Certified Information Systems Auditor (CISA) is an exam sponsored by the organization named ISACA. Passing this exam is one of the requirements for becoming a CISA. The exam is guiling. You need to answer 150 questions in four hours or less. The questions are not very long, so just over a minute and a half per question should be quite sufficient—that is, if you can grasp the meaning of a question on the fly. The problem is not that you’ll have only a minute and a half to read a question. The problem is that a minute and a half is all you are going to get for coming up with the correct answer. Sounds easy?—Think again! ISACA doesn’t publish any information about the candidates’ success rates, but rumor has it that only about half of the candidates pass the exam on the first attempt.
What is it about this exam that makes it so intimidating? There are lots and lots of resources out there for preparing for this exam—training courses, books, thousands upon thousands of practice questions with answers (some even with explanations, sort of), and an entire Internet universe full of relevant articles. But this is probably one of those counter-intuitive cases where more doesn’t necessarily translate into better—more information doesn’t make it more helpful. You can’t possibly read all the books or answer all the practice questions. So, you need to choose which materials to study and which questions are worth your time and effort. But how should you choose?
The trick with this exam is that it requires relatively little special knowledge (on auditing) and a whole lot of common sense. To pass this exam, you first and foremost must have an open-minded attitude and the ability to think logically. Some degree of general technical knowledge will be very helpful—traditional IT and cloud computing basics, TCP/IP networking, firewalls, and cybersecurity. Of course, you should know what information systems (IS) auditing is all about, but what is more important than cramming a few facts, definitions, and rules is your ability to apply that knowledge.
Most questions on the real exam present a realistic situation and ask you how it should be resolved or how an IS auditor should act under those circumstances. There are so many possible situations and scenarios that it is absolutely impossible to describe them all, even in the form of relatively brief questions. No matter how many so-called “braindumps” you go over, you can never cover all the possibilities, not to mention that maybe half of their “answers” are usually wrong. Even if you could memorize every question that you saw, you would still get a whole lot of “surprise questions” on the real exam—quite possibly, enough to fail the exam. That is probably the main reason for the aforementioned rumor about the high first-time failure rate.
Fortunately, cramming thousands upon thousands of questions is not really necessary. All you need is to get into the role—learn to think as an IS auditor. That is where Boson’s CISA practice exam product comes into play. It is not a “braindump.” Our questions are different from the real exam ones. The product contains 450 questions, and every single one of them tells you something that you need to know in order to pass the exam. Our questions are designed in a way that helps you both focus on the requisite knowledge and think logically and realistically. Here are a few examples of the important points to keep in mind.
- Pay close attention to the main actor of a scenario. If it is an auditor, remember that auditors are not supposed to do “regular” work. An auditor can evaluate, assess, verify, review, or determine but cannot ensure, assign, configure, or require. The latter actions are the prerogative of nonaudit employees, and an auditor can only recommend them.
- An auditor should be thorough. If there appears to be a problem, the auditor should usually—except in obvious emergencies—investigate further in order to then report a more detailed finding.
- An auditor should be helpful and understanding if an auditee provides a reasonable explanation for what the auditor deems a concern.
- Laws and regulations almost always trump any other requirements. But nevertheless, be mindful of the “almost.”
- Industry standards, best practices, and guidelines can be made mandatory but by default are not. They are intended for an entire industry. Therefore, they are usually too general. They may be good for some companies and not so good for others.
Most books on the subject are very big—around 1,000 pages or even more—and have one of two typical drawbacks. Some books are so nebulous that they drown whatever few precious droplets of useful information they have in an ocean of clever words that have little practical merit. If normal humans try to earnestly read them, they usually start dozing off within the first 10 minutes or so. Other books, on the contrary, try to simplify everything to the point of trivializing it, which can cost you dearly on the real exam. Boson’s CISA practice-exam product is somewhere in the middle—we have tried to simplify everything as much as possible but without losing sight of the big picture.
We tried to emulate the real exam’s level of difficulty, including some of its vagueness and tricky points. The same choice can be the correct answer in one question and a wrong choice in another. For example, an independent review can be the best answer in one question about separation of duties (SoD) and can be a suboptimal choice in another SoD question where the correct answer might be audit trails. You should be mindful of some common buzzwords, which can refer to different things in different questions. For example, there is a significant difference between monitoring the performance of IT and monitoring the system performance. The former is a management issue, whereas the latter is a technical one.
We are confident that our CISA practice-exam product will take you over the finish line. But just in case, here are a few quick tips for the live exam:
- For each question, first identify the section/topic where the question belongs. It is not always obvious or even easy, but if you do it right, it is usually very helpful.
- Pay attention to the big words in the question, such as FIRST, NEXT, BEST, PRIMARY, MOST important, or GREATEST.
- Pay attention to an auditor’s requisite action: is it to do or to recommend? An auditor can do only a few specific things but can recommend almost anything.
- Learn to compare seemingly legitimate choices and identify the one that is the best or most important. Be careful about “most important,” though, because it can sometimes be about good things and sometimes about bad ones.
- Always go for the choice that is related to what you are supposed to accomplish or identify in the most direct and practical way.
We value your feedback. After the exam, please let us know how much you think our product has helped you.