Model Curriculum, 3rd Edition, Mapping Grid (3 Feb 2012)


ISACA Model Curriculum for IS Audit and Control, 3rd Edition

Disclaimer
ISACA has designed and created ISACA Model Curriculum for IS Audit and Control, 3rd Edition (the
“Work”), primarily as an educational resource for academics, assurance and control professionals. ISACA
makes no claim that use of any of the Work will assure a successful outcome. The Work should not be
considered inclusive of all proper information, procedures and tests or exclusive of other information,
procedures and tests that are reasonably directed to obtaining the same results. In determining the
propriety of any specific information, procedure or test, audit professionals should apply their own
professional judgment to the specific control circumstances presented by the particular systems or
information technology environment.

Reservation of Rights
© 2012 ISACA. All rights reserved. No part of this publication may be used, copied, reproduced,
modified, distributed, displayed, stored in a retrieval system or transmitted in any form by any means
(electronic, mechanical, photocopying, recording or otherwise) without the prior written authorization of ISACA.
Reproduction and use of all or portions of this publication are solely permitted for academic, internal
and noncommercial use and for consulting/advisory engagements, and must include full attribution of
the material’s source. No other right or permission is granted with respect to this work.

ISACA
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008
USA
Phone: +1.847.253.1545
Fax: +1.847.253.1443
Contact: https://isaca.force.com/support/s/contactsupport
Web site: www.isaca.org
These instructions are a supplement to the full document ISACA Model Curriculum for IS Audit
and Control, 3rd Edition. For further information please refer to the full document found on
http://www.isaca.org/Knowledge-Center/Academia/Pages/Model-Curriculum-for-IS-Audit-and-Control-3rd-Edition.aspx.

To map a program to the ISACA Model Curriculum for IS Audit and Control, 3rd Edition, enter
the name of the course(s) or session(s) in the program that covers each topic area or subtopic
description along with the amount of time (in whole hours) devoted to covering the topic in each
table. If a described topic is not covered, record a 0 (zero) in the column for contact hours. To be
in alignment with the model, the total time spent in hours should be at least 250 hours and all
areas in the model should have reasonable coverage. Up to a maximum of 25 noncontact hours
may be included. When mapping a graduate program, include the prerequisites from the
undergraduate program.

Before beginning this process:

• Obtain the current course syllabi. Current, expanded course outlines provide more detail and are better sources.
• Make sure the current textbook supporting the classes and the visual media/projects that may be used in those classes are accessible. For a question on content, refer to the course textbook or PowerPoint slides.
• If some of the subject matter is taught in other departments or colleges, a representative who is knowledgeable of what is taught in those classes may need to provide assistance. For this reason, an undergraduate program may take more time to map than a graduate program.

A dual monitor, with the model matrix on one screen and the syllabus/expanded course outline
on the other, facilitates the process.

The Excel file includes a summary sheet. As you complete each topic on the Topic-Subtopic
sheet, transfer the course number(s) and course name(s) to the Summary sheet along with the
hours. The Summary sheet will total the number of hours by row and column. A partial sample
mapping is included in the Excel workbook.
The mapping process steps are listed in the following table.

Mapping Process Steps

1. Identify all direct and support courses that apply to the program.
2. Ensure that the current syllabi or expanded course outlines and support materials for the courses are accessible. It takes approximately 20 hours to complete the mapping if expanded course outlines are available from which information can be extracted. (Note: The topics are all interlinked; Domain 2 drives much of Domain 4, so they are very much related.)
3. Proceed one by one. Select the first course in the program, examine the elements and subject matter, and map to the model. Proceed week by week.
4. Use key words from the ISACA template subtopics to search the syllabi to identify matches. Once a match is made, estimate the amount of time devoted to the subject based on the syllabus.
5. If uncertain of the content of the subject covered, go to the textbook and PowerPoint slides/materials used. Note that generic titles often cover more than what is implied.
6. Remember to allocate the time per course and identify the course covering each subject. For example, a quarter system may have 10 weeks and four contact hours per week (40 hours), but some courses may have lab or project requirements that may result in more than 40 hours. Map whole hours only. If less than an hour is devoted to a topic/subtopic, it is not considered covered.
7. Map course by course and keep track of allocation. This is easiest for those familiar with the program who have the information available.
8. After completing all courses, go back and double-check that the selections/placement are the best possible and seem reasonable.
9. Have a colleague check the mapping.

