Certified Information Systems Auditor (CISA): Exam Details and Processes [Updated 2019]
The Certified Information Systems Auditor (CISA) certification is for individuals who have interest in information systems auditing, control and security. It is a globally recognized certification for IS audit control, assurance and security professionals. It validates your experience in auditing and demonstrates you are capable of accessing vulnerabilities, reporting on compliance and instituting controls within an enterprise.
CISA certification is one of the four certifications granted by ISACA. This association was established in 1969 and has franchises in 180 countries. The CISA certification was launched in 1976 and it is an attractive choice for many IT professionals.
Benefits of CISA Certification
Once you are CISA-exam certified, it confirms your knowledge and experience in IS, quantifies your expertise and shows you have the knowledge required to meet the challenges seen in a dynamic and modern enterprise. After certification, you will be a more valuable employee to your organization and you will have a competitive advantage over your peers when it comes to looking for a job.
Here are three key benefits of earning your CISA certification:
- It’s the best qualification in your niche: CISA is even more technical than CIA and CPA. Proving your technical expertise in IT auditing can be a great investment.
- IT auditing is becoming an emerging field: Demand for IT auditing services has increased as more and more accounting functions are performed through information systems. You will be surprised to know the highest demands for CISAs comes from financial institutes in audit and non-audit capacities.
- Higher salary: IT auditing gets you a higher salary compared to a general internal audit salary.
Understanding the Five CISA Domains
The CISA exam consists of five domains. Each of them is explained as follows:
- Processing of auditing information systems: This domain covers how IT auditors provide their services in accordance to the IT audit standards to assist organizations in the protection and control of information systems. It also includes development and implementation of risk-based IT audit strategy, planning and reporting the findings. The domain includes the following topics:
- Risk-based IS audit strategy
- Planning and conducting audits
- Control self assessments
- Communicating audit results and follow up
- Governance and management of IT: This domain covers how auditors provide assurance the structure and processes of an organization are in place. The domain includes the following topics:
- Evaluate the IT strategy; IT governance structure; organization structure and HR management; IT policies; and standards and procedures
- Evaluate IT resource management and IT portfolio management
- Evaluate risk management practices and IT management
- Evaluate controls and KPIs
- Evaluate the business continuity planning of the organization
- IS acquisition, development & implementation: This domain covers how IT auditors provide assurance that the acquisition, development, testing and implementation of the IS meet the objectives of the organization. The domain includes the following topics:
- Evaluate the business case for proposed investments
- Evaluate the IT supplier selection and contract management processes
- Evaluate the project management framework and conduct reviews
- Virtualization and CSP (Cloud service provider) architecture
- Evaluate the readiness for implementation
- Conduct post implementation reviews
- IS operations, maintenance & support: This domain explains how to provide assurance the processes for operations, maintenance and support of the IS are aligned to the objectives of the organization. The domain includes the following topics:
- Evaluate IT service management framework and practices
- Conduct periodic reviews of IS
- Evaluate IT operations and IT maintenance, evaluate database management practices and data quality
- Evaluate problem and incident management
- Change and release management practices
- Evaluate end-user computing, and IT continuity and resilience
- Disaster recovery testing
- Protection of information assets
IT auditors have to ensure the security policies, standards and procedures protect the integrity, confidentiality and availability of information assets of the organization. The domain includes the following topics:
- Evaluate IS and privacy
- Evaluate physical and environmental controls
- Evaluate the system and logical security controls
- Evaluate classification of data and information asset safeguards
- Evaluate IS programs
How to Earn Your CISA Certification
Follow these five steps to earn your CISA certification.
- Clear the exam: The CISA exam is open to all individuals who have interest in IS audit, control and security. After successfully passing the exam, the candidates have to apply for the certification with their passing score.
- Submit an application for CISA certification: After passing the exam and meeting the work experience requirements, the next step is to complete the application for the certification. The candidate must have a minimum of five years of professional experience in IS auditing, control or security. Substitutions and waivers to experience can be obtained, too.
- Adhere to the Code of Professional Ethics: All CISA designation holders have to agree to the Code of Professional Ethics for professional and personal conduct.
- Adhere to CPE program: The CISA designation holders also have to adhere to the CPE, i.e., continuing professional education program. View the complete policy here.
- Comply with IS auditing standards: CISA holders have to adhere to the IS auditing standards followed by ISACA.
Earning a CISA certification will advance your career and benefit your organization. Once you have obtained this certification, it proves your expertise and increases your value as an employee or candidate. If you are committed to a career in the field of IT assurance, this certification is for you.
For more on the CISA certification, view our CISA certification hub.