
Certified Information Systems Auditor

Updated May 1, 2026 · 12 min read · Written by Certsqill experts

Quick facts — CISA
Exam cost: $575 USD (ISACA members $415)
Questions: 150 items
Time limit: 4 hours
Passing score: 450/800
Valid for: 3 years
Testing: PSI

Who this exam is for

The Certified Information Systems Auditor certification is designed for professionals who work with or want to work with ISACA technologies in a professional capacity. It is taken by cloud engineers, DevOps practitioners, IT administrators, and technical professionals looking to validate their expertise.

You do not need extensive prior experience to attempt it, but you will benefit from hands-on familiarity with the subject matter. The exam tests applied knowledge and architectural judgment, not just memorization. If you can reason about trade-offs and real-world scenarios, structured practice will handle the rest.

Domain breakdown

The CISA exam is built around official domains, each with a fixed percentage of the question pool. This distribution should directly inform how you allocate your study time.

Domain (exam weight): focus areas

Information System Auditing Process (21%): audit planning, risk-based audit approach, audit execution techniques, audit evidence collection, and reporting audit findings in accordance with IS audit standards.

Governance & Management of IT (17%): IT governance frameworks (COBIT), IT strategy alignment with business objectives, IT organizational structures, and management of IT resources.

Information Systems Acquisition, Development & Implementation (12%): business case development, project management oversight, SDLC audit points, change management controls, and post-implementation review.

Information Systems Operations & Business Resilience (23%): IT service management, operational controls, IT asset management, business continuity planning, disaster recovery, and service level agreement auditing.

Protection of Information Assets (27%): information security management, logical and physical access controls, network security controls, encryption use and key management, and security incident auditing.

Note the highest-weighted domain, Protection of Information Assets at 27%. Many candidates under-invest here because it feels conceptual; in practice, this is where the exam is most precise, with scenario-based questions that test specifics.

What the exam actually tests

This is not a memorization exam. Questions require applied judgment under constraints. Almost every question includes a scenario with explicit requirements and asks you to select the most appropriate solution.

Here are examples of the question types you will encounter:

Auditor Mindset
During an audit, an IS auditor discovers a critical vulnerability in a production system. The system owner is unaware. What should the auditor do FIRST?
CISA tests the auditor's role: observe, document, report, and recommend — not fix, implement, or take corrective action. The auditor reports findings to management; management decides corrective action.
Audit Evidence Standards
An IS auditor is evaluating access controls. Which type of audit evidence MOST directly demonstrates that controls are operating effectively?
Know audit evidence types: sufficient (enough quantity), reliable (from credible source), relevant (pertains to the audit objective), and useful. Direct observation and system-generated reports are more reliable than verbal confirmations.
Control Objectives vs Control Activities
Management states that unauthorized access to financial data must be prevented. This is BEST described as which type of control?
Control objectives state what must be achieved (prevent unauthorized access). Control activities are the specific actions taken to achieve the objective (access logs, MFA, separation of duties). CISA distinguishes these carefully.

How to prepare — 4-week study plan

This plan assumes one hour per weekday and roughly 30 minutes of lighter review on weekends. It is calibrated for someone with some relevant experience. If you are starting from zero, add an extra week before Week 1 to familiarise yourself with the basics.

Week 1: Audit Process & Governance
  • Study Domain 1: ISACA IS audit standards, risk-based audit approach, and audit program development
  • Learn audit evidence: types, characteristics (sufficient, reliable, relevant, useful), and collection methods
  • Study Domain 2: COBIT framework, IT governance structures, and IT strategy-business alignment concepts
  • Complete 80 practice questions on audit process and IT governance topics
Week 2: Systems Acquisition & Operations
  • Study Domain 3: SDLC audit checkpoints, project management controls, and change management auditing
  • Cover Domain 4: IT service management (ITIL basics), operational controls, and BCP/DR audit objectives
  • Learn SLA auditing: key metrics (availability, MTTR, MTBF) and how auditors evaluate SLA compliance
  • Practice 100 questions on systems acquisition, development, and operations domains
Week 3: Information Asset Protection
  • Study Domain 5: logical access controls, network security architecture from an auditor perspective
  • Cover encryption control auditing: key management practices, certificate management, and data classification
  • Study physical access controls, environmental controls, and how auditors test them
  • Practice 120 questions on information asset protection — the highest-weighted domain
Week 4: Mock Exams & Auditor Mindset Drill
  • Complete 2 full 150-question mock exams under 4-hour timed conditions
  • For every incorrect answer, identify: did you answer as an IT manager (wrong) or as an IS auditor (right)?
  • Review ISACA audit standards: ITAF (IT Assurance Framework) and how it structures audit work
  • Focus on Domain 5 (27%) if below 75% accuracy — it carries the most exam weight

Common mistakes candidates make

These patterns appear repeatedly among candidates who resit this exam. Knowing them in advance is worth several percentage points.

Answering as an IT manager instead of an IS auditor
The most common CISA failure mode. Auditors observe, document, report, and recommend. They do not fix vulnerabilities, implement controls, or make decisions for management. When you see "auditor discovers a problem," the answer involves reporting to management — not resolving it.
Weak on audit evidence standards
CISA tests whether you know what constitutes good audit evidence: sufficient in quantity, reliable in source, relevant to the objective, and useful to auditors. System-generated evidence with automated controls is more reliable than manually created records.
Confusing control objectives with control activities
Control objectives define what must be achieved (e.g., prevent unauthorized data access). Control activities are what is done to meet that objective (e.g., access logs, MFA, user provisioning reviews). ISACA tests whether you can classify a given statement correctly.
Neglecting Domain 5 (Protection of Information Assets)
At 27%, Domain 5 is the heaviest CISA domain. Candidates who treat all domains equally will underperform here. Allocate extra study time to access controls, encryption, and network security controls from an audit perspective.

Is Certsqill right for you?

Honestly: Certsqill is built for candidates who have already done some studying and want to convert knowledge into exam performance. If you have never touched the subject, start with a foundational course first — then come to Certsqill when you are ready to practice.

Where Certsqill is strong: question depth, AI-powered explanations, and domain analytics. Every question is mapped to the exam blueprint. When you get something wrong, the AI tutor explains why the right answer is right and why each wrong answer fails under the specific constraints in the question.

Where Certsqill is not a replacement: video courses and hands-on labs. Use Certsqill to test and sharpen — not as your first exposure to a topic you have never encountered.
