Welcome to cissp CISSP training Certified Information Systems Security Professional
cissp CISSP training Certified Information Systems Security Professional: CISA


Auditing information resources
Posted by boss on Monday, 21 July 2008 @ 11:38:58 EDT (1179 reads)
Topic CISA

cdupuis writes "

Dan Swanson’s Security Resources: #11

Auditing information security helps identify key improvement opportunities, while studying leading audit guidance provides a better understanding of what the auditors are looking for, helping make audits more productive (a true win/win).

Taking the perspective of a board director will help focus your efforts on what the board is concerned about. Board guidance also tends to be very concise (very focused), i.e. they are great reports to study closely. Finally, getting your unplanned work under control will help make your life better, full stop.

Enjoy.

Good luck and have another great week.

Dan Swanson

Dswanson_2005@yahoo.com

Management Planning Guide for Information Systems Security Auditing

Produced by the National State Auditors Association and the US General Accounting Office.

http://www.gao.gov/special.pubs/mgmtpln.pdf

Information Technology and the Board - “An Insightful Resource”.

http://www.deloitte.com/dtt/article/0%2C1002%2Ccid%25253D152626%2C00.html

What the Board Needs to Know About IT: Phase II Findings

Maximizing performance through IT strategy

http://www.deloitte.com/dtt/article/0,1002,sid=36692&cid=151800,00.html


Unplanned Work: The Silent Killer

Find out how unplanned work - those activities not mapped to any project, procedure or change request - is undermining the effectiveness of your IT efforts.

http://www.networkworld.com/whitepapers/nww/pdf/Tripwire_Unplanned_Work_Management_Paper.pdf

20 Questions Directors Should Ask About IT (Revised April 2004)

Information technology is a critical part of an organization’s internal control and management information system. Ensuring its integrity is an important responsibility for board members. ITAC has compiled 20 key questions about IT that should be asked about: strategic planning and technology, performance and personnel issues, internal control issues, risk and security, information privacy, e-business, availability policies, and legal issues.

http://www.cica.ca/index.cfm/ci_id/1000/la_id/1


The Federal Government of Canada (GOC) Internal Audit Guides

Audit of Information Technology Security audit guide
http://www.tbs-sct.gc.ca/Pubs_pol/dcgpubs/tb_h4/01guid01_e.asp
Audit of Security audit guide
http://www.tbs-sct.gc.ca/ia-vi/policies-politiques/gas-gvs/gas-gvs_e.asp
Various other GOC internal audit guides
http://www.tbs-sct.gc.ca/ia-vi/common/guides_e.asp

For more of Dan's great resources visit:  http://blogs.itworldcanada.com/security/category/audit/

"



AuditNet News for Auditors
Posted by boss on Sunday, 09 December 2007 @ 13:56:49 EST (1776 reads)
Topic CISA

cdupuis writes "

December 2007

AuditNet News is sponsored by Paisley and PricewaterhouseCoopers TeamMate

Paisley - FREE CHECKLIST:

Ten Key Steps to Implement AS5 Key steps and recommended actions to implement the required AS5 standards. Download Today.

http://www.paisley.com/website/pcweb.nsf/fm_Cookie?openForm&r=ANN1107&docID=ARAE-746TUP

PricewaterhouseCoopers TeamMate, a database-driven audit management system that streamlines the audit process by providing integrated tools for documentation, report generation and file sharing. For more information about TeamMate, visit www.pwc.com/teammate

Online Version

http://www.auditnet.org/auditnet-l.htm

1. IT Governance Frameworks Help Align Business and IT Interests and Objectives By Przemek Tomczak, Protiviti Associate Director

2. Data Analysis: Establishing a Repeatable Audit Process Using Excel by Mike Blakely

3. Dan's Column: Have you assessed your information security program lately?

4. Global Best Practices: What's new: Uncover the gap with a no-cost benchmarking survey

5. Resume Tune-Up by Robbie Miller Kaplan Dig Deep!

6. Recovery Auditing: Detecting Fraud in Health Claims

7. IIA Technology Audit Guide Series Auditing Application Controls AuditNet

8. AuditNet Creates a New Networking Tool Through LinkedIn - Professional Audit Information Networking (PAIN) Group

9. Ask the Auditor: Fixed Asset Inventory Counts

10. AuditNet Information Security Corner Protect Yourself from Hard Drive Leakage by Rey Leclerc

11. Financial Safeguards in Construction Contracts by Gursharan Singh

12. White Collar Crime Fighting News: Read the latest newsletter

New Audit Programs Added This Month

Credit & Collection Financial Controls (Dec 07)
Competency Management Human Resources (Dec 07)
Corporate Performance Management Financial Controls (Dec 07)
Procurement to Payment Cycle Transportation Management-Retail (Dec 07)
Procurement to Payment Inbound Logistics Control (Dec 07)
Procurement to Payment Invoice Reconciliation and Payment Control (Dec 07)
Sales Order to Receipt Cycle-Retail (Dec 07)
Succession Planning Human Resources (Dec 07)
Supply Chain Finance Financial Controls (Dec 07)
Talent Acquisition and Retention Human Resources-Retail (Dec 07)

Training News:

The 6th Annual Summit on Auditing and Governance December 3-4, 2007, New York, NY Optional Workshop(s): December 2 & 5 http://www.misti.com/default.asp?page=65&Return=70&ProductID=7467

All of the above articles are available in the current online newsletter at www.auditnet.org/auditnet-l.htm.

New

AuditNet can now process your credit card payments for premium access by phone or fax.

AuditNet moved to a dedicated server! Please report broken links. Thanks for your patience during the transition.

Renew your subscription to AuditNet Premium content by December 31, 2007 and receive 13 months for the price of 12!

