without it, the auditor can only rely on vendor-provided SOC reports.

Key Exam Distinctions & Traps

BIA Before BCP/DRP
BIA must be completed FIRST — this is the single most-tested sequencing fact on Domain 4. Without BIA, recovery priorities are arbitrary guesswork.
MTD >= RTO Always
Maximum Tolerable Downtime must always be greater than or equal to RTO — if RTO exceeds MTD, the business fails before recovery completes. Violation of this relationship is always an audit finding.
MFA Factor Type Rule
Two passwords or two security questions are NOT multi-factor authentication — MFA requires two DIFFERENT factor types (know + have, know + are, have + are). This trap appears in Domain 5 questions.
Developer Production Access
Developer access to production environments is always a critical segregation of duties violation regardless of context — never choose an answer that presents it as an acceptable control.
Auditor Re-performance as Strongest Evidence
When the auditor independently re-performs a control or recalculates a transaction, it produces the strongest evidence — this is stronger than reviewing documents the auditee provided.
Full Interruption Test vs Tabletop
Tabletop exercises test AWARENESS of the plan. Full interruption testing provides BEST ASSURANCE the plan actually works — but carries the highest operational risk. Match test type to what assurance level is needed.
Shared Responsibility in Cloud
In cloud environments, the customer is responsible for what runs ON the cloud (data, applications, access configurations); the provider is responsible for the cloud infrastructure — auditors must understand the boundary.