This past December I took the ISACA CISA exam and I’m pleased to announce that last week, I got my confirmation letter stating that I passed in the top 10 percentile of fellow test takers!

With the test passed and the experience still very fresh on my mind, I felt I should take the opportunity to share my experience and any advice to aid my fellow aspiring Certified Information Systems Auditors (CISA) out there!

What was the CISA Exam Like!?

I’ll get straight to answering the question I assume 99% of the people who stumble onto this blog are looking for.

The name of the certification is “Certified Information Systems auditor” yet I felt like the content was a bit light on the information systems side. This might be personal bias, since I have a very technical background and most of what was covered on the exam from a technical standpoint was fairly lightweight to me.

Instead, I felt like a lot more attention was given to IT governance (for example, what is the appropriate role of the board of directors, senior management, audit staff, etc.) and things like Disaster Recovery and Vendor Management. (Side Note: After studying and sitting for the CISA exam I’ve come to realize most of the organizations I audit are not giving their disaster recovery planning enough attention!)

There were also a fair number of questions on actual audit processes, like which kind of control is best in what situation (detective vs. preventative controls, automated controls, and so forth). The takeaway here is that if you aren’t highly technical, you should be fine.

CISA Test Prep

To prepare for the CISA, I relied heavily on ISACA’s official study materials. I primarily ran through their 1150 question test database and review manual. I also referred to a free CISA study guide put together by Mack over at the ITAuditSecurity blog.

The Book

The ISACA review manual was helpful as a support text for topics I encountered while running through the test database. I strongly suggest you DO NOT read the review manual from front to back as you would a traditional text book. You’ll quickly become bored to tears and start contemplating new career choices. Instead, skim the book for key concepts and terms.

Test Database Questions

What was most surprising to me upon actually taking the CISA was that none of the questions in the official ISACA test database showed up on the exam. (Christian, the co-author of this blog, said that when he took the exam the test database was very similar to the exam.) Simply running through the test database and memorizing answers will not help you (at least in my experience). It is much more important that you take the test questions, read the explanations ISACA gives you, and then follow up in their review manual for more details.

Thankfully, I took the time to properly prepare and didn’t try to “pump and dump” for this exam. The exam did force me to actually think through many of the questions.

What is the CISA Test Taking Experience Like?

I sat for the CISA in Atlanta, GA. The test taking environment was extremely controlled with three proctors walking the room for the duration of the exam.

We were asked to empty our pockets and put any personal items at the front of the room when entering. Cell phones were not allowed in the exam space and had to be checked at the front desk before entering.

During the test, only one person was allowed to go to the restroom at a time, and a proctor stood outside the door of the restroom while you went. The only things allowed on the desk during the test were a few #2 pencils and an eraser. I saw some people have their erasers inspected (because they were covered in a paper wrapping). If the leads broke on all your pencils during the test, you were out of luck, and you were warned of that ahead of time.

The test was all Scantron (fill in the bubble), multiple choice and consisted of 200 questions. I finished the exam in about an hour and a half of the four hours allotted. I was among the first to complete the exam. We were warned repeatedly that there was a zero tolerance policy for breaking any rules and the proctors appeared to take the rules very seriously.

In the lobby there were free refreshments (including a soda fountain machine and a Keurig coffee machine) and parking was partially validated for us. The test taking environment was very nice.

Anyone else a CISA? Do you have any pressing questions I didn’t address? Share your questions and experiences in the comments.