The opinions, beliefs and viewpoints expressed by the various authors and forum participants on this web site do not necessarily reflect the opinions, beliefs and viewpoints of AuditNet or Jim Kaplan.

Jim Kaplan


"



New CISA study guide uploaded to the web site
Posted by boss on Friday, 10 August 2007 @ 21:30:17 EDT (1955 reads)
Topic CISA

cdupuis writes "A new study guide has just been uploaded for the CISA certification.

I would like to thank Julie Baker for this great contribution.

I invite all members to contribute as well.

Click HERE to download the guide
"



Windows Security: What IT auditors don’t check!
Posted by boss on Wednesday, 28 March 2007 @ 19:50:19 EDT (1549 reads)
Topic CISA

vsanker writes "The Windows Active Directory environment is a major component of IT infrastructure in most organizations. There are certain key areas within the Windows environment which are not typically audited but carry a significant level of risk to the enterprise. An attempt is made in the following article to identify some of those key areas for your next Windows audit!

As an IT auditor who moved from IT Security to IT audit a few years back, I was scrambling to identify what needs to be audited in the organization’s various IT systems/applications. While conceptually IT Security and IT Audit are intended to deliver identical results (which is to ensure a secure computing environment), the audit approach is quite different from the security approach. While the IT Security practitioner refers to best practice vendor recommendations, the auditor relies on well known control frameworks.

From an auditor’s standpoint, identifying the specific controls to be tested in any environment is the key task, and the auditor’s prior knowledge of the environment would obviously be beneficial. While referring to published sources of auditing information for the Windows Active Directory environment, I was surprised to note that some of the key security configurations/access controls are typically not recommended from an IT Audit perspective. While Group Policies/Active Directory (AD) provisioning environments are almost always audited, certain key areas delineated below are rarely audited.

Click on Read More.... below to see this whole article
"



EFFECTIVE APPROACH AND PRACTICAL TIPS FOR CISA EXAM
Posted by boss on Saturday, 10 February 2007 @ 23:20:01 EST (3305 reads)
Topic CISA

cdupuis writes "A.Rafeq, FCA, CISA, CQA, CFE, CIA, Past President, ISACA Bangalore Chapter

and

Shirish S. Deshpande, FCA, CISA, Past President, ISACA Pune Chapter

This article consists of two sections. The first section provides an effective approach for the CISA exam and the second section provides practical tips before, during, at and after the exam.

I. EFFECTIVE APPROACH TO CISA Exam

A. Objective of CISA Exam

The CISA Exam Bulletin states that the CISA program is designed to assess and certify individuals in the IS Audit, control, assurance and security professions who demonstrate exceptional skill and judgment. The CISA exam is offered each year in June and December and consists of 200 multiple-choice questions, administered during a four-hour session. The purpose of the exam is to test a candidate’s knowledge, evaluation and application of IS audit principles and practices and six technical content areas covering IS Audit process, IT Governance, Systems and Infrastructure life cycle, protection of information assets and Business continuity and disaster recovery.

Get the document at:

http://www.cccure.org/modules.php?name=Downloads&d_op=viewdownload&cid=75

"



OSG NEWS: CISA EXAM STUDY TIPS
Posted by boss on Saturday, 10 February 2007 @ 07:47:51 EST (3422 reads)
Topic CISA

cdupuis writes "EFFECTIVE APPROACH AND PRACTICAL TIPS FOR CISA EXAM

A.Rafeq, FCA, CISA, CQA, CFE, CIA, Past President, ISACA Bangalore Chapter

and

Shirish S. Deshpande, FCA, CISA, Past President, ISACA Pune Chapter

This article consists of two sections. The first section provides an effective approach for the CISA exam and the second section provides practical tips before, during, at and after the exam.

I. EFFECTIVE APPROACH TO CISA Exam

A. Objective of CISA Exam

The CISA Exam Bulletin states that the CISA program is designed to assess and certify individuals in the IS Audit, control, assurance and security professions who demonstrate exceptional skill and judgment. The CISA exam is offered each year in June and December and consists of 200 multiple-choice questions, administered during a four-hour session. The purpose of the exam is to test a candidate’s knowledge, evaluation and application of IS audit principles and practices and six technical content areas covering IS Audit process, IT Governance, Systems and Infrastructure life cycle, protection of information assets and Business continuity and disaster recovery.

B. Understanding of Information Technology (IT)

The CISA exam questions are developed and maintained carefully to ensure they accurately test an individual’s proficiency in IS audit, control and security practices. Hence, CISA Candidates are expected to have a working knowledge of IT, auditing, control and security practices. The basic understanding of IT should cover key concepts of the various components of Information Technology in their practical deployment. The IT knowledge should encompass an overall understanding of IT Infrastructure, IT Facilities, various types of Computer hardware, Systems Software (Operating System, Database, Networking, Multimedia, etc), Business Application software, Office Automation Software and Audit Software. Further, candidates are expected to know concepts and practice of Management as relevant to IT deployment in enterprises.

C. CISA Review Manual (CRM) – Basic reference material

CISA Candidates are advised to read the CISA Exam Bulletin of Information for understanding the details of the CISA exam. The Candidates guide to CISA exam must be read to understand the broad range of job/process content areas covered, including objective, tasks and knowledge statements. The CRM elaborates and covers the topics as per the job/process content areas, including task and knowledge statements. Candidates are advised to use the CRM as the basic guide for learning and supplement additional material as required based on their assessment of gaps and individual competency areas. The CRM is not expected to teach fundamental concepts of Information Technology. However, IT components are explained only to the extent required.

D. Conceptual Clarity

CISA Candidates need to have conceptual clarity in the following key areas:

  • Risks in deployment of Implementing Information Technology
  • Appropriate risk management strategy for mitigating these risks.
  • Security and controls, which need to be implemented for risk mitigation.
  • Strategy, approach, methodology and techniques for auditing technology.

