All About CISA Exam – Preparation Study Materials

CISA Exam – The CISA (Certified Information Systems Auditor) certificate is renowned across the globe as a standard for business systems and information technology professionals who audit, monitor, assess and control data. Certification recognises candidates for their professional experience, knowledge and skills, and for their expertise in managing vulnerabilities, instituting controls and ensuring compliance within the enterprise.

ISACA certification is one of the toughest and most respected achievements in your field. You can now stand a little taller knowing you have taken the initial steps toward certification. ISACA recommends numerous materials in various languages to assist you in studying for the CISA certification exam.

CISA Exam Study Material

ISACA has prepared a variety of study resources in various languages to fully prepare for your CISA Exam. These include primary references, publications, articles, the ISACA Journal and other links.

Benefits of using a study guide when preparing to take your Exam

  • You will save hours of time.
  • You will Identify Strengths and Weaknesses via Pre-Assessments
  • A Study Guide Simulates the Exam-Taking Experience
  • A Study Guide Allows You to Monitor Your Progress
  • Your Study Guide is a Portable, Reliable Reference

CISA Study material free download

Candidates guide for CISA exam and certification

Recommended Read : Complete details of CISA Exam study Material

CISA Exam Revision tips

The CISM examination is difficult. Not only is there a lot of material to know and revise, but the CISA exam is long—at four hours, it is much longer than many of us will have experienced during our formal education. Here are some tips from my own experience to help you through the ISACA exam process for all certifications.


Start with the practice exam in the CISM review book. You will find it to be hard work. I had to force myself to read each question carefully towards the end. Self-marking this exam identifies the areas for improvement in revision. Going through these questions will help you to understand the question format on the exam. These questions are not actual or even retired questions from an exam.

Revising effectively consists of three stages:

  1. Reviewing the practice exam—was that wrong answer a careless mistake or a lack of knowledge?
  2. Tailoring the revision—ISACA’s resources and other security publications are extremely useful. Make sure you learn ISACA’s preferred terminology.
  3. The questions in the review book explain the correct answer and why the other options are false. This ensures both your knowledge and reasoning are sound. In hindsight, this was the most valuable part of my revision programme.

With the real exam nearing, re-take the practice test. I felt less tired and more in control this time around. I improved my score significantly, with consistent results across all the knowledge domains. Make sure to review incorrect answers and learn from them. However, do not be over confident if you pass these practice exams. They are used for review and are not reflective of the questions being tested on the exam.

The Exam

Read all the provided information about the exam administration—specifically the Candidates Guide, and take everything you need (particularly suitable ID) with you!

Most people will need to travel to the exam venue. Try to stay in a local hotel the night before as stress from delays or traffic will not help your chances of success. A good night’s rest is an excellent investment.

Once you arrive for the exam, after registration you will enter the exam room itself (often it will be rows of school desks). Relax. If you suffer from pre-exam nerves, try to delay your registration a little to minimise the time you spend waiting at your desk.

With a few hundred people in the room, it is quiet, but not silent. There will be a background of rustling paper, coughing and creaking chairs. Earplugs are provided, but you are not allowed to bring your own or noise-cancelling headphones.

A good exam technique is the method I was taught many years ago:

  1. Answer quick wins on a first pass.
  2. Spend longer on more difficult questions, but do not be afraid to move on.
  3. Revisit remaining questions, using reasonable methods to find an answer.

What’s Reasonable? You could:

  1. Identify wrong answers. This is why it is important to know not only why an answer is correct, but also why the other three are false.
  2. Use facts from other questions. If you are stuck on “What type of control is a firewall?” another question might ask “Preventive controls such as firewalls are useful in which scenarios?” You’ve been given the answer—thanks ISACA!

Finally, copy your answers to the answer sheet. Having learnt from previous mistakes, I now use this method:

  1. Copy the question book answers onto the answer sheet
  2. Ensure the correct dots are filled for each question
  3. Ensure exactly 200 dots are filled (as a final check)

If you have finished early, you can put your hand up and you can leave once an invigilator has collected your papers. You will be tired afterwards, so plan to relax, get some fresh air, some lunch and move about a bit. Nobody wants to finish their exam day with an accident caused through tiredness.

Recommended Read:

Complete details of CISA Exam Study tips

Complete details of CISA Exam Preparation

CISA Exam Format

The CISA Exam format is multiple choice. You get 200 questions which have to be completed in xx hours, so just keep moving! If the answer does not hit you as you are reading the question, mark it and come back later. Just keep moving and you will be safe. Each question has 4 choices and some are devilishly close to each other. You have to think straight; at times you will want to argue with the person who crafted the question and prove that your response is correct, but if you analyse closely you will realise that the book was right.

The CISA exam is offered in several languages, including Chinese (simplified and traditional), English, French, German, Hebrew, Italian, Japanese, Korean, Spanish and Turkish.

Traditional Chinese, German, Hebrew and Italian are offered in June exams only. The exam is positively graded, and the passing score is 450 in the range of 200 to 800.

The CISA exam is divided into five modules that cover the complete scope of IS audits and review. Each of these modules comes with individual professional credits that are reflected in the final certificate.

  • Module 1 – The Process of Auditing Information Systems

This helps the candidate gain the knowledge required to comply with the highest standards of information systems and provide the best audit practices for the same. For organisations, this would mean thorough control and protection of their business and information systems.

  • Module 2 – CISA’s role in IT governance

Topics covered under Module 2 help the candidate learn to develop sound IS control practices and management mechanisms. Certified professionals will provide the organization with the assurance of best policies, accountability and structures of monitoring to arrive at the desired IT governance.

  • Module 3 – CISA’s role in Systems and Infrastructure Life Cycle Management

This Module covers the processes and methodologies that modern organisations employ while changing or reinventing the infrastructure components of their application systems.

  • Module 4 – CISA’s role in IT Service Delivery and Support

Here the candidate is required to review the processes and methodologies applicable to different IT systems. The module also teaches the IS audit approach in the event of a disruption. Businesses can gain from expert disaster recovery methodologies and timely resumption of database services, thus minimising the negative impact on a range of business processes.

  • Module 5 – CISA’s role in Protection of Information Assets

The key component of Module 5 enables a professional to be able to ensure the integrity, availability and confidentiality of information assets while instituting physical and logical access controls and other security measures.

Recommended Read : Complete details of CISA Exam format, rules and regulation

CISA Exam Practice Questions and Suggested answers 

The CISA exam question bank includes definitions, lists, acronyms, fill in the blanks, long answer forms and others.

Q. 1. The application test plans are developed in which of the following systems development life cycle (SDLC) phases? A. Design B. Testing C. Requirement D. Development

Answer: A Developing test plans for the various levels of testing is one of the key activities during the application development design phase. The test plans are used in the actual software testing.

Q. 2. Which of the following tests confirm that the new system can operate in its target environment? A. Sociability testing B. Regression testing C. Validation testing D. Black box testing

Answer: A Sociability testing is used to confirm that the new or modified system can operate in its target environment without adversely impacting existing systems. Regression testing is the process of rerunning a portion of a test scenario or test plan to ensure that changes or corrections have not introduced new errors. Validation testing is used to test the functionality of the system against the detailed requirements to ensure that the software that has been built is traceable to customer requirements. Black box testing examines some aspect of the system during integration testing with little regard for the internal logical structure of the software.

Q. 3. The MOST appropriate person to chair the steering committee for a system development project with significant impact on a business area would be the: A. business analyst. B. chief information officer. C. project manager. D. executive level manager.

Answer: D The chair of the steering committee should be a senior person (executive level manager) with the authority to make decisions relating to the business requirements, resources, priority and deliverables of the system. The chief information officer (CIO) would not normally be the chair, although the CIO or his representative would be a member to provide input on organisation-wide strategies. The project manager and the business analyst do not have an appropriate level of authority within the organisation.

Q. 4. The Primary purpose of undertaking a parallel run of a new system is to: A. verify that the system provides required business functionality. B. validate the operation of the new system against its predecessor. C. resolve any errors in the program and file interfaces. D. verify that the system can process the production load.

Answer: B The objective of parallel running is to verify that the new system produces the same results as the old system. The verification of functionality is through acceptance testing, while resolving errors in programs is accomplished through system testing. Verifying that the system can handle the production load may be a secondary outcome of a parallel run, but it is not the primary purpose. If it were the primary purpose, it would be a stress test probably run in the test environment.

Q. 5. Change control procedures to prevent scope creep during an application development project should be defined during: A. design. B. feasibility. C. implementation. D. requirements definition.

Answer: A The change control procedures are generally common for applications within one organization; however, the application-specific change control procedures are to be defined during the design phase of SDLC and should be based on the modules in the software. The other choices are incorrect. It is too early to define change control procedures during the feasibility phase, and it would also be too late during the implementation phase and after the implementation of software.

Q. 6. Which of the following would MOST likely ensure that a system development project meets business objectives? A. Maintenance of program change logs B. Development of a project plan identifying all development activities C. Release of application changes at specific times of the year D. User involvement in system specification and acceptance

Answer: D Effective user involvement (choice D) is the most critical factor in ensuring that the application meets business objectives. Choices A, B and C are project management tools and techniques and are not of themselves methods for ensuring that the business objectives are met by the application system.

Q. 7. Which of the following is a measure of the size of an information system based on the number and complexity of a system’s inputs, outputs and files? A. Function point (FP) B. Program evaluation review technique (PERT) C. Rapid application design (RAD) D. Critical path method (CPM)

Answer: A Function point (FP) analysis is a measure of the size of an information system based on the number and complexity of the inputs, outputs and files that a user sees and interacts with. FPs are used in a manner analogous to LOC as a measure of software productivity, quality and other attributes. PERT is a network management technique used in both the planning and control of projects. RAD is a methodology that enables organisations to develop strategically important systems faster while reducing development costs and maintaining quality. CPM is used by network management techniques such as PERT, to compute a critical path.

Q. 8. When auditing the requirements phase of a software acquisition, the IS auditor should: A. assess the feasibility of the project timetable. B. assess the vendor’s proposed quality processes. C. ensure that the best software package is acquired. D. review the completeness of the specifications.

Answer: D The purpose of the requirements phase is to specify the functionality of the proposed system; therefore the IS auditor would concentrate on the completeness of the specifications. The decision to purchase a package from a vendor would come after the requirements have been completed. Therefore choices B and C are incorrect. Choice A is incorrect because a project timetable normally would not be found in a requirements document.

Q. 9. The purpose of debugging programs is to: A. generate random data that can be used to test programs before implementing them. B. protect, during the programming phase, valid changes from being overwritten by other changes. C. define the program development and maintenance costs to be included in the feasibility study. D. ensure that program abnormal terminations and program coding flaws are detected and corrected.

Answer: D Debugging provides the basis for the programmer to correct the logic errors in a program under development before it goes into production. Tools such as logic paths monitors, memory dumps and output analyzers aid in this process.

Q. 10. Software maintainability BEST relates to which of the following software attributes? A. Resources needed to make specified modifications. B. Effort needed to use the system application. C. Relationship between software performance and the resources needed. D. Fulfillment of user needs.

Answer: A Maintainability is the set of attributes that bears on the effort needed to make specified modifications. Other choices relate to software attributes for usability, efficiency and functionality respectively.

Q. 11. IT governance ensures that an organization aligns its IT strategy with: A. Enterprise objectives. B. IT objectives. C. Audit objectives. D. Finance objectives.

Answer: A IT governance ensures that the organisation aligns its IT strategy with the enterprise/business objectives. Choices B, C and D are too limited.

Q. 12. A validation which ensures that input data are matched to predetermined reasonable limits or occurrence rates, is known as: A. Reasonableness check. B. Validity check. C. Existence check. D. Limit check.

Answer: A A reasonableness check ensures that input data are matched to predetermined reasonable limits or occurrence rates. A validity check is a programmed checking of the data validity in accordance with predetermined criteria. Existence checks are checks for data reentered correctly and agree with valid predetermined criteria. A limit check ensures data does not exceed a predetermined amount.

Q. 13. During which of the following steps in the business process reengineering should the benchmarking team visit the benchmarking partner? A. Observation B. Planning C. Analysis D. Adaptation

Answer: A During the observation stage, the team collects data and visits the benchmarking partner. In the planning stage, the team identifies the critical processes for the benchmarking purpose. The analysis stage involves summarizing and interpreting the data collected and analyzing the gaps between an organization’s process and its partner’s process. During the adaptation step, the team needs to translate the findings into a few core principles and work down from principles to strategies, to action plans.

Q. 14. Which of the following procedures should be implemented to help ensure the completeness of inbound transactions via electronic data interchange (EDI)? A. Segment counts built into the transaction set trailer B. A log of the number of messages received, periodically verified with the transaction originator C. An electronic audit trail for accountability and tracking D. Matching acknowledgement transactions received to the log of EDI messages sent

Answer: A Control totals built into the trailer record of each segment is the only option that will ensure all individual transactions sent are completely received. The other options provide supporting evidence, but their findings are either incomplete or not timely.

Q. 15. A utility is available to update critical tables in case of data inconsistency. This utility can be executed at the OS prompt or as one of menu options in an application. The BEST control to mitigate the risk of unauthorized manipulation of data is to: A. delete the utility software and install it as and when required. B. provide access to utility on a need-to-use basis. C. provide access to utility to user management D. define access so that the utility can be only executed in menu option.

Answer: B Utility software in this case is a data correction program for correcting any inconsistency in data. However, this utility can be used to over-ride wrong update of tables directly. Hence, access to this utility should be restricted on a need-to-use basis and a log should be automatically generated whenever this utility is executed. The senior management should review this log periodically. Deleting the utility and installing it as and when required may not be practically feasible as there would be time delay. Access to utilities should not be provided to user management. Defining access so that the utility can be executed in a menu option may not generate a log.

Q. 16. When conducting a review of business process re-engineering, an IS auditor found that a key preventive control had been removed. In this case, the IS auditor should: A. inform management of the finding and determine if management is willing to accept the potential material risk of not having that preventive control. B. determine if a detective control has replaced the preventive control during the process and if so, not report the removal of the preventive control. C. recommend that this and all control procedures that existed before the process was reengineered be included in the new process. D. develop a continuous audit approach to monitor the effects of the removal of the preventive control.

Answer: A Choice A is the best answer. Management should be informed immediately to determine if they are willing to accept the potential material risk of not having that preventive control in place. The existence of a detective control instead of a preventive control usually increases the risks that a material problem may occur. Often during a BPR many non-value-added controls will be eliminated. This is good, unless they increase the business and financial risks. The IS auditor may wish to monitor or recommend that management monitor the new process, but this should be done only after management has been informed and accepts the risk of not having the preventive control in place.

Q. 17. Which of the following is an output control objective? A. Maintenance of accurate batch registers B. Completeness of batch processing C. Appropriate accounting for rejections and exceptions D. Authorization of file updates

Answer: C Exceptions and rejections are output products that must be accounted for by appropriate output controls. Choices A, B and D are input control objectives.

Q. 18. In a system that records all receivables for a company, the receivables are posted on a daily basis. Which of the following would ensure that receivables balances are unaltered between postings? A. Range checks B. Record counts C. Sequence checking D. Run-to-run control totals

Answer: D Run-to-run control totals are totals of key fields – in this case the totals of the receivables balances – taken when the receivables are posted. If the totals are recalculated and compared with the previous balance, this would detect alterations between postings. Both record counts and sequence checking would only detect missing records. They would not detect situations in which records are altered, but the number of records is unchanged. Range checks would only detect when the balances are outside a predetermined value range and not changes to balances within those ranges.
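The comparison in the answer above, as an added example that is not part of the original question bank: the four controls are run over a small receivables file to show which ones notice a change made between postings. The ledger rows, balance limits and function names are constructed for illustration, and the last scenario goes one step beyond the text to show that two offsetting changes leave a plain sum unchanged.

```python
from decimal import Decimal

# Constructed sample data: (sequence_no, customer_id, receivable_balance)
POSTED = [
    (1, "C-1001", Decimal("1200.00")),
    (2, "C-1002", Decimal("450.50")),
    (3, "C-1003", Decimal("9800.00")),
    (4, "C-1004", Decimal("75.25")),
]
# Assumed acceptable balance range for the range check.
LOW, HIGH = Decimal("0.00"), Decimal("10000.00")


def control_total(records):
    """Run-to-run control total: sum of the key field over the whole file."""
    return sum((bal for _, _, bal in records), Decimal("0"))


def sequence_ok(records):
    """True when sequence numbers are consecutive (no gaps or repeats)."""
    seqs = [seq for seq, _, _ in records]
    return all(b - a == 1 for a, b in zip(seqs, seqs[1:]))


def range_ok(records):
    """True when every balance lies inside the predetermined range."""
    return all(LOW <= bal <= HIGH for _, _, bal in records)


def run_checks(previous_run, current_run):
    """Compare the file as posted with the file as read by the next run."""
    return {
        "range_check": range_ok(current_run),
        "record_count": len(previous_run) == len(current_run),
        "sequence_check": sequence_ok(current_run),
        "control_total": control_total(previous_run) == control_total(current_run),
    }


def failed_checks(previous_run, current_run):
    """Names of the controls that flag a difference, sorted for stable output."""
    results = run_checks(previous_run, current_run)
    return sorted(name for name, ok in results.items() if not ok)


def with_balance(records, customer, new_balance):
    """Return a copy of the file with one customer's balance replaced."""
    return [
        (seq, cust, Decimal(new_balance) if cust == customer else bal)
        for seq, cust, bal in records
    ]


# Constructed scenarios describing the state of the file at the next posting.
SCENARIOS = {
    "unaltered": list(POSTED),
    # One balance changed but still inside the allowed range.
    "altered_in_range": with_balance(POSTED, "C-1002", "4450.50"),
    # One record removed from the file.
    "record_deleted": [r for r in POSTED if r[1] != "C-1003"],
    # +100.00 on one account and -100.00 on another: the sum is unchanged.
    "offsetting": with_balance(
        with_balance(POSTED, "C-1001", "1300.00"), "C-1003", "9700.00"
    ),
}

if __name__ == "__main__":
    for name, current in SCENARIOS.items():
        flagged = failed_checks(POSTED, current) or ["none"]
        print(f"{name:18} flagged by: {', '.join(flagged)}")
```
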

Q. 19. Which of the following is the MOST important issue to the IS auditor in a business process re-engineering (BPR) project? A. The loss of middle management, which often is a result of a BPR project B. That controls are usually given low priority in a BPR project C. The considerable negative impact that information protection could have on BPR D. The risk of failure due to the large size of the task usually undertaken in a BPR project

Answer: B Controls should be given high priority during a BPR project, therefore this would be a concern for the IS auditor if they are not adequately considered by management. The fact that middle management is lost, as stated in choice A, is not necessarily a concern as long as controls are in place. Choices C and D do not have any relevance to a BPR project.

Q. 20. To meet pre-defined criteria, which of the following continuous audit techniques would BEST identify transactions to audit? A. Systems Control Audit Review File and Embedded Audit Modules (SCARF/EAM) B. Continuous and Intermittent Simulation (CIS) C. Integrated Test Facilities (ITF) D. Audit hooks

Answer: B Continuous and Intermittent Simulation (CIS) is a moderately complex set of programs that, during a process run of a transaction, simulates the instruction execution of its application. As each transaction is entered, the simulator decides whether the transaction meets certain predetermined criteria and if so, audits the transaction. If not, the simulator waits until it encounters the next transaction that meets the criteria. Audit hooks, which are of low complexity, focus on specific conditions instead of detailed criteria in identifying transactions for review. ITF is incorrect because its focus is on test versus live data. SCARF/EAM is incorrect because its focus is on controls versus data.

Q. 21. In a risk-based audit approach, an IS auditor, in addition to risk, would be influenced by: A. the availability of CAATs. B. management’s representation. C. organizational structure and job responsibilities. D. the existence of internal and operational controls

Answer: D The existence of internal and operational controls will have a bearing on the IS auditor’s approach to the audit. In a risk-based approach the IS auditor is not just relying on risk, but also on internal and operational controls as well as knowledge of the company and the business. This type of risk assessment decision can help relate the cost-benefit analysis of the control to the known risk, allowing practical choices. The nature of available testing techniques and management’s representations, have little impact on the risk-based audit approach. Although organisational structure and job responsibilities need to be considered, they are not directly considered unless they impact internal and operational controls.

Q. 22. The extent to which data will be collected during an IS audit should be determined, based on the: A. availability of critical and required information. B. auditor’s familiarity with the circumstances. C. audit’s ability to find relevant evidence. D. purpose and scope of the audit being done.

Answer: D The extent to which data will be collected during an IS audit should be related directly to the scope and purpose of the audit. An audit with a narrow purpose and scope would result most likely in less data collection, than an audit with a wider purpose and scope. The scope of an IS audit should not be constrained by the ease of obtaining the information or by the auditor’s familiarity with the area being audited. Collecting all the required evidence is a required element of an IS audit and the scope of the audit should not be limited by the auditee’s ability to find relevant evidence.

Q. 23. The Primary advantage of a continuous audit approach is that it: A. does not require an IS auditor to collect evidence on system reliability while processing is taking place. B. requires the IS auditor to review and follow up immediately on all information collected. C. can improve system security when used in time-sharing environments that process a large number of transactions. D. does not depend on the complexity of an organisation’s computer systems.

Answer: C The use of continuous auditing techniques can actually improve system security when used in time-sharing environments that process a large number of transactions, but leave a scarce paper trail. Choice A is incorrect since the continuous audit approach often does require an IS auditor to collect evidence on system reliability while processing is taking place. Choice B is incorrect since an IS auditor normally would review and follow up only on material deficiencies or errors detected. Choice D is incorrect since the use of continuous audit techniques does depend on the complexity of an organisation’s computer systems.

Q. 24. Which of the following data entry controls provides the GREATEST assurance that the data is entered correctly? A. Using key verification B. Segregating the data entry function from data entry verification C. Maintaining a log/record detailing the time, date, employee’s initials/user id and progress of various data preparation and verification tasks D. Adding check digits

Answer: A Key verification or one-to-one verification will yield the highest degree of confidence that data entered is error free. However, this could be impractical for large amounts of data. The segregation of the data entry function from data entry verification is an additional data entry control but does not address accuracy. Maintaining a log/record detailing the time, date, employee’s initials/user ID and progress of various data preparation and verification tasks, provides an audit trail. A check digit is added to data to ensure that original data have not been altered. If a check digit is wrongly keyed, this would lead to accepting incorrect data but would only apply to those data elements having a check digit.

Q. 25. Capacity monitoring software is used to ensure: A. maximum use of available capacity. B. that future acquisitions meet user needs. C. concurrent use by a large number of users. D. continuity of efficient operations.

Answer: D Capacity monitoring software shows the actual usage of online systems versus their maximum capacity. The aim is to enable software support staff to ensure that efficient operation, in the form of response times, is maintained in the event that use begins to approach the maximum available capacity. Systems should never be allowed to operate at maximum capacity. Monitoring software is intended to prevent this. Although the software reports may be used to support a business case for future acquisitions, it would not provide information on the effect of user requirements and it would not ensure concurrent usage of the system by users, other than to highlight levels of user access.

Q. 26. Which of the following exposures associated with the spooling of sensitive reports for offline printing would an IS auditor consider to be the MOST serious? A. Sensitive data can be read by operators. B. Data can be amended without authorisation. C. Unauthorised report copies can be printed. D. Output can be lost in the event of system failure.

Answer: C Unless controlled, spooling for offline printing may enable additional copies to be printed. Print files are unlikely to be available for online reading by operators. Data on spool files are no easier to amend without authority than any other file. There is usually a lesser threat of unauthorised access to sensitive reports in the event of a system failure.

Q. 27. Which of the following types of firewalls would BEST protect a network from an Internet attack? A. Screened subnet firewall B. Application filtering gateway C. Packet filtering router D. Circuit-level gateway

Answer: A A screened subnet firewall would provide the best protection. The screening router can be a commercial router or a node with routing capabilities and the ability to allow or block traffic between nets or nodes based on addresses, ports, protocols, interfaces, etc. Application level gateways are mediators between two entities that want to communicate, also known as proxy gateways. The application level (proxy) works at the application level, not only at a packet level. The screening router controls at packet level (addresses, ports, etc.) but does not see the contents of the packet. A packet filtering router examines the header of every packet or data travelling between the Internet and the corporate network.

Q. 28. Applying a retention date on a file will ensure that: A. data cannot be read until the date is set. B. data will not be deleted before that date. C. backup copies are not retained after that date. D. datasets having the same name are differentiated.

Answer: B A retention date will ensure that a file cannot be overwritten before that date has passed. The retention date will not affect the ability to read the file. Backup copies would be expected to have a different retention date and therefore may well be retained after the file has been overwritten. The creation date, not the retention date, will differentiate files with the same name.

Q. 29. A digital signature contains a message digest to: A. show if the message has been altered after transmission. B. define the encryption algorithm. C. confirm the identity of the originator. D. enable message transmission in a digital format.

Answer: A The message digest is calculated and included in a digital signature to prove that the message has not been altered. It should be the same value as a recalculation performed upon receipt. It does not define the algorithm or enable the transmission in digital format and has no effect on the identity of the user, being there to ensure integrity rather than identity.

Q. 30. Which of the following would be the BEST method for ensuring that critical fields in a master record have been updated properly? A. Field checks B. Control totals C. Reasonableness checks D. A before-and-after maintenance report

Answer: D A before-and-after maintenance report is the best answer because a visual review would provide the most positive verification that updating was proper.


CISA Exam Best Recommended video lecture

CISA Exam video lectures are now available. With video lectures, students can learn anywhere from their devices: desktops, laptops, tablets or smartphones. Students can easily search through a lecture to find the sub-topic they need, without having to rewind and fast forward through the video. Students will understand the lecture better and can make sure that they have not misheard anything.


CISA Exam Study Plan | How to study CISA Exam

  • Remember that the CISA exam is an objective-type exam and, just like any exam, it is not necessarily a reflection of your talent, capabilities, competencies or skill-sets. Hence, if you have not been or are not successful, you should not take it personally. There are times when senior and experienced professionals have failed the CISA exam not once but two to three times. It does not mean that they were not capable. It only means that they need to learn the knack of passing the exam. It is important to analyse what could have gone wrong and learn from it. It is quite possible that your current experience itself is becoming baggage. Think from a new perspective, focus now only on questions and answers, and read the topics where you need to.
  • There are 200 questions to be answered in four hours. This works out to approx. 70 seconds per question. Some of the questions may be answerable within 30 seconds and some may take more time. Further, in some cases, if you get lost in too much thinking, you may lose track of time and may not have time to answer all the questions. Hence, it is essential to manage your time in slots of one hour, or blocks of 50 questions. Depending on your progress, you can increase or decrease the pace as required.
  • As part of your preparation, do discuss the questions and answers with an open mind. If you are an auditor, get the technology perspective, and if you are from IT, get the audit perspective. Remember that as an IS Auditor, you are expected to audit technology as deployed in the organisation.
CISA Study Plan

CISA Manual:

| Chapter | Sec 2 pages | Sec 1 pages | Total Pages | Required mins/page | Total Required mins | In Hours | Exam % |
|---|---|---|---|---|---|---|---|
| Chapter 1 | 39 | 8 | 47 | 10 | 470 | 7.83 | 14 |
| Chapter 2 | 51 | 11 | 62 | 10 | 620 | 10.33 | 14 |
| Chapter 3 | 84 | 10 | 94 | 10 | 940 | 15.67 | 19 |
| Chapter 4 | 58 | 8 | 66 | 10 | 660 | 11.00 | 23 |
| Chapter 5 | 70 | 11 | 81 | 10 | 810 | 13.50 | 30 |

If I spend 3 hours every day then in Days: 22.22

ISACA Standard:

| Pages | Required mins/Ques | Total Required Mins | In hours |

If I spend 3 hours every day then in Days: 9.17


The Benefits of being CISA Certified

In order to become CISA certified you need to successfully complete the CISA examination. Prior to this you will need to carry out the necessary training and have a minimum of five years’ experience in a relevant role. The training you undergo will usually involve practising auditing techniques, gathering and preserving evidence and improving your control and reporting techniques. Once you have passed the examination you will need to submit an application for CISA certification. In order to be CISA certified you must also adhere to the Code of Professional Ethics and the Continuing Professional Education Programme.

CISA training encourages you to practice, practice, and practice! Through the training you will become more comfortable with your role as an IS auditor. Training programmes also enable you to make mistakes that you can learn from, ensuring that you do not make them when you are actually on the job. Gaining the CISA certification will give you a confidence boost. You will have greater belief in your abilities and will therefore be able to carry out your job better.

Being CISA certified can put you at an advantage when it comes to competing for a job or promotion. Employers will look favourably on you as you have bothered to do the training and gain a certification relevant to your line of work. The certification will set you apart from other candidates who are not CISA certified. You may also be able to use your CISA certification to negotiate a better salary.



CAKART provides video classes from India’s top CISA faculty, as online classes, at very cost-effective rates. Get CISA video classes to prepare well for your exam.