Free · CISA Exam · All 5 Domains

I learn better with pictures. So I built a digital picture book for the CISA exam.

I'm studying for CISA and the review manual is thorough — but I retain more when concepts are visual. So I turned all 5 domains into illustrated stories with mnemonics, practice questions, and real-world examples. It's free. Maybe it helps you too.

Free · No signup · No email required

5 Domains
81 Illustrated Scenes
179 Practice Questions
62 Real-World Cases

The review manual is comprehensive. I just don't learn that way.

Some people absorb 500 pages of dense text. I'm not one of them. I need images, stories, and patterns. So I built a version of the CISA material that works for how my brain retains information.

I remember stories, not definitions

When I read "audit risk = inherent risk × control risk × detection risk," I forget it by morning. When I imagine Alex holding the only lantern in a castle with sleeping guards, I remember it weeks later.

I need to see the concept, not just read about it

81 illustrated scenes where the image teaches the idea — not decorates it. A data migration isn't a paragraph. It's a moving truck with boxes arriving damaged, missing, or intact.

I learn by doing, not reviewing

179 practice questions embedded after each concept, in ISACA's actual format. I answer immediately while the concept is fresh, not in a separate practice exam days later.

Real failures stick more than abstract rules

62 named incidents — Equifax, Target, Wirecard, Colonial Pipeline. When I know WHY these companies failed, the audit principle behind it becomes unforgettable.

How each chapter is structured

Every section follows the same learning sequence. Here's what I found works.

1. Orientation first

I start each domain by showing the full map — what you'll learn, in what order, and how long it takes. Reduces overwhelm.

2. Why it matters

Every concept starts with why it matters in the real world. I find I engage more when I know the stakes before the theory.

3. A story, not a lecture

Alex Chen is a junior auditor at a fictional company called Meridian Corp. Every concept is something Alex encounters on the job. Stories create context that definitions can't.

4. An image that teaches

Each illustration is designed to encode the concept visually — not just look nice. If you can understand the idea from the image alone, the illustration earned its place.

5. A mnemonic that sticks

Sentence-based hooks, not just acronym lists. "Super Scary Auditors Face Intimidating Management" for the 6 independence threats. I tested these on myself — the ones that survived are in the book.

6. Practice immediately

3 questions right after each concept, in ISACA's FIRST/BEST/MOST format. Retrieval practice while the concept is still warm.

7. Real-world anchoring

A named real-world incident after each concept. Not hypothetical — actual companies, actual consequences, actual dollar amounts.

8. Exam traps at the end

Top 10 wrong-answer patterns per domain. These are the specific ways ISACA tries to trick you — sourced from forums, past candidates, and study group discussions.

Five domains. One story across five weeks.

Each domain follows Alex Chen through a different challenge at Meridian Corp.

D1 · IS Auditing Process · 21% of exam

"It's Day 1. The CISO hands Alex her first assignment: audit the IT department. She's never done this before."

By the end, you'll understand the complete audit lifecycle — from planning to reporting — and know how ISACA expects an auditor to think at every stage.

Key topics: Audit standards, risk-based planning, audit risk model, evidence collection, CAATs, reporting

D2 · Governance & Management of IT · 17% of exam

"Week 2. Alex discovers Meridian Corp has no IT governance framework. The CIO says they follow 'best practices.' Alex writes: 'No formal framework adopted.'"

By the end, you'll understand how IT governance connects to business strategy, what good governance looks like, and how to audit organisations that think they have it but don't.

Key topics: COBIT/ITIL/ISO/TOGAF, IT strategy alignment, risk management, vendor management, maturity models

D3 · IS Acquisition, Development & Implementation · 12% of exam

"Week 3. A new CRM is going live in 6 weeks. The project manager says 'we're doing Agile.' Alex asks for sprint records. There are none."

By the end, you'll know how to audit any system development project — from business case to go-live — and spot the red flags that most organisations miss.

Key topics: SDLC, project management, testing types, change management, data migration

D4 · IS Operations & Business Resilience · 23% of exam

"Week 4. It's payday Friday. At 9:47am, the payroll system goes down. 2,400 employees can't access their payslips. Alex is in the server room, notebook open."

By the end, you'll understand IT operations, ITIL service management, BCP/DRP, and incident response — and know the difference between RTO and RPO without looking it up.

Key topics: IT operations, ITIL, BCP/DRP, RTO/RPO, backup strategies, cloud computing

D5 · Protection of Information Assets · 27% of exam

"Week 5. The CEO's email was compromised over the weekend. A phishing attack. The attacker spent 48 hours in the inbox, reading board minutes and forwarding M&A documents."

By the end, you'll understand the full security landscape — from the CIA triad to incident response — and know how to audit an organisation's ability to protect what matters most.

Key topics: CIA triad, access control, encryption, network security, vulnerability management, incident response

Built with AI. Curated by a human.

This entire picture book — illustrations, stories, mnemonics, questions — was generated using AI, then quality-checked and adjusted by me, a product manager studying for CISA while working in IT. This is what happens when you combine AI generation with human curation.

AI-generated illustrations

81 scenes created with Nano Banana Pro, an AI image model. Each prompt was carefully crafted to encode the concept visually, not just create a pretty picture.

AI-generated, human-curated stories

Alex Chen's story across 5 domains, every mnemonic, every exam tip — generated by AI, then reviewed and adjusted by me for accuracy and tone. The curation is what makes it trustworthy.

Verified real-world cases

62 named incidents — Equifax, Target, Wirecard, Colonial Pipeline. AI sourced the examples; I verified dates, dollar amounts, and consequences against primary sources.

If you're studying for CISA, this might help.

It's free, it takes about 45 minutes per domain, and it's designed for people who — like me — learn better with pictures than paragraphs.

No signup · No email · Built for visual learners

I build these for other topics too.

If you're an educator, training department, or certification body and want an illustrated picture book for your subject matter — I'd love to talk. Same methodology, any topic. Reach out at shawnljj@gmail.com