E. Need for working knowledge of IT

Candidates who are not well conversant with IT are advised to do a practical course on IT covering hardware, systems software, office automation, business applications and audit software. This is no substitute for working knowledge but would help familiarize candidates with IT in their practical deployment.

F. Getting CISA Perspective – practical approach

The overall understanding of a CISA candidate is expected to cover the related content areas as per the objectives, tasks and knowledge statements given in the Candidates Guide to CISA Exam. Primarily it encompasses three major disciplines - Information Technology, Management, Auditing, control and security practices. The CISA candidates may follow the following approach for getting the perspective of a CISA:

  • Obtain overall understanding of Information Technology – concepts and practice
  • Understand the Risks of deployment of relevant IT Component
  • Know the features and functionalities of security and controls of IT Component
  • Understand how controls could be implemented using the security features and functionalities so as to mitigate the risks in the relevant IT Component
  • Learn how to audit IT components by understanding the risks, review related security, evaluate implemented controls, identify areas of weaknesses and provide appropriate recommendations to mitigate the control weakness.

G. Reference Material for CISA Exam

The CISA Review Manual (latest) as relevant to the exam is the best reference material for the exam. This should be supplemented with other material as required. In addition to this, the CISA Questions, Answers and Explanations Manual or CD is an excellent reference point for practicing questions. Please read articles of the IS Control Journal of the last two years. COBIT Control objectives can be read to understand Controls for various IT processes. Answer the CPE quiz of the journal. Sample on-line references are given below:

Candidates may read the article published in ISACA Journal 2006-1 titled: “Preparing for the CISA or CISM Examination: A Brief, Hands-on Supplement for Candidates” by Derek J. Oliver, CISA, CISM, CFE, and Max Shanahan, CISA, FCPA.

II. Practical Tips for CISA Exam

A. Before the exam

  1. Take a decision early when to take the exam. Please remember that early registration reduces fees and also provides you more time for preparation. Make an early commitment so that you have more time and save money, but don’t postpone your preparation. You need to be regular and consistent in your preparation.

  2. Read the “CISA Exam Bulletin of Information” and “Candidates guide to CISA exam” to get an overall understanding of the exam and the scope of coverage of the exam.

  3. Use the CISA Review Manual as the basic reading material and supplement other material as and when required. If you are from IT, you need to get the basic concepts of Auditing right. IT Auditing by Ron Weber could be an excellent book to refer to. However, pick up only what is relevant to read. If you are an auditor, then a basic book on computers and networking could be referred to in addition to doing a basic course on computers.

  4. Take your family and friends into confidence so that you are able to sacrifice your social commitments and focus on the exam.

  5. Motivation is an important aspect of preparation for the exam. Motivation will help you concentrate and be focused on the task on hand. Self-motivation is the best motivation. Remember, you are taking a prestigious and globally recognized exam, which will make a significant difference to your career, earnings and your self-esteem. Visualize receiving the Congratulations letter from ISACA and CISA Certification. See yourself being congratulated by your peers and colleagues.

  6. The Exam is not Technology or platform specific. Hence, do not get too engrossed with technology details and reading of technology. Focus during your study on getting clarity on the fundamentals. Read the IS Auditing standards, guidelines and COBIT Control objectives to get the thinking of an IS Auditor. Put on the cap of the global IS Auditor. Don’t bring in your personal experience and answer questions from your past data unless it is in line with ISACA’s thinking. Please don’t think of what is practiced in your technology platform or industry, as it may not be applicable or relevant.

  7. Make a time plan of what you need to read and prioritize. Deal with unread materials concisely. Formulate a reading strategy in advance with a time table and study plan.

  8. The approximate time required for preparing for the exam is subjective and depends on the individual competency, skill-sets and learn-ability. However, it is advisable to study for about 2 hours for 3 to 4 months. The best time to study is as per your regular habit. Follow a regular schedule which is most convenient to you but ensure consistency.

  9. Practice the questions and get the reasoning and choice correct. Remember, the exam is not expected to test your memory but your understanding. Hence, don’t cram any definitions or concepts except the most fundamental ones, and that too for understanding.

  10. Practice, practice and practice the questions available with you. But remember the standard of the questions in the exam is much higher than what you have practiced. Be mentally prepared. If you have conceptual clarity and apply your thinking as an IS Auditor, you should be able to pick up the right answer.

  11. Use the CISA Questions, Answers and Explanations Manual for practising the questions. Answer questions in a block of 100 at a time and then review your performance.
    1. Evaluate your performance both for correct and incorrect answers.
    2. You should have got the correct answers by choice, not by chance, and for the incorrect answers, analyze why you got it wrong:
       i. Is it because your logic was wrong or you did not know the topic of the question?
       ii. If you got the answer wrong because the logic was wrong, think, introspect and get your logic right.
       iii. If you got the answer wrong because you did not know the topic of the question, read the CRM or additional material as required.
    3. After you have done the above evaluation for the 100 questions, answer the questions again and evaluate; you should have got 100% right. If you have not, then repeat the above steps till you get 100% right.
    4. Once you have 100% right, then repeat for the next 100 questions and follow the cycle given above. Keep repeating this till you complete all questions.
    5. After you have completed answering all the questions, then answer the questions in blocks of 200 questions at a time; evaluate your timing and performance.
    6. After you have practised all the questions, then read the CRM once fully and answer the questions.

  12. Consider joining a local CISA Review Course. The CISA review courses are conducted by many ISACA chapters. These courses are often taught by current CISAs who present and discuss exam topics and share their secrets of success.

  13. Form a small study group or join an e-group for studies and discussions. Review your preparation actively alone and also with the group on a regular basis. Review and discuss with the group your logic and reasoning and get other perspectives also.

