Exam Profile: Certified Information Systems Auditor (CISA)

Date: Apr 13, 2011

The Certified Information Systems Auditor exam requires a vast understanding of 5 content areas, blending hand-on knowledge with strategic level awareness of management. The exam is quite challenging to most, but achieving it can open up career opportunities unlike any other certification. This article gives an overview of the exam, covers “pain points,” and offers practical tips on preparation you can use today to pass this difficult exam.

The CISA certification was established in 1978 by the Information Systems Audit and Control Association (ISACA), an association of IS professionals worldwide. Today, there are now over 70,000 candidates worldwide who have successfully passed this rigorous exam. As of 2011, the exam is available in 1two languages.

The CISA is a highly regarded and model certification. Recognition of the CISA is fairly consistent through all regions worldwide, unlike certifications such as CompTIA’s Security+ or those from the SANS Institute, which are US-heavy. In the United States, the CISA is distinguished by the US Department of Defense as one of their few formally-recognized certifications. This respect comes at a price—it’s a certification with a very challenging exam and requires verified work experience.

The exam is open to anyone interested in systems auditing, controls and information security. Obtaining the CISA certification requires passing the exam, plus work experience. It is offered twice a year, administered worldwide on the same day. For the 2011 exams, you may select among 101 countries. In the US alone, it’s available in 77 cities across 22 states.

Additional information about the exam and the certification is in the “CISA Bulletin of Information,” available on the ISACA website.

Exam Details

Number of questions: 200
Types of questions: multiple choice
Passing scores: 450 on a scale from 200 (lowest possible) to 800 (perfect)
Time limit: four hours (works to just over a 1 minute per question)
How to Register: You may register for the CISA exam, next available on June 11, 2011, by visiting the ISACA website

Before registering for the exam, you will create an ISACA account (name and e-mail). Then to register, you provide more demographic information, choose a test site, and pay the registration fee. The fee amount depends whether you are an ISACA member or not, available to you during registration.

Earning the CISA Certification

Passing the exam is one of two requirements for gaining the CISA designation. The second is meeting the required amount of work experience. The most straightforward way to complete the requirement is to have five years of systems auditing experience, but several variants of exceptions and substitutions exist, such as having an advanced degree in IT.

Note that many candidates choose to pass the exam before having the work experience. In fact, ISACA encourages candidates to study for and try the exam at any time, but ensures the certification will be awarded only after a candidate can meet the experience requirement. A candidate has five years after their exam to meet this requirement and apply for the certification.

There are other agreements for a candidate regarding ethics and continued education to obtain the CISA. But this article is about the exam, so consult the ISACA website for more details on gaining the certification.

Trouble Spots

The first trouble spot for exam candidates is the sheer scope of material. Without actually knowing the scope, someone may shrug off the exam as simply a non-technical, IT auditing exam. But after a few minutes reviewing the scope, that opinion may change to “overwhelmed” they read through the exam’s five content areas and grasps the depth of each area.

ISACA calls these five content areas “domains.” After a review of all domains, the structure and pattern takes shape. In time, a candidate can associate their own strengths and gaps against them. So, what may appear overwhelming at first will fast create a list of priority areas to study.

The domains covered in the CISA exam are as follows:

The Process of Auditing Information Systems
Governance and Management of IT
Information Systems Acquisition, Development and Implementation
Information Systems Operations, Maintenance and Support
Protection of Information Assets

How these domains are divided among the questions changes per exam, but ISACA does publicize the proportion in advance.

Experience Pays Off

To possess an introductory level across a few of the five domains requires a few years of relevant experience. For example, a person with three years enterprise auditing experience and two years of systems maintenance will have enough know-how to be quite familiar with two of the five domains. Familiarity will raise confidence. Confidence in the material will increase motivation to study more unfamiliar areas. So experience definitely pays off in time and motivation during your study.

Covering Both Operational and Policy Levels

Another trouble spot is the combination of both low-level and high-level understanding of the domains required of the candidate. Be aware, a candidate having a few years of experience in a domain does not guarantee they know the entire domain. Each domain covers job duties and knowledge that spans multiple levels of a job. For example, let’s look at Domain 4, covering systems maintenance. On an operational level of systems maintenance, a candidate will be more familiar with questions about procedures and implementation. On a higher, more management level of systems maintenance, the candidate is more familiar with policies and standards. Domain 4 spans both levels and much more.

