ISACA Model Curriculum for IS Audit and Control, 2nd Edition
Alignment Grid
© ISACA 2009
All rights reserved.
Page 0
ISACA®
With more than 86,000 constituents in more than 160 countries, ISACA (www.isaca.org) is a leading global
provider of knowledge, certifications, community, advocacy and education on information systems assurance and
security, enterprise governance of IT, and IT-related risk and compliance. Founded in 1969, ISACA sponsors
international conferences, publishes the ISACA® Journal, and develops international information systems auditing
and control standards. It also administers the globally respected Certified Information Systems Auditor™ (CISA®),
Certified Information Security Manager® (CISM®) and Certified in the Governance of Enterprise IT® (CGEIT®)
designations.
ISACA developed and continually updates the COBIT®, Val IT™ and Risk IT frameworks, which help IT
professionals and enterprise leaders fulfill their IT governance responsibilities and deliver value to the business.
Disclaimer
ISACA has designed and created ISACA Model Curriculum for IS Audit and Control, 2nd Edition (the “Work”),
primarily as an educational resource for academics, assurance, and control professionals. ISACA makes no claim
that use of any of the Work will assure a successful outcome. The Work should not be considered inclusive of any
proper information, procedures and tests, or exclusive of other information, procedures and tests that are reasonably
directed to obtaining the same results. In determining the propriety of any specific information, procedure or test,
audit professionals should apply their own professional judgment to the specific control circumstances presented by
the particular systems or information technology environment.
Reservation of Rights
 2009 ISACA. All rights reserved. No part of this publication may be used, copied, reproduced, modified,
distributed, displayed, stored in a retrieval system or transmitted in any form by any means (electronic, mechanical,
photocopying, recording or otherwise) without the prior written authorization of ISACA. Reproduction and use of
all or portions of this publication are solely permitted for academic, internal and noncommercial use and for
consulting/advisory engagements, and must include full attribution of the material’s source. No other right or
permission is granted with respect to this work.
ISACA
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA
Phone: +1.847.253.1545
Fax: +1.847.253.1443
E-mail: info@isaca.org
Web site: www.isaca.org
ISACA Model Curriculum for IS Audit and Control, 2nd Edition
Printed in the United States of America
CGEIT is a trademark/servicemark of ISACA. The mark has been applied for or registered in countries throughout
the world.
Acknowledgments
ISACA wishes to recognize:
ISACA Board of Directors
Lynn Lawton, CISA, FBCS CITP, FCA, FIIA, KPMG LLP, UK, International President
George Ataya, CISA, CISM, CGEIT, CISSP, ICT Control SA, Belgium, Vice President
Howard Nicholson, CISA, CGEIT, City of Salisbury, Australia, Vice President
Jose Angel Pena Ibarra, CGEIT, Consultoria en Comunicaciones e Info., SA & CV, Mexico, Vice President
Robert E. Stroud, CGEIT, CA Inc., USA, Vice President
Kenneth L. Vander Wal, CISA, CPA, Ernst & Young LLP (retired), USA, Vice President
Frank Yam, CISA, CCP, CFE, CFSA, CIA, FFA, FHKCS, FHKIoD, Focus Strategic Group Inc., Hong Kong, Vice President
Marios Damianides, CISA, CISM, CA, CPA, Ernst & Young, USA, Past International President
Everett C. Johnson Jr., CPA, Deloitte & Touche LLP (retired), USA, Past International President
Gregory T. Grocholski, CISA, The Dow Chemical Company, USA, Director
Tony Hayes, CGEIT, AFCHSE, CHE, FACS, FCPA, FIIA, Queensland Government, Australia, Director
Jo Stewart-Rattray, CISA, CISM, CGEIT, CSEPS, RSM Bird Cameron, Australia, Director
Academic Relations Committee
Scott Lee Summers, Ph.D., Brigham Young University, USA, Chair
Jiri Josef Cejka, CISA, Dipl. El.-Ing., OC Oerlikon Corp. AG, Switzerland
Christos Dimitriadis, CISA, CISM, Expernet SA, Greece
Donna Hutcheson, CISA, Energy Future Holdings, USA
Elvia Novak, Deloitte & Touche LLC, USA
Randall Reid, Ph.D., CISA, CISSP, University of West Florida, USA
Krishna Seeburn, CISSP, University of Technology, Mauritius, Mauritius
Theodore Tryfonas, Ph.D., CISA, MBCS CITP, University of Bristol, UK
Table of Contents
1. Background (page 5)
2. Development (page 9)
3. Use (page 11)
4. ISACA Model Curriculum for IS Audit and Control, 2nd Edition (page 13)
Appendix 1. Relevance to the COBIT Conceptual Framework and CISA Content Areas (page 19)
Appendix 2. Suggested Supplemental Skills for IS Auditors (page 20)
Appendix 3. Alignment Grid (page 21)
Appendix 4. Examples of Mapping Programs to the ISACA Model Curriculum for IS Audit and Control Alignment Grid (page 30)
Appendix 5. Acronyms (page 58)
Appendix 6. References (page 59)
Appendix 3. Alignment Grid
To map a program to the ISACA Model Curriculum for IS Audit and Control, 2nd Edition, enter
the name of the course(s) or session(s) in the program that covers each topic area or subtopic
description along with the amount of time (in hours) devoted to covering the topic in each table.
If a described topic is not covered, record a 0 (zero) in the column for contact hours. To be in
alignment with the model, the total time spent in hours should be at least 244 hours and all areas
in the model should have reasonable coverage. When mapping a graduate program, include the
prerequisites from the undergraduate program.
Before beginning this process:
• Obtain the current course syllabi. Current, expanded course outlines provide more detail and are better sources.
• Make sure the current textbook supporting the classes and the visual media/projects that may be used in those classes are accessible. For a question on content, refer to the course textbook or PowerPoint slides.
• If some of the subject matter is taught in other departments or colleges, a representative who is knowledgeable of what is taught in those classes may need to provide assistance. For this reason, an undergraduate program may take more time to map than a graduate program.
A dual monitor, with the model matrix on one screen and the syllabus/expanded course outline
on the other, facilitates the process.
The mapping process steps are listed in figure 8.

