CHAPTER 1
Becoming a CISA

This chapter discusses the following major topics:

• What it means to be a CISA-certified professional

• Getting to know ISACA, its code of ethics, and its standards

• The certification process

• Applying for the exam

• Maintaining your certification

• Getting the most from your CISA journey

Congratulations on choosing to become a Certified Information Systems Auditor (CISA). Whether you have worked several years in the field of information systems auditing or have just recently been introduced to the world of controls, assurance, and security, don’t underestimate the hard work and dedication required to obtain and maintain CISA certification. Although ambition and motivation are required, the rewards can far exceed the effort.

You probably never imagined you would find yourself working in the world of auditing or looking to obtain a professional audit certification. Perhaps the increase in legislative or regulatory requirements for information system security led to your introduction to this field. Or possibly you have noticed that CISA-related career options are increasing exponentially, and you have decided to get ahead of the curve. You aren’t alone: 55,000 professionals worldwide reached the same conclusion and have earned the well-respected CISA certification. Welcome to the journey and the amazing opportunities that await you.

I have put together this information to help you further understand the commitment needed, prepare for the exam, and maintain your certification. Not only is it my wish to see you pass the exam with flying colors, but I also provide you with the information and resources to maintain your certification and to proudly represent yourself and the professional world of IS auditing with your new credentials.

The Information Systems Audit and Control Association (ISACA) is a recognized leader in the areas of control, assurance, and IT governance. This nonprofit organization represents more than 86,000 professionals in approximately 160 different countries. ISACA administers several exams and controls certifications including the CISA, the CISM (Certified Information Systems Management), and the CGEIT (Certified Governance of Enterprise Information Technology) certifications. The certification program itself has been accredited by the American National Standards Institute (ANSI) under International Organization for Standardization (ISO) 17024, which means that ISACA’s procedures for accreditation meet international requirements for quality, continuous improvement, and accountability.

If you’re new to ISACA, I recommend that you tour the web site and familiarize yourself with the guides and resources available. In addition, if you’re near one of the 175 local ISACA chapters in 70 countries, consider taking part in the activities and even reaching out to the chapter board for information on local training days or study sessions.

The CISA certification was established in 1978 and primarily focuses on audit, controls, assurance, and security. It certifies the individual’s knowledge around testing and documenting IS controls, and ability to conduct formal IS audits. Organizations seek out qualified personnel for assistance with developing and maintaining strong controls environments. A CISA-certified individual is a great candidate for this.

Benefits of CISA Certification

Obtaining the CISA certification offers several significant benefits:

• Expands knowledge and skills, builds confidence. Developing knowledge and skills around the areas of audit, controls, assurance, and security can prepare you for advancement or to expand your scope of responsibilities. The personal and professional achievement can boost confidence that encourages you to move forward and seek new career opportunities.

• Increases marketability and career options. Because of various legal and regulatory requirements such as HIPAA (Health Insurance Portability and Accountability Act), PCI (Payment Card Industry data security standard), Sarbanes-Oxley, GLBA (Gramm Leach Bliley Act), FDA (Food and Drug Administration), and FERC/NERC (Federal Energy Regulatory Commission/North American Electric Reliability Corporation), and the growing need for information systems and automation, controls, assurance, and audit experience, demand is growing for individuals with experience in testing and documenting controls. Many government agencies and organizations are requiring CISA certifications for positions involving IS audit activities. Having a CISA can open up many doors of opportunity in various industries and countries.

• Builds customer confidence/international credibility. Prospective customers needing control or audit work will have faith that the quality of the audits and controls documented or tested are in line with internationally recognized standards.

Regardless of your current position, demonstrating knowledge and experience in the areas of IS controls, audit, assurance, and security can expand your career options. The certification does not limit you to auditing; it can provide additional value and insight to those in or seeking the following positions:

• Executives such as CEOs, CFOs, and CIOs

• Chief audit executives, audit partners, and audit directors

• Security and IT operations executives (CTOs, CISOs, CSOs), directors, managers, and staff

• Compliance executives and management

• Consultants

Becoming a CISA

The following list outlines the major requirements for becoming certified:

• Experience. A CISA candidate must be able to submit verifiable evidence of five years’ experience, with a minimum of two years’ professional work experience in IS auditing, control, or security. Experience can be in any of the job content areas, but must be verified. For those with less than five years’ experience, experience substitution options are available.

