Why do so many IT auditors who pass the CISA know so little about IS and security–and in my opinion aren’t worth hiring* for that and several other reasons?
Well, I think I figured it out. So what clarified my understanding? I took the CISA exam.
ISACA’s CISA Self-Assessment
To test my theory, I reviewed ISACA’s own CISA Self-Assessment exam (get it here), which is 50 questions that allow exam candidates to “assess their knowledge of the CISA job practice areas and determine in which information security areas they may have strengths and weaknesses.” By my count, 35 of the 50 questions on the assessment are IT and/or security related, and the rest are focused more on general auditing principles.
ISACA’s website states that the questions on the self-assessment “are not actual CISA exam items, but are representative of items that have appeared on the exam.” I dispute that claim.
If the actual exam that I took had that large a percentage of IT/security questions on it, I wouldn’t be ranting right now; however, the exam I took was mostly general auditing with very few IT/security questions. By my estimate, my exam was more like 70% audit and only 30% IT and security questions.
Keep in mind that 4 of the 6 domains* tested relate to IT and security:
- Systems and Infrastructure Lifecycle Management (16%)
- IT Service Delivery and Support (14%)
- Protection of Information Assets (31%)
- Business Continuity and Disaster Recovery (14%)
*Some time after I wrote this, ISACA revised the domain names and content, so that’s why they don’t match the current domains.
And one relates to Audit: IS Audit Process (10%). So what happened?
My CISA Exam Experience
In all that I read about the exam before taking it, and all the studying I did (I used several different materials, including the ISACA books and questions), I never saw anything that said, “Don’t expect an IT exam.” Rather it appeared that the exam was at least 50% IT and 50% audit. That was NOT my experience at all.
When I mentioned my surprise to a friend who passed the exam previously, she said, “Oh, yeah, it’s an audit exam, not an IT exam.” Several of my fellow testers said the same thing: “Where’s the IT beef?”
Which brings me back to my original point: no wonder so few IT auditors understand information technology; the gold standard exam doesn’t require it!
Other things that surprised me about the exam:
- Even though the exam email I received forbade bringing cell phones, bags, and a host of other things to the exam, people did it. No one cared.
- The proctor told everyone not to break the seal on the exam papers (it was a written exam) until instructed–the Deloitte guy sitting next to me broke the seal right away and opened the exam, but no one noticed. Not sure if he didn’t hear or didn’t care. If caught, he could have been disqualified and told to leave the room (I doubt that would have been enforced).
- One of the urinals in the nearby bathroom couldn’t handle the stress of the exam and overflowed continuously for at least an hour. Even stranger than that, most of the water flowed down a crack in the wall even though a drain was directly below the urinal.
- Only about half the people finished and left within 3 hours. When I took the CISSP, most people had left by the 3-hour mark. I think that the CISSP exam was harder technically, but it’s also a more technical exam.
- Finally, unlike the CISSP, hardly any of the study questions from ISACA or other sources appeared on the CISA exam. Out of 200 exam questions, somewhere between 5 and 10 were similar (I used about 2500 study questions).
What Do You Think?
I still think the certification was worth getting: I gained some new insights during the process, and it helps my resume. I’d just like to see more IS basics on the exam.
For those of you who’ve taken the exam, what’s your opinion? Agree or disagree? When you leave a comment, please indicate whether you’ve worked in IT and how many years.
If you haven’t taken the exam yet, what have you heard or read? I’d be interested in all viewpoints.
And yes, I did pass. But what does that mean? I’m well-versed in general audit principles and techniques? And the IT part is easy to fake?
* For the reasons I don’t hire some IT auditors, see my “interviewing auditors” series, which starts with Interviewing IT Auditors.
10 responses to “Where is the IS in CISA?”
I took the CISA exam back in 2005 (I believe). I have been involved in the IT field since about 1990 and IT audit from 2003-today (2010).
The CISA exam, when I took it seemed to be more than 50% technical. I was working for a major accounting firm at the time, and the general trend was that the financial auditors who were coming over to the IT audit side typically failed the exam on their first attempt, and those of us with a college degree in CIS or MIS tended to pass on the first attempt. To me this indicates that the exam leaned more heavily toward the IT side, back then at least. When I left the exam I felt as if I had taken a comprehensive exam covering my entire academic CIS studies with the exception of programming.