  14. Focus on ensuring that you get the required knowledge and competency rather than worrying about your prospects of passing the exam. Don’t be too concerned about the percentage of passes or how to apply for certification. Focus on passing the exam first.

  15. Don’t sit up late the day before the exam trying to read and catch up on lost time. Remember the principle of farming: you need to sow in time and take care on a regular basis so as to reap in time. Last minute preparations may result in lack of concentration in the exam.

  16. Prepare yourself emotionally and physically to take the exam. If you have any medical problems which hinder your sitting for a long stretch of time, or you need regular medication, inform the proctor in advance and take the necessary precautions.

  17. Don’t stress yourself physically before or during the exam. You need to be fully relaxed so as to have maximum concentration. Avoid last minute reading and late night reading before the exam day. It may not really help. Please also take care of your food intake so that you are able to concentrate well during the exam.

  18. You will probably need all of the four hours to answer 200 questions. Hence, it is essential that you practice sitting at one place and practice answering the mock tests so that you get practice of sitting for four to five hours at a stretch.

B. About the Exam

  1. The exam is objective (multiple-choice). The answer is available in the choices. Hence, the approach to studies should not be from the perspective of remembering but more from the perspective of understanding.

  2. The CISA Exam Questions could be broadly categorized into 2 categories:
    1. Based on Facts – technology, auditing standards. No specific technology related questions, e.g. SAP, Oracle, SQL, etc.
    2. Based on Analysis – context and decision oriented. These questions require you to understand the scenario and formulate your opinion/judgment.

  3. In every case, the candidate is required to read the question carefully, eliminate known incorrect answers and then make the best choice possible. Every CISA question has a stem (question) and four options (answer choices). The candidate is asked to choose the correct or best answer from the options. The stem may be in the form of a question or incomplete statement. In some instances, a scenario or description problem may also be included. These questions normally include a description of a situation and require the candidate to answer two or more questions based on the information provided. The candidate has to read each question carefully. Many times a CISA exam question will require the candidate to choose the appropriate answer that is MOST likely or BEST.

  4. To assist candidates taking the exam with the translation of technical terminology, a list of the most frequently used technical terms in English along with how they will appear on the exam in other languages offered is available on ISACA’s web site at www.isaca.org/examterm.

  5. The Questions and choices are straightforward and simple. They are meant for testing your understanding of concepts and practice of IS Audit. They are not meant to test your grammar or proficiency in English. Hence, do not try to analyze the questions and answers too much. Don’t waste time trying to read between the lines and find hidden meaning.

  6. The exam consists of one paper, which has all 200 questions. The questions are not in a particular order of domains or chapters but are usually mixed up at random. It is not worthwhile trying to figure out to which domain a question belongs. What is most important is how well you are able to answer the questions in the exam.

  7. The exam is based on percentile. The CISA exam consists of 200 items. Candidate scores are reported as a scaled score. A scaled score is a conversion of a candidate's raw score on an exam to a common scale. ISACA uses and reports scores on a common scale from 200 to 800. A candidate must receive a score of 450 or higher to pass the exam. A score of 450 represents a minimum consistent standard of knowledge as established by ISACA’s CISA Certification Board. It is advisable not to worry too much about the percentile but focus on getting the maximum questions right.

  8. Generally, the style of writing in the CISA Exam is based on American English and it follows American spelling. Hence, please get acquainted with it by practicing the questions in the CISA Review Manual and CISA Questions, Answers and Explanations Manual.

C. Approach to exam

  1. As part of preparation, do discuss the questions and answers with an open mind. If you are an auditor, get the technology perspective, and if you are from IT, get the Audit perspective. Remember, as an IS Auditor you are expected to be auditing Technology as deployed in the organization.

  2. Familiarize yourself with the test. Know the tasks, knowledge and scope of the subject, the type of questions and proposed answers. The key ideas to be remembered as an IS Auditor are IS Risks, IS Security, IS Control and IS Audit. You need to be well versed with these concepts. The questions may require you to grade the risks in terms of highest or lowest. In terms of security and controls, you may be required to pick up the best or least effective controls in the context of the question. An IS Audit question may require your judgment in terms of concepts, practical procedures or risk ranking or presenting the findings to the management. There may be a few questions which test your understanding of core technology, for example encryption, EDI, Internet Security, Telecommunications control, etc.

  3. There are 200 questions to be answered in four hours. This would mean approximately 70 seconds per question. Some of the questions may be answerable within 30 seconds and some may take more time. Further, in some cases, if you get lost in too much thinking, you may lose track of time and may not have time to answer all questions. Hence, it is essential to manage based on a slot of one hour or a block of 50 questions. Depending on the progress, you can increase or decrease the pace as required.

  4. The questions are not directly picked up from any text book or reading material but are prepared by practicing CISAs and are aimed at testing your understanding of the concepts and practice of IS Audit.

  5. Remember that CISA is an objective type exam and, just like any exam, it is not necessarily a reflection of your talent, capabilities, competencies or skill-sets. Hence, if you have not been or are not successful, then you should not take it personally. There are times when senior and experienced professionals have failed in the CISA exam not once but two to three times. It does not mean that they were not capable. This only means that they need to learn the knack of passing the exam. It is important to analyze what could have gone wrong and learn from it. It is quite possible that your current experience itself is becoming a baggage. Think from a new perspective and focus now only on questions and answers and read the topics where you need to.

  6. Learn to play the game of CISA. It is not just your knowledge but your ability to answer the questions which is very important. Most candidates who take the exam have most of the knowledge required to pass the CISA exam. You are possibly making the same mistake again and again because you are stuck in your approach. Hence, read the CRM afresh and answer the questions. Interact with other students and get your perspective right. If required, attend a CISA refresher course conducted by a nearby chapter. Identify where you are going wrong, else you may commit the same mistakes again.

