Table of Contents
1. What is the CISA?
For those of you lucky enough not to be knee-deep in the world of IT/IS Auditing, CISA stands for Certified Information Systems Auditor. This certification and exam are part of ISACA's suite of certifications. As I often explain it to people like my family, it basically means you're employed to use your knowledge of information systems, regulations, common threats, risks, etc. in order to assess an organization's current control of their risk. If a risk isn't controlled (and the company doesn't want to accept the risk), an IS auditor will suggest implementing a control to address that risk.
Now, the CISA certification itself is, in my opinion, the main certification for this career. While certifications such as the CPA or CISSP are beneficial, nothing matches the power of the CISA for an IS auditor when it comes to getting hired, getting a raise/bonus, or earning respect in the field.
However, to be honest, I am a skeptic of most certifications. I
understand the value they hold in terms of how much you need to commit
to studying or learning on the job, as well as the market value for
certifications such as the CISA. But I also have known some very
incompetent less than stellar auditors who have CPAs, CISAs, CIAs,
etc.
The same goes for most industries: if a person is good at studying, they can earn the certification. However, that knowledge means nothing unless you're actually able to use it in real life and perform as expected of a certification holder. The challenge comes when people are hired or connected strictly because of their certifications or resume; you need to see a person work before you can assume them having a CISA means they're better than someone without the CISA.
Okay, rant over. Certifications are generally accepted as a measuring stick of commitment and quality of an employee, so I am accepting it too.
2. Exam Content
The CISA is broken down into five sections, each weighted with a percentage of test questions that may appear.
Figure 1: CISA exam sections
Since the exam contains 150 questions, here's how those sections break down:
| Exam Section | Percentage of Exam | Questions |
|---|---|---|
| 1 | 21% | 32 |
| 2 | 17% | 26 |
| 3 | 12% | 18 |
| 4 | 23% | 34 |
| 5 | 27% | 40 |
| Grand Total | 100% | 150 |
3. My Studying Habits
This part is a little hard for me to break down into specific detail due to the craziness of the last year. While I officially purchased my studying materials in December 2020 and opened them to "start studying" in January 2021, I really wasn't able to study much due to the demands of my job and personal life.
Let me approach this from a few different viewpoints.
3.1. Study Materials
Let's start by discussing the study materials I purchased. I'll be referring to #1 as the CRM and #2 as the QAE.
- CISA Review Manual, 27th Edition | Print
- [[https://store.isaca.org/s/store#/store/browse/detail/a2S4w000004KoCcEAK][CISA Review Questions, Answers & Explanations Manual, 12th Edition | Print]]
The CRM is an excellent source of information and could honestly be used as a reference for most IS auditors as a learning reference during their daily audit responsibilities. However, it is full* of information and can be overloading if you're not good at filtering out useless information while studying.
The QAE is the real star of the show here. This book contains 1000 questions, separated by exam section, and a practice exam. My only complaint about the QAE is that each question is immediately followed with the correct answer and explanations below it, which means I had to use something to constantly cover the answers while I was studying.
I didn't use the online database version of the QAE, but I've heard that it's easier to use than the printed book. However, it is more expensive ($299 database vs $129 book) which might be important if you're paying for materials yourself.
In terms of question difficulty, I felt that the QAE was a good representation of the actual exam. I've seen a lot of people online say it wasn't accurate to the exam or that it was much easier/harder, but I disagree with all of those. The exam was fairly similar to the QAE, just focusing on whichever topics they chose for my version of the exam.
If you understand the concepts, skim the CRM (and read in-depth on topics you struggle with), and use the QAE to continue practicing exam-like questions, you should be fine. I didn't use any online courses, videos, etc. - the ISACA materials are more than enough.
3.2. Studying Process
While I was able to briefly read through sections 1 and 2 in early 2021, I had to stop and take a break from February/March to September. I switched jobs in September, which allowed me a lot more free time to study.
In September, I studied sections 3-5, took notes, and did a quick review of the section topics. Once I felt comfortable with my notes, I took a practice exam from the QAE manual and scored 70% (105/150).
Here's a breakdown of my initial practice exam:
| Exam Section | Incorrect | Correct | Grand Total | Percent |
|---|---|---|---|---|
| 1 | 8 | 25 | 33 | 76% |
| 2 | 5 | 20 | 25 | 80% |
| 3 | 6 | 12 | 18 | 67% |
| 4 | 10 | 23 | 33 | 70% |
| 5 | 16 | 25 | 41 | 61% |
| Grand Total* | 45* | 105* | 150* | 70%* |
As I expected, my toughest sections were related to project management, development, implementation, and security.
This just leaves October and November. For these months, I tried to practice every few days, doing 10 questions for each section, until the exam. This came out to 13 practice sessions, ~140 questions per section, and ~700 questions total.
While some practice sessions were worse and some were better, the final results were similar to my practice exam results. As you can see below, my averages were slightly worse than my practice exam. However, I got in over 700 questions of practice and, most importantly, I read through the explanations every time I answered incorrectly and learned from my mistakes.
| Exam Section | Incorrect | Correct | Grand Total | Percent |
|---|---|---|---|---|
| 1 | 33 | 108 | 141 | 77% |
| 2 | 33 | 109 | 142 | 77% |
| 3 | 55 | 89 | 144 | 62% |
| 4 | 52 | 88 | 140 | 63% |
| 5 | 55 | 85 | 140 | 61% |
| Grand Total* | 228* | 479* | 707* | 68%* |
Figure 2: CISA practice question results
4. Results
Now, how do the practice scores reflect my actual results? After all, it's hard to tell how good a practice regimen is unless you see how it turns out.
| Exam Section | Section Name | Score |
|---|---|---|
| 1 | Information Systems Auditing Process | 678 |
| 2 | Governance and Management of IT | 590 |
| 3 | Information Systems Acquisition, Development, and Implementation | 721 |
| 4 | Information Systems Operations and Business Resilience | 643 |
| 5 | Protection of Information Assets | 511 |
| TOTAL | 616 |
Now, in order to pass the CISA, you need at least 450 on a sliding scale of 200-800. Personally, I really have no clue what an average CISA score is. After a very brief look online, I can see that the high end is usually in the low 700s. In addition, only about 50-60% of people pass the exam.
Given this information, I feel great about my scores. 616 may not be phenomenal, and I wish I had done better on sections 2 & 5, but my practicing seems to have worked very well overall.
However, the practice results do not conform to the actual results. Section 2 was one of my highest practice sections and was my second-lowest score in the exam. Conversely, section 3 was my second-lowest practice section and turned out to be my highest actual score!
After reflecting, it is obvious that if you have any background on the CISA topics at all, the most important part of studying is doing practice questions. You really need to understand how to read the questions critically and pick the best answer.
5. Looking Forward
I am extremely happy that I was finally able to pass the CISA. Looking to the future, I'm not sure what's next in terms of professional learning. My current company offers internal learning courses, so I will most likely focus on that if I need to gain more knowledge in certain areas.
To be fair, even if you pass the CISA, it's hard to become an expert on any specific topic found within. My career may take me in a different direction, and I might need to focus more on security or networking certifications (or possibly building a better analysis/visualization portfolio if I want to go into data analysis/science).
All I know is that I am content at the moment and extremely proud of my accomplishment.