Submit the completed mapping grid to ISACA for review by fax at +1.847.253.1443, or mail to:
Technical Research Manager for the Academic Program Subcommittee, ISACA, 3701
Algonquin Road, Suite 1010, Rolling Meadows, IL, 60008, USA. If the program is found to be
in alignment with the ISACA Model Curriculum for IS Audit and Control, the program may be
posted on the ISACA web site and graduates of the program will qualify for one year of work
experience toward the CISA certification. Note that the total noncontact hours (e.g., time
allocated for work on outside assignments) cannot exceed 25 hours.
Figure 1—The Process of Auditing Information Systems Domain

Topic | Hours | Subtopic | Course(s) Covering the Subtopic | Hours
(In the template the course and program-hours columns are blank; they are completed during mapping. Model hours are shown in parentheses after each topic.)

Risk-based IT audit strategy (7 hours)
• Risk assessment concepts
• Control objectives and information system controls
• Applicable laws and regulations affecting the audit scope
• Quality assurance systems and frameworks
• Technology and audit environment changes
• Audit charter/engagement letters
• ISACA IT audit and assurance standards, guidelines, assurance guide, tools and techniques, code of professional ethics

Specific audit planning (8 hours)
• Audit planning techniques and project management
• Audit planning steps
• Business processes (e.g., accounting, HR)
• Performing risk assessments

IT audit standards (18 hours)
• Evidence collection techniques (e.g., observation, inquiry, interviews, inspection, data analysis)
• Sampling methodologies
• Internal controls and control types (preventive, detective, etc.)
• Steps to determine regulatory requirements
• Procedures for testing and evaluating internal controls
• Fraud detection techniques and tools
• Use of self-assessments

Audit reporting, communications and follow-up (7 hours)
• Reporting and communication techniques
• Exit interviewing
• Presentation and reporting techniques

Total hours (model): 40    Total Hours (program): 0
Figure 2—Governance and Management of IT Domain

Topic | Hours | Subtopic | Course(s) Covering the Subtopic | Hours

IT governance structures (6 hours)
• IT strategy, policies, standards and procedures for an enterprise and the essential elements of each
• IT governance, security and control frameworks, related standards, guidelines and practices
• IT audit role in governance
• Committee structures with their roles and responsibilities

IT organizational structure and HR (6 hours)
• Organizational structure, roles and responsibilities related to IT
• HR policies such as hiring, performance and training
• Segregation of duties and mapping to roles and responsibilities

IT strategy and direction (6 hours)
• Organizational technology direction
• Organizational business strategic direction and how IT aligns with it

IT policies, standards and procedures (6 hours)
• Processes for the development, implementation and maintenance of IT strategy, policies, standards and procedures for an enterprise and the essential elements of each
• Regulatory and legal requirements impacting the enterprise

QMS and IT management of controls (5 hours)
• Quality management systems
• Investment and financial allocation techniques

Monitoring and assurance practices (6 hours)
• Maturity modeling and process capability assessment techniques
• Performance measurement techniques (e.g., balanced scorecard techniques)
• Process optimization techniques

IT resource management (6 hours)
• Sourcing practices
• Global sourcing practices
• Service and operating level agreements (OLAs)

IT contracting strategies and policies (6 hours)
• Third-party and outsourcing practices and techniques
• Change management techniques
• Supplier/vendor selection, contract and relationship management

