Should I get CISA Certified?

CISA is possibly the one ‘pure’ information systems audit qualification that is recognised worldwide. It is balanced between technical IT knowledge and business understanding.

There are other IT audit certifications – from the IIA’s aborted QiCA, to CPA-type accounting qualifications that touch on IT audit, to technical qualifications such as CCNA – but none with the universal recognition CISA holds.

Having said that, it is a baseline and not a gold standard. If you can’t pass it after a few years’ experience, you probably shouldn’t be an IT auditor. Holding it doesn’t prove your competence in any particular area – but it does verify that you understand what you are doing and have the skills and experience to undertake at least simpler audit assignments.

How can I obtain a CISA qualification?

There are two things you need to do to qualify: pass a 150-question multiple-choice exam in four hours (the exam was 200 questions before 2016), and demonstrate five years’ relevant experience. Up to three years of the experience requirement can be waived for relevant degrees and qualifications, or for other relevant experience.

The exam is wide in its scope, but for anyone with a good all-round understanding of enterprise IT and a comprehension of business risk it should not be too hard. There is a review manual to support it and also a question bank for practice – both are worth having. The book is still mind-numbingly dull and best used as a tool to identify any areas within the syllabus where you may need further study. The question bank is a far-too-accurate practice questions tool, and many candidates have noticed a strong similarity between some of the bank questions and exam questions on the day. Having written some of the questions used in the exam myself, I understand why this is the case. Still, if a few questions are similar it’s nowhere near enough to pass, so use the practice questions to identify areas of weakness. Address these areas with the book or other resources, then re-test yourself.

What does it cover?

The syllabus is split into five domains (previously six). You need to do well in all areas to pass the exam, but some areas carry more weight than others. It went through a refresh in 2024, so the domains you’ll need to understand, with their exam weightings, are:

  1. Information Systems Auditing Process (18%)

    Providing industry-standard audit services to assist organizations in protecting and controlling information systems, Domain 1 affirms your credibility to offer conclusions on the state of an organization’s IS/IT security, risk and control solutions.

    If you’re coming to IT audit from a financial or operational audit background with (say) a CPA or ACCA qualification, or with a couple of years existing experience of IT audit, you should find this familiar. If you are new to auditing, this will be mostly new to you.

  2. Governance and Management of IT (18%)

    This domain confirms to stakeholders your abilities to identify critical issues and recommend enterprise-specific practices to support and safeguard the governance of information and related technologies.

    This is closely related to ISACA’s CGEIT certification, and any IT management experience will help.

  3. Information Systems Acquisition, Development and Implementation (12%)

    Basically, change. Domains 3 and 4 offer proof not only of your competency in IT controls, but also of your understanding of how IT relates to the business.

    Project management, systems development, and change management experience will help you here.

  4. Information Systems Operations and Business Resilience (26%)

    As per Domain 3, but operations, including business continuity / disaster recovery aspects.

    Operational IT roles and disciplines such as ITIL will help you here.

  5. Protection of Information Assets (26%)

    Cybersecurity now touches virtually every information systems role, and understanding its principles, best practices and pitfalls is a major focus within Domain 5.

    Any cybersecurity experience or certification (such as CISM or CISSP) will assist you with this domain.

This is a slight change from the previous five-domain weightings, and indeed from the earlier six-domain weightings (below, taken from 2004), which were:

  • IS Audit Process – 10% exam weighting

  • IT Governance – 15% exam weighting

  • Systems and Infrastructure Lifecycle Management – 16% exam weighting (similar to domain 3)

  • IT Service Delivery and Support – 14% exam weighting (now included in domain 4)

  • Protection of Information Assets – 31% exam weighting

  • Business Continuity and Disaster Recovery – 14% exam weighting (now included in domain 4)

You can see that whilst there have been changes over the years, the qualification overall has remained very consistent.

What does it cost?

The exam fee is around the $500 mark (less for ISACA members), and you can join ISACA at any time (you don’t need to take the exam first). You don’t have to attend a course, but a number of organisations run CISA preparation classes commercially, which are recommended.

How long will it take?

It varies from person to person. If you have IT audit experience, good IT knowledge and a strong background in business, you may be able to get away with as little as a few hours’ preparation. If there are gaps in your knowledge, you have a technical background that has focused on specific areas of the syllabus, or your IT knowledge is weak (for example, you’ve moved recently from a general audit background to an IT audit role), you will need more time. You may want to take relevant courses, read up on weak areas, and spend a few months preparing for the exam.

If you’re doing well in every area of the practice question bank, you should do well in the exam.

Do I get letters after my name?

Yes, you can use the letters CISA, as long as you keep your certification up to date.

Do I need to do CPD?

Yes. You need a minimum of 20 hours of verifiable CPD a year, and a total of 120 hours over each three-year cycle. If you don’t have the time to go on a week-long course each year, ISACA branches run regular seminars, and you can also gain CPD from completing a quiz in the ISACA journal or from taking part in branch activities.

Is it for me?

Given the very reasonable cost and the fact that most employers look for it when recruiting, if you’re an IT auditor and you haven’t done CISA yet you should probably have your head examined one way or another. The bottom line is that CISA makes you a safer hire, and therefore more likely to get the job you’re looking for at an acceptable salary. It also helps you improve your knowledge, provides you (and your clients or boss) with comfort that you do in fact know what you are talking about, and will help you identify areas for further improvement.

How do I get started with a CISA certification?

Visit the CISA pages on the ISACA web site and register for the exam.