D. At the Exam

 

  1. Do not attempt to read through the question paper fully. You may lose time and may not have time to answer all the questions. The ideal method is to take up one question at a time and answer them one by one.

 

  1. You need to compartmentalize your mind and take one question at a time. Think and decide on the right answer. Once you have answered, forget it and go ahead and tackle the next one and so on. Don’t carry your doubts of the previous question to the next.

 

  1. There may be questions for which you may not be able to strike the right answer straight away. You may skip, but mark it in the questions paper so that it is identifiable and come back to it later. However, the best approach is to take a DECISION and answer it then and there. You may not have time to come back to the question again. Further, there may always be lurking feeling that you have left some questions unanswered. This will be at the back of your mind always. However, if you do have to change, please ensure that you erase the previous answer carefully and fully.

 

  1. Please do not think of coming back to the answers for corrections later on. You may change an answer if and only if you have additional insights or data, which necessitates that your previous answer was incorrect.

  1. You may decide on which order you want to answer the questions. Some tend to start from question no. 50 or 100 as it gives them confidence they are progressing, and then come back. However, the ideal approach is to answer sequentially, one at a time.

  1. Take one question at a time. Read it fully and carefully. Identify the stem, the key concept that is being tested. Underline the core concept which is being tested. Read all the choices even if you think you have the right answer in the first, second or third choice.

  1. As there is no negative marking, you must answer all questions. Even for questions where you are not sure of the right answer, you may guess intelligently.

  1. For choosing the right answer, you may be able to identify the right answer straight away. You may also adopt the process of elimination by ruling out the apparently incorrect choices one by one so as to narrow down your choices and pick the right one.

  1. Every question will have one of the choices framed as a distracter. The distracter may attract those with incomplete knowledge or those attempting to answer the question with just common sense. It is essential to be able to eliminate the distracter.

  1. You may mark the answers in your question paper and transfer them periodically, or mark your answer for every question directly in the answer sheet.

  1. If you have to modify your answers for any reason, please ensure that you erase the previous choice properly so that there is no trace of marking; otherwise it may be construed as multiple marking and your answer ignored for valuation.

  1. Your concentration level may come down after an hour or so. It is important that you take a little break by having a sip of water and looking away from the question paper, and get back your concentration before you start answering again. Take a few deep breaths, stretch yourself if required and then get back to the task. Consistent concentration is important.

  1. You may encounter some questions which are familiar to you, which you have answered in the CISA Review Manual or in the test questions. Don’t be prejudiced by your past answers. Read the question fully, understand it, look at the choices and then answer. It may be possible that the questions have been rephrased or re-worded and may have a different answer to what you have seen in the tests, or the choices may be re-arranged or rephrased.

  1. When there are two choices which are similar, pick the one which is more macro and bigger in nature. Remember that the context of the situation as given in the question and the available choices have to be considered to arrive at the best choice.

  1. The pass % is normally about 55% globally and varies from centre to centre. However, passing the exam is primarily dependent on your ability to concentrate during your exam and pick the right choice. Our analysis reveals that most of the students who fail tend to get around 70%, which means that another 5 to 10 questions answered correctly would have got them through. Hence, it is very important that you are able to devote proper time to each of the questions and concentrate throughout the exam.

  1. Ensure that you are marking the answers exactly. Cross-check regularly to ensure this. You have to be extra careful if you have skipped any questions to be answered later. It is important to ensure that you skip marking the answers for that question. You may use a ruler to ensure you are marking the required choice for the appropriate question.

E. Exam Venue

  1. Prepare an exam kit in advance of the exam and carry it to the exam. This kit could include your admission ticket, identity card, pencils, erasers, water bottle, medicines (if required), etc.

  1. Visit the venue in advance before the exam and know the route, parking facility and exact place of the exam. Reach the exam half an hour before the scheduled time so that you are not running to the venue in a hurry. Do come to the venue before time and use the time for relaxing.

  1. Carry your identification cards, admission ticket, 3-4 sharpened pencils, 2-3 erasers and a water bottle. Don’t carry any books. You may not get time to read and it may not be worthwhile trying to read at the last minute. Remember the questions don’t test your memory but are more a test of your judgemental ability as an IS Auditor.

  1. The admission ticket is expected to be received by the candidate 2-3 weeks before the exam. It is sent both by email and by post. You can bring a printout of the email copy to the exam if you don’t receive the hard copy by post. However, if you don’t receive the hard copy either, you may contact the chapter office to confirm your name is in the candidates list. The chapter gets a copy of the list of all the candidates writing the exam from the test centre. They are authorized to identify candidates who have not received the admission ticket. Hence, please don’t panic if you don’t receive the admission ticket, but contact the chapter president or CISA Coordinator of your test centre, who would have the complete list of candidates taking the exam from that test centre.

  1. The proctor will start reading the instructions of the exam 30 minutes before the exam time. You are expected to be in the hall before the proctor commences reading the instructions. The proctor may not allow you inside once he starts reading the instructions.

  1. The instructions relate to signing of forms and filling up your registration particulars. Clarify any doubts you have about the procedures. Follow the proctor’s instructions carefully and write down the details as per the instructions. You can use pen or pencil for writing the registration no. and other details. However, answers are to be marked only in pencil.

  1. The proctor will not answer any questions pertaining to the questions or answers.

  1. You can go out of the exam hall for answering nature’s call with the permission of the proctor. You have to hand over your question and answer papers before going out of the hall and collect them back on return.

  1. No additional papers or sheets will be provided. You may use the question paper or its back side for making any rough notes. It is advisable not to make any notes or markings on the answer sheet except for marking the circles for the right choice.

  1. The CISA Exam is a closed exam, which means neither the question paper nor the answer papers are released. You are not expected to discuss questions or answers with anyone.

  1. After completing the exam, leave the venue silently. Don’t discuss your answers with the other candidates to confirm the answers. You may only get confused.

