The first trouble spot for exam candidates is the sheer scope of material. Without actually knowing the scope, someone may shrug off the exam as simply a non-technical, IT auditing exam. But after a few minutes reviewing the scope, that opinion may change to “overwhelmed” they read through the exam’s five content areas and grasps the depth of each area.
ISACA calls these five content areas “domains.” After a review of all domains, the structure and pattern takes shape. In time, a candidate can associate their own strengths and gaps against them. So, what may appear overwhelming at first will fast create a list of priority areas to study.
The domains covered in the CISA exam are as follows:
- The Process of Auditing Information Systems
- Governance and Management of IT
- Information Systems Acquisition, Development and Implementation
- Information Systems Operations, Maintenance and Support
- Protection of Information Assets
How these domains are divided among the questions changes per exam, but ISACA does publicize the proportion in advance.
Experience Pays Off
To possess an introductory level across a few of the five domains requires a few years of relevant experience. For example, a person with three years enterprise auditing experience and two years of systems maintenance will have enough know-how to be quite familiar with two of the five domains. Familiarity will raise confidence. Confidence in the material will increase motivation to study more unfamiliar areas. So experience definitely pays off in time and motivation during your study.
Covering Both Operational and Policy Levels
Another trouble spot is the combination of both low-level and high-level understanding of the domains required of the candidate. Be aware, a candidate having a few years of experience in a domain does not guarantee they know the entire domain. Each domain covers job duties and knowledge that spans multiple levels of a job. For example, let’s look at Domain 4, covering systems maintenance. On an operational level of systems maintenance, a candidate will be more familiar with questions about procedures and implementation. On a higher, more management level of systems maintenance, the candidate is more familiar with policies and standards. Domain 4 spans both levels and much more.
No person is expected to know all areas solely based on experience. This means you must study and should not rely on experience alone for any domain.