Certified Information Systems Auditor

Certified Information Systems Auditor (CISA) is a professional certification for information technology audit professionals sponsored by ISACA, formerly the Information Systems Audit and Control Association. Candidates for the certification must meet requirements set by ISACA. The CISA certification was established in 1978 for several reasons:

1. Develop and maintain a tool that could be used to evaluate an individual's competency in conducting information system audits.
2. Provide a motivational tool for information systems auditors to maintain their skills, and monitor the success of the maintenance programs.
3. Provide criteria to help management in the selection of personnel and development.

The first CISA examination was administered in 1981, and registration numbers have grown each year. As of 2010, over 79,000 candidates worldwide have earned the CISA designation since its inception. It is one of the few certifications formally approved by the US Department of Defense in its Information Assurance Technical category (DoD 8570.01-M). In 2009, SC Magazine named the CISA designation the winner of the Best Professional Certification Program. Candidates for a CISA certification must pass the examination, agree to adhere to ISACA's Code of Professional Ethics, submit evidence of a minimum of five years of professional IS auditing, control, or security work, and abide by a program of continuing professional education.

Substitutions and waivers of such experience may be obtained as follows:

* A maximum of one year of information systems experience, or one year of financial or operational auditing experience can be substituted for one year of information systems auditing, control, or security experience.
* 60 to 120 completed college semester credit hours (the equivalent of an associate's or bachelor's degree) can be substituted for one or two years, respectively, of information systems auditing, control or security experience.
* A bachelor's or master's degree from a university that enforces the ISACA-sponsored Model Curricula can be substituted for one year of information systems audit, control, assurance or security experience. To view a list of these schools, please visit www.isaca.org/modeluniversities. This option cannot be used if three years of experience substitution and education waiver have already been claimed.
* A master’s degree in information security or information technology from an accredited university can be substituted for one year of experience. This option cannot be used if three years of experience substitution and educational waiver have already been claimed.
* Two years as a full-time university instructor in a related field (e.g., computer science, accounting, information systems auditing) can be substituted for one year of information systems auditing, control or security experience.

Examination


The exam consists of 200 multiple-choice questions that must be answered within 4 hours. Candidate scores are reported as a scaled score. A scaled score is a conversion of a candidate's raw score on an exam to a common scale. ISACA uses and reports scores on a common scale from 200 to 800. For example, the scaled score of 800 represents a perfect score with all questions answered correctly; a scaled score of 200 is the lowest score possible and signifies that only a small number of questions were answered correctly. A candidate must receive a score of 450 or higher to pass the exam. As of 2011, the exam will cover 5 Content Areas:

* The Process of Auditing Information Systems
* Governance and Management of IT
* Information Systems Acquisition, Development and Implementation
* Information Systems Operations, Maintenance and Support
* Protection of Information Assets

The exam is offered in 12 languages at more than 200 locations worldwide in June and December.