F. After the Exam

  1. You may be greatly relieved after writing the exam, but begin your preparations for the next exam. Hence, when your memory is fresh, as a first step, walk through the CRM and Questions manual to identify what went wrong and what went right. This could help you for a future exam if you fail, or to become a CISA item writer once you succeed. Yes, you can become a CISA item writer and earn USD 50 per question!

  1. Once you have received the score indicating you are successful in the CISA Exam, read the Application for Certification and, if eligible, apply for certification with all the required documents. Understand the CPE requirements and adhere to them.

G. Summary

You may have all the knowledge, but remember that CISA is a multiple-choice exam. Hence, there is only one correct answer and it is already in front of you. You should learn how to pick the right answer. Being an experienced professional hard-pressed for time, you need to find time for study and orient your thinking as a global IS Auditor. Practice the questions and get the perspective right. Remember that passing the exam is only the beginning. Success in the CISA exam opens out new windows of opportunity in your professional career. Hence, make learning a life-long experience.

Disclaimer:

We are glad that you read through these tips. While hoping they would be useful to you in passing the CISA Exam, please note that we do not provide any assurance of your success. We don’t claim that all the tips would be relevant and useful. However, you may pick up whatever you deem useful. Your success in the CISA Exam depends on YOU – your preparation and your performance on the exam day. Your success also depends on the overall performance of all the candidates. You may consider the above as friendly tips from those who have written and passed the CISA Exam themselves and who have interacted with CISA Exam candidates for the last ten years. We wish you success in the CISA Exam and your professional career.

Do email your suggestions for improving or adding to these tips. Rafeq can be reached at rafeq@vsnl.com and Shirish Deshpande can be reached at dshirish99@vsnl.net.

"



Latest newsletter from AuditNet
Posted by boss on Friday, 01 September 2006 @ 17:44:41 EDT (1881 reads)
Topic CISA

cdupuis writes "AuditNet News for Auditors
September 2006

AuditNet News is sponsored by PricewaterhouseCoopers TeamMate, a database-driven audit management system that streamlines the audit process by providing integrated tools for documentation, report generation and file sharing. For more information about TeamMate, visit www.pwc.com/teammate

9th Annual Risk Management and Internal Audit in Telecoms conference - London, UK - 18 – 19th September 2006. For more information go to http://www.riskmanagement-events.com

CONTINUOUS SARBANES OXLEY COMPLIANCE Best Practices for Sustainable SOX Compliance September 12-14, 2006 Digital Sandbox New York, NY Info at http://www.iqpc.com/na-10416-001

Online Version http://www.auditnet.org/auditnet-l.htm for all the following and more!

1. AuditNet Ask the Auditor: Is the External Auditor responsible for detecting fraud and error, especially after the issuance of Statement 99?
2. AuditNet Heard on the Net– AuditNet® Adds 181 New Programs to the Free Content Area
3. Audit Programs Added This Month – 10 new programs including a Whistleblower Review
4. KnowledgeLeader: Getting Controls Right and Automating Them
5. Get a Free Resume Analysis! Send your resume for a chance for a free critique/analysis
6. Training for Auditors: AuditNet has teamed with the Quality Assurance Institute and the Internal Control Institute to offer online cost-effective audit-related courses.
7. New Exchange Group Formed for Law Firm Internal Auditors
8. Software Compliance: New Monograph on Software Compliance Auditing: Looking for a Career Change?
9. AuditNet Audit Software Corner: No Escaping SOX Requirements Get it done quickly with automation and borrowing from others' experience by Rich Lanza
10. Dan’s Internal Audit Corner – resources from Dan Swanson, a senior security and internal audit professional
11. Internal Audit Manual – a manual for those looking for an online solution.
12. IIA Technology Audit Guide Series – Managing and Auditing Privacy Risks
13. AuditNet Construction Audit Corner Procurement Contracts & Agreements [Detection & Prevention of Fraud] by Gursharan Singh
14. Computer Based Training from Pleier Corporation.
15. Sarbanes-Oxley Corner: Sarbanes Oxley Section 404 Compliance For IT Managers E-book Updated

This month check out Pentana, which produces software for audit professionals, including integrated risk and audit management, staff scheduling and information security questionnaires. Support AuditNet® by supporting our sponsors and the audit related products they provide.

AuditNet launches the new Auditor Career Center powered by eFinancialCareers.com If your company has any audit job vacancies that you are looking to fill, have your HR people contact AuditNet® to post the job and search for candidates. Using the AuditNet Career Center helps support AuditNet® as well! For more information go to www.auditnet.jobsinthemoney.com/

AuditNet Adds a New Career Feature: The Resume Tune-Up.
Nationally recognized resume expert and author of How to Say It In Your Job Search, Robbie Miller Kaplan will select one auditor resume each month and suggest ways to transform the resume from passable to powerful. For more information go to www.auditnet.org/auditnet-l.htm

Coming Attractions!

A new monograph on New Auditor Orientation Manual will be available soon. Also new monographs are in the works for Internet related subjects.

The opinions, beliefs and viewpoints expressed by the various authors and forum participants on this web site do not necessarily reflect the opinions, beliefs and viewpoints of AuditNet or Jim Kaplan

AuditNet CPE & Training Conference Corner

Check out the AuditNet online newsletter to find out more about these upcoming events:
- Continuous Sarbanes Oxley Compliance - Best Practices for Sustainable SOX Compliance, Sep 12-14, 2006, New York, NY
- 2006 ACFE Fraud Conferences and Training
- 2006 IIA Conferences and Seminar Training

Go to the online version for more information about conferences and training!
*****

For all of the above and more, go to www.auditnet.org and click on newsletter!

