
This course is in active development.
IT Audit Fundamentals
The IT Audit Fundamentals Certificate covers the core concepts of IT audit at an entry level. It is the conceptual on-ramp to CISA and validates understanding of audit principles, IT general controls, application controls, sampling, evidence, and the audit lifecycle.
Who Should Take This
Aspiring IT auditors, junior audit staff, IT staff entering the audit profession, and compliance officers who interact with auditors. Assumes basic IT and business literacy. Learners finish able to participate in IT audit engagements, understand audit terminology, and recognize the most common control areas tested in an IT audit.
Course Outline
1. Audit Foundations (3 topics)
Audit Principles
- Define independence, objectivity, professional skepticism, and due care and identify representative violations of each.
- Distinguish internal audit, external audit, and management's first-line responsibilities (Three Lines model).
- Apply professional skepticism in a scenario where management's representations conflict with system-generated evidence.
Standards and Codes
- Identify the ISACA Code of Professional Ethics principles and the ISACA IS Audit and Assurance Standards as the governing framework for ISACA-trained auditors.
- Identify the IIA International Professional Practices Framework (IPPF) and describe its relationship to ISACA standards.
Audit Charter and Authority
- Define the audit charter and identify its role in establishing the audit function's authority, scope, responsibilities, and reporting line.
2. Risk and Planning (3 topics)
Risk-Based Audit Approach
- Identify the risk-based audit approach and describe how it allocates audit resources to higher-risk areas.
- Apply risk scoring to a sample IT environment with multiple systems and identify the top three audit priorities.
Audit Scope and Objectives
- Distinguish audit scope from audit objectives and describe how each is documented in the engagement plan.
- Apply scope-definition for an audit of an organization's privileged-access management process and identify what is in and out of scope.
- Analyze a scope-creep scenario during fieldwork and recommend the appropriate procedure (formal change request, documented impact, sponsor approval).
Audit Plan and Resources
- Identify the components of an audit plan: scope, objectives, criteria, procedures, sampling, timeline, deliverables.
- Apply audit-resource allocation to a multi-system audit constrained by a fixed budget and timeline.
3. IT General Controls (ITGCs) (4 topics)
Access Controls
- Identify the ITGC access categories: user provisioning, periodic recertification, privileged access, segregation of duties.
- Apply access-control testing for a sample environment: pull a user list, verify provisioning evidence, identify orphaned and over-privileged accounts.
- Analyze a segregation-of-duties matrix and identify role combinations that violate stated SoD requirements.
Change Management
- Identify the change-management ITGC objectives: authorized changes, tested before deploy, segregation between developer and deployer, post-deploy validation.
- Apply change-control testing on a sample of changes from a CI/CD pipeline: trace from ticket to commit to deploy to validation evidence.
Operations and Monitoring
- Identify operations ITGCs: job scheduling, batch processing, incident management, problem management, capacity management.
- Apply operations-control testing using ticket-management tooling and incident logs.
Backup, Recovery, and BCP
- Identify backup and recovery ITGCs: backup frequency, retention, restoration testing, offsite/immutable copies.
- Apply restoration-testing evidence review and identify common failure modes (no test, partial test, untested edge cases).
4. Application Controls (4 topics)
Input Controls
- Identify input controls: validation rules, range checks, completeness checks, authorization checks, duplicate prevention.
- Apply input-control testing for a sample transaction by re-performing validation against the documented business rules.
Processing Controls
- Identify processing controls: run-to-run totals, calculation validation, exception reports, automated reconciliation.
- Apply processing-control testing using a re-performance technique (independent recalculation against source data).
Output Controls
- Identify output controls: distribution lists, sensitive-data masking, output reconciliation, retention.
- Apply output-control review to a sample report and verify that masking, distribution, and retention follow policy.
Master Data and Reference Data
- Identify master-data integrity controls: change authorization, segregation between maintenance and use, periodic reconciliation.
- Analyze a master-data scenario where direct database edits bypass the application's controls and propose audit procedures to detect them.
5. Audit Evidence and Procedures (3 topics)
Evidence Types and Reliability
- Identify common evidence types: physical observation, inspection of documents, re-performance, inquiry, analytical procedures, system-generated reports.
- Identify the evidence-reliability hierarchy: independent third-party > system-generated with controls > management representation.
- Apply evidence-selection for a privileged-access audit and identify which evidence types provide the strongest assurance.