• Ethics. Candidates must commit to adhere to ISACA’s Code of Professional Ethics, which guides the personal and professional conduct of those certified.

• Exam. Candidates must receive a passing score on the CISA exam.

• Education. Those certified must adhere to the CISA Continuing Education Policy, which requires a minimum of 20 continuing professional education (CPE) hours each year, with a total requirement of 120 CPEs over the course of the certification period (three years).

• Standards. Those certified agree to abide by IS auditing standards and minimum guidelines for performing IS audits.

• Application. After successfully passing the exam, meeting the experience requirements, and having read through the Code of Professional Ethics, a candidate is ready to apply for certification.

Experience Requirements

To qualify for CISA certification, you must have completed the equivalent of five years’ total work experience. These five years can take many forms, with several substitutions available. Additional details on the minimum certification requirements, substitution options, and various examples are discussed next.

NOTE: Although it is not recommended, a CISA candidate can take the exam before completing any work experience directly related to IS audit. As long as the candidate passes the exam and the work experience requirements are filled within five years of the exam date and within ten years from application for certification, the candidate is eligible for certification.

Direct Work Experience

You are required to have a minimum of two years’ work experience in the fields of IS audit, controls, or security. This is equivalent to 4,000 actual work hours, which must be related to the six CISA job practice areas:

• IS Audit Process. Planning and conducting information systems audits in accordance with IS Standards and best practices, communicating results, and advising on risk management and control practices.

• IT Governance. Ensuring that adequate human resource, performance, value, and risk management are in place to align and support the organization’s strategies and objectives.

• Systems and Infrastructure Life-Cycle Management. Ensuring that systems and infrastructure have appropriate controls in place (acquisition, development, testing, implementation, maintenance, and disposal) to provide reasonable assurance that the organization’s objectives will be met.

• IT Service Delivery and Support. Evaluating or implementing IT service management practices to ensure an organization’s objectives are met.

• Protection of Information Assets. Evaluating, designing, or implementing a security architecture with the intent of ensuring the confidentiality, integrity, and availability of information assets.

• Business Continuity and Disaster Recovery. Evaluating, developing, or managing business continuity and disaster recovery processes that minimize impact to the organization in the event of disruption.

All work experience must be completed within the ten years before completing the certification application, and five years from the date of initially passing the CISA exam. You will need to complete a separate Verification of Work Experience form for each segment of experience.

There is only one exception to this minimum two-year direct work experience requirement: if you are a full-time instructor. This option is discussed in the next section.

Substitution of Experience

Up to a maximum of three years’ direct work experience can be substituted with the following to meet the five-year experience requirement:

• One year of information systems or one year of non-IS auditing experience can be substituted for up to one year of direct work experience.

• If you have completed a two- or four-year degree, 60–120 completed university semester credit hours, regardless of when completed, can substitute for one or two years of direct work experience, respectively. Transcripts or a letter confirming degree status must be sent from the university attended to obtain the experience waiver.

• If you have completed a bachelor’s or master’s degree from a university that enforces an ISACA-sponsored curriculum, it can be substituted for one or two years of direct work experience, respectively (for information on ISACA-sponsored curricula and participating universities, see www.isaca.org/modeluniversities). Transcripts or a letter confirming degree status will need to be sent from the university to obtain an experience waiver.

• Association of Chartered Certified Accountants (ACCA) members and Chartered Institute of Management Accountants (CIMA) members with full certification can apply for a two-year experience waiver.

• Those applying with a master’s degree in information systems or IT from a university can apply for a one-year experience waiver.

As noted earlier, there is only one exception to the experience requirements. Should you have experience as a full-time university instructor in a related field (that is, information security, computer science, and accounting), each year of your experience can be substituted for one year of required direct work experience, without limitation.

Here is an example CISA candidate whose experience and education are considered for CISA certification:

Jane Doe graduated in 1995 with a bachelor’s degree in accounting. She spent five years working for an accounting firm conducting non-IS audits, and in January 2000, she began conducting IS audits full time. In January 2002, she took some time off work for personal reasons and rejoined the workforce in December 2007, working for a public company in their internal audit department documenting and testing financial controls. Jane passed the CISA exam in June 2008 and applied for CISA certification in January 2009. Does Jane have all of the experience required? What evidence will she need to submit?

• Two-year substitution. Jane obtained a bachelor’s degree in accounting, which equates to two years’ experience substitution.