Figure 8—Mapping Process Steps
1. Identify all direct and support courses that apply to the program.
2. Ensure that the current syllabi or expanded course outlines and support materials for the courses are accessible. It takes approximately 16 hours to complete the mapping if expanded course outlines are available from which information can be extracted.
3. Proceed one by one. Select the first course in the program, examine the elements and subject matter, and map to the model. Proceed week by week.
4. Use key words from the ISACA template subtopics to search the syllabi to identify matches. Once a match is made, estimate the amount of time devoted to the subject based on the syllabus.
5. If uncertain of the content of the subject covered, go to the textbook and PowerPoint slides/materials used. Note that generic titles often cover more than what is implied.
6. Remember to allocate the time per course and identify the course covering each subject. For example, a quarter system may have 10 weeks and four contact hours per week (40 hours), but some courses may have lab or project requirements that result in more than 40 hours.
7. Map course by course and keep track of allocation. This is easiest for those familiar with the program who have the information available.
8. After completing all courses, go back and double-check that the selections/placement are the best possible and seem reasonable.
9. Have a colleague check the mapping.
Submit the completed tables (below) to ISACA for review by e-mail at research@isaca.org,
fax at +1.847.253.1443, or mail at: Director of Research, Standards and Academic Relations,
ISACA, 3701 Algonquin Road, Suite 1010, Rolling Meadows, IL, 60008, USA. If the program is
found to be in alignment with the ISACA Model Curriculum for IS Audit and Control, the
program may be posted on the ISACA web site and graduates of the program will qualify for one
year of work experience toward the CISA certification. Note that the total noncontact hours
(e.g., time allocated for work on outside assignments) cannot exceed 25 hours.
Figure 1—IS Audit Process Domain Alignment Grid
Columns: Topic; Hours; Subtopic; Course(s) Covering the Subtopic; Hours. The hours shown against each topic are the model's recommended hours; the "Course(s) Covering the Subtopic" and course-hours columns are completed for the program being mapped.

IS Audit Function Knowledge (6 hours)
• Laws and regulations: audit charter
• Nature of audit: demand for audits (e.g., agency theory, insurance hypothesis, information hypothesis)
• Nature of IS audit: need for control and audit of computer-based information systems
• Types of audit and auditors: information systems, external, internal, government/public sector
• IS auditor responsibility, authority and accountability: audit charter, outsourcing of IS audit activities
• Regulation and control of IS audit: ISACA standards, guidelines, Code of Professional Ethics; laws; regulations

Fundamental Auditing Concepts (7 hours)
• Materiality: application of materiality for IS audit compared to materiality for financial statement audit
• Evidence: types of evidence; meaning of sufficient, reliable, relevant evidence
• Independence: need for independence in attitude and appearance, situations that may impair independence
• Audit risk: inherent risk, control risk, detection risk
• IS and general audit responsibilities for fraud
• Assurance