No person is expected to know all areas solely based on experience. This means you must study and should not rely on experience alone for any domain.

Preparation Hints

Candidates’ best approach to preparation is to break down their studying according to the five domains listed above.

On the ISACA website, under the CISA exam section, click on the link titled “Prepare for the Exam.” There will be a helpful guide called “The Candidate's Guide to the CISA Exam” available for free.

Task and Knowledge Statements

“The Candidate's Guide to the CISA Exam” lists the several task statements and knowledge statements per domain. Task statements specify a job objective, while knowledge statements declare some specific awareness about an area. Each domain has between five and 11 task statements, and there are between 10 and 21 knowledge statements.

An example of a task statement would be “Evaluate the adequacy of backup and restore provisions to determine the availability of information required to resume processing.” That’s the task statement #10 of Domain 4: Information Systems Operations, Maintenance and Support. An example of a knowledge statement would be “Knowledge of operations and end-user procedures for managing scheduled and non-scheduled processes.” That’s statement #3 of the same Domain 4.

Study with Structure

Armed with the task and knowledge statements, a candidate has a structured framework for studying. Depending on your preference, you may wish to check off the topics you feel already comfortable with, prioritizing the most unfamiliar areas to concentrate on. Or you may wish to briefly visit the most well-known areas, which may provide you more insight on the detail level expected across all areas. In any case, use the domain breakdown to your advantage, as a checklist and path to covering all that is required of you.

Recommended Pace for Taking the CISA Exam

A word about the time limit: four hours may seem like a lot, even for 200 questions. It’s not. Four hours is 240 minutes, or one minute, twelve seconds per question.

Now even the most studious candidate shouldn’t try to concentrate for four hours straight. Instead, a candidate should take a break or two to refresh and reenergize. If a candidate takes two short breaks of 5-10 minutes each, that now leaves 220-230 minutes for the exam. Also consider that in any exam, it’s wise to allot time at the end to briefly scan your answer sheet for obvious mistakes (skipped or doubled-answered questions. A safe allotment of time would be 10%, or 20 minutes in this case. That leaves 200 minutes for 200 questions. With a break or two and some buffer time at the end, this gives a plain question-per-minute pace. This pace is especially helpful as you work through the exam, since you can confidently check your pace against the spent time and your current question.

Recommended Study Resources

Job experience helps, but can only get you so far. Preparation requires studying.

On the ISACA website, there are a variety of resources, such as study guides and review courses (virtual) through their “eLearning Campus.” Depending on your location, you may also find an instructor-led course available in your area. It’s a personal preference, but all these are available at a price.

There is also a “CISA Exam Preparation Community” expected to be accessible through the ISACA website. At the time of writing, the community is not yet available, citing, ”Exam preparation communities will open later this year.”

Study guides are not restricted to ISACA. Proven guides are available by online book outlets such as Amazon, and independent education providers. It is possible to get freely-available, downloadable study guides and practice exams. However, be aware that these are often provided to help generate leads for retail exams.

Exam Objectives

The five domains are not covered equally in the CISA exam. Instead, the domains are covered according to ISACA’s analysis of IT auditors’ jobs. Their analysis has created the following proportion of domains to the IT auditor’s job. The domains, and their task and knowledge statements, are as follows:

Domain 1—The Process of Auditing Information Systems (14%)

Provide audit services in accordance with IT audit standards to assist the organization in protecting and controlling information systems.

Domain 1—Task Statements:

Develop and implement a risk-based IT audit strategy in compliance with IT audit standards to ensure that key areas are included.
Plan specific audits to determine whether information systems are protected, controlled and provide value to the organization.
Conduct audits in accordance with IS audit standards, guidelines and best practices to meet planned audit objectives.
Communicate emerging issues, potential risks, and audit results to key stakeholders.
Advise on the implementation of risk management and control practices within the organization, while maintaining independence.

