General Exam Tips
1. Read ALL four answer choices before selecting — the 'obviously correct' option is often a distractor designed for IT practitioners, not auditors
2. When two answers seem right, ask: which one reflects what an IS AUDITOR does (evaluate/assess/recommend) vs what an IT admin does (implement/configure/fix)?
3. Questions asking 'what should the auditor do FIRST' almost always want you to gather information or conduct a risk assessment — not take action
4. The word 'PRIMARY' in a question means hierarchy — risk to independence, then risk to the organization, then operational concerns
5. Pace yourself: 150 questions in 240 minutes = 96 seconds per question. Mark hard ones and return; do not stall
6. There is no penalty for wrong answers — never leave a question blank
7. Domains 4 and 5 together are 52% of the exam; treat them as the exam, and the other domains as supporting material
8. If an answer option says the auditor should 'implement,' 'configure,' 'fix,' or 'deploy' anything — that option is almost certainly wrong
9. When the scenario involves a third-party vendor, the answer usually involves reviewing contracts, right-to-audit clauses, or SOC reports — not direct technical testing
10. ISACA's preferred answer prioritizes formal process and documentation over speed and pragmatism. In real life you might reboot the server first; in ISACA-world you assess the situation and follow the incident response plan first
Information Systems Auditing Process
Must-Know Facts
- Audit charter must be approved by the AUDIT COMMITTEE or BOARD — not by IT management or the CIO
- Risk-based audit planning: audit resources go to highest-risk areas; audit rotation schedules and management preferences are never the correct driver
- ISACA ITAF three tiers: mandatory standards (must follow), guidelines (should follow), tools and techniques (may follow)
- Evidence reliability ranking from highest to lowest: auditor re-performance > auditor direct observation > externally generated evidence > client-generated evidence > oral inquiry
- Statistical sampling allows projection of results to the entire population with a measurable confidence level; judgmental sampling does NOT allow population projection
- CAATs (Computer-Assisted Audit Techniques): generalized audit software, test data, integrated test facility (ITF), embedded audit modules, parallel simulation — each for specific scenarios
- Four control types: preventive (stop it), detective (find it), corrective (fix it), compensating (alternative when primary is impractical)
- Audit finding components: condition (what is), criteria (what should be), cause (why), effect (impact), recommendation (how to fix)
- Materiality determines whether a finding is significant enough to report — a finding is material if it could influence the decisions of the report's users
- Audit follow-up: the auditor must verify that management has implemented agreed-upon corrective actions within agreed timelines
Scenario Tips
When a question asks what an auditor should do FIRST upon beginning an IS audit engagement...
- Correct approach: Review the audit charter and confirm audit scope and authority. The auditor must first establish that they have authority, independence, and a clear scope before any fieldwork begins
- Trap: Starting with interviews or system access reviews — these are fieldwork activities, not planning activities. Without a confirmed charter, the auditor lacks authority
When a question asks which CAAT to use to test whether all purchase orders above $10,000 have two approvals across 500,000 transactions...
- Correct approach: Generalized audit software (GAS) — it can query the entire population, apply the rule, and extract all exceptions. This is exactly what GAS is designed for: large-population data analysis with defined criteria
- Trap: Test data or ITF — these test how the SYSTEM processes transactions, not whether existing historical transactions comply with a policy
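The GAS scenario above (every purchase order above $10,000 must carry two approvals), as an added example that is not part of the original notes: the script runs the rule over a constructed population of purchase orders and extracts every exception, which is what generalized audit software does for historical transactions and what test data or an ITF cannot do. The PurchaseOrder record layout, the sample rows and the helper function names are assumptions made for this illustration; the same pattern applies to any population-wide compliance test.

```python
"""Added example (not from the original notes): a generalized-audit-software
style exception test. Rule under test: every purchase order ABOVE $10,000
must have at least two DISTINCT approvers. All records below are constructed."""
from dataclasses import dataclass, field

APPROVAL_THRESHOLD = 10_000   # rule applies strictly above this amount
REQUIRED_APPROVALS = 2        # distinct people, not distinct entries


@dataclass
class PurchaseOrder:
    po_id: str
    amount: float
    approvers: list = field(default_factory=list)


def distinct_approvers(po):
    """Normalize approver names so 'Bob ' and 'bob' count once and blanks count zero."""
    return {a.strip().lower() for a in po.approvers if a and a.strip()}


def find_exceptions(population, threshold=APPROVAL_THRESHOLD, required=REQUIRED_APPROVALS):
    """Apply the rule to the ENTIRE population (not a sample) and return the
    offending orders in file order. Because every record is tested, the result
    is a complete exception list, not a projection from a sample."""
    return [
        po for po in population
        if po.amount > threshold and len(distinct_approvers(po)) < required
    ]


def summarize(population, exceptions, threshold=APPROVAL_THRESHOLD):
    """Figures an auditor would carry into the finding: population size,
    in-scope count, exception count and exception rate within scope."""
    in_scope = [po for po in population if po.amount > threshold]
    rate = len(exceptions) / len(in_scope) if in_scope else 0.0
    return {
        "population": len(population),
        "in_scope": len(in_scope),
        "exceptions": len(exceptions),
        "exception_rate": rate,
    }


# Constructed sample population (hypothetical PO numbers and approver names).
SAMPLE = [
    PurchaseOrder("PO-1001", 9_500.00, ["alice"]),                   # below threshold: out of scope
    PurchaseOrder("PO-1002", 10_000.00, ["alice"]),                  # exactly at threshold: not "above"
    PurchaseOrder("PO-1003", 12_400.00, ["alice", "bob"]),           # compliant
    PurchaseOrder("PO-1004", 25_000.00, ["alice"]),                  # exception: one approver
    PurchaseOrder("PO-1005", 48_000.00, ["bob", "Bob "]),            # exception: same person twice
    PurchaseOrder("PO-1006", 15_250.00, ["carol", ""]),              # exception: blank second approver
    PurchaseOrder("PO-1007", 99_999.99, ["dave", "erin", "frank"]),  # compliant
]


if __name__ == "__main__":
    found = find_exceptions(SAMPLE)
    for po in found:
        print(f"{po.po_id}: {po.amount:,.2f} with approvers {po.approvers}")
    print(summarize(SAMPLE, found))
```

The two edge cases worth noticing are the boundary (an order at exactly $10,000 is not "above" it and stays out of scope) and duplicate or blank approver entries, which a naive `len(po.approvers) >= 2` check would wrongly accept.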
When the question asks about the PRIMARY purpose of an audit charter...
- Correct approach: To formally establish the IS audit function's authority, objectives, scope, responsibilities, and independence. It is the foundational document authorizing the audit function to operate
- Trap: Describing the audit methodology or providing an audit plan — those are engagement-level documents. The charter is the organizational-level authorization document
Governance and Management of IT
Must-Know Facts
- Governance (board-level): set direction, evaluate performance, ensure alignment. Management (IT leadership): plan, build, run, monitor operations within the governance framework
- COBIT governance domain = Evaluate, Direct, Monitor (EDM). COBIT management domains = APO, BAI, DSS, MEA
- IT strategic plan must be DERIVED FROM the enterprise business plan — not developed independently by IT and then presented to management
- The CIO should ideally report to the CEO or board — reporting to the CFO signals that IT is viewed as a cost center, not a strategic enabler, creating alignment risk
- IT steering committee advises and prioritizes IT initiatives but does NOT make day-to-day operational decisions — that is management's role
- IT balanced scorecard (BSC) measures IT performance across four perspectives: financial, customer, internal process, and learning/growth
- IT policies (what to do), standards (minimum required levels of implementation), and procedures (step-by-step how to) form a hierarchy — auditors verify all three exist and are enforced
- Benefits realization: IT investment decisions require a business case; post-implementation, management must measure and report whether expected benefits were achieved
- Enterprise architecture frameworks (TOGAF, Zachman) align IT infrastructure and systems with business strategy — auditors evaluate whether EA supports business objectives
- Quality management: CMMI maturity levels (1=Initial, 2=Managed, 3=Defined, 4=Quantitatively Managed, 5=Optimizing) used to assess process maturity
Scenario Tips
When the question presents an IT department that built its own IT strategic plan without business input and asks what the auditor should recommend...
- Correct approach: Recommend that the IT strategic plan be redeveloped with involvement from business stakeholders and aligned to the enterprise business strategy. Simply approving or getting board sign-off on an already-misaligned plan does not fix the root problem
- Trap: Recommending the board approve the existing plan — approval alone does not create alignment. The plan itself must reflect business objectives to be valid
When a question asks which COBIT process belongs to governance vs. management...
- Correct approach: Governance = EDM processes (Evaluate, Direct, Monitor). If the activity is 'evaluate whether IT aligns with business goals' or 'monitor IT performance and report to the board' — that is governance. If it involves planning, building, running, or supporting IT services — that is management (APO/BAI/DSS/MEA)
- Trap: Thinking that monitoring and reporting automatically means management — monitoring at the board level to assess whether governance objectives are met is a governance (EDM) activity
Information Systems Acquisition, Development and Implementation
Must-Know Facts
- IS auditors should be involved from the FEASIBILITY stage of SDLC — not just at testing or implementation. Early involvement prevents costly rework of control gaps
- SDLC phases in order: feasibility study, requirements definition, design, development, testing (unit, integration, system, UAT), implementation, post-implementation review
- User Acceptance Testing (UAT) must be performed by BUSINESS USERS, not IT staff, developers, or QA teams — it validates that the system meets business requirements
- Change management process: request → impact assessment → approval by change advisory board → testing in non-production environment → scheduled implementation → post-implementation review
- Emergency changes: bypass normal approval but MUST have after-the-fact documentation and approval. 'Emergency' does not mean 'undocumented'
- Segregation of duties: developers must NOT have access to production environments. Testing must be done with test data in isolated test environments, not production data
- Implementation strategies from lowest to highest risk: parallel running, phased, pilot, direct cutover
- Post-implementation review: verifies the system meets original requirements, delivers expected benefits, and that controls operate as designed
- Application controls: input controls (validation, sequence, limit/range, completeness), processing controls (run-to-run totals, hash totals, control totals), output controls (reconciliation, distribution, retention)
- Feasibility study evaluates: technical feasibility (can we build it?), economic feasibility (is it cost-effective?), operational feasibility (will users adopt it?), legal/regulatory feasibility
Scenario Tips
When a question asks about 15 emergency changes in a quarter where only 3 have after-the-fact approvals...
- Correct approach: The PRIMARY concern is that 12 emergency changes lack after-the-fact documentation, meaning potentially unauthorized or improperly reviewed changes exist in production. This is an uncontrolled change management failure, not merely a documentation oversight
- Trap: Focusing on the high volume of emergency changes as the primary concern — while worth investigating, the root concern is the missing documentation for the changes that were made, creating accountability and integrity risk
When asked which implementation strategy a hospital should use when replacing its patient records system...
- Correct approach: Parallel running — for a critical system where data integrity is essential and failures have serious consequences, parallel running allows the old and new systems to be compared and any discrepancies corrected before fully cutting over
- Trap: Direct cutover because it is faster — speed is never the right answer for high-criticality system replacements in ISACA's framework
Information Systems Operations and Business Resilience
Must-Know Facts
- BIA (Business Impact Analysis) must be completed FIRST before developing BCP or DRP — BIA identifies critical processes, quantifies disruption impact, and sets recovery priorities
- Recovery metrics: RTO = maximum acceptable time to restore a system after disruption. RPO = maximum acceptable data loss measured in time. MTD = maximum tolerable downtime before the business fails. Relationship: MTD must be greater than or equal to RTO
- Recovery sites by cost and recovery time: mirror site (real-time replication, immediate), hot site (fully equipped, hours), warm site (partially equipped, days), cold site (empty facility, weeks/months)
- Backup strategies: full backup (complete, slow to create, fast to restore), incremental backup (changes since LAST BACKUP, fast to create, SLOW to restore — needs full + all incrementals), differential backup (changes since LAST FULL BACKUP, moderate to create, faster to restore — needs full + last differential only)
- BCP/DRP testing types from least to most rigorous: tabletop/walkthrough (discuss the plan), simulation (practice response without affecting production), parallel test (test recovery while production continues), full interruption test (switch to backup systems, highest assurance but highest risk)
- Incident management sequence: detect, contain (FIRST PRIORITY after detection — before reporting up the chain), eradicate, recover, post-incident review (lessons learned)
- Problem management vs incident management: incident management restores service QUICKLY. Problem management identifies and eliminates ROOT CAUSES to prevent recurrence
- IT service management (ITIL): service levels defined in SLAs; capacity management ensures resources meet demand; availability management ensures systems meet uptime targets
- Segregation of duties in operations: operators should not have programming access; programmers should not have operator access to production systems
- Data center controls: gas-based fire suppression (FM-200, Inergen, CO2) for IT equipment — never water-based sprinklers. UPS for short-term power, generator for sustained power loss
Scenario Tips
When an organization with a 2-hour RTO and 15-minute RPO for its trading platform asks which recovery strategy to implement...
- Correct approach: Hot site with near-real-time data replication (or mirror site). A 2-hour RTO eliminates warm and cold sites. A 15-minute RPO eliminates anything but continuous or near-continuous data replication. Both constraints must be satisfied
- Trap: Warm site with hourly differential backups — this satisfies neither the RTO (days, not hours, for warm site activation) nor the RPO (hourly backups create up to 60 minutes of data loss, which exceeds 15 minutes)
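The backup-strategy fact in the Must-Know list (incremental needs the full plus every incremental, differential needs the full plus only the latest differential) and the RPO arithmetic in the trading-platform scenario above, as one added example that is not part of the original notes: the script builds a constructed weekly schedule, computes the restore chain for each strategy, shows what a single missing backup set does to each chain, and checks a backup interval against an RPO. The schedule, the day numbering and the function names are assumptions made for this illustration.

```python
"""Added example (not from the original notes): restore chains for full,
incremental and differential backups, plus the worst-case data loss a backup
interval implies against an RPO. Schedule and intervals are constructed."""

# Daily set type produced by each strategy between weekly full backups.
KINDS = {"full": "full", "incremental": "incr", "differential": "diff"}


def weekly_schedule(strategy):
    """Day 0 is the weekly full backup; days 1-6 produce the strategy's daily set."""
    daily = KINDS[strategy]
    return [(0, "full")] + [(day, daily) for day in range(1, 7)]


def restore_chain(schedule, strategy, restore_day):
    """Days whose backup sets must be restored, in restore order, to recover to
    the most recent backup taken on or before restore_day.
      full:         just the latest full
      incremental:  the last full plus EVERY incremental since it, in order
      differential: the last full plus ONLY the latest differential"""
    usable = [(day, kind) for day, kind in schedule if day <= restore_day]
    fulls = [day for day, kind in usable if kind == "full"]
    if not fulls:
        raise ValueError("no full backup on or before the restore point")
    last_full = fulls[-1]
    since_full = [(day, kind) for day, kind in usable if day > last_full]
    if strategy == "full":
        return [last_full]
    if strategy == "incremental":
        return [last_full] + [day for day, kind in since_full if kind == "incr"]
    if strategy == "differential":
        diffs = [day for day, kind in since_full if kind == "diff"]
        return [last_full] + diffs[-1:]
    raise ValueError(f"unknown strategy {strategy!r}")


def missing_sets(chain, available_days):
    """Backup sets the chain needs that are not on hand. Any non-empty result
    means the restore cannot complete: an incremental chain breaks at the first
    lost set, a differential chain only needs the full and the latest diff."""
    return [day for day in chain if day not in available_days]


def worst_case_data_loss_minutes(backup_interval_minutes):
    """A failure just before the next backup loses one whole interval of work."""
    return backup_interval_minutes


def meets_rpo(backup_interval_minutes, rpo_minutes):
    """True only if the worst-case loss fits inside the RPO."""
    return worst_case_data_loss_minutes(backup_interval_minutes) <= rpo_minutes


if __name__ == "__main__":
    for strategy in KINDS:
        chain = restore_chain(weekly_schedule(strategy), strategy, 5)
        print(f"{strategy:13s} restore to day 5 needs {len(chain)} set(s): {chain}")
    on_hand = {0, 1, 2, 4, 5}   # constructed: the day-3 set was lost
    print("incremental missing:", missing_sets(restore_chain(weekly_schedule("incremental"), "incremental", 5), on_hand))
    print("differential missing:", missing_sets(restore_chain(weekly_schedule("differential"), "differential", 5), on_hand))
    print("hourly backups vs 15-minute RPO:", meets_rpo(60, 15))
    print("10-minute replication vs 15-minute RPO:", meets_rpo(10, 15))
```

The point the numbers make: restoring to day 5 takes six sets under incremental, two under differential and one under full, and losing a single mid-week set breaks only the incremental chain. The RPO check is the same arithmetic the scenario uses: an hourly backup leaves up to 60 minutes of loss, so it cannot meet a 15-minute RPO regardless of site type.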
When the DRP was tested with a tabletop exercise two years ago and the auditor needs to recommend next steps...
- Correct approach: Recommend testing at least annually using progressively more rigorous methods — moving beyond tabletop to simulation or parallel testing to actually validate recovery capability. Two years without testing is too infrequent, and tabletop alone provides insufficient assurance
- Trap: Recommend an immediate full interruption test — this is too aggressive without first validating the plan through less risky test types. Jumping straight to full interruption without prior simulation testing is itself a risk management failure
When asked what MOST indicates that an incident management process is working effectively...
- Correct approach: Mean Time to Repair (MTTR) decreasing over time combined with documented containment and root cause analysis for each incident. Effective incident management reduces time to restore AND produces documentation that feeds into problem management
- Trap: The number of incidents detected — high detection rates indicate good monitoring, not effective incident management. The management question is whether detected incidents are being resolved efficiently and recurrence is decreasing
Protection of Information Assets
Must-Know Facts
- Defense in depth: layered security controls so that no single failure exposes assets — perimeter, network, host, application, data layers
- Least privilege: users receive only the minimum access necessary for their job function — nothing more
- Separation of duties: no single person can initiate AND approve AND post a transaction. Critical fraud prevention control for financial and privileged operations
- Access control models: DAC (owner decides who accesses their data — flexible), MAC (classification labels enforced by the system — most restrictive, used in government), RBAC (permissions assigned to roles — most scalable for large organizations, ISACA's preferred model for enterprises)
- Authentication factors: something you know (password/PIN), something you have (token/smart card), something you are (biometric). Multi-factor requires at least two DIFFERENT factor types
- Encryption: AES (symmetric, fast, bulk data), RSA (asymmetric, key exchange and digital signatures), SHA-256 (hashing, integrity only — not encryption). PKI components: Certificate Authority (CA), Registration Authority (RA), Certificate Revocation List (CRL)
- Digital signature process: sender hashes the message, encrypts the hash with their PRIVATE key. Receiver decrypts the hash with the sender's PUBLIC key, then re-hashes the message to verify. Provides authentication, non-repudiation, and integrity
- Firewall types: packet filtering (IP/port, stateless, fastest, least secure), stateful inspection (tracks connection state, more secure), application-level proxy (inspects payload, most secure, slowest). Next-generation firewalls add application identification and user identity
- IDS vs IPS: IDS passively detects and ALERTS. IPS actively BLOCKS malicious traffic. IDS does not stop attacks; IPS can cause false-positive blocking of legitimate traffic
- Vulnerability management cycle: discover, assess/prioritize, remediate, verify, report. Patch management is a key component — must test patches in non-production before deploying to production
- Incident response phases: prepare, detect and identify, contain, eradicate, recover, post-incident review. Evidence preservation and chain of custody are mandatory if legal action may follow
- Data classification drives everything: determines access controls, encryption requirements, handling procedures, retention periods, and destruction methods for each data category
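The digital-signature sequence in the Must-Know list (hash the message, sign the hash with the sender's PRIVATE key, verify with the sender's PUBLIC key) as an added example that is not part of the original notes. It uses textbook RSA over constructed, deliberately tiny primes so it runs with the standard library alone; the key sizes, the names Alice and Mallory and the message are assumptions for this illustration. Real deployments use keys of at least 2048 bits and a padding scheme (RSA-PSS or PKCS#1 v1.5) over the full digest, whereas this toy reduces the SHA-256 digest modulo a 40-bit n and exists only to make the three properties visible: a valid signature verifies, a changed message fails (integrity), and the wrong public key fails (authentication).

```python
"""Added example (not from the original notes): hash-then-sign with textbook
RSA on constructed tiny keys. Illustration only; not a usable signature scheme."""
import hashlib
from math import gcd


def _is_prime(n):
    """Trial division; fine for the million-scale constructed primes used here."""
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True


def make_keypair(p, q, e=65537):
    """Return (public, private) as (n, e) and (n, d). p and q are constructed
    primes; real key generation draws large random primes."""
    if not (_is_prime(p) and _is_prime(q)):
        raise ValueError("p and q must be prime")
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("public exponent not invertible modulo phi(n)")
    d = pow(e, -1, phi)          # private exponent (Python 3.8+)
    return (n, e), (n, d)


def message_digest(msg, n):
    """SHA-256 of the message, reduced mod n so it fits the toy modulus.
    (A real scheme pads the full digest instead of reducing it.)"""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


def sign(msg, private_key):
    """Sender: hash the message, then apply the PRIVATE exponent to the hash."""
    n, d = private_key
    return pow(message_digest(msg, n), d, n)


def verify(msg, signature, public_key):
    """Receiver: apply the sender's PUBLIC exponent to the signature, re-hash the
    received message, and compare. Any change to the message or use of a
    different signer's key makes the two values differ."""
    n, e = public_key
    return pow(signature, e, n) == message_digest(msg, n)


# Constructed key pairs (tiny primes; illustration only).
ALICE_PUB, ALICE_PRIV = make_keypair(1_000_003, 1_000_033)
MALLORY_PUB, MALLORY_PRIV = make_keypair(1_000_037, 1_000_039)


def demo(original=b"Pay 10,000 to account 42", altered=b"Pay 90,000 to account 42"):
    """Run the three checks the notes describe and return their outcomes."""
    sig = sign(original, ALICE_PRIV)
    return {
        "genuine_verifies": verify(original, sig, ALICE_PUB),        # integrity + authentication hold
        "altered_message_fails": not verify(altered, sig, ALICE_PUB),  # integrity check catches the change
        "wrong_signer_fails": not verify(original, sig, MALLORY_PUB),  # Mallory's key cannot vouch for Alice
    }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

Non-repudiation follows from the same mechanism: only the holder of the private exponent d could have produced a value that the matching public key turns back into the message's digest, so Alice cannot plausibly deny a signature that verifies under her public key.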
Scenario Tips
When a financial application allows one employee to initiate, approve, and post transactions...
- Correct approach: This is a separation of duties violation — the PRIMARY concern. No single individual should control an entire transaction cycle because this creates undetected fraud risk. The auditor should recommend segregating these functions across different roles or individuals
- Trap: Recommending additional logging or monitoring — while compensating controls like enhanced logging are appropriate where full separation is impractical, the primary finding is the SOD violation itself, not monitoring gaps
When an organization asks which VPN authentication method provides true multi-factor authentication...
- Correct approach: Password (something you know) + hardware OTP token (something you have) = true MFA. Two passwords, a password + security question, or a long passphrase are all single-factor (all 'something you know')
- Trap: A password with a complex security question — security questions are knowledge-based, making this one-factor authentication with an extra step, not two-factor
When a vulnerability scan finds critical vulnerabilities on production servers and the auditor needs to evaluate the organization's response...
- Correct approach: Verify that the organization prioritizes vulnerabilities by risk, remediates according to a documented schedule tied to severity, tests patches in non-production first, and verifies remediation after patching. The process matters, not just whether individual vulnerabilities were patched
- Trap: Confirming that all vulnerabilities were patched immediately — not all vulnerabilities require immediate remediation; risk-based prioritization is the correct approach
When a data center fire suppression system uses standard water sprinklers and the auditor is asked what to recommend...
- Correct approach: Replace with a gas-based suppression system (FM-200, Inergen, or CO2). Water damages IT equipment — the suppression remedy may be worse than the fire. Gas-based systems extinguish fires without physical damage to electronics
- Trap: Adding early-warning smoke detectors to the existing sprinkler system — this improves detection speed but does not resolve the core risk that water will damage IT equipment upon activation