CISA certification guide: Certified Information Systems Auditor explained
- 11 April, 2019 20:00
The Certified Information Systems Auditor (CISA) certification validates your knowledge for information systems auditing, assurance, control, security, cybersecurity and governance. Offering by the Information Systems Audit and Control Association (ISACA), the credential is designed for IT and IS auditors who are tasked with evaluating an organization’s information systems to identify any issues or potential security threats. This globally recognized certification is one of the few certifications specifically designed for IT auditors.
CISA certification requirements
To apply for the CISA exam, you’ll need at least five years of professional information systems auditing, control or security work experience within the past 10 years. You can receive a waiver for up to three years of experience if you have the following:
- Maximum of one year of IS experience or one year of non-IS auditing experience
- The equivalent of a two- or four-year degree, which can be substituted for one to two years of experience
- A bachelor’s degree or master’s degree from a university that teaches the ISACA-sponsored curriculum, which can be substituted for one year of experience
- A master’s degree in IS or IT from any accredited university, which is equivalent to one year of experience
ISACA also offers exceptions for those who have spent two years as a full-time university instructor in a related field, which can be substituted for one year of experience.
Alternatively, you can opt to take the exam before you meet the requirements, and once the requirements are met, you’ll be awarded the CISA designation. This is a practice encouraged by the ISACA, but you’ll need to complete the prerequisites within five years after passing the exam.
The CISA exam
The CISA exam is graded on a scale of 200 to 800 points. To pass, you’ll need to earn a score of 450 or higher. You will be given four hours to complete the 150-question multiple-choice exam, which covers five main job practice areas in IS audit, control and security:
- Domain 1: The process of auditing information systems (21%)
- Domain 2: Governance and management of IT (16%)
- Domain 3: Information systems acquisition, development and implementation (18%)
- Domain 4: Information systems operations, maintenance and service management (20%)
- Domain 5: Protection of information assets (25%)
CISA’s five domains
Domain 1 covers the basics of IT auditing, which includes executing risk-based IT audits of high-risk areas and ensuring the strategy is compliant with audit standards. It also includes how to plan audits, conduct audits, communicate audit results and conduct follow-ups to see whether anything needs to be adjusted.
Domain 2 includes all the steps of evaluation IT auditors need to take to assure that “the necessary leadership and organizational structures and processes are in place to achieve objectives and to support the organization’s strategies and objectives,” according to the ISACA. Tasks include evaluating IT strategies, governance, organizational structures, resource management, portfolio management, risk management, control monitoring, reporting of KPIs and the organization’s business continuity plan.
Domain 3 involves all the steps for the acquisition, development, testing and implementation of IT systems to meet the organization’s goals. This includes evaluating proposed IT investments, contract management processes, IT supplier selection and project management frameworks. This domain also covers conducting reviews to ensure projects will be delivered on time, evaluating the readiness of IT systems for implementation and conducting post-implementation reviews.
Domain 4 covers everything you need to ensure that the processes for IT operations, maintenance and service management align with the company’s business goals. It involves evaluating IT management frameworks and practices and ensuring that the organization is following established best practices. It also includes evaluating how IT operations, maintenance, data quality, database management practices align with the business’ strategy and objectives.
The ISACA offers several options to prepare yourself for the CISA exam. You can choose from visual instructor-led training, online or on-demand review courses, print or downloadable review manuals, review questions and access to an answers and explanation database with a 12-month ISACA membership subscription.
You can also choose to attend a four-day in-person course hosted by the ISACA in different locations across the company. Alternatively, if your organization wants to certify a group of employees at once, IT leaders can bring the training directly to the company.
If you want to go a different route, you can also find courses and bootcamps offered outside the ISACA from third-party companies such as Infosec Institute, Learning Tree, Cybrary, Secure Ninja, Career Academy, BSI group and others.
CISA exam and maintenance fees
There are discounted exam fees for ISACA members, but if you want to pass on a membership, you can opt to pay higher fees for certification exams and renewals. To start, the exam requires a $50 application fee. Once your application is accepted, ISACA members can pay $415 for early registration, while non-members will need to pay $545 for early registration. After the early-registration period ends, the fee goes up to $465 for ISACA members and $595 for non-members.
To maintain your CISA certification, you’ll need to earn a minimum of 20 hours of professional education credits per year and 120 hours every three years. You’ll also need to pay the annual maintenance fee of $45 for ISACA members or $85 for non-members.
Certifications are great for filling out your resume with more experience and demonstrating your qualifications, but they can also help boost your salary. According to PayScale, the average salary for IT auditors with CISA certification is $99,000 per year. To compare, PayScale cites the average salary for an IT auditor is $65,000 and $85,301 for a senior IT auditor.