Standards and Guidelines for IS Auditing (5 hours)
• Knowledge of ISACA Code of Professional Ethics
• Review of current ISACA IS Auditing Standards and Guidelines
• Standards and guidelines specific to a region/country: ACM, AGA, AICPA, AITP, IFAC, IIA, ISO, NIA (See Appendix 5, Acronyms, for full names.)
• IS audit practices and techniques

Internal Controls Concepts and Knowledge (13 hours)
• Relevance, structure and indicators of effective IT governance for organizations and IS auditors; IT governance structure
• Internal control objectives; internal control and documentation of IS, COCO, COSO, King, Sarbanes-Oxley Act of 2002, SAS 94
• Control classifications: preventive, detective, compensating/corrective
• General controls: organizational, security, general operating and disaster recovery, development, documentation
• Application controls: control objectives; classifications of application controls, e.g., computerized/manual, input/processing/output, preventive/detective/corrective, audit trails
• COBIT: relevance for organizations and IS auditors; structure of COBIT

Audit Planning Process (7 hours)
• Strategic/tactical audit planning
• Engagement letter: purpose and content
• Risk assessment: risk-based auditing; risk assessment methods; standards such as AS/NZS 4360, CRAMM
• Preliminary evaluation of internal controls: information gathering and control evaluation techniques
• Audit plan, program and scope: compliance vs. substantive testing, application of risk assessment to audit plan
• Classification, scope of audits: e.g., financial, operational, general, application, OS, physical, logical

Audit Management (5 hours)
• Resource allocation/prioritization/planning/execution/reassignments
• Evaluating audit quality/peer reviews
• Best practice identification
• Computer information systems (CIS) audit career development
• Career path planning
• Performance assessment
• Performance counseling and feedback
• Training (internal/external)
• Professional development (certifications, professional involvement, etc.)

Audit Evidence Process (12 hours)
• Evidence: sufficient, reliable, relevant, useful
• Evidence-gathering techniques, e.g., observation, inquiry, interview, testing
• Compliance vs. substantive testing: nature of and difference between compliance and substantive testing, types of compliance tests, types of substantive tests
• Sampling: sampling concepts, statistical and non-statistical approaches, design and selection of samples, evaluation of sample results
• Computer-assisted audit techniques (CAATs): need for, types of, planning for and using CAATs; continuous online auditing approach
• Documentation: relationship with audit evidence; uses of documentation; minimum content; custody, retention, retrieval
• Analysis: judge the materiality of findings, identify reportable conditions, reach conclusions
• Review: provide reasonable assurance that objectives have been achieved

Audit Reporting Follow-up (3 hours)
• Form and content of audit report: purpose, structure and content, style, intended recipient, type of opinion, consideration of subsequent events
• Management actions to implement recommendations

Total hours: 58
Figure 2—IT Governance Domain Alignment Grid

IS/IT Management (10 hours)
• IT project management
• Risk management: economic, social, cultural, technology risk management
• Software quality control management
• Management of IT infrastructure, alternative IT architectures, configuration
• Management of IT delivery (operations) and support (maintenance)
• Performance measurement and reporting: IT balanced scorecard
• Outsourcing
• Quality assurance
• Sociotechnical and cultural approach to management

IS/IT Strategic Planning (8 hours)
• IS/IT strategic planning: competitive strategies and business intelligence, link to corporate strategy
• Strategic information systems frameworks and applications: types of IS, knowledge management, decision support systems; classification of information systems

IS/IT Management Issues (9 hours)
• Management of IT human resources, employee policies, agreements, contracts
• Segregation of duties
• IS/IT training and education
• Legal issues relating to the introduction of IT to the enterprise (international and country-specific)
• Intellectual property issues in cyberspace: trademarks, copyrights, patents
• Ethical issues
• Privacy
• IT governance
• IS/IT housekeeping

Support Tools and Frameworks (6 hours)
• COBIT: management guidelines, a framework for IS/IT managers
• COBIT: audit’s use in support of the business cycle
• International standards and good practices: ISO 17799, ITIL, privacy standards, COSO, COCO, Cadbury, King

Techniques (4 hours)
• Change control reviews
• Operational reviews
• ISO 9000 reviews

Total hours: 37
Figure 3—Systems and Infrastructure Lifecycle Management Domain Alignment Grid

IS Planning (9 hours)
• IS managing components (e.g., data, processes, technologies, organization), understanding stakeholders and their requirements
• IS planning methods: system investigation, process integration/reengineering opportunities, risk evaluation, cost-benefit analysis, risk assessment, object-oriented systems analysis and design
• Enterprise resource planning (ERP) software, enterprise applications integration
• Monitoring service-level performance against service level agreements (SLAs), quality of service, availability, response time, security and controls, processing integrity, privacy, remedies, amending SLAs

