ISACA, also known as the Information Systems Audit and Control Association, is a membership association for Information Technology (IT) and information systems (IS) professionals. ISACA’s global membership is comprised of professionals from a diverse range of IT positions such as IS auditor, IS security and risk professionals, chief information officer, internal auditor, and consultant. These professionals are employed in virtually every industry: finance and banking, government, public accounting, utilities, and manufacturing. ISACA supports its members by offering resources to help them enhance their skills and broaden their professional knowledge. ISACA supports research and development of IT products that are valuable in the areas of IT governance, control, assurance, and security.
ISACA offers certification programs that are recognized and accepted around the globe. Professionals with an ISACA certification enhance their credibility and recognition within their profession, and have access to greater job opportunities and earnings potential. One such certification offered by ISACA is that of Certified Information Systems Auditor (CISA). Individuals who audit, monitor, control, and assess the IT and business systems of an organization seek to obtain the CISA certification, as it represents a high standard of qualification and achievement.
Information Systems auditing, control, and security professionals must comply with specific criteria in order to receive the CISA designation. In addition to meeting specific work experience and other requirements, a candidate for CISA must successfully complete the CISA examination that is offered by ISACA. The CISA certification examination consists of 150 multiple-choice questions that cover the following five job practice areas: Governance and Management of IT; Information Systems Acquisition, Development, and Implementation; Process of Auditing Information Systems; Protection of Information Assets; and Information Systems Operations, Maintenance, and Support.
Each job practice area is weighed differently, with emphasis on certain questions. The Process of Auditing Information Systems requires examinees to demonstrate that they provide audit services as per the standards of IT auditing with the objective of helping organizations protect and control their information systems. The emphasis of the questions that will appear on the examination relating to this topic is 21%.
Also representing 16% of the emphasis will be the questions relating to the job practice area of Governance and Management of IT. For this portion of the examination, the individual must demonstrate an ability to assure that the required leadership, structures and process of an organization exist for the purposes of achieving the organization’s objectives and supporting its strategy.
The section on Information Systems Acquisition, Development and Implementation will account for 18% of the weight of the examination. Examinees will need to demonstrate their ability to ensure that the practices and processes for acquiring, developing, testing, and implementing information systems align with the strategies and objectives of an organization.
Accounting for 20% of the emphasis will be those questions relating to Information Systems Operations, Maintenance and Support. For these questions, examinees will need to demonstrate their ability to ensure that the practices and processes for the operations, maintenance, and support of an organization’s information systems align with the strategies and objectives of the organization.
The job practice area that weighs the most, Protection of Information Assets, comprises 25% of the weight of all examination questions. Examinees will need to demonstrate their ability to ensure that the security policies, standards, procedures, and controls safeguard the confidentiality, integrity, and availability of an organization’s information assets.
Any IT professional who is interested in the audit, control, and security of information systems is encouraged to prepare for and take the CISA examination. Prior to each examination, ISACA makes an Exam Registration Information Bulletin of Information available online for anyone who is interested in taking the examination. The Bulletin of Information contains a registration form that must be completed and returned to ISACA for processing.
Why Take the CISA Examination?
Why is certification important? There are many valuable personal and professional benefits to obtaining certification.
From a professional standpoint, passing the CISA examination and obtaining ISACA certification may be required for specific jobs; many organizations and governmental agencies around the world recognize and require ISACA certification. Even if certification is not required, by preparing for and successfully passing the CISA examination, individuals demonstrate their knowledge and bring value to the enterprise where they work. Many organizations today recommend that employees become certified as demand for professionals who possess IS audit, control, and security skills increases. Those who obtain and maintain their ISACA certification show others they are motivated to learn the latest job-related skills, thereby enhancing their professional credibility.
Another benefit to passing the CISA examination and obtaining certification is that the professional will enjoy increased opportunities for employment and greater earnings potential. Employers know that CISA certification is a standard of competence, and they recognize that an individual who is sufficiently motivated to study and take the CISA examination will be equally motivated to do well on the job. Employers are likely to demonstrate a hiring preference for job applicants who possess certification or promote an employee who is already certified. In addition, ISACA-certified professionals can command a higher salary than their non-certified counterparts. Studies have shown that individuals with the ISACA certification are among the highest paid of all IT professionals. By passing the CISA examination and obtaining ISACA certification, many individuals have gone on to obtain jobs as CIOs, security directors and managers, or work in consulting positions in IT operations or compliance.
The first step toward obtaining ISACA certification is to register to take the CISA examination one of the two times it is offered each year. Once the applicant has successfully registered for examination, they should spend whatever time is necessary to properly prepare for and pass the examination. Upon successfully passing the examination, the next step is to submit the application for CISA certification. This process requires the applicant to also submit documentation substantiating the work experience and education requirements.
Professionals who are members of ISACA are eligible to receive various discounts, including a discount on the CISA examination registration and certification maintenance fees. ISACA members gain a wealth of additional professional benefits including networking support, access to job boards, career enhancement options, ISACA news, updates, and professional journals, opportunities to participate in standards development, and much more.
Earning CISA certification from ISACA and meeting the necessary renewal requirements is vitally important for anyone who wants to distinguish themselves in the field of IS audit, control, and security. Professionals who have worked hard to pass the CISA and obtain certification have taken a key step toward ensuring themselves and others that they possess the skills and knowledge in order to perform their job in a skilled, competent manner, performing at the highest industry and professional standards.