Risk management practices (6 hours)
• Business impact analysis (BIA) and risk management practices
• Enterprise risk management (ERM) system

Business continuity planning (BCP) (7 hours)
• Standards and procedures for the development and maintenance of the BCP and the testing methods

Total hours (model): 60    Total Hours (program): 0

Figure 3—Information Systems Acquisition, Development and Implementation Domain

Topic | Hours | Subtopic | Course(s) Covering the Subtopic | Hours

Business case development (6 hours)
• Benefits realization techniques (total cost of ownership [TCO], return on investment [ROI])
• Project and portfolio management techniques

Project management practices (8 hours)
• Project governance mechanisms
• Project control frameworks, practices and tools
• Project risk management practices

Project reviews (6 hours)
• Project success factors and risk
• Risk management practices applied to projects

Develop project controls (18 hours)
• IT architecture related to data, applications and technology (e.g., distributed applications, web-based applications, web services, n-tier applications)
• Acquisition practices
• Requirements analysis and management practices (e.g., requirements verification, traceability, gap analysis, vulnerability management, security requirements)
• Control objectives and techniques that ensure completeness, validity, accuracy and authorization of transactions and data (e.g., COBIT)
• Systems development methodologies and tools including their strengths and weaknesses (e.g., agile development practices, prototyping, rapid application development [RAD], object-oriented design techniques)
• Testing methodologies and practices related to information systems
• Configuration and release management related to systems development

Information systems implementation and migration (7 hours)
• Systems migration and infrastructure deployment practices and data conversion tools, techniques and procedures

Postimplementation reviews (5 hours)
• Postimplementation review objectives and practices (e.g., project closure, control implementation, benefits realization and performance measurement)

Total hours (model): 50    Total Hours (program): 0


Figure 4—Information Systems Operations, Maintenance and Support Domain

Topic | Hours | Subtopic | Course(s) Covering the Subtopic | Hours

Information systems reviews (5 hours)
• Technology concepts related to hardware and network components, system software and database management systems
• Systems resiliency tools

Service level management practices (7 hours)
• Service level management practices and components within a service level agreement (SLA)

Third-party management practices (7 hours)
• Software licensing and inventory practices
• Monitoring techniques for third-party compliance with enterprise internal controls (SSAE 16 and SOC reporting, ISAE 3402)

End-user procedures and operations (5 hours)
• Operations and end-user procedures for managing scheduled and nonscheduled processes

Maintenance of information systems (3 hours)
• Control techniques that ensure the integrity of system interfaces

Data administration practices (3 hours)
• Database administration practices

Capacity and performance monitoring (5 hours)
• Capacity planning and related monitoring tools and techniques
• Systems performance monitoring processes and tools (e.g., network analyzers, system utilization reports, load balancing)

Problem and incident management (6 hours)
• Problem and incident management practices (e.g., help desk, escalation procedures, tracking and monitoring)

Change, configuration and release management (4 hours)
• Processes for managing scheduled and nonscheduled changes to the production systems and/or infrastructure, including change, configuration, release and patch management practices

Backup and restoration of systems (5 hours)
• Data backup, storage, maintenance, retention and restoration practices

Total hours (model): 50    Total Hours (program): 0

Figure 5—Protection of Information Assets Domain

Topic | Hours | Subtopic | Course(s) Covering the Subtopic | Hours

Information security policies, standards and procedures and generally accepted practices (7 hours)
• Approaches and techniques for the design, implementation and monitoring of security controls, including awareness programs
• Incident management techniques
• Risk and control associated with data leakage
• Evidence preservation techniques for forensics investigations

Design, implementation and monitoring of system and logical security controls to verify confidentiality, integrity, availability (CIA) (15 hours)
• Logical access controls for the identification, authentication and restriction of users to authorized functions and data
• Risk and controls associated with virtual systems
• Network and Internet security devices, protocols, techniques
• Detection tools and control techniques
• Security testing techniques (intrusion testing, vulnerability scanning)
• Encryption tools and techniques
• Public key infrastructure
• Risk associated with peer-to-peer computing
• Controls and risk associated with the use of mobile and wireless devices

