Certified Information Systems Auditor, or CISA, is one of the most recognized designations for information systems professionals. The certification is designed to help IS and IT auditors and other information security professionals advance their careers. This certification signifies experience and competence within the realm of IS auditing, and as such, candidates must meet specific experience criteria to sit for the exam.
Information systems pros just graduating from a program must first gain hands-on auditing experience before they can realistically pursue the CISA credential. Here, we'll go over what IS pros need to know about becoming CISA-certified from requirements to the exam, ethics code, and more. Read on to see what it takes, how much it costs, and why you might want to pursue this path.
Why Earn the CISA Certificate?
This certification is an internationally recognized designation that meets global security and IT auditing standards. So, naturally, it comes with a certain level of prestige, not unlike attending a top-ranked school or earning an advanced degree.
According to the ISACA website, the CISA credentialing process aims to help professionals develop the skills and best practices that represent the building blocks of success in this field, offering a global standard for measuring proficiency. Being CISA certified also makes it easier for systems auditors to find work. It gives employers assurance that candidates possess the expertise, skills, and knowledge that organizations depend on to keep data safe and secure.
Key benefits of the certification include the following:
- Validates professional experience and expert knowledge
- Offers global recognition as an IS audit professional
- Increases your value to an organization
- Gives job seekers a competitive advantage over non-CISA peers
Who Offers CISA Certification?
While this particular credential isn't the only professional certification option for IS/IT auditors, the CISA is the most recognizable designation in the field. Additionally, we should mention that ISACA is the only organization that offers the CISA certification, though they have testing centers all over the world.
ISACA stands for Information Systems Audit and Control Association. It's a global non-profit that offers practical guidance, ongoing education, and other resources to IT professionals looking to advance their careers. The ISACA website also provides a wealth of information to prospective CISA candidates, covering everything from testing, preparation, and prerequisites, to prep courses and interactive training tools.
ISACA members receive benefits, including:
- Events and training available at 200+ ISACA Chapters
- Access to IT Audit Leaders and CISO Forums
- Free webinars
- Conference registration discounts
- Career coaching, tools, and access to professional development resources
- Professional and industry advocacy
- 25% discounts on CISA, CISM, CRISC, and CGEIT exam registrations
- 72 hours of free continuing professional education
- Member discounts on ISACA publications and research
Keep in mind that ISACA also offers the CRISC, CISM, and CGEIT certifications. As such, you'll want to look over your options to see if the CISA is the right fit for your career goals.
How to Get Certified
Getting your CISA certification isn't a decision you should take lightly. You'll need several years of experience, education, and demonstrated competency in the field. You'll also need to pass an exam and, long-term, will need to meet continuing education requirements to maintain your certification. Below, we've outlined what prospective CISAs need to know before they apply for certification.
Before you can take the CISA exam, you'll need to work as an information systems auditor for at least five years. Alternatively, if you have educational experience or related work experience, you may be able to use that experience to waive up to three of those five years.
Here's a quick look at what the ISACA considers adequate experience:
- Minimum one-year experience as an information systems auditor or one year of working as an auditor outside of the IS field
- A two- or four-year degree can replace the experience requirement as well, so long as you earned said degree sometime in the past ten years - an associate degree can replace one year of work experience, while a bachelor’s replaces two
- A Master's degree in Information Technology, Information Security, or a related field, can also replace a year of work experience
- A minimum of two years' experience working as a professor of accounting, computer science, or information systems may also count toward one year of experience
Keep in mind that, while you'll submit your work requirements after you pass the certification exam, the ISACA recommends fulfilling them before sitting for the exam. However, work experience needs to be earned either within ten years before passing the exam or up to five years after, so there's ample time to tie up any loose ends.
Taking the Exam
The CISA exam is a 150-question exam composed of five sections. Test-takers will have four hours to complete their work, and questions are multiple-choice.
Each of the five sections covers a subsection of what you can expect to do on the job, and per the ISACA website, is broken down as follows:
- Domain 1 – Information System Auditing Process (21%)
- Domain 2 – Governance and Management of IT (17%)
- Domain 3 – Information Systems Acquisition, Development, and Implementation (12%)
- Domain 4 – Information Systems Operations and Business Resilience (23%)
- Domain 5 – Protection of Information Assets (27%)
How Do You Sign Up?
To sign up for the exam, head over to the ISACA website and check the exam schedule. Candidates can register here: http://www.isaca.org/examreg and from there will be prompted to follow these steps:
- Fill Out the Application: The registration form does require quite a bit of information, so you’ll need to be prepared to provide your professional history, references, and educational background, much like a job application.
- Indicate Preferences: Next, you’ll be directed to the registration screen where you’ll indicate any exam preferences such as any disability accommodations, or whether you’d like to authorize the release of information to your ISACA chapter.
- Review: Confirm all information is correct and add to cart.
- Pay for the Exam: Members pay $575 while non-members pay $760, and upon checkout you’ll also have the option to pay for membership and purchase study aids to help you prepare. You can opt to either pay now or pay later, but keep in mind that you will not be able to schedule the exam until the organization receives your payment. Your 365-day eligibility period begins from the time you register, not the day you make a payment.
- Next Steps: After making the payment, you’ll receive a confirmation email. If you opt to pay later, you’ll get an email reminder with additional instructions.