Now having said that, I recognize from my experience that the theory behind IT audit is not on its own technical, meaning the CISA should not be like the CISSP exam. An IT auditor should know what weaknesses to look for and have a general understanding of where the weaknesses exist, but IT auditors cannot be familiar with every type of technology that they will come across in their career. Most IT auditors must rely on their client’s administrators to get to the place in the system they need to be to look for a weakness.
For example, there was a period in my career when I had approximately 20 different IT Audit clients in a year using SAP, PeopleSoft, JD Edwards, Linux, UNIX, AIX, Windows, Oracle, MS-SQL and a plethora of home grown applications… there is no way that I could have a technical expertise in all of those different technologies, but I did know how to get the admins to show me where the weaknesses in the systems were. If you have a good understanding of audit process knowledge you can work with the admin to determine where real weaknesses exist.
But… and there is always a but, IT auditors do need some level of technical expertise in order to know when an admin or system owner is trying to pull the wool over their eyes. I hope that the CISA exam has not deteriorated to the point where it does not require an adequate level of technical skill.
I agree that a good IT auditor is hard to find: either you get an overly technical person who can’t understand that systems must operate effectively, in addition to being secure, or you get a person who has no clue of why SQL injection is a problem.
Although IT Audit & IT Security Policy is my bread and butter, I am expanding into online marketing and social media strategy for businesses; to learn more, find me at http://zanderedward.com
Thanks for all your input.
I hope you didn’t think my post was implying that I think all IT auditors should come from IT or be extremely technical; I don’t think so, but too many IT auditors I’ve encountered don’t understand Active Directory at all, not even that AD accounts are separate from a server or PC operating system’s local accounts. Another issue I run into with IT auditors is a lack of understanding regarding how the network, applications, and databases work together. Some day I’ll draw up a short list of basics that I would expect IT auditors to know…anyone who wants to start a list, please comment.
I didn’t say it, but fortunately you did: the reason you need to be a little bit more knowledgeable about IT is so that your clients/subject matter experts (admins, DBAs, security folks) can’t hide an issue behind jargon or “that’s just how it works.”
I found this blurb on a forum, left by “coffeeking” in May 2009. Is this you? Either way, please weigh in on this topic.
The CISA is “not a technical cert, more of a management cert and from what I have heard it is not one of the tough ones”
I like your ‘My CISA Exam Experience’ post – the humor in test taking. Regarding your short list of basics that you would expect IT auditors to know – I would like a copy of the list. Thank you.
The list is here:
What IT Auditors Ought to Know – And Don’t!
Thanks for the feedback!
I need your advice on the upcoming CISA 2016 exam. Firstly, I want to say your website is extremely helpful in preparing for the CISA! Keep up the good work.
Coming to my question, I am registered to give the CISA exam this coming June. In order to prepare for the exam, I have purchased the 2016 CISA Review manual. I had a question in regards to the 2016 CISA Review Questions, Answers & Explanations Database – 12 Month Subscription. The thing is that my friend lent me his 2013 CISA Practice Question Database v13 (CD-ROM), which he used for the 2013 exam. Would practicing from this one suffice, or do you folks recommend that I buy the new one? The changes between the 2016 and 2013 manual are minimal. Is it worth still buying the new Q&A database?
Appreciate your help.
The 2013 version would probably suffice. SEE MY UPDATED REPLY BELOW.
However, you might want to review the CISA code of ethics and consider whether borrowing another person’s version is appropriate.
As an auditor, you will face tougher ethical questions than that one; I’d suggest you get used to making the tough choices right away.
I changed my opinion. Please see this comment https://itauditsecurity.wordpress.com/links/free-downloads/#comment-10574 as well as the question that precedes it.
Recently I have been searching a lot on CISA certification, preparation and study materials, as my company asked me to take the certification. I have been in IT & Networking for the past year and a half, and prior to that was in software application development (around 4 years), but I don’t have any background in auditing. So what would be the best way for me to prepare for and crack the CISA exam? As you mentioned, you faced a 70% audit and 30% IT & security split in the questions, which raises doubts in my mind about going ahead with CISA. Your inputs would be highly appreciated.
Thanks in Advance
Get the CISA book that I mentioned and read that. Read all the free IT Audit for Dummies material at ISACA and IIA (see my post by the same name).