CISA vs. CIA Certification

If you’re an IT auditor (or want to be one) and don’t have any audit certifications, which certification should you get, the CISA or the CIA? If you want to get both, which one do you get first?

Full disclosure: I have the CISA, but not the CIA. Back when the CIA was 4 exams, I studied for all the CIA exams except the financial exam, but ended up not taking any of the exams. I also have the CISSP.


The CISA is the gold standard for IT auditors and requires that you know the basics of auditing and a little about IT. Most IT auditors get it or wish they had it; some non-IT auditors get it to round themselves out and/or use it to get into IT auditing.

At the time of this post, the CISA consists of 1 exam and costs around $415, which includes a 1-year membership to ISACA. Keep in mind that you also have to add the cost of training (books, prep courses, exam questions) to all the exams mentioned in this post.

I’ve written about certification quite a bit, so don’t miss the links at the end of this post!

If you have the proper background and experience, you can study for and obtain the certification in about 6 months to a year, which is a good return on your investment.

I have written more about the CISA in Where is the IS in CISA? and More on the CisA Exam. Although I’m not real impressed with the content of this exam, I still think you should get it. More on that later.

CIA Exam

The CIA is a broader certification, and in 2013 changed from 4 exams to 3. This certification covers auditing and IT at a deeper level (like the CISA, it’s much more about auditing than IT). Each exam costs about $150. You must pass all 3 exams within 4 years of passing the first exam. You can study and pass all 3 exams reasonably in about 1-2 years.

The CIA, due to its broader nature and 3 exams, is more respected than the CISA. It’s also a harder set of exams.

The big thing to keep in mind is that, in general, IT auditors are paid more than non-IT auditors.

IIA Survey: CIA vs. CISA Salary (2012)

See below for 2015 info. I left this 2012 data here for comparison and to show some history. — Mack

In 2012, the IIA did a survey that showed auditors holding the CISA certification are paid more than those holding the CIA (see below), about $6,000 (median). That’s not bad, considering the CISA requires 2 fewer exams and a lot less time than the CIA. The graphic is on page 39 here.

What’s the reason for the difference? First, the more technical a job, the higher the pay usually is. Second, IT auditors are generally paid more than other auditors, and they are more likely to hold the CISA.

IIA: CISA Higher Salary than CIA

–Start of 9/25/15 Update

Robert Half Survey: IT Auditor vs Internal Auditor Salary (2015)

Note: These salaries are for USA only. Sorry!

While the graphs above contrast those with CISA vs. CIA, the following graphs show the salary differences between IT auditors and internal auditors. Since IT auditors usually get the CISA and internal auditors usually get the CIA, I think they both say the same thing: IT auditors are paid more than non-IT auditors, as a general rule.

The graphs below are from the annual Robert Half (RH) salary guide, which you can read free at (it looks like they updated this every year with the most current info). The salary calculator, which is available for US zip codes only, is also on that web page, below the salary guide link.

These graphs are for a large city, Minneapolis, MN (USA). Note the differences in IT auditor (green box) and internal auditor (black box) with 1-3 years experience for a company size of 250+M.

Auditor Pay 1-3 years

If you change only the job level to ‘senior’ (4+ years), the salaries are as follows.

Auditor Pay 4+years

Again, you can run the salary calculator from the web page noted above. You can view more than just auditor salaries (accounting and many more) and can choose zip code, job level, and company size.

According to the survey, the salary figures are based on thousands of full-time, temporary and project placements RH makes each year, surveys of U.S. chief financial officers (CFOs) and hiring managers, and other analysis performed by RH.

Also, the projected salaries for each position reflect starting pay only. Bonuses, incentives and other forms of compensation are not taken into account.

–End of 9/25/15 Update

So, if you want to get into IT auditing or you want to advance your IT auditing career, get the CISA. It’s faster, cheaper, and results in better pay. And you’ll learn enough about auditing to get you going.

If you’re an IT auditor and you want to get both certs, get the CISA first for the same reasons. The CIA certainly won’t hurt you.

You could get just the CIA and skip the CISA altogether, but I wouldn’t recommend it. Once you have the CIA, the CISA isn’t that much more work. It’s a chip shot. And it makes the CIA look better, in other words, “now you’re a REAL IT auditor.”

In addition, the PERCEPTION of the CISA is that it is more IT focused than the CIA, and a better cert for IT auditors. Based on my passing the CISA, my studying for the CIA, and talking to IT auditors who have the CIA, that’s just not true. But it’s the perception, and careers are often affected more by perceptions than facts, unfortunately.

Some believe that after the CISA, the CIA is a waste of time for IT auditors. I disagree. The CISA says you can do IT audit; the CIA says you’re broader than just IT audit. It’s your call.

Best Certs for an IT Auditor

If you want to be a great IT auditor, I’d suggest you get the CISA and the CISSP (more comments on the CIA later).

First, as noted above, the CISA will ensure you understand the basics of auditing, which is more important than understanding IT (what? Hold onto that for a minute).

The CISSP will ensure you understand the basics of IT and security and costs about $450. Trust me, you won’t pass the CISSP with minimal IT knowledge. It will also provide a background in security, which is the biggest area, in my opinion, that most IT auditors don’t understand (the next biggest area is IT).

IT auditing is more than the right access, configuration, patches, and backups. It’s about understanding technology and IT operations and how they intersect with risk. That’s what the CISSP is about, much more so than the CISA.

A good IT auditor understands the basics of security, what technology can and can’t provide, and how easily things can go wrong. A security certification like the CISSP leads auditors to look into areas where other IT auditors don’t go or even know exist.

It’s the difference between watching a contact sport like football and getting tackled by a real 275-pound lineman. Your perception of the risk and the pain is totally different (by pain, I mean the injury that could be caused, not only by the audit finding, but also by the control that could mitigate the risk).

The CISSP is also more applicable to other jobs than the CISA or the CIA. I’ve noted elsewhere on this blog that I was hired in 3 different companies to do audit based on the CISSP alone (at that time, I didn’t have the CISA).

Also, notice that when the IIA’s The Path to IT Audit article asks “What certification do IT auditors need?”, the CIA is NOT mentioned by the very organization that sponsors it! But the CISA, CISSP, CISM, and MCSE are highlighted (while the MCSE would help, I think it’s overkill and too much work for what it will provide; besides, that exam expires eventually, which was why I never obtained it when I was in IT).

Finally, few auditors have the CISSP. It makes you stand out, and it says you’re much more technical than most auditors. As a result, you’ll get more challenging audits, while your buddies will get stuck with the fluff audits that even a non-IT auditor could do.

IT Auditor Trifecta

I think the IT auditor trifecta would be to add the CIA to the CISA and CISSP (I’m toying with that still, but I’m not sure I want to stay in audit). Like security, the financial side of audit is a different world. Understanding the basics of accounting, which the CIA provides, will only make the IT auditor more relevant to the business.

Learn Audit or IT First?

In the end, it’s more important for IT auditors to understand how to audit than the intricacies of IT. Although I’ve ranted about how little technology many IT auditors understand, if you understand the principles and practice of auditing (risk assessment, interviewing, the differing qualities of evidence, sampling, etc.), you will still be able to identify the basic IT risks. That’s why so many IT auditors that don’t understand IT are gainfully employed.

In contrast, if you understand IT well, but don’t know how to audit, you’ll miss basic risks, and you won’t have a framework to investigate, evaluate, rank, document, and articulate what you find.

In other words, your audits won’t meet IIA standards or be very helpful to your clients. And I’ve seen great, Big 4 techies who could not write an audit workpaper to save their life or their client, but my company paid them $150/hour.

If you need to learn both audit and IT, focus on audit first, and learn the IT as you mature as an auditor. But make sure you eventually get the IT side. To do that, you need to do more than audit IT; you need to read IT publications and play with the technology when you can at work, and outside of work. GO BACK AND READ THAT LAST SENTENCE AGAIN!

To learn IT audit, see Audit and IT Audit for Dummies and What IT Auditors Ought to Know – and Don’t!.

If you’re new to IT auditing or want to become an IT auditor, check out my multi-threaded post, New IT Auditors Should Start Here.

Your turn

What’s your experience with certification? Was the effort worth it? Did a cert really make the difference in getting in the door or a higher salary? Leave a comment.

Related posts:

How to Pass Certification Exams

Top 10 Pay-Boosting Tech Certifications

Top 7 Reasons for Security Certification

What IT Auditors Ought to Know – and Don’t!

Audit and IT Audit for Dummies

IIA Basics for Auditors

** FREE CISA Study Guide **

Where is the IS in CISA?

More on the CisA Exam

Security Certs for Commoners? Nope (how uncommon is the CISSP!)

Fun CPEs for CISSPs




176 responses to “CISA vs. CIA Certification”

  1. blair151

    Very interesting post! It’s nice to see insights into the relative merits of the certifications. I’ve been in IT Audit about 7 years, after spending 15-ish years in IT (mostly management) and Engineering before that. We have a pretty small IA department (10 people), with the IT Audit portion being just me (manager/auditor) and one auditor reporting to me. I got my CISA about 6 years ago and agree with you that it was pretty light on the IT side, but I think there was enough of that to earn the “Information Systems” in its name. I’ve since also obtained a Master’s degree in Information & Communications Technology, with an emphasis in InfoSec. (I was a bit disappointed in my degree curriculum, which I thought didn’t go into InfoSec in enough depth, but that’s a whole different discussion. :-)

    I’ve been toying with the idea of pursuing a CIA, but had decided to put it off for a year, to allow them to get the bugs worked out of their new format. One of my better Master’s classes used Shon Harris’s great CISSP sourcebook as a text, and that piqued my interest in the CISSP certification. I would like to learn more about the financial audit side of the business (CIA), but my IT/InfoSec skills could use some updating, too (CISSP), so I’m torn. So, it was good to hear your thoughts on both those certs.

    To answer your question: From the career perspective, since I obtained the CISA after I was hired for the audit job, it certainly didn’t influence my hire. However, I would say that I think it (and the Master’s) has added to my status/credibility in the eyes of my boss, peers, and auditees. That’s not terribly quantitative, but it can’t hurt.

    Based on your post, I feel better about postponing the CIA, and I may very well pursue the CISSP instead. Thanks again for your great article.


    • Hi blair151,
      Thanks for your comments. Based on what you wrote, I agree that pursuing the CISSP might be better to do first, and would be more applicable for now.

      However, if you want to branch out of IT, the CIA would certainly help. I like your idea of getting both.


  2. Nick

    Hi Mack. First of all, I’d like to say that I really like your blog, even though I have just discovered it recently. Secondly, I would like to ask you for some advice. I have just graduated from UofT in an Accounting program. I have shown an interest in IT auditing, and audit in general. As a result, I am about to order the CISA resources from ISACA and prepare for the exam in September. Would you think this is a good move for a new grad without any IT or audit experience? Most IT Audit jobs require you to have at least 2 years of experience, so where should I be looking for employment now while I study for the CISA and after I pass the exam? Thanks again, and I look forward to your response!


  3. Nick,
    Thanks for the kudos.

    Do you have some knowledge of IT basics (see What IT Auditors Ought to Know – And Don’t!)? However, most IT auditors I met don’t know this stuff (and still get the job knowing only bits and pieces), but you should know some IT. If you don’t know IT basics, it will likely be hard to get into IT auditing.

    Assuming you have some IT background, yes, go for the CISA. Even if you don’t have any IT background, you’ll learn some of it while studying for the cert (see my posts re: the CISA exam). Either way, it won’t hurt you, and you can train more on IT as you do the CPEs after you get the cert.

    If you don’t know IT basics, I suggest you get a job in operational/financial auditing and read all the IT auditing workpapers that the other auditors are doing. Make it known you want to do IT auditing too. After a while, try to team up and help on an IT audit, make as many friends in IT as you can, and make the leap to IT auditing when the opportunity arises.

    I hope this helps. We can keep the conversation going, too. Best wishes, Mack.


    • Nick

      Hey Mack.

      Thanks for the advice. From the article you linked I would say I know about half the things just from being a techie. I don’t have an IT background or any formal IT education. All I have is my Bachelor’s from an accounting program and some work experience with minor IT components and minor accounting components. No real relevant experience.

      I can probably learn all the material for the CISA and then some by myself but I have a hard time believing that it’ll be enough to land an IT Audit job, esp with my background. I have already ordered the resources and I cannot change that, but my first priority now is to find an entry-level financial accounting/audit job while I do the CMA designation program (I am Canadian and that is the Certified Management Accountant). Once I have the designation and audit experience I will try to move into the field of IT Audit.

      My second priority is to apply for IT Audit jobs (unlikely) and entry-level IT support jobs (more likely), and if I land one I will take the CISA exam in September whilst working the IT job, instead of doing the CMA program.

      Please tell me how this plan of action sounds to you.



      • Nick,
        It sounds good. With your accounting background and some IT background, you might be able to find a business that needs an entry-level person to cover both areas. Remember, some IT auditors get hired with little IT experience. I’ve worked with a couple.

        As you interview, mention your plan. That you’re seeking the CISA already, that will be a plus, as well as the CMA. Also, if you have any time left over :) see if you can volunteer somewhere doing IT stuff (church, civic organization, and non-profits are always looking for volunteers, which will help your resume). Remember, as I’ve noted in my CISA posts, the CISA is mostly about audit, not IT, so study accordingly.

        Also, once you join ISACA, you’ll have access to a lot of other material that will help you. For starters, see my post Audit and IT Audit for Dummies (especially the last 2 links).

        I’d also join IIA and take advantage of their materials after you land your first job as auditor.

        Stop back when you pass your CISA and tell us about it, and let us know as you progress through your plan. Everyone loves a success story. I have no doubt you will succeed.


  4. Hi,
    I have been into s/w development from last 8.5yrs and have some experience in deployment, Disaster Recovery. The field of IT Audit has put interests in me and so was thinking to get one of the certifications to start into a new career altogether. First please let me know if it is advisable for me to get into a new career or not. Secondly, if I go then which certification should I first try for, is it CISA, CIA or CISSP or some other.

    Please advise.



    • S,
      You won’t make as much money in IT audit, so make sure you understand your motives for a change. I always recommend experience over certification for new people, but getting the certification won’t hurt, as you will learn a lot.

      The problem is that some experience in some areas are required before you can receive any of these 3 certs. Some of your development experience may cover some of the areas. Check that out first before you do anything–you can discuss your experience with these organizations to get an idea of what they will accept and what you still need to qualify for the cert.

