
CISA prep, IT auditor roadmap with ARIA

The ISACA Certified Information Systems Auditor (CISA) is 240 minutes, 150 questions, scaled 450 out of 800 to pass (roughly 75 percent), expert difficulty, with a five-year IS audit experience requirement that can be waived in part and an endorsement step after the exam. I prep you for it with a CAT evaluation across the five audit domains, a roadmap weighted toward Protection of Information Assets and IS Operations, an error backlog that tags audit reasoning traps, and a pass guarantee tied to five measurable conditions. Start your free CAT evaluation at claudelab.me/onboarding/select-cert?code=CISA.

TL;DR

  • 240 minutes, 150 questions, scaled 200-800 with 450 to pass (about 75 percent), expert difficulty.
  • Protection of Information Assets is 27 percent and IS Operations and Business Resilience is 23 percent. Half the exam lives in those two.
  • Five-year IS audit experience requirement is waivable in parts, and the exam itself can be sat before the experience is complete.
  • The auditor's perspective drives most of the exam. The right answer is usually the one that protects the auditor's objectivity and is evidence-driven, not the most technical one.
  • Endorsement is a separate ISACA step after passing. Plan for it; do not skip it.

What the CISA exam is

CISA is the current ISACA Certified Information Systems Auditor exam (as of 2026). It tests your ability to audit, control, and assure information systems across five domains. 150 multiple-choice items, 240 minutes, scaled passing score of 450 out of 800. No lab segment. ISACA revises the job practice and the domain weights periodically, so confirm the figures below against the exam content outline for the date you sit. ISACA positions CISA as the IT audit gold standard, and most large-organization IT audit job descriptions list it by name.

The blueprint splits across five domains:

Domain | Weight | What it covers
Information System Auditing Process | 21% | Audit planning, risk-based strategy, evidence, sampling, testing, reporting, audit standards, ethics.
Governance and Management of IT | 17% | COBIT, strategy alignment, IT policies, enterprise risk management, performance measurement, BCM governance.
IS Acquisition, Development, and Implementation | 12% | Project oversight, business case review, SDLC controls, testing, conversion, post-implementation review.
IS Operations and Business Resilience | 23% | Operations, incident and problem management, capacity, change and patch controls, BCP, DRP, RTO, RPO, backups.
Protection of Information Assets | 27% | Logical and physical access, IAM, network and endpoint security, encryption, data classification, privacy, incident response.

Protection at 27 and Operations and Business Resilience at 23 mean half the exam sits in two domains. The Auditing Process domain at 21 is the lens through which every other domain is answered, so its weight is effectively higher than the number suggests.

CISA is often confused with two other credentials. CISM is ISACA's information security management cert, oriented to security leadership, not audit. CISSP from ISC2 is the technical breadth security cert for architects and engineers. CISA is the audit specialist track, and the right CISA answer rarely matches the right CISSP answer because the questioner's perspective differs.

How ARIA preps you for it

ARIA owns your CISA prep end to end. Five pieces, weighted to where the exam scores you.

The CAT evaluation. Your first session is a 15-to-25-question adaptive test across the five CISA domains. Difficulty adjusts after every answer, stopping at 95 percent confidence or 25 questions. Read the full CAT explainer for the mechanics. If the eval flags weak audit fundamentals (sampling, evidence, risk components), I front-load the Auditing Process phase before the heavy domains.

The personalized roadmap weighted to Protection and Operations. Those two domains carry 50 percent of the exam, so your roadmap concentrates milestones there. A novice on Protection gets the heaviest phase. Acquisition and Development at 12 percent is the lightest, but it still gets its own phase because SDLC control questions show up reliably. Phases sequence worst to best. Full structure is in the roadmap overview.

The daily task engine with audit-perspective framing. Every time you reopen the app, I pick the next thing to work on, today. One task. Roadmap practice sessions advance milestones; free-play tasks improve readiness but never advance a milestone. Every roadmap item is framed as an auditor would meet it: a finding to evaluate, a control to test, a risk to rate, an evidence sample to judge.

The error backlog with audit-trap categorization. Every wrong answer is tagged with the trap pattern, not just the topic. Sub-patterns include "technical answer over auditor's answer", "audit risk component confusion", "control type misread", "sampling method mismatch", "evidence reliability hierarchy", "three lines of defense role swap", "framework confusion (COBIT vs NIST vs ISO 27001)", and "resilience metric confusion (RTO vs RPO vs MTD vs WRT)". A trap retires only after three correct answers in a row, spaced out.

The gauntlet and readiness gating. A single 0-to-100 readiness number. At 60 it unlocks the demo test. At 80 it unlocks the gauntlet, which on this cert is mandatory: the pass guarantee requires at least one gauntlet pass at 80 percent or higher before exam day. Four hours of dense audit-scenario reading is its own skill, and the gauntlet is the only honest way to confirm you can hold judgment through it.

Common pitfalls on CISA

Eight traps that quietly cost the most points. Each one has a structural answer, not a "study harder" answer.

1. Choosing the auditor's answer, not the engineer's answer

The most technically correct answer is rarely the right CISA answer. The right one preserves objectivity, relies on evidence, and follows audit standards. "What should the IS auditor do first" almost never wants remediation. It wants documentation, reporting, and a decision routed to management. Every miss where the technical answer beat the audit answer gets tagged so the same scenario comes back from the auditor's seat.

2. Audit risk components: inherent vs control vs detection

Inherent risk is the risk of a material misstatement or control failure before any controls are considered. Control risk is the risk that internal controls fail to prevent or detect it. Detection risk is the risk that the auditor's own procedures miss it, and it is the only one the auditor controls directly. The three multiply into audit risk, so for a fixed acceptable audit risk, a high inherent and control risk assessment forces detection risk down, which means more or stronger substantive testing. Stems turn on that distinction; every miss tags which component you confused.

3. Control types: preventive vs detective vs corrective, manual vs automated, key vs compensating

Preventive stops an event, detective finds it, corrective restores state. A key control is one the audit relies on; a compensating control offsets a missing one. Stems mix axes (purpose, mode, role), and the wrong answer often picks the right type on the wrong axis.

4. Sampling techniques: statistical vs judgmental

Statistical sampling selects randomly and projects the result to the population at a stated confidence level; judgmental (non-statistical) sampling relies on the auditor's selection and supports no such projection. Attribute sampling estimates a rate, typically how often a control was not followed, and belongs to compliance testing; variable sampling estimates a monetary value and belongs to substantive testing. Scenarios about estimating an error rate across all transactions want statistical attribute sampling. Picking judgmental for a population estimate is the common error.
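Here is what the statistical side of that distinction looks like when an auditor actually plans and evaluates an attribute sample. This is an added example, not code from the original page or from any ISACA material. It uses the exact binomial model that underlies the standard attribute-sampling tables, so the sample sizes it returns match the familiar table values (59 items for 0 expected deviations and 93 for 1 percent expected, both at 95 percent confidence and a 5 percent tolerable deviation rate). The change-ticket scenario, the rates and the sample results are constructed.

```python
"""Statistical attribute sampling for a compliance test of a control.

Added example for the sampling trap above; it is not code from the original page
or from any ISACA material. It uses the exact binomial model that underlies the
standard attribute-sampling tables. The change-ticket scenario and the sample
results are constructed.
"""
from math import ceil, comb


def binom_cdf(k: int, n: int, p: float) -> float:
    """P(X <= k) for X ~ Binomial(n, p): chance of seeing at most k deviations
    in n items when the true population deviation rate is p."""
    return sum(comb(n, i) * p ** i * (1 - p) ** (n - i) for i in range(k + 1))


def attribute_sample_size(confidence: float, tolerable_rate: float,
                          expected_rate: float, max_n: int = 5000) -> tuple[int, int]:
    """Smallest sample size n such that, if the sample shows no more than the
    expected number of deviations, the true rate is below the tolerable rate
    at the requested confidence. Returns (n, allowable deviations in sample)."""
    if expected_rate >= tolerable_rate:
        raise ValueError("expected deviation rate must be below the tolerable rate")
    alpha = 1.0 - confidence
    for n in range(1, max_n + 1):
        k = ceil(expected_rate * n)          # deviations the plan expects to see
        if binom_cdf(k, n, tolerable_rate) <= alpha:
            return n, k
    raise ValueError("no sample size up to max_n achieves the plan")


def upper_deviation_limit(n: int, deviations: int, confidence: float) -> float:
    """Computed upper deviation rate: the highest population rate still
    consistent with seeing at most `deviations` in n items at the given
    confidence (one-sided exact binomial bound, found by bisection)."""
    alpha = 1.0 - confidence
    lo, hi = 0.0, 1.0
    for _ in range(60):
        mid = (lo + hi) / 2
        if binom_cdf(deviations, n, mid) > alpha:
            lo = mid                         # rate still plausible, push higher
        else:
            hi = mid                         # rate ruled out at this confidence
    return hi


def evaluate_control(n: int, deviations: int, tolerable_rate: float,
                     confidence: float) -> dict:
    """Project the sample result to the population and conclude. This is the
    step judgmental sampling cannot do: without a statistical selection there
    is no defensible confidence level behind the projected rate."""
    udl = upper_deviation_limit(n, deviations, confidence)
    return {
        "sample_size": n,
        "deviations": deviations,
        "sample_deviation_rate": deviations / n,
        "upper_deviation_limit": udl,
        "tolerable_rate": tolerable_rate,
        "conclusion": ("rely on control" if udl <= tolerable_rate
                       else "do not rely on control; extend testing or assess compensating controls"),
    }


if __name__ == "__main__":
    # Constructed scenario: test that change tickets carried an approval before
    # deployment. 95 percent confidence, 5 percent tolerable, 1 percent expected.
    n, allowed = attribute_sample_size(0.95, 0.05, 0.01)
    print(f"sample {n} tickets; plan tolerates {allowed} deviation(s)")   # 93, 1
    for found in (1, 2):
        result = evaluate_control(n, found, 0.05, 0.95)
        print(f"{found} deviation(s): upper limit {result['upper_deviation_limit']:.3%}"
              f" -> {result['conclusion']}")
```

The point the exam is testing sits in `evaluate_control`: one deviation in 93 items keeps the computed upper limit at or under the 5 percent tolerable rate, so the auditor can rely on the control; a second deviation pushes the upper limit well past 5 percent even though the sample rate is only about 2 percent. A judgmental sample of the same 93 tickets would give the auditor the 2 percent but no confidence-backed upper limit to compare against the tolerable rate.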

5. Evidence types and reliability hierarchy

Independent third-party evidence outranks auditee evidence. Auditor-generated (observation, recomputation) outranks auditee-generated. Original beats copy, written beats oral. Stems ask which piece to weight more heavily, and the wrong answer often picks the most convenient.

6. Three lines of defense model

Line one is operational management owning controls. Line two is risk and compliance setting standards. Line three is internal audit providing independent assurance. Functions doing work that belongs to another line compromise independence, and mixing line two with line three is the most common error.

7. Control framework familiarity: COBIT, NIST, ISO 27001

COBIT is ISACA's governance and management framework for enterprise IT. NIST CSF 2.0 has six functions: Govern, Identify, Protect, Detect, Respond, Recover (the earlier 1.1 version had five, without Govern, and older study material still lists five). ISO 27001 is the international standard for information security management systems; ISO 27002 carries the control guidance it references. Stems reference a domain or function and ask which framework owns it.

8. Business resilience metrics: RTO vs RPO vs MTD vs WRT

RTO is how long until the service is back after a disruption. RPO is how much data loss is acceptable, measured backward from the point of failure to the last recoverable copy. WRT is the time after technical recovery before the business is fully operational (verifying data, reprocessing transactions, reconnecting users). MTD is the upper bound the business can survive, and it equals RTO plus WRT; a plan whose RTO and WRT sum to more than its MTD is internally inconsistent. Stems often want RPO or MTD where RTO is the obvious pick.
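The way an auditor would actually test those four metrics against evidence, as an added example that is not code from the original page: the DR plan figures, the backup completion log and the DR test timings below are all constructed. The check applies the three relationships the paragraph states, namely that MTD must cover RTO plus WRT, that the RPO a backup regime really supports is the widest gap between successful backups (including the gap from the last good backup to the point of failure, and ignoring failed runs), and that a DR test meets its RTO only if the measured restore time is within it.

```python
"""Auditor's consistency check on business-resilience metrics.

Added example for the RTO/RPO/MTD/WRT trap above; it is not code from the
original page. The DR plan figures, the backup completion log and the DR test
timings are all constructed for illustration.
"""
from datetime import datetime

# Constructed DR plan commitments, all in minutes.
DR_PLAN = {
    "payroll-db": {"rto": 240, "rpo": 60, "wrt": 120, "mtd": 360},  # RTO + WRT == MTD
    "web-portal": {"rto": 120, "rpo": 15, "wrt": 60, "mtd": 150},   # RTO + WRT > MTD
}

# Constructed backup completion log: "<ISO timestamp> <system> <status>".
BACKUP_LOG = """\
2026-03-01T00:00:00 payroll-db OK
2026-03-01T01:00:00 payroll-db OK
2026-03-01T02:00:00 payroll-db FAILED
2026-03-01T03:00:00 payroll-db OK
2026-03-01T00:00:00 web-portal OK
2026-03-01T00:15:00 web-portal OK
2026-03-01T00:30:00 web-portal OK
2026-03-01T00:45:00 web-portal OK
"""

# Constructed DR test record: minutes from disaster declaration to service restored.
DR_TEST_MINUTES = {"payroll-db": 210, "web-portal": 135}

# Constructed point of failure, used to measure exposure since the last good backup.
FAILURE_TIME = datetime(2026, 3, 1, 3, 30)


def parse_backup_log(text: str) -> dict[str, list[tuple[datetime, bool]]]:
    """Group log lines by system as (timestamp, succeeded) pairs."""
    runs: dict[str, list[tuple[datetime, bool]]] = {}
    for line in text.splitlines():
        ts, system, status = line.split()
        runs.setdefault(system, []).append((datetime.fromisoformat(ts), status == "OK"))
    return runs


def achieved_rpo_minutes(runs, failure_time):
    """Worst-case data loss the evidence supports: the largest interval between
    successful backups, counting the interval from the last success to the
    failure. Failed runs do not count; only a good copy limits loss."""
    good = sorted(ts for ts, ok in runs if ok)
    if not good:
        return None
    points = good + [failure_time]
    widest = max(b - a for a, b in zip(points, points[1:]))
    return widest.total_seconds() / 60


def audit_resilience(plan, backup_log, dr_tests, failure_time):
    """Return one finding string per metric the evidence fails to support."""
    findings = []
    runs = parse_backup_log(backup_log)
    for system, m in plan.items():
        if m["rto"] + m["wrt"] > m["mtd"]:
            findings.append(f"{system}: RTO {m['rto']} + WRT {m['wrt']} = {m['rto'] + m['wrt']} min "
                            f"exceeds MTD {m['mtd']} min; the plan is internally inconsistent")
        achieved = achieved_rpo_minutes(runs.get(system, []), failure_time)
        if achieved is None:
            findings.append(f"{system}: no successful backup in the evidence, RPO unsupported")
        elif achieved > m["rpo"]:
            findings.append(f"{system}: backup evidence supports an RPO of {achieved:.0f} min, "
                            f"plan commits to {m['rpo']} min")
        measured = dr_tests.get(system)
        if measured is None:
            findings.append(f"{system}: no DR test evidence for the RTO")
        elif measured > m["rto"]:
            findings.append(f"{system}: DR test restored service in {measured} min, RTO is {m['rto']} min")
    return findings


def run_audit():
    """Run the check over the constructed evidence and return the findings."""
    return audit_resilience(DR_PLAN, BACKUP_LOG, DR_TEST_MINUTES, FAILURE_TIME)


if __name__ == "__main__":
    for finding in run_audit():
        print(finding)
```

On the constructed evidence, payroll-db produces a single finding: the failed 02:00 run widens the gap between good copies to 120 minutes against a 60-minute RPO, even though every hourly job was scheduled. web-portal produces three: its RTO and WRT sum to more than its MTD, its backups stopped at 00:45 so the exposure at the 03:30 failure is 165 minutes against a 15-minute RPO, and the DR test overran the RTO. The exam pattern is the same one the code encodes: the scheduled backup interval is not the RPO, and the RTO is not the MTD.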

Common questions

How does the 200-800 scoring scale on CISA actually work?

ISACA reports a scaled score from 200 to 800. The pass mark is 450. That is commonly quoted as roughly 75 percent of items correct, but the raw-to-scaled mapping is not linear and ISACA does not publish the conversion, so the percentage is an estimate, not a rule. Treat 75 percent as the working floor in mock exams, not 70.

Can I sit CISA without the five years of experience?

Yes. ISACA lets you sit and pass the exam first, then apply for certification within five years of passing; after that the pass expires and you must retest. The experience must be in IS audit, control, assurance or security and must have been gained within the ten years before the application or within five years of passing. Waivers substitute for at most three of the five years: a two-year or four-year degree credits one or two years respectively, a master's degree in information security or information technology from an accredited university credits one year, one year of general IS experience or non-IS audit experience credits one year, and two years as a full-time university instructor in a related field credit one year.

How is CISA different from the IIA Certified Internal Auditor (CIA)?

CISA is the IT audit specialist track, owned by ISACA. CIA is general internal audit, broader and less technical, owned by the IIA. CISA goes deep on systems, controls frameworks, IS operations, and information security. CIA goes deep on governance, risk, ICFR, and audit methodology in general. If your job involves auditing systems, CISA is the one employers ask for by name.

How long should I plan for CISA prep at 30 or 45 minutes a day?

At 30 minutes a day, plan for 14 to 20 weeks with prior IS audit exposure, longer if the CAT eval lands you novice on multiple domains. At 45 minutes a day, 10 to 14 weeks is typical. CISA is expert difficulty by ISACA's own positioning, and the auditor's-perspective answer pattern takes time to internalize even for experienced practitioners.

What does the ISACA endorsement step involve after passing?

Passing is necessary but not sufficient. To become certified, you submit an application to ISACA within five years of passing, documenting the experience and any waivers you claim, and have the work experience verified by someone in a position to confirm it, normally your immediate supervisor or a person of higher rank at that employer. You also agree to the ISACA Code of Professional Ethics and the continuing professional education policy and pay the application fee. ISACA reviews the application, can request more evidence, and then awards the credential. The step usually takes a few weeks.

Start your CISA prep

The cheapest signal is the 15-minute CAT evaluation. It tells you which of the five CISA domains you actually own, which one will cost you the exam if you sit it tomorrow, and whether your audit fundamentals are strong enough to start at the heavy domains.

Start your free CISA evaluation at claudelab.me/onboarding/select-cert?code=CISA.

Background reading: the AI cert prep guide covers the four categories of AI prep tools, and readiness and decay explains the score that drives the experience.