Domain 1—Knowledge Statements:

Knowledge of ISACA IT Audit and Assurance Standards, Guidelines and Tools and Techniques, Code of Professional Ethics and other applicable standards
Knowledge of risk assessment concepts, tools and techniques in an audit context
Knowledge of control objectives and controls related to information systems
Knowledge of audit planning and audit project management techniques, including follow-up
Knowledge of fundamental business processes (e.g., purchasing, payroll, accounts payable, accounts receivable) including relevant IT
Knowledge of applicable laws and regulations which affect the scope, evidence collection and preservation, and frequency of audits
Knowledge of evidence collection techniques (e.g., observation, inquiry, inspection, interview, data analysis) used to gather, protect and preserve audit evidence
Knowledge of different sampling methodologies
Knowledge of reporting and communication techniques (e.g., facilitation, negotiation, conflict resolution, audit report structure)
Knowledge of audit quality assurance systems and frameworks

Domain 2—Governance and Management of IT (14%)

Provide assurance that the necessary leadership and organization structure and processes are in place to achieve objectives and to support the organization's strategy.

Domain 2—Task Statements:

Evaluate the effectiveness of the IT governance structure to determine whether IT decisions, directions and performance support the organization’s strategies and objectives.
Evaluate IT organizational structure and human resources (personnel) management to determine whether they support the organization’s strategies and objectives.
Evaluate the IT strategy, including the IT direction, and the processes for the strategy’s development, approval, implementation and maintenance for alignment with the organization’s strategies and objectives.
Evaluate the organization’s IT policies, standards, and procedures, and the processes for their development, approval, implementation, maintenance, and monitoring, to determine whether they support the IT strategy and comply with regulatory and legal requirements.
Evaluate the adequacy of the quality management system to determine whether it supports the organization’s strategies and objectives in a cost-effective manner.
Evaluate IT management and monitoring of controls (e.g., continuous monitoring, QA) for compliance with the organization’s policies, standards and procedures.
Evaluate IT resource investment, use and allocation practices, including prioritization criteria, for alignment with the organization’s strategies and objectives.
Evaluate IT contracting strategies and policies, and contract management practices to determine whether they support the organization’s strategies and objectives.
Evaluate risk management practices to determine whether the organization’s IT-related risks are properly managed.
Evaluate monitoring and assurance practices to determine whether the board and executive management receive sufficient and timely information about IT performance.
Evaluate the organization’s business continuity plan to determine the organization’s ability to continue essential business operations during the period of an IT disruption.

Domain 2—Knowledge Statements:

Knowledge of IT governance, management, security and control frameworks, and related standards, guidelines, and practices
Knowledge of the purpose of IT strategy, policies, standards and procedures for an organization and the essential elements of each
Knowledge of organizational structure, roles and responsibilities related to IT
Knowledge of the processes for the development, implementation and maintenance of IT strategy, policies, standards and procedures
Knowledge of the organization’s technology direction and IT architecture and their implications for setting long-term strategic directions
Knowledge of relevant laws, regulations and industry standards affecting the organization
Knowledge of quality management systems
Knowledge of the use of maturity models
Knowledge of process optimization techniques
Knowledge of IT resource investment and allocation practices, including prioritization criteria (e.g., portfolio management, value management, project management)
Knowledge of IT supplier selection, contract management, relationship management and performance monitoring processes including third party outsourcing relationships
Knowledge of enterprise risk management
Knowledge of practices for monitoring and reporting of IT performance (e.g., balanced scorecards, key performance indicators [KPI])
Knowledge of IT human resources (personnel) management practices used to invoke the business continuity plan
Knowledge of business impact analysis (BIA) related to business continuity planning
Knowledge of the standards and procedures for the development and maintenance of the business continuity plan and testing methods

Domain 3—Information Systems Acquisition, Development, and Implementation (19%)

Provide assurance that the practices for the acquisition, development, testing, and implementation of information systems meet the organization’s strategies and objectives.

