1.1 Current CISA Exam Facts

Key Takeaways

  • CISA is administered by ISACA.
  • The exam has 150 multiple-choice questions.
  • The time limit is 4 hours.
  • The passing standard is 450/800 scaled score.

Last updated: May 2026

CISA preparation starts with the official facts: exam body, question count, time limit, scoring, eligibility, cost, and delivery model.

Official baseline

Use the current official materials before relying on secondary summaries. Primary source: the ISACA CISA Certification Page. Also compare the official content outline, candidate guide, and scheduling resources when policies affect eligibility, fees, timing, or retakes.

Study notes

The CISA exam is the credential exam for ISACA's Certified Information Systems Auditor (CISA) certification. Treat the official sponsor page as the source of truth for policies, fees, eligibility, and scheduling. For this guide, the main official source is the ISACA CISA Certification Page.

Fact            Current detail
Official body   ISACA
Questions       150 multiple-choice questions
Time limit      4 hours
Passing score   450/800 scaled score
Fee             $575 (ISACA member) / $760 (nonmember)
Delivery        PSI

The exam should be studied as an applied workflow exam. A candidate is expected to recognize a situation, choose the governing rule or process, and apply it to a realistic job task. Memorized definitions help, but the score usually comes from knowing what to do with the definition.

Use the practice questions as diagnostic data. If you miss several questions from the same domain, go back to the workflow and ask which cue you failed to notice: the document type, the patient right, the calculation, the compliance risk, the reimbursement step, or the leadership decision.

Exam-ready mental model

For this section, reduce the material to a repeatable model: cue, authority, action, evidence, and risk. The cue tells you why the question is being asked. The authority is the rule, policy, standard, configuration behavior, official guideline, or operational constraint. The action is what the professional should do next. The evidence is the data point, document, log, calculation, or system state that supports the answer. The risk is what goes wrong if you choose the shortcut.

When reviewing, force yourself to state that model out loud for missed questions. If you can only remember a definition but cannot connect it to an action, the material is not yet exam-ready. If you can name the action but not the authority, you may choose an answer that sounds operationally convenient but violates the official process. If you can name the rule but not the evidence, you may overapply it to the wrong scenario.

How this appears on the exam

The exam usually tests applied judgment. Read the stem for the role, the setting, the governing rule, and the immediate task. Then choose the answer that is most accurate, policy-aligned, and complete for that task. If an answer sounds familiar but ignores the specific cue in the stem, treat it as a distractor. If two answers seem possible, prefer the one that is more specific to the stated task and leaves the cleanest audit trail.

Error-log rule

After each missed question in this area, write one sentence that starts with "I missed this because". Good categories are misread cue, did not know rule, wrong sequence, calculation error, overgeneralized policy, or chose the faster but less defensible action. Add a second sentence that starts with "Next time I will look for". That second sentence turns the miss into a concrete cue you can recognize later.

Test Your Knowledge

Which of the following is the PRIMARY objective of an information systems audit?

A
B
C
D
Test Your Knowledge

An IS auditor discovers that an organization lacks a formal audit charter. What is the MOST significant risk associated with this finding?

A
B
C
D