Study online at https://quizlet.com/_1pwmhc
1. IS Audit: The formal examination and/or testing of information systems to determine whether
1) Info systems are in compliance with applicable laws, regulations, contracts and/or industry guidelines
2) Info systems and related processes comply with governance criteria and relevant policies and procedures
3) IS data and info have appropriate levels of confidentiality, integrity and availability
4) IS operations are being accomplished efficiently and effectiveness targets are being met
2. 3 Major Phases of the IT Audit: 1) Planning
2) Fieldwork/Documentation
3) Reporting/Follow-Up
3. 3 IS Audit & Assurance Standards: 1) General
2) Performance
3) Reporting
4. ISACA Code of Professional Ethics: CISA Holders Must:
1. Inform appropriate parties of the results of work performed, including disclosure of all significant facts known to them
2. Perform their duties with objectivity, due diligence and professional care
3. Serve in the interest of the stakeholders in a lawful manner
4. Maintain the privacy and confidentiality of the information obtained in the course of their activities
5. Support the professional education of stakeholders
5. Business Process: An interrelated set of cross-functional activities or events that result in the delivery of a
specific product or service
6. Business Process Owner: The individual responsible for identifying process requirements, approving
process design and managing process performance.
Scope Note: Must be at an appropriately high level in the enterprise and have authority to commit resources to
process-specific risk management activities.
7. Audit Charter: Overarching document that covers the entire scope of audit activities in an entity.
Should outline the overall authority, scope and responsibilities of the audit function.
Highest level of management and/or audit committee should approve it
Should only be changed if the changes can be justified
8. Engagement Letter: Document that is more focused on a particular audit and has a specific objective
9. Audit Planning: - Conducted at the beginning of the audit process to establish the overall strategy and detail
the specific procedures needed to complete the audit
- Includes both short- and long-term planning
CISA 2025 Study Flashcards
10. Short-term Planning: Considers audit issues that will be covered during the year
11. Long-term Planning: Considers risk related issues regarding changes to the org's strategic IT direction
that will affect the overall IT environment
12. Audit Universe: Includes all relevant processes that represent the blueprint of the enterprise's business
13. Risk Factors: Factors that influence the frequency and/or business impact of risk scenarios
14. Steps to Perform Audit Planning: 1. Gain an understanding of the org's mission, objectives and
purpose
2. Gain an understanding of the org's governance structure and practices related to audit procedures
3. Understand changes in the business environment of the auditee
4. Review prior workpapers
5. Identify policies, standards and required guidelines, procedures and organizational structure
6. Perform a risk analysis to help in designing the audit plan
7. Set the audit scope and audit objectives
8. Develop the audit approach or audit strategy
9. Assign personnel resources to the audit
10. Address engagement logistics
15. Content of Legal Regulations: 1. Establishment of regulatory requirements
2. Responsibilities assigned to corresponding entities
3. Financial, operational and IS audit functions
16. 2 Major Areas of Concern (Legal): 1. Legal requirements placed on audit or IS audit
2. Legal requirements placed on the auditee, its systems, data management, reporting, etc.
17. Ecommerce: the buying and selling of goods and services over the internet
18. Types of Ecommerce (6): B to B = business to business
B to C = business to consumer
C to B = consumer to business (selling your service to a business)
C to C = consumer to consumer (usually through a third party)
B to G = business to government
C to G = consumer to government (filing taxes)
19. Single-Tier Architecture: client-based application running on a single computer
20. two-tier architecture: (the most common type), a client (tier one) communicates directly with the server
(tier two)
21. Three-tier architecture: -presentation tier
-application tier
-data tier
22. Mobile code: software transmitted between systems and executed on the local system, using cross-platform
code, without explicit installation by the recipient computer
23. Web servers: used to manage web content and client connections; business logic and other services are
provided by the application server, and databases are used for storage
24. Databases: Play a key role in ecommerce systems, maintaining data for website pages, accumulating customer
info and storing data for website usage
25. True or False: Persistent customer data should not be stored on web servers
that are exposed directly to the internet: True
26. Extensible Markup Language (XML): The markup language designed to transport and store data
on the Web. (key means of exchanging data)
27. Extensible Stylesheet Language (XSL): Defines how XML should be presented
28. XML Query (XQuery): Deals with querying XML format data
29. XML Encryption: Deals with encrypting and decrypting XML documents (digital signing of XML documents is
covered by the companion XML Signature standard)
30. What are the 5 Important Elements of Ecommerce Risk?: 1. Confidentiality
2. Integrity
3. Availability
4. Authentication and nonrepudiation
5. Power shift to customers (customers can easily compare offerings and switch to a competitor)
31. What are the 4 Ecommerce Requirements?: 1. Building a business case
2. Developing a clear business purpose
3. Using Technology to improve costs
4. Building a business case around the 4 C's
32. What are the 4 C's?: 1. Cost
2. Customer
3. Competitor
4. Capabilities
33. What should an auditor review for an Ecommerce Business Process?: - Interconnection agreements
- Security mechanism and procedures
- Firewall mechanisms
- Change management
- SOD
- Application logs
- Protection of data
- Confidentiality of data
- Plans and procedures
- Communications from vendors to customers
34. EDI: Electronic Data Interchange
35. What are the 2 types of software required for EDI?: 1. Communications software
2. Translation software
36. Communications software: Moves data from one point to another and determines how acknowledgements
are transmitted and reconciled.
37. Translation software: Helps build a map that shows how the data fields from the application correspond
to the EDI standard format
38. What are the 2 approaches related to EDI that an IS auditor should be aware
of?: 1. The traditional proprietary version of EDI used by large companies and government partners (costly)
2. The development of EDI through the publicly available commercial infrastructure offered through the internet (lower cost)
39. During an exit interview, the IS auditor should: 1. Ensure that the facts presented in the
report are correct
2. Ensure that the recommendations are realistic and cost-effective and if not, seek alternatives through negotiation
with auditee management
3. Recommend implementation dates for agreed-on recommendations
40. Audit report structure and contents: 1. Introduction to the report (audit objectives, scope, period
of audit coverage, general statement of the nature and extent of audit procedures)
2. Audit findings, grouped by materiality
3. Auditor's overall conclusion and opinion on the adequacy of controls and procedures
4. Auditor's reservations and qualifications (to support the conclusion)
5. Detailed audit findings and recommendations (may be included or excluded based on materiality)
41. Audit documentation should include: 1. Planning and prep of the audit scope and objectives
2. Description and/or walkthroughs on the scoped audit area
3. Audit program