What Does a Certified Information Systems Auditor (CISA) Do?
Posted by: Robin Abernathy
Published: November 6, 2018
In today’s environment, information has become the most valuable organizational asset. Information systems professionals must leverage the value of data and assure the security and integrity of the data that drives business. The Certified Information Systems Auditor (CISA) certification is recognized the world over as proof of competency and experience in securing critical business assets and ensuring that these assets are available.
The CISA certification is a globally recognized certification for IS audit control, assurance, and security professionals. According to the Information Systems Audit and Control Association (ISACA), this certification showcases an individual’s audit experience, skills, and knowledge, and demonstrates the capability to assess vulnerabilities, report on compliance, and institute controls within the enterprise.
The CISA exam covers the following five domains:
Auditing Information Systems
Governance and Management of IT
Information Systems Acquisition, Development, and Implementation
Information Systems Operations, Maintenance, and Service Management
Protection of Information Assets
Candidates must demonstrate proficiency in these five domains on the 150-question CISA exam.
As the name implies, an IS auditor is responsible for the auditing functions within an organization. This includes:
Executing a risk-based IS audit strategy
Planning audits to determine if assets are protected, controlled, and provide value
Conducting audits according to standards and audit objectives
Communicating audit results and making recommendations to management
Conducting audit follow-up to determine if recommended actions have been taken by management
In addition to regular auditing duties, an IS auditor must work with management to ensure that organizational processes support the organization’s strategies and objectives. This includes evaluating:
The IT strategy for alignment
The effectiveness of the IT governance structure
IT organizational structure and personnel management
Organizational IT policies, standards, procedures, and processes
IT resource management
IT portfolio management
Risk management practices
IT management and monitoring of controls
An IS auditor must work with management to ensure that the acquisition, development, testing, and implementation of information systems meet the organization’s strategies and objectives. This includes:
Evaluating the business case for proposed information systems
Evaluating IT supplier selection and contract management processes
Evaluating the project management framework and controls
Conducting project reviews
Evaluating controls for information systems
Evaluating the readiness of information systems
Conducting post-implementation reviews
Once systems are implemented, an IS auditor must work with management to ensure that the operations, maintenance, and service management of information systems meet the organization’s strategies and objectives. This includes:
Evaluating the IT service management framework and practices
Conducting periodic reviews of information systems
Evaluating IT operations
Evaluating IT maintenance
Evaluating database management practices
Evaluating data quality and life cycle management
Evaluating problem and incident management practices
Evaluating change and release management practices
Evaluating end-user computing
Evaluating IT continuity and resilience
Finally, an IS auditor must work with management to ensure that the organization’s security policies, standards, procedures, and controls provide confidentiality, integrity, and availability of information assets. This includes evaluating:
The information security and privacy policies, standards, and procedures for completeness and alignment
The design, implementation, maintenance, monitoring, and reporting of:
physical and environmental controls
systems and logical security controls
data classification processes and procedures
The processes and procedures used to store, retrieve, transport, and dispose of assets
The information security program
According to ISACA, hiring managers look for the CISA certification, and some business and governmental agency roles require it. Financial institutions, healthcare organizations, colleges and universities, and certifying bodies often seek individuals with the CISA certification. Specific organizations include Ernst & Young, the Financial Industry Regulatory Authority (FINRA), Nintendo of America, The Institute of Internal Auditors, Sempra Energy, and Freddie Mac.
If you’re interested in learning more about the CISA certification, visit the ISACA website for more information.
Keep on top of industry news with Kaplan IT Training. You'll also be the first to get our exclusive product promotions and discounts.