A career as Information Systems Auditor
We are familiar with the term auditing, which is usually associated with financial auditing. We also come across terms like quality audit, management audit, environment audit and now, Information Systems Audit. So, who can be an IS Auditor? To quote from the famous book, Information Systems Control and Audit by Ron Weber: "To be a good auditor, you have to be better at business than your client." Further, the purpose of information systems audit is to evaluate whether computer-based information systems fulfill the following aims:
- Safeguard assets
- Maintain data integrity
- Achieve organizational objectives effectively
- Consume resources efficiently
So, the expectations from an information systems auditor are rather high. The IS auditor should know what the business expects from information systems, what are the best IT practices, and whether the information systems of an organization realize these expectations and best practices. Since all businesses are now heavily dependent on information systems, management wants assurance from independent experts. A Certified Information Systems Auditor or CISA is an independent expert who is qualified to perform information systems audit. This has uplifted the status of the CISA designation, which is often a mandatory qualification for an information systems auditor.
Information Systems Audit and Control Association (ISACA) is a world recognized body, that was founded in 1969. The CISA examination and certification was initiated in 1978, to address industry requirements. Today, there are more than 30,000 CISAs worldwide.
The examination is conducted in
- 1 languages at 200 locations. The 2003 CISA examination had more than
- 1,900 candidates.
ISACA has ensured that the CISA syllabus meets the industry expectations. The syllabus is periodically enhanced to reflect the current trends in information technology. The current syllabus expects one to know the following domains.
(Figures in brackets are the weightage given to each domain in the examination paper.).
1. Management, Planning, and Organization of IS (11%)
This domain describes the best IS management practices. Unlike CISSP, this domain does not restrict itself to only Information Security, but covers all aspects of information systems. To begin with, it defines the entire organizational structure of the Information Systems department, from Chief Information Officer to tape librarian, or data-entry operator. In the current scenario of downsizing and outsourcing, we may not find all the classical job definitions and practices in the organization, but we need to understand the best practices for managing the IS department, planning its activities and having an appropriate management structure in place.
2. Technical Infrastructure and Operational Practices (13%)
This domain covers all the technologies pertaining to hardware, software and networking. So, you have to study the types of databases, the TCP/IP protocols, telecommunications, the LAN and also various operational practices and how to audit these, along with the infrastructure. Understanding the technology is important to evaluate whether the implementation has been done appropriately.
3. Protection of Information Assets (25%)
This domain focuses on information security management. You have to study various vulnerabilities of the infrastructure as well as the security technologies that would protect these. These include logical access controls, networking access controls like firewalls, intrusion detection, encryption and environmental and physical exposure and controls.
4. Disaster Recovery and Business Continuity (10%)
Business continuity has become a major focus area as the availability of information systems has become critical to business. This domain requires a good understanding of the business continuity/disaster recovery planning process, which includes business impact analysis, recovery strategies, developing, implementing, testing and updating the plans, and how the plan should be audited.
5. Business Application System Development, Acquisition, Implementation, and Maintenance (16%)
This domain focuses on the core area of information systems development. You have to learn the traditional system development lifecycle, also the modern development strategies like object-oriented system development, component-based and Web-based system development; understand the information system management practices, project management practices, tools, process improvement models, and the auditing of the entire system development process.
6. Business Process Evaluation and Risk Management (15%)
This module links the business expectations and the risks, to the development and deployment of information systems. Areas like Business Process Reengineering, Risk Management, IT governance, application controls, various business application systems like e-Commerce, EDI, Artificial Intelligence, data warehouse, Decision Support Systems are covered here.
7. The IS Audit Process (10%)
This module familiarizes us with ISACA's code of ethics, auditing standards, guidelines, as well as audit methodology, Computer Assisted Audit techniques and Control Self-Assessment.
In the last article on CISSP, I compared the CISSP domains with BS7799 domains. I have done a similar exercise of comparing the CISA domains with BS7799 domains in the table.
So you will find that there is a good amount of overlap in the knowledge areas. CISA is focused on overall information systems, and so, security is one of the components handled in domains 2, 3 and 4—which is about 48% of the total syllabus. Domain 1 of CISA indirectly covers the requirements for Domain 1 of BS7799. The remaining 52% of CISA is devoted to areas like IS Management, IS Audit, Business Process Evaluation & Risk Management; Business Application Development; Acquisition & Maintenance—which do not directly relate to security, but are focused on effectiveness and efficiency of information system implementation in business, and indirectly refer to security implications.
This is one reason why many professionals acquire both certifications: CISA as well as CISSP. After all, if you have completed CISA successfully, you have covered a lot of material for CISSP. It may not be to the same depth of technical knowledge as expected for CISSP, but you would be able to easily build on this base. Similarly, if you have done CISSP first, you would have already covered half the CISA material, and need to concentrate on the new areas of Business Application, Management and IS Audit.
I would personally recommend both certifications to get an all round exposure of Information Management as well as Information Security Management.
How to become a CISA
ISACA has stipulated the following guidelines for getting the CISA designation. Remember, passing the examination is just the first step.
1. Successful completion of the CISA examination.
The examination is conducted once a year on the second Saturday of June. So the next examination is scheduled for 12th June 2004. The examination consists of 200 multiple choice questions to be answered within four hours. The passing score is 75 percent, which means that if you pass the exam, you have scored marks, which put you in the top 25%.
2. Information systems auditing, control or security experience.
You need to have five years of IS audit experience, with waivers of up to two years given, based on auditing experience, graduate degree or teaching experience in a related field. This experience could even be gained after passing the examination.
3. Adherence to the Code of Professional Ethics.
ISACA has formulated the Code of Professional Ethics. You must read and abide by the same.
4. Adherence to the continuing professional education program.
You have to ensure that you are keeping your knowledge up-to-date by clocking 120 hours in three years in acquiring the knowledge by means of attending lectures, giving lectures or doing work for the ISACA local chapter.
5. Compliance with the Information Systems Auditing Standards.
You have to adhere to the IS Audit Standards as promulgated by ISACA.
Apart from these, you have also to pay various fees like membership fees, certification fees, local chapter fees and the examination fees. All these details are available on the website, www.isaca.org.
How to prepare for the examination
Each year ISACA publishes a CISA Review Manual. This is a must buy as it reflects the complete syllabus for the CISA examination. This is not a textbook but a review manual, as such it helps you to review all the topics. If you are not familiar with some areas, good textbooks like Information Systems Control and Audit by Ron Webercan really help. Another good book is Computer Networks by Tannenbaum. ISACA has a number of white papers and articles available for its members on the website.
ISACA has nine local chapters in
The study circle's classes usually start in November and continue till the end of April, and are conducted either in the evenings or weekends, depending on the convenience of most of the participants. The local chapters also conduct short duration crash courses for those who cannot attend a full duration study circle.
Unlike CISSP, there are not many books with question banks. Joining the study circle gives you access to some question banks compiled by past students. Also, the study circles conduct mock tests based on previous questions banks from the old review manuals. These could be used for practice, but the difficulty level of the actual examination will be higher than these questions.
If you start serious studies from November and regularly assess your preparation by solving various question banks or taking up the mock tests at the study circle, you should be well prepared to appear for the June examination. You have to make a decision by 4th February to get an early bird discount.
The fact that a requisite CISA qualification is mentioned in advertisements for IS Auditors is proof enough of its acceptability in the industry. With increasing emphasis by Government to have periodic IS audits, and the industry opting for security certifications like BS7799, the roles of IS auditor, as well as Information Security Auditor are becoming very important.
CISA certification definitely opens up doors to many opportunities.