
Information Systems Certified Auditor

$250.00
In stock
Product Details

Information Systems Certified Auditor SC-ISCA

The Information Systems Certified Auditor (ISCA) certification primarily evaluates the competencies, knowledge, and skills required to audit, control, supervise, and assess information systems and information technology (IT) within an organization. The key aspects that are evaluated include:

1. IT Governance and Management

This area evaluates the auditor's competencies to verify the implementation of an IT governance framework that ensures IT is aligned with the organization's strategic objectives. Key aspects include:

  • IT Governance. Assessment of the organization's control structure, such as role allocation, responsibilities, and reporting lines.
  • IT Risk Management. Analysis of the risks associated with technology, infrastructure, and information systems.
  • IT Strategy. Verification of the alignment between IT strategy and the organization's overall business strategy.
  • Policies and Procedures. Review of the documentation of IT policies, control guidelines, and operational procedures.
  • Organizational IT Structure. Evaluation of how IT is managed, including resource allocation, skills, competencies, and performance measurement.

2. Acquisition, Development, and Implementation of Information Systems

This area focuses on auditing the processes related to the acquisition, development, testing, and implementation of information systems. Auditors must identify and assess the risks at each stage of the system lifecycle. Key topics include:

  • IT Project Planning. Verification of the existence of a methodology for the acquisition and development of systems.
  • Software Procurement and Licensing. Validation of proper software acquisition and licensing according to business needs.
  • System Development and Implementation. Review of internal and external (outsourcing) development processes and the application of development methodologies such as Agile, DevOps, or traditional approaches.
  • System Testing. Assessment of acceptance testing, end-user testing, and quality control to ensure system functionality and security.
  • Change Management and Version Control. Evaluation of change control processes, version tracking, and the risks associated with system migrations to new environments or platforms.

3. Operations, Maintenance, and Support of Information Systems

This area focuses on the evaluation of daily IT operations, ensuring the efficiency, availability, and continuity of information systems. Auditors must review the ongoing operations and the support provided to users. Key topics include:

  • Capacity Management. Verification that IT infrastructure can support current and future demand.
  • Incident and Problem Management. Evaluation of the effectiveness of the incident management process and the organization's ability to resolve recurring issues.
  • Business Continuity Management (BCM) and Disaster Recovery Planning (DRP). Review of business continuity and disaster recovery plans to ensure system availability during failures.
  • Change Management. Review of processes for managing changes in systems, applications, and infrastructure, ensuring controlled processes are followed to minimize errors.
  • Physical and Logical Access Controls. Validation of access control mechanisms, such as user credentials, access cards, multi-factor authentication (MFA), and access control to data centers.

4. Protection of Information Assets

This area focuses on the control mechanisms for information security. Auditors must evaluate access control systems, information integrity, and data confidentiality. Key topics include:

  • Information Security Management. Assessment of information security policies and procedures.
  • Information Classification and Protection. Verification of information classification and the implementation of appropriate access controls.
  • Identity and Access Management (IAM). Auditing the creation of users, roles, and permissions in IT systems.
  • Data Encryption. Review of encryption mechanisms to protect sensitive information in transit and at rest.
  • Network and Systems Security. Review of network security, firewalls, VPNs, and protection against cyberattacks.
  • Physical and Logical Access Controls. Review of controls for access to systems, including physical access to data centers and logical access through passwords and authentication.

5. Information Systems Audit Processes

This area establishes the foundation for the audit of information systems and focuses on the methods and techniques that the auditor must apply at each stage of the audit process. Key topics include:

  • IT Audit Planning. Creation of audit plans, identification of objectives, and definition of the audit scope.
  • IT Risk Identification. Analysis of inherent risks and control risks affecting the organization.
  • Audit Execution. Collection of evidence through interviews, control tests, and analysis of IT logs.
  • Control Testing. Validation of the effectiveness of IT internal controls through audit tests.
  • Evidence Analysis. Evaluation of the evidence collected and its relationship to the audit objectives.
  • Documentation of Findings. Recording observations and conclusions on the effectiveness of IT controls.
  • Audit Reporting. Creation of formal reports with the audit findings, recommendations, and conclusions.

Professional credibility

Sector recognition

Job opportunities

Career advancement
