+++
date = 2021-12-04
title = "I Passed the CISA!"
description = ""
draft = false
+++

# What is the CISA?

For those of you lucky enough not to be knee-deep in the world of IT/IS
Auditing, [CISA](https://www.isaca.org/credentialing/cisa) stands for Certified
Information Systems Auditor. This certification and exam are part of ISACA's
suite of certifications. As I often explain it to people like my family, it
basically means you're employed to use your knowledge of information systems,
regulations, common threats, risks, etc. in order to assess an organization's
current control of their risk. If a risk isn't controlled (and the company
doesn't want to accept the risk), an IS auditor will suggest implementing a
control to address that risk.

Now, the CISA certification itself is, in my opinion, the main certification for
this career. While certifications such as the CPA or CISSP are beneficial,
nothing matches the power of the CISA for an IS auditor when it comes to getting
hired, getting a raise/bonus, or earning respect in the field.

However, to be honest, I am a skeptic of most certifications. I understand the
value they hold in terms of how much you need to commit to studying or learning
on the job, as well as the market value for certifications such as the CISA. But
I also have known some very ~~incompetent~~ *less than stellar* auditors who
have CPAs, CISAs, CIAs, etc.

The same goes for most industries: if a person is good at studying, they can
earn the certification. However, that knowledge means nothing unless you're
actually able to use it in real life and perform as expected of a certification
holder. The challenge comes when people are hired or connected strictly because
of their certifications or resume; you need to see a person work before you can
assume that holding a CISA makes them better than someone without one.

Okay, rant over. Certifications are generally accepted as a measuring stick of
commitment and quality of an employee, so I am accepting it too.

# Exam Content

The CISA is broken down into five sections, each weighted with a percentage of
test questions that may appear.

![CISA exam sections](https://img.cleberg.net/blog/20211204-i-passed-the-cisa/cisa-exam-sections.png)

Since the exam contains 150 questions, here's how those sections break down:

| Exam Section    | Percentage of Exam | Questions |
|-----------------|--------------------|-----------|
| 1               | 21%                | 32        |
| 2               | 17%                | 26        |
| 3               | 12%                | 18        |
| 4               | 23%                | 34        |
| 5               | 27%                | 40        |
| **Grand Total** | **100%**           | **150**   |

# My Studying Habits

This part is a little hard for me to break down into specific detail due to the
craziness of the last year. While I officially purchased my studying materials
in December 2020 and opened them to "start studying" in January 2021, I really
wasn't able to study much due to the demands of my job and personal life.

Let me approach this from a few different viewpoints.

## Study Materials

Let's start by discussing the study materials I purchased. I'll be referring
to #1 as the CRM and #2 as the QAE.

1. [CISA Review Manual, 27th Edition | Print](https://store.isaca.org/s/store#/store/browse/detail/a2S4w000004KoCbEAK)
2. [CISA Review Questions, Answers & Explanations Manual, 12th Edition | Print](https://store.isaca.org/s/store#/store/browse/detail/a2S4w000004KoCcEAK)

The CRM is an excellent source of information and could honestly serve most IS
auditors as a learning reference during their daily audit responsibilities.
However, it is **full** of information and can be overwhelming if you're not
good at filtering out irrelevant material while studying.

The QAE is the real star of the show here. This book contains 1000 questions,
separated by exam section, and a practice exam. My only complaint about the QAE
is that each question is immediately followed with the correct answer and
explanations below it, which means I had to use something to constantly cover
the answers while I was studying.

I didn't use the online database version of the QAE, but I've heard that it's
easier to use than the printed book. However, it is more expensive ($299
database vs $129 book) which might be important if you're paying for materials
yourself.

In terms of question difficulty, I felt that the QAE was a good representation
of the actual exam. I've seen a lot of people online say it wasn't accurate to
the exam or that it was much easier/harder, but I disagree with all of those.
The exam was fairly similar to the QAE, just focusing on whichever topics they
chose for my version of the exam.

