Certified Information Systems Auditors in the Real World


In the next section, I describe an ideal CISA candidate, knowing full well that only a few actual candidates meet this ideal. In fact, my description of that ideal candidate might seem downright scary. But take heart; although the requirements to obtain a CISA certification may seem formidable, they are by no means impossible to meet. However, you should be keenly aware that it does take time, requires some expense, and calls for a substantial effort.

You can get all the real-world motivation you need from knowing that many others have gone before you. You can follow in their footsteps. If you're willing to tackle the process seriously and do what it takes to gain the necessary experience and knowledge, you can take, and pass, the certification exam. In fact, the Exam Crams and the companion Exam Preps are designed to make it as easy as possible for you to prepare for these exams, but prepare you must!

The Ideal ISACA Certified Information Systems Auditor Candidate

Just to give you some idea of what an ideal Certified Information Systems Auditor candidate is like, here are some relevant statistics about the background and experience such an individual should have. ISACA requires the following for CISA certification (these details are listed on ISACA's website at www.isaca.org):

  • Successful completion of the CISA examination

  • Information systems auditing, control, or security experience

  • Adherence to ISACA's Code of Professional Ethics

  • Adherence to the continuing professional education program

  • Compliance with the information systems auditing standards

Taking a closer look at the experience requirements, ISACA explains that a CISA candidate should have the following:

  • A minimum of five years of professional IS auditing, control, or security work experience.

  • Substitution and waivers of such experience may be obtained as follows:

    • A maximum of one year of information systems experience OR one year of financial or operational auditing experience can be substituted for one year of information systems auditing, control, or security experience.

    • 60 to 120 completed college semester credit hours (the equivalent of an Associate's or Bachelor's degree) can be substituted for one or two years, respectively, of information systems auditing, control, or security experience.

    • Two years as a full-time university instructor in a related field (such as computer science, accounting, or information systems auditing) can be substituted for one year of information systems auditing, control, or security experience.

Experience must have been gained within the 10-year period preceding the application for certification or within 5 years from the date of initially passing the examination. Application for certification must be submitted within five years from the passing date of the CISA exam. All experience will be verified independently with employers.

I believe that well under half of all certification candidates meet these requirements. In fact, most probably meet less than half of these requirements (that is, at least when they begin the certification process). However, because all those who have their certifications already survived this ordeal, you can survive it, too, especially if you heed what this Self-Assessment can tell you about what you already know and what you need to learn.

Put Yourself to the Test

The following series of questions and observations is designed to help you figure out how much work you'll face in pursuing CISA certification and what kinds of resources you can consult on your quest. Be absolutely honest in your answers, or you'll end up wasting money on an exam you're not ready to take. There are no right or wrong answers, only steps along the path to certification. Only you can decide where you really belong in the broad spectrum of aspiring candidates.

Two things should be clear from the outset, however:

  • Even a modest background in computer science will be helpful.

  • Hands-on experience with testing, documenting, and advising on internal systems controls is an essential ingredient for certification success.

Educational Background

  1. Have you ever taken any computer-related classes? (Yes or No)

    If yes, proceed to question 2; if no, proceed to question 4.

  2. Have you taken any classes on formal systems audit concepts and practices? (Yes or No)

    If yes, you will probably be able to handle the questions about the "best" way to respond to key systems-auditing issues. If you're rusty, brush up on the formal frameworks, standards, and procedures for systems auditing, and maybe even attend a short CISA preparation review seminar before taking the exam. Such courses are offered by ISACA chapters themselves or can be found at professional information security and systems auditing training centers such as Certified Tech Trainers (www.certifiedtechtrainers.com). If the answer is no, consider some professional training in this area. I strongly recommend a good high-level systems auditing class, such as "IT Auditing and Assurance," provided by Certified Tech Trainers. If this title doesn't appeal to you, ISACA has recommendations for other resources (www.isaca.org).