      I would recommend in your circumstance starting with the CISA. It’s easier and cheaper and will give you an idea of what you’re getting into. If you change plans after the CISA, you haven’t invested a ton of time.

      If you want to get another cert, then I’d go with the CISSP. That cert will help you in audit or if you stay in development. That cert is also 1 exam, where the CIA is 3, which requires more money, time, and commitment to pass.

      Let me know if you have any other comments or questions. I’d like to know what you decide to do. Go for it


      • Thanks for your suggestion.
        Regarding the earning as you mentioned I presume that it will be applicable in the initial part of my career though it should not matter as I gain experience in this field. But the major question remains: do companies prefer people with this type of profile where they move from one type of dome to auditing and will my current experience be taken into account when getting into auditing?
        I will definitely keep you posted as I proceed



        • s,
          Yes, I think your experience in software, deployment, and DR could help you. Most auditors won’t have experience in these areas. But it will be up to you to sell those skills to your employers. I would describe how these skills could benefit an employer in your cover letter that is sent with your resume, and also in the interview.

          I would specifically target companies that really care about these areas, such as banks, insurance companies, and health care companies, as they cannot afford to have issues in these areas where your skills are. They are also heavily regulated and need skilled auditors. I’d stay away from manufacturing for the opposite reasons.

          If you’re not sure how to sell these skills, talk to some auditors and ask them for their help. They can help you understand how they audit these areas and give you ideas, and perhaps, even some people to contact. If you don’t know any auditors, call the IIA or ISACA and ask for their help in finding some auditors to talk to.

          One selling point you can use is that the folks you audit won’t be able to tell you misleading information because you know those areas and will be able to see through it. And you will know the important questions to ask and the areas to look deeper into, as you’ve been there and know the tasks that are often done poorly or not done at all.


  5. Am I wasting my time and money should I take a CompTIA A+ certification before diving into CISA? I have been a financial auditor for at least a decade now and I still have not outgrown my fascination for computers and technology. Just wondering.


    • p,
      I would not bother with the CompTIA A+ certification. As I understand it, it deals more with hardware and installing and configuring computers. That will not help you much with IT audit. Read my post What IT Auditors Ought to Know and Don’t to get an idea of the things you need to learn.

      Purchase a CISA book and read through it and it will give you an idea of what the CISA is all about. Then you can decide whether you want to go for the cert and be an IT auditor.

      You should NOT have too much trouble with the CISA as it is more audit than IT.


  6. Frank

    Thanks for the lovely post. I have been in Application support for a year 3 months now, have a bit of system admin experience, and have a bit of software development as an Intern. I plan to go into IT security and Audit. Which will you advise I start with (CISA or CISSP)?



    • Hi Frank,
      I’d go for the CISA. It’s easier, quicker, and cheaper to get. Then you’ll have 1 cert under your belt, the one you need for IT auditing. Then I’d get the CISSP. Then you’ll be set for audit and IT security. Or you could move over to IT and get out of audit.


  7. Hassan

    I just stumbled upon your prestigious blog, and I am so glad I did. I have found your articles really helpful and informative.
    As an ACCA student, I am still undecided on what interests I may have in future. However, it’s mainly audit that interests me. I used to be tempted by the idea of CFA and/or Masters in Finance but I soon realized that Finance was not an ‘easy’ thing for me to tackle. As a result, I was drawn by Audit and Forensics purely due to the adventurous nature of the jobs (detecting fraud etc.).
    Ever since, I have been a bit confused about what qualification I should pursue after completing my ACCA and claiming exemptions in the ICAEW program. CIA was one option and then I heard about the CISA. CISSP is a new one for me. For a person who has little to no knowledge in the IT field but studied Audit at a more rudimentary level, would you suggest going with CIA and then CISSP or CISA and CISSP or would CIA alone suffice?
    Just so that you know, I wish to pursue a path that takes less time, is not too taxing in regards to time and money (dropped the idea of pursuing CFA for that reason also) and rewards well.
    I welcome any further suggestions that you may have and would highly appreciate an elaborate response from you.
    Kind Regards.


    • Hassan,
      I had to look up ACCA (which, for those of us who are not familiar with it, is the “Association of Chartered Certified Accountants, …the global body for professional accountants…[who] aim to offer business-relevant, first-choice qualifications to people of application, ability and ambition around the world who seek a rewarding career in accountancy, finance and management.”)

      With little background in IT, I would not recommend becoming an IT auditor, so I’d avoid the CISA (and the CISSP, which is a security certification, not an audit certification.).

      If you must be certified (not all auditors are, but I’d recommend it), I’d go for the CIA (more general certification, which includes some IT info) or perhaps the CFE (certified fraud examiner – see), due to your interest in fraud and forensics.

      If you feel you’re really solid in understanding the audit process, you go for the CFE, which costs $300 for the exam plus study material and membership in the ACFE. Otherwise, I think your best bet is the CIA, which will give you better grounding in audit in general. However, that is the more expensive route and is 3 exams vs. 1 CFE exam.

      If you’re new to the field, you’re better off getting a more rounded education with the CIA and specialize in the CFE later after you have more experience. I wish you the best.


      • Hassan

        Thanks so much, IT. I acknowledge that these are still early days for me. I also appreciate that flooding the CV with too many qualifications is somewhat a wasted effort at the end of the day. As a result, I was eyeing a maximum of three qualifications for myself. I believe the combination you suggested at the end is nearly ideal after having completed ACCA and the ICAEW. Not only would it pave way for Audit in general but also open gates to forensics.
        Thanks once more for making it seem simpler. I’ll make sure I continue dropping by. :)


      • Hello once more.

        It’s highly unfortunate that the ACCA course I have been studying has nearly lost its standing in the country where I reside and I highly doubt that it has any standing whatsoever in the USA (where I plan to move). Having said that, I plan on pursuing certification/s that would not only be rewarding but well recognized worldwide (especially throughout the USA).

        To be honest with you, I am not quite sure where my interests lie anymore. I do know that I don’t enjoy finance so I would be open to your suggestions as to what options I have in this regard and what entry requirements there would be for the route you suggest along with other essential information such as duration of course and costs (ideally, I would love to pursue certification/s that would not take too much of my time and also cost less).

        Thanks in advance.


        • Syed,
          I’m not sure what to suggest as you don’t know what you want. I’d suggest talking to a recruiter and seek their advice, especially about the standing of the ACCA in his eyes.

          To change fields is not easy or cheap. You must have passion for the new line of work and be willing to work hard. The shortest and easiest course is to do the CISA (cheaper too) and become an IT auditor, but as I noted before, I don’t think that’s the route for you.

          I think your first goal should be to determine your passion and follow that. Once you determine your passion, the rest is easier as you have a purpose. Otherwise, you are flopping around doing work that may not pay off for you. Sorry I can’t be of more help. Best Wishes, Mack.


        • I understand what you mean. It’s still early for me to decide, I suppose. I should just keep my focus and let the experience guide me.



        • Syed,
          One last thought: I’ve always found it helpful to be thankful for where I’m at, especially when I am looking toward a change. While nothing is wrong with striving for change and bettering yourself, if that is your primary focus, you lose sight of the blessings that you already have, and can even lose some of them as you push yourself forward too much.


        • You are SO right. I have actually been thinking too much for my own good. I shall keep that in mind as I proceed.

          Thanks so much for your assistance. :)


  8. Sethu

    Hello!!!, it’s a good post. I’ve completed CCNA and I’ve a work experience for 3 years as a N/W Admin. I have more interest in Hacking and LPT from my schooldays. I’m planning to do those certifications. Will these certifications help in IT Audits? I came across CISA and CISSP contents too!!! I understood that CISSP deals with network security. I also started liking CISSP and developed interest in completing that cert too. So, do I need to do CISSP along with CEH and LPT? Which is advisable for my profile, CISA/CISSP? And apart from all these, will I be able to get a job with the combination of certifications like CCNA, CEH & CISSP? If what I planned is a good move, which one should I do first, or is it advisable to do both? But let me tell you this also, I have my plans to do CCIE (Security), which is my dream too.


    • Sethu,
      It sounds like you are more interested in security than audit. Having been in security myself, it sure is more exciting and open-ended. Audit is more procedure-oriented. If you go toward security, the CISA is probably the least of the certs you should pursue. Why I moved to audit is another story in itself….see my post regarding IT Admin vs. IT Auditor.

      If you really want to pursue audits, you most likely won’t do pentesting or anything like that. I haven’t done that in any audits I’ve done even though I used to do pentesting when I was in security. Some auditors do pentest, but that’s unusual. Even the pentesters that work for the Big 4 audit firms are security people not auditors, and I’ve seldom met one who could write an audit work paper.

      The security certs won’t hurt you in IT auditing, but I think you might be a bit bored with most IT security audits. If you really want to get into audit, you need the CISA (or need to get a good understanding of how to audit). Knowing IT and security is not enough.

      As I’ve said before, if you know audit but not IT/security, you’ll still be a better IT auditor than the person who knows IT/security, but not audit.

      If you go for a security job, get the CISSP next. That’s a broader, more business-oriented security cert that still deals with security, technology, compliance, and risk. Then get your other techie certs.

      Hope that helps. Happy to discuss more if you desire…


  9. Sethu

    Hello there, thanks for your valuable reply. What does Security Audit deal with (IT Security Auditor)? What’s the growth of an employee with CISA and CISSP as well along with other security certs? What would you recommend for my experience? If I go ahead with CEH and CISSP, will that be a good move? If I complete these two certifications, what kind of jobs can I apply for?


    • Sethu,
      Typically, IT auditors can get involved in security audits, but that’s not the bulk of what they do. They also audit software configurations, user access, and other things that are not security per se. I still think you sound like you’d be more interested in working as a security analyst than an IT auditor.

      The career path of an IT auditor within an audit or compliance department is mainly a progression of rank, from beginner, intermediate, and senior (expert). After that, unless you go into managing IT auditors, the career path stops there in an audit department.

      However, this can lead to other jobs in other departments in the company like security or IT. However, it can be hard to make the move because IT auditors do not manage security or security systems; they only audit them. Sometimes it’s hard to convince someone to take you into IT based on your work, because usually it’s spread between applications and systems–you generally don’t get deep enough into them for someone to hire you in another department.

      For example, during a VMware audit, I learned a ton about virtualization, and actually had READ access to Vcenter (the app that controls all virtual hosts and virtual servers in the VMware environment) during the audit. Even though I noted several observations for improvement (new controls they needed and just some operational items) and shared some things I learned with the head IT virtualization expert (which he said he didn’t know), there’s no way they’d hire me into their group to create and manage virtual hosts and virtual servers. I simply don’t have depth in VMware or virtualization. Besides, they have to pay me a lot to do entry-level work in their area.

      I went from server/network admin to managing IT security and then got the CISSP (that was a LONG time ago). Today, you can still get a security analyst job with your background plus the CISSP. However, many intermediate security analyst or security administrator jobs positions also want you to know how to manage routers, firewalls, IDS/IPS, and a host of other security systems. Your CCNA should be a big help here.

      So my advice is to get the CISSP and look for an entry-level security analyst/admin job. Make sure you’re not just going to do user access administration, which is what a lot of these jobs entail.

      Look for a position where you’re doing things like: 1) review new projects, systems, and software for security issues, which company security policies they need to follow, and how to implement the systems in a secure manner (the most important part), 2) help implement new security systems (antivirus, VPN, single sign-on), 3) provide input (not manage!) to other IT groups that build desktop images, server images, write/update security policy, manage mobile devices, upgrade the network, etc., 4) do penetration testing and vulnerability testing of the network and new servers, applications, etc., and 5) provide security awareness to management and employees.

      Each job is different and few will have you do all of these things, but these are things to look for. And avoid user access admin work like the plague. Once you start doing that, it’s hard to get away from. And it’s just boring! (Apologies to anyone out there doing this now)

      Once you get your foot in the door, try to get into managing IDS/IPS and all the security systems and/or forensics. That’s the career path up the ladder for a techie.

      Again, get the CISSP and look for an entry-level job. Then depending on what the job is or what the next level up is, then plan your next cert. For example, if the company doesn’t do pentesting, why get the CEH? But if the position you take does it or the next level does, go for it.

      Again, for you, I’d stay away from the CISA as that is NOT a techie cert; it’s a compliance and audit cert.

      Of course, if you don’t find a security job after you get the CISSP, go for the CEH and other certs if you can afford it. It certainly won’t hurt.

      Wish you the Best!


      • Annie

        It was interesting reading your article, especially the part where you mentioned knowledge of audit is a pre-requisite. I am interested to pursue the IT audit certification but am not sure whether it should be CISA or CISSP. My background is I have a systems analyst degree and have completed my ICAEW qualification. Which IT audit certification should I pursue next?


  11. Umesha

    I am now in the process of getting ready for the CISA exam that is going to be held this December. I am a little bit scared of the little remaining time, as I can’t assure myself whether I’ll be well prepared before the exam, but I am so desperate to pass the exam as it cost quite a lot. Unfortunately I came across this site just the day before. I read almost all of your articles regarding the CISA exam and also the accompanying comments with each article. I am much impressed with the insights and advice you’ve given. I recently graduated from an IT degree that is about Computer Systems and Networking. Currently I am working at one of the BIG 4 audit firms. I am in the IT Risk and Assurance division. I have done a few IT advisory projects (Application control review and ITGC review) and am currently doing some IT audit support for the first time. By now, I have my experience regarding IT advisory and auditing close to 8 months. While I am going through your articles I came across the CISSP cert which I see I should go for later as well. For the CISA I have ISACA’s review manual which I am currently going through. After seeing your CISA study guide I realized that there are a few things I need to memorize as well apart from understanding. When going through the ISACA review manual I realized that it contains some that are difficult to understand and some that are easier since I have them in practice. As I am like one month away from the exam and since I am in the process of getting prepared, I would welcome any advice and comments you would like to offer.
    At the same time I would like to know your thoughts on the salary payments on the field as I am not familiar with the standard salaries. While I am going through your articles I came to know that the IT auditor could not go for higher salaries and proceed further in the career path. Is that true? Because I love the field I am currently working on and would like very much to advance in the field.


  12. Umesha,
    First, I think you have a good shot at passing the CISA. Again, if you must skip studying on something, skip most of the IT stuff and focus on the auditing basics like sampling, the different levels of evidence, etc. The CISA is foremost an auditing cert, not an IT cert, so focus on the auditing side.