If you understand the concepts, skim the CRM (and read in-depth on topics you
struggle with), and use the QAE to continue practicing exam-like questions, you
should be fine. I didn't use any online courses, videos, etc. - the ISACA
materials are more than enough.

## Studying Process

While I was able to briefly read through sections 1 and 2 in early 2021, I had
to stop and take a break from February/March to September. I switched jobs in
September, which allowed me a lot more free time to study.

In September, I studied sections 3-5, took notes, and did a quick review of the
section topics. Once I felt comfortable with my notes, I took a practice exam
from the QAE manual and scored 70% (105/150).

Here's a breakdown of my initial practice exam:

| Exam Section    | Incorrect | Correct | Grand Total | Percent |
|-----------------|-----------|---------|-------------|---------|
| 1               | 8         | 25      | 33          | 76%     |
| 2               | 5         | 20      | 25          | 80%     |
| 3               | 6         | 12      | 18          | 67%     |
| 4               | 10        | 23      | 33          | 70%     |
| 5               | 16        | 25      | 41          | 61%     |
| **Grand Total** | **45**    | **105** | **150**     | **70%** |

As I expected, my toughest sections were related to project management,
development, implementation, and security.

This just leaves October and November. For these months, I tried to practice
every few days, doing 10 questions for each section, until the exam. This came
out to 13 practice sessions, ~140 questions per section, and ~700 questions
total.

While some practice sessions were worse and some were better, the final results
were similar to my practice exam results. As you can see below, my averages were
slightly worse than my practice exam. However, I got in over 700 questions of
practice and, most importantly, *I read through the explanations every time I
answered incorrectly and learned from my mistakes*.

| Exam Section    | Incorrect | Correct | Grand Total | Percent |
|-----------------|-----------|---------|-------------|---------|
| 1               | 33        | 108     | 141         | 77%     |
| 2               | 33        | 109     | 142         | 77%     |
| 3               | 55        | 89      | 144         | 62%     |
| 4               | 52        | 88      | 140         | 63%     |
| 5               | 55        | 85      | 140         | 61%     |
| **Grand Total** | **228**   | **479** | **707**     | **68%** |

![CISA practice question results](https://img.cleberg.net/blog/20211204-i-passed-the-cisa/cisa-practice-questions-results.png)

# Results

Now, how do the practice scores reflect my actual results? After all, it's hard
to tell how good a practice regimen is unless you see how it turns out.

| Exam Section | Section Name                                                     | Score |
|--------------|------------------------------------------------------------------|-------|
| 1            | Information Systems Auditing Process                             | 678   |
| 2            | Governance and Management of IT                                  | 590   |
| 3            | Information Systems Acquisition, Development, and Implementation | 721   |
| 4            | Information Systems Operations and Business Resilience           | 643   |
| 5            | Protection of Information Assets                                 | 511   |

Now, in order to pass the CISA, you need at least 450 on a sliding scale of
200-800. Personally, I really have no clue what an average CISA score is. After
a *very* brief look online, I can see that the high end is usually in the low
700s. In addition, only about 50-60% of people pass the exam.

Given this information, I feel great about my scores. 616 may not be phenomenal,
and I wish I had done better on sections 2 & 5, but my practicing seems to have
worked very well overall.

However, the practice results do not line up with the actual results. Section 2
was one of my highest practice sections and was my second-lowest score on the
exam. Conversely, section 3 was my second-lowest practice section and turned out
to be my highest actual score!

After reflecting, it is obvious that if you have any background on the CISA
topics at all, the most important part of studying is doing practice questions.
You really need to understand how to read the questions critically and pick the
best answer.

# Looking Forward

I am extremely happy that I was finally able to pass the CISA. Looking to the
future, I'm not sure what's next in terms of professional learning. My current
company offers internal learning courses, so I will most likely focus on that if
I need to gain more knowledge in certain areas.

To be fair, even if you pass the CISA, it's hard to become an expert on any
specific topic found within. My career may take me in a different direction, and
I might need to focus more on security or networking certifications (or possibly
building a better analysis/visualization portfolio if I want to go into data
analysis/science).

All I know is that I am content at the moment and extremely proud of my
accomplishment.