Concept Mapping—A Learning Tool for the Information Systems Audit Profession

By Kristine M. Protzman and Vasant Raval, CISA, DBA
Volume 3, 2006

Continuous professional education is a requirement for information systems (IS) auditors. Information technology keeps changing, and its applications in today’s virtual environment are becoming more complex. Changes in the technology and its applications require an assessment of new risk exposures and attendant controls that are necessary to manage new risks. This article discusses concept mapping, a learning tool with a potential to benefit IS professionals in their efforts to keep pace with the changes that impact them.

Concept mapping (also called mind mapping or knowledge mapping) can be applied to any learning situation. To illustrate its use, this article uses the context of a Certified Information Systems Auditor™ (CISA®) examination candidate preparing to sit for the test. Specifically, it discusses how such maps relate to the discussion of the same topic in the CISA Review Manual. The final part of this article describes specific situations where the IS audit professional can use concept maps to enhance continuous learning.

Knowledge Requirements of CISA Candidates

A renewed focus on controls after the passage of the US Sarbanes-Oxley Act of 2002 has increased demand for skilled IS audit professionals. This is evident in the increased number of applicants for the CISA examination and certification. In June 2005 alone, more than 12,000 people sat for the examination in English. The candidates’ backgrounds can be classified into three categories: experienced IT professionals who must learn IT controls and auditing, financial auditors who must learn deployment of IT in various situations and its effects on risk management, and younger IT-savvy entrants into the workforce who lack real-world experience in IT systems and auditing. For all three groups, although their needs in preparing for the examination may be different, the sheer volume of information necessary to master the exam may be overwhelming. Despite having familiarity with some parts of the topics tested in the exam, it may be hard for candidates to identify links between topics new to them and topics with which they are already familiar.

To help fill these knowledge gaps, the use of concept maps is recommended. A concept map is a learning tool that allows an individual to identify relationships between known and new concepts and, in this manner, comprehend new information. Whether one is preparing for a professional examination, teaching students or working on continuing professional education, concept maps offer an ideal medium to learn and retain new knowledge. This article demonstrates their use with a selected content area, the topic of cryptography.

Concept Maps

A concept map is a knowledge representation tool. Concepts are defined as perceived regularities in events or objects, or records of events or objects, designated by a label.1 For example, there are various shapes and kinds of things that people call a chair, but once a child acquires the concept chair, that child will correctly label almost anything with a seat, back and legs as a chair.2 The concept mapping methodology is developed using Ausubel’s theory of meaningful learning, which suggests that meaningful learning is a process in which new information is related to an existing relevant aspect of an individual’s knowledge structure.

The process of developing concept maps is largely heuristic and iterative in nature. For a selected topic, labels (concepts) are first collected. These concepts are then linked together to show relationships. Often, at this stage, the map may look like a hierarchy. A concept may be connected to more than one other concept, causing multiple branchings of the concept in its propositional form. Horizontally, relationships may be shown using cross-links between concepts from two different branches. The map may have several levels of hierarchy, depending on the level of understanding and complexity of the concept. Once created, concept maps help provide clarity to students on the small number of key ideas that they must focus on for any specific learning task. A map can also provide a kind of visual road map showing some of the pathways that link concepts in developing specific relationships.

Illustrative Concept Maps

The role of concept maps is to enhance learning in an interactive manner. A concept map thus facilitates movement of relevant information through perceptual barriers and provides a base for linkage between newly perceived information and previously acquired knowledge. It is clear that meaningful learning depends in part upon the adequacy of prior knowledge. A critical step in learning and knowledge retention is to relate already learned concepts (e.g., private key cryptography) to what is new in the same knowledge domain (e.g., public key cryptography) by forming a logical link between the two. Without a bridge to facilitate new learning, the concepts may be incomplete or poorly organized, making meaningful learning difficult, time-consuming and even tiring. In contrast, concept maps make the melding of two apparently diverse concepts—one learned and the other yet to be learned—possible. Figure 1 illustrates this concept using the topic of cryptography. Appropriate content from CISA Review Manual 2005 is provided for comparison.


Concept maps are intended to represent meaningful relationships among concepts in the form of propositions. Propositions are two or more concept labels linked by words in a semantic unit. In its simplest form, a concept map is two concepts connected by a linking word to form a proposition. For example, two components of a cryptographic system are a lock and a key. A proposition here is that a cryptographic system is comprised of two concepts, the concepts of a lock and a key. A combination lock is the method of protecting a locker, for example, and the specific combination used is the key to the lock.4 For the same lock, numerous keys (possible combinations) exist. The same type of lock is used by many (and by analogy, the same cryptographic method is used by many), so it is the specific combination (key value) that is secret and provides the protection.

When the new concept of public key cryptography is introduced, the private key cryptography concepts already learned are now extended, highlighting similarities and differences between what is known and what is new. Figure 2 presents both cryptographic approaches.


In looking at the extension of private key cryptography, one can see that there is now a need to clarify and extend the original concept of the key. The new concept introduced has to do with sharing keys. Returning to the analogy discussed earlier, if the locker owner wants others to access the locker, he/she would tell them the combination so they could open and close it. The key must be shared with the people who need to share the secret. Note that this idea of sharing the private key already exists in private key cryptography. However, its presence in the concept map now permits differentiation between what we already know—symmetric keys are shared—and what is new: public key cryptography requires that only the public key is shared.

How does the idea of sharing keys change in public key cryptography? This is suggested by the statement that a pair of related keys is used in public key cryptography—one that is never shared (private key) and one that is openly distributed (public key). Note also what is not changing. As in private key cryptography, the encryption method used in public key cryptography may also be widely known; however, secrecy is maintained through the key used and protected. In the transition from figure 1 to figure 2, two things are apparent. First, to facilitate perceptual movement to new concepts, a known concept is further clarified by the insertion of concepts implied but not clarified previously: that the key is shared by sender and receiver and that the same key encrypts and decrypts. This level of granularity is necessary to relate the known concept to the new concept. Second, when presented within the context of a known concept, it is easier to map the new concept into one’s knowledge by comparing and contrasting with what has been learned previously.
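The transition from the private key map to the public key map can be worked through in code. The following Python example is added here and is not part of the original article: the proposition triples and their linking words are constructed from the article's prose (the figures themselves are not reproduced), and the names PRIVATE_KEY_MAP, PUBLIC_KEY_MAP, concepts, levels and bridge are assumptions made for illustration.

```python
from collections import deque

# Propositions as (concept, linking words, concept) triples.
# Constructed from the article's prose, not copied from its figures.
CORE = {
    ("cryptographic system", "is comprised of", "method"),
    ("cryptographic system", "is comprised of", "key"),
    ("method", "may be", "widely known"),
}
PRIVATE_KEY_MAP = CORE | {
    ("key", "is shared by", "sender and receiver"),
    ("key", "both encrypts and decrypts", "message"),
}
PUBLIC_KEY_MAP = CORE | {
    ("key", "is extended to", "pair of related keys"),
    ("pair of related keys", "contains", "private key"),
    ("pair of related keys", "contains", "public key"),
    ("private key", "is", "never shared"),
    ("public key", "is", "openly distributed"),
}

def concepts(cmap):
    """Every concept label that appears on either end of a proposition."""
    return {c for s, _, t in cmap for c in (s, t)}

def levels(cmap, root):
    """Hierarchy level of each concept reachable from root (breadth-first)."""
    depth, queue = {root: 0}, deque([root])
    while queue:
        node = queue.popleft()
        for s, _, t in sorted(cmap):
            if s == node and t not in depth:
                depth[t] = depth[node] + 1
                queue.append(t)
    return depth

def bridge(known, new):
    """Compare a learned map with a new one: what carries over, what is new,
    and which known concepts the new propositions attach to (the anchors)."""
    added = new - known
    return {
        "retained": known & new,
        "added": added,
        "dropped": known - new,
        "new_concepts": concepts(new) - concepts(known),
        "anchors": {s for s, _, _ in added if s in concepts(known)},
    }

if __name__ == "__main__":
    result = bridge(PRIVATE_KEY_MAP, PUBLIC_KEY_MAP)
    print("anchor concepts:", sorted(result["anchors"]))
    print("levels:", levels(PUBLIC_KEY_MAP, "cryptographic system"))
```

With these constructed maps the only anchor is the concept "key", which matches the article's point that the known concept of the key is what must be clarified and extended to reach public key cryptography.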

Applications of Concept Maps

Concept maps can be applied in the following ways:

  • Learning—Presumably, the learning process guided by a concept map is an improvement over a linear text that, by itself, may not clearly convey relationships among concepts discussed. Even when it does convey the meaning clearly, the learner may have difficulty retaining the concept learned. Especially for visual learners, a verbal explanation often leaves out the important points of an idea. As figures 1 and 2 illustrate, drawing concept maps will help a student understand the main ideas involved and confirm that understanding with others. The transition from what is known to new knowledge to be mastered is commonly encountered. For example, consider a student attempting to learn how to configure a firewall. This learning can be facilitated by extending the knowledge of designing an access control list (ACL) to an exercise in creating filters to limit traffic by configuring the firewall. The common thread between the two is how to limit access to information assets. As another example, take the case of a professional who understands auditing and has some experience in consulting services; this individual can learn control self-assessment, an extension of internal auditing where the auditor works as a consultant to the auditee’s function, by linking current knowledge to the idea of control self-assessment.
  • Teaching—Concept maps are an important resource for instructors who wish to deliver complex topics to students. In this situation, the instructor begins with a few key concepts and relationships implicit in a certain topic, such as disaster recovery and contingency planning. The two concepts in this example are potential disaster and business continuity. Having put these up on the chart, the instructor begins to involve students by asking questions. How are potential disasters related to the concern for business continuity? What is an assurance objective common to both (e.g., availability)? What is the sequence of steps taken in each case? Through a dialog with and among students, the instructor is able to involve the students in an interactive process of developing the concept map. In this manner, effective communication and critical thinking skills are involved concurrently with the process of developing the concept map. The students are not only likely to retain what is taught, but they also will likely retain the learned concepts for future application. Interestingly, in such an exercise, the group may not even discuss all concepts but rather choose to develop those branches of the map that are most confusing, vague or contentious. Take an additional scenario. When discussing multiple-choice items, concept maps already developed can be used as a tool to logically derive the answer from a mix of possibilities, weeding out the choices that do not mesh with the drawn concept map.
  • Curriculum development—A curriculum for a profession is comprised of a series of logically related themes. For example, implicit in the CISA exam topics is a network of concepts, conveniently grouped in chapters that cover more closely related topics and subtopics. Thus, it is appropriate in the auditing chapter to talk about the audit process, which includes substantive testing. In turn, substantive testing may use a generalized audit software tool, which can be classified as a computer-assisted audit technique (CAAT). Therefore, the curriculum can be expressed in the form of a hierarchy of “drilled down” topics that are logically related. In describing a curriculum, this process also permits one to question if a particular idea should be discussed within a particular chapter or if it should be moved to another chapter. Incidentally, in going through this exercise of curriculum development, one may find that certain concepts will form a common link among chapters that collectively describe the entire curriculum.
  • Continuing professional education—Since continuing professional education (CPE) involves learning, concept mapping can be applied in these situations as well. For example, in a program covering professional ethics, one may begin with the code of conduct and, through interaction with the participants, form links to the code’s components that explain independence, objectivity, conflict of interest and other related concepts that invariably tie to the code. The CPE program not only becomes more interesting in this manner, but there is also greater interaction and participation in the learning process. Consequently, professionals attending such a program are more likely to internalize the concepts involved and how they are related.


The domain of IS auditing is rapidly becoming more complex. In part, this is due to rapidly developing information technology and its applications. The use of concept maps along with verbal discussions is likely to facilitate learning. What applies to CISA examination preparation is also pertinent to CPE programs. To succeed in the profession, students and practitioners should grasp new technologies and the systems that use them and also understand the sources of risks and how to manage them. A well-designed portfolio of concept maps can effectively support other sources of study material.7


Avery, P.; J. Baker; S. Gross; “‘Mapping’ Learning at the Secondary Level,” The Social Studies, vol. 87, no. 5, 1996, p. 217-222

Markham, K.M.; J.J. Mintzes; M.G. Jones; “The Concept Map as a Research and Evaluation Tool: Further Evidence of Validity,” Journal of Research in Science Teaching, vol. 31, 1994

Novak, J.D.; D.B. Gowin; Learning How to Learn, Cambridge University Press, 1984

Rosenbaum, A; “Mind Mapping: A Tool for Managing Organizational Transition,” Information Strategy: The Executive’s Journal, Winter 2004, p. 32-38

Kristine M. Protzman
is a graduate research assistant in the department of accounting at Creighton University (Nebraska, USA).

Vasant Raval, CISA, DBA
is chair of the department of accounting and a professor at the College of Business Administration at Creighton University (Nebraska, USA). His primary research interests include IS security and control and corporate governance. He is coauthor of a book on accounting information systems and has published many articles in various publications.


1 Novak, J.D.; Learning, Creating, and Using Knowledge: Concept Maps as Facilitative Tools in Schools and Corporations, Lawrence Erlbaum Associates, 1998

2 Macnamara, J.T.; Names for Things: A Study of Human Learning, MIT Press, 1982

3 ISACA, CISA Review Manual 2005, Rolling Meadows, IL, USA, 2005, p. 259

4 Mel, H.X.; D. Baker; Cryptography Decrypted, Addison-Wesley, 2001

5 Op. cit., CISA Review Manual 2005, p. 259-260

6 Ibid., p. 260

7 For additional concept maps useful in CISA exam preparation, please see /programs/cisa/index.php.

Information Systems Control Journal, formerly the IS Audit & Control Journal, is published by the ISACA. Membership in the association, a voluntary organization of persons interested in information systems (IS) auditing, control and security, entitles one to receive an annual subscription to the Information Systems Control Journal.

Source: ISACA