Certified Information Systems Auditor (CISA)

What is Certified Information Systems Auditor (CISA)?

The Certified Information Systems Auditor (CISA) is a certification and a globally recognized standard for appraising an IT auditor's knowledge, expertise and skill in assessing vulnerabilities and instituting IT controls in an enterprise environment.

This certification is issued by ISACA to people in charge of ensuring an organization's IT and business systems are monitored, managed and protected. It is presented after completion of a comprehensive testing and application process. It is designed for IT auditors, audit managers, consultants and security professionals.

Attaining CISA certification is considered beneficial because it is accepted by employers worldwide and is often requested for IT audit and security information management (SIM) positions. The certification provides the holder with greater visibility throughout the job application process since most recruiters prefer and keep an eye out for IT auditors with a CISA certification.

Responsibilities of a Certified Information Systems Auditor

The primary duties of a CISA include:

  • Implementing an audit strategy for information systems (IS) that is based on risk management.
  • Planning audits that can be used to determine whether or not IT assets are protected, managed and valuable.
  • Executing the audits in compliance with the organization's set standards and objectives.
  • Sharing audit results and providing recommendations to management based on the results.
  • Performing follow-up examinations of the audits to ensure management has carried out the recommended actions.

A CISA's responsibilities often extend beyond auditing control. They are expected to work with management to confirm organizational processes, plans for implementation and operation of the deployed systems, and promote the organization's objectives and strategies.

This includes evaluating:

  • risk management practices;
  • IT portfolio and resource management;
  • strategies for business-IT alignment;
  • business continuity and disaster recovery strategies;
  • IT policies, standards, processes and procedures within the organization;
  • the value of the IT control framework; and
  • the management and monitoring of IT personnel, the IT organizational structure and controls.

After systems are implemented, CISAs must continue to monitor various areas to ensure successful deployment of the systems. This includes conducting project and post-implementation reviews. Other responsibilities include evaluating:

  • the business case for the proposed system;
  • controls for the IS;
  • IT supplier selection and contract management processes;
  • the project management framework and controls; and
  • the preparedness of the IS.

Once the system is implemented, the CISA is responsible for evaluating:

Finally, a CISA is responsible for working with management to ensure that the security standards, policies, procedures and controls within the organization preserve the integrity, confidentiality and availability of information assets.

How to become a Certified Information Systems Auditor

In order to become CISA certified, applicants must complete the following five steps:

  1. Successfully complete and pass the CISA exam.
  2. Apply for CISA certification.
  3. Adhere to ISACA's Code of Professional Ethics.
  4. Follow ISACA's Continuing Professional Education Program.
  5. Comply with ISACA's Information Systems Auditing Standards.

ISACA asks that all CISA applicants complete five years of professional IS auditing, control, assurance or security work, but substitutions and waivers can be obtained. For example, one year of IS experience or one year of non-IS auditing can be substituted for one year of experience. Also, 60 to 120 university semester credit hours (a two-year to four-year degree) can replace one or two years of experience, respectively. Two years as a full-time instructor within the related field at a university can also replace one year of experience.

Work experience must be within the 10 years prior to a candidate's application submission or within five years of a passed CISA exam. The candidate must also show adherence to ISACA's Code of Professional Ethics and Information Systems Auditing Standards. Once these criteria are met, the candidate can successfully apply for certification.

About the CISA exam

The CISA exam is open to any individual who expresses an interest in IS auditing, control and security. It is four hours long and consists of 150 multiple-choice questions set around five job practice domains:

  • Information Systems Auditing Process
  • Governance and Management of IT
  • Information System Acquisition, Development and Implementation
  • Information Systems Operations and Business Resilience
  • Protection of Information Assets

A score of 450 or higher (scored on a scale of 200 to 800) is required to pass the exam. It can be taken at any time in testing locations worldwide and remotely online. The exam is offered in English, Chinese Mandarin Simplified, Chinese Traditional, French, German, Italian, Japanese, Korean, Spanish and Turkish.

How to prepare for the CISA exam

Individuals looking to prepare for the exam can take advantage of preparation materials that are available through ISACA. Many ISACA chapters also host CISA exam review courses. It is recommended that people preparing for the exam take as many practice tests as possible in addition to studying the ISACA Review Manual and learning to think like an accountant.

Adopting an accountant's mindset is beneficial because most of the people who write the CISA exam either work as accountants or in the financial services industry. Therefore, by thinking like an accountant, a test-taker can gain a greater understanding of the questions and answers and the way they were written.

If a CISA candidate passes the exam, they will be sent the information needed to apply for the CISA certificate. However, they must first ensure they have met the work experience requirements.

How to maintain CISA certification

CISA applicants and certification holders must abide by ISACA's Continuing Professional Education (CPE) program. This training is to ensure that CISAs stay up to date and proficient in their fields.

The goals of the CPE program include:

  • Monitoring IS audit, control and security professionals' maintenance of knowledge and capabilities.
  • Distinguishing qualified CISAs from those who have not met the requirements and cannot continue their certification.
  • Assisting top management in the construction of stable IS audit, control and security functions with suggestions and criteria for personnel selection, training and development.
  • Preserving an individual's CISA capabilities by updating existing knowledge and skills within IS auditing, control and security.

ISACA requires maintenance fees and a minimum of 20 CPE hours annually, plus an additional 120 contact hours during a fixed three-year period.

Benefits of a CISA certification

The CISA certification is recognized worldwide as the sign of an individual's excellence within information system auditing. Benefits of a CISA certification include:

  • A competitive advantage in the job market and for career growth.
  • Increased value of the individual within the organization.
  • Increased credibility in the workplace. This is due to the combination of the achievement of passing the exam and the recognition of work and educational experience.
  • Assistance meeting high professional standards with ISACA's requirements and Continuing Professional Education program.
  • Confirmation of an individual's knowledge, experience and expertise in the field, and demonstration of their ability to successfully meet challenges that may arise.

CISA certification can also impact an individual's salary. Professionals with CISA certification often make between $52,459 and $122,326 per year. Internal audit directors are one of the highest paid positions with a CISA certificate. This position can make around $136,082 per year.

This was last updated in October 2021