    Second, make sure you read my post about passing certification exams.

    Third, salaries depend on the location and the market, so I can’t help you much there. I’d suggest looking at salary surveys for IT auditors in your location. The big 4 and some of the computer/IT magazines do these surveys every year in the US; I’m not sure whether they cover other locations, but I imagine they probably do.

    To advance in the IT audit field, you need to work up to the senior level IT auditor, and then to manager, and maybe director. The problem with IT auditing is that unless you understand the operations/finance side, you can’t keep rising. In large firms, IT audit directors are paid pretty well. But you’ll seldom see someone with only an IT audit background rising to director, and never to Chief Auditor.

    Finally, in my experience, IT auditors are generally paid more than other auditors, so I’m not sure what you meant by your “IT auditor could not go for higher salaries” comment, unless you were referring to what I mentioned in my comment directly above.

    Good luck and let us know how you do!


  13. akheel

    Great post I stumbled upon. I have around 6+ years of experience as a system admin. Am I eligible for CISA? I want to be a CISA certified Auditor.


  14. zonaira

    The article was really very helpful and I found it amazing!
    I wanted you to help me. I did my bachelors in IT one year ago and am currently a student of MS information security. I am studying information system auditing and information system management courses which developed my interest in CISA. I am doing a not so technical job in a software house which has mostly to deal with requirements gathering. I don’t have development experience. If I go for CISA after my MS degree what is the CISA scope of a job for an individual like me who has no such experience of development? Do freshers get IT auditing with CISA certification with no such relevant experience? I have great interest in CISA certification but I am afraid it might not be of any gain to me in my professional career since I don’t have experience in the pure technical IT field. Please help, what should I do?


    • zonaira,
      You don’t need development experience to be an IT auditor. You first need to understand auditing and then how IT works (see my What IT Auditors Ought to Know – And Don’t! post).

      It sounds like you are acquiring that knowledge, so I think you have a good chance of passing the CISA if you study some good books (see my other posts about CISA and certification).

      Can you then find a job with your current experience if you get the CISA? It depends on the market. Some companies will hire people with little to no experience (I once worked at a large company that had 30+ auditors that hired 2 IT auditors who had no audit experience; they had been at the company for 10 years in other jobs that didn’t relate directly to auditing. Neither of them had real IT experience. The big thing they had was experience with the company, which you obviously don’t have). The point is that people do get hired even when they have little experience.

      So I suggest you talk to auditors you know and ask for their help. They know your local market. I cover more ideas for finding a job in Find an IT Audit job (note: this link goes to a reply I left for Nick, who asked a similar question).

      Wish you the best.


  15. Jephreciation


    This is a good post! This provides so much insight about Audit and IT.

    I am aiming for CISA but the thing is, I only have 1 year experience on Audit (not IT Audit). My colleague told me that the requirement is 3 years of experience but based on the link you posted regarding the professional experience requirement, one has to have at least five years of experience. Am I missing something? I am aware that you can take the exam even without complying with the said requirements yet but I prefer immediate acknowledgement. Please shed some light. I really want to have CISA and CIA.


    • Hi J, and thanks for your kind words!
      Per the ISACA website (the link I posted above in the Comments), 5 years of experience is required. You can substitute OTHER experience for 3 of those 5 years.

      Your 1 year of non-IS auditing experience can be one of those 3 years. University credits can be used for up to 2 other of those 3 years. The remaining 2 years must be IT audit experience. So, in other words, you have to work in IT audit at least 2 years before you can be awarded the CISA, regardless of whether you passed the exam already and regardless of how much non-IT auditing experience you have.

      To get that IT audit experience, talk to your audit manager and ask for the opportunity to do more IT audit. I’d go ahead and take the exam as that will give your manager more reasons to let you do more IT audit.

      Wish you the best, and Merry CHRISTmas! Mack


  16. akshay

    Excellent article :)
    I am doing chartered accountancy as well as a CMA course. I have an interest in the audit field, as I spent 3 years of my articleship training doing audits. Please guide me whether only the CISA cert is sufficient or CISA + CIA, so as to excel in the job.


  17. Emmy

    Hi itauditsecurity
    I have done BS in information technology 5 years back. I want to do a certification. I am doing job as lab supervisor but my work mostly not related with IT. Some of work related to maintenance of servers like (windows installation, RAID configuration etc). I am confused to do a certification which is better for LIKE
    1. MCITP
    2. CISA
    3. CIA
    I want to know about which is better for me?
    Kindly reply me in detail.


    Emmy Khan


    • Hi Emmy,
      It depends on what you want to do. If an IT auditor, do CISA or CIA (I wrote an entire post about the difference between the two). The Microsoft Certified IT Professional (MCITP) won’t help much in auditing without an audit cert, so do MCITP if you want to get into IT.

      First figure out what you want to do, then determine how to get there. Give me some more info on your goals, and we can continue the conversation. Good luck.


  18. Umesha

    Yes!! I passed the CISA exam. I’ll tell what I did as studying. I read the ISACA manual, but I can’t say that I memorized the content there. All I did is trying to understand the content. Also as you advised I obediently covered the first chapter which is all about auditing. Every chapter first describes the technologies and auditing practices later. Lot of time goes to cover the manual. It took me few days to read a chapter while thoroughly understanding it. The question database is a huge help. I recommend trying out the whole database and reviewing each question after trying and also redoing the troubled questions later. According to my experience that is sufficient for studying the content. Apart from that during the exam sticking to the time restrictions (50 MCQs per hour) and trying all 200 MCQs will be sufficient to pass the exam. For me I would say your advice on my comment and the articles here were a great source of motivation and knowledge. Thank you.
    I am hoping to do CISSP also some time later. But I believe rushing for certifications is not good as I just got my CISA and my experience in IT audit field is now only 9 months. Am I correct? I would like to have some insight on that thought. Thank you in advance.


    • Emmy khan

      Hi umesha!
      Can you help me to proceed for CISA certification? I have no idea and here is no institute currently providing training of this cert. Kindly guide me how much you paid for certification as there are some member and non member fee difference. Tell me about study resources. I have downloaded the CISA questions database but it’s not working.
      Kindly help me….

      Thank you so much..



    • Umesha,
      Congratulations! Doesn’t that feel good? I think you’re the first one who has ever come back to say whether they passed, so thanks! AND CONGRATS TO ALL THE OTHER CISAs WHO PASSED RECENTLY!

      Your study approach was great. As I’ve noted in my posts, you really need to read the book from the organization who provides the certification (just like you did). It’s usually the most boring version, but has all the info you need. I like to read at least one other study guide too and recommend Shon Harris.

      It always helps to have some experience before you take the exam. You could start studying for the CISSP now, take your time, and then do the exam in a year. Then you’ll have almost 2 years under your belt.

      The CISSP is a LOT harder than the CISA, and broader too. So take your time and pass it the first time. You’re on the right track.

      I was most impressed that you took the time and effort to UNDERSTAND the process of auditing and IT, and didn’t just try to memorize a lot of information. That paid off big for you on the exam and will continue to pay off as you do your audits.

      Thanks for the nice words about the blog. I’m glad we could help. I look forward to more comments from you in the future.


    • Sridev G Pai

      Hello Umesha, congrats on cracking the CISA exam! I am also preparing for this exam from the CISA Review Manual (CRM) 2015 from ISACA. I am not sure if I am ready for the December 2015 exam, but I’ll be appearing for the June 2016 exam for sure. Can you please share your approach that you followed while preparing for this exam, like –
      1. the number of study hours per day
      2. how long did it take for you to prepare for this exam
      3. did you prepare any study notes from the CRM
      4. did you refer to any other book/website apart from CRM
      5. what has been your educational & professional qualification before you certified in CISA. And also when (year) did you complete these.

      Would be grateful if you can reply with extensive details.

      Sridev Pai


      • Sridev G Pai,
        Hopefully Umesha and others will respond to your questions too. From what I recall, I probably spent about 1-2 hours a day for 6 months, but I always overstudy. It all depends on how well you understand audit and IT. The less you know, the more you need to study, especially the audit side.
        I wish you success!


  19. Dutchauditguy

    Many thanks for your views on this certification! I have been working in the Netherlands in IT and Operational Audit for the past 8 years, but originally come from a non-technical background (business economics).

    I have a solid background in auditing, working for a Big4-company. I don’t have CISA, but here in the Netherlands we have post-master Executive Master in IT Auditing (EMITA) which take two years of study / 1 day per week to complete. It’s required in the Netherlands to be taken seriously as an IT-auditor, but it doesn’t do you much good abroad.

    My work in the past years has mostly focused on the non-technical side of IT, auditing processes such as change management and management controls systems. In the past few years, I’ve started to notice that in general, my clients are starting to require different things from an IT-auditor: much more in-depth knowledge of how systems work and interact, from hardware to middleware to DBMS to applications, and how it interacts.

    I took your advice and passed the CISSP exam last Monday, and am glad I did. Any views on what certifications are a logical next step to extend technical knowledge? I noticed that you haven’t posted on the Certified Ethical Hacker certification; do you have any opinions on that?

    Kind Regards & warm thanks,


    • Dutch,
      I find the EMITA fascinating and will have to read up on it. It sounds more like what we need in the USA instead of CISA, which I have always complained is not technical enough.

      With a business economics background, you’ll be a great auditor as you understand more and more about IT and systems. I’ve always wished I had a financial background, but that stuff doesn’t come easy to me (I’ve tried).

      The CEH and other hacking certifications are more about hacking tools and vulnerabilities. It won’t hurt you, but it won’t teach you what you want to learn. What you’ll learn is how easy it is to hack most companies and that might lead to your dismissal if you don’t have a GOOJ card (see my How to Stay Out of Jail post).

      As for what to learn next, have you seen my post entitled What IT Auditors Ought to Know – and Don’t!? I’d start learning those items if you think they would be useful in your position. Some of the items link to other posts that explain them and the rest you can Google.

      Since I can’t think of any other certs that will teach you what you want to know, I again suggest Google. Search for “free online course technology” or something similar to that. Many free college classes or other tutorials are just waiting for you. Some are all reading, some have video lectures, lab exercises, and exams.

      Just take your list of what comes up at work, prioritize it (some things will apply to multiple audits you’re doing, so start with those), search for it, and go for it.


    • Another FREE resource, co-founded by SANS:

      Teaches security skills.


  20. Dutchauditguy

    Thanks for the pointers. The Dutch EMITA’s are taught by four or five universities here in the Netherlands, and apart from auditing skills also include classes on ethics, standards (Cobit, ITIL, ISO 27x etc.) and quite a few classes on various technical subjects. One university has recently decided to give their students a choice: in the final year, one can either choose to follow the normal classes on IT subjects or to take a course that will prepare them for the CISSP exam. Not a bad idea in my opinion!

    Thanks for your opinion on CEH. You’re right, I’m looking for more in-depth technical knowledge but not on penetration testing per se. I did check out your post on “what auditors ought to know”. Didn’t think I fared too badly on the knowledge questions and I don’t peck like a bird either :-)

    Will check out your tip on the SANS-resources. Another good site I found was:, which has quite a few courses on technical topics ranging from basics on networking and cryptography to more advanced courses such as software-defined networking, secure software development etc. Looks exactly like the thing I need :-) The courses appear to be derived from classroom courses given at Stanford for example. Perhaps good to share with others in a post on your blog?

    Kind regards & thanks again,


  21. Grief

    Hi Mack,

    Also passed the CISA (part of the top 10% of takers; not really bragging but it just feels so good that all the rigorous studying paid off). What’s interesting though is that the lowest domain for me was Domain 1, which to be honest, should have been a breeze as I originally have a fairly solid financial audit background. Here’s what’s more interesting: the highest I got was for Domain 5 – incredible since I don’t really count myself as having a deep understanding of the more technical IT audit perspective.

    Now that CISA’s done though, I’m torn between taking CIA or any of the more IT audit-oriented certifications (i.e. CISM, CRISC, CISSP). I’m keen on honing my professional career as an IT auditor while at the same time acquiring a deeper understanding of the more technical side of things within the IT audit perspective (again, this is because I’m no IT guy and started my career in financial audit). Which do you think should I pursue next?

    P.S. I’ve actually started digging into more SANS-related resources and have been looking for worthwhile online courses on computer technology and security. Thanks again!


    • Grief,
      Since your interest is more technical, I’d lean toward the CISSP or one of those certs. You won’t learn that much more technical stuff pursuing the CIA.

      I can’t speak highly enough of SANS courses. If your employer will pay, take some of those classes. Otherwise, do some online courses and then do another cert.

      And as you do more IT auditing, do some more digging in the technology involved in that audit, on your own time, if necessary. Not only will your audit be better, but you are more likely to remember what you learn as you’ll be applying it to a current project. And you might impress others with your work, too.


      • Grief

        Hi Mack,

        I stumbled upon this a few hours ago and thought you and the rest of your readers might be interested. Well, not with the awards, but basically the tons of blogs devoted to network security as well, which every one of us (your readers) can use for supplemental reading. Not sure how they came up with the list but I’m pretty sure you deserve to be part of that too.


        • Grief, thanks for the link. While this blog isn’t up for any awards, I am a part of the Security Bloggers Network.


        • Grief

          Great! By the way, seeing that CISSP is a very big dragon to slay for me at the moment (considering the little knowledge I have on the more technical side of IT audit), I have decided to go for SSCP for now and move on to CISSP as soon as I have more experience and deeper knowledge in infosec. What do you think?


  22. Grief,
    I couldn’t find much info about the difference between the CISSP and the SSCP. In his blog, David Farquhar said that “SSCP is (ISC)²’s answer to the CompTIA Security+. It’s half as long as the CISSP and only covers 70% of the material that CISSP covers”

    Better to have a junior cert than no cert. Good plan. Let us know when you pass the cert.

    I’d read David’s entire post and his other CISSP posts.


    • Grief

      hey mack,
      yes, you’re right, the SSCP is, indeed, like a warm-up test for CISSP. according to the (ISC)² website, SSCP is “the little brother” of CISSP. i think it’s some sort of pre-CISSP conditioning and can be a good gauge of how much you know before finally becoming confident to taking the CISSP.

      p.s. thanks for david’s blog link. that’s a pretty neat treasure trove of all things computer security.