• Jane can count all work experience after January 1999:

  • Two years’ direct experience. She can count her two full years of IS audit experience in 2000 and 2001.

  • One-year substitution. She can also take into account one year of non-IS audit experience completed between January 1999 and January 2000.

  • One-year substitution. Should she want to utilize her new internal audit financial controls experience, Jane has the option to use this for experience substitution rather than her earlier non-IS audit experience. The choice is hers.

Jane would need to send the following with her application to prove experience requirements are met:

• Verification of Work Experience forms filled out and signed by her supervisors (or any superior) at the accounting firm, verifying both the IS and non-IS audit work conducted.

• Transcripts or letter confirming degree status sent from the university.

ISACA Code of Professional Ethics

Becoming a CISA means that you agree to adhere to the ISACA Code of Professional Ethics. The code of ethics is a formal document outlining those things you will do to ensure the utmost integrity and that best support and represent the organization and certification.

The following summarizes the code of ethics:

• Support the implementation of standards, procedures, and controls for IS.

• Encourage compliance with standards, procedures, and controls for IS.

• Conduct audits and related tasks with objectivity, due diligence, and professional care.

• Conduct audits in accordance with standards and best practices.

• Serve in the interest of stakeholders, lawfully and with integrity.

• Avoid engaging in acts that may be disreputable to the profession.

• Maintain privacy and confidentiality of information unless legally required to disclose it.

• Never disclose information for personal benefit or to inappropriate parties.

• Maintain competencies and agree to undertake only those activities that you can reasonably complete with professional competence.

• Inform appropriate parties of audit results, stating all significant facts known.

• Educate stakeholders and enhance their understanding of IS security and controls.

Failure to follow the code can result in investigation of the member’s conduct and potential disciplinary measures that range from warning to revocation of certification and/or membership. For more information on the complaint-handling process and for information on the Investigations Committee, see the Code of Professional Ethics section on the ISACA web site.

ISACA IS Standards

An auditor can gather information from several credible resources to conduct an audit with integrity and confidence. ISACA has developed its own set of standards of mandatory requirements for IS auditing and reporting.

As a CISA, you agree to abide by and promote the IS Standards where applicable, encouraging compliance and supporting their implementation. As you prepare for certification and beyond, you will need to read through and become familiar with these standards. The following standards were created to define the minimum level of acceptable performance required to meet ISACA’s professional requirements and to help set expectations. They have been established, vetted, and approved by ISACA:

• S1: Audit Charter. This standard describes the importance of having a documented audit charter or engagement letter to clearly state the purpose, responsibilities, authority, and accountability of the information systems audit function or audits.

• S2: Independence. This standard describes the importance of the IS auditor’s independence with regard to the audit work and the auditee, in activity and perception.

• S3: Professional Ethics and Standards. The IS auditor should exercise due professional care, adhere to the code of ethics, and abide by professional auditing standards.

• S4: Professional Competence. Each IS auditor should obtain and maintain professional competence and only conduct assignments in which he or she has the skills and knowledge.

• S5: Planning. This standard describes planning best practices including those concerning scope and audit objectives, developing and documenting a risk-based audit approach, the creation of an audit plan, and development of an audit program and procedures.

• S6: Performance of Audit Work. When conducting an audit, it is critical to provide reasonable assurance that audit objectives have been met; sufficient, reliable, and relevant evidence is collected; and all audit work is appropriately documented to support conclusions and findings.

• S7: Reporting. This standard provides guidance on audit reporting, including guidance on stating scope, objectives, audit work performed, and on stating findings, conclusions, and recommendations.

• S8: Follow-up Activities. IS auditors are responsible for particular follow-up activities once the findings and recommendations have been reported.

• S9: Irregularities and Illegal Acts. This standard thoroughly describes those considerations of irregularities and illegal acts the IS auditor should have throughout the audit process.

• S10: IT Governance. This standard provides guidance to the IS auditor as to what governance areas should be considered during the audit process, including whether the IS function is strategically aligned with the organization, performance management, compliance, risk management, resource management, and the control environment.

• S11: Use of Risk Analysis in Audit Planning. An appropriate risk assessment methodology should be utilized when developing the IS audit plan, prioritizing activities, and planning individual audits.

