
You will learn how the course is structured, how to study efficiently, and how to translate each topic into real audit work. You will also set expectations for what an information systems auditor actually does across planning, fieldwork, reporting, and follow-up.
You will understand what Domain One covers, why it matters in real audits, and how the topics connect end to end. You will also learn the “big picture” flow from engagement initiation through evidence, conclusions, and reporting.
You will learn the responsibilities of an information systems auditor, the difference between auditing and consulting, and what “independence” means in practice. You will also build the audit mindset: curiosity, discipline, and professional skepticism.
You will learn who the key stakeholders are, what each one expects, and where misunderstandings usually happen. You will also learn how to manage communication so scope, access, and accountability stay clear throughout the engagement.
You will learn how internal and external audits differ in purpose, audience, and reporting structure. You will also learn how reporting lines affect independence, escalation, and how findings are acted on.
You will learn the foundations of internal audit work as it applies to technology: governance, risk focus, control evaluation, and documentation discipline. You will also see how information systems assurance fits into enterprise assurance and risk management.
You will learn what the audit committee does, why it matters for independence, and how it supports audit authority. You will also learn what an audit charter should include and how it protects audit scope and access.
You will learn common engagement types such as audits, reviews, assessments, and advisory activities, and what “assurance level” really means. You will also learn how engagement type changes evidence depth, testing rigor, and reporting style.
You will learn how engagements are formally initiated and how scope is defined so it is testable and defensible. You will also learn when to use specialists, how to rely on them properly, and how to remain accountable for conclusions.
You will learn the ethical expectations that drive credibility: integrity, objectivity, confidentiality, and competency. You will also learn how ethical issues appear in real work, such as conflicts of interest, pressure to soften findings, or mishandling sensitive data.
You will learn how assurance is coordinated across functions such as risk, compliance, security, and external auditors. You will also learn when and how you can use other teams’ work without duplicating efforts, and what validation you still must perform.
You will learn how laws, regulations, and contracts shape audit scope and testing criteria. You will also learn how to identify obligations that matter, document them as audit criteria, and avoid gaps that create compliance exposure.
You will learn how auditors convert standards and frameworks into practical audit criteria and test steps. You will also learn how to select the right reference points for the organization’s context and avoid “checkbox auditing.”
You will learn how auditors gather background, understand systems and processes, and identify high-risk areas before fieldwork starts. You will also learn how to build a risk-based plan that focuses testing on what could realistically fail and matter.
You will learn how fieldwork is organized, how testing is performed, and how workpapers become the proof behind conclusions. You will also learn how to keep testing traceable from objective → procedure → evidence → conclusion.
You will learn what makes evidence strong enough to support a finding and how to judge evidence quality. You will also learn how to handle common evidence problems such as incomplete logs, screenshots without context, or uncontrolled data extracts.
You will learn the difference between a control that is well-designed and a control that is actually working in practice. You will also learn how control weaknesses translate into audit risk, business impact, and the severity of findings.
You will learn how to write findings that are clear, fair, and actionable, and how to connect them to criteria, cause, impact, and evidence. You will also learn how reporting quality affects management response, remediation, and audit credibility.
You will learn the full lifecycle from planning through follow-up and how risk thinking guides every step. You will also learn how to align audit work to organizational priorities so audits deliver measurable value.
You will learn why sampling is used, when it is appropriate, and how to avoid misleading conclusions. You will also learn the practical difference between statistical and judgmental sampling, and how to document your sampling rationale.
You will learn what control self-assessment is, what it can and cannot prove, and how auditors treat it as input rather than final evidence. You will also learn how to validate CSA results and use them to target testing efficiently.
You will learn how CAATs help auditors test larger populations, detect anomalies, and increase audit coverage. You will also learn how to plan CAATs properly: defining data requirements, validating completeness, and interpreting results responsibly.
You will learn the difference between continuous auditing and continuous monitoring and where each fits. You will also learn common models, enabling technology, and how to design continuous approaches without turning audit into operations.
You will learn how AI changes audit risks, evidence sources, and expectations around governance and controls. You will also learn practical audit angles for AI usage such as data quality, model risk, access control, change management, and accountability.
You will learn how BI platforms create new risk around data pipelines, transformations, dashboards, and decision-making. You will also learn what to audit: data integrity, access, lineage, calculation logic, and the controls that prevent misleading reporting.
You will learn how audits adapt when systems are built and changed continuously through agile delivery. You will also learn what to look for in agile controls: backlog governance, definition of done, release approvals, segregation of duties, and evidence in fast cycles.
You will learn how to evaluate new technologies when standards and maturity are still evolving. You will also learn a practical approach for scoping and testing emerging tech risks such as cloud-native services, automation, internet of things, and new identity models.