Data classification processes and procedures (7 hours)
• Data classification standards and supporting procedures
• Procedures for storing, retrieving, transporting and disposal of confidential information assets

Physical access and environmental controls (7 hours)
• Physical access controls for the identification, authentication and restriction of users to authorized facilities
• Environmental protection devices and supporting practices

Processes for storing, retrieving, transporting and disposing of information assets (14 hours)
• Procedures for storing, retrieving, transporting and disposal of confidential information assets
• Encryption-related techniques

Total hours (model): 50    Total Hours (program): 0

Grand Total (model, Figures 1-5): 250    Total Hours (program, Figures 1-5): 0


Summary sheet (blank template)

Columns: one column per course (course number and name; blank in the template), then Model curriculum Hours | New Mapped Hours | Hours Over/Under Model Curriculum | Previous Mapping Hours (Completed by ISACA) | Change in Mapped Hours. Negative values appear in parentheses.

Topic | Model curriculum Hours | New Mapped Hours | Hours Over/Under | Previous Mapping Hours | Change in Mapped Hours

Figure 1 - The Process of Auditing Information Systems
Risk-based IT audit strategy | 7.0 | 0.0 | (7.0) | 0.0 |
Specific audit planning | 8.0 | 0.0 | (8.0) | 0.0 |
IT audit standards | 18.0 | 0.0 | (18.0) | 0.0 |
Audit reporting, communications and follow-up | 7.0 | 0.0 | (7.0) | 0.0 |
Total | 40.0 | 0.0 | (40.0) | 0.0 | 0.0

Figure 2 - Governance and Management of IT
IT governance structures | 6.0 | 0.0 | (6.0) | 0.0 |
IT organizational structure and HR | 6.0 | 0.0 | (6.0) | 0.0 |
IT strategy and direction | 6.0 | 0.0 | (6.0) | 0.0 |
IT policies, standards and procedures | 6.0 | 0.0 | (6.0) | 0.0 |
QMS and IT management of controls | 5.0 | 0.0 | (5.0) | 0.0 |
Monitoring and assurance practices | 6.0 | 0.0 | (6.0) | 0.0 |
IT resource management | 6.0 | 0.0 | (6.0) | 0.0 |
IT contracting strategies and policies | 6.0 | 0.0 | (6.0) | 0.0 |
Risk management practices | 6.0 | 0.0 | (6.0) | 0.0 |
Business continuity planning (BCP) | 7.0 | 0.0 | (7.0) | 0.0 |
Total | 60.0 | 0.0 | (60.0) | 0.0 | 0.0

Figure 3 - Information Systems Acquisition, Development and Implementation
Business case development | 6.0 | 0.0 | (6.0) | 0.0 |
Project management practices | 8.0 | 0.0 | (8.0) | 0.0 |
Project reviews | 6.0 | 0.0 | (6.0) | 0.0 |
Develop project controls | 18.0 | 0.0 | (18.0) | 0.0 |
Information systems implementation and migration | 7.0 | 0.0 | (7.0) | 0.0 |
Postimplementation reviews | 5.0 | 0.0 | (5.0) | 0.0 |
Total | 50.0 | 0.0 | (50.0) | 0.0 | 0.0

Figure 4 - Information Systems Operations, Maintenance and Support
Information systems reviews | 5.0 | 0.0 | (5.0) | 0.0 |
Service level management practices | 7.0 | 0.0 | (7.0) | 0.0 |
Third-party management practices | 7.0 | 0.0 | (7.0) | 0.0 |
End-user procedures and operations | 5.0 | 0.0 | (5.0) | 0.0 |
Maintenance of information systems | 3.0 | 0.0 | (3.0) | 0.0 |
Data administration practices | 3.0 | 0.0 | (3.0) | 0.0 |
Capacity and performance monitoring | 5.0 | 0.0 | (5.0) | 0.0 |
Problem and incident management | 6.0 | 0.0 | (6.0) | 0.0 |
Change, configuration and release management | 4.0 | 0.0 | (4.0) | 0.0 |
Backup and restoration of systems | 5.0 | 0.0 | (5.0) | 0.0 |
Total | 50.0 | 0.0 | (50.0) | 0.0 | 0.0

