Where is the IS in CISA?

Why do so many IT auditors who pass the CISA know so little about IS and security, and in my opinion aren’t worth hiring* for that and several other reasons?

Well, I think I figured it out. So what clarified my understanding? I took the CISA exam.

ISACA’s CISA Self-Assessment

To test my theory, I reviewed ISACA’s own CISA Self-Assessment exam (get it here), which is 50 questions that allow exam candidates to “assess their knowledge of the CISA job practice areas and determine in which information security areas they may have strengths and weaknesses.” By my count, 35 of the 50 questions on the assessment are IT and/or security related, and the rest are focused more on general auditing principles.

ISACA’s website states that the questions on the self-assessment “are not actual CISA exam items, but are representative of items that have appeared on the exam.” I dispute that claim.

If the actual exam that I took had that large a percentage of IT/security questions on it, I wouldn’t be ranting right now; however, the exam I took was mostly general auditing with very few IT/security questions. By my estimate, my exam was more like 70% audit and only 30% IT and security questions.

Keep in mind that 4 of the 6 domains* tested relate to IT and security:

Systems and Infrastructure Lifecycle Management (16%)
IT Service Delivery and Support (14%)
Protection of Information Assets (31%)
Business Continuity and Disaster Recovery (14%)

*Some time after I wrote this, ISACA revised the domain names and content, so that’s why they don’t match the current domains.

And one relates to Audit: IS Audit Process (10%). So what happened?

My CISA Exam Experience

In all that I read about the exam before taking it, and all the studying I did (I used several different materials, including the ISACA books and questions), I never saw anything that said, “Don’t expect an IT exam.” Rather, it appeared that the exam was at least 50% IT and 50% audit. That was NOT my experience at all.

When I mentioned my surprise to a friend who passed the exam previously, she said, “Oh, yeah, it’s an audit exam, not an IT exam.” Several of my fellow testers said the same thing: “Where’s the IT beef?”

Which brings me back to my original point: no wonder so few IT auditors understand information technology; the gold standard exam doesn’t require it!

Other things that surprised me about the exam:

  • Even though the exam email I received forbade bringing cell phones, bags, and a host of other things to the exam, people did it. No one cared.
  • The proctor told everyone not to break the seal on the exam papers (it was a written exam) until instructed. The Deloitte guy sitting next to me broke the seal right away and opened the exam, but no one noticed. Not sure if he didn’t hear or didn’t care. If caught, he could have been disqualified and told to leave the room (I doubt that would have been enforced).
  • One of the urinals in the nearby bathroom couldn’t handle the stress of the exam and overflowed continuously for at least an hour. Even stranger than that, most of the water flowed down a crack in the wall even though a drain was directly below the urinal.
  • Only about half the people finished and left within 3 hours. When I took the CISSP, most people had left by the 3-hour mark. I think that the CISSP exam was harder technically, but it’s also a more technical exam.
  • Finally, unlike the CISSP, hardly any of the study questions from ISACA or other sources appeared on the CISA exam. Out of 200 exam questions, somewhere between 5 and 10 questions were similar (I used about 2500 study questions).

What Do You Think?

I still think the certification was worth getting, I learned some new insights during the process, and it helps my resume. I’d just like to see more IS basics on the exam.

For those of you who’ve taken the exam, what’s your opinion? Agree or disagree? When you leave a comment, please indicate whether you’ve worked in IT and how many years.

If you haven’t taken the exam yet, what have you heard or read? I’d be interested in all viewpoints.

And yes, I did pass. But what does that mean? I’m well-versed in general audit principles and techniques? And the IT part is easy to fake?

—————————————

* For the reasons I don’t hire some IT auditors, see my “interviewing auditors” series, which starts with Interviewing IT Auditors.


8 responses to “Where is the IS in CISA?”

