CIS Audit: CISA Subject Knowledge You Need to Pass
CIS audit knowledge areas for CISA — the 5 domains, what each covers, how they're weighted, and how to study them efficiently for exam success.
What Subject Knowledge Does the CISA Exam Test?
The Certified Information Systems Auditor (CISA) exam is built around five domains. Each domain represents a core competency area for IS auditors — and understanding what each domain covers, and how heavily it's weighted, is the foundation of any effective study plan. You can't pass CISA through general IT knowledge. You need subject-specific mastery across all five areas.
ISACA updates the CISA job practice periodically, so before you start studying, verify the current domain weights on ISACA's official site. Under the current job practice, Domain 4 (Information Systems Operations and Business Resilience) and Domain 5 (Protection of Information Assets) carry the largest weights, Domain 1 and Domain 2 sit in the middle, and Domain 3 is the smallest. Together, all five domains reflect what IS auditors actually do in practice, from planning an audit engagement to managing IT risk to overseeing disaster recovery programs.
Domain 1: Information System Auditing Process
This domain covers the mechanics of conducting an IS audit. You need to understand audit planning and methodology, including how to define the audit scope, develop risk-based audit plans, and select appropriate audit techniques. Evidence collection — interviews, observation, document review, data sampling — is heavily tested. So is the concept of audit materiality: knowing when a finding is significant enough to act on.
Reporting is another critical area. CISA candidates need to know what a well-structured audit report includes, how findings are categorized by severity, and how recommendations are communicated to management. Auditors don't just find problems — they translate findings into business language that decision-makers can act on. The exam tests whether you understand that translation process.
Control self-assessment (CSA) and continuous auditing concepts appear in this domain too. As organizations move toward real-time monitoring rather than periodic audits, IS auditors need to understand how continuous controls monitoring works and how it fits into the traditional audit lifecycle. This domain sets the foundation for everything else in the exam — if you're weak here, the other domains feel harder than they need to.
Domain 2: Governance and Management of IT
IT governance is about how organizations manage and direct their IT functions to align with business strategy. This domain tests your understanding of IT governance frameworks — COBIT is central, but ITIL, ISO 27001, and the NIST Cybersecurity Framework appear in context as well. You need to know what these frameworks prescribe, not just that they exist.
IT strategy and policy development are core sub-topics. You'll need to understand how IT strategy aligns with organizational objectives, how policies cascade into procedures and standards, and what the auditor's role is in evaluating that alignment. If an organization's IT strategy is disconnected from business goals, that's an audit finding — this domain helps you recognize why.
IT resource management (human, financial, and technology assets) and IT performance monitoring — including KPIs and metrics — round out the domain. The CISA certification tests this at a meaningful depth: not just definitional knowledge, but applied judgment about what good governance looks like and what its absence costs an organization.
Domain 3: Information Systems Acquisition, Development, and Implementation
This domain focuses on the project lifecycle for IT systems — from requirements definition through testing, implementation, and post-implementation review. CISA candidates need to understand software development methodologies (waterfall, agile, DevOps) and what control considerations apply at each stage.
Change management is a major sub-topic. Organizations that implement changes to production systems without adequate controls introduce significant risk. The CISA exam tests your ability to evaluate change management processes — including authorization procedures, testing requirements, version control, and rollback capabilities. Inadequate change management is one of the most common sources of audit findings in real IS audit work.
System testing types — unit, integration, user acceptance, regression, performance — and their roles in the development lifecycle are tested extensively. You need to know what each test type validates, who should perform it (segregation of duties matters here), and what documentation an auditor looks for as evidence.
Post-implementation review rounds out the domain. Once a system goes live, the organization needs a structured review to confirm that the system met its original objectives, that expected benefits are materializing, and that residual risks are being managed. The CISA exam tests whether you understand what a rigorous post-implementation review looks like.
Domain 4: Information Systems Operations and Business Resilience
This domain covers how IT systems are operated day-to-day and how organizations protect continuity when things go wrong. It's one of the most practically grounded domains — the subject matter maps directly to what IT operations teams and business continuity planners do.
Operations management topics include IT service management, incident and problem management, capacity planning, and configuration management. Auditors evaluating an IT operations function need to understand what effective operations look like — documented procedures, change controls, performance monitoring, help desk management — so they can identify where controls are missing or inadequate.
Business continuity planning (BCP) and disaster recovery (DR) are the highest-stakes sub-topics in this domain. You need to understand the difference between BCP (keeping the business running) and DR (recovering IT systems) and how they interrelate. Recovery objectives are heavily tested: the RTO (Recovery Time Objective) is the maximum tolerable time to restore a service, and the RPO (Recovery Point Objective) is the maximum tolerable data loss, measured as how old the last recoverable copy may be. So are backup strategies, testing approaches (tabletop, simulation, full recovery test), and the components of a well-structured BCP/DR plan. Expect questions that give you a backup schedule and a stated RPO and ask whether the control is adequate; the answer turns on the gap between successful backups, not on how often the job is scheduled.
Data backup and recovery controls appear in almost every CISA exam. Candidates need to know not just that backups should exist, but how they should be implemented, where they should be stored (offsite, cloud), how frequently they should be tested, and what the audit evidence looks like for an effective backup program.
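The kind of evidence check the two paragraphs above describe, as an added example that is not part of the original article: it parses a constructed backup job log and a constructed restore-test log, computes the worst-case data loss (the longest gap between two successful backups, which a failed run does not reset) and compares it to the stated RPO, then judges the most recent restore test against the RTO and the testing cadence. The log formats, job names, RPO/RTO values and policy thresholds are all assumptions; real backup tools emit their own formats.

```python
"""Evaluate backup and restore-test evidence against a stated RPO and RTO.

Added illustration, not code from the original article. Log formats, job
names, thresholds and the sample lines below are constructed.
"""
from datetime import datetime, timedelta

# Constructed sample: one line per backup job run, "timestamp status job".
SAMPLE_BACKUP_LOG = """\
2024-03-01T00:00:00 SUCCESS db-full
2024-03-01T06:00:00 SUCCESS db-incr
2024-03-01T12:00:00 FAILED db-incr
2024-03-01T18:00:00 SUCCESS db-incr
2024-03-02T00:00:00 SUCCESS db-full
"""

# Constructed sample: restore tests, "date minutes_to_restore result".
SAMPLE_RESTORE_LOG = """\
2024-01-15 95 PASS
2024-02-15 130 PASS
2024-03-15 240 FAIL
"""


def parse_backup_log(text):
    """Return a list of (timestamp, status, job) tuples from the constructed format."""
    runs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, status, job = line.split()
        runs.append((datetime.fromisoformat(ts), status, job))
    return runs


def worst_case_data_loss(runs):
    """Longest interval between two consecutive SUCCESSFUL backups.

    A failed run does not reset the clock: everything written after the last
    good backup is at risk until the next good one, so the gap spans failures.
    Returns None when fewer than two successful runs exist.
    """
    good = sorted(ts for ts, status, _ in runs if status == "SUCCESS")
    if len(good) < 2:
        return None
    return max(later - earlier for earlier, later in zip(good, good[1:]))


def rpo_finding(runs, rpo):
    """(met: bool, message) comparing the observed worst-case gap to the RPO."""
    gap = worst_case_data_loss(runs)
    if gap is None:
        return False, "RPO not demonstrated: no evidence of repeated successful backups"
    if gap > rpo:
        return False, f"RPO not met: worst observed gap {gap} exceeds RPO {rpo}"
    return True, f"RPO met: worst observed gap {gap} is within RPO {rpo}"


def parse_restore_log(text):
    """Return a list of (date, minutes, result) tuples from the constructed format."""
    tests = []
    for line in text.splitlines():
        if not line.strip():
            continue
        day, minutes, result = line.split()
        tests.append((datetime.fromisoformat(day), int(minutes), result))
    return tests


def rto_finding(tests, rto_minutes, max_test_age_days, as_of):
    """(met: bool, message) judging the most recent restore test.

    The RTO is only demonstrated if the latest test is recent enough under the
    (assumed) testing policy, passed, and finished within the RTO.
    """
    as_of = datetime.fromisoformat(as_of)
    if not tests:
        return False, "RTO not demonstrated: no restore tests on record"
    day, minutes, result = max(tests, key=lambda t: t[0])
    problems = []
    age = (as_of - day).days
    if age > max_test_age_days:
        problems.append(f"last test is {age} days old (policy: {max_test_age_days})")
    if result != "PASS":
        problems.append("last test did not pass")
    if minutes > rto_minutes:
        problems.append(f"restore took {minutes} min against an RTO of {rto_minutes} min")
    if problems:
        return False, "RTO not demonstrated: " + "; ".join(problems)
    return True, f"RTO demonstrated: restore in {minutes} min on {day.date()}"


if __name__ == "__main__":
    runs = parse_backup_log(SAMPLE_BACKUP_LOG)
    print(rpo_finding(runs, timedelta(hours=6))[1])
    tests = parse_restore_log(SAMPLE_RESTORE_LOG)
    print(rto_finding(tests, rto_minutes=180, max_test_age_days=90, as_of="2024-04-01")[1])
```

With the constructed data the incremental job is scheduled every six hours, but because the 12:00 run failed the longest gap between good copies is twelve hours, so a six-hour RPO is not met even though the schedule looks compliant on paper. That distinction, evidence of successful runs versus evidence of a schedule, is what the exam is probing.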
Domain 5: Protection of Information Assets
The fifth domain covers information security — logical and physical access controls, network security, encryption, and security incident management. For many CISA candidates, this is the domain they feel most comfortable with if they have an IT security background. But don't get overconfident: the CISA exam tests these topics from an auditor's perspective, not a practitioner's.
Access control is the domain's cornerstone. You need to understand identification, authentication, and authorization; the principle of least privilege; segregation of duties; and privileged access management. The exam tests your ability to evaluate whether an organization's access control framework is designed and operating effectively — including how user access reviews should be conducted and documented.
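The three checks a user access review is expected to surface, as an added example that is not part of the original article: run over a constructed entitlement export, it flags segregation-of-duties conflicts (one account holding two roles the SoD matrix says must be separated), privileged accounts that have been dormant past a policy threshold, and accounts whose last documented access review is overdue or missing. The export format, role names, conflict pairs, thresholds and sample rows are all assumptions; a real review would read the organisation's own IAM data.

```python
"""Access review checks an IS auditor might script over an entitlement export.

Added illustration, not code from the original article. Export format, role
names, conflict matrix, thresholds and sample rows are constructed.
"""
from datetime import datetime

# Constructed entitlement export: one dict per account.
SAMPLE_ACCOUNTS = [
    {"user": "alice", "roles": {"create_vendor", "approve_payment"},
     "privileged": False, "last_login": "2024-03-20", "last_review": "2024-01-10"},
    {"user": "bob", "roles": {"develop"},
     "privileged": False, "last_login": "2024-03-25", "last_review": "2024-01-10"},
    {"user": "carol", "roles": {"develop", "deploy_prod"},
     "privileged": True, "last_login": "2023-11-02", "last_review": "2023-06-30"},
    {"user": "svc-backup", "roles": {"backup_operator"},
     "privileged": True, "last_login": "2024-03-30", "last_review": None},
]

# Constructed segregation-of-duties matrix: pairs of roles one person must not hold.
SOD_CONFLICTS = [
    ("create_vendor", "approve_payment"),
    ("develop", "deploy_prod"),
]


def sod_violations(accounts, conflicts):
    """Return (user, role_a, role_b) for every conflicting pair held by one account."""
    hits = []
    for acct in accounts:
        for role_a, role_b in conflicts:
            if role_a in acct["roles"] and role_b in acct["roles"]:
                hits.append((acct["user"], role_a, role_b))
    return hits


def _days_since(date_str, as_of):
    """Days between an ISO date and the review date; None when no date is recorded."""
    if date_str is None:
        return None
    return (datetime.fromisoformat(as_of) - datetime.fromisoformat(date_str)).days


def dormant_privileged(accounts, as_of, max_idle_days=90):
    """Privileged accounts with no login within max_idle_days (assumed policy)."""
    dormant = []
    for acct in accounts:
        if not acct["privileged"]:
            continue
        idle = _days_since(acct["last_login"], as_of)
        if idle is None or idle > max_idle_days:
            dormant.append(acct["user"])
    return dormant


def overdue_reviews(accounts, as_of, max_review_age_days=180):
    """Accounts whose last documented access review is older than policy or absent."""
    overdue = []
    for acct in accounts:
        age = _days_since(acct["last_review"], as_of)
        if age is None or age > max_review_age_days:
            overdue.append(acct["user"])
    return overdue


def access_review_findings(accounts, conflicts, as_of):
    """Bundle the three checks into one findings dict for the workpapers."""
    return {
        "sod": sod_violations(accounts, conflicts),
        "dormant_privileged": dormant_privileged(accounts, as_of),
        "overdue_reviews": overdue_reviews(accounts, as_of),
    }


if __name__ == "__main__":
    for key, value in access_review_findings(SAMPLE_ACCOUNTS, SOD_CONFLICTS, "2024-04-01").items():
        print(f"{key}: {value}")
```

Note what each finding maps to in audit terms: the SoD hits are design deficiencies in the access model, the dormant privileged account is an operating-effectiveness gap in deprovisioning, and the missing review date for the service account is an evidence gap, since a review that was not documented cannot be shown to have happened.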
Encryption covers both symmetric and asymmetric cryptography concepts, key management, digital signatures, and certificates. You don't need to implement these systems — you need to understand them well enough to audit whether an organization's cryptographic controls are appropriate for the sensitivity of the data being protected.
Network security topics include firewall architectures, intrusion detection and prevention systems, VPNs, and secure network design principles. Physical security — data center controls, environmental monitoring, access control to server rooms — completes the domain. Auditors who understand both the logical and physical dimensions of information security protection are far more effective at identifying gaps.
Use CISA certification resources alongside domain-specific practice testing to build comprehensive subject knowledge. Each domain requires both conceptual understanding and the ability to apply that understanding to realistic audit scenarios — which is exactly what CISA exam questions are designed to test.
How to Build CISA Subject Knowledge Effectively
Allocate study time proportionally to domain weights. Domain 4 and Domain 5 together account for roughly half of the exam under the current job practice, so if you're time-constrained, those domains deserve the most attention. But don't neglect the others; a weak showing in Domain 1 or Domain 2 can drag your overall score below the passing threshold even if you ace the heavy domains.
Read ISACA's official CISA Review Manual — it's dense but authoritative, and the exam is written to align with its content. Supplement with the CISA QAE (Questions, Answers, and Explanations) database, which gives you official exam-style questions with rationale explanations. Understanding why wrong answers are wrong is as important as knowing why correct answers are correct.
Work through CISA exam practice questions after each domain — not at the end of your study period. Domain-by-domain testing catches knowledge gaps while you still have time to fix them. If you wait until the end to test yourself, you'll find gaps you don't have time to address.
The CISA is a 150-question exam with a 4-hour time limit, scored on a 200 to 800 scale with 450 required to pass. Most questions are scenario-based: they describe an audit situation and ask what the auditor should do next, or what the best control recommendation is. Answering these well requires not just knowledge of the subject matter but judgment about audit priorities and professional standards. That judgment develops through practice, not just reading.
Study Resources and Final Preparation Tips
Build your study plan around ISACA's official materials first: the CISA Review Manual and the QAE database. Third-party materials, such as the Sybex/Wiley CISA study guide and practice question banks from vendors like Transcender and ExamMatrix, supplement the official content effectively but shouldn't replace it.
One of the most common CISA preparation mistakes is treating it like a memorization exercise. The exam is deliberately scenario-based — questions describe situations and ask what an auditor should prioritize or recommend. That requires judgment, not just recall. Practice applying your knowledge to scenarios from day one, not just reading definitions.
Join an ISACA chapter if you're not already a member. Chapter study groups, local events, and professional connections with practicing IS auditors provide the contextual understanding that helps exam questions click. Hearing someone describe a real audit situation where Domain 3 controls failed makes those textbook concepts stick in a way that reading alone can't match.
In the final two weeks before the exam, shift from learning to testing. Do full practice exams under timed conditions. Review every wrong answer — not just the ones you marked as uncertain. Your goal is to understand the reasoning behind every answer, not just to identify correct ones.
The Certified Information Systems Auditor credential represents a genuine achievement. It signals to employers that you understand how to evaluate IT systems from a risk and control perspective. The subject knowledge required is broad but learnable with the right study approach. Start early, practice consistently, and you'll be prepared when exam day comes.
About the Author
Attorney & Bar Exam Preparation Specialist
Yale Law School
James R. Hargrove is a practicing attorney and legal educator with a Juris Doctor from Yale Law School and an LLM in Constitutional Law. With over a decade of experience coaching bar exam candidates across multiple jurisdictions, he specializes in MBE strategy, state-specific essay preparation, and multistate performance test techniques.