#+title: I Passed the CISA!
#+date: 2021-12-04
#+description: A recap of the CISA certification exam and my results.
#+filetags: :audit:
* What is the CISA?
For those of you lucky enough not to be knee-deep in the world of IT/IS
Auditing, [[https://www.isaca.org/credentialing/cisa][CISA]] stands for
Certified Information Systems Auditor. This certification and exam are
part of ISACA's suite of certifications. As I often explain it to people
like my family, it basically means you're employed to use your knowledge
of information systems, regulations, common threats, risks, etc. in
order to assess an organization's current control of their risk. If a
risk isn't controlled (and the company doesn't want to accept the risk),
an IS auditor will suggest implementing a control to address that risk.
Now, the CISA certification itself is, in my opinion, the main
certification for this career. While certifications such as the CPA or
CISSP are beneficial, nothing matches the power of the CISA for an IS
auditor when it comes to getting hired, getting a raise/bonus, or
earning respect in the field.
However, to be honest, I am a skeptic of most certifications. I
understand the value they hold in terms of how much you need to commit
to studying or learning on the job, as well as the market value for
certifications such as the CISA. But I also have known some very
+incompetent+ /less than stellar/ auditors who have CPAs, CISAs, CIAs,
etc.
The same goes for most industries: if a person is good at studying, they
can earn the certification. However, that knowledge means nothing unless
you're actually able to use it in real life and perform as expected of a
certification holder. The challenge comes when people are hired or
connected strictly because of their certifications or resume; you need
to see a person work before you can assume that having a CISA makes them
better than someone without one.
Okay, rant over. Certifications are generally accepted as a measuring
stick of commitment and quality of an employee, so I am accepting it
too.
* Exam Content
The CISA is broken down into five sections, each weighted with a
percentage of test questions that may appear.
#+caption: CISA exam sections
[[https://img.cleberg.net/blog/20211204-i-passed-the-cisa/cisa-exam-sections.png]]
Since the exam contains 150 questions, here's how those sections break
down:
| Exam Section | Percentage of Exam | Questions |
|---------------+--------------------+-----------|
| 1 | 21% | 32 |
| 2 | 17% | 26 |
| 3 | 12% | 18 |
| 4 | 23% | 34 |
| 5 | 27% | 40 |
| *Grand Total* | *100%* | *150* |
* My Studying Habits
This part is a little hard for me to break down into specific detail due
to the craziness of the last year. While I officially purchased my
studying materials in December 2020 and opened them to "start studying"
in January 2021, I really wasn't able to study much due to the demands
of my job and personal life.
Let me approach this from a few different viewpoints.
** Study Materials
Let's start by discussing the study materials I purchased. I'll be
referring to #1 as the CRM and #2 as the QAE.
1. [[https://store.isaca.org/s/store#/store/browse/detail/a2S4w000004KoCbEAK][CISA
Review Manual, 27th Edition | Print]]
2. [[https://store.isaca.org/s/store#/store/browse/detail/a2S4w000004KoCcEAK][CISA
Review Questions, Answers & Explanations Manual, 12th Edition |
Print]]
The CRM is an excellent source of information and could honestly be used
as a reference for most IS auditors as a learning reference during their
daily audit responsibilities. However, it is *full* of information and
can be overloading if you're not good at filtering out useless
information while studying.
The QAE is the real star of the show here. This book contains 1000
questions, separated by exam section, and a practice exam. My only
complaint about the QAE is that each question is immediately followed
with the correct answer and explanations below it, which means I had to
use something to constantly cover the answers while I was studying.
I didn't use the online database version of the QAE, but I've heard that
it's easier to use than the printed book. However, it is more expensive
($299 database vs $129 book) which might be important if you're paying
for materials yourself.
In terms of question difficulty, I felt that the QAE was a good
representation of the actual exam. I've seen a lot of people online say
it wasn't accurate to the exam or that it was much easier/harder, but I
disagree with all of those. The exam was fairly similar to the QAE, just
focusing on whichever topics they chose for my version of the exam.