You will consolidate the most important habits that determine audit quality: good judgment, strong evidence decisions, and healthy skepticism. You will also learn how to avoid common mistakes like over-trusting management narratives, accepting weak evidence, or concluding beyond what testing supports.
You will learn what Domain Two covers and how governance and management translate into audit scope, criteria, and evidence. You will also see how auditors evaluate oversight, decision-making, risk management, and control frameworks at the enterprise level.
You will learn the core enterprise governance concepts that shape how technology is directed and controlled. You will also learn what evidence shows governance is real, not just documentation, such as decision rights, committees, escalation paths, and performance oversight.
You will learn how security governance assigns accountability and ensures leadership oversight of security objectives. You will also learn what auditors look for in security governance evidence: ownership, reporting, risk acceptance, and measurable security outcomes.
You will learn the difference between governance (direction and oversight) and management (execution and operations). You will also learn how auditors set boundaries so they evaluate oversight effectiveness without drifting into running the function.
You will learn how to audit governance structures such as steering committees and leadership forums. You will also learn how to test decision rights, accountability, performance metrics, and whether governance actually influences priorities and risk decisions.
You will learn why enterprise architecture matters for risk, standardization, and long-term control. You will also learn what to audit: architecture principles, solution approvals, technology standards, exceptions, and how architecture decisions are governed.
You will learn how policies express management intent and set mandatory rules. You will also learn how to audit whether policies are clear, enforceable, communicated, and mapped to real controls and responsibilities.
You will learn how standards translate policy intent into specific requirements. You will also learn how auditors map standards to audit criteria and gather evidence that standard requirements are implemented consistently.
You will learn how procedures turn requirements into repeatable actions and how guidelines support consistent decisions. You will also learn how auditors test whether procedures are used in practice through tickets, logs, approvals, and operational records.
You will learn how to audit common policy areas that directly affect risk and behavior. You will also learn what evidence to seek for compliance, enforcement, exceptions, and accountability in day-to-day operations.
You will learn practical audit approaches for high-risk user-facing topics that drive incidents. You will also learn how to test controls such as filtering, authentication, remote access hardening, and monitoring using real operational evidence.
You will learn what makes governance documents audit-ready: clarity, ownership, version control, alignment, and measurability. You will also learn how weak documentation creates audit risk even when controls exist.
You will learn how auditors evaluate IT risk management as a governance capability, not just a risk register. You will also learn what “good” looks like in risk identification, treatment, monitoring, and reporting.
You will learn the meaning of key risk terms and how they shape audit focus and testing depth. You will also learn how to use these concepts to explain audit priorities and finding severity.
You will learn how frameworks guide risk processes and how auditors judge maturity and consistency. You will also learn how to test whether the organization follows the framework in practice across systems and teams.
You will learn different ways organizations identify risk, from workshops to threat modeling and incident analysis. You will also learn what documentation proves risk identification is systematic and complete.
You will learn how risk is analyzed and where analysis often goes wrong, such as weak assumptions or missing threat scenarios. You will also learn how auditors validate ratings, logic, and supporting evidence.
You will learn the main treatment options and how each should be documented and approved. You will also learn what auditors test: approvals for acceptance, mitigation plans, implementation evidence, and transfer contract terms.
You will learn how risk information should flow to leadership in a usable form. You will also learn how auditors assess KRIs, reporting cadence, escalation, and the traceability of decisions.
You will learn how auditors support better risk outcomes without becoming risk owners. You will also learn how to provide advisory input while protecting independence and avoiding management responsibility.
You will learn how controls are categorized and how control type influences testing. You will also learn practical test strategies for preventive, detective, and corrective controls across technical and administrative areas.
You will learn how control objectives define the “why” behind controls and how auditors test whether objectives are met. You will also learn how to evaluate compensating controls, including when they are acceptable and what evidence is required.
You will learn why layered security matters and how it reduces single points of failure. You will also learn how auditors test whether layers are independent, properly configured, and monitored to prevent easy bypass.
You will learn how organizations choose controls based on risk, cost, and regulatory needs. You will also learn what auditors look for: rationale, approvals, implementation plans, and proof that chosen controls actually address the risk.
You will learn how internal control frameworks help organize audit planning and reporting. You will also learn how to use a control model to avoid gaps and ensure coverage across governance, process, and technology layers.
You will learn how to test whether controls are designed correctly and whether they operate consistently over time. You will also learn how failures in either area impact audit conclusions and risk exposure.
You will learn how people-related controls reduce risk across hiring, onboarding, role change, and termination. You will also learn what auditors test: background checks, access provisioning, training, and timely removal of access.
You will learn how segregation of duties failures create fraud and error risk. You will also learn how auditors identify conflicts, assess role design, and validate compensating controls such as monitoring and approvals.
