Certified Information Systems Auditor (CISA)

Contributor(s): Taina Teravainen

Certified Information Systems Auditor (CISA) is a certification issued by ISACA to professionals responsible for ensuring that an organization's IT and business systems are monitored, managed and protected. The certification is awarded after completion of a comprehensive examination and application process. CISA is a globally recognized standard for appraising an IT auditor's knowledge, expertise and skill in assessing vulnerabilities and instituting IT controls in an enterprise environment. It is designed for IT auditors, audit managers, consultants and security professionals.

Attaining CISA certification is considered beneficial because it is accepted by employers worldwide and is often requested for IT audit and information security management positions. The certification gives the holder greater visibility during the job application process, since many recruiters specifically look for IT auditors who hold a CISA.

Responsibilities of a Certified Information Systems Auditor

The primary duties of a CISA include:

  • Implementing a risk-based audit strategy for information systems (IS).
  • Planning audits that determine whether IT assets are protected, properly managed and deliver value to the organization.
  • Executing audits in accordance with the organization's standards and objectives.
  • Reporting audit results to management and providing recommendations based on those results.
  • Following up on completed audits to confirm that management has implemented the recommended actions.

However, a CISA's responsibilities often extend beyond auditing controls. A CISA is expected to work with management to confirm that the organization's processes, implementation plans and the operation of the deployed system support the organization's objectives and strategies. At first, this includes evaluating:

Then, while the IS is being prepared for implementation, the CISA continues to monitor several areas to ensure the system is deployed successfully, including by conducting project reviews and post-implementation reviews. Other responsibilities include evaluating:

  • the business case for the proposed system;
  • controls for the IS;
  • IT supplier selection and contract management processes;
  • the project management framework and controls; and
  • the preparedness of the IS.

Once the system is implemented, the CISA is responsible for evaluating:

Finally, a CISA works with management to ensure that the organization's security standards, policies, procedures and controls preserve the confidentiality, integrity and availability of its information assets.

How to become a Certified Information Systems Auditor

In order to become CISA certified, applicants must complete the following five steps:

  1. Successfully complete and pass the CISA exam.
  2. Apply for CISA certification.
  3. Adhere to ISACA's Code of Professional Ethics.
  4. Follow ISACA's Continuing Professional Education Program.
  5. Comply with ISACA's Information Systems Auditing Standards.

The CISA exam is open to anyone with an interest in IS auditing, control and security. It is four hours long and consists of 150 multiple-choice questions covering five job practice domains:

  • The process of auditing information systems.
  • Governance and management of IT.
  • Information systems acquisition, development and implementation.
  • IS operations, maintenance and service management.
  • Protection of information assets.

A scaled score of 450 or higher, on a scale of 200 to 800, is required to pass the exam. The exam is administered in June, September and December at testing locations worldwide, and is offered in English, Chinese Mandarin Simplified, French, Japanese, Korean and Spanish.

Individuals preparing for the exam can take advantage of preparation materials available through ISACA; many ISACA chapters also host CISA exam review courses. Candidates are advised to take as many practice tests as possible in addition to studying the ISACA CISA Review Manual and learning to think like an accountant.

Adopting an accountant's mindset is helpful because most of the people who write the CISA exam questions work as accountants or in the financial services industry. Thinking like an accountant therefore helps a test taker understand how the questions and answer choices were framed.

Candidates who pass the exam are sent the information they need to apply for the CISA certificate. Before applying, however, they must ensure they have met all of the work experience requirements.

ISACA requires all CISA applicants to have completed five years of professional IS auditing, control, assurance or security work, but substitutions and waivers are available. For example, one year of IS experience or one year of non-IS auditing experience can be substituted for one year of the requirement. Similarly, 60 to 120 university semester credit hours (a two-year or four-year degree) can replace one or two years of experience, respectively. As a third example, two years as a full-time university instructor in a related field can replace one year of experience.

It is important to note that the work experience must be within the 10 years prior to a candidate's application submission or within five years of a passed CISA exam. The candidate must also show adherence to ISACA's Code of Professional Ethics and Information Systems Auditing Standards. Once these criteria are met, the candidate can successfully apply for certification.

CISA applicants and certification holders must also comply with ISACA's Continuing Professional Education (CPE) program, which is intended to ensure that CISAs remain current and proficient in their field.

The goals of the CPE program include:

  • Monitoring IS audit, control and security professionals' maintenance of knowledge and capabilities.
  • Distinguishing CISAs who remain qualified from those who have not met the requirements and cannot continue their certification.
  • Assisting top management in the construction of stable IS audit, control and security functions with suggestions and criteria for personnel selection, training and development.
  • Preserving an individual's CISA capabilities by updating existing knowledge and skills within IS auditing, control and security.

Furthermore, ISACA requires annual maintenance fees, a minimum of 20 CPE hours every year and a minimum of 120 CPE hours over each fixed three-year reporting period.

Benefits of a CISA certification

The CISA certification is recognized worldwide as the sign of an individual's excellence within information system auditing. Benefits of a CISA certification include:

  • A competitive advantage in the job market and in career growth.
  • Increased value of the individual within the organization.
  • Increased credibility in the workplace, since certification combines a passed exam with recognized work and educational experience.
  • Assistance meeting high professional standards with ISACA's requirements and Continuing Professional Education program.
  • Confirmation of an individual's knowledge, experience and expertise in the field as well as demonstration of their ability to successfully meet challenges that may arise.

CISA certification can also affect an individual's salary. Professionals with CISA certification often earn between $52,459 and $122,326 per year. Internal audit director is among the highest-paid positions held by CISA holders, earning around $136,082 per year.


This was last updated in August 2019

Join the conversation


Until 12/2013 I worked as a senior auditor in IA&AD, and in 12/2013 I got a promotion to supervisor. As Sr. Ar. I worked in the IT section and handled the section single-handedly for two years. I audited IDPL, PTL, ECIL and BHEL. Can I undertake this course?

You can view the CISA guidelines here.

Are there any other certifications an information security auditor should consider in addition to the CISA? If so, which ones?

I am in Zim and my wife wants to do CISA. She did an IT diploma. Is there somewhere to register for CISA or ISACA?