Certification and Accreditation for Auditors

Both IIA and ISACA provide certifications designed specifically for auditors. While these certifications are useful for non-auditors, these professional associations gear their certification and continuing education opportunities toward the audit community. This chapter reviews the most common IIA and ISACA certifications for auditors. Table 15-2 provides a broader list of certifications; details of each can be found on the organizations’ websites.

TABLE 15-2 IIA and ISACA certifications.

Association    Certification
IIA            Certified Internal Auditor (CIA)
IIA            Certified Government Auditing Professional (CGAP)
IIA            Certified Financial Services Auditor (CFSA)
IIA            Certification in Control Self-Assessment (CCSA)
IIA            Certification in Risk Management Assurance (CRMA)
IIA            Certified Professional Environmental Auditor (CPEA)
IIA            Certified Process Safety Auditor (CPSA)
ISACA          Certified Information Systems Auditor (CISA)
ISACA          Certified in Risk and Information Systems Control (CRISC)
ISACA          Certified Information Security Manager (CISM)
ISACA          Certified in the Governance of Enterprise IT (CGEIT)
ISACA          Cybersecurity Practitioner Certification (CSX-P)
ISACA          Certified Data Privacy Solutions Engineer (CDPSE)
ISACA          Information Technology Certified Associate (ITCA)
ISACA          Certified in Emerging Technology (CET)

IIA

Established in 1941, long before the Internet, when most processes were performed manually, the IIA is an international professional association for auditors. The IIA’s mission is to “provide dynamic leadership for the global profession of internal auditing.” To achieve this mission, the IIA supports many activities that promote the value of the internal audit function, including a wide range of educational and developmental opportunities. The IIA is well known, and its published standards and guidance for internal auditors are considered the gold standard by many audit departments and regulators.

The IIA provides guidance through the International Professional Practices Framework. This framework includes mandatory and strongly recommended guidance. Mandatory guidance includes the definition of internal auditing, the code of ethics discussed earlier, and various standards. Standards provide the framework for performing internal auditing functions. They include the basic requirements of internal auditing, including further explanations to clarify terms and concepts.

The IIA’s recommended guidance includes position papers, practice advisories, and practice guides. The position papers cover general topics on governance, risk, and control, and they also explain the different roles and responsibilities within the auditing community. The practice advisories assist auditors in applying the standards to specific approaches and methodologies. Finally, the practice guides provide details for internal audit activities. For the IT auditor, the IIA provides a series of audit guides specific to IT called Global Technology Audit Guides (GTAGs). These guides provide audit-related guidance pertaining to technology management, control, and security. Another series of guides, called the Guide to the Assessment of IT Risk (GAIT), deals with specific areas related to IT risk and control.

Certified Internal Auditor (CIA)

The Certified Internal Auditor (CIA) certification, according to the IIA, is “the only globally accepted certification for internal auditors and remains the standard by which individuals demonstrate their competency and professionalism in the internal auditing field.” The CIA exam covers internal auditing practices and issues as well as risks and solutions.

The CIA certification is made up of four parts. The first three parts are modeled on the IPPF. Candidates may receive credit for the fourth part if they have obtained another related specialty certification. This includes one of the other three IIA certifications or a number of other non-IIA certifications. The Certified Public Accountant (CPA) designation from the American Institute of Certified Public Accountants (AICPA) qualifies, for example. Another example is the CISA certification from ISACA, which is explored further in the next section.

The four parts of the CIA exam process are as follows:

  • Part 1—Essentials of Internal Auditing

    125 questions, 2.5 hours (150 minutes)

  • Part 2—Practice of Internal Auditing

    100 questions, 2.0 hours (120 minutes)

  • Part 3—Business Knowledge for Internal Auditing

    100 questions, 2.0 hours (120 minutes)

To become certified, candidates must meet the following requirements:

  • Exam requirements—Candidates must complete the exam with a passing score.

  • Educational requirements—Candidates must have a bachelor’s degree, or an associate degree combined with an A-level certificate.

  • Experience requirements—Candidates must have 12 to 60 months’ work experience depending on the educational degree obtained. All experience needs to be verified using a form on the IIA website.

  • Professional conduct requirements—Candidates must abide by the IIA code of ethics. They must also provide a completed IIA character reference form.

The IIA makes exceptions for experience and educational requirements for certain equivalents. In both cases, proper documentation is required.

The following three specialty certifications offered by the IIA also require a bachelor’s degree or higher, adherence to the IIA code of conduct, and a completed character reference form.

Certification in Control Self-Assessment (CCSA)

The Certification in Control Self-Assessment (CCSA) is for practitioners of control self-assessments (CSAs). A CSA provides a method for those internal to an organization to assess risks and controls on their own. Internal auditors are often involved from a more consultative standpoint and can use the CSA program to focus audit work on higher-risk areas. Candidates for the CCSA exam must obtain one year of control-related business experience, which could be experience with CSA, auditing, or risk management.

Certified Government Auditing Professional

The Certified Government Auditing Professional (CGAP) certification is for public sector internal auditors. This exam tests areas of audit knowledge unique to the public sector. This includes grants and legislative oversight. Candidates must obtain two years of auditing experience in a government environment. This can include federal, state, or local government.