PUBLICATION FREQUENCY- AuditNet News is published in electronic format monthly. Most of the articles which appear in the newsletter are posted in the Articles Archive section of the AuditNet® website, www.auditnet.org If you no longer wish to receive the AuditNet® News E-mail Newsletter, go to http://www.auditnet.org/subscribe.htm and unsubscribe.

Please forward this newsletter to a friend."



Online Books: CISA Study Guides
Posted by boss on Tuesday, 08 August 2006 @ 23:23:46 EDT (10746 reads)
Topic CISA

Anonymous writes "

This web page is reserved to advertise future CISA Study guides that will be contributed and created by members of the web site.

If you do have cheat sheets, guides, PowerPoint slide shows, or other resources you wish to share, please do send them to cdupuis@cccure.org and I will be happy to post them for all to use.

Thanks

Clement and Nathalie

"

Online Books: CISA Books
Posted by boss on Tuesday, 08 August 2006 @ 23:05:28 EDT (23951 reads)
Topic CISA

Anonymous writes "

Here are some books that could help you master the CISA Exam:

THE CISA ALL IN ONE EXAM GUIDE

NOTE FROM CLEMENT:  This is THE book that you need for your certification exam.  It is written by Peter Gregory who has written about two dozen security books so far.  Peter has a great writing style and the book is very thorough.  It meets all of the 2010 objectives from ISACA.

The CISA Certified Information Systems Auditor All-In-One Exam Guide, published by Osborne McGraw-Hill, is now available in bookstores and from online merchants.

Written by Peter H. Gregory, this book is the largest and most complete study guide available for the CISA (Certified Information Systems Auditor) professional certification. Prior to Osborne McGraw-Hill’s decision to publish this book, the other study guides that were available were shorter and contained less detail. This difference is key for IT professionals who are studying for the CISA certification, which places high demands on the exam taker to be able to recall many details and specifications about information technology, key business processes, and IT auditing.

Despite its title, CISA Certified Information Systems Audit All-In-One Exam Guide is structured and designed to also be a desk reference for early- and mid-career security auditors and security specialists who need a reliable, easily-consumed reference guide for key information technologies and IT auditing practices.  The book contains two chapters that go beyond the CISA study material and include lengthy discussions of professional IT auditing and security and governance frameworks.

“The availability of this study guide represents a big step forward for IT professionals who are studying for the CISA exam and those who have IT security and audit responsibilities,” states Peter H. Gregory. “The IT industry has waited a long time for an All-In-One guide for this popular certification,” he adds, citing the enormous popularity of the CISSP All-In-One Study Guide that is written by Shon Harris and considered the best CISSP guide available.

About Peter H. Gregory

Peter Gregory, CISA, CISSP, DRCE is the author of twenty books on security and technology and has been a technical editor for twenty additional books on security and technology. He has over 25 years of experience in virtually every role in Business IT departments, including work in government, banking, non-profit, telecommunications and on-demand financial software businesses.

Gregory is on the board of advisors and the lead instructor for the University of Washington certificate program in information security, and a lecturer at the NSA-certified University of Washington Certificate Program in Information Assurance & Cybersecurity. He is also on the Board of Directors for the Evergreen State Chapter of InfraGard, and the Executive Steering Board for the SecureWorld Expo Conference in Seattle. A founding member of the Pacific CISO Forum, Mr. Gregory is a graduate of the FBI Citizens’ Academy and active in the FBI Citizens’ Academy Alumni Association.

About ISACA®

With more than 86,000 constituents in more than 160 countries, ISACA® (www.isaca.org) is a leading global provider of knowledge, certifications, community, advocacy and education on information systems assurance and security, enterprise governance of IT, and IT-related risk and compliance. Founded in 1969, ISACA sponsors international conferences, publishes the ISACA® Journal, and develops international information systems auditing and control standards. It also administers the globally respected Certified Information Systems Auditor™ (CISA®), Certified Information Security Manager® (CISM®) and Certified in the Governance of Enterprise IT® (CGEIT®) designations.

ISACA developed and continually updates the COBIT®, Val IT™ and Risk IT frameworks, which help IT professionals and enterprise leaders fulfill their IT governance responsibilities and deliver value to the business.

CISA Certified Information Systems Auditor All-In-One Study Guide by Peter H. Gregory; McGraw-Hill; October 2009; Hardback; $79.99; ISBN-10: 0071487557; ISBN-13: 978-0071487559

“All-in-One is All You Need.”




"

New leader for the CISA certification section
Posted by boss on Tuesday, 08 August 2006 @ 22:31:46 EDT (9690 reads)
Topic CISA

Anonymous writes "Good day to all,

Today I am very excited to announce that we have a new leader for the CISA certification area on the web site. As far as leaders are concerned there could not be a better choice. Let me introduce: Jay Ranade (JayRanade@aol.com )

I am very honored to have someone of Jay's caliber and skills to help me expand and further the CISA certification. Here is a short and impressive bio:

Jay is an internationally renowned expert on computers, communications, disaster recovery, IT Security, and IT controls.

He has written and published more than 35 IT related books on various subjects ranging from networks, security, operating systems, languages, and systems.

He also has an imprint with McGraw-Hill with more than 300 books called “Jay Ranade Series”. He has written and published articles for various computer magazines such as Byte, LAN Magazine, and Enterprise Systems Journal.


The New York Times critically acclaimed his book called the “Best of Byte”.

He is currently working on a number of books on various subjects such as IT Audit, IT Security, Business Continuity, and IT Risk Management.

Jay has consulted and worked for Global and Fortune 500 companies in the US and abroad including American International Group, Time Life, Merrill Lynch, Dreyfus/Mellon Bank, Johnson and Johnson, Unisys, McGraw-Hill, Mobiltel Bulgaria, and Credit Suisse.

He is a member of the ISACA International's Publications Committee.

