Full disclosure: I have the CISA, but not the CIA. Back when the CIA was 4 exams, I studied for all the CIA exams except the financial exam, but ended up not taking any of the exams. I also have the CISSP.
The CISA is the gold standard for IT auditors and requires that you know the basics of auditing and a little about IT. Most IT auditors get it or wish they had it; some non-IT auditors get it to round themselves out and/or use it to get into IT auditing.
The CISA consists of 1 exam and costs around $415, which includes a 1-year membership to ISACA. Keep in mind that you also have to add the cost of training (books, prep courses, exam questions) to all the exams mentioned in this post.
I’ve written about certification quite a bit, so don’t miss the links at the end of this post!
If you have the proper background and experience, you can study for and obtain the certification in about 6 months to a year, which is a good return on your investment.
I have written more about the CISA in Where is the IS in CISA? and More on the CisA Exam. Although I’m not real impressed with the content of this exam, I still think you should get it. More on that later.
The CIA is a broader certification, and in 2013 changed from 4 exams to 3. This certification covers auditing and IT at a deeper level (like the CISA, it’s much more about auditing than IT). Each exam costs about $150. You must pass all 3 exams within 4 years of passing the first exam. You can study and pass all 3 exams reasonably in about 1-2 years.
The CIA, due to its broader nature and 3 exams, is more respected than the CISA. It’s also a harder set of exams.
The big thing to keep in mind is that, in general, IT auditors are paid more than non-IT auditors.
IIA Survey: CIA vs. CISA Salary (2012)
See below for 2015 info. I left this 2012 data here for comparison and to show some history. — Mack
In 2012, the IIA did a survey that showed auditors holding the CISA certification are paid more than those holding the CIA (see below), about $6,000 (median). That’s not bad, considering the CISA requires 2 less exams and a lot less time than the CIA. The graphic is on page 39 here (this looks like a static link, but I think the content is updated periodically).
What’s the reason for the difference? First, the more technical a job, the higher the pay usually is. Second, IT auditors are generally paid more than other auditors, and they are more likely to hold the CISA.
–Start of 9/25/15 Update
Robert Half Survey: IT Auditor vs Internal Audior Salary (2015)
Note: These salaries are for USA only. Sorry!
While the graphs above contrast those with CISA vs. CIA, the following graphs show the salary differences between IT auditors and internal auditors. Since IT auditors usually get the CISA and internal auditors usually get the CIA, I think they both say the same thing: IT auditors are paid more than non-IT auditors as a general rule.
The graphs below are from the annual Robert Half (RH) salary guide, which you can read free at http://www.roberthalf.com/finance/the-salary-guide-for-accounting-and-finance (not sure how long they will leave it up). The salary calculator, which available for US zip codes ony, is also on that web page, below the salary guide link.
These graphs are for a large city, Minneapolis, MN (USA). Note the differences in IT auditor (green box) and internal auditor (black box) with 1-3 years experience for a company size of 250+M.
If you change only the job level to ‘senior’ (4+ years), the salaries are as follows.
Again, you can run the salary calculator from the web page noted above. You can view more than just auditor salaries (accounting and many more) and can choose zip code, job level, and company size.
According to the survey, the salary figures are based on thousands of full-time, temporary and project placements RH makes each year, surveys of U.S. chief financial officers (CFOs) and hiring managers, and other analysis performed by RH.
Also, the projected salaries for each position reflect starting pay only. Bonuses, incentives and other forms of compensation are not taken into account.
–End of 9/25/15 Update
So, if you want to get into IT auditing or you want to advance your IT auditing career, get the CISA. It’s faster, cheaper, and results in better pay. And you’ll learn enough about auditing to get you going.
If you’re an IT auditor and you want to get both certs, get the CISA first for the same reasons. The CIA certainly won’t hurt you.
You could get just the CIA and skip the CISA altogether, but I wouldn’t recommend it. Once you have the CIA, the CISA isn’t that much more work. It’s a chip shot. And it makes the CIA look better, in other words, “now you’re a REAL IT auditor.”
