By Kristy M. Scott, CPA, CISA, CIA
Internal audit departments serve a crucial role in many organizations of varying sizes and purposes in both the private and public sector. The International Professional Practices Framework (IPPF) is the conceptual framework providing authoritative guidance from the Institute of Internal Auditors (IIA). The IPPF states internal audit’s mission as “To enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight.”1
It’s no secret to anyone who has worked in or continues to work in internal audit: the achievement of this mission is largely supported by maintaining and continuing to grow the department’s knowledge and skill set. For internal audit departments to fulfill this mission and be impactful with their work, continuing professional education and development are key. Skill sets within an internal audit department may be accompanied by professional certifications including, but not limited to: Certified Internal Auditor (CIA), Certified Public Accountant (CPA), Project Management Professional (PMP), Certified Risk Management Assurance (CRMA), Certified Fraud Examiner (CFE), and Certified Information Systems Auditor (CISA).
What is CISA certification?
With the pace and scope of technological change and its effects on organizations, the CISA certification and its areas of focus have been gaining more attention in recent years, with employers and the IT and audit communities recognizing its value. The certification is offered through the Information Systems Audit and Control Association (ISACA), which cites more than 151,000 certification holders with an average U.S. salary of more than $149,000.2 See Table 1 for the domains covered by the CISA examination.
In order to obtain the CISA certification, applicants must:
- Demonstrate required minimum work experience.
- Successfully pass the CISA examination.
- Adhere to the ISACA Code of Professional Ethics and Continuing Professional Education Policy.
- Comply with Information Systems Auditing Standards.4
Applicants can register online for the CISA certification exam, which can be completed either remotely with virtual proctoring or in person at a testing center.2 A variety of different exam preparation resources are offered by ISACA and other organizations, such as instructor-led courses, self-study courses, answer and explanation databases, manuals, and online forums.
The value-add for your organization
In addition to professional advantages, such as enhancing one’s résumé and opportunities for salary increases, auditors committed to obtaining and maintaining the CISA certification can add value to both their internal audit department and organizations in a variety of ways.
The position of the internal audit department affords it the unique vantage point to consider risks not only within an individual department, but holistically for the entire organization. Pairing the department’s position with audit staff knowledge and experience required by the CISA promotes thorough information technology (IT) and security considerations during the audit process and as the department serves in other roles for its organization (see Box 1).
Benefits of the presence of CISA(s) in internal audit departments
- Risk assessment: CISAs can promote a more in-depth exploration and discussion of IT and security during risk assessments to develop audit plans for the department and as part of brainstorming activities related to identifying key risks, controls, and potential for fraud.
- Audit planning: When gaining an understanding of an audit area, a CISA’s experience and knowledge can guide discussions with management to establish a more extensive understanding of the integration of IT and security into the relevant business processes and functions. This understanding can support more effective audit planning by identifying key IT risks, and then collaborating within the internal audit department to determine how to scope audits to address these risks.
- Audit execution: The professional experience of a CISA facilitates the performance of field work, communication of related IT audit requests and inquiries, and identification of potential issues.
- Audit reporting: A CISA can provide perspective on how to explain IT concepts and test work within audit reports, to communicate the IT work performed and results in new and different ways to the department’s intended audiences.
- Communication: The CISA’s knowledge base allows for familiarity with IT terminology, concepts, and relevant standards, laws, and resources to engage with management and to convey questions and concerns.
- Trusted advisor: The growing recognition of the CISA as a respected IT credential may encourage management to consult with the internal audit department as a trusted advisor on the organization’s IT and security activities and enterprise risk management program.
- Education: A CISA can serve as a resource to other members of the internal audit department, providing learning opportunities through on-the-job training and exposure to other available educational resources.
As internal audit departments recognize the benefits of having a CISA(s) as part of the team, other ways to continue to enhance IT audit test work may emerge. This may include a CISA partnering with specialists, when deemed necessary, to perform more technical test work and reviews. Additionally, a CISA(s) may find chances for the internal audit department to network with IT professional organizations to stay informed of emerging risks and trends.
Pursuing and maintaining the CISA certification requires dedication and an interest in IT and security concepts and topics, but this dedication is rewarded by the advantages it provides to an internal auditor’s organization, as well as to the individual professionally. The cadence of change for IT is not slowing, and these days no organization or process appears to be exempt from its impacts.
Professionally, the CISA provides an avenue for an internal auditor to demonstrate a level of IT audit education and experience for the individual to be competitive within the job market. Additionally, required continuing professional education and the related work experience challenge the internal auditor to think critically about IT and security as the threat and vulnerability landscape continues to evolve. This in turn adds value to the audit process, which impacts the internal auditor’s organization by providing timely and meaningful feedback on IT and security controls through audits and consulting.
Consider taking your internal audit career to the next level by pursuing the CISA certification!
Kristy M. Scott, CPA, CISA, CIA, is a principal auditor at the Virginia Retirement System in Richmond.
1. “The IPPF: The Framework for Internal Audit Effectiveness” and “Mission of Internal Audit” from International Professional Practices Framework (IPPF) | The IIA
2. “CISA” from CISA Certificate | Certified Information Systems Auditor | ISACA
3. “CISA Job Practice Areas” from CISA Job Practice Areas | CISA Certification | ISACA
4. “Get CISA Certified” from Get CISA Certified | Earn CISA Certification | ISACA