I recently stumbled across an article discussing how to choose an outside IT auditor by Kevin Beaver that stated, “With a few exceptions, auditors aren’t highly technical”–and may not need to know the difference between firewalls and fire hydrants.
If you know me, you know the non-technicality of many IT auditors really bangs my keyboard (see the CISA posts listed below). An IT auditor who doesn’t have technical knowledge about IT is like a person who washes dishes without water.
Is it not obvious that an Information Technology auditor should understand technology? By the way, I bypass the term “IS auditor”, and use “IT auditor”. Auditors should not only audit systems, but also technology, as both can have vulnerabilities and inefficiencies. In addition, having a technical title can mean higher pay.
Also, the “CISA” really should be the “CITA”, not only for the Technology reason, but “sisa” (as CISA is pronounced) sounds kind of wussy. At least “sita” has a hard consonant in it, and we could rhyme it with “pita”. Sure sounds more palatable, but I digress.
Beaver says, “I know some great IT auditors who can’t explain the difference between a firewall and a fire hydrant.” I guess the biggest difference is that dogs cannot physically access firewalls because they are in secured data centers.
So maybe Beaver’s statement that it’s OK for IT auditors to be non-technical nerds (which was written in 2004) led to today’s predicament. And if outside or external IT auditors can be technically illiterate, so can internal IT auditors. Thinking that way makes sense of another of the article’s points: Don’t assume a brand name (Big 4) IT auditor is always better. I agree; they are just more snooty and expensive.
Then the Beav goes on to say: “The CISA is an internationally recognized certification, which compares to the CISSP certification for information security.” Yes, the CISA is as international as the CISSP, and these 2 are the de facto certs in the IT auditing and security fields. But the 2 certs are not comparable in content, coverage, nor respect–I have both of the certs, and because the CISSP is much more respected, it has made more difference in my career (opened more doors, but not specifically increased my salary).
To compare the two certs is to compare, as Mark Twain would say, the lightning bug and lightning. The CISA is nowhere near the CISSP in technical breadth. Maybe that’s why the CISSP consists of 5 letters and CISA has only 4. Heck, “Kissing for Dummies” is more technical than the CISA exam.
While Beaver and I agree that most IT auditors are not technical, unlike Beaver, I don’t think that’s OK; I think it’s a shame. I don’t understand why ISACA doesn’t beef up their exam requirements (it wouldn’t make as much money, since fewer could pass the exam?).
I guess IT isn’t complaining; more technical auditors would just mean more risk and control failures would be identified, which would result in more work for everybody. Hey, that might be a solution to the job shortage!
My Rants or Musings about Certs: