7.9 Auditing Standards and Groups
Chapter 7
7.9.1 Information Systems Audit and Control Association (ISACA)
ISACA provides information on generally applicable and accepted standards for good information technology security and control practices. The association's Web site also provides a global information repository to help members keep pace with technological change. Additional details on ISACA can be found on the Internet at http://www.isaca.org.
7.9.1.1 ISACA CISA Certification
The Certified Information Systems Auditor (CISA) is the primary ISACA certification. The CISA exam tests applicants in the areas of IS auditing, control, and security. CISA has grown into a globally recognized and widely adopted certification standard. According to the ISACA Web site, there are more than 29,000 CISAs worldwide, and more than 10,000 individuals took the CISA exam in 2002 alone. The CISA designation is awarded to individuals with an interest in information systems auditing, control, and security who have met, and continue to meet, the following requirements:
Candidates must demonstrate at least five years of experience working in the field of information systems auditing, control, or security. Such experience must have been gained within the ten-year period preceding the application date for certification or within five years from the date of initially passing the examination. Retaking and successfully passing the examination will be required if the application for certification is not submitted within five years from the passing date of the examination. All experience must be verified independently with employers.
All candidates must agree to adhere to a Code of Professional Ethics that guides professional and personal conduct.
Candidates must participate in continuing education programs. This helps maintain an individual's competency by requiring the update of existing knowledge and skills in the areas of information systems auditing, management, accounting, and business areas related to specific industries. It provides a means to differentiate between qualified CISAs and those who have not met the requirements for continuation of their certification, and it is a mechanism for monitoring information systems audit, control, and security professionals' maintenance of