You will learn how vendor relationships expand risk and shift control responsibilities. You will also learn how auditors test due diligence, contracts, service levels, security requirements, and ongoing monitoring.
You will learn how a major operational disruption highlights governance, change, and resilience risks. You will also learn what auditors can extract as test ideas: change control, vendor risk, rollback readiness, monitoring, and incident communication.
You will learn what SOC reports are used for and how to interpret scope, period, and control coverage. You will also learn how auditors decide whether reliance is appropriate and what gaps require additional testing.
You will learn how core IT management processes influence risk and service quality. You will also learn how auditors evaluate planning, prioritization, resource constraints, and supplier management using governance evidence and operational metrics.
You will learn how technology spending is planned, approved, and tracked. You will also learn how auditors review financial governance, investment justification, and whether expected value and risk reduction are being realized.
You will learn how maturity models are used to measure process capability and drive improvements. You will also learn how auditors validate assessment quality, avoid self-scoring bias, and link maturity results to control effectiveness.
You will learn how IT performance is measured and reported to leadership. You will also learn how auditors assess scorecards, key performance indicators, and whether metrics actually drive accountability and corrective action.
You will learn how quality is built into IT work through assurance practices and verified through control activities. You will also learn what evidence supports quality management, such as test results, defect trends, reviews, and corrective actions.
You will consolidate how governance and risk oversight should look when they are working effectively. You will also strengthen your ability to judge whether evidence reflects real oversight or simply documented intent.
You will learn what Domain Three covers and how auditors evaluate technology delivery risk from acquisition through implementation. You will also see how governance, requirements, testing, release, and change controls connect to assurance outcomes.
You will learn how organizations acquire technology and where major risks appear early. You will also learn how auditors test approvals, vendor evaluation, security requirements, and alignment to business needs.
You will learn what makes a feasibility study credible and how business cases justify investment. You will also learn how auditors evaluate assumptions, benefits, constraints, and risk considerations before large spend is committed.
You will learn how budgeting and RFP processes should prevent waste, bias, and uncontrolled risk. You will also learn what auditors test: fairness, documentation, evaluation criteria, approvals, and contract protections.
You will learn the difference between projects and programs and how governance differs for each. You will also learn what auditors use as criteria: roles, steering oversight, reporting, and delivery accountability.
You will learn how planning artifacts create control over scope and deliverables. You will also learn how auditors verify that objectives are clear, work is decomposed properly, and responsibilities are assigned.
You will learn how schedules are managed and how status reporting reveals delivery risk. You will also learn how auditors test progress accuracy, milestone governance, and traceability of decisions and changes.
You will learn how cost estimates are built and why they often drift from reality. You will also learn how auditors review estimation methods, assumptions, variance explanations, and corrective actions.
You will learn what proper closure looks like beyond “go-live.” You will also learn how auditors evaluate benefit realization, unresolved risks, lessons learned, and whether operational ownership is truly transferred.
You will learn enough programming fundamentals to ask the right audit questions and interpret evidence. You will also learn common failure points such as weak input validation, insecure logic, and poor error handling.
You will learn major delivery models and how they change control design and evidence. You will also learn how auditors tailor tests for traditional, iterative, and rapid delivery approaches.
You will learn how requirements are captured and traced through design, testing, and delivery. You will also learn how auditors test traceability, completeness, and security thinking using misuse or abuse cases.
You will learn how architecture and application type affect risk and audit approach. You will also learn how auditors adjust testing for web applications, APIs, client-server systems, and integrations.
You will learn how licensing risk creates financial and legal exposure. You will also learn how auditors test entitlement, usage tracking, contract terms, and controls that prevent non-compliance.
You will learn why re-engineering introduces security and operational risk. You will also learn how auditors evaluate controls for documentation, code integrity, ownership, and the handling of legacy vulnerabilities.
You will learn the core application control categories and why each matters. You will also learn how auditors test correctness, completeness, authorization, error handling, and interface integrity.
You will learn what good testing looks like and what evidence proves it happened. You will also learn how auditors evaluate defect management, test coverage, approvals, and risk-based testing depth.
You will learn what certification and accreditation mean in assurance contexts and how they support audit reliance. You will also learn how auditors validate scope, conditions, exceptions, and ongoing compliance.
You will learn how releases should be governed to prevent outages and unauthorized change. You will also learn what auditors test: approvals, segregation, rollback plans, and deployment logs.
You will learn what can go wrong during cutover and how to reduce disruption risk. You will also learn how auditors verify readiness, data migration controls, fallback capability, and go-live approvals.
You will learn how support and maintenance protect system stability after implementation. You will also learn how auditors test incident handling, root cause analysis, backlog control, and secure maintenance practices.
You will learn how to build an end-to-end audit approach across the project lifecycle. You will also learn practical testing steps that connect governance, requirements, code, testing, and release evidence into a defensible conclusion.
