More on the CisA Exam

cisa study guide, tipsThis topic will be assorted rambles and comments regarding what I now call the “CisA” exam. Check out this post that started it all:  Where is the IS in CISA?

– First of all, I realize that different exams are used. The guy next to me (the Deloitte guy) had a different version. But still, shouldn’t all versions contain similar content? Maybe his was all IT and very little audit?

– I have to admit that I’m thrilled that I passed the exam. Like the CISSP, it helps get you in the door. Regardless of what I thought of the exam, it means much more to HR folks and hiring managers. Another confession: the #1 reason I went after the CISA certification is because, in a previous job, I hired contract IT auditors (see Interviewing IT Auditors), and almost every resume I saw during that year had those letters on it. So it was a matter of survival. Did I learn anything? I’m embarrassed to say that what I learned was worth the investment of time and money. Like I said in my About page, “I still have a lot to learn.”  It’s still true. Enough confessions…

– When I took the CISSP exam, I knew I passed. I wasn’t sure about the CISA. I guess that means I know more than I realize.

– One strange exam “help” website I found stated that the CISA is “40% technology + 60% business practice.”[Normally, I link to sites, but I wasn’t comfortable linking my readers to this one. ]  That still wasn’t the percentage on my exam.

– Here’s a telling quote that makes a lot of sense to me!  Wish I would have seen this before the exam. It’s the sixth Q/A on the page:

In our opinion, the $135 ISACA study guide was written for a CPA to gain CISA certification and assumes you already understand the CPA background knowledge. Details a CPA would know about audit rules, responsibilities and duties. This is what led David to write the Sybex study guide designed for use by both beginners and professionals with more experience. [emphasis mine]

One of the books I used was the Sybex. The only reason I bought it was because I learned about a free CISA review seminar being held in my area in two weeks, and it was the only book I could find and buy that weekend. It wasn’t a bad book. I’d rather have used the Shon Harris book.

Ok, I think I’m done ranting about this exam and how little info tech was on it. Anyone want to add anything from their experience?


Read my other CisA rant:  Where is the IS in CISA?

Even more:

Related posts:

** FREE CISA Study Guide **

How to Pass Certification Exams

Top 10 Pay-Boosting Tech Certifications

Top 7 Reasons for Security Certification

What IT Auditors Ought to Know – and Don’t!

Audit and IT Audit for Dummies

IIA Basics for Auditors



Filed under Audit, Certification, Technology

10 responses to “More on the CisA Exam

  1. Aiyeswaria J

    Hi Mack,
    I enjoyed reading your posts! Thank you for providing such wonderful information. My name is Aishu and I would like to seek your advice on taking up either a CISA/CISSP certification. I have my Bachelors in Computer Science & Engineering and a Post Graduate degree in Business Administration. I have 1 year of IT programming experience with an IT MNC in India, and 1 year of Revenue Assurance auditing experience with one of the Big 4 audit consultancy firms. I had to take a break due to personal reasons and I am currently looking out for jobs. I would like to become an IS auditor. Can I go ahead and take up the exam even before gaining the relevant work exp to achieve my certification ? I believe I can gain an exempt of 3 yrs of work exp. Please do correct me if I am wrong. ( 2 yrs exemption for my 4 yr B.E Degree + 1 yr exemption for my 1 yr Non IS audit experience). Is it advisable to take CISA/CISSP at this point of time? (Considering the fact that I am currently unemployed) . I am basically torn between the 2 certifications. Since I have a decent background with respect to IT field, I am sure I can do a good job in preparing for the exams. But I would want to seek your expert opinion regarding the same. I am skeptical about the reqd work exp. Please advice! Thanks a bunch for your time!


  2. Alaa

    Is it possible to study for the exam within 4 months?
    and I don’t have a work experience?


    • Yes. You can take and pass the exam without the required work experience but you can’t call yourself a CISA until ISACA approves your work experience and your application.

      Having the cert and no work experience is much better than no cert and no work experience. So it’s still worth it. Study hard and go for it.


  3. Sir it means that after Passing the Exams. before submitting an application whose sending is on the discretion of applicant, one should have 5 or 10 years of experience for gaining the Certification at full. Is that What you explained to Aishu




    • Alay Raza,
      You must have a “minimum of 5 years of professional information systems auditing, control or security work experience (as described in the CISA job practice areas) is required for certification.” That’s from the first link I gave to Aishu,

      Up to a maximum of 3 years of other experience can be substituted for work experience as noted on the CISA website (see link).

      So, yes, 5 years of experience is required, but 3 of those years can substituted with schooling or other types of related security/control work.


  4. TT

    Hi Mack,

    I sat in the CISA exam yesterday. I have same experience as you have about the exam. I was sure that I would pass my CISSP exam when I was taking it, but for my CISA I am not sure.

    It was a tough exam. The difficulty of questions was average but the way of testing was stressful. 200 questions within 4 hours means roughly 1 question per minute. It is not like CISSP exam. CISA exam is on paper. A paper exam is riskier than the computer one because of “higher control risk”. During the exam I found that I mistakenly put some answers in wrong places. This created more stress.

    The greatest benefit I gained from learning CISA is to have an auditor’s mindset, which enables me to think in an independent and objective way. It is so hard to be an independent thinker in the world we live now. The auditing methodology and techniques I learned at least make me able to have a second thought about some “truths” I used to take for granted.



    • TT,
      Did you encounter much IT material on the exam? I’m always ranting that the exam is too watered down on the IT side.

      Glad to hear you’ve developed an auditor’s mindset. The trick is to be a skeptic without making people feel you mistrust them. Healthy skepticism and mistrust are 2 different things. Skepticism is seeking objective validation that something is true or false; Mistrust just says “no way”, and is often not founded upon truth.

      Stop back and let me hear the results of the exam. I’m sure you did ok, especially since you already have the CISSP.


  5. TT


    I don’t think the exam is as technical as CISSP. One interesting thing from my observation to my CISA exam group is that a few exam takers sounded that they had business background instead of technical background. For example, they talked about CPA exam a lot. A few of them are young, probably just graduated from business school.



    • TT,
      I agree that the CISSP is more technical than the CISA, but my complaint is that the CISA is no where near technical enough. You can understand how to audit, but an IT auditor that does not make.

      I think most people that take the CISA don’t have an IT background or even a basic understanding of technology, which I think is the foundation of IT audit.


Leave a Comment

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.