SteadyCert

ISACA loves sequencing questions: "What should the auditor do FIRST?" or "Which phase does this activity belong to?" If you see a question about what comes FIRST in an audit, the answer is almost always a planning activity — understanding the business, defining scope, or assessing risk. Never jump to fieldwork or testing.

When the exam says "must," "required," or "mandatory" — the answer involves Standards (not guidelines, not tools). When it says "should" — that's Guidelines. When it says "may" — Tools & Techniques. ISACA tests this hierarchy constantly. If a question asks what happens when an auditor deviates from a Standard vs. a Guideline, remember: deviating from Standards requires justification and disclosure in the report. Deviating from Guidelines does not.

Three charter questions ISACA always asks: (1) "Who approves the audit charter?" → Board/audit committee, never management. (2) "What establishes the audit function's authority?" → The audit charter. (3) "An auditor previously designed the system being audited — what threat?" → Self-review. If a question describes ANY situation where the auditor's objectivity could be compromised, identify the specific threat type — ISACA wants the precise category, not just "independence issue."

When ISACA asks "what type of audit should be performed," pay attention to the goal described in the question. If the goal is "verify adherence to policy" → compliance audit. If the goal is "verify accuracy of financial data" → substantive testing within a financial audit. The trap: "IS audit" is not a type of testing — it's a category that can include both compliance and substantive work.

ISACA trap: CSA looks like it replaces the audit. It doesn't. The auditor facilitates but management owns the self-assessment. CSA supplements formal audit — it never replaces it. If a question presents CSA as the ONLY assurance mechanism, that's always wrong. And if the question asks about the auditor's role in CSA, "evaluator" and "assessor" are traps — the answer is "facilitator."

When you see "FIRST" in a Domain 1 question, the answer is almost always about understanding the business or environment — not about starting fieldwork or testing. "What should the auditor do FIRST when planning an IS audit?" → Understand the business environment. Not "identify risks," not "allocate resources," not "start testing." ISACA rewards the auditor who gathers context before acting.

ISACA will present a scenario where something went wrong after the audit and ask which risk component failed. The answer is almost always Detection Risk — because the auditor's procedures didn't catch it. Inherent risk (A) and control risk (B) are properties of the system, not the audit. If the question asks "what can the auditor do to reduce overall audit risk?" — the answer is always about improving detection procedures (more testing, better sampling, CAATs).

ISACA prefers preventive controls, but questions often test whether you know that detective controls are appropriate when prevention isn't feasible. If the question asks what's MISSING and the system already has cameras and alarms — the answer is preventive. But if the question asks "which control is MOST appropriate for detecting unauthorized changes after they occur?" — choosing preventive is the trap. Read what the question is actually asking.

The audit program is developed during planning, not fieldwork. An IS auditor should always discuss findings with management before issuing the final report — giving management a chance to respond is a standard requirement.

ISACA tests the inverse relationship: strong compliance results → less substantive testing needed. But the real trap is confusing what each test does. "Does the backup run every night?" = compliance test (is the control working?). "Is the backed-up data complete and restorable?" = substantive test (is the data accurate?). If the question says "verify the control operates effectively" → compliance. If it says "verify data integrity" → substantive.

ISACA trap: "Statistical sampling is always superior." Wrong. Judgmental (non-statistical) sampling is appropriate when the auditor's expertise can identify high-risk items more effectively than random selection. But if the question asks about projecting results to the entire population or quantifying sampling risk — only statistical sampling can do that. Also remember: attribute sampling → compliance (yes/no, pass/fail), variable sampling → substantive (dollar amounts).

When ISACA asks "which evidence is MOST reliable?" — rank it: external independent sources beat auditor-obtained documents, which beat entity-provided documents, which beat oral statements. The trap: a question might offer "verbal confirmation from the CFO" alongside "system-generated log." The log wins every time — even though the CFO outranks the system. Reliability comes from independence and objectivity, not authority.

ISACA loves testing who owns what: Continuous auditing = auditors. Continuous monitoring = management. If the question asks "who is responsible for continuous monitoring?" and "IS auditor" is an option, it's a trap. Also: test data uses DUMMY transactions (not real ones). ITF runs test data through the LIVE system (risky — must remove test results after). Parallel simulation is the safest CAAT because it uses a copy of the data, not the live system.

ISACA loves asking which component is missing from a finding. If it says "passwords are weak" without referencing a policy standard — the missing element is Criteria. Condition = what you found. Criteria = what it should be. Cause = why. Effect = so what. If ANY of the four is missing, the finding is incomplete. Also: always present findings to management before the final report — but independence violations go straight to the audit committee, not management.

When ISACA asks "what is the PRIMARY purpose of a QA review?" — the answer is conformance with standards, not "finding errors in the report." QA is about the audit process itself, not the auditee. Also watch for: "Who should perform the external QA review?" — it must be someone independent of the audit function. If the CAE (Chief Audit Executive) selects the reviewer, that compromises independence.