• S12: Audit Materiality. This standard provides guidance on audit materiality, how it relates to audit risk, and how to rate the significance of control deficiencies and whether they lead to significant deficiencies or material weakness.

• S13: Using the Work of Other Experts. The purpose of this standard is to provide guidance to the IS auditor on when it may be appropriate to use the work of other experts during an audit, how to assess this work, how to determine adequacy, and then how to document the work.

• S14: Audit Evidence. The IS auditor may use this standard as a guideline for what constitutes audit evidence, and the quality and quantity of evidence that should be obtained in order to draw reasonable conclusions.

• S15: IT Controls. This standard provides guidance regarding the evaluation and monitoring of IT controls and the importance of providing guidance to management regarding the design, implementation, operation, and improvement of these controls.

• S16: E-Commerce. For those IS auditors who may be tasked with reviewing controls and assessing risk within e-commerce environments, this standard provides guidance on how to evaluate the controls and ensure transactions are properly controlled.

I recommend that you check the ISACA web site periodically for updates to the standards. As an ISACA member, you will automatically be notified when changes have been submitted and the documents are open for review (www.isaca.org/standards).

The Certification Exam

The certification is offered twice each year, in June and December. You have several ways to register; however, regardless of method chosen, I highly recommend that you plan ahead and register early. Registering early and online reaps the most benefits, saving up to $100 compared with late, mailed, or faxed registrations.

In 2009 the schedule of fees in U.S. dollars was

• Exam Fee (early registration)

  • $345 Member / $475 Non-member—online

  • $395 Member / $525 Non-member—fax/mail

• Exam Fee (regular registration)

  • $395 Member / $525 Non-member—online

  • $445 Member / $575 Non-member—fax/mail

The test is administered by an ISACA-sponsored location. For details on the location nearest you, see the ISACA web site.

Each registrant has four hours to take the multiple-choice question exam. There are 200 questions on the exam representing the six job practice areas. The exam is not computerized, but is provided via paper exam booklet. Each question has four answer choices; test-takers can select only one best answer by filling out the appropriate bubbles on the answer sheet provided, in pencil or pen. You will be scored for each job practice area and then provided one final score. Scores range from 200 to 800; however, a final score of 450 is required to pass.

Table 1-1 CISA Exam Practice Areas

Exam questions are derived from a job practice analysis study conducted by ISACA. The areas selected represent those tasks performed in a CISA’s day-to-day activities and represent the background knowledge required to perform the tasks.

The CISA exam is quite broad in scope. It covers six job practice areas, as shown in Table 1-1.

Independent committees have been developed to determine the best questions, review exam results, and statistically analyze the results for continuous improvement. Should you come across a horrifically difficult or strange question, do not panic. This question may have been written for another purpose. A few questions on the exam are included for research and analysis purposes and will not be counted against your score.

Preparing for the Exam

The following sections offer some tips and are intended to help guide you to, through, and beyond exam day.

Before the Exam

Take a moment to read through the following list of tips on tasks and resources for exam preparation. They are listed in sequential order.

• Obtain the Bulletin of Information (BOI). The BOI contains the most current information about exam requirements, additional information about the exam, registration instructions, test dates, score reporting, test center locations, and registration forms. The BOI can be found at www.isaca.org/cisaboi.

• Read the Candidate’s Guide. For information on the certification exam and requirements for the current year, see www.isaca.org/cisaguide.

• Register. If you are able to, register early for the cost savings and to solidify your commitment to moving forward with this professional achievement.

• Self-assess. Run through practice exam questions. Be sure to see the ISACA web site for CISA self-assessment at www.isaca.org/cisaassessment.

• Avoid cramming. We’ve all seen the books on the shelves with titles that involve last-minute cramming. Just one look on the Internet reveals a variety of web sites that cater to teaching individuals how to most effectively cram for exams. There are also research sites claiming that exam cramming can lead to susceptibility to colds and flu, sleep disruptions, overeating, and digestive problems. One thing is certain: many people find that good, steady study habits result in less stress and greater clarity and focus during the exam. Due to the complexity of this exam, I highly recommend the steady study option. Study the job practice areas thoroughly. There are many study options. If time permits, investigate the many resources available to you.

• You are not alone. Oftentimes ISACA chapters will have formed specific study groups or offer less-expensive exam review courses. Contact your local chapter to see if these options are available to you.

