Update: CISA Certification and Frequently Asked Questions

In August 2014, I published a post about my experience with the CISA exam and the required experience. Even 3 years later, it is still the most popular post here, and until recently I always saw a wave of new questions after each exam date. However, it seems that the exam is no longer held on specific dates but within 3 testing windows throughout the year. I am still surprised by the number of comments I received on that post, so I wanted to write an update covering some of the recurring questions.

Exam Before the Required Experience

It is absolutely possible to pass the exam before having the required experience. I would even recommend it to show your interest in this field. Your current or future employer will recognize the effort invested in passing the exam. However, keep in mind that you will have to obtain the required work experience and send your certification application within 5 years from the date of the exam. If you really need the full 5 years of experience and no waiver is possible, the timeframe may unfortunately be too short. But if you only need 2 to 3 years of experience, it is a good plan, in my opinion.

Even if you cannot present yourself as CISA certified, it will definitely be an advantage to mention during an interview that you passed the exam. You will also receive a letter from ISACA with your passing score that you can use as proof.

Substitutions and Waivers

You will need a minimum of 5 years of work experience in order to obtain the certification. It goes without saying that you also need to pass the exam with a score of 450 or higher. However, 1 to 3 years of this experience can be covered by substitutions and waivers. In any case, you will always need at least 2 years of work experience related to the CISA domains.

  • One year: Any work experience in information technology (IT) or any work related to auditing. For example, financial auditing or compliance work experience such as SOX would count as valid auditing experience.
  • One year: For 60 completed university credit hours, which is normally 2 years as a full-time student. The credit hours can be from an undergraduate and/or graduate degree. There is also no mention that you actually need to have obtained the related degree, as long as you have proof that you completed the courses. They can be from any recognized university, on-site or distance learning.
  • Two years: For 120 completed university credit hours, which is normally 4 years as a full-time student.
  • One year: With a master's degree in information security or information technology.
  • One year: With a bachelor's or master's degree from a program that follows the ISACA-sponsored Model Curricula.


The easiest way to obtain the work experience for the CISA certification is obviously to be an IT auditor. But that is not possible for everyone, and it is definitely not a requirement. It is important to carefully read all the job practice areas, including the task and knowledge statements. Many candidates are surprised by these statements: the CISA practice areas cover many fields of work in IT, not only IT audit.

CISA Application

The work experience must have been gained within the 10 years preceding the certification application or within 5 years from the date of passing the exam. You only have to send your application to ISACA once you actually have all the required experience. In any case, you absolutely have to submit your application within 5 years from the date you passed the exam.

Financial to IT Audit

If you are already performing financial audits with a CPA designation, it is absolutely possible to transition to IT audit. You could simply ask to be more involved with IT controls. You already have the advantage of understanding how an audit works. Many IT General Controls (ITGC) do not require advanced IT knowledge in order to be adequately audited. The Big 4 use an army of interns to audit these IT controls.


There are many more jobs related to the CISA than being an IT auditor: many positions in IT risk and compliance, and even in information security. However, there are other certifications better suited to information security work, and a candidate with only the CISA would not be my first choice for such a role. I would recommend searching a job posting website such as Indeed.

Worldwide Recognition

ISACA and the CISA certification are well recognized worldwide. A quick search on a job posting website will probably return many results. Furthermore, there are more than 200 local chapters worldwide.


Once you are officially awarded the CISA certification, you will then have to complete your continuing professional education (CPE) credits. ISACA membership is not a requirement. However, I would recommend it for access to many free resources that can be used to obtain your CPE credits.

ISACA Website

All information provided here could change at any time, and the reference must always be the ISACA website. The page “How to Become CISA Certified” is the main reference for common questions about the CISA certification. If you are unsure about your experience and possible waivers, I would recommend validating directly with ISACA and/or your local chapter. Each application is different, and they are the only ones able to validate it.

CISA exam passed, now the required experience

Update: I published a new post with the most frequently asked questions on this post.

Back in the summer of 2013, I was interested in passing the CISA exam even if I could not obtain the certification without experience. This was a way for me to demonstrate my interest in IT audit to potential future employers. I thought I could have taken the exam in December 2013, but I wasn't sure enough that I was ready to pass it and, considering the cost, I preferred to wait until the next date. Furthermore, it is possible to sit for this exam only three times per year, in June, September and December; it is the same exam everywhere in the world at the same time. On June 14, 2014, the date finally came and I sat for the CISA exam here in Montreal.

I'm still not sure how to describe this experience. I read a lot on the Internet about other people's experiences and how I could prepare for this day. People have normally read many books to study for this exam. I really tried to read the official ISACA review manual, but to be honest, I was falling asleep after only the first few pages. However, I practiced for many hours with the CISA Review Questions, Answers & Explanations Database, which, in my opinion, is the best resource someone could use to study for this exam. Even though I had no experience in IT audit and had not read a book related to the CISA, my past technical experience in IT was really useful, as was the knowledge from my different degrees. This is certainly an exam that requires a really broad set of general IT knowledge.

The true challenge with this exam is learning how to think like ISACA and to handle their kind of questions. Of course, a multiple-choice exam seems really simple to pass, but the right answer is always the best answer according to ISACA. It is easy to eliminate two of the four choices, but the remaining two are always confusing, because one could be right from a technical point of view but not from an IT audit perspective. This is not the hardest exam, but careless mistakes can quickly accumulate during a four-hour exam with 200 questions.

Now that I have passed the exam, I have to fulfill the experience requirements to officially obtain the CISA certification. Five years of work experience in tasks related to the five CISA domains are normally required, but waivers of up to three years are possible for prior education, experience or other certifications. In my case, my bachelor's and graduate degrees together with my general IT work experience will waive up to three years.