Figure 5 - Protection of Information Assets
Information security policies, standards and procedures and generally accepted practices | 7.0 | 0.0 | (7.0) | 0.0 |
Design, implementation and monitoring of system and logical security controls to verify confidentiality, integrity, availability (CIA) | 15.0 | 0.0 | (15.0) | 0.0 |
Data classification processes and procedures | 7.0 | 0.0 | (7.0) | 0.0 |
Physical access and environmental controls | 7.0 | 0.0 | (7.0) | 0.0 |
Processes for storing, retrieving, transporting and disposing of information assets | 14.0 | 0.0 | (14.0) | 0.0 |
Total | 50.0 | 0.0 | (50.0) | 0.0 | 0.0

Totals (all course columns 0) | 250.0 | 0.0 | (250.0) | 0.0 | 0.0


Figure 1—IS Audit Process Domain Alignment Grid (partial sample mapping)

Topic | Hours | Subtopic | Course(s) Covering the Subtopic | Hours

IS Audit Function Knowledge (6 hours)
• Laws and regulations: audit charter
• Nature of audit: demand for audits (e.g., agency theory, insurance hypothesis, information hypothesis)
• Nature of IS audit: need for control and audit of computer-based information systems
• Types of audit and auditors: information systems, external, internal, government/public sector
• IS auditor responsibility, authority and accountability: audit charter, outsourcing of IS audit activities
• Regulation and control of IS audit: ISACA standards, guidelines, Code of Professional Ethics; laws; regulations
Courses mapped: Acct 460 Accounting Information Systems, 1 hour; Acct 451 Auditing I, 5 hours; Acct 456 Information Systems Auditing and Control, 1 hour

Fundamental Auditing Concepts (7 hours)
• Materiality: application of materiality for IS audit compared to materiality for financial statement audit
• Evidence: types of evidence; meaning of sufficient, reliable, relevant evidence
• Independence: need for independence in attitude and appearance, situations that may impair independence
• Audit risk: inherent risk, control risk, detection risk
• IS and general audit responsibilities for fraud
• Assurance
Courses mapped: Acct 460 Accounting Information Systems, 9 hours; Acct 451 Auditing I, 1 hour

Standards and Guidelines for IS Auditing (5 hours)
• Knowledge of ISACA Code of Professional Ethics
• Review of current ISACA IS Auditing Standards and Guidelines
• Standards and guidelines specific to a region/country: ACM, AGA, AICPA, AITP, IFAC, IIA, ISO, NIA (See Appendix 5, Acronyms, for full names.)
• IS audit practices and techniques
Courses mapped: Acct 460 Accounting Information Systems, 1 hour; Acct 451 Auditing I, 1 hour; Acct 456 Information Systems Auditing and Control, 2 hours

Internal Controls Concepts and Knowledge (13 hours)
• Relevance, structure and indicators of effective IT governance for organizations and IS auditors; IT governance structure
• Internal control objectives; internal control and documentation of IS, COCO, COSO, King, Sarbanes-Oxley Act of 2002, SAS94
• Control classifications: preventive, detective, compensating/corrective
• General controls: organizational, security, general operating and disaster recovery, development, documentation
• Application controls: control objectives; classifications of application controls, e.g., computerized/manual, input/processing/output, preventive/detective/corrective, audit trails
• COBIT: relevance for organizations and IS auditors; structure of COBIT
Courses mapped: Acct 460 Accounting Information Systems, 6 hours; Acct 451 Auditing I, 2 hours; MIS 471 Systems Analysis and Design, 6 hours