Sampling
- Distinguish statistical sampling from non-statistical (judgmental) sampling and identify when each is appropriate.
- Apply attribute-sampling sample-size determination using a confidence level, expected error rate, and tolerable error rate.
- Analyze a sampling result with a higher-than-expected exception rate and propose follow-up procedures.
Working Papers and Documentation
- Identify the required content of audit working papers: objective, procedure, source, result, conclusion, sign-off.
- Apply working-paper review for a sample audit step and identify documentation gaps that would prevent independent re-performance.
6. Reporting and Frameworks (4 topics)
Findings and Recommendations
- Identify the standard structure of an audit finding: condition, criteria, cause, effect, recommendation.
- Apply finding categorization by risk rating (high/medium/low) using consistent criteria across an engagement.
Management Response and Follow-Up
- Identify the role of management response, agreed remediation, target dates, and audit follow-up in closing findings.
- Analyze a 'risk accepted' management response and identify the documentation and approval requirements that must accompany it.
Reference Frameworks
- Identify COBIT 2019 as ISACA's enterprise governance framework and describe its relationship to audit programs.
- Identify NIST CSF, ISO/IEC 27001, and CIS Controls as commonly used reference frameworks in IT audits.
- Apply framework-mapping for a sample audit objective using COBIT process domains as the reference baseline.
Audit Communication
- Apply audience-aware audit reporting: executive summary, technical detail, board-level dashboard, and management remediation tracker.
- Apply audit-finding wording that distinguishes condition (the fact), criteria (the standard), cause (the why), and effect (the consequence) without conflating them.
7. Specialized IT Audit Topics (5 topics)
Audit Tooling and Data Analytics
- Identify common computer-assisted audit techniques (CAATs) and tools: ACL/Galvanize, IDEA, Excel/Python for data extraction and analysis.
- Apply data-analytic procedures: 100% population testing, duplicate detection, gap analysis, Benford's-law-style anomaly detection.
Cloud and Outsourcing Audits
- Identify the audit considerations for cloud and outsourced services: shared-responsibility model, SOC 2 Type II reliance, sub-service-organization carve-outs.
- Apply audit-evidence collection for an organization that has outsourced payroll to a SaaS provider: SOC 2 review, complementary user-entity controls (CUECs), and direct testing of areas the provider's report does not cover.
- Analyze a SOC 2 Type II report with several exceptions and identify which exceptions are most relevant for the audit and how they propagate to user-organization assertions.
Privacy Audits
- Identify privacy-audit objectives: data inventory accuracy, lawful basis, data-subject rights, retention, cross-border transfers, breach response.
- Apply privacy-audit testing for a sample data-subject access request (DSAR) and identify the controls that ensure the response is complete and timely.
Continuous Audit and Monitoring
- Identify continuous auditing as the use of automated procedures to test 100% of populations on a recurring cadence and identify the typical implementation: rules in a SIEM, GRC tool, or custom scripts.
- Apply continuous-monitoring rule design for segregation-of-duties violations on a sample ERP system.
- Analyze a continuous-monitoring program that produces high false-positive rates and propose tuning grounded in rule precision and analyst workflow.
Specialized Engagements
- Identify common specialized IT-audit engagements: SOX 404 ITGCs, system pre-implementation reviews, post-implementation reviews, fraud investigations, third-party audits.
- Apply audit-program design for a system pre-implementation review focused on whether requirements, security, and controls are adequate before go-live.
- Analyze a post-implementation review scenario where the system went live without one and identify the resulting gaps and how an audit can retroactively close them.
Scope
Included Topics
- Audit principles: independence, objectivity, professional skepticism, due care.
- Audit lifecycle: planning, fieldwork, reporting, follow-up.
- Risk-based audit approach and audit scope determination.
- IT general controls (ITGCs): access, change management, operations, backup/recovery.
- Application controls: input, processing, output, master-data integrity.
- Sampling techniques: statistical and non-statistical, sample-size determination.
- Evidence: types, sufficiency, reliability, documentation.
- Audit reporting: findings, recommendations, management responses, residual risk.
- Frameworks: COBIT 2019, ITIL, ISO/IEC 27001, NIST CSF as audit reference frameworks.
Not Covered
- Detailed audit planning techniques covered in CISA.
- Specialized audit areas (cloud audit covered in CCAK; AI audit in AAIA).