
CISA (Certified Information Systems Auditor) is a certification established in 1978 by ISACA (the Information Systems Audit and Control Association). It serves as a global standard for information systems auditing, controls, and security. Certified individuals are regarded as “health checkers” for an organization’s information systems. Holders of this certification may be appointed as corporate information systems auditors, internal audit managers, heads of internal audit departments, heads of internal control departments, or risk management managers.
Exam Structure and Certification Value
Exam Content and Question Types: Information Systems Audit Process (21%), Information Systems, Technology, and Controls (17%), Information Systems Acquisition, Development, and Implementation (12%), Information Systems Operations, Business Recovery, and Maintenance (23%), and Protection of Information Assets (27%). Exam Duration: 4 hours; 150 multiple-choice questions. Results are reported as a scaled score from 200 to 800, and a scaled score of 450 or higher is required to pass.
Certified professionals earn 25% more than the general workforce; the average annual salary is $110,000, with an average of $149,000 in the U.S. In Beijing, Shanghai, and Shenzhen, the average annual salary is 300,000 RMB, rising to over 500,000 RMB for experienced professionals. Yet the credential remains scarce: there were fewer than 130,000 certified professionals in China as of 2016. The certification is recognized in many cities as a foreign professional qualification, granting benefits such as preferential treatment in professional title evaluations and residency applications.
Steps to Obtain CISA
Obtaining CISA certification involves four steps.
Step 1: Verify Eligibility. There is no formal educational prerequisite for sitting the exam; to be certified, candidates must have at least 5 years of work experience in information systems auditing, control, or security. Education can substitute for part of that experience, up to a maximum of 3 years: a bachelor’s degree can substitute for 2 years, an associate’s degree for 1 year, and a master’s degree in information security or information technology for a further year.
Step 2: Register for the Exam. Create an account on the ISACA website (ISACA membership is optional but lowers the exam fee), pay the exam fee, and schedule a computer-based exam at a PSI testing center. The exam must be taken within 12 months of registration.
Step 3: Prepare for and Take the Exam. Study the official *CISA Review Manual*, allowing 200–300 hours of study time, supplemented by chapter exercises and practice exams.
Step 4: Apply for and Maintain Certification. After passing the exam, submit the certification application (within 5 years of the exam date) with proof of work experience verified by your employer. Once approved, you will receive your certificate. Thereafter, you must earn 120 CPE (continuing professional education) hours every 3 years, with a minimum of 20 hours in any single year, and pay the annual maintenance fee to keep your certification valid.
CISA Difficulty Analysis
The difficulty of the CISA exam is classified as “above average; it can be conquered with a systematic study plan.” The pass rate is approximately 50% (meaning half of the examinees fail), and the difficulty is reflected in the following:
1. The exam covers an extremely broad range of knowledge: It encompasses multiple areas such as auditing, governance, security, and operations, requiring candidates to deeply understand the practical application of numerous frameworks, including COBIT, ISO 27001, and NIST.
2. Question Design: The current exam emphasizes “viewing issues from an auditor’s perspective” rather than rote recall. Most questions require candidates to reason from an auditor’s standpoint and select the answer that is “practically feasible” (typically the best or first action) rather than one that is merely “seemingly correct.” Additionally, candidates must complete all 150 questions within 4 hours, an average of only about 1.6 minutes per question.
3. Frequent Syllabus Updates: In just three years, the syllabus has undergone a 30% overhaul. The exam now includes numerous new topics such as artificial intelligence and blockchain, requiring candidates to learn and master a significant number of new concepts.
For those new to internal control auditing, it is advisable to first supplement your studies with systematic courses and case studies to compensate for a lack of practical experience. Allow 200–300 hours of preparation in total, spread over 3–6 months. Diligent students can earn the certification in 6 months. For those with 3–5 years of experience in internal control-related fields such as information security, IT services, and risk management, obtaining a CISA certification is a valuable career advancement. The financial returns and career growth opportunities this certification offers make it well worth the effort to pursue.
