Passing the CISA exam does not make you a good IT auditor any more than passing a driving test makes you a good driver.
Passing either exam says that you know the basics, but you still have a lot to learn.
Most likely, you still don’t know how and when to use what you know and apply it to the current situation. That’s why experience is necessary. Lots of it.
I’m going on a rant here, so reader beware. If you read on, make sure you hang in there until I make my main point in the end.
You just won’t feel the love right away…
One of the reasons that cars have brakes is because drivers make mistakes. Lots of them.
Many times, the brakes save you. Sometimes they don’t.
Certifications are similar to brakes. You have to keep the brake pads fresh, drive carefully, and know when to put them to good use.
A big concern of mine is that since IT auditors are in such short supply, too many people are trying to become IT auditors without considering whether they have, or are able to develop, the appropriate auditing, technical, writing, analytic, and social skills.
A second concern is that IT audit managers are not taking the time to properly interview IT auditors to determine whether they have those skills, OR that they are lowering their hiring standards due to the shortage.
Based on some recent conversations, reading comments on this blog and other blogs, I get the impression that passing the CISA exam makes some people think they are qualified to perform IT audits. Not according to IIA standards.
I realize that the CISA cert also requires 5 years of professional information systems auditing, control, or security work experience. But you can use non-audit work like control or security experience.
While all 3 areas have commonalities, auditing is a bit different. You have to be careful about objectivity and use a slightly different mindset, among other things.
It’s obvious that it’s not too hard for people working in IS or security to get their managers to sign off on 5 years of experience, and some years of college in areas totally unrelated to auditing, IT, or security can be substituted for part of that experience.
But that doesn’t make you an auditor, much less an IT auditor.
That just means you have the cert.
A good auditor has to understand control design, how to test controls, how to pick a good sample when data analytics isn’t an option, how to identify, analyze, and rank risk, and a host of other things (like technology).
Most of the mechanics of good auditing cannot be learned doing control work or security.
While you can get an IT auditor job with a CISA certification, you might struggle to do well.
So my advice is to get the certification, but make sure you have a good mentor, which is called “audit supervision”.
And if you don’t have a lot of IT experience, you will find yourself in over your head. However, you’ll probably be in good company.
And you’ll learn on the job like most IT auditors do.
I don’t write this to discourage those who want to be IT auditors (especially since Mack, in his posts and comments to readers, encourages them all the time, and he should).
I write this to encourage those CISA-certified auditors to be good IT auditors. Which means:
- Taking the time to gain a good understanding of audit, IT, and security principles.
- Taking the time at the start of each audit to do a deep, but quick dive into the technology that you’re auditing (the Internet is your friend).
- Not believing everything your auditees tell you. Verify it.
- Making some good friends in IT that you can call on when you need advice or clarification.
- Talking to your fellow auditors, inside and outside your company; trade ideas and approaches.
- Developing and regularly employing analytic skills to dig deeper than most auditors.
To sum up, don’t take shortcuts. Take the time and do it right.
And when you get in over your head, ask for help.
I still do that, all the time, as there’s a ton of stuff I still don’t know or understand.