Types of Audits, Assessments, and Reviews is the ISACA CISA taxonomy of formal examination approaches used in the Information Systems Auditing Process. Three parent categories organize all engagement types:

1. Audits: independent, objective examinations of controls, processes, or financial data measured against defined criteria, producing a formal assurance opinion.
2. Assessments: structured evaluations of an organization's current state measured against a maturity model or framework (e.g., COBIT 2019, NIST CSF 2.0), producing a maturity score or gap analysis rather than a pass/fail opinion.
3. Reviews: lighter-touch, less formal examinations of a specific area, producing observations and recommendations without the rigor or independence requirements of an audit.

Within audits, CISA distinguishes six primary types:

- Financial IS audits: controls over financial reporting systems.
- Compliance audits: adherence to external regulations such as SOX, HIPAA, PCI-DSS, GDPR.
- Operational audits: efficiency and effectiveness of IT operations.
- Internal control audits: design and operating effectiveness of management controls.
- Integrated audits: two or more audit objectives combined in one engagement with a unified scope, evidence plan, and report.
- Performance audits: IT resource utilization and service delivery effectiveness.

Additional recognized types include:

- External audits: conducted by a third party independent of the organization.
- Internal audits: conducted by the organization's own audit function.
- Continuous auditing: automated, near-real-time control testing enabled by data analytics and meeting ISACA Standard 1401 evidence requirements.
- Post-audit follow-up audits: verifying remediation of prior findings.
- Service auditor assessments such as SOC 2 Type I and Type II reports: evaluating service organization controls for third-party reliance.
The CISA vocabulary is precise and non-interchangeable: an audit produces an opinion; an assessment produces a maturity level or gap report; a review produces observations. Conflating these terms in an engagement scope produces misaligned stakeholder expectations and unsupportable audit evidence.
Where it stops · what it isn't
- What it is: A structured, documented examination process that produces a formal deliverable — audit report, assessment scorecard, or review memo — with defined objectives, scope, evidence, and conclusions.
- What it isn't: Informal management walkthroughs, IT health checks without documented methodology, vendor demonstrations, or penetration testing reports (security tests, not audits, unless formally scoped as audit engagements).
- What it is: SOC 2 Type I reports assess whether service organization controls are suitably designed at a point in time; SOC 2 Type II reports assess whether those controls operated effectively over a defined period. Both are third-party reliance documents, not the organization's own audit.
- What it isn't: A maturity assessment (e.g., a COBIT capability assessment) does not constitute an audit and cannot serve as audit evidence of control effectiveness without additional substantive testing.
- What it is: Continuous auditing uses automated tools and analytics to test controls at high frequency or in near-real-time; it is a recognized audit methodology — not continuous monitoring performed by management.
- What it isn't: Continuous monitoring (performed by management) is not continuous auditing (performed by the audit function). The critical difference is ownership and independence, not technology.
- What it is: An integrated audit deliberately co-designs objectives, evidence plans, and reporting across two or more audit domains (e.g., financial and compliance) in a single engagement.
- What it isn't: Conducting multiple audits in the same fiscal year on the same system does not constitute an integrated audit. Integration requires unified design from inception, not retroactive combination of workpapers.
Connected concepts in the graph
Every cubelet sits in a knowledge graph. Here's what this one connects to.
- REQUIRES: Risk-based Audit Planning; COBIT 2019 Framework (for maturity assessments); NIST Cybersecurity Framework 2.0 (for security assessments)
- ENABLES: IS Audit Standards, Guidelines, Functions, and Codes of Ethics; Audit Reporting and Follow-up
- PART OF: Information Systems Auditing Process (CISA Domain 1)
- RELATED TO: Audit Quality Assurance; Audit Evidence Collection and Evaluation
- CONSTRAINS: SOC 2 Reporting (AICPA Trust Services Criteria)