Plain-English definitions of the audit and control terms that recur in CISA study material. Simplified for learning; ISACA's own material is authoritative.
| term | definition |
|---|---|
| IS audit | An independent examination of information systems and their controls. |
| Audit independence | Freedom from relationships that could bias the auditor; you do not audit your own work. |
| Objectivity | An unbiased attitude that lets the auditor reach fair conclusions. |
| Audit charter | The document that grants the audit function its authority and scope. |
| Risk-based auditing | Planning and scoping audits by where the risk of control failure is greatest. |
| Audit evidence | The information used to support audit findings and conclusions. |
| Sufficient and appropriate | Evidence that is enough in quantity (sufficient) and relevant and reliable in quality (appropriate). |
| Sampling | Selecting a subset of items to test, statistically or by judgement. |
| Materiality | Whether an error or weakness is significant enough to affect conclusions. |
| Audit finding | A gap between the condition observed and the expected control criterion. |
| Control | A measure that reduces risk by preventing, detecting or correcting an event. |
| Preventive control | A control that stops an undesirable event from occurring. |
| Detective control | A control that identifies an event after it has occurred. |
| Corrective control | A control that fixes or restores after an event. |
| Compensating control | An alternative control that addresses the same risk when the primary control is impractical or cannot be implemented. |
| General controls | Controls over the whole IT environment (e.g., access, change, operations). |
| Application controls | Controls within a specific application (e.g., input validation, control totals, edit checks). |
| Segregation of duties | Splitting a task so no one person controls an entire sensitive process. |
| IT governance | The structures and processes that direct and control the IT function. |
| SDLC | Systems Development Life Cycle - the stages of building or acquiring a system. |
| Post-implementation review | A check after go-live that the system delivered the intended benefits and controls. |
| Change management | The controlled approval, testing and release of changes to systems. |
| BIA | Business Impact Analysis - identifies critical functions and the impact of disruption. |
| RTO | Recovery Time Objective - target time to restore a process after disruption. |
| RPO | Recovery Point Objective - the maximum acceptable data loss, expressed as the time between the last recoverable copy and the disruption. |
| BCP | Business Continuity Plan - how the business keeps operating through disruption. |
| DRP | Disaster Recovery Plan - how IT services are restored after a disaster. |
| Logical access control | Technical controls that restrict who can use systems and data. |
| Encryption | Converting data so only authorised parties can read it. |
| Data classification | Labelling data by sensitivity to apply the right level of protection. |
| Residual risk | The risk that remains after controls have been applied. |
| Inherent risk | The risk that exists before any controls are applied. |
| Control self-assessment | A method where process owners assess their own controls, reviewed by audit. |
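Several of the terms above meet in one common IS audit test: reviewing logical access for segregation-of-duties conflicts and writing each conflict up as a finding (condition versus criterion), while recording any compensating control that management has documented. The Python below is an added example, not part of the glossary or of any ISACA material. The conflict matrix, role names, exception register and entitlement extract are all constructed for illustration; a real test would pull them from the IAM system and the access-policy documentation.

```python
"""Added example: a detective segregation-of-duties (SoD) test over a
user-entitlement extract, producing audit-style findings.

Everything below is constructed for illustration (hypothetical roles,
conflict pairs, exceptions and users); it is not taken from the glossary.
"""
from collections import defaultdict

# Criteria: pairs of roles one person must never hold together, with the
# risk each pairing creates. Hypothetical role names.
SOD_CONFLICTS = {
    ("vendor_create", "payment_approve"):
        "could set up a fictitious vendor and approve payments to it",
    ("payroll_edit", "payroll_approve"):
        "could alter and approve their own payroll changes",
    ("developer", "prod_deploy"):
        "could release untested code to production without an independent check",
}

# Exception register: conflicts management has accepted because a documented
# compensating control addresses the same risk. Constructed example.
COMPENSATING_CONTROLS = {
    ("dave", ("developer", "prod_deploy")):
        "release manager reviews every production deployment log weekly",
}

# Constructed entitlement extract: (user, role), as an IAM export might look.
SAMPLE_ENTITLEMENTS = [
    ("alice", "vendor_create"),
    ("alice", "payment_approve"),
    ("bob", "vendor_create"),
    ("carol", "payment_approve"),
    ("dave", "developer"),
    ("dave", "prod_deploy"),
    ("erin", "payroll_edit"),
]


def roles_by_user(entitlements):
    """Group an extract of (user, role) rows into {user: set(roles)}."""
    roles = defaultdict(set)
    for user, role in entitlements:
        roles[user].add(role)
    return roles


def find_sod_conflicts(entitlements, conflicts=SOD_CONFLICTS,
                       exceptions=COMPENSATING_CONTROLS):
    """Return one finding per user per conflicting role pair.

    Each finding states the observed condition, the criterion it breaches,
    the effect (risk), and any documented compensating control. Conflicts
    covered by a compensating control are still reported, so the auditor
    can judge whether the compensating control is adequate.
    """
    findings = []
    for user, roles in sorted(roles_by_user(entitlements).items()):
        for pair, risk in conflicts.items():
            role_a, role_b = pair
            if role_a in roles and role_b in roles:
                findings.append({
                    "user": user,
                    "condition": f"{user} holds both {role_a} and {role_b}",
                    "criterion": f"{role_a} and {role_b} must be held by different people",
                    "effect": f"{user} {risk}",
                    "compensating_control": exceptions.get((user, pair)),
                })
    return findings


def unmitigated(findings):
    """Findings with no documented compensating control: the ones that go
    to the report as open exceptions."""
    return [f for f in findings if f["compensating_control"] is None]


if __name__ == "__main__":
    for f in find_sod_conflicts(SAMPLE_ENTITLEMENTS):
        status = "mitigated" if f["compensating_control"] else "OPEN"
        print(f"[{status}] {f['condition']} -> {f['effect']}")
```

Run as a script it prints one line per conflict; alice's vendor/payment combination is reported as open, while dave's developer/deploy combination is flagged but shown as covered by the documented compensating control. The test deliberately keeps mitigated conflicts in the output rather than suppressing them, because assessing whether a compensating control actually works is the auditor's job, not the script's.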