  23. Jitendra M Jain

    Hi, my name is Jitendra Jain. I am from India and completed my Chartered Accountancy (CA) in May 2007, and have 6 years of experience in Risk Based Auditing (completely non IT based). I very well understand the various businesses and the various operations within a business, i.e., purchase, inventory, production, sales, financial reporting etc. I just happened to read your various posts on IT auditing, especially CISA, and am quite fascinated by it. Do you think if I want to jump or extend my auditing skills to IT, gaining initial IT experience is more relevant or gaining a certification?

    Can you please suggest some books that I should read before I apply to the institute that monitors the CISA program?


  24. Hi Jitendra,
    By ‘initial IT experience’, do you mean experience in IT auditing or experience working in IT? I’ll address each in turn.

    Gaining actual experience in IT is better in my opinion, as you would have operational knowledge in addition to head knowledge; studying for a cert will only teach you what the cert requires, not general IT knowledge or operations. The problem with that is it will take more time than you want to spend and your audit skills will get rusty.

    If you have the opportunity to gain experience in IT auditing in the near future, go for it; don’t pass up the opportunity even if you are new to the area. However, I would start studying (or at least reading about) for the CISA and reading as much about IT as you can. You will need both and they will complement each other.

    My suggestions:
    0) Search for free, online courses in IT and take a couple. I can’t recommend anything for that as I didn’t learn IT that way; I was IT, and learned on the job.
    1) Read Shon Harris’s CISA Study Guide. That will give you an overview of IT and help you study for the CISA at the same time.
    2) Check out my post, Teach Yourself Security, especially the CISSP links and Steve Gibson’s Security Now podcasts. While this post focuses on security, you’ll learn a lot about general IT. Gibson produces written transcripts of all his podcasts, and they are a treasure trove.
    3) See my post What IT Auditors Ought to Know – and Don’t!.
    4) If you are in internal audit of a company you want to do IT auditing in, talk to those doing IT audit in that company for ideas on getting started. Some companies have internal IT training.
    5) Talk to your IT staff to learn what technologies are used in your company and focus on learning what you can about them, especially the technologies that process your financials and other key company systems, as that’s what needs the most auditing.

    That should get you started. Let me know if you have other questions. Stop back and let us know how you’re progressing. Good luck, Mack.


  25. Akash


    Very well written :)

    I have acquired my CIA degree. I have almost 4 years of experience in one of the Big 4. But I am some way or the other getting attracted towards IT. Will CISA be good for me? I learnt SAP through one of my clients when I was auditing them for 3 years out of my 4 years in the Big 4.



    • Akash,
      The CISA used to count as the IT exam for the CIA. Not sure if that’s the case any more. If you are comfortable with IT and/or can pick it up quickly, you might be able to skip the CISA. However, if you don’t know IT very well, I’d suggest you get that cert, as you will learn a lot.

      Either way, it will help you, and it’s cheap to get and maintain compared to other certs.


  26. Hello once more. I have been contemplating my career options after qualifying as a Chartered Accountancy (ACCA) affiliate and I am sure that I would want to serve as an auditor in the future.

    I see that you particularly favour the CISSP qualification in the knowledge that less IT auditors have it and it separates ones who do from the rest. It still begs the question, isn’t adding a CISSP to a CIA and CISA overkill? Wouldn’t it warrant an employer’s frown once he/she notices a barrage of qualifications on that CV?

    I have been eyeing the Middle East as my landing spot for my first job and have heard that most employers there value CIAs better than most (in regards to the audit profession). I was wondering if I should add CFE to CIA as “Forensic interviewing skills where you observe whether someone is nervous, lying to you etc. can also be used as an auditor when interviewing staff.”

    I hope you agree that “Understanding the fraud schemes, red flags and being able to implement effective anti bribery, anti-corruption controls are all skills that are useful for an auditor to have.”- response on LinkedIn

    I am assuming that CIA does have components of IT audit within the course and it might be enough to help secure an IT audit job on occasions it is available (kindly correct me if I am wrong). The world is more or less computerized, afterall. Besides, I might be moving to places like Canada and Australia at some point anyway. Considering all that, would you still recommend getting CISA AND CISSP later at some point or would CISA after CIA and CFE suffice (Would it even be necessary getting CISA and/or CISSP for that matter?)?

    Sorry for typing in another long lecture here.

    I look forward to your valuable response anyway.

    Kind Regards.


  27. Syed.
    Here are my responses…
    1) “isn’t adding a CISSP to a CIA and CISA overkill? Wouldn’t it warrant an employer’s frown once he/she notices a barrage of qualifications on that CV?”
    First, the CISA isn’t about security like the CISSP or mostly IT; it’s about audit. I think the 2 go together perfectly.
    Second, like the CISA, the CIA is about audit. So, no overkill there either. Getting the CIA and the CISA is more of an overlap.
    I like the CISSP because most IT auditors don’t understand security fundamentals or IT fundamentals. The CISSP helps with this.
    Third, after 3 certs, I start to wonder. I think employers like certs more than we want to admit, mostly because it makes choosing between new hires easier for them. The real downside is that employers might think that 3 or more certs means they have to pay the employee a bit more. If you have too many certs, you can always tell employers only about the ones that apply to the job for which you’re applying.
    2) I “have heard that most employers there value CIAs better than most (in regards to the audit profession). I was wondering if I should add CFE to CIA”
    I agree that CIA is better than CISA. I wish I had the CIA myself. I favor the CISA because it’s cheaper, easier to obtain, and it’s all an IT auditor needs to get in the door. CIA has more financial audit in it, so it applies better to general auditors. A CFE will never hurt you in any kind of audit position. If your interests lie there, I would steer you away from IT audit, not that you can’t find fraud or its workings in IT, but technology can be hard to master if your heart is in finance. As I have said before, getting an IT audit job and being a GOOD IT auditor are different. Due to my extensive IT, technical, and security background, I consistently find problems where other IT auditors don’t.
    3) “I am assuming that CIA does have components of IT audit within the course and it might be enough to help secure an IT audit job”
    True, and technically (a slight pun) you don’t need both. If you had the CISA, that would cover 1 of the CIA tests (not sure if that’s true since they revamped the test). When choosing between 2 auditors, one with a CIA and one with a CISA, a careful employer would choose the one with more IT experience.
    4) “would you still recommend getting CISA AND CISSP later at some point or would CISA after CIA and CFE suffice (Would it even be necessary getting CISA and/or CISSP for that matter?)?”
    If you have the CIA and CFE, you could get IT audit jobs, but the CFE would tell employers you’re more of a financial auditor. You’d be better off if you had some IT background, but those certs would probably be enough. So make sure you talk to employers about your understanding of IT.
    If you find you don’t get IT audit jobs with those certs, I’d get the CISA (again because it’s cheaper and easier). You wouldn’t need the CISSP. Since much of IT auditing is about security (and many IT auditors would disagree with me on this), I’d suggest you get the CISSP only if you want to make a career out of IT auditing. With the CIA and CFE and some IT background, you’d be a valuable auditor who could do financial AND basic IT audit. That’s the direction I’d suggest you go, and your IT knowledge would expand as you do IT audits.
    Always happy to give my opinion.
    I wish more people would give this kind of thought to their career choices. Cheers!

    NOTE to other readers: My advice is based on Syed’s specific questions and situation. Please read his comment above and make sure you take that into account if you apply any of this advice to yourself.


    • So glad to hear from you again, IT.
      This made things clearer for me and to be honest, you are the one person whom I got the idea of CFE and CISSP from. I suppose it’s going to be CIA after I complete my ACCA along with CFE. That somewhat opens doors of financial internal audit for me since ACCA covers elements of external financial audit itself. From there on, I could later (perhaps much later) pursue CISA to give myself a chance with IT audit jobs (hopefully, employer funded :p).
      I’m thinking it’s better to know more about what I decide to do so that I can do myself justice with whatever profession I choose (hence, your motivating take on CISSP might well convince me to take on that qualification at some point in my career).
      I can’t thank you enough for your continued support with those generously detailed responses and such educational articles.
      This would surely sound cliched but I wish there were more people like you in this world.
      Stay blessed.


  28. Rayees

    Dear Sir,

    I am also having doubts, something similar to Sayed. I am very confused and can’t take a decision; I need your support.

    I have partly qualified ACCA. Passed CISA in 2011 and I got work as an IS Auditor in a small IT Audit firm. I was a fresher and didn’t know anything about IT and audit at that time. Now I have done many audits and I am learning slowly.

    I am continuing my ACCA. But when studying I get confused that ACCA is for financial and CISA is for IT Audit and both are entirely different. Sometimes I think to drop ACCA and do CISSP/ISO27701/CEH.

    Is ACCA with CISA valuable? Is IT Audit or Financial Audit good? Which will give a high salary? Is completing ACCA, doing ISO 27001, and concentrating on IT Audit better, or is changing career to finance better?

    What about doing CISSP after all this?

    I know how to do IT audits more using tools and less manually.
    I have knowledge of and have done Bank process and concurrent audit based on ISO 270101, Policy framework, Network audits, VAPT, web application audits, SAP security audit using Onapsis. Is deep technical knowledge required to do IT audit? As of now I think it is not required; only a basic understanding is enough. But my confusion is whether, when moving to or applying at a big company, they look for technical knowledge.

    Please help me.


  29. Rayees,
    Understanding and auditing both the financial and IT sides of a company can be very valuable. Unless you hate finance, keep going on the ACCA, especially with more companies stressing integrated audits, where both sides are tested in an audit, versus splitting them into 2 separate audits. You’ll see things that auditors that have only the ACCA or CISA will miss. And with both, you’ll always have work to do, as you’ll be able to work on more types of audits than most auditors, including me.

    I’ve usually found that IT auditors are paid more, not a ton more, but more. See my ‘CISA vs CIA Cert’ post for proof. But it always depends on what is in more demand in your area. Good IT auditors are in high demand in my locale right now, but even so-so IT auditors are being hired.

    While it’s nice to be able to audit a system using tools, the real value is in interpreting the results and how they affect your systems, data, and employees. You don’t want to just run a tool and provide the report, as you will be labeled a “checklist auditor”. Too many pentest companies already do that, and poorly.

    While a basic understanding is enough to get you work as an IT auditor, you won’t be a GOOD IT auditor unless you have some technical knowledge and a good understanding of how YOUR COMPANY uses the systems. Only then can you see that problem A will cause result B, which impacts systems C and D, and processes E and F.

    Yes, bigger companies will expect more technical knowledge, as well as how to audit processes you are not familiar with; they will want you to figure it out. Too many auditors think they’re doing okay when they are given a test plan, some tools, and test steps, and they can complete the audit. But if those same auditors are told to audit something and determine how to do it from scratch, they can’t do it.

    As for CISSP, if you have only basic knowledge of IT and security, CISSP will be a big challenge. If you’ve been doing IT auditing at least 3 years, then go for the CISSP and other certs, as the ones you mentioned were more technical. Again, you can take the CEH and learn to hack without understanding what you’re really doing, and as a result, you’ll miss all kinds of other problems that the tools will miss.

    Overall, I get the sense that you need to spend some time increasing your understanding of IT and security. Did you see my post, What IT Auditors Ought To Know – But Don’t? If you don’t know at least 80% of those items, you need to continue to work on (what I consider) the basics.

    I don’t mean to discourage you, and I may have read more into your comment than I should have, but I’ve given you my honest opinion. Take what you feel is valuable, and leave the rest. If you reply, we can continue the discussion.
    Take care. -Mack


  30. JW

    I have a Master’s Degree in Accounting with a 3.85 GPA and have the CPA and CMA certifications. I have been working as a Staff Accountant for a little over two years at a tiny real estate LLC. I have no experience in IT or in audit, just general accounting. Now I’m interested in getting into IT auditing. I have no idea how to go about that. I am looking into getting a Master’s in MIS while keeping my job. It will probably take a couple of years to get through the 33 hour program. In your opinion, should I go ahead and try to get into audit somewhere now or go for the Master’s in MIS? Also, I’m unsure about whether to study for the CIA or CISA. I have absolutely no IT knowledge, but I am interested and want to learn. Let it be said that I’m dead set on getting into the field of IT audit. I am very passionate about it. Let me know what you think.


  31. JW,
    I’ve covered most of your questions in my previous replies to other comments, but briefly, if you don’t know IT or audit, you’d have to learn both to do IT audit, which would be hard. I suggest you try to get a job doing financial audit first, but if you insist on doing IT audit, do the CISA, not the CIA, for reasons noted in other comments above.


  32. JW

    Thanks for your advice. So I should not get the M.S. in MIS degree? What about the audit job–public accounting audit or internal audit at a company?


    • JW,
      If you really are dead set on IT audit, then go for the MIS degree. However, if you go that route and get an IT audit job and it doesn’t work out, you’ve spent a lot of time and money. That’s why I’d suggest you do the CISA first, to get your feet wet.
      Again, if your goal is IT auditing, I’d go for internal audit. You have a much better chance of doing IT audit at a company, not public accounting.

      I wish you the best.


  33. Preethi Vikram

    Hi, Your blog is amazing, I find it really informative and inspiring. I am actively studying for CISA exam now and your blog gives me so much of motivation and what not. Thank you loads and loads!!!!!!!!


  34. Preethi,
    Thanks for the feedback. Glad the blog is helpful.


  35. Hey,

    Very useful article. Just wondering though, how does CISM compare with CISSP?


  36. Neema,
    The CISSP, issued by ISC2, deals with the common body of knowledge around practicing security–being a security analyst. The CISM, issued by ISACA, deals with the governance and management of the security function–being a security manager.

    The CISSP does not require security management experience; the CISM requires 3 years of security management experience.

    The CISSP is more technical, and security pros often get that plus the CISM so they can someday manage. For auditors, the CISSP is more applicable, but the CISM also adds a manager’s view of risk.

    If you want more info, I suggest you read and compare the two certs on Wikipedia.

    If you want to be a great IT auditor and plan on staying in that profession for a long time, I’d get the CISA, then the CISSP. The next cert I’d get is CIA. Personally, I would not pursue the CISM.