In addition, the PERCEPTION of the CISA is that it is more IT focused than the CIA, and a better cert for IT auditors. Based on my passing the CISA, my studying for the CIA, and talking to IT auditors who have the CIA, that’s just not true. But it’s the perception, and careers are often affected more by perceptions than facts, unfortunately.
Some believe that after the CISA, the CIA is a waste of time for IT auditors. I disagree. The CISA says you can do IT audit; the CIA says you’re broader than just IT audit. It’s your call.
Best Certs for an IT Auditor
If you want to be a great IT auditor, I’d suggest you get the CISA and the CISSP (more comments on the CIA later).
First, as noted above, the CISA will ensure you understand the basics of auditing, which is more important than understanding IT (what? Hold onto that for a minute).
The CISSP will ensure you understand the basics of IT and security and costs about $450. Trust me, you won’t pass the CISSP with minimal IT knowledge. It will also provide a background in security, which is the biggest area, in my opinion, that most IT auditors don’t understand (the next biggest area is IT).
IT auditing is more than the right configuration, patches, and backups. It’s about understanding technology and IT operations and how they intersect with risk. That’s what the CISSP is about, much more so than the CISA.
A good IT auditor understands the basics of security, what technology can and can’t provide, and how easily things can go wrong. A security certification like the CISSP leads auditors to places other IT auditors don’t go or even know exist.
It’s the difference between watching a contact sport like football and getting tackled by a real 275-pound lineman. Your perception of the risk and the pain is totally different (by pain, I mean the injury that could be caused, not only by the audit finding, but also by the control that could mitigate the risk).
The CISSP is also more applicable to other jobs than the CISA or the CIA. I’ve noted elsewhere on this blog that I was hired in 3 different companies to do audit based on the CISSP alone (at that time, I didn’t have the CISA).
Also, notice that when the IIA’s The Path to IT Audit article asks “What certification do IT auditors need?”, the CIA is NOT mentioned, but the CISA, CISSP, CISM, and MCSE are highlighted (while the MCSE would help, I think it’s overkill and too much work for what it will provide; besides, that exam expires eventually, which was why I never obtained it when I was in IT).
Finally, few auditors have the CISSP. It makes you stand out, and it says you’re much more technical than most auditors. As a result, you’ll get more challenging audits, while your buddies will get stuck with the fluff audits that even a non-IT auditor could do.
IT Auditor Trifecta
I think the IT auditor trifecta would be to add the CIA to the CISA and CISSP (I’m toying with that still, but I’m not sure I want to stay in audit). Like security, the financial side of audit is a different world. Understanding the basics of an accounting, which the CIA provides, will only make the IT auditor more relevant to the business.
Learn Audit or IT First?
In the end, it’s more important for IT auditors to understand how to audit than the intricacies of IT. Although I’ve ranted about how little technology many IT auditors understand, if you know understand the principles and practice of auditing (risk assessment, interviewing, the differing qualities of evidence, sampling, etc.), you will still be able to identify the basic IT risks. That’s why so many IT auditors that don’t understand IT are gainfully employed.
In contrast, if you understand IT well, but don’t know how to audit, you’ll miss basic risks, and you won’t have a framework to investigate, evaluate, rank, document, and articulate what you find.
In other words, your audits won’t meet IIA standards or be very helpful. And I’ve seen great, Big 4 techies who could not write an audit workpaper to save their life or their client, but my company paid them $150/hour.
If you need to learn both audit and IT, focus on audit first, and learn the IT as you mature as an auditor. But make sure you eventually get the IT side. To do that, you need to do more than audit IT; you need to read IT publications and play with the technology when you can at work, and outside of work.
What’s your experience with certification? Was the effort worth it? Did a cert really make the difference in getting in the door or a higher salary? Leave a comment.
** FREE CISA Study Guide **
Security Certs for Commoners? Nope (how uncommon is the CISSP!)