Broadening One’s Horizons… December 10, 2011
Posted by Audit Monkey in The Joy & Pain of Internal Audit.Tags: CISA, qualifications
trackback
As my readers well know, I’m always looking for opportunities to exit the auditing profession. However of late, I’m been quite comfortable being an Internal Auditor, probably because I’m being paid handsomely for doing very bog standard audits which aren’t going to ruffle too many feathers. Yet I’ve got this nagging feeling this honeymoon period will soon be over. So, I’ve decided to re-educate myself in the New Year and up-skill.
To get the ball rolling, I’ve just checked out this site: http://www.itgovernance.co.uk/infosec_quals.aspx and I thought I’d go down the CISA route. For the ignorant out there, that’s become an IT auditor. All well and good you would think but check out the fine print:
“Candidates looking to gain the CISA certification must sit an examination, submit evidence of a minimum of 5 years (sic) IS auditing, security or control work.”
C’mon, that’s a longer period than an undergraduate degree and Masters on top, as well as the ACA, ACCA and CIMA qualifications. I’ll grow old waiting to qualify and the letter ‘CISA’ might as well be chiselled on my grave-stone.
This all seems terribly contrived. I have no idea who dreamt up the 5 year threshold but it seems all terribly contrived. It’s akin to a closed shop. although I’m enthusiastic and wanna progress, I’ve been effective deterred from doing so. Sucks, doesn’t it?
Audit Monkey's Blog 
AuditMonkey,
I laugh at that requirement because, as I’ve blogged, most IT auditors I know don’t know IT, And that’s probably because the CISA exam is not much about IT.
Which makes it funny that you have to have 5 years experience doing IT security or control work before you can take an exam that doesn’t require much IT knowledge.
The only reason I got the CISA is because employers value it and most of the contract auditors I was hiring had it.
My other beef (closer to pork) with the CISA is how expensive it is to maintain. The CISA is over $200 per yer, the CISSP only $85.
You can subsitute other experience for the 5 years as follows, per ISACA:
“Substitutions and waivers of such experience, to a maximum of 3 years, may be obtained as follows:
– A maximum of 1 year of information systems experience OR 1 year of non-IS auditing experience can be substituted for 1 year of experience.
– 60 to 120 completed university semester credit hours (the equivalent of an 2-year or 4-year degree) not limited by the 10-year preceding restriction, can be substituted for 1 or 2 years, respectively, of experience.”
So with a college degree and SOME auditing experience, you now only need 2 years of IT/security experience! (tongue in cheek, sorry).
Have you thought about learning data analytics, like ACL? Is that used much in the UK?
Good luck anyway, Monkey. I’m glad at least 1 (you) of the “big 3” bloggers (you, Cow, and I) is still posting. I’m working on a couple things, but having trouble getting them finished. Always easier to jump over to your blog. Cheers
A few comments.
The problem with CISA is the time to qualify period deters those who wish to study.
The cost of membership is getting silly across all bodies. ACCA subs this year are nudging £200 which equates to $350. Fortunately I’m not a member of the IIA.
I did an IT audit recently, well the non-techie stuff. How come I found more control weaknesses and break-downs thann my IT colleague? I can’t believe it was all hunky dory!
Indded, ACL is used in the UK. However, the problem with using ACL is not ACL but getting the data in the first in instant so you can crunch it!
Do you mean acquiring the data or loading it into ACL and formatting it so that you can use it?
Acquiring the data. The issue with a lot of British firms is they often have a multitude of old legacy systems (none this Microsoft windows malarky) and job of obtaining the data is often falls to a specialist. So, when I say I wish to learn go down to the IT audit route, frequently those with a background in software engineering, etc, tend to float to the top of the pond where the rest of us sink!
Interesting. 2 jobs ago, I had read access to most systems and queried or downloaded my own data. It was great. In my current job, I can’t access as much, but certainly more than auditors can in most US firms.