What Does an Information Systems Auditor Do as Work – A Sample Job Description


Just as information technology has affected almost every field of life, it has also changed the auditing function. Records have been digitized, processes have been built into systems, and financial transactions and other critical information are now processed through information systems.

Before the arrival of information systems, auditors examined paper records and reported their opinion, based on that examination, to stakeholders such as management, shareholders, and the board. Information systems changed this situation significantly and brought in the role of the information systems auditor.

Though a paper-based audit is still a statutory requirement, it was realized quite early that the skills of paper auditors were of little help in auditing entities where information systems had been implemented. Without knowledge of information systems, these auditors could not tell how the records were being kept or whether they were maintained according to management’s and statutory directions.

Auditors therefore needed to be trained in auditing these information systems, and from this need the field of information systems auditing emerged. It is broadly a mix of auditing principles, information systems governance and management principles, and information security.

To standardize the knowledge and training of information systems auditors, the CISA certification emerged, administered by the Information Systems Audit and Control Association (ISACA).

Though all the job practice areas of an information systems auditor are essential, the most critical is the review of the systems’ internal controls. How the controls have been designed and implemented in the information systems is at the root of all the questions a CISA candidate will be asked. This is the area where information security, manual controls, and automated controls converge. An information systems auditor must be knowledgeable about all these aspects of auditing information systems, besides being an auditor who follows an audit process.

Broadly speaking, an information systems auditor does the following types of work as part of an internal or external audit assignment. In internal audit assignments, he or she may also act in an advisory capacity to management, but never as a solutions implementer, because that would create a conflict of interest.

What Does a CISA Auditor Do?

Since information technology is an ever-changing field, an information systems auditor must keep his or her skills and knowledge of information systems up to date. IS auditors work everywhere, from the big four audit firms to information security companies, and also in the government sector. Their work and skills are always in demand because of the increasing use of information systems in every sphere of life.

Another good way to learn what an IS auditor does is to go through the knowledge statements at the beginning of each of the four CISA Review Manual chapters. One key thing to remember is that taking remedial measures or being part of the corrective-measures team is not the certified information systems auditor’s job: doing so would compromise the auditor’s objectivity and independence, which are essential for all types of audits. Here is a brief list of the kinds of work an information systems auditor may be doing:

  • Internal and external audit assignments
  • Advice at the solutions designing stage
  • Risk-based audits
  • Risk analysis and risk assessment
  • Information technology and governance audits
  • Work as a support for the financial audit team regarding information systems audit
  • IT management audit
  • Systems and application security audit
  • Information systems internal control review
  • Business continuity and data center security review and audit
  • Operating systems review
  • Penetration testing
  • Database administration review
  • Physical and logical security review
  • Post-implementation systems review

And a host of other fascinating and challenging things.

How can you become an information systems auditor?

An information systems auditor mostly deals with the following domains as part of their audit work. Please note that they review the controls related to these areas rather than managing these domains within an organization:

  • Information systems security
  • Information systems acquisition
  • Information systems development
  • Information systems operations
  • Backup and disaster recovery arrangements

You might already be reviewing computer systems as part of your audit work. In that case, you might already be an information systems auditor.

While an ISACA certification is not essential, it will go a long way toward your ambition of becoming an IS auditor.

The best, and in fact the only, certification of value for the information systems auditing profession is the Certified Information Systems Auditor (CISA) certification.

We have covered the CISA certification in detail elsewhere, but we will touch upon the fundamental concepts here as well.

As this IS auditing certification is administered by ISACA, you have to register for the exam with ISACA and pass the CISA exam. The exam content for the CISA credential is based on the job practice areas.

I recommend that you buy the latest CISA Review Manual and the CISA questions and answers database to prepare for the exam. This will tremendously increase your chances of earning the CISA qualification. You can also opt for CISA training offered by ISACA and many other vendors. But speaking from my personal experience, the CISA Review Manual and going through the questions and answers database a few times will be enough to pass the CISA certification exam.

To earn the CISA designation, passing the exam is not enough. You will also need five years’ experience, some of which must relate to the main job practice areas. However, exemptions of a few years may be available based on relevant qualifications.

After passing the CISA examination, you apply for CISA certification if you already have the relevant experience. Otherwise, you can wait until you have completed the experience requirement and apply for the certificate then.

Once you have become a certified information systems auditor, you will have to abide by ISACA’s continuing education policy and its professional ethics policy to remain certified. You will also have to renew your certification every year by paying a renewal fee and meeting the CPE requirement of 20 hours per year and 120 hours in a three-year cycle.

Qualified CISA professionals are respected as information systems auditors; therefore, even if you are already doing IS auditing work, earning the CISA certification will bring you recognition and accelerated career growth.

2 thoughts on “What Does an Information Systems Auditor Do as Work – A Sample Job Description”

  1. Hello:

    We have an opportunity where we need a CISA certified IS Auditor (in Maryland). Is there anyone we can talk to regarding this matter?

    • Hi Bhaskar, I wonder if your requirement for a CISA still exists. Please let me know if remote work from India is helpful.
      Warm regards