• Admission ticket. Approximately two to three weeks before the exam, you will receive the admission ticket. Do not lose this ticket. Put it in a safe place, and take note of what time you will need to arrive at the site. Note this on your calendar.

• Logistics check. Check the site a few days before the exam—become familiar with the location and tricks to getting there. If you are taking public transportation, be sure that you are looking at the schedule for the day of the exam: CISA exams are usually administered on a Saturday, when public transportation schedules may differ from weekday schedules. If you are driving, know the route and where to park your vehicle.

• Pack. Place your admissions ticket, several sharpened No. 2 pencils and erasers, and a photo ID in a safe place, ready to go. Your ID must be a current, government-issued photo ID that matches the name on the admission ticket and must not be handwritten. Examples of acceptable ID are passports, driver’s licenses, state IDs, green cards, and national IDs. For information on what can and cannot be brought to the exam site, see www.isaca.org/cisabelongings.

• Notification decision. Decide if you would like your test results e-mailed to you. You will have the opportunity to consent to an e-mail notification of the exam results. If you are fully paid (zero balance on exam fee) and have consented to the e-mail notification, you should receive a one-time e-mail approximately eight weeks from the date of the exam with the results.

• Sleep. Make sure you get a sound night’s sleep before the exam. Research suggests that you steer clear of caffeine at least four hours before bedtime, keep a notepad and pen next to the bed to capture late-night thoughts that might keep you awake worrying, eliminate as much noise and light as possible, and keep your room a good temperature for sleeping. In the morning, arise early so as not to rush and subject yourself to additional stress.

Day of the Exam

• Arrive early. Check the Bulletin of Information and your admission ticket for the exact time you are required to report to the test site. The ticket/BOI explains that you must be at the test site no later than approximately 30 minutes before testing time. The examiner will begin reading the exam instructions at this time, and any latecomers will be disqualified from taking the test and will not receive a refund of fees.

• Observe test center rules. There may be rules about taking breaks. This will be discussed by the examiner along with exam instructions. If at any time during the exam you need something and are unsure as to the rules, be sure to ask first. For information on conduct during the exam, see www.isaca.org/cisabelongings.

• Answering exam questions. Read questions carefully, but do not try to overanalyze. Remember to select the best solution. There may be several reasonable answers, but one is better than the others.

After the Exam

Approximately eight weeks from the date of the exam, you will receive your exam results by e-mail or surface mail. Each job practice area score will be noted in addition to the overall final score. Should you receive a passing score, you will also receive the application for certification. Those unsuccessful in passing will receive a copy of the most current BOI. These individuals will want to take a close look at the job practice area scores to determine areas for further study. Regardless of pass or fail, exam results will not be disclosed via telephone, fax, or e-mail (with the exception of the consented one-time e-mail notification).

Applying for Certification

To apply for certification, you must be able to submit evidence of a passing score and related work experience. Keep in mind that once you receive a passing score, you have five years to use this score on a CISA application. After this time, you will need to take the exam again. In addition, all work experience submitted must have been within ten years of your new certification application.

To complete the application process, you need to submit the following information:

• CISA application. Note the Exam ID # as found in your exam results letter and list the Information Systems Audit, control, security experience, and/or any experience substitutions, and identify which ISACA job practice area(s) the experience pertains to.

• Verification of Work Experience form(s). Must be filled out and signed by your immediate supervisor or a person of higher rank in the organization to verify work experience noted on the application.

• Transcript or letter. If using an Educational Experience Waiver, you must submit an original transcript or letter from the college or university confirming degree status.

As with the exam, after you’ve successfully mailed the application, you must wait approximately eight weeks for processing. If your application is approved, you will receive a package in the mail containing your letter of certification, certificate, and a copy of the Continuing Education Policy. You can then proudly display your certificate and use the designation (“CISA”) on your résumé, e-mail profile, or business cards. Please note, however, that you cannot use the CISA logo.

Retaining Certification

There is more to becoming a CISA than merely passing an exam, submitting an application, and receiving a paper certificate. Becoming a CISA is an ongoing journey. Those with CISA certification not only agree to abide by the code of ethics and adhere to the IS Standards, but they must also meet education requirements and pay certification maintenance fees. Let’s take a closer look at the education requirements and explain the fees involved in retaining certification.

Continuing Education

The goal of continuing professional education (CPE) requirements is to ensure that individuals maintain CISA-related knowledge so that they can better manage, assess, and design controls around IS. To maintain CISA certification, individuals must obtain 120 continuing education hours within three years, with a minimum requirement of 20 hours per year. Each CPE is to account for 50 minutes of active participation in educational activities.