  37. Ahmad Al-Tayyeb


    I’m working as an IT Administrator in one of the global auditing firms, in the IT department. I have 5 years of experience in the IT technical and administration field, working to manage, administrate, and troubleshoot the IT infrastructure in general, which consists of network, servers, databases and applications. Now I’m looking to move to another sector and another career path, which is IT Audit and IT Advisory, and looking to have the CISA in December 14. There is a line for this sector in the company I’m working in, and all the employees in this line were experienced in the IT sector before; that’s why I’m thinking of moving to this line. Mostly they are working and focusing on IT Auditing more often than IT Advisory. Now I’m confused whether this is a good step or not. I think CISA is an audit certification and it is a bit away from my experience in the IT field. I wonder if there are other ISACA certificates closer to IT Advisory and to my experience? I’m thinking of other certificates like CISM or CRISC or CISSP, but I don’t have any idea about them. I’m willing to study and pass the CISA if this is the first certificate I should go through to start the IT audit career. Note that I’m still working as a technical in the IT dept and don’t have any IT Audit experience. Will passing the CISA exam be enough for me to ask the company to move me to the IT Audit line? That is my question, and I hope to find advice from you.


    • Ahmad,
      I remembered answering this before, but don’t see my reply anywhere….here’s take 2….

      Due to your background in IT, the CISA is the way to go. What you need to learn is audit. I’d suggest Shon Harris’ CISA book. That will tell you whether you can grasp auditing principles (and you will).

      Make sure you look at the work requirements of CISA to ensure you meet them. Your IT work should suffice, but check out the requirements and talk to ISACA if necessary.

      Yes, I think your IT background plus the CISA cert will get you an entry-level IT audit position. I see that all the time. The current company I’m in recently hired 2 new IT auditors. Neither had audit experience; 1 had no IT experience; the other only a little (far below yours).

      While CISM won’t hurt you in IT audit, it won’t help much either. After the CISA, I’d suggest getting the CISSP or the CIA (if you want to understand the financial side of auditing).

      Not sure what you meant by IT Advisory, but I think you’d make a good IT auditor.

      Check out 2 of my earlier blog posts: CISA Quiz at and Internal Control quiz at

      I’d also suggest you read all my posts about the CISA (see link at top of page on right) and all my certification posts (in the Categories box on the right side of this page, select ‘Certification’).

      Best Wishes, Mack.


  38. Da bomb

    I stumbled across this blog. Basically I am trying to find ways to help myself develop in auditing. I am taking the ACCA exams and employed in financial audits. My employer wants me to take CISA exams. I don’t know whether I should. On my own I wanted to pursue the CIA. I only learned of the CFE from your blog. I tried the link you gave for it above but am having problems accessing it. Could you kindly tell me what the entry requirements are for CFE?


    • Hi DB,
      I tried the CFE link above and it worked. Go to and search for ‘CFE requirements’. I hear it’s a tough exam, but it’s a great cert to have. I would strongly suggest you get an auditing cert before you attempt the CFE so that you have a solid auditing foundation.

      My advice: Study for the CISA. Your employer wants you to do it, and it’s an easier, cheaper cert that only requires 1 exam. Then do the CIA, which is 3. Then do the CFE. You need to be really solid in audit before the CFE.
      Best wishes. Mack


  39. Da bomb

    Thank you Mack for the advice. I guess it does make sense to start with what is faster and cheaper. A recent event my friend encountered has piqued my interest in IT auditing even more. She met a friend on Facebook based in the UK. On her birthday the friend sent her a birthday present, but the package never made it to its final destination, Lesotho. My friend was contacted by the shipping company, which said that the package was stuck in Malaysia and she should pay a fine of $1250 because currency had been detected in the package. She was to pay using MoneyGram. On reaching the bank, she was told that the bank no longer processes payments for packages said to be from the UK and stuck in Malaysia because they are fraudulent. When she told her Facebook friend about this, he contacted the shipping company, which sent her an alternative South African bank account to deposit into. The account holder name, however, was not in the company name. Although I also agree that it may be fraud, I am having trouble explaining to my friend how it plays out. She is asking me, if it’s fraud, who gets to benefit, because the payment is made to Malaysia and not the UK? I asked her to allow us both to research more before making payment. Do you perhaps have any idea how such a fraud works? The bank teller did not explain any further; she only said that the bank no longer processes such payments.


    • DB,
      Did she ever talk to the ‘friend’ personally to verify a present was really sent? That might help convince her this is a con from the beginning.

      Most likely, no present exists, so Malaysia and UK are moot. The important thing is that the bank said be careful. Money is easily transferred to another location, so multiple locations don’t matter.



    I have done CCNA & CCNP and am working in the Network Operations department of a service provider. Being bored with deadlines and tired of escalations….week after week…. I want to venture into the Audit field so that I don’t bring work back home for ‘on call’ weekends or on holidays. Plus the idea of working only on networking does not appeal to me. My company has offered me to work for the ‘Internal Audit’ department for half-day per week for the next 3-4 months. So far the interaction with the ‘IA’ guys was cool and I think it’s an interesting proposition. Do you think it makes sense (I do) to utilise some of my skills from CCNA & CCNP in the audit field? Please advise.


  41. V,
    Are your certs in voice or security? Either way, yes you will be able to use them in IT audit, but keep in mind that not all audit teams dive real deep into tech.

    Make sure you ask about how technical the audits are and the types of tech they audit. But if the company offered the opportunity to you, they must think you’ll be an asset.

    Your background will certainly be helpful and you can add a new perspective, and can think about audit issues in the network layer, which I’m sure they haven’t before. If your certs are in security, definitely more.

    I’d go for it, but understand audit gets very tedious. You might miss the excitement, but if you’re looking for a break, go for it. While I enjoy audit, I miss the excitement and authority of running systems and hacking them. But I’ve never had better work/life balance.

    Again, I’m assuming IT audit, not general audit. You will be lost and bored to tears in general audit.

    Let us know how things turn out.


    • Vin

      Thanks for the patience and your effort to go through my query.

      I am CCNA, CCNP (Switch) and CCIE (Routing & Switching) (written only) certified. Could not go ahead with lab practical exam so far…..

      Personally I have never been interested in the security part for some reason, but I guess with CISA and audit experience ahead this is what I am gonna play, it seems. Have read your blog and appreciate your candid advice on the exam pattern and prep method.

      Yes, it is IT audit, it seems. Open position in the department asks for (preferred qualifications in brief) 3-4 years of IT systems audit experience, working with personally identifiable information, CISA / CISSP / CFE / CIPP certified, analytics skills: spreadsheet modeling, financial analysis, working with large datasets and basic probability and statistics, build custom ETLs, proficiency in Python and SQL or ability to learn based on experience, apart from soft skills like communication, leadership and working in cross functional teams.

      Above mentioned….is what they are asking but I guess I can learn faster….work/life balance is what will motivate me.



      • Vin,
        Wow, I’ve never seen such technical requirements for audit. So it looks like they go very deep in technical audits. Remember that most job descriptions list EVERYTHING the manager WANTS in a new hire, but they never expect that one person will have all of it, but only 50-70% of job “requirements”. If they did really expect all those skills, they could not afford to pay that person appropriately. You should have no problems learning what you need. The most important things are understanding risk, how to identify it, and how to talk to management about technical things in simple language. If you can master that, the technical stuff will come easy.

        In my mind, if an auditor is as technical as the job description desires, why would they waste that person’s time doing financial analysis? Financial analysts are easy to find; good tech people who can do the 3 things I listed as most important are not easy to find.

        One thing you said regarding your lack of interest in security…security is very close to risk on the IT audit side, so if your interest doesn’t grow, you might want to look for something else. Having said that, I think you’ll do just fine. Pls keep me posted.


  42. Alex

    I’m a telecommunication engineer with +11 years working experience in switching systems (C4, C5, maintenance, configuration, protocols), CCNA, Linux, Windows, …. I’m now looking for a new challenge. I want to go for CISA certification in order to move to IT auditing, but I don’t have any prior knowledge in auditing. Do you think I can learn enough auditing basics from ISACA books for the exam? What do you say about moving to IT audit for a telecommunication engineer? Best regards.


    • Alex,
      Go for it. You will be ahead of most IT auditors because you understand operating systems, security, and networking because you worked with them daily. Also, you understand areas of IT you only understand if you worked in IT (like change management).

      Yes, you can learn the basic concepts of auditing from the books, but usually, departments that hire new auditors work under a senior person who helps them along. Most people learn auditing this way or from college classes, which start with books.

      Also, see these other posts on this blog for audit basics: IIA Basics for Auditors and Audit and IT Audit for Dummies. Lots of material out there.

      Finally, ask the auditors in your company for help. Most auditors would love to share their knowledge.

      If you move in that direction, let me know. I’d be interested in hearing about your journey and would be happy to provide further input if needed.


      • Alex

        Thanks a lot for your warm encouragement. I will definitely go for it. A training program nearby starts early next month and I will join them. Do you think I can get from ISACA some substitution years considering my working experience?
        Best regards.


  43. Alex

    What about CRISC vs CISA?


    • Alex,
      Yes, you should be able to substitute experience, probably only 1 year. I don’t remember if it’s 1 or 2. Best thing to do is call ISACA and discuss your situation. If you had any years relating to security or compliance, they might count 1 year of that too.

      Re CRISC, I don’t have much experience or knowledge with the cert or people who have it. See my comments in my ‘2014 Top Paying Certs (United States)’ post.

      My gut is that it is not that valuable. I never see anyone with just that cert. For auditors, it’s either the CISA or CIA first. If you don’t have one of those, get one first.


  44. nick ycat

    Good morning sir,

    Thank you for your article, as I was looking for this exact comparison.

    A little about me: I got my CPA at a big 4 firm, and have almost finished the CIA. After some thought, I realized that I wish I had gone for the CISA over the CIA because I feel as though IT/technology audits will be the future because of advances in technology and as a result of the security/privacy issues we see today.

    So, once I finish the CIA, I am debating whether or not to get the CISA in order to round myself out and open the door to a whole new set of positions/careers.

    How difficult would the CISA exam be for me? What is the required level of study? I like the idea of a single exam for the CISA, so I can get it over with quickly. I don’t want to rush it, but I am wondering if a quick completion is possible as I am hoping to finish the CIA by Jan 1 2014 and looking to make a career move in summer 2015.

    Thank you for any insight.


    • nick ycat

      Also, am I going to have any issues with work requirements to qualify for the CISA?


      • Nick,
        If you pass the CIA, the CISA should not be too hard. The CISA is more audit than IT, but you need to understand IT also. I would still get the CISA even if you get the CIA. You don’t have to get the CISA, but it won’t hurt.

        The level of study depends on your experience and how well you take exams. I generally overstudy as I don’t want to fail and take it again.
        If you pass CIA, make sure you study the IT sections a bit more and go for it.

        You didn’t say what work experience you have, so I can’t speak to that. If you meet the work requirements for CIA, meeting the CISA work requirements shouldn’t be that hard.

        I get the feeling you are new to audit and IT, so you should study pretty hard. Good luck.


        • nick ycat

          Thanks for your response.

          I did some reading; looks like I should be ok with work experience. 4 years at a big 4 firm in external audit and 2 years in internal audit.

          I finished parts 4 and 3 of the CIA, just working on 2 now, then 1. I’m a bit of a nerd and I’ve done data security audits at work so I know the basics and general concepts. I have lots of audit experience given my history as well.

          So sounds like it shouldn’t be too crazy. I was worried it would be very IT technical, but it sounds like it’s mostly audit, which is good.

          Thanks again.


  45. Phil S.

    I have my CIA and CPA (I am Canadian). Do you see any value in me pursuing a CISA? I’m still relatively young (28) so I figure I can get it now and maybe it will pay off in the long run. From your posts I suppose it would be mostly refreshing CIA/CPA material, with a bit of new stuff mixed in.


    • Phil,
      As with most questions, the answer depends…..
      – If you want to do mainly IT auditing, it will add to your knowledge and your ability to better understand and audit IT. If you want to do mostly financial and operational audit and then some IT audit, your CIA should do just fine by itself. The question is, how deep into IT auditing do you want to go?
      – Did you ask the audit managers and directors in your current company what they thought, especially those who assign the IT audits (or the IT portions of audits, assuming they are integrated)? Did you ask the auditors and managers that you run into at ISACA and IIA events? This will give you an answer that fits the region of the country that you work in.

      Since you passed the IT section of the CIA, you already know auditing, and the CISA is not expensive to get or maintain, I say go for it. It won’t hurt you and will only help. And all the CPEs you earn for the CIA will work for the CISA. Good luck.


  46. Godwin

    I completed my ACCA studies and I am thinking of a career in internal audit. If I study CIA would it be value addition or a waste of resources?


    • Godwin,
      The CIA would be valuable, especially if you don’t have audit experience. Also, see the Comments above from Hassan, who also has an ACCA. We went back and forth with each other several times.

      Another reason CIA would be valuable is because few auditors have it. Of the 30 auditors I’ve worked with recently, only 2 had the cert.


  47. Isaías

    Howdy All,

    Pretty interesting article. Last year cleared CISA exam. This year I was planning to take one CIA exam at the end of the year but this article really cheers me up to take CISSP.

    I have some technical background; I used to be a network admin. Now, I’m the IT auditor for the company I work for. For those who ask if it is necessary to have tech skills to pass the CISA exam, I would say no. I mean, it can help to have a better understanding of the topics, but if you do not get ISACA’s logic in the exam, it will completely destroy you. I have some friends that are accountants and successfully passed the exam. Indeed, they took a course and did a lot of practice. So, study hard and you will likely pass the exam.

    This coming June, I enrolled to do the CISM exam. I would like to do the CISSP instead of CIA. Maybe next year, why not? I know it is a long and hard way to master all the domains but I know I can do it :)


    • Isaías,
      Thanks for your comments, especially how the CISA is not technical. I think it should be more technical, do you?

      I agree that the CISSP and/or CISM will be more valuable to you as an IT auditor than CIA. I think the CISSP is more valuable than CISM, regardless of whether you stay in IT audit or go back to IT.

      If you understand auditing pretty well, I’d skip the CIA altogether unless you want to understand the financial side better. If you have the desire, get them All!

      I don’t doubt you can master all domains either!


  48. SimonR


    I’ve been reading through your blog all day, especially the various comments throughout this thread, and hope you can give me some advice as well.
    I have a business administration background (from undergrad, as well as entry level work in procurement/budgeting/project management). For the last year and a half I took on an entry level infosec admin role with the same company (with no IT experience), while I pursued my MBA part-time. During this time I have also completed the CompTIA entry-level triad of certs: A+, Net+ and Sec+, per guidance of my employer to get on track with the basics.