Audit Planning Process (7 hours)
• Strategic/tactical audit planning
• Engagement letter: purpose and content
• Risk assessment: risk-based auditing; risk assessment methods; standards such as AS-NZ 4360, CRAMM
• Preliminary evaluation of internal controls: information gathering and control evaluation techniques
• Audit plan, program and scope: compliance vs. substantive testing, application of risk assessment to audit plan
• Classification, scope of audits: e.g., financial, operational, general, application, OS, physical, logical
Courses mapped: Acct 451 Auditing I, 7 hours; Acct 456 Information Systems Auditing and Control, 1 hour

Audit Management (5 hours)
• Resource allocation/prioritization/planning/execution/reassignments
• Evaluating audit quality/peer reviews
• Best practice identification
• Computer information systems (CIS) audit career development
• Career path planning
• Performance assessment
• Performance counseling and feedback
• Training (internal/external)
• Professional development (certifications, professional involvement, etc.)
Courses mapped: Acct 451 Auditing I, 1 hour

Audit Evidence Process (12 hours)
• Evidence: sufficient, reliable, relevant, useful
• Evidence-gathering techniques, e.g., observation, inquiry, interview, testing
• Compliance vs. substantive testing: nature of and difference between compliance and substantive testing, types of compliance tests, types of substantive tests
• Sampling: sampling concepts, statistical and non-statistical approaches, design and selection of samples, evaluation of sample results
• Computer-assisted audit techniques (CAATs): need for, types of, planning for and using CAATs; continuous online auditing approach
• Documentation: relationship with audit evidence; uses of documentation; minimum content; custody, retention, retrieval
• Analysis: judge the materiality of findings, identify reportable conditions, reach conclusions
• Review: provide reasonable assurance that objectives have been achieved
Courses mapped: Acct 460 Accounting Information Systems, 3 hours; Acct 451 Auditing I, 10 hours

Audit Reporting Follow-up (3 hours)
• Form and content of audit report: purpose, structure and content, style, intended recipient, type of opinion, consideration of subsequent events
• Management actions to implement recommendations
Courses mapped: Acct 451 Auditing I, 4 hours

Total hours (model): 58    Total Hours (mapped): 61
Figure 2—IT Governance Domain Alignment Grid (partial sample mapping)

Topic | Hours | Subtopic | Course(s) Covering the Subtopic | Hours

IS/IT Management (10 hours)
• IT project management
• Risk management: economic, social, cultural, technology risk management
• Software quality control management
• Management of IT infrastructure, alternative IT architectures, configuration
• Management of IT delivery (operations) and support (maintenance)
• Performance measurement and reporting: IT balanced scorecard
• Outsourcing
• Quality assurance
• Sociotechnical and cultural approach to management
Courses mapped: MIS 421 Business Data Communication and Distributed Processing, 1 hour; MIS 471 Systems Analysis and Design, 9 hours; Acct 456 Information Systems Auditing and Control, 1 hour

IS/IT Strategic Planning (8 hours)
• IS/IT strategic planning: competitive strategies and business intelligence, link to corporate strategy
• Strategic information systems frameworks and applications: types of IS, knowledge management, decision support systems; classification of information systems
• Management of IT human resources, employee policies, agreements, contracts
• Segregation of duties
• IS/IT training and education
Courses mapped: MIS 200 Intro. to Management Information Systems, 1 hour; Acct 460 Accounting Information Systems, 1 hour; MIS 421 Business Data Communication and Distributed Processing, 2 hours; Acct 456 Information Systems Auditing and Control, 2 hours

IS/IT Management Issues (9 hours)
• Legal issues relating to the introduction of IT to the enterprise (international and country-specific)
• Intellectual property issues in cyberspace: trademarks, copyrights, patents
• Ethical issues
• Privacy
• IT governance
• IS/IT housekeeping
Courses mapped: MIS 200 Intro. to Management Information Systems, 1 hour; Acct 460 Accounting Information Systems, 1 hour; MIS 471 Systems Analysis and Design, 6 hours; Acct 456 Information Systems Auditing and Control, 1 hour

