Professional Associations and Certifications

Professional associations for auditors promote the profession and establish standards that their members must abide by. The standards include exemplary ethical and professional behaviors. These organizations serve to educate and inform members of the most current approach to auditing and certify their members as competent to perform audits in their discipline.

Professional associations are common across many professions where the discipline requires adherence to rigorous standards. These associations promote public confidence in the profession. Consider when it is tax time and you need to complete your income tax. Would having a certified public accountant (CPA) prepare your tax return provide more confidence that your taxes were completed correctly? Yes. Equally important, in the event there was a problem with your income tax return, using a CPA demonstrates you took every effort to get it right. This approach could shift some of the risks to the CPA. The same applies to performing audits. Having a certified auditor perform the work provides management with confidence in the completeness and accuracy of the work performed. It also demonstrates to regulators that management is making every effort to be compliant with policies, industry norms, and the law.

This chapter will discuss three of the most common audit professional associations that IT auditors will encounter: Institute of Internal Auditors (IIA), Information Systems Audit and Control Association (ISACA), and International Information System Security Certification Consortium [(ISC)2]. The certifications issued by these three professional associations are common and considered the gold standard across many industries.

It is common for an auditor to have multiple certifications. Consider a doctor who is a general practitioner family doctor versus a heart surgeon. In the first case, the professional needs broad foundational knowledge, and the latter case needs highly specialized knowledge about surgery and the heart. The same exists for audit certifications, which can be broad and general or highly specialized. In either case, most public and large companies require auditors to be certified. Consequently, as a job requirement, auditors often must have one or more audit certifications.

Certifications are not just obtained by auditors across multiple disciplines. Certifications are often used by non-auditors to obtain a better understanding of risks. This also goes for auditors who want to obtain a deeper understanding of specific technologies. Regardless of whether you are configuring technology or auditing that technology, in both cases a deep understanding of the technology and associated risks is required.

Table 15-1 illustrates how multiple certifications can create synergies and build an auditor’s skills. The table includes common certifications issued by IIA, ISACA and (ISC)2.

TABLE 15-1 Common auditor certifications.

| Issued by | Certification | Specialization Skills |
|-----------|---------------|-----------------------|
| IIA | Certified Internal Auditor (CIA) | Foundational audit |
| ISACA | Certified Information Systems Auditor (CISA) | IT audit |
| (ISC)2 | Certified Information Systems Security Professional (CISSP) | Information security |

When starting their career, auditors may choose to obtain a CIA certification. Once in auditing, individuals often start to specialize and choose to obtain a CISA because their focus may be on performing infrastructure audits. An infrastructure auditor may further specialize in information security and obtain a CISSP. While these certifications build on each other, they are not dependent on each other. In other words, individuals who want to specialize in IT audits may choose to jump to a CISA or CISSP and skip obtaining a CIA certification. While the CISSP is not technically an audit certification, it does focus on foundational information security knowledge, which makes it a popular certification to obtain for auditors and non-auditors alike.

Worldwide, IIA serves more than 200,000 members, ISACA more than 145,000 members, and (ISC)2 more than 160,000 members. The certifications from these three professional associations are considered the gold standard for auditors.