Domain 3—Task Statements:

Evaluate the business case for the proposed investments in information systems acquisition, development, maintenance and subsequent retirement to determine whether it meets business objectives.
Evaluate the project management practices and controls to determine whether business requirements are achieved in a cost-effective manner while managing risks to the organization.
Conduct reviews to determine whether a project is progressing in accordance with project plans, is adequately supported by documentation and status reporting is accurate.
Evaluate controls for information systems during the requirements, acquisition, development and testing phases for compliance with the organization's policies, standards, procedures and applicable external requirements.
Evaluate the readiness of information systems for implementation and migration into production to determine whether project deliverables, controls and organization's requirements are met.
Conduct post-implementation reviews of systems to determine whether project deliverables, controls and organization's requirements are met.

Domain 3—Knowledge Statements:

Knowledge of benefits realization practices, (e.g., feasibility studies, business cases, total cost of ownership [TCO], ROI)
Knowledge of project governance mechanisms (e.g., steering committee, project oversight board, project management office)
Knowledge of project management control frameworks, practices and tools
Knowledge of risk management practices applied to projects
Knowledge of IT architecture related to data, applications and technology (e.g., distributed applications, web-based applications, web services, n-tier applications)
Knowledge of acquisition practices (e.g., evaluation of vendors, vendor management, escrow)
Knowledge of requirements analysis and management practices (e.g., requirements verification, traceability, gap analysis, vulnerability management, security requirements)
Knowledge of project success criteria and risks
Knowledge of control objectives and techniques that ensure the completeness, accuracy, validity and authorization of transactions and data
Knowledge of system development methodologies and tools including their strengths and weaknesses (e.g., agile development practices, prototyping, rapid application development [RAD], object-oriented design techniques)
Knowledge of testing methodologies and practices related to information systems development
Knowledge of configuration and release management relating to the development of information systems
Knowledge of system migration and infrastructure deployment practices and data conversion tools, techniques and procedures.
Knowledge of post-implementation review objectives and practices (e.g., project closure, control implementation, benefits realization, performance measurement)

Domain 4—Information Systems Operations, Maintenance and Support (23%)

Provide assurance that the processes for information systems operations, maintenance and support meet the organization’s strategies and objectives.

Domain 4—Task Statements:

Conduct periodic reviews of information systems to determine whether they continue to meet the organization’s objectives.
Evaluate service level management practices to determine whether the level of service from internal and external service providers is defined and managed.
Evaluate third party management practices to determine whether the levels of controls expected by the organization are being adhered to by the provider.
Evaluate operations and end-user procedures to determine whether scheduled and non-scheduled processes are managed to completion.
Evaluate the process of information systems maintenance to determine whether they are controlled effectively and continue to support the organization’s objectives.
Evaluate data administration practices to determine the integrity and optimization of databases.
Evaluate the use of capacity and performance monitoring tools and techniques to determine whether IT services meet the organization’s objectives.
Evaluate problem and incident management practices to determine whether incidents, problems or errors are recorded, analyzed and resolved in a timely manner.
Evaluate change, configuration and release management practices to determine whether scheduled and non-scheduled changes made to the organization’s production environment are adequately controlled and documented.
Evaluate the adequacy of backup and restore provisions to determine the availability of information required to resume processing.
Evaluate the organization’s disaster recovery plan to determine whether it enables the recovery of IT processing capabilities in the event of a disaster.

Domain 4—Knowledge Statements:

Knowledge of service level management practices and the components within a service level agreement
Knowledge of techniques for monitoring third party compliance with the organization’s internal controls
Knowledge of operations and end-user procedures for managing scheduled and non-scheduled processes
Knowledge of the technology concepts related to hardware and network components, system software and database management systems
Knowledge of control techniques that ensure the integrity of system interfaces
Knowledge of software licensing and inventory practices
Knowledge of system resiliency tools and techniques (e.g., fault tolerant hardware, elimination of single point of failure, clustering)
Knowledge of database administration practices
Knowledge of capacity planning and related monitoring tools and techniques
Knowledge of systems performance monitoring processes, tools and techniques (e.g., network analyzers, system utilization reports, load balancing)
Knowledge of problem and incident management practices (e.g., help desk, escalation procedures, tracking)
Knowledge of processes, for managing scheduled and non-scheduled changes to the production systems and/or infrastructure including change, configuration, release and patch management practices
Knowledge of data backup, storage, maintenance, retention and restoration practices
Knowledge of regulatory, legal, contractual and insurance issues related to disaster recovery
Knowledge of business impact analysis (BIA) related to disaster recovery planning
Knowledge of the development and maintenance of disaster recovery plans
Knowledge of types of alternate processing sites and methods used to monitor the contractual agreements (e.g., hot sites, warm sites, cold sites)
Knowledge of processes used to invoke the disaster recovery plans
Knowledge of disaster recovery testing methods