Support Tools and Frameworks (6 hours)
• COBIT: management guidelines, a framework for IS/IT managers
• COBIT: audit's use in support of the business cycle
• International standards and good practices: ISO 17799, ITIL, privacy standards, COSO, COCO, Cadbury, King
Courses mapped: Acct 460 Accounting Information Systems, 1 hour; Acct 456 Information Systems Auditing and Control, 1 hour

Techniques (4 hours)
• Change control reviews
• Operational reviews
• ISO 9000 reviews
Courses mapped: Acct 456 Information Systems Auditing and Control, 3 hours

Total hours (model): 37    Total Hours (mapped): 31

Grand Total (model, Figures 1-2): 95    Total Hours (mapped, Figures 1-2): 92


Summary sheet (partial sample mapping)

Course columns (course number and name), in order: Acct 460 Accounting Information Systems | Acct 451 Auditing I | Acct 456 Information Systems Auditing and Control | MIS 471 Systems Analysis and Design | MIS 421 Business Data Comm. & Distributed Processing | MIS 200 Intro. to Management Information Systems. These are followed by Model curriculum Hours | New Mapped Hours | Hours Over/Under Model Curriculum | Previous Mapping Hours (Completed by ISACA) | Change in Mapped Hours. Negative values appear in parentheses or with a minus sign, as in the workbook.

Topic | Acct 460 | Acct 451 | Acct 456 | MIS 471 | MIS 421 | MIS 200 | Model | New Mapped | Over/Under | Previous | Change

Figure 1 - IS Audit Process
IS Audit Function Knowledge | 1 | 5 | 1 | | | | 6.0 | 7.0 | 1.0 | 7.0 | 0.0
Fundamental Auditing Concepts | 9 | 1 | | | | | 7.0 | 10.0 | 3.0 | 10.0 | 0.0
Standards and Guidelines for IS Auditing | 1 | 1 | 2 | | | | 5.0 | 4.0 | (1.0) | 4.0 | 0.0
Internal Controls Concepts and Knowledge | 6 | 2 | | 6 | | | 13.0 | 14.0 | 1.0 | 14.0 | 0.0
Audit Planning Process | | 7 | 1 | | | | 7.0 | 8.0 | 1.0 | 8.0 | 0.0
Audit Management | | 1 | | | | | 5.0 | 1.0 | (4.0) | 3.0 | -2.0
Audit Evidence Process | 3 | 10 | | | | | 12.0 | 13.0 | 1.0 | 13.0 | 0.0
Audit Reporting Follow-up | | 4 | | | | | 3.0 | 4.0 | 1.0 | 4.0 | 0.0
Total | | | | | | | 58.0 | 61.0 | 3.0 | 63.0 | -2.0

Figure 2 - IT Governance
IS/IT Management | | | 1 | 9 | 1 | | 10.0 | 11.0 | 1.0 | 11.0 | 0.0
IS/IT Strategic Planning | 1 | | 2 | | 2 | 1 | 8.0 | 6.0 | (2.0) | 6.0 | 0.0
IS/IT Management Issues | 1 | | 1 | 6 | | 1 | 9.0 | 9.0 | 0.0 | 9.0 | 0.0
Support Tools and Frameworks | 1 | | 1 | | | | 6.0 | 2.0 | (4.0) | 2.0 | 0.0
Techniques | | | 3 | | | | 4.0 | 3.0 | (1.0) | 4.0 | -1.0
Total | | | | | | | 37.0 | 31.0 | (6.0) | 32.0 | -1.0

Totals | 23 | 31 | 12 | 21 | 3 | 2 | 95.0 | 92.0 | (3.0) | 95.0 | -3.0