If you understand the concepts, skim the CRM (and read in-depth on
topics you struggle with), and use the QAE to continue practicing
exam-like questions, you should be fine. I didn't use any online
courses, videos, etc. - the ISACA materials are more than enough.
** Studying Process
While I was able to briefly read through sections 1 and 2 in early 2021,
I had to stop and take a break from February/March to September. I
switched jobs in September, which allowed me a lot more free time to
study.
In September, I studied sections 3-5, took notes, and did a quick review
of the section topics. Once I felt comfortable with my notes, I took a
practice exam from the QAE manual and scored 70% (105/150).
Here's a breakdown of my initial practice exam:
| Exam Section | Incorrect | Correct | Grand Total | Percent |
|---------------+-----------+---------+-------------+---------|
| 1 | 8 | 25 | 33 | 76% |
| 2 | 5 | 20 | 25 | 80% |
| 3 | 6 | 12 | 18 | 67% |
| 4 | 10 | 23 | 33 | 70% |
| 5 | 16 | 25 | 41 | 61% |
| *Grand Total* | *45* | *105* | *150* | *70%* |
As I expected, my toughest sections were related to project management,
development, implementation, and security.
This just leaves October and November. For these months, I tried to
practice every few days, doing 10 questions for each section, until the
exam. This came out to 13 practice sessions, ~140 questions per section,
and ~700 questions total.
While some practice sessions were worse and some were better, the final
results were similar to my practice exam results. As you can see below,
my averages were slightly worse than my practice exam. However, I got in
over 700 questions of practice and, most importantly, *I read through
the explanations every time I answered incorrectly and learned from my
mistakes*.
| Exam Section | Incorrect | Correct | Grand Total | Percent |
|---------------+-----------+---------+-------------+---------|
| 1 | 33 | 108 | 141 | 77% |
| 2 | 33 | 109 | 142 | 77% |
| 3 | 55 | 89 | 144 | 62% |
| 4 | 52 | 88 | 140 | 63% |
| 5 | 55 | 85 | 140 | 61% |
| *Grand Total* | *228* | *479* | *707* | *68%* |
#+caption: CISA practice question results
[[https://img.cleberg.net/blog/20211204-i-passed-the-cisa/cisa-practice-questions-results.png]]
* Results
Now, how do the practice scores reflect my actual results? After all,
it's hard to tell how good a practice regimen is unless you see how it
turns out.
| Exam Section | Section Name | Score |
|--------------+------------------------------------------------------------------+-------|
| 1 | Information Systems Auditing Process | 678 |
| 2 | Governance and Management of IT | 590 |
| 3 | Information Systems Acquisition, Development, and Implementation | 721 |
| 4 | Information Systems Operations and Business Resilience | 643 |
| 5 | Protection of Information Assets | 511 |
| *TOTAL* | | *616* |
Now, in order to pass the CISA, you need at least 450 on a sliding scale
of 200-800. Personally, I really have no clue what an average CISA score
is. After a /very/ brief look online, I can see that the high end is
usually in the low 700s. In addition, only about 50-60% of people pass
the exam.
Given this information, I feel great about my scores. 616 may not be
phenomenal, and I wish I had done better on sections 2 & 5, but my
practicing seems to have worked very well overall.
However, the practice results do not conform to the actual results.
Section 2 was one of my highest practice sections and was my
second-lowest score in the exam. Conversely, section 3 was my
second-lowest practice section and turned out to be my highest actual
score!
After reflecting, it is obvious that if you have any background on the
CISA topics at all, the most important part of studying is doing
practice questions. You really need to understand how to read the
questions critically and pick the best answer.
* Looking Forward
I am extremely happy that I was finally able to pass the CISA. Looking
to the future, I'm not sure what's next in terms of professional
learning. My current company offers internal learning courses, so I will
most likely focus on that if I need to gain more knowledge in certain
areas.
To be fair, even if you pass the CISA, it's hard to become an expert on
any specific topic found within. My career may take me in a different
direction, and I might need to focus more on security or networking
certifications (or possibly building a better analysis/visualization
portfolio if I want to go into data analysis/science).
All I know is that I am content at the moment and extremely proud of my
accomplishment.