The Certified Information Systems Auditor (CISA) credential, offered through ISACA, requires certified practitioners to attain continuing professional education (CPE). The CPE program is designed to ensure that CISAs maintain their current knowledge and proficiency in auditing, monitoring, assessing, and controlling information systems (IS).
CISA CPE Guidelines
CPE refers to professional development activities related to technical and managerial training for IS assessment and for improving audit, security, or control skills. Only training outside of regular on-the-job activities count as CPE.
ISACA requires a minimum of 20 CPE hours annually and a minimum of 120 hours over a three-year period. CISAs need to keep records of their CPE activities and report their CPE hours. ISACA may elect to audit a CISA’s CPE activities and request supporting documentation.
In addition to earning CPE credits, there are several other requirements for maintaining the certification. CISAs must:
Adhere to ISACA’s Professional Code of Ethics
Agree to abide by ISACA’s auditing standards for information technology
Submit an annual fee to ISACA
How Can I Earn CISA CPEs?
ISACA has 11 categories that qualify as CPEs, and some of the categories have limits on how many hours you can earn.
The following categories don’t have a limit:
ISACA professional education: This includes seminars, workshops, and conferences offered by ISACA, as well as chapter activities such as meetings and programs. CPE hours are based on active participation, and chapter meetings earn at least one hour regardless of duration.
Non-ISACA professional education: This is a broad category that includes professional meetings, university courses, corporate in-house training, seminars, conferences and so forth. Certification review courses also qualify if they advance IS audit, control or security skills or expertise related to audit-related management. CPE credit is earned based on active participation but successfully completed university courses count as 15 CPE hours per semester credit hour (semester is 15 weeks) and 10 CPE hours per quarter (10 weeks) credit hour.
Self-study courses: To qualify for CPE credit, self-study courses need to offer a certificate of completion that specifies the number of CPE hours earned for the course. Other activities that are included in this category are online eLearning presentations by ISACA, such as webinars. Additionally, you can earn one hour for passing an ISACA Journal quiz.
Teaching, lecturing and presenting: CPEs can be earned for developing and delivering IS professional education programs as well as self-study or distance education courses; however, you may not earn credits for delivering the same material again unless you extensively change the content. Courses and presentations earn CPEs at five times the presentation time or estimated delivery time for the first delivery. For the second delivery, only the actual presentation time counts. The calculation for self-study and distance education is hour-per-hour for upgrading and maintaining the course but is limited to double the time that the course is estimated to take.
Publication activities: This category includes publication or review of materials related to IS systems and control, such as articles, books, and monographs, as long as the materials are published in a formal print or online publication and copies are available. Credit is based on the actual time that it took to create the content.
Development and review of exam questions: You can earn CPEs for developing or reviewing materials related to the CISA exam. Each question that’s accepted by a CISA review committee earns two CPE hours, while the review hours are counted based on time spent.
Other professional examinations: Related professional examinations count toward CPE if you achieve a passing score, with two CPE hours earned per examination hour.
CPE categories that have an annual limit include:
Activities on ISACA boards and committees (20 hours): CPEs are calculated based on active participation on the board, committees, subcommittees and task forces, as well as activities of officers of ISACA chapters.
Professional contributions (20 hours): This category includes contributions both to ISACA and other bodies that relate to the information systems audit and control profession. Some examples include research development and peer reviews.
Mentoring (10 hours): Coaching, assistance with CISA exam preparation and career advice are some example of activities that may qualify. Refer to ISACA guidelines for specific guidance.
Sales and marketing presentations by vendors (10 hours): Sales presentations for products and systems count toward CPEs if the vendor offering is specific to IS.
How Do I Calculate CISA CPE Credits?
For professional activities such as presentations, conferences, meetings and workshops, every 50 minutes of active participation count as one CPE hour. You can also earn the credit in quarter-hour increments. When calculating the total time for an event, subtract time for lunch and breaks, and round your calculation to the nearest quarter hour.
What Are Some Free Ways I Can Earn CISA CPEs?
ISACA has a variety of opportunities that allow CISAs to earn free credits every year. Additionally, other organizations such as SANS offer free training like webinars to their members. Joining an ISACA chapter will also present opportunities for professional programs. You may find enough free activities available to satisfy the minimum annual and three-year requirements.
Here’s how you can earn free CPEs directly through ISACA:
Online education — webinars, virtual conferences, CPE quizzes for members: up to 36 free CPEs.
Volunteer activities — participation in activities of the ISACA and IT Governance Institute board, committees or working groups; volunteering for ISACA projects; and chapter officer activities earn CPEs subject to the 20-hour per year limit.
Conferences — ISACA sponsors several conferences across the globe every year, and you can earn up to 32 CPEs for each event.
Online courses — you can access a variety of on-demand online courses, which are recorded live at professional training events and conferences and earn up to 26 CPEs per course.
Training courses — ISACA offers four-day training programs across the country throughout the year, and you can earn up to 32 CPEs per course.
Mentoring — Subject to the 10-hour per year limitation, you can earn CPEs for mentoring someone in qualifying activities related to career guidance through the credentialing process and related to certification exam preparation.
Have There Been Any CISA CPE Policy Changes Recently?
ISACA changed CPE policies for all its certifications, including CISA, in 2014, related to the professional examination category. Starting January 1, 2014, CISAs can earn two times the number of CPEs per examination hour as long as they pass the examination.
For more information about the CISA program and how to maintain certification, visit ISACA’s website.