Passing the CISA exam does not make you a good IT auditor any more than passing a driving test makes you a good driver.
Passing either exam says that you know the basics, but you still have a lot to learn.
Most likely, you still don’t know how and when to use what you know and apply it to the current situation. That’s why experience is necessary. Lots of it.
I’m going on a rant here, so reader beware. If you read on, make sure you hang in there until I make my main point in the end.
You just won’t feel the love right away…
One of the reasons that cars have brakes is because drivers make mistakes. Lots of them.
Many times, the brakes save you. Sometimes they don’t.
Certifications are similar to brakes. You have to keep the brake pads fresh, drive carefully, and know when to put them to good use.
A big concern of mine is that since IT auditors are in such short supply, too many people are trying to become IT auditors without considering whether they have, or are able to develop, the appropriate auditing, technical, writing, analytic, and social skills.
A second concern is that IT audit managers are not taking the time to properly interview IT auditors to determine whether they have the skills OR that they are lowering their standards of who they hire due to the shortage.
Based on some recent conversations, reading comments on this blog and other blogs, I get the impression that passing the CISA exam makes some people think they are qualified to perform IT audits. Not according to IIA standards.
I realize that the CISA cert also requires 5 years of professional information systems auditing, control, or security work experience. But you can use non-audit work like control or security experience.
While all 3 areas have commonalities, auditing is a bit different. You have to be careful about objectivity and use a slightly different mindset, among other things.
It’s obvious that it’s not too hard for people working in IS or security to get their managers to sign off on 5 years of experience, of which you can substitute some years of college in areas totally unrelated to auditing, IT, or security.
But that doesn’t make you an auditor, much less an IT auditor.
That just means you have the cert.
A good auditor has to understand control design, how to test controls, how to pick a good sample when data analytics isn’t an option, how to identify, analyze, and rank risk, and a host of other things (like technology).
Most of the mechanics of good auditing cannot be learned doing control work or security.
While you can get an IT auditor job with a CISA certification, you might struggle to do well.
So my advice is to get the certification, but make sure you have a good mentor, which is called “audit supervision”.
And if you don’t have a lot of IT experience, you will find yourself over your head. However, you’ll probably be in good company.
And you’ll learn on the job like most IT auditors do.
I don’t write this to discourage those who want to be IT auditors (especially since Mack, in his posts and comments to readers, encourages them all the time, and he should).
I write this to encourage those CISA-certified auditors to be good IT auditors. Which means:
- Taking the time to gain a good understanding of audit, IT, and security principles.
- Taking the time at the start of each audit to do a deep, but quick dive into the technology that you’re auditing (the Internet is your friend).
- Not believing everything your auditees tell you. Verify it.
- Making some good friends in IT that you can call on when you need advice or clarification.
- Talking to your fellow auditors, inside and outside your company, and trading ideas and approaches.
- Developing and regularly employing analytic skills to dig deeper than most auditors.
To sum up, don’t take shortcuts. Take the time and do it right.
And when you get in over your head, ask for help.
I still do that, all the time, as there’s a ton of stuff I still don’t know or understand.
10 responses to “CISA Does NOT an IT Auditor Make”
CISA is Crawled Into Silent Area? So that’s where all the commenters are?
Or are you too smug in your certifications to comment?
I’m not going to bother reading this article because the fundamental problem with the CISA qualification is that it is non-technical. I will get my coat…
I agree wholeheartedly.
I find it humorous that you won’t bother to read an article, but you will bother to comment on the topic.
Either way, I win! :)
I find it ironic that you’ve spent time advocating the CISA qualification despite its limitations.
I think you need to read my posts more closely. I think the cert is a joke. But managers and companies want it and you’re at a disadvantage if you don’t have it.
Didn’t you tell me that you got the CISA yourself, monkey?
I agree with you. I passed the CISA exam, but am yet to be certified because I don’t have sufficient experience as required. And I always declare that I only passed the exam but am not yet certified; but my department glorified me with CISA anyway…
And I use a similar analogy… I only passed the theory exam for the driving licence, but not the practical driving yet.
You’ll get there. The difference between you and many others that pass the exam is that you KNOW you don’t know everything. That puts you way ahead. :)