Certified Financial Services Auditor

The Certified Financial Services Auditor (CFSA) exam tests a candidate’s audit knowledge and abilities concerning financial services. Candidates must obtain two years of auditing experience in a financial services environment. In addition to testing on these four domains, the candidate must choose from one of three financial service areas. These include banking, insurance, or securities. The exam includes additional questions specific to the chosen discipline covering the relevant products, processes, and regulatory environments.

Certification in Risk Management Assurance

The Certification in Risk Management Assurance (CRMA) exam tests the candidate’s ability to evaluate and provide advice on organizational governance and enterprise risk management. CRMA candidates are required to pass Part 1 of the CIA exam and the separate CRMA exam.

ISACA

ISACA is a professional association that provides many resources for information systems auditors and IT security and governance professionals. ISACA publishes technical journals, standards, guidelines, and procedures. The organization also promotes research and provides educational programs as well as several professional certifications. ISACA is widely recognized largely as a result of its popular CISA exam.

ISACA publishes several best-practice framework guidelines. These include COBIT, ITAF, Risk IT, Val IT, and most recently COBIT 5, which combines many of the frameworks into one. In addition, ISACA provides several other educational opportunities and professional resources:

  • Standards—These are for IT auditors as well as information systems control professionals. The standards provide mandatory requirements for IT audits.

  • Research—This includes research papers to promote the development of timely topics relevant to IT governance, control, assurance, and security professionals.

  • Publications—These include the ISACA Journal, a bimonthly publication for audit, control, security, and IT governance professionals. Additionally, ISACA offers a bookstore containing professional development and reference material. There is also an online library, which provides web access to a wide collection of books.

  • Chapter membership—This includes membership in chapters around the world that sponsor local education events and seminars and conduct regular meetings.

  • Training and conferences—These include various conferences that appeal to those new to the field as well as experienced professionals. Additionally, ISACA provides training opportunities such as certification review courses, onsite training, and online courses.

  • Certifications—These include a handful of certifications for information governance, risk, security, and auditing.

Each ISACA certification requires experience, ethics, education, and an exam. The candidate must pass an exam, adhere to the code of professional ethics, and prove relevant experience. Upon certification, the candidate must also adhere to the continuing professional education program. The continuing education program ensures that certification holders maintain knowledge and skills within the certified area. Each exam is based on a job practice. The job practice provides the foundation for the experience requirements and is the basis of the exam. The job practice is organized by a series of statements that test both knowledge and skills. These are known as task and knowledge statements, which are grouped together and make up parts of the exam, known as domains.

CISA Certification

The Certified Information Systems Auditor (CISA) program is well accepted and mature; it’s been available since 1978. This certification program is arguably the benchmark for an information systems audit certification for audit, control, and security professionals. In fact, ISACA lists several facts recognizing the significance and importance of the CISA certification. Examples include the following:

  • CISA has won or been a finalist in the Best Professional Certification Program from SC Magazine for a number of years.

  • The National Stock Exchange of India requires CISA certification to conduct system audits.

  • CISA is an approved certification for the U.S. Department of Defense Information Assurance Workforce Improvement Program.

  • Payment Card Industry Data Security Standard accepts CISA as a validation requirement for qualified security assessors.

  • The U.S. Federal Reserve Bank requires all assistant examiners to pass the CISA exam before they can be eligible for commissioning.

To qualify, a candidate needs at least five years of professional information systems auditing or security work experience. ISACA provides a list of available substitutions. Candidates may substitute a maximum of one year of information systems experience. Certification holders are also required to adhere to the ISACA information systems auditing standards. CISA covers the following domains:

  • Information Systems Audit Process—This provides assurance that IT and associated data are protected and controlled. Specifically, this includes making sure that system audit services are within audit standards, guidelines, and best practices.

  • Governance and Management of IT—This ensures that a governing program is in place. This includes the structure, policies, processes, and monitoring to achieve effective governance.

  • Information Systems Acquisition, Development, and Implementation—This ensures that practices from systems development and acquisition through to disposal are adequately in place.

  • Protection of Information Assets—This ensures that a security policy framework is in place. This also ensures that appropriate controls are in place to protect the confidentiality, integrity, and availability of information systems and data.

  • Information Systems Operations and Business Resilience—This ensures that the business will continue despite disruptions.

Certified Information Security Manager

The Certified Information Security Manager (CISM) certification is designed for information security managers. Candidates also need to prove a minimum of five years of information security experience, which must include three years of experience in three or more of the focus areas or domains. This exam also allows for substitutions. For example, two years may be substituted for a CISA, a CISSP, or a postgraduate degree in information security.

Certified in Risk and Information Systems Control

Certified in Risk and Information Systems Control (CRISC) is a broad certification program, appealing mostly to IT professionals. CRISC tests for knowledge of enterprise risk as well as the life cycle of information systems controls used to mitigate that risk. Candidates also need to prove at least five years of IT or business experience and at least three years of experience in one or more of the CRISC focus areas.

Governance of Enterprise IT Certification

The Certified in the Governance of Enterprise IT (CGEIT) certification is targeted to IT governance professionals. This includes those involved in the leadership and processes to help make sure that the IT organization is aligned with an organization’s strategies. Candidates need to prove at least five years of experience in a governance support role of an organization’s IT department.