What Counts as a Valid CPE Credit?

A sample list of activities that you can count toward your CPE requirements follows:

• ISACA professional education activities and meetings.

• If you are an ISACA member, you can take Information Systems Control Journal CPE Quizzes online or participate in monthly webcasts. For each webcast, CPEs are rewarded after you pass a quiz.

• Non-ISACA professional education activities and meetings.

• Self-study courses.

• Vendor sales or marketing presentations (ten-hour annual limit).

• Teaching, lecturing, or presenting on subjects related to job practice areas.

• Publication of articles and books related to the profession.

• CISA exam question development and review.

• Participation in ISACA and ITGI boards or committees (ten-hour annual limit).

For more information on what is accepted as a valid CPE credit, see the Continuing Professional Education Policy (www.isaca.org/cisacpepolicy).

Tracking and Submitting CPEs

Not only are you required to submit a CPE tracking form for the annual renewal process, but you also should keep detailed records for each activity. Records associated with each activity should have

• Name of attendee

• Name of sponsoring organization

• Activity title

• Activity description

• Activity date and number of CPE hours awarded

It is in your best interest to track all CPE information in a single file. ISACA has developed a tracking form for your use, which can be found in the Continuing Professional Education Policy. To make it easy on yourself, consider keeping all related records such as receipts, brochures, and certificates in the same place. This is especially important as you may someday be audited. If this happens, you would be required to submit all paperwork. So why not be prepared?

For new CISAs, the annual and three-year certification period begins January 1 of the year following certification. It is not required that the hours from the first year that the individual was certified be reported; however, the hours earned from the time of certification to December 31 can be utilized in the first certification reporting period the following year. Therefore, should you get certified in January, you will have until the following January to gain CPEs and will not have to report them until you report the totals for the following year, which will be in October or November. This is known as the renewal period. During this time you will receive an e-mail directing you to the web site to enter in CPEs earned over the course of the year (www.isaca.org/renew). Alternatively, the renewal will be mailed to you, and then CPEs can be recorded on the hardcopy invoice and sent with your maintenance fee payment.

Notification of compliance from the certification department is sent after all of the information has been received and processed. Should ISACA have any questions about the information you have submitted, they will contact you directly.

Sample CPE Submission

Table 1-2 contains an example of a CPE submission:

Table 1-2 Sample CPE Submission

CPE Maintenance Fees

To remain CISA certified, you must pay CPE maintenance fees each year. These fees are (as of mid-2009) U.S. $40 for members and $80 for non-members each year. These fees are in addition to ISACA membership and local chapter dues.

Revocation of Certification

A CISA-certified individual may have his or her certification revoked for the following:

• If the individual does not meet, or fails to provide evidence of, all the CPE requirements during a renewal or audit.

• Failure to submit payment for maintenance fees.

• Failure to comply with the Code of Professional Ethics can result in investigation and ultimately can lead to revocation of certification.

If you have received a revocation notice, you will need to contact the ISACA Certification Department ([email protected]) for more information.

CISA Exam Preparation Pointers

• Register for the exam early and online to obtain greatest financial savings.

• When studying for the exam, take as many practice exams as possible.

• Memorization will not work—for this exam, it is critical that you understand the concepts.

• If you have time while studying for the exam, begin gathering relevant Work Experience Verification forms from past employers and original transcripts from your college or university (if using the Education Experience Waiver).

• Do not arrive late to the exam site. Latecomers are immediately disqualified.

• Begin keeping track of CPEs as soon as you obtain certification.

• Mark your calendar for CPE renewal time, which begins in October/November each year.

• Become familiar with the IS Standards.

• Become involved in your local ISACA chapter for networking and educational opportunities.

Summary

In this chapter I focused on the benefits of becoming a CISA and the process for obtaining and maintaining certification. Being a CISA is a journey, not just a one-time event. It takes motivation, skill, good judgment, and proficiency to be a strong leader in the world of Information Systems auditing. The CISA was designed to help you navigate the IS world with greater ease and confidence.

In the following chapters, each job practice area will be discussed in detail, and additional reference material will be presented. Not only is this information useful for studying prior to the exam, but it is also meant to serve as a resource throughout your career as an audit professional.
