Chapter 1. The CISA Certification

This chapter will help you understand the Certified Information Systems Auditor (CISA) exam. This chapter covers the fundamentals of the CISA exam—including the intent, requirements, knowledge domains covered, types of questions you will encounter, scoring, test results, and more. The chapter explains the difference between the CISA exam and CISA certification. Understanding these fundamentals will help you better appreciate the complexity and scope of knowledge expected. It will also prepare you to navigate the exam.

Exam Intent

It is important that you understand the target audience and how the CISA exam has evolved over time. The CISA exam was established in 1978 by the Information Systems Audit and Control Association (ISACA). At the time of this writing, more than 129,000 individuals have obtained CISA certification worldwide, and more than 31,000 of them are audit directors, managers, consultants, or auditors. In North America, more than 33,000 individuals have CISA certification.

To understand the popularity of CISA certification, you need to understand the exam’s intent. The key mission of the CISA exam, as stated by ISACA, is as follows:

To develop and maintain a testing instrument that can be used to evaluate an individual’s competency in conducting information systems audits.

This mission statement only begins to scratch the surface of the intent of the CISA exam. Consider how much the business world and technology have evolved in recent years. Globalization, fueled by the Internet, has in many ways broken down national barriers. Technology has evolved at lightning speeds—beyond the capability of the current laws to keep pace. Core issues related to personal privacy, electronic surveillance, and corporate ethics continue to challenge how personal rights are perceived in this digital age.

No doubt we have all been recipients of the benefits of this digital and technology explosion. Just consider what today’s life would be like without the ability to instantly connect through smartphones or how narrow our perception of the world would be without the Internet.

As businesses and governments continue to innovate through technology, they challenge the boundaries between personal and professional life. It often seems that every aspect of a person’s life has been digitized somewhere by someone—from health records and school records to personal emails and photos. The advent of social media has made it increasingly difficult for us to control our own personal data or to maintain privacy.

As a result, businesses, governments, and individuals are on a constantly evolving journey, dealing with how to realize the benefits that technology provides while figuring out how to navigate the risks. On this journey, events and technology innovation continually redefine what is considered acceptable. Think about major cybersecurity breaches in which millions of customer credit card accounts or health care records are stolen. Or consider the evolution of autonomous vehicles: Driverless cars are more and more making life-and-death decisions on behalf of passengers and pedestrians.

Top leadership in any organization needs the assurance that the organization is doing everything possible to follow a common set of accepted rules and principles. In this way, top leadership can be assured that they are managing these technology risks in an acceptable manner.

Why the CISA Certification Is So Important

The CISA exam codifies a core set of commonly accepted technology rules and principles. CISA certification ensures that individuals have the competency to provide leadership with the assurance that their organization complies with these industry norms.

Why is this assurance to top leadership so important to an organization? In addition to just being the right thing to do, in many cases, it’s the law. Top leaders of an organization can be personally liable for failure to put in place digital safeguards to protect customers and shareholders from technology risks.

When the U.S. Congress passed the Sarbanes-Oxley Act of 2002, it wanted to restore the confidence of investors by improving the reliability of financial reporting and strengthening the control environment, such as information systems controls. The law calls out specific obligations for officers of a company, such as the principal executive (often called the chief executive officer) and financial officer (often called the chief financial officer), who must certify compliance with the law and ensure that the related control environment is in place and working. If this certification is found to be materially flawed or fraudulent, the officers can be held personally accountable and subject to heavy fines and potentially even prison time.

Senior executives need to know whether their organization is compliant with the Sarbanes-Oxley Act, but this can be a daunting task, especially in a large organization where operations and technical knowledge are siloed. Senior executives, therefore, need to have competent individuals to build, maintain, and audit their technology. We have looked briefly at a single law and a single company. Now take this one example and multiply by thousands of laws, rules, and regulations across thousands of companies in hundreds of industries. You can quickly see the need for a core set of commonly accepted rules and principles. The CISA exam addresses this important need, and that’s why it continues to gain popularity.

CISA: The Gold Standard

The CISA certification’s growth in popularity has made it the gold standard in the industry for many professionals. The certification is often seen as being key to advancement in information systems auditing and a growing number of other information systems roles.

To quickly get a sense of its importance, you can search any major job board, such as Indeed.com or Monster.com, for “CISA.” The results will reveal its popularity in the thousands of listings that note the CISA certification as a job requirement.

Over the years, the intent of CISA certification has moved well beyond the systems audit community. The individuals accountable for building, implementing, and maintaining technology controls have just as much need to understand the core set of commonly accepted rules and principles—and top leadership expects them to. The population of individuals taking the CISA exam today is diverse and includes many disciplines, including the following:

• Auditing

• Compliance

• Control

• Information security/cybersecurity

• Legal function

• Operations/information technology risk

In seeking to take the CISA exam, you are taking a major step forward into becoming part of this growing community of information systems control professionals!

Exam Requirements

Simply passing the CISA exam does not mean you are CISA certified. Remember that the CISA certification is intended to ensure that you are competent in your discipline related to the core set of commonly accepted rules and principles in information systems.

Think of it this way: If you passed the written driver’s license test without having spent much or any time behind the wheel, would you be competent to drive? Of course not. You also need driving experience under the watchful eye of an experienced driver. Once you pass the physical road test, in addition to the written test, you can obtain a driver’s license.

The CISA certification takes a similar approach, requiring a combination of passing a knowledge test and also demonstrating competence through actual work experience. To obtain CISA certification, you must meet four key requirements:

• Pass the CISA exam

• Demonstrate five years of professional work experience, which will be verified through your employer

• Agree to adhere to the ISACA rules related to the ISACA Code of Professional Ethics, standards, and continuing education

• Submit an application for CISA certification

CISA Exam Windows

In years past, the CISA exam was offered just three days per year. Starting in 2017, ISACA opened up three two-month CISA exam windows for taking the exam each year, and you now can take the exam in any available exam window.

The schedule is published on the ISACA website (www.isaca.org). The three exam windows can change from year to year but will typically align to the following schedule:

• May 1–June 30

• August 1–September 30

• November 1–December 31

The exam is administered by a professional testing company called PSI. To find the PSI locations for taking the exam, see the ISACA website (www.isaca.org/examlocations). Exam locations can fill up quickly, so it’s important to register at least a month before you plan to take the exam. In addition, each exam location services multiple certifications. It’s not unusual for a testing room to be filled with individuals taking tests for other certifications.

Scheduling to Take the Exam

The CISA exam is open to everyone, and scheduling to take the CISA examination is a straightforward process. All you need to start is to set up an account with ISACA through its website (www.isaca.org). Once you set up an account, you can schedule to take the CISA exam by clicking on My Certifications and then Exam Schedule. It is similar to shopping online in that you pick the product (in this case the CISA exam) and then pay for it during checkout.

After you register and pay, ISACA sends you an email confirmation. Several weeks prior to the scheduled test date, you should receive an admission ticket for the exam by email.

On exam day you must bring a government-issued picture ID. Without proper identification that exactly matches the admission ticket, you will not be allowed to take the exam. If you have any questions about the forms of acceptable identification, call the testing center directly. Generally, the testing centers accept the following forms of identification:

• Driver’s license

• Non-driver state ID card

• Passport or passport card

• Military ID

• Permanent resident card (green card)


Note

Be sure to arrive at the testing location early and well rested. If you are late, you may not be allowed to take the exam.

Check the weather forecast! Severe weather can close a testing center, in which case your exam will be rescheduled at no cost. You can contact the PSI test center or check the PSI website for closures due to weather.


Deadline to Apply for the CISA Certification

Once you pass the CISA exam, the results are good for five years. This means that if you don’t apply for CISA certification within five years of passing the CISA exam, you will be required to retake the exam.

The requirement to have five years of professional work experience often creates anxiety for individuals who are new in the technology field. The good news is that ISACA has a waiver program that allows individuals to substitute up to three of the five years of work experience. At the time of this writing, the waiver program generally allows the following substitutions for work experience:

• One year’s credit for either one year of information systems experience or one year of non-IS auditing

• One year’s credit for a two-year associate’s degree

• Two years’ credit for a four-year bachelor’s degree

• One year’s credit for a master’s degree

• Two years’ credit for Chartered Institute of Management Accountants (CIMA) full certification

• Two years’ credit for member status from the Association of Chartered Certified Accountants (ACCA)

• One year’s credit for every two years as a full-time university instructor in a related field (for example, computer science, accounting, information systems auditing)

You can mix and match these credits but cannot substitute for more than three of the five years of work experience.


Note

All work experience—including the substitutions listed here—must be within the past 10 years of the date of the application.


The best source of information on what ISACA will accept as credit for work experience is the CISA certification application form. The instructions on how to fill out the form detail the credits that are available, the restrictions, and how they can be combined. Be sure to download the correct form aligned with the year you passed the exam to identify any changes to the waiver program.

A CISA candidate has the option to specify in which language the CISA exam will be taken. At the time of this writing, the CISA exam can be taken in English, Chinese Simplified, Chinese Traditional, French, German, Hebrew, Italian, Japanese, Korean, Spanish, and Turkish. Not all languages may be offered at the same time, so it’s important that you check on the preferred language at the time and location you wish to take the exam.

For the purpose of planning, there are three key points to remember:

• Passing the CISA exam does not mean you are CISA certified.

• You must demonstrate five years of work experience and apply for the CISA certification within five years of passing the CISA exam.

• You can get up to three years’ work experience credit through the ISACA waiver program.

ISACA Agreements

As part of the CISA application, you must sign off on three agreements. You must agree to the following:

• To conduct yourself honestly and ethically and abide by the Code of Professional Ethics (see www.isaca.org/ethics for details)

• To abide by the information systems standards, as adopted by ISACA (see www.isaca.org/standards for details)

• To maintain your competency through continuing professional education (CPE) (see www.isaca.org/cisacpepolicy for details)

These three agreements are part of the CISA application form, and ISACA takes them very seriously. Violations are rarely found, but when a clear violation is identified, the penalty may include revocation of CISA certification.

You should read ISACA’s information on ethics, information systems standards, and the CISA CPE policy prior to taking the CISA exam. While much of the content of these agreements will not appear on the exam as specific questions, reading them will help you put yourself in the right mindset for the exam and immerse yourself in the language of and thinking behind the exam questions. (Any content-specific items that will be on the exam are covered in this book.)

What do we mean by having the right mindset for the exam? We will not go through these three agreements in detail, but consider the ethics document as an example. I have found the ethics document to be rich in content. It is short and easy to read, and it outlines core principles you need to follow as a professional and sets the bar on how you should think about the challenges presented to you.

The following is an example of a statement from ISACA’s Code of Professional Ethics:

Members and ISACA certification holders shall…perform their duties with objectivity, due diligence and professional care, in accordance with professional standards.

What do objectivity and due diligence mean? The meaning depends on the context. Suppose you are assessing a specific technology or solution, and a senior executive and decision maker had a bias for one of the solutions well before the assessment started. We all have some bias to some extent, but if the executive’s bias was preventing the team from looking at all the options honestly and openly, there would be a lack of objectivity and due diligence. We as professionals are obligated to have the objectivity to perform the proper level of due diligence. This often means we need to answer hard questions and elevate concerns to appropriate leadership, regardless of the consequences.

We’ll get into these topics more later in the book. For now, the takeaway is that preparing for the exam is not just about facts but also about mindset.

CISA Exam Domains

The CISA exam is divided into five job practice areas, or domains. (ISACA has used both the terms job practice area and job domain, and the two terms mean the same thing in the context of the CISA exam.) The CISA exam domains serve as the basis for the exam and the requirements to earn the certification. The exam domains consist of task and knowledge statements representing the work performed in information systems audit, assurance, and control.

These are the five domains:

• Domain 1: The Process of Auditing Information Systems: This domain and its exam section cover how IT audit services are provided in accordance with audit standards, including planning and conducting an audit and reporting findings. The exam section goes into detail related to tasks used to develop and implement a risk-based audit strategy.

• Domain 2: Governance and Management of IT: This domain and its exam section cover how information technology is governed and managed. You need to know the different parts of an organization and how risk is governed and managed across the organization.

• Domain 3: Information Systems Acquisition, Development and Implementation: This domain and its exam section cover best practices for the acquisition, development, testing, and implementation of information systems to meet the organization’s needs and strategic objectives.

• Domain 4: Information Systems Operations, Maintenance and Service Management: This domain and its exam section cover the information systems back-office operations, from the organization structure that supports it to the infrastructure and network technology it rides on. This exam section goes into detail related to tasks that provide assurance that the processes supporting information systems operations, maintenance, and service management meet the organization’s needs.

• Domain 5: Protection of Information Assets: This domain and its exam section cover information security and cybersecurity disciplines, including how to provide assurance that the organization’s security policies, standards, procedures, and controls are working properly. In addition, this domain involves ensuring the confidentiality, integrity, and availability of data assets. This domain speaks to both logical and physical security risks, as well as evolving technologies such as mobile computing.


Note

Don’t be thrown off by all the audit references in the training material available for the CISA exam. Look beyond these references and focus on the content.

In the early days, the CISA exam was primarily focused on information security auditors because ISACA was formed through the audit community, which saw a need for an information systems specialist audit discipline.

The information security auditor community regards CISA certification as its gold standard. Consequently, the information security audit community influences the exam and supporting material.


Table 1-1 describes the different exam domains in more detail and provides the percentage of the exam related to each domain.

Table 1-1 CISA Exam Domain Breakdown

Job Practice Area: Domain 1: The Process of Auditing Information Systems
Key Topics: Management of the IS audit function; ISACA IT audit and assurance standards and guidelines; Risk analysis; Internal controls; Performing an information systems audit; Control self-assessment; How information systems audits have evolved
Percentage of Exam: 21%

Job Practice Area: Domain 2: Governance and Management of IT
Key Topics: Corporate and IT governance; Technology monitoring; Assurance for board and senior management, maturity and process improvement models, IT investment and allocation practices, policies and procedures; Risk management; Information organization structure; Information organization responsibilities; Business continuity planning and auditing
Percentage of Exam: 16%

Job Practice Area: Domain 3: Information Systems Acquisition, Development and Implementation
Key Topics: Business realization; Project management; Application development; Acquisition and maintenance; Alternative forms of software project organization and development; Infrastructure development and acquisition; System development tools; Application controls; Application auditing
Percentage of Exam: 18%

Job Practice Area: Domain 4: Information Systems Operations, Maintenance and Service Management
Key Topics: Information systems operations; Information systems hardware; Information systems architecture; Information systems software; Information systems networks; Information systems infrastructure; Auditing infrastructure and operations; Disaster recovery planning
Percentage of Exam: 20%

Job Practice Area: Domain 5: Protection of Information Assets
Key Topics: Information security organization; Information security management; Logical access; Network infrastructure; Auditing information security management framework; Environmental controls; Physical access controls; Mobile computing
Percentage of Exam: 25%

Don’t be concerned at this point if many of the terms in Table 1-1 are unfamiliar. Use the table as a reference guide as you work through the subsequent chapters to understand the alignment of the chapters’ material to the exam domains. When you are finished with the rest of the book, return to this table to ensure that you have a solid understanding of each of these topic areas.

Question Format and Grading

The CISA exam consists of 150 multiple-choice questions with four possible answers each. (The number of questions was reduced from 200 to 150 in 2016.) You are allowed four hours to complete the exam.

One of the most significant changes for the CISA exam in 2017 is the shift from a paper-and-pencil system to computer-based testing (CBT). Not all testing locations have CBT capability, and where that is the case, the old paper-and-pencil system is still used. However, the CBT system is such a marked improvement that there is a significant push for all locations to adopt this technology.


Caution

CBT has many advantages, but the technology is not forgiving! Once you submit your answers, the test is done.

Be careful and review the questions you’ve already answered if you have the time. Just remember that once you submit the answers, the test is over.

If you are unfamiliar with CBT, arrive early and ask for a walkthrough. All testing locations will take the time to ensure that you are familiar with the CBT technology before you start the test.


Exam Grading

The CISA exam is graded on a scale from 200 to 800, with 450 being a passing score. ISACA sees a score of 450 or higher as demonstrating consistent understanding and knowledge of the material.

ISACA uses a scaling factor in scoring the exam. (It is not simply calculated as a percentage of the total number of questions correctly answered.) ISACA uses this scaling to normalize scores across a large population of test takers. That is, scores are reported on a scale, and the scale can be adjusted. Such scaling adjustments are almost always made so that an individual is not penalized for an outlier question or two. The scale eliminates the noise so the true competency of an individual’s knowledge of the subject material can be understood. Suppose, for example, that a new question is introduced and the vast majority of test takers answer incorrectly. ISACA has the capability through this scaling process to throw out the question without penalizing individuals.


Tip

You don’t need to fully understand how the grading works. The ISACA grading has evolved over many years and does not affect how you need to study for the exam. The best advice is to put your energy into exam preparation instead of focusing on the grade. If you put the work into preparation, the grade will take care of itself.


Exam Questions

The exam questions are often described as application based, which means the questions tend to be situational. This is not an exam you can pass simply by memorizing facts and figures. You must read each question carefully and apply the context of the situation to the answer. Consequently, it is important that you understand the concepts in this book and master when and how core exam material knowledge is applied.


Note

Reading the CISA exam question for context hints will greatly improve your chance of selecting the right answer.

Look for hints in key words and phrases such as most likely or best option. While all the answers may be possible, such hint words can help you narrow the choices.


Let’s consider a sample test question from the self-assessment on ISACA’s website for CISA exam preparation:

1. Which control is the BEST way to ensure that the data in a file has not been changed during transmission?

a. Reasonableness check

b. Parity bits

c. Hash values

d. Check digits

While you may rationalize that all the answers can be applied in some context, the hint word is important. The hint word here is BEST, so which of these acceptable methods provides the most assurance that data has not been changed during transmission?

To illustrate this point, let’s examine possible answers to the question, with a focus on finding the BEST way to determine if data was changed:

a. Reasonableness check—Used to approximate what data values are expected

b. Parity bits—Used to identify data errors

c. Hash values—Used to verify the integrity of data

d. Check digits—Used to verify data input

All these items listed in the answers could be indicators of potential data tampering. But remember that the hint word is BEST. So if you could have only one of these controls, which one, in the context of the question, would you choose? Answer C is correct because hash values focus on data integrity, which is defined based on the assurance of data accuracy.
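To see why the hash value is the stronger integrity control, here is an added example (not from the book or from ISACA) in Python that applies a simplified model of each of the four controls to a constructed payment record. A transmission error that flips a single bit is caught by parity, check digit and hash alike, while a deliberate transposition of two digits in the amount slips past the reasonableness check, the parity bit and the check digit and is caught only by the hash. The record layout, the mod-10 byte-sum check digit and the 0–10,000 amount range are assumptions made for the demo.

```python
import hashlib

# Constructed sample record; field names and value range are demo assumptions.
ORIGINAL = b"AMOUNT=100.00;PAYEE=ACME"


def reasonableness_ok(record: bytes) -> bool:
    """Reasonableness check: is the amount inside the expected business range?
    Only the value is inspected, so any change that stays plausible passes."""
    try:
        amount = float(record.split(b";")[0].split(b"=")[1].decode("ascii"))
    except (IndexError, ValueError, UnicodeDecodeError):
        return False  # an unparseable amount is treated as unreasonable
    return 0 < amount <= 10_000  # assumed range for the demo


def parity_bit(data: bytes) -> int:
    """Even-parity bit over the whole record: 1 if the count of 1 bits is odd."""
    return bin(int.from_bytes(data, "big")).count("1") % 2


def check_digit(data: bytes) -> int:
    """Simplified check digit: byte sum mod 10 (a data-input control, not crypto)."""
    return sum(data) % 10


def sha256_hex(data: bytes) -> str:
    """Cryptographic hash: any change to the input changes the digest."""
    return hashlib.sha256(data).hexdigest()


def detect_change(original: bytes, received: bytes) -> dict:
    """Report, per control, whether it notices a difference between sent and received."""
    return {
        "reasonableness": not reasonableness_ok(received),
        "parity": parity_bit(original) != parity_bit(received),
        "check_digit": check_digit(original) != check_digit(received),
        "hash": sha256_hex(original) != sha256_hex(received),
    }


def flip_bit(data: bytes, bit_pos: int) -> bytes:
    """Simulate a line error: invert one bit (bit 0 is the MSB of byte 0)."""
    buf = bytearray(data)
    buf[bit_pos // 8] ^= 1 << (7 - bit_pos % 8)
    return bytes(buf)


def transpose(data: bytes, i: int, j: int) -> bytes:
    """Simulate tampering: swap two bytes, which leaves the byte multiset
    (and therefore the parity and the byte sum) unchanged."""
    buf = bytearray(data)
    buf[i], buf[j] = buf[j], buf[i]
    return bytes(buf)


if __name__ == "__main__":
    noisy = flip_bit(ORIGINAL, 3)          # 'A' -> 'Q' in the field name
    tampered = transpose(ORIGINAL, 7, 8)   # "100.00" -> "010.00"
    print("single-bit error :", detect_change(ORIGINAL, noisy))
    print("digits transposed:", detect_change(ORIGINAL, tampered))
```

Only the hash column is True in both runs, which is the point behind the hint word BEST: the other three controls each catch some changes, but only the hash catches every change.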

Understanding the exam question language, format, and context takes some practice. As you move through this book, you will become more familiar with how to answer the exam questions. This book is designed to help you quickly assess questions, identify hint words, and understand context. As you master these skills, you will find that narrowing down to the correct answer is much easier.

Getting Exam Results and Retests

Official CISA exam results are mailed approximately five weeks after you take the exam. After working for months to prepare for the exam, waiting so long may be frustrating.

The good news is that with the adoption of CBT technology, many testing centers provide an unofficial score the same day. Be sure to ask on the day of the exam how to obtain your unofficial score. In fact, some CBT systems display your raw unofficial score when you submit your answers to end the testing session. So be sure to read the screen carefully after submitting your answers.

Unfortunately, if you are at a location that only offers paper-and-pencil testing, you will have to wait longer for your scores. However, ISACA recognizes this frustration and is continuously working to improve the process. You can also opt in for email notification during registration, and you will receive an email indicating passing or failure before the official results are mailed.

Scores also become available through the ISACA website. Look in your profile at the My ISACA > My Certifications page on the ISACA website.

The official exam results show your scores for all the domains. While the scale grading may be hard to understand, the domain scores help you identify areas of strength and weakness. The domain breakdown is particularly useful if you do not pass the exam the first time, as it will help you determine which domains need the most exam prep effort.

To retake the CISA exam, you simply register for the exam again and pay the appropriate exam fee. The one restriction is that you are not allowed to take the exam twice within the same testing window. For example, if you failed the exam in May (during the May–June testing window), the soonest you can retake the exam is August (during the August–September testing window). In other words, you can’t fail the exam in May and retake the exam in June, as that would be the same testing window.

Maintaining CISA Certification

Once you have obtained your CISA certification, you must pay an annual fee and keep your knowledge current through continuing professional education (CPE). The CPE policy at the ISACA website details the educational requirements to maintain certification (see www.isaca.org/cisacpepolicy).

The following are the highlights of the CPE policy:

• Attain and report an annual minimum of 20 CPE hours

• Annually report the CPE hours you have earned

• Attain a minimum of 120 CPE hours for a three-year reporting period

Reporting CPE Hours Earned

You can pay the annual maintenance fee and report your CPE hours through the ISACA website (My ISACA > My Certifications). You can easily see if any fees are owed or CPE hours are missing (see Figure 1-1).

A snapshot showing the ISACA Credit Tracking – 3 year Requirements Summary.

Figure 1-1 ISACA Credit Tracking

The ISACA website has greatly improved in recent years. From the My Certifications page, you can manage all your ISACA certifications, pay fees, and report CPE hours.

All certifications are assigned a three-year cycle. Figure 1-1 is an actual screen shot from the My Certifications page. This page quickly shows your progress in maintaining your CISA certification. In this example, the certification is on a three-year cycle starting in 2015 and ending in 2017. This means that by the end of 2017, the individual must have earned 120 CPE hours, and at least 20 of them must have been earned within each of the three years 2015, 2016, and 2017.

As Figure 1-1 illustrates, assuming that the current year is 2017, the individual has met the ISACA CPE requirements so far by earning 94 CPE hours during 2015 and 2016 and meeting the minimum threshold of 20 CPE hours per year. To complete the CPE requirements, this person must complete a minimum of 26 (120 – 94 = 26) CPE hours in 2017. Also note in Figure 1-1 that this person has a warning message that says that to maintain the CISA certification, the individual also needs to pay the annual renewal fee.

Earning CPE Hours

Earning 120 CPE hours may seem daunting. The best advice is to plan and spread the hours as evenly as possible over the three-year cycle, which means aiming for at least 40 hours of CPE credits per year.

There are many ways to earn CPE hours. Consider the following list from the CPE policy guide, for example:

• ISACA professional education activities and meetings

• Non-ISACA professional education activities and meetings

• Self-study courses

• Vendor sales/marketing presentations (10-hour annual limit)

• Teaching/lecturing/presenting

• Publication of articles, monographs, and books

• Exam question development and review

• Contributions to the IS audit and control profession

• Mentoring (10-hour annual limit)


Note

ISACA has more than 200 local chapters worldwide. Becoming involved with a local chapter is a great way to network with professionals and earn CPE hours. Many ISACA local chapters hold low-cost (or free) education seminars and meetings for which you can earn CPE hours.

In addition, remember to register your CPE hours promptly and retain evidence of participation (such as a certificate of attendance) in case ISACA challenges the CPE hours. It’s much easier to remember the details and hours spent immediately after an event than to scramble at the end of each year.


Top 10 Tips and Tricks

The following is a quick, high-level review of a number of tips and tricks that will help you prepare for the CISA exam and get ready for exam day:

• Tip 1: Read through this book at least twice. Become familiar with the language of and mindset behind the material.

• Tip 2: Focus on the context of the question. Ask what key problem each question is trying to solve. That may mean rereading a question several times. A single word or phrase, including hint words, can change the context and lead to a different meaning. Understand why one answer is more suitable than the others.

Even as you focus carefully on each question, keep in mind that it is a timed test. Taking a disciplined approach to reading the questions will help you build a natural rhythm in taking the exam.

• Tip 3: Arrive at least 30 minutes early. Assume that there will be delays and be flexible. Don’t be afraid to ask questions about the facilities and CBT options.

• Tip 4: Look for additional prep material judiciously. There is a lot of material on the market and available for free. Much of it is outdated. You can get prepared more quickly with a few well-constructed sources that you have reviewed multiple times than with massive amounts of verbose, conflicting sources.

• Tip 5: The CISA Review Questions, Answers & Explanations (QAE) Manual from ISACA is an excellent prep guide supplement. The manual contains in-depth questions, answers, and well-constructed explanations.

• Tip 6: Take your time to prepare. Everyone learns at a unique pace and starts with a unique set of knowledge and skills. You are not likely to pass the CISA exam through last-minute cramming sessions.

A typical CISA prep schedule may be two to four months or longer, depending on the amount of time and knowledge you have.

• Tip 7: The week before the exam, focus on sample tests. Be sure to work on the mindset and rhythm mentioned in Tip 2.

• Tip 8: Reach out to the local ISACA chapter. Often these chapters have CISA study groups and mentors to help you understand the material and get you motivated!

• Tip 9: Don’t burn out before the test even begins. Relax the day before you take the exam and take the day off on exam day so your body and mind are fresh.

• Tip 10: Bring a brown bag lunch and a snack such as a protein bar to the testing center just in case it doesn’t have vending machines. Each testing center is different, and you may end up in an exam center that offers only a drinking fountain and a rest room.

Chapter Summary

This chapter examines the fundamentals of the CISA exam. It discusses the history and intent of the exam, including why CISA certification is so important.

The chapter also discusses the difference between the CISA exam and CISA certification. It explains the requirements and deadlines for applying for CISA certification and how to maintain the certification once achieved.

The chapter explores the five domains of the CISA exam. It shows how each domain is weighed and gives you a look at the question format.

Finally, one of the most important takeaways from the chapter is the importance of having the right mindset going into the exam. The chapter discusses how to break down an exam question and look for context and hint words. The chapter provides a list of 10 tips and tricks to get ready for exam day.

Attaining CISA certification distinguishes you as being highly qualified to work in information systems auditing, control, or security. Passing the CISA exam is not easy. But the rewards in personal growth and professional recognition are substantial. The likelihood of passing the CISA exam is higher if you have deep background knowledge in information systems. Regardless of where you are on the learning curve, a CISA preparation plan is a must. Even for seasoned professionals, having a solid plan for preparing to take the CISA exam is essential.

Subsequent chapters focus on the CISA exam content and the knowledge needed to answer exam questions.

Define Key Terms

Define the following key terms from this chapter and check your answers against the glossary:

audit function

CISA certification

CISA exam domains

CISA exam windows

Code of Professional Ethics

compliance function

computer-based testing (CBT)

continuing professional education (CPE)

control function

CPE hours

domains

information security/cybersecurity

information systems standards

job practice areas

legal function

mindset

My Certifications (ISACA website)

operations/information technology risk

waiver program

• Job Practice Areas 2017: www.isaca.org/certification/cism-certified-information-security-manager/job-practice-areas/pages/default.aspx

• Prepare for the CISA Exam – Documents: www.isaca.org/Certification/CISA-Certified-Information-Systems-Auditor/Prepare-for-the-Exam/Documents/Forms/AllItems.aspx