    While these certifications did give a “boot-camp” fast-track to learning the basics, my role on the infosec team has been minimal and I would not consider myself to be in a position (or knowledgeable enough) to call the shots or influence change. My workload mainly consists of running vulnerability scans throughout the network and compiling reports, and running low-level audits against physical security systems, shared accounts, etc. On the positive side, I have obtained great exposure to our entire system/network, various teams/depts, and top of the line tools like FWs, Vuln. Management, log management, etc.

    I have taken an interest in IT audit after taking a systems audit class in my MBA program, and am now looking for the best way to get started (since the prof of the class was useless in that regard). My biggest concern is finding an appropriate track to leverage my MBA (once completed) with the time and effort I have already put into establishing a foundation in IT. Is an IT auditor role appropriate? Will studying CISA over the next 3-6 months, and assuming I pass the exam, put me into a good position for an entry-level IT Auditor role?

    Thank you in advance for your time!


    • Simon,
      I think you’re on the right track. Passing the CISA along with your MBA should allow you to find an entry-level IT auditor role, especially with your exposure to IT, vuln scanning, and doing low-level audits. That’s a lot less than the 2 auditors I know who had little to no IT background or audit background who both got IT audit jobs last year.

      If you missed it, see my reply to Jitendra above for some ideas.

      The best advice will come from IT auditors in your company, if any exist. If you can talk to the audit manager and ask for advice, they will often be happy to help, especially since an IT auditor shortage seems to be occurring (at least in the US; I get calls from all over the country, including Canada. And as the economy improves, the demand will go higher. The company I’m auditing for right now cannot find permanent IT auditors with any experience and had a hard time finding a decent IT auditor contractor).

      If you have no one in your company or circle of friends, contact the closest ISACA or IIA chapter and ask for help. Usually they can direct you to IT auditors in your area.

      Hope that helps.


  49. Nd,


    I have a BS degree in one of the basic medical sciences. After some yrs of experience in a Finance related organization, I prepared and passed CFE exam, I also passed CISA exams and got moved to Internal Control & Audit Dept.

    However, I am considering building a career path in auditing/risk management. The challenge is that my academic qualification (medical related) is in a totally different field. If I study and become a CIA, does it suffice for the academic qualification that I don’t have in an accounting related discipline?

    Would employers give serious considerations to employing a prospective staff with CIA, CFE, CCNA, CISA, and maybe a CISSP certifications for mid-management positions bearing in mind that the First degree is in a totally different academic field.

    I just got admission to undertake PGD in InfoTech. Do I run with the PGD / MIT since it strengthens the CISA or do I simply focus on CIA?

    What’s your advice?



    • Nd,
      By PDG you mean General Management Program?

      If you passed the CFE and the CISA, you are ahead of most of the auditors I know from a certification standpoint, whether they are financial/operational or IT auditors. So you have a great start.

      If you add the CIA to that, you should be okay (I’m speaking from a USA standpoint, as that’s the only business climate I know).

      Doing next the PDG or CIA? That depends. The CIA is 3 exams I believe and you can do it in 6 mos to a year; I would think the PDG would take more time and be more expensive. Other than that, do you want to manage financial audit or IT audit or both? That’s another factor to consider.

      Based on the little info you provided, I would think the CIA is a better route as it is broader than the InfoTech route, especially since you have an eye on management. To manage, you need broad knowledge of audit areas, not detailed knowledge that an IT auditor would need. The CIA will help more with that and will also give you some accounting basics.

      You might look into getting more accounting experience (free courses abound on the Internet, like I’ve posted some ideas before, mostly for IT, but many of them have accounting classes too, all free). Also see if you can work on as many finance related audits as possible.

      Have you thought of working for audit in a medical company? That would turn your background into a plus.

      The most important things you need to master in audit management are seeing the big picture across the audit department and your company’s operations, dealing with clients (communication), and managing people and processes. Most of that only comes with experience. Many companies have committees and projects that reach across the company, so I’d volunteer for some of those to gain additional experience and do some networking.

      So pick a path (I’d go CIA) and work as audit staff to gain experience. Either route won’t hurt you. Wish you the best. Mack


  50. COBIT

    Hello Mack,
    First off, thanks for all the valuable info in this website. I just found it today and this is the one I was looking for.

    I have an accounting degree and have been working as an XBRL (Extensible Business Reporting Language) specialist for a while. Due to countless reasons, I am seriously trying to change my career.

    From my working experience, I realized I am more interested in technology such as fixing technical validation issues, changing coding in editors and developing database rather than accounting which is my background.

    I have applied to IT auditor positions and had only a few interviews. However, because I either don’t have working experience or lack interview skills, I haven’t gotten any offer yet.

    I have a CPA license, but it seems having the CISA is a more effective way to get into the IT field, especially for someone like me without working experience. So I am considering taking the CISA exam and I would like to ask you some questions.

    1. Estimated study time to pass the CISA exam for someone w/o experience.
    2. What kind of career paths are there after passing the CISA exam?
    3. Working as an IT auditor, what are the things you like most about it?
    4. Is there anything I should do besides working on the CISA exam in order to get into the IT field?

    Thanks for your help in advance.


    • Cobit,
      You ask great but tough questions. You’ve indicated you’ve found some of the answers elsewhere on this blog, but I’ll add a few additional thoughts.

      1. At least 6 months. After reading the materials, use the test questions to see where you’re weak and restudy those areas.
      2. IT auditor, compliance, and other regular IT jobs. These days, lots of IT jobs have compliance components or have to deal with auditors, so the cert helps you almost anywhere in IT.
      3. I love learning new technology and testing it, as well as helping people understand the implications of managing technology and processes appropriately. I love being able to work across the entire company. See my post here for more reasons:
      4. Get a PC, load Windows Server on it, and play with it. You can get a free 120-day trial license from Microsoft. Read the ISACA “What every IT auditor should know about X” series. I wrote a post about it. Read everything about IT that you can in free online magazines like Computerworld.

      Finally, don’t discount your accounting experience. It’s very valuable. The best IT auditors understand auditing, finance, and IT. (remember, lots of IT auditors don’t really get IT, so you’re not far behind them, and you have accounting knowledge that they don’t).

      So go forward and conquer. Lots of auditors learn on the job! You’ll do fine.


  51. COBIT

    I really appreciate that you took time to answer my questions. Your comments really help me to have motivation for the CISA exam and to decide on career directions, especially #3, since I also like to play with new technology.
    I definitely will read those articles you recommended and may bug you again if you don’t mind.
    Thanks again!!


    • Cobit,
      I don’t consider it bugging, and I don’t mind. I have leaned on many others in my career (did it again today, in fact), and enjoy helping others. All I ask is do the same when you can.

      I look forward to our next chat.


  52. Frank

    I have taken several certification exams, in order taken (With BS in Accountancy) CISA, CISM, CPA, CIA (After Masters of Accounting and Information Systems) CISSP. I think the CIA was the easiest. In order of difficulty I would say CPA, CISSP, CISA, CISM, CIA. The only test that came close to the CPA exam in difficulty was the NASD series 7.

    I do think the CIA is a needed certification. Having been a financial, internal and IT auditor, they are all different and each type of audit has a different objective.

    As a side note, when I see “Information Security” jobs posted that ask for a CISSP, CISM or CISA certification I feel that the recruiter really doesn’t know what the CISA does. The CISA has no business being involved in the Info Sec operations side, but it is useful for policy development and testing/enforcement.


    • Frank,
      It doesn’t surprise me that the CISSP was 2nd hardest. I know someone going to a CISSP boot camp soon and doesn’t plan on studying beforehand. We’ll find out whether he knows his stuff, I guess. I’d be surprised if he passes.

      In my boot camp class, half of the class failed. Most didn’t study before the class. I studied 6 months before the class, and I still thought it was tough, but I knew I passed when I walked out of the exam.

      I was surprised to hear how easy the CIA was for you. I wish I would have plowed ahead and taken the exams; I did study for 3 of the 4 exams a while back.

      I disagree with your CISA/security position assessment. Security people deal with auditors all the time, and that would be a good cert to have. Not crucial, but doesn’t hurt. I think having an audit mindset would be helpful in most technology jobs.

      However, since I consider the CISA a lightweight cert due to the number of people who pass it without understanding IT, I can also agree with you a little (NOTE: I still think the CISA is critical to GETTING a job as an auditor, and you will learn some stuff when you study for it; I just get irked that it is so easy to pass).


  53. Siva


    I hold a B. Tech in IT, and I started my career as a Software Developer. After a few years of an S/W development career, I completed the CISA exam and switched my career to auditing. Currently I have worked as an IT auditor for over a year and a half. In the meantime I also took other IT certifications, CEH and GSNA. I do not have any accounting background.

    So far I am a pure IT auditor. I am also wondering, would it be good to try the CIA or CFE to improve my value? Although I do not want to switch my audit field to non-IT.

    If so, do I need accounting knowledge as a prerequisite for the CIA and CFE?

    Is it really worth trying these certifications?

    -Siva (From Hong Kong)


    • Siva,
      Keep in mind my response is based on my non-finance background. Like you, I am strictly an IT auditor. But based on my experience and the other auditors I know, here’s what I think. (Those of you who have experience with this situation, or that are finance/operations auditors, or IT auditors who also know finance, please add your thoughts…)

      I would study for the CIA and pass that. That will expose you to a bit of finance background. My suggestion is to study and pass that exam first. That will tell you where you need to focus. The other 2 exams for that cert shouldn’t give you any trouble.

      I think the CIA would be a great add to your resume, and the CFE certainly will help.

      You also might want to check out the free financial online courses at places like or Many free courses exist, and these are only 2 sites.

      Wish you the best, Mack

      What does everyone else think?


  54. Sujith

    Hi All,
    I have 8 years of experience in application development and data architect field. If I can use that experience to get the certification after passing the CISA exam.

    Your advice would be greatly appreciated.



  55. Dibyangana


    I have an MBA in Finance and 4 years of work experience in SAP FICO consulting. If I want to continue in SAP FICO consulting and want to appear for the CISA exams just to boost my career, will that help? How much finance/accounting knowledge will be applied in studying for the CISA exams?

    Thanking You


  56. Ramesh Kumar Shetty

    Very nice information thanks a lot


  57. ME

    Hi, I’d like to know if it’s better to do self review first before going into online review for CISA. Thanks :)


    • ME,
      I’m not following you. Do you mean the self review I linked to? What online review? You mean purchasing the CISA online materials?

      If you mean read a CISA book before doing the online materials, I would suggest doing the reading first, but I doubt most people do that.

      If you want to learn the material, read the book, then do online. You’ll get the info twice in 2 different formats.

      If you just want to get done in the shortest amount of time, just do online, but keep in mind you may not pass, depending on how much you already know about audit, controls, and IT in general, and how well you understand the material and can apply it in different scenarios.

      It depends on 1) how you learn best (not everyone learns best from reading), 2) what your ultimate goal is, and 3) how much you already know about audit and IT.

      In my opinion, when you cheat yourself, you cheat yourself. You’ll pay eventually.


  58. Saim


    I have done an MBA and am doing a job in a Compliance department. My passion is to earn good money. As I was having a conversation with my cousins, who are in the IT industry, they were saying that they are getting handsome salaries compared to me, which urges me to pursue an IT-related certification so that I would be earning more, but one of my financial colleagues suggested I pursue the CIA… I am confused about what to pursue. In addition, I don’t see any job posts related to CISA in my country, i.e. Pakistan, which again influences my decision. I might take a thorough decision because I have to pay from my own pocket :) Hope to get the answer



    • Siam,
      I’d listen to those closest to your situation who know your country and economy better….

      I would not choose IT auditing unless you enjoy technology and constant learning to keep up with tech changes, and unless you have a proficiency with computers.

      The CIA is broader and more applicable to more types of auditing, but if IT auditing is your goal, CISA is easier, cheaper, and faster to obtain. See my post CISA vs. CIA Certification; the link is above on the right under TOP 7 POSTS.

      After you make your decision, I’d be interested to hear what you decide and why. Regards.


  59. Sonja


    I am currently working in IT audit and passed my CISA examination this year. I want to remain in IT audit and considered doing my CISSP, only to find out that, as with CISA, you need working experience in IT Security, which I do not have and am not sure whether I will be able to get. I have applied for entry level jobs in IT security but have had no success.

    I have also done my CompTIA A+ and have been playing around with the idea of doing CIA, or the other CompTIA’s (N+ and Sec). What would be your suggestion as I am not able to do CISSP at this stage. I am currently registered for ISACA’s cybersecurity fundamentals exam, just to keep busy while I make up my mind.

    Thank you.


    • Sonja,
      You do not need experience in security per se, but in SOME of the 8 domains that the CISSP covers, which are:

      1 Security and Risk Management (Security, Risk, Compliance, Law, Regulations, Business Continuity)
      2 Asset Security (Protecting Security of Assets)
      3 Security Engineering (Engineering and Management of Security)
      4 Communications and Network Security (Designing and Protecting Network Security)
      5 Identity and Access Management (Controlling Access and Managing Identity)
      6 Security Assessment and Testing (Designing, Performing, and Analyzing Security Testing)
      7 Security Operations (Foundational Concepts, Investigations, Incident Management, Disaster Recovery)
      8 Software Development Security (Understanding, Applying, and Enforcing Software Security)

      As an auditor, you likely have experience in domains 1, 6, and 7, maybe more. If you have enough years experience in any of those areas, that should be sufficient.

      Take another look at your experience and see how it might apply. I’d stay on the CISSP track.

      I’d be happy to discuss further if you’d like. Mack


  60. Kishore

    Great blog, Mack. Thanks for your wonderful advice to the needy ones.
    I have CISA, ISO 27001 Lead Auditor, ITIL (F), CeH certifications with 9.5 years of experience in Information Security Management, Consulting, Compliance, Audits. I have some plans to apply for US jobs in a year or so (I know it’s a lengthy process). I also have plans to write CISM this June’16. Can you please help me understand how the scope and demand are (firstly) and of course the payout for my profile in the US, and would it be a good call to move to the US (if I get a chance)? The reason I ask this question is, I see there are thousands of CISA/CISM certified people in the US right now, and would I be just one among them?



    • Kishore,
      If you mean as an IT auditor, your chances of success are excellent, strictly speaking to your certifications and skills, assuming everything else is equal, and you have no skeletons or monsters in your closet (background).

      We have a shortage of IT auditors and are hurting for GOOD IT auditors.

      The question I would ask you, is why work as an IT auditor? You’d probably make more in the security field, but with your background, companies would certainly want you.