Domain 5—Protection of Information Assets (30%)

Provide assurance that the organization’s security policies, standards, procedures, and controls ensure the confidentiality, integrity and availability of information assets.

Domain 5—Task Statements:

Evaluate the information security policies, standards and procedures for completeness and alignment with generally accepted practices.
Evaluate the design, implementation and monitoring of system and logical security controls to verify the confidentiality, integrity and availability of information.
Evaluate the design, implementation, and monitoring of the data classification processes and procedures for alignment with the organization’s policies, standards, procedures, and applicable external requirements.
Evaluate the design, implementation and monitoring of physical access and environmental controls to determine whether information assets are adequately safeguarded.
Evaluate the processes and procedures used to store, retrieve, transport and dispose of information assets (e.g., backup media, offsite storage, hard copy/print data, and softcopy media) to determine whether information assets are adequately safeguarded.

Domain 5—Knowledge Statements:

Knowledge of the techniques for the design, implementation, and monitoring of security controls, including security awareness programs
Knowledge of processes related to monitoring and responding to security incidents (e.g., escalation procedures, emergency incident response team)
Knowledge of logical access controls for the identification, authentication and restriction of users to authorized functions and data
Knowledge of the security controls related to hardware, system software (e.g., applications, operating systems), and database management systems.
Knowledge of risks and controls associated with virtualization of systems
Knowledge of the configuration, implementation, operation and maintenance of network security controls
Knowledge of network and Internet security devices, protocols, and techniques
Knowledge of information system attack methods and techniques
Knowledge of detection tools and control techniques (e.g., malware, virus detection, spyware)
Knowledge of security testing techniques (e.g., intrusion testing, vulnerability scanning)
Knowledge of risks and controls associated with data leakage
Knowledge of encryption-related techniques
Knowledge of public key infrastructure (PKI) components and digital signature techniques
Knowledge of risks and controls associated with peer-to-peer computing, instant messaging, and web-based technologies (e.g., social networking, message boards, blogs)
Knowledge of controls and risks associated with the use of mobile & wireless devices
Knowledge of voice communications security (e.g., PBX, VoIP)
Knowledge of the evidence preservation techniques and processes followed in forensics investigations (e.g., IT, process, chain of custody)
Knowledge of data classification standards and supporting procedures
Knowledge of physical access controls for the identification, authentication and restriction of users to authorized facilities
Knowledge of environmental protection devices and supporting practices
Knowledge of the processes and procedures used to store, retrieve, transport and dispose of confidential information assets

Where yo Go From Here

Where to Go From Here

If you can feasibly prepare for the exam before the exam date, you should immediately register for the exam. This obligation will help you to commit to a study and training regimen.

Familiarize yourself with the five domains.
Familiarize yourself with the Job Practice Areas, available on the ISACA website under the CISA exam section. The Job Practice is an analysis or breakdown of the five domains and how each domain “reflects the vital and evolving responsibilities of IT auditors.”
As said earlier, the Job Practice Areas also shows the proportion of each domain to the exam. For example, Domain 5 (“Protection of Information Assets”) comprises 30% of the exam, while Domain 2 (“Governance and Management of IT”) covers only 14%.
Finally, also in the Job Practice Areas section or the Candidate’s Guide, use the full list of statements as a structured checklist. Allocate your time accordingly.
Once you feel relatively confident, you may opt to take a practice exam to discover any possible gaps left to refresh before taking the real exam.
Remember during the exam to pace yourself accordingly, relying on the question/minute rate.

Good luck!