Well, I think I figured it out. So what clarified my understanding? I took the CISA exam.
ISACA’s CISA Self-Assessment
To test my theory, I reviewed ISACA’s own CISA Self-Assessment exam (get it here), a 50-question test that allows exam candidates to “assess their knowledge of the CISA job practice areas and determine in which information security areas they may have strengths and weaknesses.” By my count, 35 of the 50 questions on the assessment are IT and/or security related, and the rest focus more on general auditing principles.
ISACA’s website states that the questions on the self-assessment “are not actual CISA exam items, but are representative of items that have appeared on the exam.” I dispute that claim.
If the actual exam that I took had that large a percentage of IT/security questions on it, I wouldn’t be ranting right now; however, the exam I took was mostly general auditing with very few IT/security questions. By my estimate, my exam was more like 70% audit and only 30% IT and security questions.
Keep in mind that 4 of the 6 domains* tested relate to IT and security:
Systems and Infrastructure Lifecycle Management (16%)
IT Service Delivery and Support (14%)
Protection of Information Assets (31%)
Business Continuity and Disaster Recovery (14%)
*Some time after I wrote this, ISACA revised the domain names and content, so that’s why they don’t match the current domains.
And one relates to Audit: IS Audit Process (10%). So what happened?
My CISA Exam Experience
In all that I read about the exam before taking it, and all the studying I did (I used several different materials, including the ISACA books and questions), I never saw anything that said, “Don’t expect an IT exam.” Rather, it appeared that the exam was at least 50% IT and 50% audit. That was NOT my experience at all.
When I mentioned my surprise to a friend who passed the exam previously, she said, “Oh, yeah, it’s an audit exam, not an IT exam.” Several of my fellow testers said the same thing: “Where’s the IT beef?”
Which brings me back to my original point: no wonder so few IT auditors understand information technology; the gold standard exam doesn’t require it!
Other things that surprised me about the exam:
- Even though the exam email I received forbade bringing cell phones, bags, and a host of other things to the exam, people did it. No one cared.
- The proctor told everyone not to break the seal on the exam papers (it was a written exam) until instructed. The Deloitte guy sitting next to me broke the seal right away and opened the exam, but no one noticed. Not sure if he didn’t hear or didn’t care. If caught, he could have been disqualified and told to leave the room (I doubt that would have been enforced).
- One of the urinals in the nearby bathroom couldn’t handle the stress of the exam and overflowed continuously for at least an hour. Even stranger than that, most of the water flowed down a crack in the wall even though a drain was directly below the urinal.
- Only about half the people finished and left within 3 hours. When I took the CISSP, most people had left by the 3-hour mark. I think that the CISSP exam was harder technically, but it’s also a more technical exam.
- Finally, unlike the CISSP, hardly any of the study questions from ISACA or other sources appeared on the CISA exam. Out of 200 exam questions, somewhere between 5 and 10 questions were similar (I used about 2500 study questions).
What Do You Think?
I still think the certification was worth getting: I learned some new insights during the process, and it helps my resume. I’d just like to see more IS basics on the exam.
For those of you who’ve taken the exam, what’s your opinion? Agree or disagree? When you leave a comment, please indicate whether you’ve worked in IT and how many years.
If you haven’t taken the exam yet, what have you heard or read? I’d be interested in all viewpoints.
And yes, I did pass. But what does that mean? I’m well-versed in general audit principles and techniques? And the IT part is easy to fake?
* For the reasons I don’t hire some IT auditors, see my “interviewing auditors” series, which starts with Interviewing IT Auditors.