      I only know one person who holds the CISA and CISM, and he works in risk management. Most auditors are not going to hold both of those, as I think it’s overkill. It won’t hurt you though.

      Best wishes, Mack.


  61. Kishore

    Thank you Mack. I have been into information security for most of my experience and recently moved into Compliance and Audits due to the demand in India these days. Having said that I don’t want to confine my skills/experience to one area of Audit/compliance/risk/information security. So I always wanted to do certifications as a combination of these skills which allows more flexibility when needed.

    Again, I appreciate all your advice and the help you have been giving for so long. Thank you, Sir!


  62. sri nandu

    Thank you for the article; it gave great insight into what is needed to be part of IT audit.
    I plan on entering this path but have no clear experience with IT audits. I just completed my Bachelor’s and am pursuing a Master’s in Information Systems Security.
    I have the CEH certification. Can you please let me know if it is worth/beneficial writing all those certifications you mentioned above now or later? Seriously, I want to pursue the IT audit career path with a concentration on IT security.
    Please guide me through my dilemma.


    • sri nandu,
      If you want an IT auditor position, you either need to have the CISA cert or have broad IT experience. When I became an IT auditor, I did not have the CISA for 2 years, but I had over a decade of experience in IT break/fix, networking, system administration, change management, etc.

      Since you don’t have IT experience, you need the CISA cert. Otherwise, you will not know how to audit IT processes, systems, etc. A masters in IT will help, but it’s not the same as working in various positions in IT for years.

      If you want to specialize in IT security audit, you need more than just CEH. That’s why I recommend the CISSP as it is a mile wide and an inch deep.

      So yes, get the certs. You’ll learn a lot in the process.


  63. Ahmed

    I found this post very interesting and very helpful.
    I am actually very confused right now. I am completing my bachelor’s degree in accounting from Canada.
    I intend in doing my masters in the U.S. At first, I was considering going to do a master in Accounting in order to do CPA since my dream is to be an auditor.
    While carrying out research, I discovered certifications like CISSA and CISSP, which I did not know existed before. According to that research, IT auditing will have more opportunities. Would you advise me to pursue a Master’s in IT auditing and cyber security or a Master’s in Accountancy?
    Note that I don’t mind putting in extra effort in order to obtain any of the certifications.
    Thanks again for your help.


    • Ahmed,
      IF you have an interest in technology, computers, networks, applications, etc., then by all means, pursue IT auditing as a career. Good and bad IT auditors are in short supply in the US.

      However, if you are the type of person who doesn’t try to figure out smartphones, applications, and technology yourself, and if you don’t like learning constantly, don’t go into IT auditing.

      Instead of pursuing a Masters in IT auditing, I’d pursue information security or something more general. Then when you’re done, you can then go into IT auditing, security, or information systems.

      If you pursue IT auditing masters degree, you won’t learn as much about technology and security. If you don’t pursue IT auditing masters and go the more general route, make sure you take as many auditing classes as you can, including finance and accounting.


  64. Anthony

    Hi ITauditSecurity,

    First of all, your site is a gold mine of information. I love how you tackled this topic with impartiality.

    My name’s Anthony and I am an Internal Auditor. I have been working for 3 years (1.5 in a big 4 financial external audit and 1.5 in operations internal audit for an oil/gas company). I am contented but I know for a fact that the geek inside me just wants to let loose. Making the shift to IT audit will make me (and okay, maybe my wallet) very happy.

    I’m planning on taking both CIA this first half 2016 and CISA on the latter half. My question is, if ever I do get into an IT audit job after I get both certs, will it be hard for me to adapt and perform the IT specific audits? Given that my experience is heavy in operational audit (with just cert in infosystems audit) but no hands on background/experience on IT audit.

    I’m targeting for a supervisory position so I dunno if I would actually fit the mold. Maybe I’ll just end up being a laughing stock. What do you think?


    • Anthony

      Just to add. :)

      What are your views on professionals without IT/IT audit experience but want to grab the CISA before actually entering the arena.

      Thank you


      • Anthony

        P.S. These are just plans and I am hoping to get unbiased advice from a trained professional. Please do feel free to tell me your honest opinion, ITauditSecurity. I trust and respect your prowess on this. Thank you!

        Sorry for flooding this comment. ( I hope there was an edit comment portion in wordpress). haha


    • Anthony,
      Glad you like the blog; I appreciate the feedback.
      You ask some great questions.

      I think you’ll be able to get and succeed in an IT audit job for the following reasons:

      – You describe yourself as a geek. I’m assuming that means you enjoy technology and trying things. That you’re not afraid of exploring and experimentation. That you enjoy learning.

      Unfortunately I know employed IT auditors that don’t have those qualities. And they work for BIG companies, names you would know.

      – You already have a foundation in audit. That will help you with both certs. A lot of IT auditors come to the job with no experience in IT and no experience in audit. If others do that, you certainly can.

      – As I’ve said before, IT auditors are in high demand. Good ones. New ones. Bad ones. They all eventually get hired.

      – Most IT auditors don’t have both certs, just the CISA. You will learn a lot about auditing and some about technology as you study for those certs.

      – Most IT auditors learn on the job; it never ends. (Most jobs require on-the-job learning. I never thought I was qualified for any of the jobs I accepted, but I believed in myself, dug in, Googled a lot, and found mentors.)

      – IIA, ISACA, and Auditnet (search my blog for more info on Auditnet) have good audit plans for most technologies and are a good place to start if you don’t know how to audit some aspect of IT. They will give you questions to ask even though you may not understand them. When your auditee answers them, you ask questions like “Why do you think X is important or not?”

      In regards to the certs:

      – Getting a cert before working in a field is a good idea. However, with CISA, you can’t be awarded the cert without the appropriate 5 years of experience. What you’ve done so far will count for some of it at least. At least you can tell employers you passed the exam and are still working on the experience requirements. That trumps someone who hasn’t passed the exam and shows you have a proactive plan and drive.

      – I would tackle the CISA before the CISA. It’s only 1 exam, easier, and cheaper. It’s also the de facto requirement for being an IT auditor.
      Furthermore, the CIA is 3 exams, harder, and more expensive. Unless you are planning to have very little of a life outside of studying, I would plan on more than 6 months to pass those exams. A year is more realistic, but that depends on your motivation, time available, and other commitments.

      Happy to discuss more. Wish you the best. Mack


      • Anthony

        Yes! I’m definitely not a technophobe. I love tinkering my computer and learning about IT technical stuff. Also, I firmly believe that tackling the IT controls of ANY company will address more than half of the hard hitting risks during audits.

        Thank you so much for the insights on these audit plan resources! I think this could be another big article for you. You can share your own IT audit plans, programs, etc. (or even sell them).

        Re. the certs, CIA is actually available in my current company as “scholarship plan” but has a bond of maybe a year. Most of the CIAs in my country (the Philippines) finish and pass in about 6 months, depending on your audit experience, study speed, learning capacity and available resources.

        I will highly consider the CISA this year and start developing my skills! I don’t want to be one of those IT Auditors that are just in it for the money, although it is a good motivation.

        Thank you so much for the insights, Mack. It’s very rare to find a good blogger and mentor online, especially on these topics, but You are definitely one of those.

        Wishing you all the best!


  65. CV

    Just passed my CISA. I’m doing CRISC next to get a deeper understanding of IT Risk as the CISA just scrapes the surface.

    After that, I’m wondering if CISSP or GSNA is better, thoughts?


    • CV,
      Sorry I didn’t see your question earlier. I missed it somehow; I try to respond rather quickly.

      You didn’t tell me what your end goal is, so I’ll have to assume you are a beginning auditor, so I’ll approach it from that point of view.

      I have CISA and CISSP certs. The CISSP is more for understanding security across several domains at a higher level, whereas the GSNA (GIAC Systems and Network Auditor) is more in-depth training regarding how to audit. They are totally different certs.

      If you are pursuing IT audit, I would suggest going for the GIAC cert as it is more specific to auditing. While GIAC certs are respected, they are not as well known as CISSP, so some hiring managers and screeners may not be familiar with it, so if you go that route, make sure you specify in your CV, cover letters, and interviews what the cert is about.

      Also, the people you audit will be more familiar with the CISSP (especially IT folks, and they respect that cert).

      The other big difference between the CISSP and GIAC is that the CISSP has experience requirements while the GIAC does not. Also, the GIAC has 3 different levels of certification. If you obtain a higher level cert, make sure you make that clear on your resume/interviews.

      In summary: the GIAC cert will help you be a better auditor; the CISSP is better known and will help you get the job. Either cert is good; it just depends on your end goal.

      If you have the time, the money, and are willing to study hard, get both.

      The CPEs for the CISA can also be used for the CISSP (that’s what I do). You might want to look into how the GIAC is renewed and whether your CISA CPEs can be used for that.

      If you clarify your end goals, I might be able to give you more direct advice.


  66. HDi

    Great article sir. I have also cleared CISA recently.


  67. Dibyangana saha

    Hi ITAuditsecurity,

    Hi, my name is Dibyangana Saha. I am interested in appearing for the CISA exam but would want to know if I will be eligible to achieve the certification or not. I have a B.Tech in Electrical Engineering from West Bengal University of Technology, Kolkata, India. It was a 4 year course (2005-2009). After that I have an MBA in Finance (2 year full time course) from Symbiosis International University (2009-2011). Since 2011 I have been working as an SAP Finance and Controlling (FICO) consultant (2011-2016). I have currently completed 57 months of work experience. My job requires me to have a good grasp of Finance, Financial accounting, Management accounting, Business processes as well as IT. However, I do not have experience in IS audit, control, security or assurance. I will be continuing as a Financial consultant in the IT industry and hence am wondering whether CISA will help. Will my SAP FICO experience be counted to meet the eligibility criteria to achieve the CISA certification? Please do respond.


    • Dibyangana saha,
      I’m not sure your experience will qualify you. The work requirement is “five years of professional IS auditing, control or security work experience” per

      I am not familiar with what a AP Finance and Controlling (FICO) consultant does, but a quick Google search didn’t convince me it would qualify. The best thing to do is contact ISACA and talk to someone.

      It sounds like you do have a good background, but I’m not clear as to what the CISA will do for you unless you want to focus more on how to build SAP processes that have appropriate financial and IT controls. It certainly won’t hurt you, but since I am not real familiar with the FICO work, I can’t give you a wise answer. Sorry.

      Anyone else have any input?


  68. Abhimanyu Sharma


    Thank you for a wonderful article.

    I am a Unix/Linux and IT infrastructure administrator. I have 8 years of experience in it and now I am feeling that my career is stagnant.
    Therefore, I want to add more skills to my profile relating to auditing and security of IT infrastructure.

    I am looking forward to go for CISA certification. Will that be appropriate? Will it add benefit to my job profile of Unix system administrator? I personally feel that knowledge of IT security along with system administration skills can land me in perfect position.

    I appreciate if you can advise on it.


  69. Hi Abhimanyu,
    CISA will give you a better understanding of auditing and risk. I can’t say it will help you much in your *nix administration other than give you a wider security perspective unless you start working more with compliance and audit staff.

    It certainly won’t hurt you. You don’t sound like you want to head down the audit path, so I’m not sure CISA is what you want.

    If you want to grow more in security infrastructure, I’d suggest a network course like SEC401: Security Essentials Bootcamp Style at Then you might consider a GIAC course. Depending on which area you are most interested in, you might want to check out the GIAC roadmap at

    Based on the little information you gave me, you might be interested in intrusion analyst or incident handler. Usually, having a solid understanding of networking is key. Hope that helps.

    I realize these aren’t cheap. See if your company owns any self-study courses that you can take advantage of.

    You can also take free classes online. Check out for example. Colleges all over the world offer free classes, which include video lectures, exercises, and even grading. Wish you the best.


    • Thank you Sir, for your advice. I went through GIAC roadmap and other certifications offered by them and (ISC)2.
      Now , I am planning to follow the path like below :-

      I appreciate if you can see, if that is the right approach.

      Also, my organization is reluctant to bear the cost due to its high price, so I have to bear it by myself. I am looking at and other relevant sites for study material, as you suggested. Any relevant website or book which I can purchase to prepare GCUX?

      Thank you, once again for your help :)



      • Abhimanyu,
        I’m still not sure what your overall goal/destination is. Assuming you want to stay in UX administration, the GCUX > GISP > GSNA looks good. Once you get these 3 certs, I don’t think you’d need the CISSP, as the GISP is similar to the CISSP, according to

        As far as cost, the CISSP would probably be cheaper, as several good books are available for that cert. I don’t know of any good GCUX books. An Internet search should provide some choices, but make sure you find someone discussing the value of the website/book before you purchase anything. Get some input from your network or security team.

        The one thing I didn’t see in here was network training/cert, especially if you want to move out of UX admin into infosec….

        If you want to get into IT auditing, this path is not the best. I’d suggest CISA, then CISSP. While GSNA would be great for an auditor, it’s not where you need to start.

        Cheers. Mack


  70. Shan S

    Nice article with lots of practical info that you won’t find elsewhere!! I have a question though. I have more than 7 years of experience in internal audit in quality assurance (standards like ISO 9001, ISAE 3402 etc.). I plan to switch to IS auditing. Do I qualify for the 5 year experience part of CISA or only the 1 year exception?


  71. Tuba N

    Reading through your blog was immensely helpful! I am definitely considering taking CISA. I don’t have a completed accounting degree and currently work as a staff accountant in an insurance company. I want to take the CISA. What are my chances of landing a job as soon as I pass the CISA exam without a degree? I am currently residing in the US. I know the CISA certification doesn’t require a degree which works in my favor. Any help is appreciated.


    • Tuba,
      Glad you like the blog and took the time to say so. It’s appreciated.
      I assume you know that you don’t need an accounting background or accounting degree to work as an IT auditor, which is who the CISA is for. Most companies want a college degree, but having the CISA will be in your favor. The problem is that you’ll be going up against others with college degrees that have the CISA.

      You mention accounting, but I assume you want to move into IT auditing. If you don’t have IT background, a CISA will help. The US is screaming for IT auditors right now. A company I was at a couple months ago couldn’t find IT auditors at a decent price, so they hired 3 non-IT auditors. Two had worked in IT, but had no audit experience. The other is a new grad with no IT or audit experience. None of the 3 had the CISA.

      I’m assuming that you don’t have much IT experience. Your chances go up with the CISA, but without a degree, I don’t think that’s enough. If a degree isn’t something you are working on or can work on anytime soon, ask some of the auditors at the company you’re at for advice. That’s your best bet.