To schedule the exam:
- Log into your MyISACA account and select the Certifications & CPE Management tab from the lower left-hand corner.
- Click “Schedule Your Exam” and you’ll be taken to the PSI scheduling platform, where you’ll again click “Schedule Exam.”
- Choose your language preferences and location to view available dates and times.
- Book an exam, review details, and select “continue.”
- You should see a success pop-up that confirms your registration. Click close and view your schedule details. You’ll have the option to reschedule or print confirmation details.
How is the CISA exam proctored?
ISACA works with a partner organization, PSI, that administers exams to CISA candidates from all over the world. Test-takers will have the choice to take the exam in a testing center or at a remote kiosk. You can compare the two experiences here, but the breakdown is as follows:
- Testing Center - Exams are administered live in a computer lab setting where proctors monitor multiple candidates.
- Remote Kiosk - A self-service option where test-takers sit at an individual workstation to take the exam. Remote proctors verify candidates' identities and monitor the process via three digital cameras, chat, and a microphone that allows testers to ask questions.
How Do You Prepare for the Exam?
The exam is four hours long and is structured as follows:
- All questions are designed with one best answer
- Every question has a stem (question) and four options (answer choices)
- Choose the correct or best answer from the options
- Stems might come in the form of a question or a fragment
- In some cases, you'll be presented with a scenario, which includes a description of the situation and several questions you'll answer based on the information provided
The ISACA offers preparation courses, as well as study guides and prep materials you can use to prepare on your own. Additionally, CISA candidates may be able to enroll in a local prep course through a university or another professional association.
Code of Professional Conduct/Ethics
According to the ISACA website, all certified professionals must adhere to a professional code of conduct, which lays out the ethical responsibilities the organization expects from those carrying the CISA certification.
Here is a quick rundown of what that entails:
- Demonstrate competence in managing enterprise information systems, running audits, and implementing control, security, and risk management best practices
- Be objective, thorough, and professional when carrying out your duties
- Operate with the interests of your employers or clients in mind, maintaining high standards of character and conduct while on the job
- Protect the privacy and confidentiality of information obtained on the job, unless disclosure is required by law
- Never use that data for personal gain or release it to unauthorized third parties
- Participate in ongoing education to maintain competency and expertise in your field
- Be transparent about all work performed in the field, audit results, and other key findings
- Commit to ongoing professional development to keep pace with the latest industry standards
CISAs who fail to follow the organization's Code of Professional Ethics may become the subject of an investigation and, if necessary, risk disciplinary action or loss of certification.
Continuing Professional Education
Beyond gaining the required work experience and passing the exam, CISA-certified professionals must also complete a minimum of 20 hours per year of continuing education. According to ISACA, the goal of continuing education is to ensure that CISAs keep pace with changes in the IS and IT landscape, provide leadership to their teams, and add value to their organizations.
To maintain certification, you'll also need to pay an annual renewal fee on January 1st of each year. Alternatively, CISAs have the option to renew for three years up front.
Advantages to CISA Certification
The main reason that information systems auditors choose to get this certification is that it improves job prospects. CISA certification signals competence and expertise to employers, many of which will only work with IS pros who have the credential. For auditors, the certification allows them to further develop their skills, both in preparing for the exam and in the long term, as ISACA requires CISAs to participate in continuous training.
- Improves information auditing skills
- Opens the door to more career opportunities
- Demonstrates expertise
- Globally recognized credential
The CISA represents a global standard of IT competence and professionalism that can help professionals communicate their expertise by adding a few extra letters to their email signature.
Typical CISA Responsibilities & Duties
The CISA credential recognizes individuals who are skilled in auditing, control, and assurance of enterprise IT systems. In terms of daily tasks, this means IT auditors collect and analyze data to prevent fraud, rogue spending, and non-compliance. Auditors report findings to the organization's leaders and make recommendations for action.
Critical skills for CISA pros:
- Gather data, compile information, and prepare reports
- Perform audits and quality reviews on systems, databases, data management, programming workflows, and development processes
- Implement and maintain controls, governance, and security best practices
Careers and Salaries for CISA Certified Professionals
According to Payscale, the average CISA earns about $100,000 annually, though compensation varies considerably based on where you work, how much experience you have, and other factors. That said, many IT/IS jobs hover around the $60-65k range, so earning the credential can help you bring home higher paychecks than you would without the designation. Keep in mind that CISA certification isn't just for auditors.
Here are some additional roles where earning the credential can serve you well:
- Internal Auditor
- Public Accounting Auditor
- IS Analyst
- IT Audit Manager
- IT Project Manager
- IT Security Officer
- Network Operation Security Engineer
- Cybersecurity Professional
- IT Consultant
- IT Risk and Assurance Manager
- Privacy Officer
- Chief Information Officer
With security breaches and cyber-attacks on the rise, the need for competent auditors is growing. According to the United States Department of Labor, IS analysts and similar professionals are in high demand, and the department predicts that this trend will continue over the long term.
For those pursuing IS/IT careers, it's worth mentioning one last time that CISA-certified auditors have an advantage over candidates without the credential. Bottom line: CISAs stand to set themselves on the path to a stable, well-paid career if they're willing to do the work.