CISA is possibly the one ‘pure’ information systems audit qualification that is recognised everywhere. It is balanced between technical IT knowledge and business understanding. There are other IT audit certifications – such as the IIA’s aborted QiCA – but none with the universal recognition CISA holds. Having said that, it is a baseline and not a gold standard. If you can’t pass it after a few years’ experience, you probably shouldn’t be an IT auditor. Holding it doesn’t prove your competence in any particular area – but it does verify that you understand what you are doing and have the skills and experience to undertake at least the simpler audit assignments.
How can I obtain a CISA qualification?
There are two things you need to do to qualify: Pass a 200 question multiple choice exam in 4 hours, and demonstrate 5 years relevant experience. You can get a year or two off the experience requirement from relevant degrees and qualifications, or other relevant experience.
The exam is wide in its scope, but for anyone with a good all-round understanding of enterprise IT and a comprehension of business risk it should not be too hard. There is a book to support it and also a CD question bank for practice – both are worth having. The book is mind-numbingly dull and best used as a tool to identify any areas within the syllabus where you may need further study. The CD is a far-too-accurate practice question tool, and many candidates have noticed a strong similarity between some of the CD questions and exam questions on the day. Still, a few similar questions are nowhere near enough to pass on, so use the practice questions to identify areas of weakness. Address these areas with the book or other resources, then re-test yourself.
What does it cover?
The syllabus is split into six domains. You need to do well in all areas to pass the exam, but some areas are more important than others:
- IS Audit Process – 10% exam weighting
- IT Governance – 15% exam weighting
- Systems and Infrastructure Lifecycle Management – 16% exam weighting
- IT Service Delivery and Support – 14% exam weighting
- Protection of Information Assets – 31% exam weighting
- Business Continuity and Disaster Recovery – 14% exam weighting
What does it cost?
The exam is around the $500 mark. You don’t have to attend a course, but a number of organisations run CISA preparation classes commercially.
How long will it take?
It varies from person to person. If you have IT audit experience, good IT knowledge and a strong background in business, you may be able to get away with as little as a few hours’ preparation. If there are gaps in your knowledge, you have a technical background that has focused on specific areas of the syllabus, or your IT knowledge is weak (for example, you’ve moved recently from a general audit background to an IT audit role), you will need more time. You may want to take relevant courses, read up on weak areas, and spend a few months preparing for the exam.
If you’re doing well in every area on the CD, you should do well in the exam.
Do I get letters after my name?
Yes, you can use the letters CISA, as long as you keep your certification up to date.
Do I need to do CPD?
Yes. You need 20 hours of verifiable CPD a year, and a total of 120 hours over 3 years. However, if you don’t have the time to go on a week-long course each year, ISACA branches run regular seminars, and you can also gain CPD from completing a quiz in their journal or from taking part in branch activities.
Is it for me?
Given the very reasonable cost and the fact that most employers look for it when recruiting, if you’re an IT auditor and you haven’t done CISA yet you should probably have your head examined. The bottom line is that CISA makes you a safer hire, and therefore more likely to get the job you’re looking for at an acceptable salary.
How do I get started with a CISA certification?
Visit the CISA pages on the ISACA web site and enrol.