The Certified Information Systems Auditor (CISA) is a certification and globally recognized standard for appraising an IT auditor's knowledge, expertise and skill in assessing vulnerabilities and instituting IT controls in an enterprise environment. This certification is issued by ISACA to people in charge of ensuring that an organization's IT and business systems are monitored, managed and protected. It is presented after completion of a comprehensive testing and application process. It is designed for IT auditors, audit managers, consultants and security professionals.
Attaining CISA certification is considered beneficial since it is accepted by employers worldwide and is often requested for IT audit and security information management (SIM) positions. The certification provides the holder with greater visibility throughout the job application process since most recruiters prefer and keep an eye out for IT auditors with a CISA certification.
Responsibilities of a Certified Information Systems Auditor
The primary duties of a CISA include:
- Implementing an audit strategy for information systems (IS) that is based on risk management.
- Planning audits that can be used to determine whether or not IT assets are protected, managed and valuable.
- Executing the audits in compliance with the organization's set standards and objectives.
- Sharing audit results and providing recommendations to management based on the results.
- Performing reexaminations of the audits to ensure the recommended actions have been performed by management.
However, a CISA's responsibilities often extend beyond the audit itself. They are expected to work with management to confirm that the organization's processes, its implementation plans and the operation of the deployed system support the organization's objectives and strategies. At first, this includes evaluating:
- risk management practices;
- IT portfolio and resource management;
- strategies for business-IT alignment;
- business continuity and disaster recovery strategies;
- IT policies, standards, processes and procedures within the organization;
- the value of the IT control framework; and
- the management and monitoring of IT personnel, the IT organizational structure and controls.
Then, while the IS is prepared for implementation, the CISA must continue to monitor various areas to ensure successful deployment of the system. This includes conducting project and post-implementation reviews. Other responsibilities include evaluating:
- the business case for the proposed system;
- controls for the IS;
- IT supplier selection and contract management processes;
- the project management framework and controls; and
- the preparedness of the IS.
Once the system is implemented, the CISA is responsible for evaluating:
- the IT service management practices and structure;
- end user computing;
- change and release management operations;
- IT continuity and resilience;
- database management system execution;
- IT operations and maintenance;
- reviews already conducted of the IS;
- complications and incident management practices; and
- data quality and life cycle management.
Finally, a CISA is responsible for working with management to ensure that the organization's security standards, policies, procedures and controls safeguard the integrity, confidentiality and availability of information assets.
How to become a Certified Information Systems Auditor
In order to become CISA certified, applicants must complete the following five steps:
- Successfully complete and pass the CISA exam.
- Apply for CISA certification.
- Adhere to ISACA's Code of Professional Ethics.
- Follow ISACA's Continuing Professional Education Program.
- Comply with ISACA's Information Systems Auditing Standards.
The CISA exam is open to any individual who expresses an interest in IS auditing, control and security. It is four hours long and consists of 150 multiple choice questions set around five job practice domains:
- The process of auditing information systems.
- Governance and management of IT.
- Information systems acquisition, development and implementation.
- IS operations, maintenance and service management.
- Protection of information assets.
A score of 450 or higher (scored on a scale of 200 to 800) is required to pass the exam. It is administered in June, September and December in testing locations worldwide. The exam is offered in English, Chinese Mandarin Simplified, French, Japanese, Korean and Spanish.
Individuals looking to prepare for the exam can take advantage of preparation materials that are available through ISACA; many ISACA chapters also host CISA exam review courses. It is recommended that people preparing for the exam take as many practice tests as possible in addition to studying the ISACA Review Manual and learning to think like an accountant.
Adopting an accountant's mindset is beneficial because most of the people who write the CISA exam either work as accountants or in the financial services industry. Therefore, by thinking like an accountant, a test taker can gain a greater understanding of the questions and answers and the way they were written.
If a CISA candidate passes the exam, then they will be sent all the information they need about how to apply for the CISA certificate. However, they must first ensure they have met all of the work experience requirements.
ISACA asks that all CISA applicants complete five years of professional IS auditing, control, assurance or security work, but substitutions and waivers can be obtained. For example, one year of IS experience or one year of non-IS auditing can be substituted for one year of experience. Also, 60 to 120 university semester credit hours -- a two-year to four-year degree -- can replace one or two years of experience, respectively. A third example: two years as a full-time instructor in a related field at a university can replace one year of experience.
It is important to note that the work experience must be within the 10 years prior to a candidate's application submission or within five years of a passed CISA exam. The candidate must also show adherence to ISACA's Code of Professional Ethics and Information Systems Auditing Standards. Once these criteria are met, the candidate can successfully apply for certification.
CISA applicants and certification holders must also abide by ISACA's Continuing Professional Education (CPE) program. This training is to ensure that CISAs stay up to date and proficient in their fields.
The goals of the CPE program include:
- Monitoring IS audit, control and security professionals' maintenance of knowledge and capabilities.
- Distinguishing qualified CISAs from those who have not met the requirements and cannot continue their certification.
- Assisting top management in building sound IS audit, control and security functions by providing suggestions and criteria for personnel selection, training and development.
- Preserving an individual's CISA capabilities by updating existing knowledge and skills within IS auditing, control and security.
Furthermore, ISACA requires maintenance fees and a minimum of 20 CPE hours annually, plus an additional 120 contact hours during a fixed three-year period.
Benefits of a CISA certification
The CISA certification is recognized worldwide as the sign of an individual's excellence within information system auditing. Benefits of a CISA certification include:
- A competitive advantage in the job market and with job growth.
- Increased value of the individual within the organization.
- Increased credibility in the workplace. This is due to the combination of the achievement of passing the exam and the recognition of work and educational experience.
- Assistance meeting high professional standards with ISACA's requirements and Continuing Professional Education program.
- Confirmation of an individual's knowledge, experience and expertise in the field, and demonstration of their ability to successfully meet challenges that may arise.
CISA certification can also impact an individual's salary. Professionals with CISA certification often make between $52,459 and $122,326 per year. Internal audit directors are one of the highest paid positions with a CISA certificate. This position can make around $136,082 per year.