He is four times world champion in Arm Wrestling and two times world champion (2002 and 2003) in martial arts breaking. He has appeared on ESPN and ESPN2 numerous times.


"



CISA and CISM certs receive the ISO 17024 accreditation
Posted by boss on Wednesday, 28 December 2005 @ 20:02:56 EST (1923 reads)
Topic CISA

cdupuis writes "

ISACA is extremely proud to advise you that the American National Standards Institute (ANSI) has awarded accreditation under ISO/IEC 17024 to ISACA's Certified Information Systems Auditor (CISA) and Certified Information Security Manager (CISM) certification programs. ANSI's accreditation:

  • Promotes the unique qualifications and expertise our certifications provide
  • Protects the integrity of our certifications and provides legal defensibility
  • Enhances consumer and public confidence in the certifications and the people who hold them
  • Facilitates the mobility of certified individuals across borders or industries

Accreditation by ANSI signifies that ISACA's procedures meet ANSI's essential requirements for openness, balance, consensus and due process. To maintain ANSI accreditation, certification bodies such as ISACA are required to consistently adhere to a set of requirements or procedures related to quality, openness and due process.

The American National Standards Institute (ANSI) is a private, nonprofit organization that administers and coordinates the US voluntary standardization and conformity assessment system. Its mission is to enhance both the global competitiveness of US business and the US quality of life by promoting and facilitating voluntary consensus standards and conformity assessment systems, and safeguarding their integrity.

This accreditation and adherence to ISO/IEC 17024 are being used as an industry benchmark. For example, the U.S. Department of Defense (DoD), to ensure a knowledgeable and skilled workforce, has developed a directive that requires every full- and part-time military service member, defense contractor, civilian and foreign employee with privileged access to a DoD system, regardless of job series or occupational specialty, to obtain a certification credential that has been accredited to the ISO 17024 standard.

With this accreditation, we anticipate that significant opportunities for CISAs and CISMs will continue to open in the US, and we believe it will be a strong motivator for similar recognition by governmental entities outside the US. As such, we encourage those of you inside the US to inform your members, credential holders and state and local governmental entities of this achievement, and outside the US to promote this accreditation to the proper authorities and representatives in your countries to obtain similar recognition and support. Finally, please let us know of the outcome of your efforts so that we can share your experiences with others.

ISACA chapters have long played an important role in the widespread recognition and adoption of CISA and CISM, and there is no question that your support contributed to the ANSI accreditation. Thank you for all you do to promote ISACA and the certifications.

Should you have any questions relating to this new accreditation, please contact Terry Trsar at ttrsar@isaca.org.

Sincerely,
Megan Moritz
Lead Chapter Relations Coordinator
Information Systems Audit and Control Association
Phone: +1.847.590.7487
Fax: +1.847.253.1652
E-mail: mmoritz@isaca.org

"



Effective Approach in CISA Exam
Posted by boss on Friday, 30 September 2005 @ 16:01:46 EDT (4298 reads)
Topic CISA

NOTE FROM CLEMENT:
First of all I would like to thank A.Rafeq, Past President, ISACA Bangalore Chapter and Shirish Deshpande, FCA,CISA, Past President of ISACA Pune Chapter for this great document and giving me the authorization to report it on www.cccure.org.  Your contribution to the security community is very much appreciated.

Effective Approach in CISA Exam By:
A.Rafeq, President, ISACA Bangalore Chapter and
Shirish S. Deshpande, Past President, ISACA Pune Chapter



Objective of CISA Exam
The CISA Exam consists of 200 questions from 7 domains as detailed in the Candidate's Guide to the CISA Exam. The CISA Exam tests the minimum level of competence for conducting Information Systems Audit.

Understanding of IT
CISA Candidates are expected to have working knowledge of Information Technology. The basic understanding of Information Technology should cover key concepts of various components of Information Technology in their practical deployment. The IT knowledge should encompass overall understanding of IT Infrastructure, IT Facilities, various types of Computer hardware, Systems Software (Operating System, Database, Networking, Multimedia, etc), Business Application software, Office Automation Software and Audit Software. Further, candidates are expected to know concepts and practice of Management as relevant to IT deployment in enterprises.

CRM - only theoretical training
The CISA Review Technical Information Manual (CRM) is not meant for teaching the fundamental concepts of Information Technology. IT components are explained only to the extent required. The Candidate's Guide to the CISA Exam provides the broad range of topics covered, and the CRM provides the details of the concepts and practice of IS Audit as per the IS Auditors' Tasks and Knowledge requirements. Candidates are advised to use the CRM as the basic guide for learning and use additional material as required, based on their assessment of gaps and individual competency areas.

IT - Practical Training
Candidates who are not well conversant with IT are advised to do a practical course on IT covering hardware, systems software, office automation, business applications and audit software.

Getting CISA Perspective - practical approach
The overall understanding of a CISA candidate is expected to cover the related domains as per the objectives, tasks and knowledge statements given in the Candidates Guide to CISA Exam. Primarily it encompasses three major disciplines - Information Technology, Management and Auditing. The CISA candidates may follow the following approach for getting the perspective of a CISA:
· Obtain overall understanding of Information Technology - concepts and practice
· Understand the Risks of deployment of relevant IT Component
· Know the features and functionalities of Security and controls of IT Component
· Understand how controls could be implemented using the security features and functionalities so as to mitigate the risks in the relevant IT Component
· Learn how to identify the risks, review the related security, evaluate the implemented controls and identify areas of weaknesses.

Conceptual Clarity
CISA Candidates need to have conceptual clarity in the following key areas:
· The inherent risks of implementing Information Technology
· Appropriate risk management strategy for mitigating these risks
· Security and controls which need to be implemented for risk mitigation

Practical Tips for CISA Exam

Click on Read More... below to see 50 tips on the CISA Exam, a must read.