      If you have IT experience and obtain the CISA, and are willing to work on a degree once you’re hired, your chances are better.

      I wish you the best.


  73. Devchand

    Hi there I have a degree in auditing and over 12 years experience working in the internal audit profession. I am contemplating doing the CISA exams however I am worried if I pass how will I get the required 5 years working experience.


    • D,
      It depends on what your auditing experience is. If you have not consistently done any work in information systems auditing, control, or security, then you probably will not qualify. You can use 1 year of non-IT auditing and 2 years from your degree, but you’ll need another 2 years of some type of IT experience (5 years total).

      I think you’ll need a sponsor to sign off on your experience. Talk to that person as to whether you qualify. You can always call ISACA and talk to them.


  74. Paul

    I really enjoyed your blog. I have always been interested in computers as a child. Somewhere along the line I went into financials and I am now qualifying as a chartered accountant. Currently working as an auditor. I miss my IT experiences. How can I get into IT auditing and obtain CISA? I am also considering a master in finance which I haven’t started.


    • Paul,
      You seem to be going down 2 roads at the same time. Why get a masters in finance and also get started in IT auditing? While having both would be helpful, I don’t see that all the work both will take will be worth it. That’s just my take based on your limited comments–one person’s opinion.

      To get started in IT auditing, see my recent post, “New IT Auditors Start Here.” Then read my CISA articles (see the link at the top, upper right of this page) and pay attention to the comments, where I have answered this question in several different ways.


  75. Akshay Misra


    I was just confused searching the Internet for CISA, ECSA, GSNA certifications and luckily stumbled upon your blog.
    This post started in 2013 and it’s still alive in 2017 shows the heart you put in while writing this blog :)

    I am a network administrator in my organisation for past 7 years. Due to my personal interest, I have also attended many IT security and basic hacking courses too, although I don’t have any certification as of now. I have a Post Graduation diploma in Cyber Laws.
    I have a very little experience in IT auditing. But I am really interested to take up this field as my career.
    I was planning to get ECSA certification first and then appear for CISA certification. Someone also suggested SANS’s GSNA certification to me.

    Is it a good move to take up IT auditing as a career considering my job background and the fact that I am already 29 years of age?

    I am really confused. Hope that you could guide me a little.
    Awaiting your reply.



    • Akshay, I was much older than you when I became an IT auditor. Much older. Don’t let that stop you.

      If your focus is IT auditing, your next cert needs to be CISA. If you don’t understand auditing, you need to get the CISA as that is really the only required cert for that job.

      Your understanding of networks and security will be a great help and your hacking knowledge is good although you seldom hack as an auditor.

      You might face a drop in pay but not too much with your background. Sell the hiring manager on your security and networking skills. The audit knowledge will come with the CISA and experience.

      Let me know if you have other questions. Mack


  76. Frank Udoh

    Hi Mack, I do have a concern. I currently work as a compliance professional. My dream is to become an IT Auditor. I am from a technology background, I have programming experience, I have had an Application Analyst experience and I have supported applications. But now I am 37; do you think that age is a barrier in breaking into IT Audit? I have no auditing experience but I am hoping the CISA training I plan to enroll for before the CISA Exam will provide some insight. Please, what are your thoughts about age and breaking even in the IT audit career?

    Thank you and regards,


    • Frank, if you missed it, see my recent post how to get an IT audit job with no experience


    • Frank,
      Well, let me say this: I was older than you when I started in IT audit and you’re now asking me for advice. Nuf said? Go for it.

      So many run-of-the-mill IT people have been laid off in the last few years and they are getting hired as IT auditors; grief!

      You have a great background and you can’t find IT auditors anywhere. With the CISA under your belt, you will be able to compete. The issue will be salary, but don’t sell yourself short. Sell employers on what you do know and the IT experience you DO have. So many working auditors don’t understand IT, and you will be ahead of some of them.

      Compliance staff make great auditors, especially those with IT experience. With a programming background, consider helping with audit analytics, another possible selling point. Go for it!


  77. Charly

    Thanks for your post. A lot of good advice in there?

    How do IT risk careers and certifications like the CRISC fare in the mix of things, seeing that audit and security are leaning more towards applying risk-based approaches?

    I really like IT audit and security but audit seems too much after-the-fact while security gets too much of the heat. Is it ok to say that IT risk and control functions are more pro-active than audit while more cool-headed than security?

    IT risk advisory career seems more like a middle ground (I’m probably wrong). What’s your take?

    Thanks once again.



    • Charly,
      By risk advisory, I assume you mean folks who advise teams as to how to ‘bake security’. Essentially, they advise on how to deal with risk, but you don’t audit or implement the technology or the process.

      I agree with you for the most part. While audit has traditionally been reviewing items after they occur, that is changing. The audit team I’m on now does some advising and some looking forward testing. Of course, audit has always tested for efficiency and recommended improvements, which is more looking forward than back. I expect that to continue to change, but for the most part, it is mostly looking back.

      Security is very much in the heat. I have worked as an IT drone, security analyst, security manager, and auditor. Security has positions that are on call 24/7, unlike auditors, although some IT risk advisory jobs may be on call also, but not many.

      In audit and risk advisory, you’re not on the hook; in security, you are more on the hook when something goes wrong. In risk advisory, I would think you would be part of a project here and there, where in security and definitely in audit, you tend to be in the project from start to finish.

      In my experience, risk advisory seems to be paid more than security or IT auditors, but I haven’t done any comparisons across multiple companies.


  78. Art Yip

    Hi Mack,

    I want to thank you for writing such an informative article on CISA vs. CIA Certification. I’m a financial/operational auditor (CPA, CIA) that decided to expand my career into IT Auditing. I took and passed the CISA exam back in Dec 2017. I’m now doing IT audits to gain the experience and the certification for the CISA.

    I want to say that your comments about the CISA as “only a chip shot from the CIA” is totally on the mark! Your other comment on the CISA as more audit than IT also gave me the courage to take on the CISA exam!

    It’s sad to hear companies are so desperate for IT auditors that they’ll take any that resembles one! I hope to eventually become one of the better ones out there!



    • Art,
      Thanks for the kind words. Glad I was helpful.
      The difference between you and most new IT auditors is that you already know how to audit. Most newbie IT auditors know IT pretty well or some, but don’t know how to audit.

      I know our department has hired at least 2 people as IT auditors who didn’t know either. One was already with the company and had some other risk-related experience; he does okay after a couple years, but not great.

      The other still doesn’t get IT or auditing.

      The other diff is that you seem to be a go-getter. The 2 I mentioned are not like that, especially the second one. You’ll do fine.

      Best wishes to you. Let me know what you think of the other posts, and whether you’d like me to address a certain topic.


  79. GH Tang

    Hi Sir,

    I’m currently working as an Internal Auditor in a public listed company for around 5 years. Prior to that, I also worked in a big4 audit firm (3 years) & as an accountant (2 years). I managed to get Certified Internal Auditor from IIA, apart from an Accounting Degree.

    I’m actually looking at CISA exam and not sure whether I should go ahead with it, mainly due to the following concern:

    1) I don’t have any direct IT auditor experience, all my audit experience was more on financial or operational audit. Occasionally, I was tasked to audit IT scope but that was very small portion of my Internal Audit Job.

    2) To be certified as CISA, 5 years of IT experience is required. It is impossible for me to get this IT experience in current company where most of subsidiaries are very traditional type which required simple IT set up.

    Also, it is difficult for me to start as a fresh new IT auditor because I can’t get jobs at a similar level to my current salary. Which means if I pass the CISA exam, I will need to downgrade my salary in order to fulfill the experience requirement? (maybe I understand wrongly?)

    3) I do think IT audit, or getting CISA is much more future proof especially to work in Multi National Company (MNC) environment. CISA is challenging but I think exam is doable with dedicated efforts.

    With this in mind, what is your advice in terms of lack of IT experience? Is it worth taking the CISA exam?


  80. Sir,
    I like the way you thought this through. I still think you should study for and take the CISA exam. Here’s why…
    1) You want to increase your experience/knowledge and seem to have the interest in it. Preparing for and taking the CISA will give you some head knowledge at the very least, which is better than you have today.
    2) To get the experience, you can ask your current company to give you more opportunities. Hopefully, they will. If not, after you get the CISA, then consider moving to another company in a similar position that you have today, but make sure you tell them you want to work on IT projects. Some companies will hire regular auditors and train them to be IT auditors due to the shortage. You could sell yourself as a good general auditor who is ready to learn IT audit and grow into it over time. A win for you and your new company.
    3) Many IT auditors, like myself, don’t understand the operational and finance side of business as well as we’d like to. You do, and after you get the CISA, you will have at least some understanding of IT also, which makes you more valuable. But you have to sell yourself and your skills to ensure companies see this.

    You are correct in that you might have to step down in salary to be hired as an IT auditor, so I would continue to audit as you are today, but start thinking about and suggesting some IT testing that you could add to your audit. Regardless, by taking on the CISA, you WILL be moving forward, just not as fast as you like.

    Think of it this way: If you don’t take the CISA, where will you be in 5 years? Same place you are today….so go for it.

    And don’t forget to talk to your IT auditor colleagues and IT people at your company about any items in the CISA you don’t understand. People love to help others, especially in their field.

    I wish you the best. Let me know if you have any other questions.


  81. Bill DeLong

    Mack, I have been in security for a while and currently do third party security audits. I have both the CISA and CISSP. I have been toying with the CIA and even the CPA (I have my MBA already). What other certs would you recommend and books you would add to an auditor’s library? Thanks


    • Bill,
      I’m not sure what your goals are. I’ll assume you want to continue to do audits, but perhaps broaden beyond IT/security audits. I’m also assuming you work in an internal or external audit department or want to.

      Disclaimer: I have the CISA and CISSP. I don’t have the CIA or the CPA. When the CIA was still 4 exams, I studied for all of them except for the financial part, and realized I didn’t like the financial side that much, so I never took the exams. The finance side just didn’t compute in my brain, so I changed course. Since then, I have helped with financial audits. So keep this in mind as you ponder my advice…

      Given your assumed goal, I’d suggest that you do the CIA next as that will require you to gain a basic understanding of finance, which will help you if you pursue the CPA eventually. You may find you don’t like the financial side that much, but will learn enough to make an impact to your career and broaden what you can contribute to an audit. If you’ve been doing audits according to IIA standards, you should be able to pass the CIA as long as you know the financial side. The IT side you already have down.

      I don’t suggest you go for the CPA first because that’s a deeper dive into the financial world than the CIA. Also, I think the CIA would round you out better than simply the CPA. I’d get the CIA and then work your way into operational and financial type audits. Gain a little experience and then consider the CPA.

      After the CIA, if you enjoyed the financial side, then go for the CPA. However, keep in mind, even with the CIA and CPA under your belt, you’ll still need to prove yourself in the operational and financial audit space.

      One last comment…in the financial audits I’ve been involved in, and reading the test steps of the ones I’ve watched others do (in several different Fortune 500 companies and smaller companies), it does not appear to me that most of these audits require in-depth financial understanding. Now I can’t audit financial statements and taxes, but I understand debits, credits, and journal entries, and the controls you need to have around cash, invoices, and payments. It doesn’t seem like you need a CPA or deep finance smarts to do most of the financial audits I’ve seen (all you CPAs out there can beg to differ with me–please do–I always appreciate other input).

      Wish you the best, Bill. Merry CHRISTmas.


  82. Hi Mack, great article, loved it.
    I am an internal Auditor from India, currently I hold MBA & CISA, soon I am moving to Canada and I am not ashamed to say that I am literally fed up of Internal Audit role (too monotonous and boring), now I will be applying for the role of IT auditor, I have some experience of IT and I loved that part of my work. As I will be moving to a new country, I am thinking about getting a few more relevant certifications to make my CV stand out and learn some more skills, I am thinking about CompTIA CySA+ or CRISC or CISM (I checked the syllabus of CISSP, that’s a bit out of my league right now, I will need at least an entire year’s work before I can give a shot to CISSP) so, what do you think will be the right path for me? I will appreciate your expert opinion, I am considering at least one of the certifications that I mentioned above but I am not sure which one will be good for me, I wish to work as an IT auditor now, not as an internal auditor. Please help me out.
    Thank you in advance.


    • Hi Anuj,
      Glad you like the article and I’m happy to give you some advice.
      First of all, if you are bored with internal audit, then either the audit process you’re in doesn’t embrace audit innovation (what can we do different or in addition to what we have to do or traditionally do) or doesn’t embrace data analytics. I would guess both.
      Glad you’re moving, as IT audit can be just as boring if the audit process you have to follow is lacking. In other words, I would place the blame on your management, not audit in general.

      Having passed the CISA, you should be able to get IT audit work now, as long as you understand audit procedures (you obviously do, and that’s more important than understanding IT) and the IT concepts, risks, and processes that the CISA is built around. Make sure you emphasize in your CV that you have at least some understanding of both sides of audit: operational/finance and IT audit, and that allows you to do a more holistic audit.

      Unfortunately, you haven’t told me the following: 1) how much IT knowledge you have and 2) how long you think it would take you to do a cert other than the CISSP. I will assume you have some general IT understanding and that one of the other certs will take you about 6 months.

      Given your concern about the CISSP, I’d go for the CySA. While it is more focused on a security analyst role, it looks like it would be helpful–if you can do it quicker than the CISSP.

      The difference I see between the CISSP and CySA (based on a quick review of CySA) is that the CISSP is a mile wide and an inch deep, while the CySA is a quarter mile wide and 1 foot deep. In other words, I still think the CISSP is more applicable to audit and would set you apart more than the CySA. And the CISSP is more well known and respected. The CISSP lays the foundation for IT and security across the board, which is closer to what an IT auditor needs.

      If time is critical, go ahead with the CySA; it won’t hurt you at all. But as soon as you pass that, go for the CISSP. To stand out more, you have to have the CISSP.

      Otherwise, go now for the CISSP and put on your CV that you are studying for it and expect to take the exam on MONTH/YEAR. Even if you haven’t passed the exam or pass the exam but don’t have the work experience yet to get the CISSP cert, the fact that you’re studying for it or have passed it will help tremendously.

      That’s my opinion, based on my jobs, experience, and people I know who are auditors or have the CISSP in the US. Not sure how Canada could be different.

      Let’s keep talking if needed. Wish you the best. Cheers!