  1. I took the CISA exam back in 2005 (I believe). I have been involved in the IT field since about 1990 and IT audit from 2003-today (2010).
    The CISA exam, when I took it seemed to be more than 50% technical. I was working for a major accounting firm at the time, and the general trend was that the financial auditors who were coming over to the IT audit side typically failed the exam on their first attempt, and those of us with a college degree in CIS or MIS tended to pass on the first attempt. To me this indicates that the exam leaned more heavily toward the IT side, back then at least. When I left the exam I felt as if I had taken a comprehensive exam covering my entire academic CIS studies with the exception of programming.

    Now having said that, I recognize from my experience that the theory behind IT audit is not on its own technical, meaning the CISA should not be like the CISSP exam. An IT auditor should know what weaknesses to look for and have a general understanding of where the weaknesses exist, but IT auditors can not be familiar with every type of technology that they will come across in their career. Most IT auditors must rely on their client’s administrators to get to the place in the system they need to be to look for a weakness.

    For example, there was a period in my career when I had approximately 20 different IT Audit clients in a year using SAP, PeopleSoft, JD Edwards, Linux, UNIX, AIX, Windows, Oracle, MS-SQL and a plethora of home grown applications… there is no way that I could have a technical expertise in all of those different technologies, but I did know how to get the admins to show me where the weaknesses in the systems were. If you have a good understanding of audit process knowledge you can work with the admin to determine where real weaknesses exist.

    But… and there is always a but, IT auditors do need some level of technical expertise in order to know when an admin or system owner is trying to pull the wool over their eyes. I hope that the CISA exam has not deteriorated to the point where it does not require an adequate level of technical skill.

    I agree that a good IT auditor is hard to find, either you get an overly technical person who can’t understand that systems must operate effectively, in addition to being secure, or you get a person who has no clue of why SQL injection is a problem.

    Although IT Audit & IT Security Policy is my bread and butter, I am expanding into online marketing and social media strategy for businesses; to learn more, find me at http://zanderedward.com

    • ITauditSecurity

      Glenn,
      Thanks for all your input.

      I hope you didn’t think my post was implying that I think all IT auditors should come from IT or be extremely technical; I don’t think so, but too many IT auditors I’ve encountered don’t understand Active Directory at all, not even that AD accounts are separate from a server or PC operating system’s local accounts. Another issue I run into with IT auditors is a lack of understanding regarding how the network, applications, and databases work together. Some day I’ll draw up a short list of basics that I would expect IT auditors to know…anyone who wants to start a list, please comment.

      I didn’t say it, but fortunately you did: the reason you need to be a little bit more knowledgeable about IT is so that your clients/subject matter experts (admins, DBAs, security folks) can’t hide an issue behind jargon or “that’s just how it works.”


  2. ITauditSecurity

    coffeeking,
    I found this blurb on a forum, left by “coffeeking” in May 2009. Is this you? Either way, please weigh in on this topic.

    The CISA is “not a technical cert, more of a management cert and from what I have heard it is not one of the tough ones”


  3. I like your ‘My CISA Exam Experience’ post – the humor in test taking. Regarding your short list of basics that you would expect IT auditors to know – I would like a copy of the list. Thank you.


  4. Fawzan

    Hi Mack,

    I need your advice on the upcoming CISA 2016 exam. Firstly, I want to say your website is extremely helpful in preparing for the CISA! Keep up the good work.

    Coming to my question, I am registered to take the CISA exam this coming June. In order to prepare for the exam, I have purchased the 2016 CISA Review Manual. I had a question in regards to the 2016 CISA Review Questions, Answers & Explanations Database – 12 Month Subscription. The thing is, my friend lent me his 2013 CISA Practice Question Database v13 (CD-ROM), which he used for the 2013 exam. Would practicing from this one suffice, or do you folks recommend that I buy the new one? The changes between the 2016 and 2013 manuals are minimal. Is it still worth buying the new Q&A database?

    Appreciate your help.

    Thanks!