Information Management and Usage (16 hours)
• Data and information: analyze, evaluate and design information architecture (i.e., the role of databases and database management systems, including knowledge management systems and data warehouses)
• Data and application architecture (e.g., IS modeling, business models, processes and solutions); analysis, evaluation and design of an enterprise’s business processes and business models
• Information management (data administration, database functions and administration, database administrator roles and responsibilities)
• Database technology as tools for the auditor
• Data structures and basic SQL language

Development, Acquisition and Maintenance of Information Systems (12 hours)
• Information systems project management: planning, organization, human resource deployment, project control, monitoring, execution
• Traditional methods for the system development life cycle (SDLC); analysis, evaluation and design of an enterprise’s SDLC phases and tasks
• Approaches for system development: software packages, prototyping, business process reengineering, computer-aided software engineering (CASE) tools
• System maintenance and change control procedures for system changes
• Risk and control issues, analysis and evaluation of project characteristics and risks

Impact of IT on the Business Processes and Solutions (4 hours)
• Business process outsourcing (BPO)
• Applications of e-business issues and trends

Software Development (11 hours)
• Separation of specification and implementation in programming
• Requirements specification methodology
• Algorithm design, sorting and searching algorithms
• File handling
• Linked lists and binary trees
• Database creation and manipulation
• Principles of good screen and report design
• Program language alignment

Audit and Development of Application Controls (19 hours)
• Input/origination controls
• Processing control procedures
• Output controls
• Application system documentation
• Audit trails

Total hours: 71
Figure 4—IT Service Delivery and Support Domain Alignment Grid

Technical Infrastructure (25 hours)
• IT architecture/standards
• Hardware: all IT equipment, including mainframe, minicomputers, client-servers, routers, switches, communications, PCs, etc.
• Software: operating systems, utility software, database systems, etc.
• Network: communications equipment and services rendered to provide networks, network-related hardware, network-related software; use of service providers that provide communication services, etc.
• Baseline controls
• Security/testing and validation
• Performance monitoring and evaluation tools
• IT governance: maintaining and making it work for IT
• IT control monitoring and evaluation tools, such as access control systems monitoring or intrusion detection systems monitoring
• Managing information resources and information infrastructure: enterprise management software
• Service center management and operations standards/guidelines: COBIT, ITIL, ISO 17799
• Issues and considerations of service center vs. proprietary technical infrastructures
• Open systems

Service Center Management (12 hours)
• Service center management and operations standards/guidelines: COBIT, ITIL, ISO 17799
• Change management/implementation of new and changed systems: organization of the tools used to control the introduction of new and changed products into the service center environment
• Security management
• Resource/configuration management: compliance with organization/IT operating standards, policies and procedures (e.g., proper use of computer languages)
• Problem and incident management
• Capacity planning and prognosis
• Management of the distribution of automated systems
• Administration of release and versions of automated systems
• Management of suppliers
• Customer liaison
• Service level management
• Contingency/backup and recovery management
• Call center management
• Management of operations of the infrastructure (central and distributed)
• Network management
• Risk management
• Key management principles

Total hours: 37
Figure 5—Protection of Information Assets Domain Alignment Grid

Information Assets Security Management (10 hours)
• Information technology and security basics, concept of IT security, need for securing IT resources, policy framework on IT assets security, management of IT security, training
• Standards, compliance and assurance on IT security

Logical IT Security (7 hours)
• Components of logical IT security, logical access control issues and exposures, access control software
• Logical security risks, controls and audit considerations (audit of logical access, security testing)
• Logical security features, tools, procedures

Applied IT Security: High-technology Resources (9 hours)
• Communications and network security: principles of network security, client-server, Internet and web-based services, firewall security systems and other connectivity protection resources (e.g., cryptography, digital signatures, key management policies), intrusion detection systems, COBIT, system reviews
• Mainframe security facilities
• Basic database application and system security
• Security in the system development and maintenance processes

Physical and Environmental Security (3 hours)
• Environmental issues and exposures: concepts of physical IT security
• Physical access exposures and controls

Total hours: 29
Figure 6—Disaster Recovery and Business Continuity Domain Alignment Grid

Protection of the IT Architecture and Assets: Disaster Recovery Planning (10 hours)
• Management support and commitment to the process
• Plan preparation and documentation
• Management approval and distribution of the plan
• Testing, maintenance and revision of the plan; training
• Audit’s role
• Backup provisions
• Business continuity planning
• Business impact analysis

Insurance (2 hours)
• Description of insurance
• Items that can be insured
• Types of insurance coverage
• Valuation of assets: equipment, people, information process, technology

Total hours: 12

Grand Total (Total Hours for Figures 1-6): 244