CISA Examination Logistics
The Information Systems Audit and Control Association, more commonly known as ICASA, offers the Certified Information Systems Auditor (CISA) examination twice each year, in June and December. Once an examination registrant has submitted a properly completed examination registration form and full payment, ISACA will process the documentation and send an email confirmation acknowledging receipt of it.
ISACA sends candidates an admission ticket approximately two to three weeks before the CISA examination date. ISACA will mail the registrant a physical ticket and also email them an e-ticket that can be printed out and brought the day of the examination. This admission ticket is important in that it contains the date and location of the CISA examination as well as the registration time. The ticket also provides a schedule of events that will occur on the date of the examination and a listing of the materials the registrant must bring along in order to be able to take the examination. Registrants are advised to not write anything on the admission ticket other than changes to contact information. Anyone who has not received their admission ticket within 10-12 days of the date of the examination should contact ICASA either via email or telephone.
In order to gain entrance to the examination, you must have your admission ticket and an acceptable form of government issued identification, such as a driver’s license, passport, military identification, or state-issued identification. Your name as it appears on your identification must match the way it appears on your admission ticket. Improper or invalid identification is sufficient cause to deny a registrant admission to the examination. It is also important to note the specific registration and examination time that is noted on the admission ticket and arrive on time. Once the chief examiner begins reading the oral instructions, 30 minutes before the start of the examination, no one else will be admitted to the examination.
ISACA takes any form of misconduct during the CISA examination very seriously. Any examinee is found to be either giving or receiving help during the examination, using notes or some other test aid, or using any type of communication device including a cell telephone, will be disqualified from the examination and subject to legal actions that may be taken on the part of ISACA. Candidates are not permitted to remove examination-related information from the testing room. What is more, examinees are not permitted to bring any type of communication device into the testing area nor can they leave the testing room without proper authorization or unless accompanied by the test proctor.
The official results of the examination will be mailed to examinees approximately eight weeks after the date of the test. Candidates who indicated consent on the registration form will also receive an email from ISACA advising them of their pass/fail status and score. ISACA will email these results only to the email address noted in the examinee’s profile at the time they initially release the test results. The official test results letter will provide a score analysis by content area.
ISACA uses a scale for scoring and reporting examination results, converting the examinee’s raw score and reporting it on a scale of between 200 and 800. A scaled score of 200 is the lowest possible score, indicating that very few questions were answered correctly. A scaled score of 800 means the examinee answered every question correctly and has received a perfect score. In order to pass the examination, a score of at least 450 is required. ISACA’s CISA Certification Committee has designated 450 as the minimum standard of knowledge for those examinees who wish to proceed in applying for CISA certification. Examinees who do not pass can re-take the examination by re-registering and paying another examination fee.
Preparing for the CISA Examination
The CISA examination lasts four hours. Examinees should follow all instructions closely and read each of the 200 multiple-choice questions carefully and completely. Each question has four response options. Examinees are not penalized for incorrect answers, so they should answer every question with the response they believe best answers the question. To be fully prepared for the examination, the registrant should understand that it covers five specific job practice areas, or domains. Within each domain, there are certain tasks the examinee is expected to be able to perform and the knowledge statements indicating the learnings required to complete each of the tasks. What follows are examples of each.
Within Domain 1, the Process of Auditing Information Systems, the professional should be able to develop an IT audit strategy in compliance with IT standards and also plan and conduct specific audits, reporting on their findings. He/She should also be able to follow up with the organization being audited to ensure appropriate actions have been taken by management. To do this, the individual should have knowledge of ISACA audit and assurance standards, information systems controls and control objectives, audit planning and project management, fundamental business processes, sampling methodologies, and applicable laws and regulations.
The next domain, Governance and Management of IT, requires the professional to evaluate an organization’s IT governance structures, IT strategy, IT policies and procedures, and the adequacy of the organization’s management and monitoring controls and resources as well as its risk management practices. For this, the individual must understand organizational structures, the processes for implementing and maintaining an IT strategy, and quality management systems. Supplier selection, risk management, IT performance monitoring and reporting practices, and business impact analysis are also key knowledge areas.
Several tasks required for the third domain, Information Systems Acquisition, Development, and Implementation include evaluating an organization’s proposed investments in acquiring and maintaining IT systems, evaluating project management practices for cost effectiveness and risk management, reviewing projects to ensure they are progressing according to plans, and conducting post-implementation reviews. Professionals should be knowledgeable in the areas of project governance mechanisms, project management controls and tools, IT architecture related to data, applications and technology, and knowledge of testing practices, configurations and release management when developing information systems. Also important is knowledge of post-implementation objectives and practices, such as performance measurement.
The fourth domain, Information Systems Operations, Maintenance, and Support requires the professional to evaluate service level and third-party management practices, operations and end-user procedures, information systems maintenance processes including problem and incident management and disaster recovery plan. The professional must be knowledgeable on service level management practices and components, concepts of hardware, network components and system software, system control techniques and resiliency tools, database administration practices, and database administration. Also key is knowledge of practices for data backup, storage, maintenance, and retention, as well as regulatory, legal, and insurance matters relating to disaster recovery.
Protection of Information Assets is the fifth domain. The IT professional must be able to evaluate information security policies and procedures for thoroughness and alignment with generally accepted standards, evaluate system and logical security controls for confidentiality, integrity and availability of information, and evaluate processes for storing, retrieving, transporting and disposing of information assets. Knowledge of implementing and monitoring security controls, knowledge of network and Internet and security devices and protocols, knowledge of encryption techniques, and knowledge of evidence preservation techniques and procedures used in forensics investigations are all important requirements.