About the CISA Exam and Content Areas


The Information Systems Audit and Control Association (ISACA) developed the Certified Information Systems Auditor (CISA) program in 1978 to accomplish these goals:

  • Develop and maintain a testing instrument that could be used to evaluate an individual's competency in conducting information systems audits

  • Provide a mechanism for motivating information systems auditors to maintain their competencies and monitoring the success of the maintenance programs

  • Aid top management in developing a sound information systems audit function by providing criteria for personnel selection and development

The CISA program is designed to assess and certify individuals in the IS audit, control, or security profession who demonstrate exceptional skill, judgment and proficiency in IS audit, control, and security practices.

More than 35,000 professionals have earned the CISA certification since inception, and the certification is widely respected as a premier information security and information systems auditing accreditation. The certification continues to grow in acceptance and employer desirability; more than 15,000 candidates are expected to register for the 2005 exam (15% growth from 2004).

The CISA exam is offered only once per year, in early June; the exam for 2005 is offered on June 11. You may register as early as February 2, 2005, and the registration deadline is March 30, 2005. You should note that this exam is not computerized and is not provided through conventional testing centers such as Prometric or Vue. You may register online at www.isaca.org or take the exam at any ISACA chapter location. The current published exam registration fee is $385 for members and $505 for nonmembers. The best place to learn more about the CISA certification and the CISA exam is www.isaca.org.

The Information Systems Audit and Control Association states that the tasks and knowledge required of today's and tomorrow's information systems audit professional serve as the blueprint for the CISA examination. These areas are defined through a Practice Analysis that is conducted at regular intervals and consists of both process and content components in a CISA's job function. Accordingly, exams consist of tasks that are routinely performed by a CISA and the required knowledge to perform these tasks.

How valuable is the CISA certification to employers and individuals? Sometimes the best measure of a certification's value is reflected by how certification holders feel about the certification after having achieved it. In 2001, ISACA surveyed its membership to obtain feedback from CISA certified professionals as to whether obtaining the certification had advanced their careers. Seventy-one percent of members holding the CISA certification affirmed the value of the certification toward career advancement, and 75% of all members, certified and noncertified alike, felt that the CISA certification would be valuable for career advancement in the future.

Another measure of a certification's value can be found by assessing the desirability of the certification to employers. How many employers desire the certification as an employment prerequisite? Looking to popular job boards on the Internet such as Monster.com, TotalJobs.com, and Workthing.com, we can see that the quantity and quality of jobs requiring CISA certification are growing every month.

What is driving the employer demand for the CISA certification? Companies are under growing pressure to improve, document, and test their methods for managing information. As the late Dr. W. E. Deming (1900-1993) was able to prove, the quest for quality of processes and product is achieved through careful measurement of what exists, thorough analysis of defects, and effective remediation and correction. The quest for quality is just that: a quest. This means that quality improvement is an ongoing process that requires continuous reassessment. Assessing the capability of information systems to support business goals while maintaining information confidentiality, integrity, and reliability is exactly what a Certified Information Systems Auditor (CISA) does well.

It is easy enough to create and implement a technology for processing information, which is what the majority of individuals within the information technology (IT) industry are tasked with. However, using IT to facilitate communication and information management is only half the story. Today we need to make sure that IT not only does what it is supposed to do, but also that it will not do what it is not supposed to do. For example, we have created systems to facilitate online commerce and transaction processing. Will those same systems ensure that no transactional errors occur? Will those systems resist accidental or purposeful and malicious modification of data? Do the systems protect the information confidentiality well enough to comply with new privacy laws and standards? We cannot know the answers to these questions unless we have professionally reviewed, measured, and tested the systems. Again, this is what a CISA does.

Although many organizations strive to ensure quality of processes and manufacturing according to ISO standards such as the ISO 9000 series for competitive reasons, other organizations are forced to invest in quality assurance to comply with the law. Either way, most organizations are spending increasing amounts of money to improve corporate governance. We draw on this example to show the importance of improving IT governance in today's corporate and governmental environment.

In the United States, the healthcare industry is painfully aware of the effects the Health Insurance Portability and Accountability Act (HIPAA) has had on how it does business and manages information. How does an affected healthcare entity prove systems compliance with HIPAA? Why, an audit must be performed! Who directs or assists such a specialized systems audit? Finding someone certified to perform professional systems audits might be a good start. A CISA perhaps?

Likewise, other U.S. legislation, such as the Gramm-Leach-Bliley Act of 1999 (affecting financial institutions) and the Sarbanes-Oxley Act of 2002 (affecting all organizations that are publicly traded on the New York Stock Exchange), is forcing companies to change the way they do business and manage information. Other countries around the world have instituted similar laws or are in the process of creating similar laws. Just look at the United Kingdom's Combined Code, more commonly known as the Turnbull report, and you will see what we mean. Proving compliance with any legislation requires testing and documentation. Testing and documentation of systems controls is what a CISA systems auditor does. The simple fact is that there are new and compelling reasons for companies and government agencies to increase and improve systems auditing, and they need CISA professionals to help them.

The CISA examination is quite broad in scope. The following is a brief description of each topic area. As we move through the chapters, we cover each area in greater detail and provide a map for navigating the CISA exam.

  • Area 1: Management, planning, and organization of IS comprise 11% of the exam. Evaluate strategy, policies, standards, procedures, and related practices for the management, planning, and organization of IS.

  • Area 2: Technical infrastructure and operational practices comprise 13% of the exam. Evaluate the effectiveness and efficiency of the organization's implementation and ongoing management of technical and operational infrastructure to ensure that they adequately support the organization's business objectives.

  • Area 3: Protection of information assets comprises 25% of the exam. Evaluate IT infrastructure security to ensure that it satisfies the organization's business requirements for safeguarding information assets against unauthorized use, disclosure, modification, damage, and loss.

  • Area 4: Disaster recovery and business continuity comprise 10% of the exam. Evaluate the process for developing and maintaining documented, communicated, and tested plans for the continuity of business operations and IS processing in the event of a disruption.

  • Area 5: Business application system development, acquisition, implementation, and maintenance comprise 16% of the exam. Evaluate the methodology and processes by which the business application system development, acquisition, implementation, and maintenance are undertaken to ensure that they meet the organization's business objectives.

  • Area 6: Business process evaluation and risk management comprise 15% of the exam. Evaluate business systems and processes to ensure that risks are managed in accordance with the organization's business objectives.

  • Area 7: The IS audit process comprises 10% of the exam. Conduct IS audits in accordance with generally accepted IS audit standards and guidelines to ensure that the organization's information technology and business systems are adequately controlled, monitored, and assessed.

Reference: www.isaca.org

Exam Cram 2. CISA
Cisa Exam Cram 2
ISBN: B001EEFNHG
EAN: N/A
Year: 2005
Pages: 146