You will learn what change management must achieve: controlled change with traceable approvals. You will also learn how auditors test emergency changes, segregation, and alignment between requests, implementation, and evidence.
You will learn how configuration baselines reduce drift and prevent undocumented change. You will also learn how auditors use CMDB evidence, baseline comparisons, and exception handling to evaluate control effectiveness.
You will learn how version control supports integrity, accountability, and secure collaboration. You will also learn what auditors test: access control, branch protections, approvals, and commit traceability.
You will learn how patching and vulnerability management reduce real-world exploitation risk. You will also learn how auditors test coverage, prioritization, remediation timelines, exceptions, and scanning reliability.
You will learn virtualization-specific risks such as hypervisor exposure and shared resource issues. You will also learn how auditors test access, segmentation, configuration hardening, and monitoring controls in virtual environments.
You will learn how responsibility shifts between cloud provider and customer and how that changes audit scope. You will also learn how auditors test cloud governance, identity controls, logging, configuration, and vendor assurance.
You will learn how deployment model changes risk, control design, and evidence availability. You will also learn how auditors adjust testing for data residency, connectivity, shared tooling, and governance across environments.
You will reinforce how delivery governance and control evidence determine whether systems are safe to deploy and maintain. You will also sharpen judgment for spotting weak traceability, weak testing, and uncontrolled change.
A CISA Course That Focuses on Real Audit Capability, Not Memorizing Standards
Most CISA learners don’t struggle with the exam because of difficulty. They struggle because typical training focuses only on definitions, frameworks, and lists — without explaining how auditors think and work in real organizations.
This course takes a different approach.
This course makes use of AI. CYVITRIX responsibly uses artificial intelligence as part of our instructional design, localization, editing, production, and quality enhancement workflows. However, this course is not an automatically generated product. It is developed through human expertise, instructor involvement, structured curriculum design, and continuous quality review.
This course is an independent learning resource. It does not replace official materials, exam outlines, or guidance published by ISACA or any certification body. It is not sponsored, endorsed, or approved by ISC2, ISACA, CSA, PECB, or any similar organization.
All certification names and related marks, such as CISA, CISM, CGRC, CISSP, and others, are registered trademarks of their respective owners and are used strictly for identification purposes.
Instead of teaching you to memorize auditing terms, we teach you how to act like an auditor, think like an assessor, and apply assurance principles to real business environments.
When you understand how IS auditors work, the exam becomes significantly easier — and your professional value skyrockets.
Most CISA courses focus on memorizing terminology, frameworks, and answers. This one focuses on building real audit skills.
Professionals who understand:
Audit evidence
Control assessment
Risk evaluation
Governance practices
Assurance processes
naturally perform better on both the exam and the job.
When you are trained to think like an auditor:
You understand the logic behind the exam
You answer with clarity and confidence
You gain skills that directly translate to the real world
This is long-term career value, not short-term exam tricks.
What Makes This CISA Course Different
1. Real Audit Thinking, Not Rote Learning
You will learn the mindset of an auditor:
How to plan audits
How to assess controls
How to analyze risks
How to interview stakeholders
How to evaluate evidence
How to report findings
Understanding these skills unlocks both exam success and real-world capability.
2. Scenario-Based Explanations
Instead of listing theory, we walk through practical situations such as:
Weak access controls during an audit
Evaluating cloud migration risks
Investigating incident response gaps
Reviewing SDLC processes
Auditing business continuity plans
Real examples make the CISA domains meaningful and intuitive.
3. Clear, Accessible Teaching Style
Complex auditing language and ISACA terminology are broken down in simple, structured explanations.
Ideal for both beginners and professionals transitioning into audit, security, or compliance.
4. Designed for International Learners
The content is delivered in clear, easy-to-understand English.
We also explain terminology, logic patterns, and tricky phrasing common in CISA-style questions.
5. Expert‑Authored, AI‑Enhanced
Every lesson, scenario, and explanation is written and reviewed by:
IS auditors
GRC specialists
Cybersecurity practitioners
Risk consultants
AI is used only to improve narration quality and accessibility, not to replace expert reasoning.
6. Comprehensive Study Aids Included
You gain access to helpful resources such as:
Domain summaries
Control evaluation checklists
Audit process flow diagrams
Practice-style questions
Evidence and findings templates
Risk assessment guides
Everything is designed for practical understanding and efficient revision.
Our training is built on three principles:
Human expertise first
All content is written, reviewed, and validated by professionals with real cybersecurity, governance, and audit experience.
AI-enabled clarity
AI is used responsibly to enhance explanations, accessibility, and production quality.
Continuous improvement
Content evolves with industry changes, updated practices, and learner feedback.
Enroll now.
Start learning CISA in a way that builds lasting audit skills, not temporary memorization.