  3. Have you taken any networking concepts or technologies classes? (Yes or No)

    If yes, you will probably be able to handle the networking terminology, concepts, and technologies (but brace yourself for frequent departures from normal usage). If you're rusty, brush up on basic networking concepts and terminology. If your answer is no, you might want to check out some titles on the Transmission Control Protocol/Internet Protocol (TCP/IP).

  4. Have you done any reading on systems auditing frameworks and standards? (Yes or No)

    If yes, review the requirements from questions 2 and 3. If you meet them, move to the next section, "Hands-On Experience." If you answered no, consult the recommended reading for both topics. This kind of strong background will be of great help in preparing for the CISA exam.

  5. Are you knowledgeable and experienced in risk-management concepts and practices? Fully 60% of a systems auditor's job is ensuring that the organization being audited has handled risk appropriately. If you answered yes to this question, your intuition for "best auditing practices" will be much keener and more accurate. If you answered no to this question, you should consider attending a professional instructor-led class on systems auditing. Books do not seem to be well suited to transferring risk management perspective gained from experience.

Hands-On Experience

Another important key to success on all ISACA tests is hands-on experience. If I leave you with only one realization after taking this Self-Assessment, it should be that there's no substitute for time spent performing systems auditing according to frameworks and standards, on which you'll be tested repeatedly and in depth.


You can obtain the exam objectives, practice questions, and get other information about ISACA exams from the ISACA Certification page on the Web at www.isaca.org.



If you have the funds or your employer will pay your way, consider taking a class led by a professional systems-auditing instructor. Systems auditing intertwines widely disparate concepts, and the class will only be as good as the wide scope of knowledge and experience of the instructor leading it.


Testing Your Exam Readiness

Whether you attend a formal class on a specific topic to get ready for an exam or use written materials to study on your own, some preparation for the ISACA certification exams is essential. At up to $505 a try, pass or fail, you want to do everything you can to pass on your first try. Not only can failed attempts be very expensive to your pocketbook, but remember that ISACA provides testing only once per year. If you fail an attempt, you will need to wait an entire year to try again. This delay can often mean much more than the cost of the repeated exam. It can mean that you are not able to obtain or maintain a career in systems auditing! That's where studying comes in.

We have included in this book several practice exam questions for each chapter and two sample tests, so if you don't score well on the chapter questions, you can study more and then tackle the sample tests at the end of the book.

For any given subject, consider taking a class if you've tackled self-study materials, taken the practice test, and failed anyway. If you can afford the privilege, the opportunity to interact with an instructor and fellow students can make all the difference in the world. For information about systems auditing classes, visit the Certification Program page at www.isaca.org, or at www.certifiedtechtrainers.com.

  • Have you taken a practice exam on your chosen test subject? (Yes or No)

    If yes, and you scored 90% or better, you're probably ready to tackle the real thing. If your score isn't above that crucial threshold, keep at it until you break that barrier. If you answered no, go back and study the book some more, and repeat the practice tests. Keep at it until you can comfortably break the passing threshold.


    There is no better way to assess your test readiness than to take a good-quality practice exam and pass with a score of 90% or better. When I'm preparing, I shoot for 95+%, just to leave room for the "weirdness factor" that sometimes shows up on ISACA exams.


One last note: I hope it makes sense to stress the importance of hands-on experience in the context of the exams. As you review the material for the exams, you'll realize that hands-on experience with systems auditing key concepts and best practices is invaluable.

Onward, Through the Fog!

After you've assessed your readiness, undertaken the right background studies, obtained the hands-on experience that will help you understand the products and technologies at work, and reviewed the many sources of information to help you prepare for a test, you'll be ready to take a round of practice tests. When your scores come back positive enough to get you through the exam, you're ready to go after the real thing. If you follow our assessment regimen, you'll not only know what you need to study, but you'll also know when you're ready to take the CISA exam this June. Good luck!



Exam Cram 2. CISA
Cisa Exam Cram 2
ISBN: B001EEFNHG
EAN: N/A
Year: 2005
Pages: 146
