This topic will be assorted rambles and comments regarding what I now call the “CisA” exam. Check out this post that started it all: Where is the IS in CISA?
– First of all, I realize that different exams are used. The guy next to me (the Deloitte guy) had a different version. But still, shouldn’t all versions contain similar content? Maybe his was all IT and very little audit?
– I have to admit that I’m thrilled that I passed the exam. Like the CISSP, it helps get you in the door. Regardless of what I thought of the exam, it means much more to HR folks and hiring managers. Another confession: the #1 reason I went after the CISA certification is because, in a previous job, I hired contract IT auditors (see Interviewing IT Auditors), and almost every resume I saw during that year had those letters on it. So it was a matter of survival. Did I learn anything? I’m embarrassed to say that what I learned was worth the investment of time and money. Like I said in my About page, “I still have a lot to learn.” It’s still true. Enough confessions…
– When I took the CISSP exam, I knew I passed. I wasn’t sure about the CISA. I guess that means I know more than I realize.
– One strange exam “help” website I found stated that the CISA is “40% technology + 60% business practice.”[Normally, I link to sites, but I wasn’t comfortable linking my readers to this one. ] That still wasn’t the percentage on my exam.
– Here’s a telling quote that makes a lot of sense to me! Wish I would have seen this before the exam. It’s the sixth Q/A on the page:
In our opinion, the $135 ISACA study guide was written for a CPA to gain CISA certification and assumes you already understand the CPA background knowledge. Details a CPA would know about audit rules, responsibilities and duties. This is what led David to write the Sybex study guide designed for use by both beginners and professionals with more experience. [emphasis mine]
One of the books I used was the Sybex. The only reason I bought it was because I learned about a free CISA review seminar being held in my area in two weeks, and it was the only book I could find and buy that weekend. It wasn’t a bad book. I’d rather have used the Shon Harris book.
Ok, I think I’m done ranting about this exam and how little info tech was on it. Anyone want to add anything from their experience?
————
Read my other CisA rant: Where is the IS in CISA?
Even more:
Related posts:
** FREE CISA Study Guide **
How to Pass Certification Exams
Top 10 Pay-Boosting Tech Certifications
Top 7 Reasons for Security Certification
What IT Auditors Ought to Know – and Don’t!
ITauditSecurity 
Hi Mack,
I enjoyed reading your posts! Thank you for providing such wonderful information. My name is Aishu and I would like to seek your advice on taking up either a CISA/CISSP certification. I have my Bachelors in Computer Science & Engineering and a Post Graduate degree in Business Administration. I have 1 year of IT programming experience with an IT MNC in India, and 1 year of Revenue Assurance auditing experience with one of the Big 4 audit consultancy firms. I had to take a break due to personal reasons and I am currently looking out for jobs. I would like to become an IS auditor. Can I go ahead and take up the exam even before gaining the relevant work exp to achieve my certification ? I believe I can gain an exempt of 3 yrs of work exp. Please do correct me if I am wrong. ( 2 yrs exemption for my 4 yr B.E Degree + 1 yr exemption for my 1 yr Non IS audit experience). Is it advisable to take CISA/CISSP at this point of time? (Considering the fact that I am currently unemployed) . I am basically torn between the 2 certifications. Since I have a decent background with respect to IT field, I am sure I can do a good job in preparing for the exams. But I would want to seek your expert opinion regarding the same. I am skeptical about the reqd work exp. Please advice! Thanks a bunch for your time!
LikeLike
Aishu,
Glad you find the blog helpful!
Yes, you can take the exam before you have all the work experience. According to ISACA at http://www.isaca.org/Certification/CISA-Certified-Information-Systems-Auditor/How-to-Become-Certified/Pages/default.aspx?gclid=CMiZm-DN_rkCFYxcMgod8DgAOA
“It is important to note that many individuals choose to take the CISA exam prior to meeting the experience requirements.
This practice is acceptable and encouraged although the CISA designation will not be awarded until all requirements are met.
The work experience for CISA certification must be gained within the 10-year period preceding the application date for certification or within 5 years from the date of originally passing the exam. The CISA Application for Certification is available at http://www.isaca.org/cisaapp. Note that candidates have 5 years from the passing date to apply for certification.”
If you want to be an IS Auditor, go for the CISA. It applies directly to audit, whereas the CISSP, while helpful, isn’t as good as the CISA for auditors. Employers look for the CISA, not the CISSP.
You might find my answers to similar questions helpul–see https://itauditsecurity.wordpress.com/2013/06/17/ask-a-question/ and CISA vs CISSP at https://itauditsecurity.wordpress.com/2013/05/28/why-cissp/
Best wishes!
LikeLike
Is it possible to study for the exam within 4 months?
and I don’t have a work experience?
LikeLike
Yes. You can take and pass the exam without the required work experience but you can’t call yourself a CISA until ISACA approves your work experience and your application.
Having the cert and no work experience is much better than no cert and no work experience. So it’s still worth it. Study hard and go for it.
LikeLike
Sir it means that after Passing the Exams. before submitting an application whose sending is on the discretion of applicant, one should have 5 or 10 years of experience for gaining the Certification at full. Is that What you explained to Aishu
Thanks
ALAY RAZA
LikeLike
Alay Raza,
You must have a “minimum of 5 years of professional information systems auditing, control or security work experience (as described in the CISA job practice areas) is required for certification.” That’s from the first link I gave to Aishu,
Up to a maximum of 3 years of other experience can be substituted for work experience as noted on the CISA website (see link).
So, yes, 5 years of experience is required, but 3 of those years can substituted with schooling or other types of related security/control work.
LikeLike
Hi Mack,
I sat in the CISA exam yesterday. I have same experience as you have about the exam. I was sure that I would pass my CISSP exam when I was taking it, but for my CISA I am not sure.
It was a tough exam. The difficulty of questions was average but the way of testing was stressful. 200 questions within 4 hours means roughly 1 question per minute. It is not like CISSP exam. CISA exam is on paper. A paper exam is riskier than the computer one because of “higher control risk”. During the exam I found that I mistakenly put some answers in wrong places. This created more stress.
The greatest benefit I gained from learning CISA is to have an auditor’s mindset, which enables me to think in an independent and objective way. It is so hard to be an independent thinker in the world we live now. The auditing methodology and techniques I learned at least make me able to have a second thought about some “truths” I used to take for granted.
TT
LikeLike
TT,
Did you encounter much IT material on the exam? I’m always ranting that the exam is too watered down on the IT side.
Glad to hear you’ve developed an auditor’s mindset. The trick is to be a skeptic without making people feel you mistrust them. Healthy skepticism and mistrust are 2 different things. Skepticism is seeking objective validation that something is true or false; Mistrust just says “no way”, and is often not founded upon truth.
Stop back and let me hear the results of the exam. I’m sure you did ok, especially since you already have the CISSP.
LikeLike
Mack,
I don’t think the exam is as technical as CISSP. One interesting thing from my observation to my CISA exam group is that a few exam takers sounded that they had business background instead of technical background. For example, they talked about CPA exam a lot. A few of them are young, probably just graduated from business school.
TT
LikeLike
TT,
I agree that the CISSP is more technical than the CISA, but my complaint is that the CISA is no where near technical enough. You can understand how to audit, but an IT auditor that does not make.
I think most people that take the CISA don’t have an IT background or even a basic understanding of technology, which I think is the foundation of IT audit.
LikeLike